brainblast 0.6.2 → 0.6.4

package/dist/chunk-2XJORJPQ.js

@@ -0,0 +1,31 @@
+// src/solanaCanonicalMints.ts
+var CANONICAL_MINTS = {
+  USDC: { symbol: "USDC", name: "USD Coin", mint: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v" },
+  USDT: { symbol: "USDT", name: "USD Tether", mint: "Es9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB" },
+  SOL: { symbol: "SOL", name: "Wrapped SOL", mint: "So11111111111111111111111111111111111111112" },
+  WSOL: { symbol: "WSOL", name: "Wrapped SOL", mint: "So11111111111111111111111111111111111111112" },
+  JUP: { symbol: "JUP", name: "Jupiter", mint: "JUPyiwrYJFskUPiHa7hkeR8VUtAeFoSYbKedZNsDvCN" },
+  BONK: { symbol: "BONK", name: "Bonk", mint: "DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263" },
+  WIF: { symbol: "WIF", name: "dogwifhat", mint: "EKpQGSJtjMFqKZ9KQanSqYXRcF8fBopzLHYxdM65zcjm" },
+  PYTH: { symbol: "PYTH", name: "Pyth Network", mint: "HZ1JovNiVvGrGNiiYvEozEVgZ58xaU3RKwX8eACQBCt3" },
+  RAY: { symbol: "RAY", name: "Raydium", mint: "4k3Dyjzvzp8eMZWUXbBCjEvwSkkk59S5iCNLY3QrkX6R" },
+  ORCA: { symbol: "ORCA", name: "Orca", mint: "orcaEKTdK7LKz57vaAYr9QeNsVEPfiu6QeMU1kektZE" },
+  MNGO: { symbol: "MNGO", name: "Mango", mint: "MangoCzJ36AjZyKwVPDeoDLiiwVqHVDRtNoCKzSPH7" },
+  mSOL: { symbol: "mSOL", name: "Marinade Staked SOL", mint: "mSoLzYCxHdYgdzU16g5QSh3i5K3z3KZK7ytfqcJm7So" }
+};
+var CANONICAL_BY_MINT = Object.fromEntries(
+  Object.values(CANONICAL_MINTS).map((c) => [c.mint, c])
+);
+function canonicalMintForSymbol(symbol) {
+  return CANONICAL_MINTS[symbol.toUpperCase()];
+}
+function isCanonicalMint(mint) {
+  return mint in CANONICAL_BY_MINT;
+}
+
+export {
+  CANONICAL_MINTS,
+  CANONICAL_BY_MINT,
+  canonicalMintForSymbol,
+  isCanonicalMint
+};

package/dist/{chunk-A56IF3UX.js → chunk-2Y6UILTZ.js}

@@ -1,3 +1,7 @@
+import {
+  CANONICAL_MINTS
+} from "./chunk-2XJORJPQ.js";
+
 // src/finder.ts
 import { Project, SyntaxKind } from "ts-morph";
 
@@ -789,6 +793,65 @@ var forbiddenCallReplacement = (c, p) => {
   };
 };
 
+// src/checkers/solanaMintIdentity.ts
+import { Node, SyntaxKind as SyntaxKind11 } from "ts-morph";
+var BASE58_RE = /^[1-9A-HJ-NP-Za-km-z]{32,44}$/;
+function tokenize(name) {
+  return name.replace(/([a-z])([A-Z])/g, "$1_$2").split(/[_\s]+/).map((t) => t.toUpperCase()).filter(Boolean);
+}
+function symbolFromName(name) {
+  return tokenize(name).find((t) => t in CANONICAL_MINTS);
+}
+function addressFromInitializer(init) {
+  if (Node.isStringLiteral(init)) {
+    return init.getLiteralValue();
+  }
+  if (Node.isNewExpression(init)) {
+    const args = init.getArguments();
+    if (args.length > 0 && Node.isStringLiteral(args[0])) {
+      return args[0].getLiteralValue?.() ?? args[0].getText().replace(/['"]/g, "");
+    }
+  }
+  return void 0;
+}
+var solanaMintIdentity = (c, _params) => {
+  const sf = c.fn.getSourceFile?.();
+  if (!sf) return { result: "cant_tell", detail: "Could not access source file" };
+  let foundWrong = false;
+  let foundRight = false;
+  for (const vd of sf.getDescendantsOfKind(SyntaxKind11.VariableDeclaration)) {
+    const sym = symbolFromName(vd.getName());
+    if (!sym) continue;
+    const init = vd.getInitializer();
+    if (!init) continue;
+    const addr = addressFromInitializer(init);
+    if (!addr || !BASE58_RE.test(addr)) continue;
+    if (addr === CANONICAL_MINTS[sym].mint) {
+      foundRight = true;
+    } else {
+      foundWrong = true;
+    }
+  }
+  for (const pa of sf.getDescendantsOfKind(SyntaxKind11.PropertyAssignment)) {
+    const nameNode = pa.getNameNode();
+    const name = Node.isIdentifier(nameNode) ? nameNode.getText() : nameNode.getText().replace(/['"]/g, "");
+    const sym = symbolFromName(name);
+    if (!sym) continue;
+    const init = pa.getInitializer();
+    if (!init) continue;
+    const addr = addressFromInitializer(init);
+    if (!addr || !BASE58_RE.test(addr)) continue;
+    if (addr === CANONICAL_MINTS[sym].mint) {
+      foundRight = true;
+    } else {
+      foundWrong = true;
+    }
+  }
+  if (foundWrong) return { result: "fail", detail: "Mint constant has wrong address for its symbol" };
+  if (foundRight) return { result: "pass", detail: "All symbol-named mint constants have canonical addresses" };
+  return { result: "cant_tell", detail: "No symbol-named mint constants found" };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -801,7 +864,8 @@ var registry = {
   "env-secrets-committed": envSecretsCommitted,
   "taint-to-sink": taintToSink,
   "literal-multiplier-wrong-constant": literalMultiplierWrongConstant,
-  "forbidden-call-replacement": forbiddenCallReplacement
+  "forbidden-call-replacement": forbiddenCallReplacement,
+  "solana-mint-identity-mismatch": solanaMintIdentity
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -1017,7 +1081,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind11 } from "ts-morph";
+import { SyntaxKind as SyntaxKind12 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -1042,9 +1106,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind11.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind11.PropertyAccessExpression && exp.asKind(SyntaxKind11.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind12.PropertyAccessExpression && exp.asKind(SyntaxKind12.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -1059,7 +1123,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind11.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind12.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -1069,12 +1133,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind12 } from "ts-morph";
+import { SyntaxKind as SyntaxKind13 } from "ts-morph";
 function callName6(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind12.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind12.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind12.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind13.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind13.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind13.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -1092,15 +1156,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression);
   const verify = calls.filter((x) => p.verifyCalls.includes(callName6(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind12.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind13.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind12.PropertyAssignment) ?? pr.asKind(SyntaxKind12.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind13.PropertyAssignment) ?? pr.asKind(SyntaxKind13.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -1134,22 +1198,22 @@ JWKS must come from Privy's published JWKS endpoint for your app.`
 };
 
 // src/fixers/literalMultiplierWrongConstant.ts
-import { SyntaxKind as SyntaxKind13 } from "ts-morph";
+import { SyntaxKind as SyntaxKind14 } from "ts-morph";
 function callName7(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind13.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind13.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind13.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind14.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind14.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind14.PropertyAccessExpression).getName();
   }
   return "";
 }
 function findIdentifier(node, name) {
-  if (node.getKind() === SyntaxKind13.Identifier && node.getText() === name) return node;
-  return node.getDescendantsOfKind(SyntaxKind13.Identifier).find((id) => id.getText() === name);
+  if (node.getKind() === SyntaxKind14.Identifier && node.getText() === name) return node;
+  return node.getDescendantsOfKind(SyntaxKind14.Identifier).find((id) => id.getText() === name);
 }
 var fixLiteralMultiplierWrongConstant = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression).filter((call) => callName7(call) === p.call);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind14.CallExpression).filter((call) => callName7(call) === p.call);
   if (calls.length === 0) return void 0;
   const arg = calls[0].getArguments()[p.argIndex];
   if (!arg) return void 0;

package/dist/chunk-FQA5BYWW.js

@@ -0,0 +1,89 @@
+// src/ricomaps.ts
+function deployerFlagsFrom(sec) {
+  if (!sec) return [];
+  const flags = [];
+  if (sec.hasMintAuthority) flags.push("mint-authority-live");
+  if (sec.hasFreezeAuthority) flags.push("freeze-authority-live");
+  if (sec.isMutable) flags.push("metadata-mutable");
+  if (sec.riskFactors) flags.push(...sec.riskFactors);
+  return flags;
+}
+function renderRicoText(r) {
+  const lines = [
+    `Rico Maps analysis \u2014 ${r.mint}`,
+    `  Risk score:    ${r.riskScore}/100`,
+    `  Holders:       ${r.totalHolders}`,
+    `  Cabal:         ${r.cabalCount}`,
+    `  Snipers:       ${r.snipersDetected ? `yes (${(r.sniperPct * 100).toFixed(1)}%)` : "none"}`,
+    `  Bundle clusters: ${r.bundleClustersDetected ? "detected" : "none"}`
+  ];
+  if (r.deployerFlags.length) {
+    lines.push(`  Deployer flags: ${r.deployerFlags.join(", ")}`);
+  }
+  if (r.tier) lines.push(`  Tier:          ${r.tier}`);
+  return lines.join("\n");
+}
+async function analyzeToken(mint, opts = {}) {
+  const url = `${opts.baseUrl ?? "https://ricomaps.fun"}/api/v1/analyze`;
+  let res;
+  try {
+    res = await fetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ mint, apiKey: opts.apiKey ?? "" }),
+      signal: AbortSignal.timeout(15e3)
+    });
+  } catch (err) {
+    return { ok: false, kind: "network", error: String(err) };
+  }
+  if (res.status === 401 || res.status === 403) {
+    return { ok: false, kind: "auth", status: res.status, error: "Invalid or missing API key" };
+  }
+  if (res.status === 429) {
+    const retryAfter = res.headers.get("Retry-After");
+    return {
+      ok: false,
+      kind: "rate-limit",
+      status: 429,
+      error: "Rate limit exceeded",
+      retryAfterMs: retryAfter ? parseInt(retryAfter, 10) * 1e3 : void 0
+    };
+  }
+  if (res.status === 400) {
+    const text = await res.text().catch(() => "bad request");
+    return { ok: false, kind: "bad-request", status: 400, error: text };
+  }
+  if (!res.ok) {
+    return { ok: false, kind: "server", status: res.status, error: `Server error ${res.status}` };
+  }
+  let body;
+  try {
+    body = await res.json();
+  } catch {
+    return { ok: false, kind: "server", error: "Invalid JSON response" };
+  }
+  const s = body.summary;
+  const sniperPct = s.totalHolders > 0 && s.sniperCount != null ? s.sniperCount / s.totalHolders : 0;
+  const result = {
+    mint,
+    riskScore: s.riskScore,
+    totalHolders: s.totalHolders,
+    cabalCount: s.cabalCount,
+    snipersDetected: s.snipersDetected,
+    sniperPct,
+    bundleClustersDetected: s.bundleClustersDetected,
+    symbol: body.tokenMetadata?.symbol,
+    name: body.tokenMetadata?.name,
+    tokenSecurity: body.tokenSecurity,
+    deployerFlags: deployerFlagsFrom(body.tokenSecurity),
+    tier: body.tier,
+    processingMs: body.processingMs
+  };
+  return { ok: true, result };
+}
+
+export {
+  deployerFlagsFrom,
+  renderRicoText,
+  analyzeToken
+};

package/dist/{chunk-ZZ6LBZV5.js → chunk-HXQNNGSC.js}

@@ -7,7 +7,7 @@ import {
   loadPack,
   resolveRules,
   walk
-} from "./chunk-A56IF3UX.js";
+} from "./chunk-2Y6UILTZ.js";
 
 // src/trustGraph/directory.ts
 import { readFileSync, existsSync } from "fs";

package/dist/chunk-VI2JBH2T.js

@@ -0,0 +1,79 @@
+import {
+  CANONICAL_BY_MINT,
+  CANONICAL_MINTS
+} from "./chunk-2XJORJPQ.js";
+
+// src/tokenRegistry.ts
+async function jupiterLookup(mint, baseUrl) {
+  const url = `${baseUrl ?? "https://tokens.jup.ag"}/token/${mint}`;
+  try {
+    const res = await fetch(url, { signal: AbortSignal.timeout(1e4) });
+    if (res.status === 404) return null;
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+function detectImpersonation(resolvedSymbol) {
+  if (!resolvedSymbol) return { impersonation: false };
+  const upper = resolvedSymbol.toUpperCase();
+  const canonical = CANONICAL_MINTS[upper];
+  if (!canonical) return { impersonation: false };
+  return { impersonation: true, canonicalMint: canonical.mint };
+}
+async function verifyTokenIdentity(mint, opts = {}) {
+  const bundled = CANONICAL_BY_MINT[mint];
+  if (bundled) {
+    const expectMismatch2 = opts.expectSymbol ? opts.expectSymbol.toUpperCase() !== bundled.symbol.toUpperCase() : void 0;
+    return {
+      mint,
+      status: "verified-canonical",
+      symbol: bundled.symbol,
+      name: bundled.name,
+      source: "bundled",
+      impersonation: false,
+      expectMismatch: expectMismatch2 ?? void 0
+    };
+  }
+  if (opts.offline) {
+    const { impersonation: impersonation2, canonicalMint: canonicalMint2 } = detectImpersonation(opts.claimedSymbol);
+    return {
+      mint,
+      status: "unverified",
+      source: "none",
+      impersonation: impersonation2,
+      canonicalMint: canonicalMint2,
+      detail: "offline mode \u2014 Jupiter lookup skipped"
+    };
+  }
+  const jup = await jupiterLookup(mint, opts.baseUrl);
+  if (!jup) {
+    const { impersonation: impersonation2, canonicalMint: canonicalMint2 } = detectImpersonation(opts.claimedSymbol);
+    return {
+      mint,
+      status: "unknown",
+      source: "none",
+      impersonation: impersonation2,
+      canonicalMint: canonicalMint2
+    };
+  }
+  const resolvedSymbol = jup.symbol ?? opts.claimedSymbol;
+  const { impersonation, canonicalMint } = detectImpersonation(resolvedSymbol);
+  const expectMismatch = opts.expectSymbol ? opts.expectSymbol.toUpperCase() !== (resolvedSymbol ?? "").toUpperCase() : void 0;
+  const status = impersonation ? "unverified" : "verified";
+  return {
+    mint,
+    status,
+    symbol: jup.symbol,
+    name: jup.name,
+    source: "jupiter",
+    impersonation,
+    canonicalMint,
+    expectMismatch: expectMismatch ?? void 0
+  };
+}
+
+export {
+  verifyTokenIdentity
+};

package/dist/cli.js

@@ -17,12 +17,13 @@ import {
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-ZZ6LBZV5.js";
+} from "./chunk-HXQNNGSC.js";
 import {
   audit,
   getChangedRanges,
   resolveRules
-} from "./chunk-A56IF3UX.js";
+} from "./chunk-2Y6UILTZ.js";
+import "./chunk-2XJORJPQ.js";
 import "./chunk-3RG5ZIWI.js";
 
 // src/cli.ts
@@ -119,7 +120,7 @@ if (args[0] === "drift") {
   process.exit(0);
 }
 if (args[0] === "mcp") {
-  const { startMcpServer } = await import("./mcp-AFYJQ7K6.js");
+  const { startMcpServer } = await import("./mcp-FCKMS2MQ.js");
   await startMcpServer();
   process.exit(0);
 }
@@ -143,6 +144,10 @@ if (args[0] === "watch") {
   await new Promise(() => {
   });
 }
+if (args[0] === "rico") {
+  await runRico(args.slice(1));
+  process.exit(0);
+}
 if (args[0] === "fix") {
   await runFix(args.slice(1));
   process.exit(0);
@@ -510,7 +515,7 @@ async function runDiff(argv) {
     console.error("  e.g.: brainblast diff lodash@4.17.20 lodash@4.17.21");
     process.exit(2);
   }
-  const { diffVersions, renderDiffText, renderDiffMd, riskScore } = await import("./diff-KIR4PCBC.js");
+  const { diffVersions, renderDiffText, renderDiffMd: _renderDiffMd, riskScore } = await import("./diff-KIR4PCBC.js");
   let result;
   try {
     result = await diffVersions(ecosystem, pkgName, fromVersion, toVersion);
@@ -538,3 +543,80 @@ Risk profile unchanged (${result.unchanged.length} advisory${result.unchanged.le
     console.log("\nNo known advisories for either version.");
   }
 }
+async function runRico(argv) {
+  const { analyzeToken, renderRicoText } = await import("./ricomaps-WTMWBBOY.js");
+  const { verifyTokenIdentity } = await import("./tokenRegistry-CYIUZHAZ.js");
+  const mint = argv.find((a) => !a.startsWith("--"));
+  if (!mint) {
+    console.error("usage: brainblast rico <mint> [--expect SYMBOL] [--api-key KEY] [--fail-on SCORE] [--offline] [--json]");
+    process.exit(2);
+  }
+  const expectIdx = argv.indexOf("--expect");
+  const expectSymbol = expectIdx >= 0 ? argv[expectIdx + 1] : void 0;
+  const apiKeyIdx = argv.indexOf("--api-key");
+  let apiKey = apiKeyIdx >= 0 ? argv[apiKeyIdx + 1] : void 0;
+  const failOnIdx = argv.indexOf("--fail-on");
+  const failOn = failOnIdx >= 0 ? parseInt(argv[failOnIdx + 1], 10) : 70;
+  const offline = argv.includes("--offline");
+  const jsonOut = argv.includes("--json");
+  let ricoResult = null;
+  if (!offline) {
+    ricoResult = await analyzeToken(mint, { apiKey });
+    if (!ricoResult.ok && ricoResult.kind === "auth") {
+      const readline = await import("readline");
+      const rl = readline.createInterface({ input: process.stdin, output: process.stderr });
+      const answer = await new Promise((resolve) => {
+        rl.question(
+          "\nRico Maps API key missing or invalid.\n  [s] Skip quality scan\n  [k] Enter API key\nChoice: ",
+          resolve
+        );
+      });
+      rl.close();
+      if (answer.trim().toLowerCase().startsWith("k")) {
+        const rl2 = readline.createInterface({ input: process.stdin, output: process.stderr });
+        apiKey = await new Promise((resolve) => {
+          rl2.question("API key: ", resolve);
+        });
+        rl2.close();
+        ricoResult = await analyzeToken(mint, { apiKey });
+      } else {
+        ricoResult = null;
+      }
+    }
+  }
+  const claimedSymbol = ricoResult?.ok ? ricoResult.result.symbol : void 0;
+  const identity = await verifyTokenIdentity(mint, { expectSymbol, claimedSymbol, offline });
+  if (jsonOut) {
+    console.log(JSON.stringify({ identity, quality: ricoResult?.ok ? ricoResult.result : null }, null, 2));
+  } else {
+    const impTag = identity.impersonation ? " \u26A0 IMPERSONATION" : "";
+    const expectTag = identity.expectMismatch ? " \u26A0 EXPECT MISMATCH" : "";
+    console.log(`
+Identity  [${identity.status}]${impTag}${expectTag}`);
+    if (identity.symbol) console.log(`  Symbol:  ${identity.symbol}`);
+    if (identity.name) console.log(`  Name:    ${identity.name}`);
+    console.log(`  Source:  ${identity.source}`);
+    if (identity.impersonation && identity.canonicalMint) {
+      console.log(`  Canonical ${identity.symbol} mint: ${identity.canonicalMint}`);
+      console.log(`  This token: ${mint}`);
+    }
+    if (identity.detail) console.log(`  Note:    ${identity.detail}`);
+    if (ricoResult === null) {
+      console.log("\nQuality   [skipped]");
+    } else if (!ricoResult.ok) {
+      console.log(`
+Quality   [error: ${ricoResult.kind}] ${ricoResult.error}`);
+      if (ricoResult.kind === "rate-limit" && ricoResult.retryAfterMs) {
+        console.log(`  Retry after: ${Math.ceil(ricoResult.retryAfterMs / 1e3)}s`);
+      }
+    } else {
+      console.log(`
+${renderRicoText(ricoResult.result)}`);
+    }
+    console.log("");
+  }
+  const highRisk = ricoResult?.ok && ricoResult.result.riskScore >= failOn;
+  if (identity.impersonation || identity.expectMismatch || highRisk) {
+    process.exit(1);
+  }
+}

package/dist/index.d.ts

@@ -555,4 +555,73 @@ declare function checkDrift(dir: string, opts?: {
 }): Promise<DriftResult>;
 declare function renderDriftText(result: DriftResult): string;
 
-export { type AccountFlow, type AuditRef, type BuildOpts, type Candidate, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, type GraduationEvent, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TelemetrySubmitResult, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type WatchEvent, type WatchOptions, analyzeCosts, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, checkDrift, checkerKinds, defaultCachePath, diffVersions, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, initPack, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseDiff, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, seedPackages, startWatch, submitTelemetry, telemetryFilePath, testKinds, validatePack, validatePackManifest };
+interface CanonicalMint {
+    symbol: string;
+    name: string;
+    mint: string;
+}
+declare const CANONICAL_MINTS: Record<string, CanonicalMint>;
+declare const CANONICAL_BY_MINT: Record<string, CanonicalMint>;
+declare function canonicalMintForSymbol(symbol: string): CanonicalMint | undefined;
+declare function isCanonicalMint(mint: string): boolean;
+
+type IdentityStatus = "verified-canonical" | "verified" | "unverified" | "unknown";
+interface TokenIdentity {
+    mint: string;
+    status: IdentityStatus;
+    symbol?: string;
+    name?: string;
+    source: "bundled" | "jupiter" | "none";
+    impersonation: boolean;
+    canonicalMint?: string;
+    expectMismatch?: boolean;
+    detail?: string;
+}
+interface VerifyOpts {
+    expectSymbol?: string;
+    claimedSymbol?: string;
+    baseUrl?: string;
+    offline?: boolean;
+}
+declare function verifyTokenIdentity(mint: string, opts?: VerifyOpts): Promise<TokenIdentity>;
+
+interface RicoTokenSecurity {
+    hasMintAuthority: boolean;
+    hasFreezeAuthority: boolean;
+    isMutable: boolean;
+    riskLevel?: string;
+    riskFactors?: string[];
+}
+interface RicoResult {
+    mint: string;
+    riskScore: number;
+    totalHolders: number;
+    cabalCount: number;
+    snipersDetected: boolean;
+    sniperPct: number;
+    bundleClustersDetected: boolean;
+    symbol?: string;
+    name?: string;
+    tokenSecurity?: RicoTokenSecurity;
+    deployerFlags: string[];
+    tier?: string;
+    processingMs?: number;
+}
+type RicoOutcome = {
+    ok: true;
+    result: RicoResult;
+} | {
+    ok: false;
+    kind: "auth" | "rate-limit" | "bad-request" | "server" | "network";
+    status?: number;
+    error: string;
+    retryAfterMs?: number;
+};
+declare function deployerFlagsFrom(sec?: RicoTokenSecurity): string[];
+declare function renderRicoText(r: RicoResult): string;
+declare function analyzeToken(mint: string, opts?: {
+    apiKey?: string;
+    baseUrl?: string;
+}): Promise<RicoOutcome>;
+
+export { type AccountFlow, type AuditRef, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, type GraduationEvent, type IdentityStatus, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkerKinds, defaultCachePath, deployerFlagsFrom, diffVersions, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, initPack, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseDiff, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderRicoText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, seedPackages, startWatch, submitTelemetry, telemetryFilePath, testKinds, validatePack, validatePackManifest, verifyTokenIdentity };

package/dist/index.js

@@ -31,7 +31,7 @@ import {
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-ZZ6LBZV5.js";
+} from "./chunk-HXQNNGSC.js";
 import {
   PACK_MANIFEST_FILE,
   audit,
@@ -52,7 +52,7 @@ import {
   runChecker,
   testKinds,
   validatePackManifest
-} from "./chunk-A56IF3UX.js";
+} from "./chunk-2Y6UILTZ.js";
 import {
   diffVersions,
   queryOsv,
@@ -65,6 +65,20 @@ import {
   renderDriftText,
   seedPackages
 } from "./chunk-EAKU3L7F.js";
+import {
+  analyzeToken,
+  deployerFlagsFrom,
+  renderRicoText
+} from "./chunk-FQA5BYWW.js";
+import {
+  verifyTokenIdentity
+} from "./chunk-VI2JBH2T.js";
+import {
+  CANONICAL_BY_MINT,
+  CANONICAL_MINTS,
+  canonicalMintForSymbol,
+  isCanonicalMint
+} from "./chunk-2XJORJPQ.js";
 import "./chunk-3RG5ZIWI.js";
 
 // src/generate.ts
@@ -81,10 +95,13 @@ function generateTestForResult(result, rule, outPath) {
   return outPath;
 }
 export {
+  CANONICAL_BY_MINT,
+  CANONICAL_MINTS,
   DEFAULT_REGISTRY_URL,
   DEFAULT_TTL_HOURS,
   PACK_MANIFEST_FILE,
   analyzeCosts,
+  analyzeToken,
   applyDiffToFile,
   audit,
   auditWithRule,
@@ -93,9 +110,11 @@ export {
   buildTrustGraph,
   rules as bundledRules,
   cacheSize,
+  canonicalMintForSymbol,
   checkDrift,
   checkerKinds,
   defaultCachePath,
+  deployerFlagsFrom,
   diffVersions,
   fileChanged,
   findCandidates,
@@ -108,6 +127,7 @@ export {
   getUserHash,
   getWorkingTreeChanges,
   initPack,
+  isCanonicalMint,
   isEntryExpired,
   isTelemetryEnabled,
   isValidSolanaAddress,
@@ -126,6 +146,7 @@ export {
   renderDiffMd,
   renderDiffText,
   renderDriftText,
+  renderRicoText,
   renderTest,
   renderTrustGraphMd,
   rentExemptMinimum,
@@ -140,5 +161,6 @@ export {
   telemetryFilePath,
   testKinds,
   validatePack,
-  validatePackManifest
+  validatePackManifest,
+  verifyTokenIdentity
 };

package/dist/{mcp-AFYJQ7K6.js → mcp-FCKMS2MQ.js}

@@ -1,11 +1,12 @@
 import {
   audit,
   resolveRules
-} from "./chunk-A56IF3UX.js";
+} from "./chunk-2Y6UILTZ.js";
 import {
   diffVersions,
   queryOsv
 } from "./chunk-SC6RNNDW.js";
+import "./chunk-2XJORJPQ.js";
 import "./chunk-3RG5ZIWI.js";
 
 // src/mcp.ts

package/dist/ricomaps-WTMWBBOY.js

@@ -0,0 +1,11 @@
+import {
+  analyzeToken,
+  deployerFlagsFrom,
+  renderRicoText
+} from "./chunk-FQA5BYWW.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  analyzeToken,
+  deployerFlagsFrom,
+  renderRicoText
+};

package/dist/rules/solana-token-impersonation.yaml

@@ -0,0 +1,17 @@
+id: solana-token-impersonation
+severity: critical
+title: Hardcoded Solana mint address doesn't match the named token's canonical address
+component:
+  name: "@solana/web3.js / @solana/spl-token"
+  type: SDK
+  version: any
+  sourceUrl: https://github.com/solana-labs/solana-web3.js
+detect:
+  modules: ["@solana/web3.js", "@solana/spl-token"]
+  nameRegex: "mint|payment|usdc|usdt|swap|pay|deposit|withdraw|treasury|stablecoin"
+  triggerCalls: []
+  requiresImport: true
+check:
+  kind: solana-mint-identity-mismatch
+test:
+  kind: none

package/dist/tokenRegistry-CYIUZHAZ.js

@@ -0,0 +1,8 @@
+import {
+  verifyTokenIdentity
+} from "./chunk-VI2JBH2T.js";
+import "./chunk-2XJORJPQ.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  verifyTokenIdentity
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.6.2",
+  "version": "0.6.4",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [