brainblast 0.6.3 → 0.7.0

package/dist/chunk-HL7NVANZ.js

@@ -0,0 +1,331 @@
+import {
+  base58Encode
+} from "./chunk-VG5FMOLW.js";
+
+// src/firewall.ts
+var KNOWN_PROGRAMS = {
+  "11111111111111111111111111111111": "System Program",
+  TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA: "SPL Token",
+  TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb: "SPL Token-2022",
+  ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL: "Associated Token Account",
+  metaqbxxUerdq28cj1RbAWkYQm3ybzjb6a8bt518x1s: "Metaplex Token Metadata",
+  MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr: "SPL Memo",
+  ComputeBudget111111111111111111111111111111: "Compute Budget",
+  AddressLookupTab1e1111111111111111111111111: "Address Lookup Table",
+  BPFLoaderUpgradeab1e11111111111111111111111: "BPF Upgradeable Loader",
+  // Blue-chip DeFi / launch programs
+  JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4: "Jupiter Aggregator v6",
+  "675kPX9MHTjS2zt1qfr1NYHuzeLXfQM9H24wFSUt1Mp8": "Raydium AMM v4",
+  whirLbMiicVdio4qvUfM5KAg6Ct8VwpYzGff3uctyCc: "Orca Whirlpools",
+  "6EF8rrecthR5Dkzon8Nwu78hRvfCKubJ14M5uBEwF6P": "pump.fun",
+  pAMMBay6oceH9fJKBRHGP5D4bD4sWpmSwMn52FMfXEA: "PumpSwap AMM"
+};
+var SPL_TOKEN_PROGRAMS = /* @__PURE__ */ new Set([
+  "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
+  "TokenzQdBNbLqP5VEhdkAS6EPFLC1PHnBqCXEpPxuEb"
+]);
+var BPF_UPGRADEABLE_LOADER = "BPFLoaderUpgradeab1e11111111111111111111111";
+function readCompactU16(buf, offset) {
+  let value = 0;
+  let shift = 0;
+  let o = offset;
+  for (; ; ) {
+    const byte = buf[o++];
+    value |= (byte & 127) << shift;
+    if ((byte & 128) === 0) break;
+    shift += 7;
+    if (shift > 21) throw new Error("compact-u16 too long");
+  }
+  return [value, o];
+}
+function decodeTransaction(base64, opts = {}) {
+  const bytes = new Uint8Array(Buffer.from(base64, "base64"));
+  if (bytes.length < 35) throw new Error("transaction too short to be valid");
+  let o = 0;
+  if (!opts.messageOnly) {
+    const [sigCount, afterCount] = readCompactU16(bytes, 0);
+    o = afterCount + sigCount * 64;
+    if (o >= bytes.length) throw new Error("signature array overruns buffer");
+  }
+  const msg = bytes.subarray(o);
+  let mo = 0;
+  let version = "legacy";
+  if ((msg[0] & 128) !== 0) {
+    version = msg[0] & 127;
+    mo = 1;
+  }
+  const numRequiredSignatures = msg[mo++];
+  const numReadonlySigned = msg[mo++];
+  const numReadonlyUnsigned = msg[mo++];
+  const [acctCount, afterAccts] = readCompactU16(msg, mo);
+  mo = afterAccts;
+  const staticAccountKeys = [];
+  for (let i = 0; i < acctCount; i++) {
+    staticAccountKeys.push(base58Encode(msg.subarray(mo, mo + 32)));
+    mo += 32;
+  }
+  const recentBlockhash = base58Encode(msg.subarray(mo, mo + 32));
+  mo += 32;
+  const [ixCount, afterIxCount] = readCompactU16(msg, mo);
+  mo = afterIxCount;
+  const instructions = [];
+  for (let i = 0; i < ixCount; i++) {
+    const programIdIndex = msg[mo++];
+    const [naccts, afterNaccts] = readCompactU16(msg, mo);
+    mo = afterNaccts;
+    const accountIndexes = [];
+    for (let j = 0; j < naccts; j++) accountIndexes.push(msg[mo++]);
+    const [datalen, afterDatalen] = readCompactU16(msg, mo);
+    mo = afterDatalen;
+    const data = msg.subarray(mo, mo + datalen);
+    mo += datalen;
+    instructions.push({
+      programIdIndex,
+      programId: staticAccountKeys[programIdIndex] ?? `#${programIdIndex}`,
+      accountIndexes,
+      data
+    });
+  }
+  const addressTableLookups = [];
+  if (version !== "legacy") {
+    const [altCount, afterAlt] = readCompactU16(msg, mo);
+    mo = afterAlt;
+    for (let i = 0; i < altCount; i++) {
+      const accountKey = base58Encode(msg.subarray(mo, mo + 32));
+      mo += 32;
+      const [wlen, afterW] = readCompactU16(msg, mo);
+      mo = afterW + wlen;
+      const [rlen, afterR] = readCompactU16(msg, mo);
+      mo = afterR + rlen;
+      addressTableLookups.push({ accountKey, writableCount: wlen, readonlyCount: rlen });
+    }
+  }
+  return {
+    version,
+    numRequiredSignatures,
+    numReadonlySigned,
+    numReadonlyUnsigned,
+    staticAccountKeys,
+    recentBlockhash,
+    instructions,
+    addressTableLookups
+  };
+}
+function splTokenFinding(disc) {
+  switch (disc) {
+    case 4:
+    // Approve
+    case 13:
+      return {
+        severity: "warn",
+        kind: "token-delegate-approval",
+        detail: "Approves a delegate over a token account \u2014 a common drain vector. Verify the delegate is trusted."
+      };
+    case 6:
+      return {
+        severity: "critical",
+        kind: "token-set-authority",
+        detail: "Changes a mint/account authority (SetAuthority). This can hand control of a token to another party."
+      };
+    case 9:
+      return {
+        severity: "info",
+        kind: "token-close-account",
+        detail: "Closes a token account and reclaims its rent to the destination."
+      };
+    default:
+      return null;
+  }
+}
+function bpfLoaderFinding(disc) {
+  if (disc === 3)
+    return {
+      severity: "critical",
+      kind: "program-upgrade",
+      detail: "Upgrades a deployed program (BPF Upgradeable Loader Upgrade). Replaces on-chain code."
+    };
+  if (disc === 4 || disc === 6)
+    return {
+      severity: "critical",
+      kind: "program-set-authority",
+      detail: "Changes a program's upgrade authority (BPF Loader SetAuthority)."
+    };
+  return null;
+}
+function analyzeInstructions(decoded, known) {
+  const findings = [];
+  for (const ix of decoded.instructions) {
+    const pid = ix.programId;
+    if (SPL_TOKEN_PROGRAMS.has(pid) && ix.data.length >= 1) {
+      const f = splTokenFinding(ix.data[0]);
+      if (f) findings.push(f);
+    }
+    if (pid === BPF_UPGRADEABLE_LOADER && ix.data.length >= 4) {
+      const disc = ix.data[0] | ix.data[1] << 8 | ix.data[2] << 16 | ix.data[3] << 24;
+      const f = bpfLoaderFinding(disc);
+      if (f) findings.push(f);
+    }
+    if (!(pid in known)) {
+      findings.push({
+        severity: "warn",
+        kind: "unknown-program",
+        detail: `Top-level instruction invokes an unrecognized program: ${pid}. Verify it is a program you intend to call.`
+      });
+    }
+  }
+  if (decoded.addressTableLookups.length > 0) {
+    findings.push({
+      severity: "info",
+      kind: "address-lookup-tables",
+      detail: `Transaction uses ${decoded.addressTableLookups.length} address lookup table(s); some accounts are resolved off-message and not statically visible.`
+    });
+  }
+  return findings;
+}
+function parseCpiPrograms(logs) {
+  const programs = /* @__PURE__ */ new Set();
+  for (const line of logs) {
+    const m = line.match(/^Program (\S+) invoke \[\d+\]$/);
+    if (m) programs.add(m[1]);
+  }
+  return [...programs];
+}
+async function simulate(base64, opts) {
+  const { DEFAULT_RPC } = await import("./rpc-W5F4KXS2.js");
+  const url = opts.rpcUrl ?? DEFAULT_RPC;
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const ac = new AbortController();
+  const t = setTimeout(() => ac.abort(), opts.timeoutMs ?? 1e4);
+  try {
+    const res = await fetchImpl(url, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        id: 1,
+        method: "simulateTransaction",
+        params: [base64, { encoding: "base64", sigVerify: false, replaceRecentBlockhash: true, commitment: "confirmed" }]
+      }),
+      signal: ac.signal
+    });
+    if (!res.ok) throw new Error(`simulateTransaction: HTTP ${res.status}`);
+    const body = await res.json();
+    if (body.error) throw new Error(`simulateTransaction: ${body.error.message}`);
+    const v = body.result?.value ?? {};
+    return { err: v.err ?? null, logs: v.logs ?? null, unitsConsumed: v.unitsConsumed };
+  } finally {
+    clearTimeout(t);
+  }
+}
+function worstSeverity(findings) {
+  if (findings.some((f) => f.severity === "critical")) return "block";
+  if (findings.some((f) => f.severity === "warn")) return "warn";
+  return "allow";
+}
+async function inspectTransaction(base64, opts = {}) {
+  const known = { ...KNOWN_PROGRAMS, ...opts.knownPrograms ?? {} };
+  const decoded = decodeTransaction(base64, { messageOnly: opts.messageOnly });
+  const findings = analyzeInstructions(decoded, known);
+  const topLevelIds = new Set(decoded.instructions.map((ix) => ix.programId));
+  const programs = [...topLevelIds].map((id) => ({
+    id,
+    label: known[id] ?? null,
+    known: id in known,
+    topLevel: true
+  }));
+  const report = {
+    version: decoded.version,
+    feePayer: decoded.staticAccountKeys[0] ?? "(none)",
+    numSigners: decoded.numRequiredSignatures,
+    staticAccounts: decoded.staticAccountKeys.length,
+    programs,
+    usesAddressLookupTables: decoded.addressTableLookups.length > 0,
+    simulation: { ran: false },
+    findings,
+    verdict: "allow"
+  };
+  if (opts.simulate !== false) {
+    try {
+      const sim = await simulate(base64, opts);
+      const cpiPrograms = sim.logs ? parseCpiPrograms(sim.logs) : [];
+      report.simulation = {
+        ran: true,
+        ok: sim.err === null,
+        err: sim.err ?? void 0,
+        unitsConsumed: sim.unitsConsumed,
+        logsCount: sim.logs?.length,
+        cpiPrograms
+      };
+      for (const pid of cpiPrograms) {
+        if (!(pid in known) && !topLevelIds.has(pid)) {
+          findings.push({
+            severity: "warn",
+            kind: "unknown-cpi-program",
+            detail: `Cross-program invocation to an unrecognized program: ${pid}.`
+          });
+          report.programs.push({ id: pid, label: null, known: false, topLevel: false });
+        }
+      }
+      if (sim.err !== null) {
+        findings.push({
+          severity: "warn",
+          kind: "simulation-failed",
+          detail: `Transaction simulation returned an error: ${JSON.stringify(sim.err)}. Signing it would likely fail on-chain.`
+        });
+      }
+    } catch (e) {
+      report.simulation = { ran: false };
+      findings.push({
+        severity: "info",
+        kind: "simulation-unavailable",
+        detail: `Could not simulate (static analysis only): ${e?.message ?? String(e)}`
+      });
+    }
+  }
+  report.verdict = worstSeverity(findings);
+  return report;
+}
+var SEV_ICON = { critical: "\u26D4", warn: "\u26A0 ", info: "\xB7 " };
+var VERDICT_BANNER = {
+  allow: "ALLOW \u2014 no dangerous patterns detected",
+  warn: "WARN \u2014 review before signing",
+  block: "BLOCK \u2014 dangerous pattern detected, do not sign blind"
+};
+function renderFirewallText(r) {
+  const lines = [];
+  lines.push(`Transaction firewall  [${VERDICT_BANNER[r.verdict]}]`);
+  lines.push("");
+  lines.push(`  Version:     ${r.version}`);
+  lines.push(`  Fee payer:   ${r.feePayer}`);
+  lines.push(`  Signers:     ${r.numSigners}`);
+  lines.push(`  Accounts:    ${r.staticAccounts}${r.usesAddressLookupTables ? " (+ lookup tables)" : ""}`);
+  lines.push(`  Programs:`);
+  for (const p of r.programs) {
+    const tag = p.known ? p.label : "UNKNOWN";
+    lines.push(`    ${p.known ? "\u2713" : "?"} ${p.id}  ${tag}${p.topLevel ? "" : " (via CPI)"}`);
+  }
+  if (r.simulation.ran) {
+    lines.push(`  Simulation:  ${r.simulation.ok ? "ok" : "FAILED"}${r.simulation.unitsConsumed != null ? ` (${r.simulation.unitsConsumed} CU)` : ""}`);
+  } else {
+    lines.push(`  Simulation:  not run`);
+  }
+  lines.push("");
+  if (r.findings.length === 0) {
+    lines.push("  No findings.");
+  } else {
+    lines.push("  Findings:");
+    for (const f of r.findings) {
+      lines.push(`    ${SEV_ICON[f.severity]} [${f.kind}] ${f.detail}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+export {
+  KNOWN_PROGRAMS,
+  decodeTransaction,
+  analyzeInstructions,
+  parseCpiPrograms,
+  inspectTransaction,
+  renderFirewallText
+};

package/dist/chunk-O5Z4ZJHC.js

@@ -0,0 +1,89 @@
+// src/idlRules.ts
+import { stringify as yamlStringify } from "yaml";
+function toSnakeCase(s) {
+  return s.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[\s-]+/g, "_").toLowerCase();
+}
+function idlProgramName(idl) {
+  return idl.metadata?.name ?? idl.name ?? "anchor-program";
+}
+function flattenAccounts(accounts) {
+  const out = [];
+  for (const a of accounts) {
+    if (a.accounts && a.accounts.length > 0) {
+      out.push(...flattenAccounts(a.accounts));
+    } else {
+      out.push(a);
+    }
+  }
+  return out;
+}
+function parseIdl(json) {
+  if (!json || typeof json !== "object") throw new Error("IDL is not an object");
+  const idl = json;
+  if (!Array.isArray(idl.instructions)) throw new Error("IDL has no instructions array");
+  for (const ix of idl.instructions) {
+    if (!ix.name || !Array.isArray(ix.accounts)) {
+      throw new Error(`IDL instruction missing name/accounts: ${JSON.stringify(ix).slice(0, 80)}`);
+    }
+  }
+  return idl;
+}
+function buildConstraintParams(idl) {
+  const instructions = idl.instructions.map((ix) => {
+    const leaves = flattenAccounts(ix.accounts);
+    return {
+      name: toSnakeCase(ix.name),
+      signers: leaves.filter((a) => a.isSigner).map((a) => toSnakeCase(a.name)),
+      mutable: leaves.filter((a) => a.isMut).map((a) => toSnakeCase(a.name))
+    };
+  });
+  return { idlName: idlProgramName(idl), instructions };
+}
+function generateRulesFromIdl(idl) {
+  const params = buildConstraintParams(idl);
+  const handlerNames = params.instructions.map((i) => i.name).filter(Boolean);
+  if (handlerNames.length === 0) return [];
+  const nameRegex = `^(${handlerNames.map(escapeRegex).join("|")})$`;
+  const progName = params.idlName;
+  const rule = {
+    id: `idl-${toKebab(progName)}-account-constraints`,
+    severity: "critical",
+    title: `Anchor accounts match the ${progName} IDL signer/mut constraints`,
+    component: {
+      name: progName,
+      type: "Anchor program",
+      version: idl.metadata?.version ?? idl.version ?? "unversioned",
+      sourceUrl: "https://www.anchor-lang.com/docs/the-accounts-struct"
+    },
+    detect: {
+      lang: "rust",
+      modules: ["@coral-xyz/anchor", "@project-serum/anchor"],
+      nameRegex,
+      triggerCalls: []
+    },
+    check: {
+      kind: "anchor-account-matches-idl",
+      params
+    },
+    test: { kind: "none" }
+  };
+  return [rule];
+}
+function escapeRegex(s) {
+  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+function toKebab(s) {
+  return toSnakeCase(s).replace(/_/g, "-");
+}
+function renderRulesYaml(rules) {
+  return rules.map((r) => yamlStringify(r)).join("\n---\n");
+}
+
+export {
+  toSnakeCase,
+  idlProgramName,
+  parseIdl,
+  buildConstraintParams,
+  generateRulesFromIdl,
+  renderRulesYaml
+};

package/dist/chunk-QC27GNQ7.js

@@ -0,0 +1,101 @@
+import {
+  analyzeToken
+} from "./chunk-FQA5BYWW.js";
+import {
+  verifyTokenIdentity
+} from "./chunk-VI2JBH2T.js";
+
+// src/batchScan.ts
+async function mapPool(items, concurrency, fn) {
+  const results = new Array(items.length);
+  let next = 0;
+  const workers = Array.from({ length: Math.max(1, Math.min(concurrency, items.length)) }, async () => {
+    for (; ; ) {
+      const idx = next++;
+      if (idx >= items.length) break;
+      results[idx] = await fn(items[idx], idx);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+}
+async function scanOne(mint, opts) {
+  const failOn = opts.failOnRisk ?? 70;
+  try {
+    const identity = await verifyTokenIdentity(mint, { baseUrl: opts.jupBaseUrl, offline: opts.offline });
+    const row = {
+      mint,
+      identityStatus: identity.status,
+      impersonation: identity.impersonation,
+      symbol: identity.symbol,
+      rank: 0
+    };
+    if (!opts.offline) {
+      const outcome = await analyzeToken(mint, { apiKey: opts.apiKey, baseUrl: opts.ricoBaseUrl });
+      if (outcome.ok) {
+        const q = outcome.result;
+        row.riskScore = q.riskScore;
+        row.snipers = q.snipersDetected;
+        row.bundleClusters = q.bundleClustersDetected;
+        row.deployerFlags = q.deployerFlags;
+        if (!row.symbol) row.symbol = q.symbol;
+      }
+    }
+    row.rank = (row.impersonation ? 1e3 : 0) + (row.riskScore ?? -1);
+    return row;
+  } catch (e) {
+    return { mint, identityStatus: "error", impersonation: false, error: e?.message ?? String(e), rank: -2 };
+  }
+}
+async function batchScan(mints, opts = {}) {
+  const failOn = opts.failOnRisk ?? 70;
+  const unique = [...new Set(mints.map((m) => m.trim()).filter(Boolean))];
+  const rows = await mapPool(unique, opts.concurrency ?? 5, (m) => scanOne(m, opts));
+  rows.sort((a, b) => b.rank - a.rank);
+  const summary = {
+    total: rows.length,
+    impersonators: rows.filter((r) => r.impersonation).length,
+    highRisk: rows.filter((r) => (r.riskScore ?? -1) >= failOn).length,
+    errored: rows.filter((r) => r.identityStatus === "error").length
+  };
+  return { rows, summary };
+}
+function parseMintList(content) {
+  const trimmed = content.trim();
+  if (trimmed.startsWith("[")) {
+    const arr = JSON.parse(trimmed);
+    if (!Array.isArray(arr)) throw new Error("JSON mint list must be an array of strings");
+    return arr.map((x) => String(x));
+  }
+  return trimmed.split(/\r?\n/).map((l) => l.replace(/#.*$/, "").trim()).filter(Boolean);
+}
+function pad(s, n) {
+  return s.length >= n ? s.slice(0, n) : s + " ".repeat(n - s.length);
+}
+function renderBatchText(result) {
+  const lines = [];
+  lines.push(`Batch token scan \u2014 ${result.summary.total} token(s)`);
+  lines.push(
+    `  ${result.summary.impersonators} impersonator(s), ${result.summary.highRisk} high-risk, ${result.summary.errored} error(s)`
+  );
+  lines.push("");
+  lines.push(`  ${pad("MINT", 14)} ${pad("SYMBOL", 8)} ${pad("IDENTITY", 18)} ${pad("RISK", 5)} FLAGS`);
+  for (const r of result.rows) {
+    const mintShort = r.mint.length > 12 ? r.mint.slice(0, 6) + ".." + r.mint.slice(-4) : r.mint;
+    const flags = [];
+    if (r.impersonation) flags.push("IMPERSONATION");
+    if (r.snipers) flags.push("snipers");
+    if (r.bundleClusters) flags.push("bundle");
+    if (r.error) flags.push(`error:${r.error}`);
+    lines.push(
+      `  ${pad(mintShort, 14)} ${pad(r.symbol ?? "-", 8)} ${pad(r.identityStatus, 18)} ${pad(r.riskScore != null ? String(r.riskScore) : "-", 5)} ${flags.join(", ")}`
+    );
+  }
+  return lines.join("\n");
+}
+
+export {
+  batchScan,
+  parseMintList,
+  renderBatchText
+};

package/dist/chunk-SVSVVW6U.js

@@ -0,0 +1,187 @@
+import {
+  probeUpgradeAuthority
+} from "./chunk-XSVQSK53.js";
+
+// src/trustGraph/directory.ts
+import { readFileSync, existsSync } from "fs";
+import { fileURLToPath } from "url";
+import { join } from "path";
+import { parse } from "yaml";
+var cache = null;
+function bundledPath() {
+  const here = fileURLToPath(new URL(".", import.meta.url));
+  const candidates = [
+    join(here, "programs", "directory.yaml"),
+    // dist/programs/directory.yaml
+    join(here, "..", "..", "programs", "directory.yaml"),
+    // src/../../programs/
+    join(here, "..", "programs", "directory.yaml")
+    // fallback
+  ];
+  for (const c of candidates) {
+    if (existsSync(c)) return c;
+  }
+  return candidates[0];
+}
+function loadDirectory(path = bundledPath()) {
+  if (cache && path === bundledPath()) return cache;
+  const raw = parse(readFileSync(path, "utf8"));
+  if (!raw || !Array.isArray(raw.programs)) {
+    throw new Error(`invalid program directory at ${path}: missing 'programs' array`);
+  }
+  const m = /* @__PURE__ */ new Map();
+  for (const p of raw.programs) {
+    if (!p.programId || !p.name) throw new Error(`directory entry missing programId/name: ${JSON.stringify(p)}`);
+    if (m.has(p.programId)) throw new Error(`directory has duplicate programId ${p.programId}`);
+    m.set(p.programId, { ...p, provenance: { ...p.provenance ?? {}, directoryFile: path } });
+  }
+  if (path === bundledPath()) cache = m;
+  return m;
+}
+
+// src/trustGraph/programCache.ts
+import { readFileSync as readFileSync2, writeFileSync, mkdirSync, existsSync as existsSync2 } from "fs";
+import { join as join2, dirname } from "path";
+import { homedir } from "os";
+var DEFAULT_TTL_HOURS = 168;
+var SCHEMA_VERSION = "1.0";
+function defaultCachePath() {
+  const envOverride = process.env["BRAINBLAST_CACHE_PATH"];
+  return envOverride ?? join2(homedir(), ".brainblast", "program-cache.json");
+}
+function emptyCache() {
+  return { schemaVersion: SCHEMA_VERSION, entries: {} };
+}
+function loadProgramCache(cachePath) {
+  const path = cachePath ?? defaultCachePath();
+  if (!existsSync2(path)) return emptyCache();
+  try {
+    const raw = JSON.parse(readFileSync2(path, "utf8"));
+    if (raw?.schemaVersion !== SCHEMA_VERSION) {
+      return emptyCache();
+    }
+    if (!raw.entries || typeof raw.entries !== "object") return emptyCache();
+    return { schemaVersion: SCHEMA_VERSION, entries: raw.entries };
+  } catch {
+    return emptyCache();
+  }
+}
+function saveProgramCache(cache2, cachePath) {
+  const path = cachePath ?? defaultCachePath();
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, JSON.stringify(cache2, null, 2), "utf8");
+}
+function getCacheEntry(cache2, programId, ttlHoursOverride) {
+  const entry = cache2.entries[programId];
+  if (!entry) return null;
+  if (isEntryExpired(entry, ttlHoursOverride)) return null;
+  return entry.program;
+}
+function putCacheEntry(cache2, programId, program, sourceRun, ttlHours = DEFAULT_TTL_HOURS) {
+  cache2.entries[programId] = {
+    program,
+    cachedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    sourceRun,
+    ttlHours
+  };
+  return cache2;
+}
+function getCacheEntryMeta(cache2, programId) {
+  return cache2.entries[programId] ?? null;
+}
+function isEntryExpired(entry, ttlHoursOverride) {
+  const ttl = ttlHoursOverride ?? entry.ttlHours ?? DEFAULT_TTL_HOURS;
+  if (ttl <= 0) return true;
+  const cachedMs = Date.parse(entry.cachedAt);
+  if (Number.isNaN(cachedMs)) return true;
+  const ageMs = Date.now() - cachedMs;
+  return ageMs >= ttl * 36e5;
+}
+function cacheSize(cache2, ttlHoursOverride) {
+  return Object.values(cache2.entries).filter((e) => !isEntryExpired(e, ttlHoursOverride)).length;
+}
+
+// src/trustGraph/build.ts
+async function buildTrustGraph(programIds, opts = {}) {
+  const dir = loadDirectory(opts.directoryPath);
+  const programs = [];
+  const unresolved = [];
+  const cacheEnabled = opts.cachePath !== null;
+  const cachePathArg = opts.cachePath === null ? void 0 : opts.cachePath;
+  const cache2 = cacheEnabled ? loadProgramCache(cachePathArg) : null;
+  const newFromRpc = [];
+  const runId = (/* @__PURE__ */ new Date()).toISOString().replace(/[-:T]/g, "").slice(0, 14);
+  const seen = /* @__PURE__ */ new Set();
+  const ordered = programIds.filter((id) => seen.has(id) ? false : (seen.add(id), true));
+  for (const id of ordered) {
+    const directoryHit = dir.get(id);
+    if (directoryHit) {
+      programs.push(directoryHit);
+      continue;
+    }
+    if (cache2) {
+      const cached = getCacheEntry(cache2, id);
+      if (cached) {
+        const meta = getCacheEntryMeta(cache2, id);
+        programs.push({
+          ...cached,
+          provenance: {
+            ...cached.provenance ?? {},
+            notes: [
+              cached.provenance?.notes,
+              `cache-hit: cachedAt=${meta.cachedAt} sourceRun=${meta.sourceRun}`
+            ].filter(Boolean).join("; ")
+          }
+        });
+        continue;
+      }
+    }
+    if (opts.probeRpc === false) {
+      unresolved.push({
+        programId: id,
+        reason: "not_in_directory_or_cache_and_rpc_disabled"
+      });
+      continue;
+    }
+    let authority;
+    try {
+      authority = await probeUpgradeAuthority(id, opts);
+    } catch (e) {
+      unresolved.push({ programId: id, reason: `rpc_error: ${e?.message ?? String(e)}` });
+      continue;
+    }
+    const probed = {
+      programId: id,
+      name: `Unknown program (${id.slice(0, 8)}\u2026)`,
+      kind: "app",
+      upgradeAuthority: authority,
+      verifiedBuild: { state: "unknown" },
+      audits: [],
+      parity: { mainnet: "unknown", devnet: "unknown" },
+      provenance: { rpcUrl: opts.rpcUrl, notes: "live-probed; not in curated directory" }
+    };
+    programs.push(probed);
+    newFromRpc.push(id);
+    if (cache2) {
+      putCacheEntry(cache2, id, probed, runId);
+    }
+  }
+  if (cache2 && newFromRpc.length > 0) {
+    saveProgramCache(cache2, cachePathArg);
+  }
+  return { programs, unresolved, generatedAt: (/* @__PURE__ */ new Date()).toISOString() };
+}
+
+export {
+  loadDirectory,
+  DEFAULT_TTL_HOURS,
+  defaultCachePath,
+  loadProgramCache,
+  saveProgramCache,
+  getCacheEntry,
+  putCacheEntry,
+  getCacheEntryMeta,
+  isEntryExpired,
+  cacheSize,
+  buildTrustGraph
+};