brainblast 0.6.4 → 0.7.1

package/dist/chunk-XSVQSK53.js

@@ -0,0 +1,100 @@
+import {
+  base58Encode,
+  isValidSolanaAddress
+} from "./chunk-VG5FMOLW.js";
+
+// src/trustGraph/rpc.ts
+var BPF_UPGRADEABLE_LOADER = "BPFLoaderUpgradeab1e11111111111111111111111";
+var BPF_LOADER_2 = "BPFLoader2111111111111111111111111111111111";
+var NATIVE_LOADER = "NativeLoader1111111111111111111111111111111";
+var DEFAULT_RPC = "https://api.mainnet-beta.solana.com";
+async function rpc(method, params, opts) {
+  const url = opts.rpcUrl ?? DEFAULT_RPC;
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const ac = new AbortController();
+  const t = setTimeout(() => ac.abort(), opts.timeoutMs ?? 1e4);
+  try {
+    const res = await fetchImpl(url, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
+      signal: ac.signal
+    });
+    if (!res.ok) throw new Error(`rpc ${method}: HTTP ${res.status}`);
+    const body = await res.json();
+    if (body.error) throw new Error(`rpc ${method}: ${body.error.message}`);
+    if (body.result === void 0) throw new Error(`rpc ${method}: empty result`);
+    return body.result;
+  } finally {
+    clearTimeout(t);
+  }
+}
+async function getAccountInfo(address, opts = {}) {
+  if (!isValidSolanaAddress(address)) throw new Error(`invalid Solana address: ${address}`);
+  const result = await rpc(
+    "getAccountInfo",
+    [address, { encoding: "base64", commitment: "confirmed" }],
+    opts
+  );
+  if (!result || !result.value) return null;
+  const v = result.value;
+  const [b64] = v.data;
+  return {
+    owner: v.owner,
+    data: Buffer.from(b64, "base64"),
+    executable: v.executable,
+    lamports: v.lamports
+  };
+}
+async function probeUpgradeAuthority(programId, opts = {}) {
+  const acct = await getAccountInfo(programId, opts);
+  if (!acct) {
+    return {
+      kind: "unknown",
+      address: null,
+      source: "rpc",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (acct.owner === BPF_LOADER_2 || acct.owner === NATIVE_LOADER) {
+    return {
+      kind: "renounced",
+      address: null,
+      source: "rpc",
+      checkedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  if (acct.owner !== BPF_UPGRADEABLE_LOADER) {
+    throw new Error(
+      `program ${programId} is owned by ${acct.owner}, not a known loader; not a deployed program?`
+    );
+  }
+  if (acct.data.length < 36) throw new Error(`program account too small: ${acct.data.length}`);
+  const tag = acct.data[0] | acct.data[1] << 8 | acct.data[2] << 16 | acct.data[3] << 24;
+  if (tag !== 2) throw new Error(`expected Program (tag=2) state, got tag=${tag}`);
+  const programDataAddr = base58Encode(acct.data.subarray(4, 36));
+  const pd = await getAccountInfo(programDataAddr, opts);
+  if (!pd) {
+    throw new Error(`program ${programId} ProgramData ${programDataAddr} not found`);
+  }
+  if (pd.data.length < 45) throw new Error(`ProgramData account too small: ${pd.data.length}`);
+  const pdTag = pd.data[0] | pd.data[1] << 8 | pd.data[2] << 16 | pd.data[3] << 24;
+  if (pdTag !== 3) throw new Error(`expected ProgramData (tag=3), got tag=${pdTag}`);
+  const optionTag = pd.data[12];
+  const checkedAt = (/* @__PURE__ */ new Date()).toISOString();
+  if (optionTag === 0) {
+    return { kind: "renounced", address: null, source: "rpc", checkedAt };
+  }
+  if (optionTag !== 1) throw new Error(`unexpected Option tag in ProgramData: ${optionTag}`);
+  const authority = base58Encode(pd.data.subarray(13, 45));
+  return { kind: "unknown", address: authority, source: "rpc", checkedAt };
+}
+
+export {
+  BPF_UPGRADEABLE_LOADER,
+  BPF_LOADER_2,
+  NATIVE_LOADER,
+  DEFAULT_RPC,
+  getAccountInfo,
+  probeUpgradeAuthority
+};

package/dist/cli.js

@@ -2,28 +2,36 @@
 import {
   analyzeCosts,
   applyDiffToFile,
-  buildTrustGraph,
-  cacheSize,
-  defaultCachePath,
   initPack,
   isTelemetryEnabled,
-  isValidSolanaAddress,
-  loadProgramCache,
   parseDiff,
   recordGraduationEvents,
   renderCostReportMd,
-  renderTrustGraphMd,
   startWatch,
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-HXQNNGSC.js";
+} from "./chunk-B2M3TZSA.js";
+import {
+  renderTrustGraphMd
+} from "./chunk-2UZGWXIX.js";
+import {
+  buildTrustGraph,
+  cacheSize,
+  defaultCachePath,
+  loadProgramCache
+} from "./chunk-SVSVVW6U.js";
 import {
   audit,
   getChangedRanges,
   resolveRules
-} from "./chunk-2Y6UILTZ.js";
+} from "./chunk-IY52XKWL.js";
 import "./chunk-2XJORJPQ.js";
+import "./chunk-O5Z4ZJHC.js";
+import "./chunk-XSVQSK53.js";
+import {
+  isValidSolanaAddress
+} from "./chunk-VG5FMOLW.js";
 import "./chunk-3RG5ZIWI.js";
 
 // src/cli.ts
@@ -120,7 +128,7 @@ if (args[0] === "drift") {
   process.exit(0);
 }
 if (args[0] === "mcp") {
-  const { startMcpServer } = await import("./mcp-FCKMS2MQ.js");
+  const { startMcpServer } = await import("./mcp-AM7MTCSZ.js");
   await startMcpServer();
   process.exit(0);
 }
@@ -144,10 +152,57 @@ if (args[0] === "watch") {
   await new Promise(() => {
   });
 }
+if (args[0] === "watch-chain") {
+  const rest = args.slice(1);
+  const programId = rest.find((a) => !a.startsWith("--"));
+  if (!programId) {
+    console.error("usage: brainblast watch-chain <program-id> [--rpc URL] [--interval <seconds>] [--limit N]");
+    console.error("  Poll a deployed program for new activity and upgrade-authority changes. Emits NDJSON.");
+    process.exit(2);
+  }
+  const { startChainWatch } = await import("./watchChain-F6INXAPA.js");
+  const rpcIdx = rest.indexOf("--rpc");
+  const rpcUrl = rpcIdx >= 0 ? rest[rpcIdx + 1] : void 0;
+  const intIdx = rest.indexOf("--interval");
+  const intervalMs = intIdx >= 0 ? parseInt(rest[intIdx + 1], 10) * 1e3 : void 0;
+  const limIdx = rest.indexOf("--limit");
+  const limit = limIdx >= 0 ? parseInt(rest[limIdx + 1], 10) : void 0;
+  const handle = startChainWatch(programId, { rpcUrl, intervalMs, limit });
+  process.on("SIGINT", () => {
+    handle.stop();
+    process.exit(0);
+  });
+  process.on("SIGTERM", () => {
+    handle.stop();
+    process.exit(0);
+  });
+  await new Promise(() => {
+  });
+}
 if (args[0] === "rico") {
   await runRico(args.slice(1));
   process.exit(0);
 }
+if (args[0] === "firewall") {
+  await runFirewall(args.slice(1));
+  process.exit(0);
+}
+if (args[0] === "idl-rules") {
+  await runIdlRules(args.slice(1));
+  process.exit(0);
+}
+if (args[0] === "score") {
+  await runScore(args.slice(1));
+  process.exit(0);
+}
+if (args[0] === "pump-check") {
+  await runPumpCheck(args.slice(1));
+  process.exit(0);
+}
+if (args[0] === "batch") {
+  await runBatch(args.slice(1));
+  process.exit(0);
+}
 if (args[0] === "fix") {
   await runFix(args.slice(1));
   process.exit(0);
@@ -620,3 +675,177 @@ ${renderRicoText(ricoResult.result)}`);
     process.exit(1);
   }
 }
+async function runFirewall(argv) {
+  const { inspectTransaction, renderFirewallText } = await import("./firewall-HN5XJLGC.js");
+  const tx = argv.find((a) => !a.startsWith("--"));
+  if (!tx) {
+    console.error("usage: brainblast firewall <base64-tx> [--rpc URL] [--no-simulate] [--message-only] [--strict] [--json]");
+    console.error("  Inspect a serialized Solana transaction before an agent signs it.");
+    console.error("  Exit 1 on BLOCK verdict (or any WARN with --strict).");
+    process.exit(2);
+  }
+  const rpcIdx = argv.indexOf("--rpc");
+  const rpcUrl = rpcIdx >= 0 ? argv[rpcIdx + 1] : void 0;
+  const noSimulate = argv.includes("--no-simulate");
+  const messageOnly = argv.includes("--message-only");
+  const strict2 = argv.includes("--strict");
+  const jsonOut = argv.includes("--json");
+  let report2;
+  try {
+    report2 = await inspectTransaction(tx, { rpcUrl, simulate: !noSimulate, messageOnly });
+  } catch (e) {
+    console.error(`brainblast firewall: ${e?.message ?? String(e)}`);
+    process.exit(2);
+  }
+  if (jsonOut) {
+    console.log(JSON.stringify(report2, null, 2));
+  } else {
+    console.log(renderFirewallText(report2));
+  }
+  if (report2.verdict === "block" || strict2 && report2.verdict === "warn") {
+    process.exit(1);
+  }
+}
+async function runIdlRules(argv) {
+  const { readFileSync: readFileSync2, writeFileSync: writeFileSync3, mkdirSync: mkdirSync3 } = await import("fs");
+  const { join: join3 } = await import("path");
+  const { parseIdl, generateRulesFromIdl, renderRulesYaml } = await import("./idlRules-3KZML4NL.js");
+  const idlPath = argv.find((a) => !a.startsWith("--"));
+  if (!idlPath) {
+    console.error("usage: brainblast idl-rules <idl.json> [--out <dir>] [--json]");
+    console.error("  Generate brainblast rules from an Anchor IDL's account constraints.");
+    process.exit(2);
+  }
+  const outIdx = argv.indexOf("--out");
+  const outDir2 = outIdx >= 0 ? argv[outIdx + 1] : void 0;
+  const jsonOut = argv.includes("--json");
+  let idl;
+  try {
+    idl = parseIdl(JSON.parse(readFileSync2(idlPath, "utf8")));
+  } catch (e) {
+    console.error(`brainblast idl-rules: ${e?.message ?? String(e)}`);
+    process.exit(2);
+  }
+  const rules2 = generateRulesFromIdl(idl);
+  if (rules2.length === 0) {
+    console.error("brainblast idl-rules: IDL produced no rules (no instructions?)");
+    process.exit(1);
+  }
+  if (jsonOut) {
+    console.log(JSON.stringify(rules2, null, 2));
+    return;
+  }
+  const yaml = renderRulesYaml(rules2);
+  if (outDir2) {
+    mkdirSync3(outDir2, { recursive: true });
+    const file = join3(outDir2, `${rules2[0].id}.yaml`);
+    writeFileSync3(file, yaml);
+    console.log(`Generated ${rules2.length} rule(s) \u2192 ${file}`);
+    console.log(`  Run against your program:  npx brainblast <program-dir> --packs <pack-with-this-rule>`);
+  } else {
+    console.log(yaml);
+  }
+}
+async function runScore(argv) {
+  const { scoreProgram, renderScoreText, gradeAtLeast } = await import("./score-VLKER37D.js");
+  const { isValidSolanaAddress: isValidSolanaAddress2 } = await import("./trustGraph-4SSJOQKT.js");
+  const programId = argv.find((a) => !a.startsWith("--"));
+  if (!programId) {
+    console.error("usage: brainblast score <program-id> [--rpc URL] [--no-probe] [--min A|B|C|D|F] [--json]");
+    console.error("  Compute a 0-100 trust score + A-F grade for a deployed Solana program.");
+    process.exit(2);
+  }
+  if (!isValidSolanaAddress2(programId)) {
+    console.error(`brainblast score: not a valid Solana address: ${programId}`);
+    process.exit(2);
+  }
+  const rpcIdx = argv.indexOf("--rpc");
+  const rpcUrl = rpcIdx >= 0 ? argv[rpcIdx + 1] : void 0;
+  const noProbe = argv.includes("--no-probe");
+  const minIdx = argv.indexOf("--min");
+  const min = minIdx >= 0 ? argv[minIdx + 1] : void 0;
+  const jsonOut = argv.includes("--json");
+  let result;
+  try {
+    result = await scoreProgram(programId, { rpcUrl, probeRpc: !noProbe });
+  } catch (e) {
+    console.error(`brainblast score: ${e?.message ?? String(e)}`);
+    process.exit(1);
+  }
+  if (jsonOut) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(renderScoreText(result));
+  }
+  if (min && !gradeAtLeast(result.grade, min)) {
+    process.exit(1);
+  }
+}
+async function runPumpCheck(argv) {
+  const { pumpPreflight, renderPreflightText } = await import("./pumpCheck-K2ESOBNU.js");
+  const mint = argv.find((a) => !a.startsWith("--"));
+  if (!mint) {
+    console.error("usage: brainblast pump-check <mint> [--rpc URL] [--api-key KEY] [--fail-on SCORE] [--offline] [--json]");
+    console.error("  Launch pre-flight: mint/freeze authority, identity, and Rico Maps forensics \u2192 GO/CAUTION/NO-GO.");
+    process.exit(2);
+  }
+  const rpcIdx = argv.indexOf("--rpc");
+  const rpcUrl = rpcIdx >= 0 ? argv[rpcIdx + 1] : void 0;
+  const keyIdx = argv.indexOf("--api-key");
+  const apiKey = keyIdx >= 0 ? argv[keyIdx + 1] : void 0;
+  const failIdx = argv.indexOf("--fail-on");
+  const failOnRisk = failIdx >= 0 ? parseInt(argv[failIdx + 1], 10) : void 0;
+  const offline = argv.includes("--offline");
+  const jsonOut = argv.includes("--json");
+  let report2;
+  try {
+    report2 = await pumpPreflight(mint, { rpcUrl, apiKey, failOnRisk, offline });
+  } catch (e) {
+    console.error(`brainblast pump-check: ${e?.message ?? String(e)}`);
+    process.exit(2);
+  }
+  if (jsonOut) {
+    console.log(JSON.stringify(report2, null, 2));
+  } else {
+    console.log(renderPreflightText(report2));
+  }
+  if (report2.verdict === "NO-GO") process.exit(1);
+}
+async function runBatch(argv) {
+  const { readFileSync: readFileSync2 } = await import("fs");
+  const { batchScan, parseMintList, renderBatchText } = await import("./batchScan-JR2G5JCF.js");
+  const file = argv.find((a) => !a.startsWith("--"));
+  if (!file) {
+    console.error("usage: brainblast batch <file> [--concurrency N] [--api-key KEY] [--fail-on SCORE] [--offline] [--json]");
+    console.error("  Risk-rank a list of contract addresses (newline-separated or JSON array).");
+    process.exit(2);
+  }
+  let mints;
+  try {
+    mints = parseMintList(readFileSync2(file, "utf8"));
+  } catch (e) {
+    console.error(`brainblast batch: ${e?.message ?? String(e)}`);
+    process.exit(2);
+  }
+  if (mints.length === 0) {
+    console.error("brainblast batch: no addresses found in file");
+    process.exit(2);
+  }
+  const concIdx = argv.indexOf("--concurrency");
+  const concurrency = concIdx >= 0 ? parseInt(argv[concIdx + 1], 10) : void 0;
+  const keyIdx = argv.indexOf("--api-key");
+  const apiKey = keyIdx >= 0 ? argv[keyIdx + 1] : void 0;
+  const failIdx = argv.indexOf("--fail-on");
+  const failOnRisk = failIdx >= 0 ? parseInt(argv[failIdx + 1], 10) : void 0;
+  const offline = argv.includes("--offline");
+  const jsonOut = argv.includes("--json");
+  const result = await batchScan(mints, { concurrency, apiKey, failOnRisk, offline });
+  if (jsonOut) {
+    console.log(JSON.stringify(result, null, 2));
+  } else {
+    console.log(renderBatchText(result));
+  }
+  if (result.summary.impersonators > 0 || result.summary.highRisk > 0) {
+    process.exit(1);
+  }
+}

package/dist/firewall-HN5XJLGC.js

@@ -0,0 +1,18 @@
+import {
+  KNOWN_PROGRAMS,
+  analyzeInstructions,
+  decodeTransaction,
+  inspectTransaction,
+  parseCpiPrograms,
+  renderFirewallText
+} from "./chunk-HL7NVANZ.js";
+import "./chunk-VG5FMOLW.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  KNOWN_PROGRAMS,
+  analyzeInstructions,
+  decodeTransaction,
+  inspectTransaction,
+  parseCpiPrograms,
+  renderFirewallText
+};

package/dist/idlRules-3KZML4NL.js

@@ -0,0 +1,17 @@
+import {
+  buildConstraintParams,
+  generateRulesFromIdl,
+  idlProgramName,
+  parseIdl,
+  renderRulesYaml,
+  toSnakeCase
+} from "./chunk-O5Z4ZJHC.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  buildConstraintParams,
+  generateRulesFromIdl,
+  idlProgramName,
+  parseIdl,
+  renderRulesYaml,
+  toSnakeCase
+};

package/dist/index.d.ts

@@ -624,4 +624,241 @@ declare function analyzeToken(mint: string, opts?: {
     baseUrl?: string;
 }): Promise<RicoOutcome>;
 
-export { type AccountFlow, type AuditRef, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, type GraduationEvent, type IdentityStatus, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkerKinds, defaultCachePath, deployerFlagsFrom, diffVersions, fileChanged, findCandidates, findConfigCandidates, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, initPack, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseDiff, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderRicoText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, seedPackages, startWatch, submitTelemetry, telemetryFilePath, testKinds, validatePack, validatePackManifest, verifyTokenIdentity };
+declare const KNOWN_PROGRAMS: Record<string, string>;
+type FirewallSeverity = "info" | "warn" | "critical";
+type FirewallVerdict = "allow" | "warn" | "block";
+interface FirewallFinding {
+    severity: FirewallSeverity;
+    kind: string;
+    detail: string;
+}
+interface FirewallProgram {
+    id: string;
+    label: string | null;
+    known: boolean;
+    topLevel: boolean;
+}
+interface DecodedInstruction {
+    programIdIndex: number;
+    programId: string;
+    accountIndexes: number[];
+    data: Uint8Array;
+}
+interface DecodedTx {
+    version: "legacy" | number;
+    numRequiredSignatures: number;
+    numReadonlySigned: number;
+    numReadonlyUnsigned: number;
+    staticAccountKeys: string[];
+    recentBlockhash: string;
+    instructions: DecodedInstruction[];
+    addressTableLookups: {
+        accountKey: string;
+        writableCount: number;
+        readonlyCount: number;
+    }[];
+}
+interface FirewallReport {
+    version: "legacy" | number;
+    feePayer: string;
+    numSigners: number;
+    staticAccounts: number;
+    programs: FirewallProgram[];
+    usesAddressLookupTables: boolean;
+    simulation: {
+        ran: boolean;
+        ok?: boolean;
+        err?: unknown;
+        unitsConsumed?: number;
+        logsCount?: number;
+        cpiPrograms?: string[];
+    };
+    findings: FirewallFinding[];
+    verdict: FirewallVerdict;
+}
+declare function decodeTransaction(base64: string, opts?: {
+    messageOnly?: boolean;
+}): DecodedTx;
+declare function analyzeInstructions(decoded: DecodedTx, known: Record<string, string>): FirewallFinding[];
+declare function parseCpiPrograms(logs: string[]): string[];
+interface FirewallOpts extends RpcOpts {
+    simulate?: boolean;
+    messageOnly?: boolean;
+    knownPrograms?: Record<string, string>;
+}
+declare function inspectTransaction(base64: string, opts?: FirewallOpts): Promise<FirewallReport>;
+declare function renderFirewallText(r: FirewallReport): string;
+
+interface IdlAccount {
+    name: string;
+    isMut?: boolean;
+    isSigner?: boolean;
+    accounts?: IdlAccount[];
+}
+interface IdlInstruction {
+    name: string;
+    accounts: IdlAccount[];
+}
+interface AnchorIdl {
+    name?: string;
+    metadata?: {
+        name?: string;
+        version?: string;
+    };
+    version?: string;
+    instructions: IdlInstruction[];
+}
+declare function toSnakeCase(s: string): string;
+declare function idlProgramName(idl: AnchorIdl): string;
+declare function parseIdl(json: unknown): AnchorIdl;
+interface IdlConstraintParams {
+    idlName: string;
+    instructions: {
+        name: string;
+        signers: string[];
+        mutable: string[];
+    }[];
+}
+declare function buildConstraintParams(idl: AnchorIdl): IdlConstraintParams;
+declare function generateRulesFromIdl(idl: AnchorIdl): Rule[];
+declare function renderRulesYaml(rules: Rule[]): string;
+
+type Grade = "A" | "B" | "C" | "D" | "F";
+interface ScoreFactor {
+    name: string;
+    weight: number;
+    points: number;
+    detail: string;
+}
+interface TrustScore {
+    programId: string;
+    resolved: boolean;
+    score: number | null;
+    grade: Grade | "unrated";
+    factors: ScoreFactor[];
+    summary: string;
+    program?: OnChainProgram;
+    unresolvedReason?: string;
+}
+declare function gradeForScore(score: number): Grade;
+declare function scoreFromProgram(program: OnChainProgram): TrustScore;
+declare function scoreProgram(programId: string, opts?: BuildOpts): Promise<TrustScore>;
+declare function renderScoreText(s: TrustScore): string;
+declare function gradeAtLeast(grade: Grade | "unrated", min: Grade): boolean;
+
+type ChainEvent = {
+    type: "watch_started";
+    programId: string;
+    headSignature: string | null;
+    baselineAuthority: string | null;
+    ts: string;
+} | {
+    type: "new_activity";
+    programId: string;
+    newCount: number;
+    signatures: string[];
+    ts: string;
+} | {
+    type: "authority_changed";
+    programId: string;
+    from: string | null;
+    to: string | null;
+    ts: string;
+} | {
+    type: "poll_error";
+    programId: string;
+    message: string;
+    ts: string;
+};
+interface ChainWatchState {
+    lastSignature: string | null;
+    baselineAuthority: string | null;
+    initialized: boolean;
+}
+interface ChainWatchOpts extends RpcOpts {
+    limit?: number;
+    intervalMs?: number;
+    emit?: (e: ChainEvent) => void;
+    probeAuthority?: (programId: string, opts: RpcOpts) => Promise<{
+        address: string | null;
+    }>;
+}
+declare function pollChainOnce(programId: string, state: ChainWatchState, opts?: ChainWatchOpts): Promise<{
+    events: ChainEvent[];
+    state: ChainWatchState;
+}>;
+declare function initialChainWatchState(): ChainWatchState;
+declare function startChainWatch(programId: string, opts?: ChainWatchOpts): {
+    stop: () => void;
+};
+
+type PreflightStatus = "pass" | "warn" | "fail" | "skip";
+type PreflightVerdict = "GO" | "CAUTION" | "NO-GO";
+interface PreflightCheck {
+    id: string;
+    label: string;
+    status: PreflightStatus;
+    detail: string;
+}
+interface MintInfo {
+    mintAuthorityRevoked: boolean;
+    freezeAuthorityRevoked: boolean;
+    mintAuthority: string | null;
+    freezeAuthority: string | null;
+    supply: string;
+    decimals: number;
+    isInitialized: boolean;
+}
+interface PreflightReport {
+    mint: string;
+    verdict: PreflightVerdict;
+    checks: PreflightCheck[];
+    mintInfo?: MintInfo;
+    identity?: TokenIdentity;
+    quality?: RicoResult;
+}
+declare function parseMintAccount(data: Uint8Array): MintInfo;
+interface PreflightOpts extends RpcOpts {
+    apiKey?: string;
+    ricoBaseUrl?: string;
+    jupBaseUrl?: string;
+    offline?: boolean;
+    failOnRisk?: number;
+}
+declare function pumpPreflight(mint: string, opts?: PreflightOpts): Promise<PreflightReport>;
+declare function renderPreflightText(r: PreflightReport): string;
+
+interface BatchRow {
+    mint: string;
+    identityStatus: IdentityStatus | "error";
+    impersonation: boolean;
+    symbol?: string;
+    riskScore?: number;
+    snipers?: boolean;
+    bundleClusters?: boolean;
+    deployerFlags?: string[];
+    error?: string;
+    rank: number;
+}
+interface BatchResult {
+    rows: BatchRow[];
+    summary: {
+        total: number;
+        impersonators: number;
+        highRisk: number;
+        errored: number;
+    };
+}
+interface BatchScanOpts {
+    apiKey?: string;
+    ricoBaseUrl?: string;
+    jupBaseUrl?: string;
+    offline?: boolean;
+    concurrency?: number;
+    failOnRisk?: number;
+}
+declare function batchScan(mints: string[], opts?: BatchScanOpts): Promise<BatchResult>;
+declare function parseMintList(content: string): string[];
+declare function renderBatchText(result: BatchResult): string;
+
+export { type AccountFlow, type AnchorIdl, type AuditRef, type BatchResult, type BatchRow, type BatchScanOpts, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChainEvent, type ChainWatchOpts, type ChainWatchState, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DecodedInstruction, type DecodedTx, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, type FirewallFinding, type FirewallOpts, type FirewallProgram, type FirewallReport, type FirewallSeverity, type FirewallVerdict, type Grade, type GraduationEvent, type IdentityStatus, type IdlAccount, type IdlConstraintParams, type IdlInstruction, KNOWN_PROGRAMS, type MintInfo, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PreflightCheck, type PreflightOpts, type PreflightReport, type PreflightStatus, type PreflightVerdict, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type ScoreFactor, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type TrustScore, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeInstructions, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, batchScan, buildConstraintParams, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkerKinds, decodeTransaction, defaultCachePath, deployerFlagsFrom, diffVersions, fileChanged, findCandidates, findConfigCandidates, generateRulesFromIdl, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getRepoHash, getUserHash, getWorkingTreeChanges, gradeAtLeast, gradeForScore, idlProgramName, initPack, initialChainWatchState, inspectTransaction, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseCpiPrograms, parseDiff, parseIdl, parseMintAccount, parseMintList, pollChainOnce, pumpPreflight, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderBatchText, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderFirewallText, renderPreflightText, renderRicoText, renderRulesYaml, renderScoreText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, scoreFromProgram, scoreProgram, seedPackages, startChainWatch, startWatch, submitTelemetry, telemetryFilePath, testKinds, toSnakeCase, validatePack, validatePackManifest, verifyTokenIdentity };