brainblast 0.7.0 → 0.7.2

package/dist/{chunk-34VXOLJF.js → chunk-B2M3TZSA.js}

@@ -7,7 +7,7 @@ import {
   loadPack,
   resolveRules,
   walk
-} from "./chunk-CRYFCQYM.js";
+} from "./chunk-IY52XKWL.js";
 
 // src/costAnalysis.ts
 import { Project, SyntaxKind } from "ts-morph";

package/dist/{chunk-CRYFCQYM.js → chunk-IY52XKWL.js}

@@ -913,6 +913,89 @@ function anchorIdlAccount(c, params) {
   };
 }
 
+// src/checkers/anchorAccountMissingConstraint.ts
+var DEFAULT_AUTHORITY_RE = /^(authority|admin|owner|payer|caller|signer|user|operator|manager|creator|deployer)$/i;
+function anchorAccountMissingConstraint(c, p) {
+  const namePattern = p?.nameRegex ? new RegExp(p.nameRegex) : DEFAULT_AUTHORITY_RE;
+  const authorityFields = c.accountFields.filter((f) => namePattern.test(f.name));
+  if (authorityFields.length === 0) {
+    return {
+      result: "cant_tell",
+      detail: p?.absentDetail ?? `Handler '${c.fnName}' has no authority-named account fields matching the pattern; rule does not apply.`
+    };
+  }
+  const missing = authorityFields.filter(
+    (f) => f.typeName.includes("AccountInfo") && !f.attrText.includes("signer") && !f.typeName.includes("Signer<")
+  );
+  if (missing.length > 0) {
+    const names = missing.map((f) => `'${f.name}'`).join(", ");
+    return {
+      result: "fail",
+      detail: p?.failDetail ?? `Handler '${c.fnName}': authority-named field(s) ${names} use AccountInfo<'info> without a \`signer\` constraint. Anchor performs no signing check on AccountInfo \u2014 any key can be passed as the authority and privileged instructions will execute without signature validation. Fix: change the type to Signer<'info>, or add #[account(signer)] to the field's constraint.`
+    };
+  }
+  return {
+    result: "pass",
+    detail: p?.passDetail ?? `Handler '${c.fnName}': all authority-named fields use Signer<'info> or have a signer constraint.`
+  };
+}
+
+// src/checkers/anchorForbiddenAccountType.ts
+var DEFAULT_FORBIDDEN = "UncheckedAccount";
+function anchorForbiddenAccountType(c, p) {
+  const forbidden = p?.forbiddenType ?? DEFAULT_FORBIDDEN;
+  const flagged = c.accountFields.filter((f) => f.typeName.includes(forbidden));
+  if (flagged.length === 0) {
+    if (c.accountFields.length > 0) {
+      return {
+        result: "pass",
+        detail: p?.passDetail ?? `Handler '${c.fnName}' has no '${forbidden}' account fields.`
+      };
+    }
+    return {
+      result: "cant_tell",
+      detail: p?.absentDetail ?? `Handler '${c.fnName}' has no account fields to inspect; rule does not apply.`
+    };
+  }
+  const names = flagged.map((f) => `'${f.name}'`).join(", ");
+  return {
+    result: "fail",
+    detail: p?.failDetail ?? `Handler '${c.fnName}' uses ${forbidden}<'info> on account(s) ${names}. ${forbidden} performs no runtime validation \u2014 ownership, signer status, and data layout are entirely unchecked. Replace with a typed account: Account<'info, T> (program-owned data), Signer<'info> (must sign), SystemAccount<'info> (system-owned), or InterfaceAccount<'info, T> (Token-2022 compatible).`
+  };
+}
+
+// src/checkers/anchorBodyCallPattern.ts
+function anchorBodyCallPattern(c, p) {
+  if (!p?.forbiddenPattern) {
+    return { result: "cant_tell", detail: "anchorBodyCallPattern: no forbiddenPattern param provided." };
+  }
+  const forbidden = new RegExp(p.forbiddenPattern);
+  const exempt = p?.exemptPattern ? new RegExp(p.exemptPattern) : null;
+  const hasForbidden = forbidden.test(c.fnBodyText);
+  if (!hasForbidden) {
+    if (c.fnBodyText.trim().length > 0) {
+      return {
+        result: "pass",
+        detail: p?.passDetail ?? `Handler '${c.fnName}' does not contain the forbidden pattern '${p.forbiddenPattern}'.`
+      };
+    }
+    return {
+      result: "cant_tell",
+      detail: p?.absentDetail ?? `Handler '${c.fnName}' has an empty body; rule does not apply.`
+    };
+  }
+  if (exempt && exempt.test(c.fnBodyText)) {
+    return {
+      result: "pass",
+      detail: p?.passDetail ?? `Handler '${c.fnName}' contains '${p.forbiddenPattern}' but also matches the exemption pattern \u2014 considered safe.`
+    };
+  }
+  return {
+    result: "fail",
+    detail: p?.failDetail ?? `Handler '${c.fnName}' body contains '${p.forbiddenPattern}', which is a known footgun pattern. Use the Anchor seeds + bump constraint on the Accounts struct instead of deriving PDAs at runtime.`
+  };
+}
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -927,7 +1010,10 @@ var registry = {
   "literal-multiplier-wrong-constant": literalMultiplierWrongConstant,
   "forbidden-call-replacement": forbiddenCallReplacement,
   "solana-mint-identity-mismatch": solanaMintIdentity,
-  "anchor-account-matches-idl": anchorIdlAccount
+  "anchor-account-matches-idl": anchorIdlAccount,
+  "anchor-account-missing-constraint": anchorAccountMissingConstraint,
+  "anchor-forbidden-account-type": anchorForbiddenAccountType,
+  "anchor-body-call-pattern": anchorBodyCallPattern
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];

package/dist/cli.js

@@ -4,14 +4,16 @@ import {
   applyDiffToFile,
   initPack,
   isTelemetryEnabled,
+  lamportsToSol,
   parseDiff,
   recordGraduationEvents,
   renderCostReportMd,
+  rentExemptMinimum,
   startWatch,
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-34VXOLJF.js";
+} from "./chunk-B2M3TZSA.js";
 import {
   renderTrustGraphMd
 } from "./chunk-2UZGWXIX.js";
@@ -25,7 +27,7 @@ import {
   audit,
   getChangedRanges,
   resolveRules
-} from "./chunk-CRYFCQYM.js";
+} from "./chunk-IY52XKWL.js";
 import "./chunk-2XJORJPQ.js";
 import "./chunk-O5Z4ZJHC.js";
 import "./chunk-XSVQSK53.js";
@@ -36,7 +38,7 @@ import "./chunk-3RG5ZIWI.js";
 
 // src/cli.ts
 import { writeFileSync as writeFileSync2, mkdirSync as mkdirSync2 } from "fs";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 
 // src/memory.ts
 import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
@@ -109,6 +111,351 @@ function updateMemory(memory, checks2, now = /* @__PURE__ */ new Date()) {
   return { memory: { schemaVersion: "1.0", lastRun, fixHistory }, precedents };
 }
 
+// src/deployPlan.ts
+import { readFileSync as readFileSync2, readdirSync, statSync, existsSync as existsSync2 } from "fs";
+import { join as join2 } from "path";
+import { createRequire } from "module";
+var PROGRAM_ACCOUNT_SIZE = 36;
+var PROGRAMDATA_METADATA = 45;
+var BUFFER_METADATA = 37;
+var DEFAULT_MAX_LEN_MULTIPLIER = 2;
+var WRITE_CHUNK_BYTES = 1012;
+var BASE_TX_FEE_LAMPORTS = 5e3;
+var _require = createRequire(import.meta.url);
+var _parser = null;
+function getParser() {
+  if (_parser) return _parser;
+  const Parser = _require("tree-sitter");
+  const Rust = _require("tree-sitter-rust");
+  _parser = new Parser();
+  _parser.setLanguage(Rust);
+  return _parser;
+}
+function walkRust(dir, out = []) {
+  for (const entry of readdirSync(dir)) {
+    if (entry === "node_modules" || entry === ".git" || entry === "target") continue;
+    const p = join2(dir, entry);
+    const st = statSync(p);
+    if (st.isDirectory()) walkRust(p, out);
+    else if (p.endsWith(".rs")) out.push(p);
+  }
+  return out;
+}
+function named(node) {
+  const out = [];
+  for (let i = 0; i < node.childCount; i++) {
+    const c = node.child(i);
+    if (c.isNamed) out.push(c);
+  }
+  return out;
+}
+function itemsWithAttrs(containerNode) {
+  const result = [];
+  let pending = [];
+  for (const kid of named(containerNode)) {
+    if (kid.type === "attribute_item") pending.push(kid.text);
+    else {
+      result.push({ attrs: pending, node: kid });
+      pending = [];
+    }
+  }
+  return result;
+}
+function evalSpaceExpr(expr) {
+  const tokens = expr.split("+").map((t) => t.trim());
+  let value = 0;
+  let literal = true;
+  for (const t of tokens) {
+    if (/^\d+$/.test(t)) value += parseInt(t, 10);
+    else if (t.length > 0) literal = false;
+  }
+  return { value, literal };
+}
+function attrValue(attrText, key) {
+  const re = new RegExp(`\\b${key}\\s*=\\s*`);
+  const m = re.exec(attrText);
+  if (!m) return null;
+  let i = m.index + m[0].length;
+  let depth = 0;
+  let out = "";
+  for (; i < attrText.length; i++) {
+    const ch = attrText[i];
+    if (ch === "[" || ch === "(") depth++;
+    else if (ch === "]" || ch === ")") {
+      if (depth === 0) break;
+      depth--;
+    } else if (ch === "," && depth === 0) break;
+    out += ch;
+  }
+  return out.trim() || null;
+}
+function parseInitAccounts(targetDir2) {
+  const parser = getParser();
+  const accounts = [];
+  for (const file of walkRust(targetDir2)) {
+    let src;
+    try {
+      src = readFileSync2(file, "utf8");
+    } catch {
+      continue;
+    }
+    if (!src.includes("#[derive(Accounts)]") && !src.includes("Accounts)]")) continue;
+    const tree = parser.parse(src);
+    const root = tree.rootNode;
+    const topPairs = itemsWithAttrs(root);
+    for (const { attrs, node } of topPairs) {
+      if (node.type !== "struct_item") continue;
+      const isAccounts = attrs.some((a) => a.includes("Accounts"));
+      if (!isAccounts) continue;
+      const nameNode = node.childForFieldName("name");
+      const structName = nameNode?.text ?? "<anonymous>";
+      const body = node.childForFieldName("body");
+      if (!body) continue;
+      for (const { attrs: fAttrs, node: fNode } of itemsWithAttrs(body)) {
+        if (fNode.type !== "field_declaration") continue;
+        const attrText = fAttrs.join("\n");
+        const hasInit = /\binit\b/.test(attrText) || /\binit_if_needed\b/.test(attrText);
+        if (!hasInit) continue;
+        const fieldName = fNode.childForFieldName("name")?.text ?? "?";
+        const typeName = fNode.childForFieldName("type")?.text ?? "?";
+        const spaceRaw = attrValue(attrText, "space");
+        let space = null;
+        let spaceExpr;
+        if (spaceRaw) {
+          const { value, literal } = evalSpaceExpr(spaceRaw);
+          if (literal) space = value;
+          else {
+            space = null;
+            spaceExpr = spaceRaw;
+          }
+        }
+        accounts.push({
+          name: fieldName,
+          struct: structName,
+          file,
+          line: fNode.startPosition.row + 1,
+          typeName,
+          space,
+          spaceExpr,
+          rentLamports: space === null ? null : rentExemptMinimum(space),
+          seeds: attrValue(attrText, "seeds"),
+          payer: attrValue(attrText, "payer"),
+          conditional: /\binit_if_needed\b/.test(attrText)
+        });
+      }
+    }
+  }
+  return accounts;
+}
+function findProgramBinary(targetDir2) {
+  const candidates = [
+    join2(targetDir2, "target", "deploy"),
+    join2(targetDir2, "target", "sbf-solana-solana", "release"),
+    join2(targetDir2, "target", "bpfel-unknown-unknown", "release")
+  ];
+  let best = null;
+  for (const dir of candidates) {
+    if (!existsSync2(dir)) continue;
+    for (const entry of readdirSync(dir)) {
+      if (!entry.endsWith(".so")) continue;
+      const p = join2(dir, entry);
+      const bytes = statSync(p).size;
+      if (!best || bytes > best.bytes) best = { path: p, bytes };
+    }
+  }
+  return best;
+}
+function buildDeployPlan(targetDir2, opts = {}) {
+  const maxLenMultiplier = opts.maxLenMultiplier ?? DEFAULT_MAX_LEN_MULTIPLIER;
+  const priorityMicroLamports = opts.priorityMicroLamports ?? 0;
+  const binary = opts.programLen != null ? null : findProgramBinary(targetDir2);
+  const programLen = opts.programLen ?? binary?.bytes ?? null;
+  const initAccounts = parseInitAccounts(targetDir2);
+  const unresolvedInit = initAccounts.filter((a) => a.rentLamports === null);
+  const initRentLamports = initAccounts.reduce((s, a) => s + (a.rentLamports ?? 0), 0);
+  const programAccountRent = programLen == null ? 0 : rentExemptMinimum(PROGRAM_ACCOUNT_SIZE);
+  const programDataRent = programLen == null ? 0 : rentExemptMinimum(PROGRAMDATA_METADATA + maxLenMultiplier * programLen);
+  const bufferRent = programLen == null ? 0 : rentExemptMinimum(BUFFER_METADATA + programLen);
+  const writeTxCount = programLen == null ? 0 : Math.ceil(programLen / WRITE_CHUNK_BYTES);
+  const initStructs = [...new Set(initAccounts.map((a) => a.struct))];
+  const baseTxCount = (programLen == null ? 0 : 2 + writeTxCount) + initStructs.length;
+  const txFeeLamports = baseTxCount * BASE_TX_FEE_LAMPORTS;
+  const steps = [];
+  let idx = 1;
+  if (programLen != null) {
+    steps.push({
+      index: idx++,
+      kind: "create-buffer",
+      label: "Create buffer account",
+      rentLamports: 0,
+      transientLamports: bufferRent,
+      feeLamports: BASE_TX_FEE_LAMPORTS,
+      detail: `Allocate a ${BUFFER_METADATA + programLen}-byte buffer (held by the upgradeable loader) and fund it with ${bufferRent.toLocaleString()} lamports of rent. Refunded to you when the buffer is drained at deploy time.`
+    });
+    steps.push({
+      index: idx++,
+      kind: "write",
+      label: `Write program bytes (${writeTxCount} transaction${writeTxCount === 1 ? "" : "s"})`,
+      rentLamports: 0,
+      transientLamports: 0,
+      feeLamports: writeTxCount * BASE_TX_FEE_LAMPORTS,
+      detail: `Stream the ${programLen.toLocaleString()}-byte program into the buffer in ~${WRITE_CHUNK_BYTES}-byte chunks. ${writeTxCount} write transaction${writeTxCount === 1 ? "" : "s"} at ${BASE_TX_FEE_LAMPORTS} lamports each.`
+    });
+    steps.push({
+      index: idx++,
+      kind: "deploy",
+      label: "Deploy program from buffer",
+      rentLamports: programAccountRent + programDataRent,
+      transientLamports: -bufferRent,
+      feeLamports: BASE_TX_FEE_LAMPORTS,
+      detail: `Create the program account (${PROGRAM_ACCOUNT_SIZE} B, rent ${programAccountRent.toLocaleString()}) and the programdata account (${(PROGRAMDATA_METADATA + maxLenMultiplier * programLen).toLocaleString()} B at ${maxLenMultiplier}\xD7 upgrade headroom, rent ${programDataRent.toLocaleString()}). The buffer's lamports roll into the programdata account.`
+    });
+  }
+  for (const struct of initStructs) {
+    const accts = initAccounts.filter((a) => a.struct === struct);
+    const rent = accts.reduce((s, a) => s + (a.rentLamports ?? 0), 0);
+    const names = accts.map((a) => a.name).join(", ");
+    const anyUnresolved = accts.some((a) => a.rentLamports === null);
+    steps.push({
+      index: idx++,
+      kind: "initialize",
+      label: `Initialize: ${struct}`,
+      rentLamports: rent,
+      transientLamports: 0,
+      feeLamports: BASE_TX_FEE_LAMPORTS,
+      detail: `Invoke the handler using \`Context<${struct}>\` to create ${accts.length} account(s): ${names}. Payer funds ${rent.toLocaleString()} lamports of rent` + (anyUnresolved ? " (plus unresolved-space accounts \u2014 see notes)." : ".")
+    });
+  }
+  const lockedLamports = programAccountRent + programDataRent + initRentLamports;
+  const walletRequiredLamports = lockedLamports + bufferRent + txFeeLamports;
+  return {
+    binary,
+    programLen,
+    maxLenMultiplier,
+    priorityMicroLamports,
+    programAccountRent,
+    programDataRent,
+    bufferRent,
+    writeTxCount,
+    txFeeLamports,
+    initAccounts,
+    initRentLamports,
+    unresolvedInit,
+    steps,
+    lockedLamports,
+    walletRequiredLamports,
+    generatedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function sol(lamports) {
+  return `${lamportsToSol(lamports)} SOL`;
+}
+function renderDeployPlanMd(p) {
+  const L = ["## Deployment Plan\n"];
+  if (p.programLen == null) {
+    L.push(
+      "\u26A0\uFE0F  **No compiled `.so` found** under `target/deploy/`. Run `anchor build` (or `cargo build-sbf`) first for exact deploy cost. The transaction sequence below is structural; rent figures for the program binary are omitted.\n"
+    );
+  } else {
+    const srcNote = p.binary ? `\`${p.binary.path.split("/").slice(-1)[0]}\` (${p.programLen.toLocaleString()} bytes)` : `${p.programLen.toLocaleString()} bytes (provided)`;
+    L.push(`**Program binary:** ${srcNote}
+`);
+    L.push("### How much SOL do I need?\n");
+    L.push("| Item | Size | Rent (lamports) | SOL | Recoverable? |");
+    L.push("|------|------|-----------------|-----|--------------|");
+    L.push(
+      `| Program account | ${PROGRAM_ACCOUNT_SIZE} B | ${p.programAccountRent.toLocaleString()} | ${lamportsToSol(p.programAccountRent)} | \u274C until program closed |`
+    );
+    L.push(
+      `| Program data (${p.maxLenMultiplier}\xD7 headroom) | ${(PROGRAMDATA_METADATA + p.maxLenMultiplier * p.programLen).toLocaleString()} B | ${p.programDataRent.toLocaleString()} | ${lamportsToSol(p.programDataRent)} | \u274C until program closed |`
+    );
+    L.push(
+      `| Buffer (transient) | ${(BUFFER_METADATA + p.programLen).toLocaleString()} B | ${p.bufferRent.toLocaleString()} | ${lamportsToSol(p.bufferRent)} | \u2705 refunded at deploy |`
+    );
+    if (p.initAccounts.length > 0) {
+      L.push(
+        `| Init accounts (${p.initAccounts.length}) | \u2014 | ${p.initRentLamports.toLocaleString()} | ${lamportsToSol(p.initRentLamports)} | depends on close logic |`
+      );
+    }
+    L.push(
+      `| Transaction fees (~${p.steps.reduce((s, x) => s + (x.feeLamports > 0 ? 1 : 0), 0)} steps) | \u2014 | ${p.txFeeLamports.toLocaleString()} | ${lamportsToSol(p.txFeeLamports)} | \u274C spent |`
+    );
+    L.push("");
+    L.push(
+      `**\u2192 Fund the deploying wallet with at least ${sol(p.walletRequiredLamports)}** (${p.walletRequiredLamports.toLocaleString()} lamports).`
+    );
+    L.push(
+      `Steady-state locked after deploy: **${sol(p.lockedLamports)}** (program + programdata + init rent). The buffer rent and fees are not part of the steady-state lockup.
+`
+    );
+    if (p.priorityMicroLamports > 0) {
+      L.push(
+        `_Priority fee of ${p.priorityMicroLamports} \xB5lamports/CU requested \u2014 add it on top of the base fees above for congested-network safety._
+`
+      );
+    }
+  }
+  L.push("### Exact transaction sequence\n");
+  for (const s of p.steps) {
+    const tags = [];
+    if (s.rentLamports > 0) tags.push(`locks ${sol(s.rentLamports)}`);
+    if (s.transientLamports > 0) tags.push(`transient ${sol(s.transientLamports)}`);
+    if (s.transientLamports < 0) tags.push(`refunds ${sol(-s.transientLamports)}`);
+    if (s.feeLamports > 0) tags.push(`fee ${sol(s.feeLamports)}`);
+    const tagStr = tags.length ? `  _(${tags.join(", ")})_` : "";
+    L.push(`${s.index}. **${s.label}**${tagStr}`);
+    L.push(`   ${s.detail}`);
+  }
+  L.push("");
+  if (p.initAccounts.length > 0) {
+    L.push("### Init accounts (rent at setup)\n");
+    L.push("| Account | Struct | Type | Space | Rent | PDA seeds | Payer |");
+    L.push("|---------|--------|------|-------|------|-----------|-------|");
+    for (const a of p.initAccounts) {
+      const file = a.file.split("/").slice(-2).join("/");
+      const space = a.space != null ? `${a.space} B` : `\u26A0\uFE0F \`${a.spaceExpr ?? "?"}\``;
+      const rent = a.rentLamports != null ? lamportsToSol(a.rentLamports) + " SOL" : "\u2014";
+      const seeds = a.seeds ? `\`${a.seeds.replace(/\|/g, "\\|")}\`` : "(keypair)";
+      L.push(
+        `| \`${a.name}\`${a.conditional ? " (cond.)" : ""} (${file}:${a.line}) | ${a.struct} | \`${a.typeName.replace(/\|/g, "\\|")}\` | ${space} | ${rent} | ${seeds} | ${a.payer ?? "\u2014"} |`
+      );
+    }
+    L.push("");
+    if (p.unresolvedInit.length > 0) {
+      L.push(
+        `> \u26A0\uFE0F  ${p.unresolvedInit.length} account(s) declare \`space\` via a non-literal expression (e.g. \`8 + State::INIT_SPACE\`). Their rent is excluded from the totals above \u2014 resolve the constant to get an exact figure.
+`
+      );
+    }
+  }
+  return L.join("\n");
+}
+function renderDeployPlanText(p) {
+  const L = [];
+  L.push("\u2500\u2500 Deployment Plan \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  if (p.programLen == null) {
+    L.push("  no compiled .so found \u2014 run `anchor build` for exact cost.");
+    L.push("  (showing structural transaction sequence only)");
+  } else {
+    L.push(`  program binary: ${p.programLen.toLocaleString()} bytes`);
+    L.push(`  program account:   ${p.programAccountRent.toLocaleString()} lamports (${lamportsToSol(p.programAccountRent)} SOL)`);
+    L.push(`  program data (${p.maxLenMultiplier}x):  ${p.programDataRent.toLocaleString()} lamports (${lamportsToSol(p.programDataRent)} SOL)`);
+    L.push(`  buffer (transient): ${p.bufferRent.toLocaleString()} lamports (${lamportsToSol(p.bufferRent)} SOL, refunded)`);
+    if (p.initAccounts.length > 0)
+      L.push(`  init accounts:     ${p.initRentLamports.toLocaleString()} lamports (${lamportsToSol(p.initRentLamports)} SOL)`);
+    L.push(`  tx fees (est):     ${p.txFeeLamports.toLocaleString()} lamports (${lamportsToSol(p.txFeeLamports)} SOL)`);
+    L.push(`  \u2500\u2500\u2500 fund wallet with \u2265 ${lamportsToSol(p.walletRequiredLamports)} SOL  (steady-state locked: ${lamportsToSol(p.lockedLamports)} SOL)`);
+  }
+  L.push("  sequence:");
+  for (const s of p.steps) {
+    const locks = s.rentLamports > 0 ? ` +${lamportsToSol(s.rentLamports)} SOL` : "";
+    L.push(`    ${s.index}. ${s.label}${locks}`);
+  }
+  if (p.unresolvedInit.length > 0)
+    L.push(`  note: ${p.unresolvedInit.length} init account(s) have non-literal space \u2014 excluded from totals.`);
+  return L.join("\n");
+}
+
 // src/cli.ts
 import { execFileSync } from "child_process";
 var args = process.argv.slice(2);
@@ -128,7 +475,7 @@ if (args[0] === "drift") {
   process.exit(0);
 }
 if (args[0] === "mcp") {
-  const { startMcpServer } = await import("./mcp-ML2X44WE.js");
+  const { startMcpServer } = await import("./mcp-AM7MTCSZ.js");
   await startMcpServer();
   process.exit(0);
 }
@@ -203,6 +550,10 @@ if (args[0] === "batch") {
   await runBatch(args.slice(1));
   process.exit(0);
 }
+if (args[0] === "deploy-plan") {
+  runDeployPlan(args.slice(1));
+  process.exit(0);
+}
 if (args[0] === "fix") {
   await runFix(args.slice(1));
   process.exit(0);
@@ -253,11 +604,11 @@ if (!changedRanges) {
 }
 var costReport = analyzeCosts(targetDir);
 report.costAnalysis = costReport;
-var outDir = join2(targetDir, ".agent-research");
+var outDir = join3(targetDir, ".agent-research");
 mkdirSync2(outDir, { recursive: true });
-var reportPath = join2(outDir, "report.json");
+var reportPath = join3(outDir, "report.json");
 writeFileSync2(reportPath, JSON.stringify(report, null, 2));
-var costMdPath = join2(outDir, "cost-analysis.md");
+var costMdPath = join3(outDir, "cost-analysis.md");
 writeFileSync2(costMdPath, renderCostReportMd(costReport));
 console.log(`brainblast: scanned ${targetDir} with ${rules.length} rule(s)`);
 if (checks.length === 0) console.log("  (no catastrophic components detected)");
@@ -308,6 +659,38 @@ if (ci) {
   const gateFail = fails > 0 || strict && cantTell > 0;
   process.exit(gateFail ? 1 : 0);
 }
+function runDeployPlan(argv) {
+  if (argv.includes("--help") || argv.includes("-h")) {
+    console.log("usage: brainblast deploy-plan [targetDir] [--json] [--max-len-mult N] [--program-len BYTES] [--priority-fee MICROLAMPORTS]");
+    console.log("  Estimate SOL needed to deploy an Anchor program and print the exact ordered");
+    console.log("  transaction sequence (create buffer \u2192 write \u2192 deploy \u2192 initialize PDAs).");
+    console.log("  Reads the compiled .so under target/deploy/; pass --program-len to model a");
+    console.log("  build you haven't compiled yet.");
+    process.exit(0);
+  }
+  const num = (name) => {
+    const idx = argv.indexOf(`--${name}`);
+    if (idx < 0) return void 0;
+    const v = parseInt(argv[idx + 1], 10);
+    return Number.isFinite(v) ? v : void 0;
+  };
+  const targetDir2 = argv.find((a, i) => !a.startsWith("--") && !/^\d+$/.test(a) && argv[i - 1] !== "--max-len-mult" && argv[i - 1] !== "--program-len" && argv[i - 1] !== "--priority-fee") ?? process.cwd();
+  const plan = buildDeployPlan(targetDir2, {
+    maxLenMultiplier: num("max-len-mult"),
+    programLen: num("program-len"),
+    priorityMicroLamports: num("priority-fee")
+  });
+  if (argv.includes("--json")) {
+    console.log(JSON.stringify(plan, null, 2));
+    return;
+  }
+  console.log(renderDeployPlanText(plan));
+  const outDir2 = join3(targetDir2, ".agent-research");
+  mkdirSync2(outDir2, { recursive: true });
+  const mdPath = join3(outDir2, "deploy-plan.md");
+  writeFileSync2(mdPath, renderDeployPlanMd(plan));
+  console.log(`  deploy plan: ${mdPath}`);
+}
 function runPack(argv) {
   const sub = argv[0];
   if (sub === "init") {
@@ -329,8 +712,8 @@ function runPack(argv) {
       description: flag("description")
     });
     console.log(`brainblast pack init: wrote ${manifestFile}`);
-    console.log(`  rules:    ${join2(dir, "rules")}/`);
-    console.log(`  fixtures: ${join2(dir, "fixtures")}/`);
+    console.log(`  rules:    ${join3(dir, "rules")}/`);
+    console.log(`  fixtures: ${join3(dir, "fixtures")}/`);
     return;
   }
   if (sub === "validate") {
@@ -707,8 +1090,8 @@ async function runFirewall(argv) {
   }
 }
 async function runIdlRules(argv) {
-  const { readFileSync: readFileSync2, writeFileSync: writeFileSync3, mkdirSync: mkdirSync3 } = await import("fs");
-  const { join: join3 } = await import("path");
+  const { readFileSync: readFileSync3, writeFileSync: writeFileSync3, mkdirSync: mkdirSync3 } = await import("fs");
+  const { join: join4 } = await import("path");
   const { parseIdl, generateRulesFromIdl, renderRulesYaml } = await import("./idlRules-3KZML4NL.js");
   const idlPath = argv.find((a) => !a.startsWith("--"));
   if (!idlPath) {
@@ -721,7 +1104,7 @@ async function runIdlRules(argv) {
   const jsonOut = argv.includes("--json");
   let idl;
   try {
-    idl = parseIdl(JSON.parse(readFileSync2(idlPath, "utf8")));
+    idl = parseIdl(JSON.parse(readFileSync3(idlPath, "utf8")));
   } catch (e) {
     console.error(`brainblast idl-rules: ${e?.message ?? String(e)}`);
     process.exit(2);
@@ -738,7 +1121,7 @@ async function runIdlRules(argv) {
   const yaml = renderRulesYaml(rules2);
   if (outDir2) {
     mkdirSync3(outDir2, { recursive: true });
-    const file = join3(outDir2, `${rules2[0].id}.yaml`);
+    const file = join4(outDir2, `${rules2[0].id}.yaml`);
     writeFileSync3(file, yaml);
     console.log(`Generated ${rules2.length} rule(s) \u2192 ${file}`);
     console.log(`  Run against your program:  npx brainblast <program-dir> --packs <pack-with-this-rule>`);
@@ -812,7 +1195,7 @@ async function runPumpCheck(argv) {
   if (report2.verdict === "NO-GO") process.exit(1);
 }
 async function runBatch(argv) {
-  const { readFileSync: readFileSync2 } = await import("fs");
+  const { readFileSync: readFileSync3 } = await import("fs");
   const { batchScan, parseMintList, renderBatchText } = await import("./batchScan-JR2G5JCF.js");
   const file = argv.find((a) => !a.startsWith("--"));
   if (!file) {
@@ -822,7 +1205,7 @@ async function runBatch(argv) {
   }
   let mints;
   try {
-    mints = parseMintList(readFileSync2(file, "utf8"));
+    mints = parseMintList(readFileSync3(file, "utf8"));
   } catch (e) {
     console.error(`brainblast batch: ${e?.message ?? String(e)}`);
     process.exit(2);

package/dist/index.js

@@ -54,7 +54,7 @@ import {
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-34VXOLJF.js";
+} from "./chunk-B2M3TZSA.js";
 import {
   renderTrustGraphMd
 } from "./chunk-2UZGWXIX.js";
@@ -91,7 +91,7 @@ import {
   runChecker,
   testKinds,
   validatePackManifest
-} from "./chunk-CRYFCQYM.js";
+} from "./chunk-IY52XKWL.js";
 import {
   CANONICAL_BY_MINT,
   CANONICAL_MINTS,

package/dist/{mcp-ML2X44WE.js → mcp-AM7MTCSZ.js}

@@ -1,7 +1,7 @@
 import {
   audit,
   resolveRules
-} from "./chunk-CRYFCQYM.js";
+} from "./chunk-IY52XKWL.js";
 import "./chunk-2XJORJPQ.js";
 import "./chunk-O5Z4ZJHC.js";
 import {

package/dist/rules/anchor-pda-find-program-address.yaml

@@ -0,0 +1,28 @@
+id: anchor-pda-find-program-address
+severity: high
+title: Anchor handler calls find_program_address at runtime instead of using seeds+bump constraint
+component:
+  name: Anchor Framework
+  type: Blockchain
+  version: ">=0.26.0"
+  sourceUrl: https://www.anchor-lang.com/docs/the-accounts-struct#seeds-and-bump
+detect:
+  lang: rust
+  modules:
+    - "@coral-xyz/anchor"
+    - "@project-serum/anchor"
+  nameRegex: ".*"
+  triggerCalls: []
+check:
+  kind: anchor-body-call-pattern
+  params:
+    forbiddenPattern: "Pubkey::find_program_address|find_program_address\\s*\\("
+test:
+  kind: anchor-program-test
+  params:
+    scenario: pda-canonical-bump-mismatch
+    description: >-
+      Initializes the PDA storing the canonical bump, then calls the handler with
+      a non-canonical bump seed. With find_program_address the handler may accept
+      this (re-deriving a different nonce), whereas the seeds+bump constraint
+      enforces the stored canonical bump and will reject it.

package/dist/rules/anchor-signer-constraint-missing.yaml

@@ -0,0 +1,27 @@
+id: anchor-signer-constraint-missing
+severity: critical
+title: Anchor authority account missing signer constraint
+component:
+  name: Anchor Framework
+  type: Blockchain
+  version: ">=0.26.0"
+  sourceUrl: https://www.anchor-lang.com/docs/the-accounts-struct#signer
+detect:
+  lang: rust
+  modules:
+    - "@coral-xyz/anchor"
+    - "@project-serum/anchor"
+  nameRegex: ".*"
+  triggerCalls: []
+check:
+  kind: anchor-account-missing-constraint
+  params:
+    nameRegex: "^(authority|admin|owner|payer|caller|signer|user|operator|manager|creator|deployer)$"
+test:
+  kind: anchor-program-test
+  params:
+    scenario: unauthorized-caller
+    description: >-
+      Calls the instruction with a key that does not match the expected authority
+      and has not signed the transaction. Must be rejected with a signing error.
+      If it succeeds, the authority check is absent and privilege escalation is possible.

package/dist/rules/anchor-unchecked-account-type.yaml

@@ -0,0 +1,27 @@
+id: anchor-unchecked-account-type
+severity: high
+title: Anchor instruction uses UncheckedAccount — no runtime validation
+component:
+  name: Anchor Framework
+  type: Blockchain
+  version: ">=0.26.0"
+  sourceUrl: https://www.anchor-lang.com/docs/the-accounts-struct#uncheckedaccount
+detect:
+  lang: rust
+  modules:
+    - "@coral-xyz/anchor"
+    - "@project-serum/anchor"
+  nameRegex: ".*"
+  triggerCalls: []
+check:
+  kind: anchor-forbidden-account-type
+  params:
+    forbiddenType: "UncheckedAccount"
+test:
+  kind: anchor-program-test
+  params:
+    scenario: arbitrary-account-substitution
+    description: >-
+      Passes an account owned by an arbitrary program (not the expected program ID)
+      as the UncheckedAccount field. Must be rejected. If it succeeds, an attacker
+      can substitute any account and the instruction will operate on attacker-controlled data.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.7.0",
+  "version": "0.7.2",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [