brainblast 0.7.3 → 0.7.4

package/dist/{chunk-UWE6HAGS.js → chunk-F7QOW3IM.js}

@@ -1,6 +1,6 @@
 import {
   buildTrustGraph
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 
 // src/score.ts
 var W_AUTHORITY = 35;

package/dist/{chunk-SVSVVW6U.js → chunk-GF37ANSW.js}

@@ -1,4 +1,5 @@
 import {
+  getAccountInfo,
   probeUpgradeAuthority
 } from "./chunk-XSVQSK53.js";
 
@@ -39,6 +40,41 @@ function loadDirectory(path = bundledPath()) {
   return m;
 }
 
+// src/trustGraph/classifyAuthority.ts
+var SYSTEM_PROGRAM = "11111111111111111111111111111111";
+var KNOWN_AUTHORITY_OWNERS = {
+  // Squads — the dominant Solana multisig. v3 ("SMPL") and v4 program ids.
+  // https://docs.squads.so/main/development/sdk/program-ids
+  SMPLecH534NA9acpos4G6x7uf3LWbCAwZQE9e8ZekMu: { kind: "multisig", label: "Squads v3" },
+  SQDS4ep65T869zMMBKyuUq6aD6EgTu8psMjkvj52pCf: { kind: "multisig", label: "Squads v4" },
+  // SPL Governance (Realms) — the standard on-chain governance program.
+  // https://github.com/solana-labs/solana-program-library/tree/master/governance
+  GovER5Lthms3bLBqWub97yVrMmEogzX7xNjdXpPPCVZw: { kind: "dao", label: "SPL Governance (Realms)" }
+};
+async function classifyUpgradeAuthority(address, opts = {}) {
+  const acct = await getAccountInfo(address, opts);
+  if (!acct) {
+    return { kind: "unknown" };
+  }
+  if (acct.owner === SYSTEM_PROGRAM) {
+    return { kind: "single-key", ownerProgram: SYSTEM_PROGRAM };
+  }
+  const known = KNOWN_AUTHORITY_OWNERS[acct.owner];
+  if (known) {
+    return { kind: known.kind, ownerProgram: acct.owner, ownerLabel: known.label };
+  }
+  return { kind: "unknown", ownerProgram: acct.owner };
+}
+async function enrichAuthorityClassification(authority, opts = {}) {
+  if (authority.kind !== "unknown" || !authority.address) return authority;
+  const c = await classifyUpgradeAuthority(authority.address, opts);
+  return {
+    ...authority,
+    kind: c.kind,
+    ...c.ownerProgram ? { ownerProgram: c.ownerProgram } : {}
+  };
+}
+
 // src/trustGraph/programCache.ts
 import { readFileSync as readFileSync2, writeFileSync, mkdirSync, existsSync as existsSync2 } from "fs";
 import { join as join2, dirname } from "path";
@@ -146,6 +182,12 @@ async function buildTrustGraph(programIds, opts = {}) {
     let authority;
     try {
       authority = await probeUpgradeAuthority(id, opts);
+      if (opts.classifyAuthority !== false) {
+        try {
+          authority = await enrichAuthorityClassification(authority, opts);
+        } catch {
+        }
+      }
     } catch (e) {
       unresolved.push({ programId: id, reason: `rpc_error: ${e?.message ?? String(e)}` });
       continue;
@@ -174,6 +216,10 @@ async function buildTrustGraph(programIds, opts = {}) {
 
 export {
   loadDirectory,
+  SYSTEM_PROGRAM,
+  KNOWN_AUTHORITY_OWNERS,
+  classifyUpgradeAuthority,
+  enrichAuthorityClassification,
   DEFAULT_TTL_HOURS,
   defaultCachePath,
   loadProgramCache,

package/dist/{chunk-2UZGWXIX.js → chunk-QMJEZ6NO.js}

@@ -1,19 +1,27 @@
 // src/trustGraph/render.ts
 function renderAuthority(p) {
   const a = p.upgradeAuthority;
+  const owner = a.ownerProgram ? ` _(owner: \`${a.ownerProgram}\`)_` : "";
   switch (a.kind) {
     case "renounced":
       return "\u{1F512} **Renounced** \u2014 program is frozen; no key can upgrade it.";
     case "single-key":
-      return `\u26A0\uFE0F **Single key** \`${a.address}\` \u2014 one private key can replace this program at any time.`;
+      return `\u26A0\uFE0F **Single key** \`${a.address}\` \u2014 one private key can replace this program at any time.${owner}`;
     case "multisig":
-      return `\u{1F510} **Multisig** \`${a.address}\` \u2014 a threshold of signers can upgrade.`;
+      return `\u{1F510} **Multisig** \`${a.address}\` \u2014 a threshold of signers can upgrade.${owner}`;
     case "dao":
-      return `\u{1F3DB} **DAO** \`${a.address}\` \u2014 governance program controls upgrades.`;
+      return `\u{1F3DB} **DAO** \`${a.address}\` \u2014 governance program controls upgrades.${owner}`;
     case "unknown":
-      return a.address ? `\u2753 **Unclassified authority** \`${a.address}\` \u2014 needs research to confirm single-key vs multisig/DAO.` : "\u2753 **Unknown** \u2014 could not determine upgrade authority.";
+      return a.address ? `\u2753 **Unclassified authority** \`${a.address}\`${owner} \u2014 needs research to confirm single-key vs multisig/DAO.` : "\u2753 **Unknown** \u2014 could not determine upgrade authority.";
   }
 }
+function renderTrustSummary(p) {
+  const a = p.upgradeAuthority;
+  const authBit = a.kind === "renounced" ? "\u{1F512} immutable" : a.kind === "multisig" ? "\u{1F510} multisig" : a.kind === "dao" ? "\u{1F3DB} DAO-governed" : a.kind === "single-key" ? "\u26A0\uFE0F single-key upgradeable" : "\u2753 authority unclassified";
+  const verifiedBit = p.verifiedBuild.state === "verified" ? "\u2705 verified build" : p.verifiedBuild.state === "unverified" ? "\u274C unverified" : "\u2753 build unchecked";
+  const auditBit = p.audits.length ? `\u2705 audited (${p.audits.map((x) => x.firm).join(", ")})` : "\u274C no audits on file";
+  return `${authBit} \xB7 ${verifiedBit} \xB7 ${auditBit}`;
+}
 function renderVerified(p) {
   const v = p.verifiedBuild;
   switch (v.state) {
@@ -42,6 +50,8 @@ function renderProgram(p) {
     "",
     `\`${p.programId}\`${p.kind ? ` \xB7 kind: \`${p.kind}\`` : ""}`,
     "",
+    `**Trust:** ${renderTrustSummary(p)}`,
+    "",
     `- **Upgrade authority:** ${renderAuthority(p)}`,
     `- **Verified build:** ${renderVerified(p)}`,
     `- **Parity:** ${renderParity(p)}`,

package/dist/chunk-WQFLKWBY.js

@@ -0,0 +1,110 @@
+import {
+  DEFAULT_RPC
+} from "./chunk-XSVQSK53.js";
+import {
+  isValidSolanaAddress
+} from "./chunk-VG5FMOLW.js";
+
+// src/oracle.ts
+var SLOT_MS = 400;
+var DEFAULT_STALENESS_SLOTS = 150;
+async function rpc(method, params, opts) {
+  const url = opts.rpcUrl ?? DEFAULT_RPC;
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const ac = new AbortController();
+  const t = setTimeout(() => ac.abort(), opts.timeoutMs ?? 1e4);
+  try {
+    const res = await fetchImpl(url, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
+      signal: ac.signal
+    });
+    if (!res.ok) throw new Error(`rpc ${method}: HTTP ${res.status}`);
+    const body = await res.json();
+    if (body.error) throw new Error(`rpc ${method}: ${body.error.message}`);
+    if (body.result === void 0) throw new Error(`rpc ${method}: empty result`);
+    return body.result;
+  } finally {
+    clearTimeout(t);
+  }
+}
+async function checkOracleFreshness(account, opts = {}) {
+  if (!isValidSolanaAddress(account)) throw new Error(`invalid Solana address: ${account}`);
+  const thresholdSlots = opts.maxStalenessSlots ?? (opts.maxStalenessSeconds != null ? Math.max(1, Math.round(opts.maxStalenessSeconds * 1e3 / SLOT_MS)) : DEFAULT_STALENESS_SLOTS);
+  const checkedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const currentSlot = await rpc("getSlot", [{ commitment: "confirmed" }], opts);
+  const sigs = await rpc(
+    "getSignaturesForAddress",
+    [account, { limit: 1 }],
+    opts
+  );
+  if (!sigs || sigs.length === 0) {
+    return {
+      account,
+      currentSlot,
+      lastSlot: null,
+      lastBlockTime: null,
+      slotsBehind: null,
+      secondsBehind: null,
+      thresholdSlots,
+      fresh: false,
+      verdict: "NO_HISTORY",
+      checkedAt
+    };
+  }
+  const last = sigs[0];
+  const lastSlot = last.slot;
+  const lastBlockTime = last.blockTime ?? null;
+  const slotsBehind = Math.max(0, currentSlot - lastSlot);
+  const secondsBehind = lastBlockTime != null ? Math.max(0, Math.floor(Date.now() / 1e3) - lastBlockTime) : Math.round(slotsBehind * SLOT_MS / 1e3);
+  const fresh = slotsBehind <= thresholdSlots;
+  return {
+    account,
+    currentSlot,
+    lastSlot,
+    lastBlockTime,
+    slotsBehind,
+    secondsBehind,
+    thresholdSlots,
+    fresh,
+    verdict: fresh ? "FRESH" : "STALE",
+    checkedAt
+  };
+}
+function renderOracleText(f) {
+  const L = [];
+  L.push("\u2500\u2500 Oracle Freshness \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  L.push(`  account:       ${f.account}`);
+  L.push(`  current slot:  ${f.currentSlot.toLocaleString()}`);
+  if (f.verdict === "NO_HISTORY") {
+    L.push("  last write:    (no transactions found touching this account)");
+    L.push("  verdict:       \u2753 NO_HISTORY \u2014 cannot confirm freshness");
+    return L.join("\n");
+  }
+  L.push(`  last write:    slot ${f.lastSlot.toLocaleString()} (${f.slotsBehind.toLocaleString()} slots / ~${f.secondsBehind}s ago)`);
+  L.push(`  threshold:     ${f.thresholdSlots.toLocaleString()} slots`);
+  L.push(`  verdict:       ${f.fresh ? "\u2705 FRESH" : "\u{1F6A8} STALE \u2014 last update is older than the freshness threshold"}`);
+  return L.join("\n");
+}
+function renderOracleMd(f) {
+  const L = ["## Oracle Freshness\n"];
+  L.push(`**Account:** \`${f.account}\`  \xB7  checked ${f.checkedAt}
+`);
+  if (f.verdict === "NO_HISTORY") {
+    L.push("\u2753 **NO_HISTORY** \u2014 no transactions were found touching this account, so freshness can't be confirmed. Double-check the address.");
+    return L.join("\n");
+  }
+  const badge = f.fresh ? "\u2705 **FRESH**" : "\u{1F6A8} **STALE**";
+  L.push(`${badge} \u2014 last written at slot ${f.lastSlot.toLocaleString()}, ${f.slotsBehind.toLocaleString()} slots (~${f.secondsBehind}s) behind the current slot (${f.currentSlot.toLocaleString()}).`);
+  L.push("");
+  L.push(`Threshold: ${f.thresholdSlots.toLocaleString()} slots. ${f.fresh ? "Within tolerance." : "**Exceeds tolerance \u2014 do not price against this feed until it updates.**"}`);
+  return L.join("\n");
+}
+
+export {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleText,
+  renderOracleMd
+};

package/dist/cli.js

@@ -21,13 +21,13 @@ import {
 } from "./chunk-5VYTURTO.js";
 import {
   renderTrustGraphMd
-} from "./chunk-2UZGWXIX.js";
+} from "./chunk-QMJEZ6NO.js";
 import {
   buildTrustGraph,
   cacheSize,
   defaultCachePath,
   loadProgramCache
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 import {
   audit,
   getChangedRanges,
@@ -563,6 +563,10 @@ if (args[0] === "exploits") {
   runExploits(args.slice(1));
   process.exit(0);
 }
+if (args[0] === "oracle") {
+  await runOracle(args.slice(1));
+  process.exit(0);
+}
 if (args[0] === "fix") {
   await runFix(args.slice(1));
   process.exit(0);
@@ -700,6 +704,48 @@ function runDeployPlan(argv) {
   writeFileSync2(mdPath, renderDeployPlanMd(plan));
   console.log(`  deploy plan: ${mdPath}`);
 }
+async function runOracle(argv) {
+  if (argv.includes("--help") || argv.includes("-h") || argv.filter((a) => !a.startsWith("--")).length === 0) {
+    console.log("usage: brainblast oracle <account> [--rpc URL] [--max-staleness-slots N | --max-staleness-seconds N] [--json]");
+    console.log("  Is the oracle fresh? Reports how many slots/seconds ago the price account was");
+    console.log("  last written (provider-agnostic) and gates FRESH/STALE. Exit 1 on STALE or");
+    console.log("  NO_HISTORY. Pass your own --rpc for reliable results (public RPC is rate-limited).");
+    process.exit(argv.length === 0 ? 2 : 0);
+  }
+  const { checkOracleFreshness, renderOracleText, renderOracleMd } = await import("./oracle-DVZLFJ43.js");
+  const num = (name) => {
+    const i = argv.indexOf(`--${name}`);
+    if (i < 0) return void 0;
+    const v = parseInt(argv[i + 1], 10);
+    return Number.isFinite(v) ? v : void 0;
+  };
+  const rpcIdx = argv.indexOf("--rpc");
+  const rpcUrl = rpcIdx >= 0 ? argv[rpcIdx + 1] : void 0;
+  const account = argv.find(
+    (a, i) => !a.startsWith("--") && argv[i - 1] !== "--rpc" && argv[i - 1] !== "--max-staleness-slots" && argv[i - 1] !== "--max-staleness-seconds"
+  );
+  if (!account) {
+    console.error("error: missing <account>. usage: brainblast oracle <account> [--rpc URL] [--json]");
+    process.exit(2);
+  }
+  let f;
+  try {
+    f = await checkOracleFreshness(account, {
+      rpcUrl,
+      maxStalenessSlots: num("max-staleness-slots"),
+      maxStalenessSeconds: num("max-staleness-seconds")
+    });
+  } catch (e) {
+    console.error(`error: ${e?.message ?? String(e)}`);
+    process.exit(2);
+  }
+  if (argv.includes("--json")) console.log(JSON.stringify(f, null, 2));
+  else console.log(renderOracleText(f));
+  const outDir2 = join3(process.cwd(), ".agent-research");
+  mkdirSync2(outDir2, { recursive: true });
+  writeFileSync2(join3(outDir2, "oracle-freshness.md"), renderOracleMd(f));
+  process.exit(f.fresh ? 0 : 1);
+}
 function runExploits(argv) {
   if (argv.includes("--help") || argv.includes("-h")) {
     console.log("usage: brainblast exploits [id] [--json]");
@@ -1172,8 +1218,8 @@ async function runIdlRules(argv) {
   }
 }
 async function runScore(argv) {
-  const { scoreProgram, renderScoreText, gradeAtLeast } = await import("./score-VLKER37D.js");
-  const { isValidSolanaAddress: isValidSolanaAddress2 } = await import("./trustGraph-4SSJOQKT.js");
+  const { scoreProgram, renderScoreText, gradeAtLeast } = await import("./score-YXFXD6QG.js");
+  const { isValidSolanaAddress: isValidSolanaAddress2 } = await import("./trustGraph-K5PWNEL4.js");
   const programId = argv.find((a) => !a.startsWith("--"));
   if (!programId) {
     console.error("usage: brainblast score <program-id> [--rpc URL] [--no-probe] [--min A|B|C|D|F] [--json]");

package/dist/index.d.ts

@@ -388,6 +388,7 @@ interface UpgradeAuthority {
     address: string | null;
     source: UpgradeAuthoritySource;
     checkedAt?: string;
+    ownerProgram?: string;
 }
 type VerifiedBuildState = {
     state: "verified";
@@ -443,6 +444,7 @@ interface RpcOpts {
 
 interface BuildOpts extends RpcOpts {
     probeRpc?: boolean;
+    classifyAuthority?: boolean;
     directoryPath?: string;
     cachePath?: string | null;
 }
@@ -452,6 +454,20 @@ declare function renderTrustGraphMd(g: TrustGraph): string;
 
 declare function loadDirectory(path?: string): Map<string, OnChainProgram>;
 
+declare const SYSTEM_PROGRAM = "11111111111111111111111111111111";
+interface KnownOwner {
+    kind: Exclude<UpgradeAuthorityKind, "renounced">;
+    label: string;
+}
+declare const KNOWN_AUTHORITY_OWNERS: Record<string, KnownOwner>;
+interface AuthorityClassification {
+    kind: UpgradeAuthorityKind;
+    ownerProgram?: string;
+    ownerLabel?: string;
+}
+declare function classifyUpgradeAuthority(address: string, opts?: RpcOpts): Promise<AuthorityClassification>;
+declare function enrichAuthorityClassification(authority: UpgradeAuthority, opts?: RpcOpts): Promise<UpgradeAuthority>;
+
 declare function base58Encode(bytes: Uint8Array): string;
 declare function base58Decode(s: string): Uint8Array;
 declare function isValidSolanaAddress(s: string): boolean;
@@ -876,6 +892,32 @@ declare function batchScan(mints: string[], opts?: BatchScanOpts): Promise<Batch
 declare function parseMintList(content: string): string[];
 declare function renderBatchText(result: BatchResult): string;
 
+declare const DEFAULT_STALENESS_SLOTS = 150;
+type OracleVerdict = "FRESH" | "STALE" | "NO_HISTORY";
+interface OracleFreshness {
+    account: string;
+    currentSlot: number;
+    /** Slot of the most recent signature touching the account; null if none. */
+    lastSlot: number | null;
+    /** Unix seconds of that signature's block, when the RPC provides it. */
+    lastBlockTime: number | null;
+    slotsBehind: number | null;
+    secondsBehind: number | null;
+    thresholdSlots: number;
+    fresh: boolean;
+    verdict: OracleVerdict;
+    checkedAt: string;
+}
+interface OracleOpts extends RpcOpts {
+    /** Staleness threshold in slots (default 150 ≈ 60s). */
+    maxStalenessSlots?: number;
+    /** Staleness threshold in seconds; converted to slots (~400ms each). */
+    maxStalenessSeconds?: number;
+}
+declare function checkOracleFreshness(account: string, opts?: OracleOpts): Promise<OracleFreshness>;
+declare function renderOracleText(f: OracleFreshness): string;
+declare function renderOracleMd(f: OracleFreshness): string;
+
 interface ExploitPattern {
     /** Stable slug, e.g. "wormhole". */
     id: string;
@@ -905,4 +947,4 @@ declare function renderExploitsMd(patterns?: ExploitPattern[]): string;
 declare function renderExploitsText(patterns?: ExploitPattern[]): string;
 declare function renderExploitDetailText(e: ExploitPattern): string;
 
-export { type AccountFlow, type AnchorIdl, type AuditRef, type BatchResult, type BatchRow, type BatchScanOpts, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChainEvent, type ChainWatchOpts, type ChainWatchState, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DecodedInstruction, type DecodedTx, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, EXPLOIT_PATTERNS, type ExploitPattern, type FirewallFinding, type FirewallOpts, type FirewallProgram, type FirewallReport, type FirewallSeverity, type FirewallVerdict, type Grade, type GraduationEvent, type IdentityStatus, type IdlAccount, type IdlConstraintParams, type IdlInstruction, KNOWN_PROGRAMS, type MintInfo, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PreflightCheck, type PreflightOpts, type PreflightReport, type PreflightStatus, type PreflightVerdict, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type ScoreFactor, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type TrustScore, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeInstructions, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, batchScan, buildConstraintParams, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkerKinds, decodeTransaction, defaultCachePath, deployerFlagsFrom, diffVersions, fileChanged, findCandidates, findConfigCandidates, formatUsd, generateRulesFromIdl, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getExploitPattern, getRepoHash, getUserHash, getWorkingTreeChanges, gradeAtLeast, gradeForScore, idlProgramName, initPack, initialChainWatchState, inspectTransaction, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseCpiPrograms, parseDiff, parseIdl, parseMintAccount, parseMintList, pollChainOnce, pumpPreflight, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderBatchText, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderExploitDetailText, renderExploitsMd, renderExploitsText, renderFirewallText, renderPreflightText, renderRicoText, renderRulesYaml, renderScoreText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, scoreFromProgram, scoreProgram, seedPackages, startChainWatch, startWatch, submitTelemetry, telemetryFilePath, testKinds, toSnakeCase, totalLossUsd, validatePack, validatePackManifest, verifyTokenIdentity };
+export { type AccountFlow, type AnchorIdl, type AuditRef, type AuthorityClassification, type BatchResult, type BatchRow, type BatchScanOpts, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChainEvent, type ChainWatchOpts, type ChainWatchState, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_STALENESS_SLOTS, DEFAULT_TTL_HOURS, type DecodedInstruction, type DecodedTx, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, EXPLOIT_PATTERNS, type ExploitPattern, type FirewallFinding, type FirewallOpts, type FirewallProgram, type FirewallReport, type FirewallSeverity, type FirewallVerdict, type Grade, type GraduationEvent, type IdentityStatus, type IdlAccount, type IdlConstraintParams, type IdlInstruction, KNOWN_AUTHORITY_OWNERS, KNOWN_PROGRAMS, type MintInfo, type OnChainProgram, type OracleFreshness, type OracleOpts, type OracleVerdict, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PreflightCheck, type PreflightOpts, type PreflightReport, type PreflightStatus, type PreflightVerdict, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, SYSTEM_PROGRAM, type ScoreFactor, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type TrustScore, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeInstructions, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, batchScan, buildConstraintParams, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkOracleFreshness, checkerKinds, classifyUpgradeAuthority, decodeTransaction, defaultCachePath, deployerFlagsFrom, diffVersions, enrichAuthorityClassification, fileChanged, findCandidates, findConfigCandidates, formatUsd, generateRulesFromIdl, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getExploitPattern, getRepoHash, getUserHash, getWorkingTreeChanges, gradeAtLeast, gradeForScore, idlProgramName, initPack, initialChainWatchState, inspectTransaction, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseCpiPrograms, parseDiff, parseIdl, parseMintAccount, parseMintList, pollChainOnce, pumpPreflight, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderBatchText, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderExploitDetailText, renderExploitsMd, renderExploitsText, renderFirewallText, renderOracleMd, renderOracleText, renderPreflightText, renderRicoText, renderRulesYaml, renderScoreText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, scoreFromProgram, scoreProgram, seedPackages, startChainWatch, startWatch, submitTelemetry, telemetryFilePath, testKinds, toSnakeCase, totalLossUsd, validatePack, validatePackManifest, verifyTokenIdentity };

package/dist/index.js

@@ -1,3 +1,9 @@
+import {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleMd,
+  renderOracleText
+} from "./chunk-WQFLKWBY.js";
 import {
   checkDrift,
   renderDriftText,
@@ -17,7 +23,7 @@ import {
   renderScoreText,
   scoreFromProgram,
   scoreProgram
-} from "./chunk-UWE6HAGS.js";
+} from "./chunk-F7QOW3IM.js";
 import {
   parseMintAccount,
   pumpPreflight,
@@ -64,12 +70,16 @@ import {
 } from "./chunk-5VYTURTO.js";
 import {
   renderTrustGraphMd
-} from "./chunk-2UZGWXIX.js";
+} from "./chunk-QMJEZ6NO.js";
 import {
   DEFAULT_TTL_HOURS,
+  KNOWN_AUTHORITY_OWNERS,
+  SYSTEM_PROGRAM,
   buildTrustGraph,
   cacheSize,
+  classifyUpgradeAuthority,
   defaultCachePath,
+  enrichAuthorityClassification,
   getCacheEntry,
   getCacheEntryMeta,
   isEntryExpired,
@@ -77,7 +87,7 @@ import {
   loadProgramCache,
   putCacheEntry,
   saveProgramCache
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 import {
   PACK_MANIFEST_FILE,
   audit,
@@ -150,10 +160,13 @@ export {
   CANONICAL_BY_MINT,
   CANONICAL_MINTS,
   DEFAULT_REGISTRY_URL,
+  DEFAULT_STALENESS_SLOTS,
   DEFAULT_TTL_HOURS,
   EXPLOIT_PATTERNS,
+  KNOWN_AUTHORITY_OWNERS,
   KNOWN_PROGRAMS,
   PACK_MANIFEST_FILE,
+  SYSTEM_PROGRAM,
   analyzeCosts,
   analyzeInstructions,
   analyzeToken,
@@ -169,11 +182,14 @@ export {
   cacheSize,
   canonicalMintForSymbol,
   checkDrift,
+  checkOracleFreshness,
   checkerKinds,
+  classifyUpgradeAuthority,
   decodeTransaction,
   defaultCachePath,
   deployerFlagsFrom,
   diffVersions,
+  enrichAuthorityClassification,
   fileChanged,
   findCandidates,
   findConfigCandidates,
@@ -223,6 +239,8 @@ export {
   renderExploitsMd,
   renderExploitsText,
   renderFirewallText,
+  renderOracleMd,
+  renderOracleText,
   renderPreflightText,
   renderRicoText,
   renderRulesYaml,

package/dist/oracle-DVZLFJ43.js

@@ -0,0 +1,15 @@
+import {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleMd,
+  renderOracleText
+} from "./chunk-WQFLKWBY.js";
+import "./chunk-XSVQSK53.js";
+import "./chunk-VG5FMOLW.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleMd,
+  renderOracleText
+};

package/dist/{score-VLKER37D.js → score-YXFXD6QG.js}

@@ -4,8 +4,8 @@ import {
   renderScoreText,
   scoreFromProgram,
   scoreProgram
-} from "./chunk-UWE6HAGS.js";
-import "./chunk-SVSVVW6U.js";
+} from "./chunk-F7QOW3IM.js";
+import "./chunk-GF37ANSW.js";
 import "./chunk-XSVQSK53.js";
 import "./chunk-VG5FMOLW.js";
 import "./chunk-3RG5ZIWI.js";

package/dist/{trustGraph-4SSJOQKT.js → trustGraph-K5PWNEL4.js}

@@ -1,12 +1,16 @@
 import {
   renderProgram,
   renderTrustGraphMd
-} from "./chunk-2UZGWXIX.js";
+} from "./chunk-QMJEZ6NO.js";
 import {
   DEFAULT_TTL_HOURS,
+  KNOWN_AUTHORITY_OWNERS,
+  SYSTEM_PROGRAM,
   buildTrustGraph,
   cacheSize,
+  classifyUpgradeAuthority,
   defaultCachePath,
+  enrichAuthorityClassification,
   getCacheEntry,
   getCacheEntryMeta,
   isEntryExpired,
@@ -14,7 +18,7 @@ import {
   loadProgramCache,
   putCacheEntry,
   saveProgramCache
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 import {
   DEFAULT_RPC,
   getAccountInfo,
@@ -29,11 +33,15 @@ import "./chunk-3RG5ZIWI.js";
 export {
   DEFAULT_RPC,
   DEFAULT_TTL_HOURS,
+  KNOWN_AUTHORITY_OWNERS,
+  SYSTEM_PROGRAM,
   base58Decode,
   base58Encode,
   buildTrustGraph,
   cacheSize,
+  classifyUpgradeAuthority,
   defaultCachePath,
+  enrichAuthorityClassification,
   getAccountInfo,
   getCacheEntry,
   getCacheEntryMeta,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.7.3",
+  "version": "0.7.4",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [