brainblast 0.7.3 → 0.7.5

package/dist/{chunk-UWE6HAGS.js → chunk-F7QOW3IM.js}

@@ -1,6 +1,6 @@
 import {
   buildTrustGraph
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 
 // src/score.ts
 var W_AUTHORITY = 35;

package/dist/{chunk-SVSVVW6U.js → chunk-GF37ANSW.js}

@@ -1,4 +1,5 @@
 import {
+  getAccountInfo,
   probeUpgradeAuthority
 } from "./chunk-XSVQSK53.js";
 
@@ -39,6 +40,41 @@ function loadDirectory(path = bundledPath()) {
   return m;
 }
 
+// src/trustGraph/classifyAuthority.ts
+var SYSTEM_PROGRAM = "11111111111111111111111111111111";
+var KNOWN_AUTHORITY_OWNERS = {
+  // Squads — the dominant Solana multisig. v3 ("SMPL") and v4 program ids.
+  // https://docs.squads.so/main/development/sdk/program-ids
+  SMPLecH534NA9acpos4G6x7uf3LWbCAwZQE9e8ZekMu: { kind: "multisig", label: "Squads v3" },
+  SQDS4ep65T869zMMBKyuUq6aD6EgTu8psMjkvj52pCf: { kind: "multisig", label: "Squads v4" },
+  // SPL Governance (Realms) — the standard on-chain governance program.
+  // https://github.com/solana-labs/solana-program-library/tree/master/governance
+  GovER5Lthms3bLBqWub97yVrMmEogzX7xNjdXpPPCVZw: { kind: "dao", label: "SPL Governance (Realms)" }
+};
+async function classifyUpgradeAuthority(address, opts = {}) {
+  const acct = await getAccountInfo(address, opts);
+  if (!acct) {
+    return { kind: "unknown" };
+  }
+  if (acct.owner === SYSTEM_PROGRAM) {
+    return { kind: "single-key", ownerProgram: SYSTEM_PROGRAM };
+  }
+  const known = KNOWN_AUTHORITY_OWNERS[acct.owner];
+  if (known) {
+    return { kind: known.kind, ownerProgram: acct.owner, ownerLabel: known.label };
+  }
+  return { kind: "unknown", ownerProgram: acct.owner };
+}
+async function enrichAuthorityClassification(authority, opts = {}) {
+  if (authority.kind !== "unknown" || !authority.address) return authority;
+  const c = await classifyUpgradeAuthority(authority.address, opts);
+  return {
+    ...authority,
+    kind: c.kind,
+    ...c.ownerProgram ? { ownerProgram: c.ownerProgram } : {}
+  };
+}
+
 // src/trustGraph/programCache.ts
 import { readFileSync as readFileSync2, writeFileSync, mkdirSync, existsSync as existsSync2 } from "fs";
 import { join as join2, dirname } from "path";
@@ -146,6 +182,12 @@ async function buildTrustGraph(programIds, opts = {}) {
     let authority;
     try {
       authority = await probeUpgradeAuthority(id, opts);
+      if (opts.classifyAuthority !== false) {
+        try {
+          authority = await enrichAuthorityClassification(authority, opts);
+        } catch {
+        }
+      }
     } catch (e) {
       unresolved.push({ programId: id, reason: `rpc_error: ${e?.message ?? String(e)}` });
       continue;
@@ -174,6 +216,10 @@ async function buildTrustGraph(programIds, opts = {}) {
 
 export {
   loadDirectory,
+  SYSTEM_PROGRAM,
+  KNOWN_AUTHORITY_OWNERS,
+  classifyUpgradeAuthority,
+  enrichAuthorityClassification,
   DEFAULT_TTL_HOURS,
   defaultCachePath,
   loadProgramCache,

package/dist/{chunk-5VYTURTO.js → chunk-HFYBK2VA.js}

@@ -7,7 +7,7 @@ import {
   loadPack,
   resolveRules,
   walk
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 
 // src/costAnalysis.ts
 import { Project, SyntaxKind } from "ts-morph";

package/dist/{chunk-2UZGWXIX.js → chunk-QMJEZ6NO.js}

@@ -1,19 +1,27 @@
 // src/trustGraph/render.ts
 function renderAuthority(p) {
   const a = p.upgradeAuthority;
+  const owner = a.ownerProgram ? ` _(owner: \`${a.ownerProgram}\`)_` : "";
   switch (a.kind) {
     case "renounced":
       return "\u{1F512} **Renounced** \u2014 program is frozen; no key can upgrade it.";
     case "single-key":
-      return `\u26A0\uFE0F **Single key** \`${a.address}\` \u2014 one private key can replace this program at any time.`;
+      return `\u26A0\uFE0F **Single key** \`${a.address}\` \u2014 one private key can replace this program at any time.${owner}`;
     case "multisig":
-      return `\u{1F510} **Multisig** \`${a.address}\` \u2014 a threshold of signers can upgrade.`;
+      return `\u{1F510} **Multisig** \`${a.address}\` \u2014 a threshold of signers can upgrade.${owner}`;
     case "dao":
-      return `\u{1F3DB} **DAO** \`${a.address}\` \u2014 governance program controls upgrades.`;
+      return `\u{1F3DB} **DAO** \`${a.address}\` \u2014 governance program controls upgrades.${owner}`;
     case "unknown":
-      return a.address ? `\u2753 **Unclassified authority** \`${a.address}\` \u2014 needs research to confirm single-key vs multisig/DAO.` : "\u2753 **Unknown** \u2014 could not determine upgrade authority.";
+      return a.address ? `\u2753 **Unclassified authority** \`${a.address}\`${owner} \u2014 needs research to confirm single-key vs multisig/DAO.` : "\u2753 **Unknown** \u2014 could not determine upgrade authority.";
   }
 }
+function renderTrustSummary(p) {
+  const a = p.upgradeAuthority;
+  const authBit = a.kind === "renounced" ? "\u{1F512} immutable" : a.kind === "multisig" ? "\u{1F510} multisig" : a.kind === "dao" ? "\u{1F3DB} DAO-governed" : a.kind === "single-key" ? "\u26A0\uFE0F single-key upgradeable" : "\u2753 authority unclassified";
+  const verifiedBit = p.verifiedBuild.state === "verified" ? "\u2705 verified build" : p.verifiedBuild.state === "unverified" ? "\u274C unverified" : "\u2753 build unchecked";
+  const auditBit = p.audits.length ? `\u2705 audited (${p.audits.map((x) => x.firm).join(", ")})` : "\u274C no audits on file";
+  return `${authBit} \xB7 ${verifiedBit} \xB7 ${auditBit}`;
+}
 function renderVerified(p) {
   const v = p.verifiedBuild;
   switch (v.state) {
@@ -42,6 +50,8 @@ function renderProgram(p) {
     "",
     `\`${p.programId}\`${p.kind ? ` \xB7 kind: \`${p.kind}\`` : ""}`,
     "",
+    `**Trust:** ${renderTrustSummary(p)}`,
+    "",
     `- **Upgrade authority:** ${renderAuthority(p)}`,
     `- **Verified build:** ${renderVerified(p)}`,
     `- **Parity:** ${renderParity(p)}`,

package/dist/chunk-S7X53LWF.js

@@ -0,0 +1,129 @@
+// src/tokenEconomics.ts
+var ECONOMIC_PATTERNS = [
+  {
+    id: "metaplex-seller-fee",
+    category: "royalty",
+    sdk: "Metaplex Token Metadata",
+    call: "createV1 / createNft / createFungible",
+    field: "sellerFeeBasisPoints",
+    whatZeroMeans: "Omitted \u2192 defaults to 0. Creators earn no royalty on any secondary sale, permanently \u2014 the token mints fine and looks correct on-chain.",
+    fix: "Set sellerFeeBasisPoints explicitly at mint time (e.g. 500 = 5%). There is no after-the-fact migration once minted.",
+    ruleId: "metaplex-seller-fee-zero",
+    status: "enforced",
+    docsUrl: "https://developers.metaplex.com/token-metadata/mint"
+  },
+  {
+    id: "bags-fee-share-creator",
+    category: "fee",
+    sdk: "Bags",
+    call: "createBagsFeeShareConfig",
+    field: "feeClaimers[].userBps (creator inclusion)",
+    whatZeroMeans: "The creator wallet omitted from feeClaimers, or the userBps not summing to 10000 \u2192 the creator's share of trading fees is silently zero. This is the original Bags trap.",
+    fix: "Include the creator wallet as a feeClaimers entry and ensure every userBps sums to 10000.",
+    ruleId: "bags-fee-share-creator-included",
+    status: "enforced",
+    docsUrl: "https://bags.fm"
+  },
+  {
+    id: "token2022-transfer-fee",
+    category: "fee",
+    sdk: "SPL Token-2022 (Transfer Fee extension)",
+    call: "createInitializeTransferFeeConfigInstruction",
+    field: "transferFeeBasisPoints",
+    whatZeroMeans: "Initializing the transfer-fee extension with 0 basis points \u2192 no fee is ever withheld on transfers. The extension is 'configured' but collects nothing.",
+    fix: "Pass a non-zero transferFeeBasisPoints (and a sensible maximumFee) when initializing the extension.",
+    // Positional-argument call — not an object-literal field, so the bundled
+    // object-field checker doesn't cover it yet. Advisory until a positional
+    // variant ships.
+    ruleId: null,
+    status: "advisory",
+    docsUrl: "https://www.solana-program.com/docs/token-2022/extensions#transfer-fee"
+  },
+  {
+    id: "reward-rate-zero",
+    category: "reward",
+    sdk: "Staking / LP reward distributors (generic)",
+    call: "initialize / configureReward (varies)",
+    field: "rewardRate / emissionsPerSecond",
+    whatZeroMeans: "A reward-rate or emissions field omitted/zeroed \u2192 stakers and LPs accrue nothing while the pool looks live. A silent, ongoing zero-yield misconfiguration.",
+    fix: "Set the reward-rate field explicitly and assert it is non-zero in your deploy script; add a project-local economic-value-zero-or-missing rule for your SDK's call shape.",
+    ruleId: null,
+    status: "advisory"
+  }
+];
+function getEconomicPattern(id) {
+  return ECONOMIC_PATTERNS.find((e) => e.id === id || e.ruleId === id);
+}
+function economicPatternsByCategory(cat) {
+  return ECONOMIC_PATTERNS.filter((e) => e.category === cat);
+}
+function enforcedCount(patterns = ECONOMIC_PATTERNS) {
+  return patterns.filter((e) => e.status === "enforced").length;
+}
+var CATEGORY_LABEL = {
+  royalty: "Royalties",
+  fee: "Fees",
+  reward: "Reward distribution"
+};
+function renderEconomicsMd(patterns = ECONOMIC_PATTERNS) {
+  const L = ["## Token Economics \u2014 silent zero-revenue class\n"];
+  L.push(
+    "The Bags exploit generalized: a revenue-bearing field that, if omitted or zeroed, silently collects nothing \u2014 forever. Watch these across every protocol that touches fees, royalties, or rewards.\n"
+  );
+  L.push("| Category | SDK | Field | Status | Rule |");
+  L.push("|----------|-----|-------|--------|------|");
+  for (const e of patterns) {
+    const status = e.status === "enforced" ? "\u2705 enforced" : "\u26A0\uFE0F advisory";
+    L.push(`| ${CATEGORY_LABEL[e.category]} | ${e.sdk} | \`${e.field}\` | ${status} | ${e.ruleId ? `\`${e.ruleId}\`` : "\u2014"} |`);
+  }
+  L.push("");
+  L.push(`**${enforcedCount(patterns)} of ${patterns.length} enforced by a bundled rule; the rest are advisories (grep targets / project-local rule candidates).**
+`);
+  for (const e of patterns) {
+    L.push(`### ${e.sdk} \u2014 \`${e.field}\` (${CATEGORY_LABEL[e.category]})
+`);
+    L.push(`- **Call:** \`${e.call}\``);
+    L.push(`- **Zero/omitted means:** ${e.whatZeroMeans}`);
+    L.push(`- **Fix:** ${e.fix}`);
+    L.push(`- **Detection:** ${e.ruleId ? `\`${e.ruleId}\` (bundled)` : "advisory \u2014 no bundled rule yet"}`);
+    if (e.docsUrl) L.push(`- **Docs:** ${e.docsUrl}`);
+    L.push("");
+  }
+  return L.join("\n");
+}
+function renderEconomicsText(patterns = ECONOMIC_PATTERNS) {
+  const L = [];
+  L.push("\u2500\u2500 Token Economics \u2014 silent zero-revenue class \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  L.push("  fields that default to zero and silently collect nothing");
+  L.push("");
+  for (const e of patterns) {
+    const status = e.status === "enforced" ? "[enforced]" : "[advisory]";
+    L.push(`  ${status} ${CATEGORY_LABEL[e.category]}: ${e.sdk} \xB7 ${e.field}`);
+    L.push(`    ${e.whatZeroMeans}`);
+    if (e.ruleId) L.push(`    rule: ${e.ruleId}`);
+    L.push("");
+  }
+  L.push(`  ${enforcedCount(patterns)}/${patterns.length} enforced by a bundled rule`);
+  return L.join("\n");
+}
+function renderEconomicDetailText(e) {
+  const L = [];
+  L.push(`\u2500\u2500 ${e.sdk} \u2014 ${e.field} \u2500\u2500`);
+  L.push(`  category:    ${CATEGORY_LABEL[e.category]}`);
+  L.push(`  call:        ${e.call}`);
+  L.push(`  zero means:  ${e.whatZeroMeans}`);
+  L.push(`  fix:         ${e.fix}`);
+  L.push(`  detection:   ${e.ruleId ? `${e.ruleId} (bundled rule)` : "advisory \u2014 no bundled rule yet"}`);
+  if (e.docsUrl) L.push(`  docs:        ${e.docsUrl}`);
+  return L.join("\n");
+}
+
+export {
+  ECONOMIC_PATTERNS,
+  getEconomicPattern,
+  economicPatternsByCategory,
+  enforcedCount,
+  renderEconomicsMd,
+  renderEconomicsText,
+  renderEconomicDetailText
+};

package/dist/{chunk-5H5JQXXU.js → chunk-V4XS5DKD.js}

@@ -1050,6 +1050,75 @@ function anchorCpiUnverifiedProgram(c, p) {
   };
 }
 
+// src/checkers/economicValueZeroOrMissing.ts
+import { SyntaxKind as SyntaxKind12 } from "ts-morph";
+function callName6(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind12.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind12.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind12.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function unwrap(expr) {
+  let e = expr;
+  while (e) {
+    const k = e.getKind();
+    if (k === SyntaxKind12.AsExpression || k === SyntaxKind12.ParenthesizedExpression || k === SyntaxKind12.TypeAssertionExpression || k === SyntaxKind12.NonNullExpression) {
+      e = e.getExpression();
+    } else break;
+  }
+  return e;
+}
+function isLiteralZero(expr) {
+  const u = unwrap(expr);
+  if (!u) return false;
+  const num = u.asKind(SyntaxKind12.NumericLiteral);
+  if (num) return Number(num.getLiteralValue()) === 0;
+  const big = u.asKind(SyntaxKind12.BigIntLiteral);
+  if (big) return /^0n?$/.test(big.getText().replace(/_/g, ""));
+  return false;
+}
+var economicValueZeroOrMissing = (c, p) => {
+  const names = Array.isArray(p.calls) ? p.calls : [p.calls];
+  const field = p.field;
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression).filter((x) => names.includes(callName6(x)));
+  if (calls.length === 0) {
+    return {
+      result: "cant_tell",
+      detail: p.absentDetail ?? `No call to ${names.join("/")} in '${c.fnName}'; economic-value check does not apply.`
+    };
+  }
+  for (const call of calls) {
+    const obj = call.getArguments().map((a) => unwrap(a)?.asKind(SyntaxKind12.ObjectLiteralExpression)).find((o) => !!o);
+    if (!obj) continue;
+    const member = obj.getProperty(field);
+    if (!member) {
+      return {
+        result: "fail",
+        detail: p.omittedDetail ?? `'${field}' is omitted from the ${callName6(call)} config \u2014 it defaults to zero. This is a permanent, silent zero-revenue misconfiguration: the call succeeds and no value is ever collected. Set '${field}' explicitly.`
+      };
+    }
+    const pa = member.asKind(SyntaxKind12.PropertyAssignment);
+    const shorthand = member.asKind(SyntaxKind12.ShorthandPropertyAssignment);
+    const init = pa?.getInitializer() ?? shorthand?.getNameNode();
+    if (isLiteralZero(init)) {
+      return {
+        result: "fail",
+        detail: p.zeroDetail ?? `'${field}' is set to a literal 0 in the ${callName6(call)} config \u2014 zero revenue will ever be collected. If intentional, this is a footgun; otherwise set a non-zero value.`
+      };
+    }
+    return {
+      result: "pass",
+      detail: p.passDetail ?? `'${field}' is set to a non-zero value in the ${callName6(call)} config.`
+    };
+  }
+  return {
+    result: "cant_tell",
+    detail: p.absentDetail ?? `Call to ${names.join("/")} found but its config argument isn't an object literal; can't validate '${field}'.`
+  };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -1068,7 +1137,8 @@ var registry = {
   "anchor-account-missing-constraint": anchorAccountMissingConstraint,
   "anchor-forbidden-account-type": anchorForbiddenAccountType,
   "anchor-body-call-pattern": anchorBodyCallPattern,
-  "anchor-cpi-unverified-program": anchorCpiUnverifiedProgram
+  "anchor-cpi-unverified-program": anchorCpiUnverifiedProgram,
+  "economic-value-zero-or-missing": economicValueZeroOrMissing
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -1284,7 +1354,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind12 } from "ts-morph";
+import { SyntaxKind as SyntaxKind13 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -1309,9 +1379,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind12.PropertyAccessExpression && exp.asKind(SyntaxKind12.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind13.PropertyAccessExpression && exp.asKind(SyntaxKind13.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -1326,7 +1396,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind12.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind13.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -1336,12 +1406,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind13 } from "ts-morph";
-function callName6(call) {
+import { SyntaxKind as SyntaxKind14 } from "ts-morph";
+function callName7(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind13.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind13.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind13.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind14.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind14.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind14.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -1359,15 +1429,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression);
-  const verify = calls.filter((x) => p.verifyCalls.includes(callName6(x)));
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind14.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName7(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind13.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind14.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind13.PropertyAssignment) ?? pr.asKind(SyntaxKind13.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind14.PropertyAssignment) ?? pr.asKind(SyntaxKind14.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -1375,7 +1445,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     );
     if (missingGroups.length === 0) return void 0;
     const newProps = missingGroups.map((g) => placeholderFor(g[0])).join(", ");
-    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName6(call)} call`;
+    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName7(call)} call`;
     if (obj) {
       const inner = obj.getText().slice(1, -1).trim();
       const newText = inner.length > 0 ? `{ ${inner}, ${newProps} }` : `{ ${newProps} }`;
@@ -1387,7 +1457,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     }
     return {
       summary,
-      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName6(call)}.`
+      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName7(call)}.`
     };
   }
   return {
@@ -1401,22 +1471,22 @@ JWKS must come from Privy's published JWKS endpoint for your app.`
 };
 
 // src/fixers/literalMultiplierWrongConstant.ts
-import { SyntaxKind as SyntaxKind14 } from "ts-morph";
-function callName7(call) {
+import { SyntaxKind as SyntaxKind15 } from "ts-morph";
+function callName8(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind14.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind14.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind14.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind15.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind15.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind15.PropertyAccessExpression).getName();
   }
   return "";
 }
 function findIdentifier(node, name) {
-  if (node.getKind() === SyntaxKind14.Identifier && node.getText() === name) return node;
-  return node.getDescendantsOfKind(SyntaxKind14.Identifier).find((id) => id.getText() === name);
+  if (node.getKind() === SyntaxKind15.Identifier && node.getText() === name) return node;
+  return node.getDescendantsOfKind(SyntaxKind15.Identifier).find((id) => id.getText() === name);
 }
 var fixLiteralMultiplierWrongConstant = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind14.CallExpression).filter((call) => callName7(call) === p.call);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind15.CallExpression).filter((call) => callName8(call) === p.call);
   if (calls.length === 0) return void 0;
   const arg = calls[0].getArguments()[p.argIndex];
   if (!arg) return void 0;

package/dist/chunk-WQFLKWBY.js

@@ -0,0 +1,110 @@
+import {
+  DEFAULT_RPC
+} from "./chunk-XSVQSK53.js";
+import {
+  isValidSolanaAddress
+} from "./chunk-VG5FMOLW.js";
+
+// src/oracle.ts
+var SLOT_MS = 400;
+var DEFAULT_STALENESS_SLOTS = 150;
+async function rpc(method, params, opts) {
+  const url = opts.rpcUrl ?? DEFAULT_RPC;
+  const fetchImpl = opts.fetchImpl ?? fetch;
+  const ac = new AbortController();
+  const t = setTimeout(() => ac.abort(), opts.timeoutMs ?? 1e4);
+  try {
+    const res = await fetchImpl(url, {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ jsonrpc: "2.0", id: 1, method, params }),
+      signal: ac.signal
+    });
+    if (!res.ok) throw new Error(`rpc ${method}: HTTP ${res.status}`);
+    const body = await res.json();
+    if (body.error) throw new Error(`rpc ${method}: ${body.error.message}`);
+    if (body.result === void 0) throw new Error(`rpc ${method}: empty result`);
+    return body.result;
+  } finally {
+    clearTimeout(t);
+  }
+}
+async function checkOracleFreshness(account, opts = {}) {
+  if (!isValidSolanaAddress(account)) throw new Error(`invalid Solana address: ${account}`);
+  const thresholdSlots = opts.maxStalenessSlots ?? (opts.maxStalenessSeconds != null ? Math.max(1, Math.round(opts.maxStalenessSeconds * 1e3 / SLOT_MS)) : DEFAULT_STALENESS_SLOTS);
+  const checkedAt = (/* @__PURE__ */ new Date()).toISOString();
+  const currentSlot = await rpc("getSlot", [{ commitment: "confirmed" }], opts);
+  const sigs = await rpc(
+    "getSignaturesForAddress",
+    [account, { limit: 1 }],
+    opts
+  );
+  if (!sigs || sigs.length === 0) {
+    return {
+      account,
+      currentSlot,
+      lastSlot: null,
+      lastBlockTime: null,
+      slotsBehind: null,
+      secondsBehind: null,
+      thresholdSlots,
+      fresh: false,
+      verdict: "NO_HISTORY",
+      checkedAt
+    };
+  }
+  const last = sigs[0];
+  const lastSlot = last.slot;
+  const lastBlockTime = last.blockTime ?? null;
+  const slotsBehind = Math.max(0, currentSlot - lastSlot);
+  const secondsBehind = lastBlockTime != null ? Math.max(0, Math.floor(Date.now() / 1e3) - lastBlockTime) : Math.round(slotsBehind * SLOT_MS / 1e3);
+  const fresh = slotsBehind <= thresholdSlots;
+  return {
+    account,
+    currentSlot,
+    lastSlot,
+    lastBlockTime,
+    slotsBehind,
+    secondsBehind,
+    thresholdSlots,
+    fresh,
+    verdict: fresh ? "FRESH" : "STALE",
+    checkedAt
+  };
+}
+function renderOracleText(f) {
+  const L = [];
+  L.push("\u2500\u2500 Oracle Freshness \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  L.push(`  account:       ${f.account}`);
+  L.push(`  current slot:  ${f.currentSlot.toLocaleString()}`);
+  if (f.verdict === "NO_HISTORY") {
+    L.push("  last write:    (no transactions found touching this account)");
+    L.push("  verdict:       \u2753 NO_HISTORY \u2014 cannot confirm freshness");
+    return L.join("\n");
+  }
+  L.push(`  last write:    slot ${f.lastSlot.toLocaleString()} (${f.slotsBehind.toLocaleString()} slots / ~${f.secondsBehind}s ago)`);
+  L.push(`  threshold:     ${f.thresholdSlots.toLocaleString()} slots`);
+  L.push(`  verdict:       ${f.fresh ? "\u2705 FRESH" : "\u{1F6A8} STALE \u2014 last update is older than the freshness threshold"}`);
+  return L.join("\n");
+}
+function renderOracleMd(f) {
+  const L = ["## Oracle Freshness\n"];
+  L.push(`**Account:** \`${f.account}\`  \xB7  checked ${f.checkedAt}
+`);
+  if (f.verdict === "NO_HISTORY") {
+    L.push("\u2753 **NO_HISTORY** \u2014 no transactions were found touching this account, so freshness can't be confirmed. Double-check the address.");
+    return L.join("\n");
+  }
+  const badge = f.fresh ? "\u2705 **FRESH**" : "\u{1F6A8} **STALE**";
+  L.push(`${badge} \u2014 last written at slot ${f.lastSlot.toLocaleString()}, ${f.slotsBehind.toLocaleString()} slots (~${f.secondsBehind}s) behind the current slot (${f.currentSlot.toLocaleString()}).`);
+  L.push("");
+  L.push(`Threshold: ${f.thresholdSlots.toLocaleString()} slots. ${f.fresh ? "Within tolerance." : "**Exceeds tolerance \u2014 do not price against this feed until it updates.**"}`);
+  return L.join("\n");
+}
+
+export {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleText,
+  renderOracleMd
+};

package/dist/cli.js

@@ -18,21 +18,21 @@ import {
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-5VYTURTO.js";
+} from "./chunk-HFYBK2VA.js";
 import {
   renderTrustGraphMd
-} from "./chunk-2UZGWXIX.js";
+} from "./chunk-QMJEZ6NO.js";
 import {
   buildTrustGraph,
   cacheSize,
   defaultCachePath,
   loadProgramCache
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 import {
   audit,
   getChangedRanges,
   resolveRules
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 import "./chunk-2XJORJPQ.js";
 import "./chunk-O5Z4ZJHC.js";
 import "./chunk-XSVQSK53.js";
@@ -480,7 +480,7 @@ if (args[0] === "drift") {
   process.exit(0);
 }
 if (args[0] === "mcp") {
-  const { startMcpServer } = await import("./mcp-EOTWSQK7.js");
+  const { startMcpServer } = await import("./mcp-LITBQHBF.js");
   await startMcpServer();
   process.exit(0);
 }
@@ -563,6 +563,14 @@ if (args[0] === "exploits") {
   runExploits(args.slice(1));
   process.exit(0);
 }
+if (args[0] === "oracle") {
+  await runOracle(args.slice(1));
+  process.exit(0);
+}
+if (args[0] === "economics") {
+  await runEconomics(args.slice(1));
+  process.exit(0);
+}
 if (args[0] === "fix") {
   await runFix(args.slice(1));
   process.exit(0);
@@ -700,6 +708,87 @@ function runDeployPlan(argv) {
   writeFileSync2(mdPath, renderDeployPlanMd(plan));
   console.log(`  deploy plan: ${mdPath}`);
 }
+async function runEconomics(argv) {
+  const {
+    ECONOMIC_PATTERNS,
+    getEconomicPattern,
+    renderEconomicsText,
+    renderEconomicsMd,
+    renderEconomicDetailText
+  } = await import("./tokenEconomics-HBF3DYNH.js");
+  if (argv.includes("--help") || argv.includes("-h")) {
+    console.log("usage: brainblast economics [id] [--json]");
+    console.log("  Token Economics Validator: the silent zero-revenue class (fees, royalties,");
+    console.log("  rewards) \u2014 fields that default to zero and quietly collect nothing. Pass an");
+    console.log("  id to see one in detail. Known ids:");
+    console.log(`    ${ECONOMIC_PATTERNS.map((e) => e.id).join(", ")}`);
+    process.exit(0);
+  }
+  const json = argv.includes("--json");
+  const id = argv.find((a) => !a.startsWith("--"));
+  if (id) {
+    const e = getEconomicPattern(id);
+    if (!e) {
+      console.error(`error: no economic pattern '${id}'. Known: ${ECONOMIC_PATTERNS.map((x) => x.id).join(", ")}`);
+      process.exit(2);
+    }
+    if (json) console.log(JSON.stringify(e, null, 2));
+    else console.log(renderEconomicDetailText(e));
+    return;
+  }
+  if (json) {
+    console.log(JSON.stringify(ECONOMIC_PATTERNS, null, 2));
+    return;
+  }
+  console.log(renderEconomicsText());
+  const outDir2 = join3(process.cwd(), ".agent-research");
+  mkdirSync2(outDir2, { recursive: true });
+  writeFileSync2(join3(outDir2, "token-economics.md"), renderEconomicsMd());
+  console.log(`
+  catalog: ${join3(outDir2, "token-economics.md")}`);
+}
+async function runOracle(argv) {
+  if (argv.includes("--help") || argv.includes("-h") || argv.filter((a) => !a.startsWith("--")).length === 0) {
+    console.log("usage: brainblast oracle <account> [--rpc URL] [--max-staleness-slots N | --max-staleness-seconds N] [--json]");
+    console.log("  Is the oracle fresh? Reports how many slots/seconds ago the price account was");
+    console.log("  last written (provider-agnostic) and gates FRESH/STALE. Exit 1 on STALE or");
+    console.log("  NO_HISTORY. Pass your own --rpc for reliable results (public RPC is rate-limited).");
+    process.exit(argv.length === 0 ? 2 : 0);
+  }
+  const { checkOracleFreshness, renderOracleText, renderOracleMd } = await import("./oracle-DVZLFJ43.js");
+  const num = (name) => {
+    const i = argv.indexOf(`--${name}`);
+    if (i < 0) return void 0;
+    const v = parseInt(argv[i + 1], 10);
+    return Number.isFinite(v) ? v : void 0;
+  };
+  const rpcIdx = argv.indexOf("--rpc");
+  const rpcUrl = rpcIdx >= 0 ? argv[rpcIdx + 1] : void 0;
+  const account = argv.find(
+    (a, i) => !a.startsWith("--") && argv[i - 1] !== "--rpc" && argv[i - 1] !== "--max-staleness-slots" && argv[i - 1] !== "--max-staleness-seconds"
+  );
+  if (!account) {
+    console.error("error: missing <account>. usage: brainblast oracle <account> [--rpc URL] [--json]");
+    process.exit(2);
+  }
+  let f;
+  try {
+    f = await checkOracleFreshness(account, {
+      rpcUrl,
+      maxStalenessSlots: num("max-staleness-slots"),
+      maxStalenessSeconds: num("max-staleness-seconds")
+    });
+  } catch (e) {
+    console.error(`error: ${e?.message ?? String(e)}`);
+    process.exit(2);
+  }
+  if (argv.includes("--json")) console.log(JSON.stringify(f, null, 2));
+  else console.log(renderOracleText(f));
+  const outDir2 = join3(process.cwd(), ".agent-research");
+  mkdirSync2(outDir2, { recursive: true });
+  writeFileSync2(join3(outDir2, "oracle-freshness.md"), renderOracleMd(f));
+  process.exit(f.fresh ? 0 : 1);
+}
 function runExploits(argv) {
   if (argv.includes("--help") || argv.includes("-h")) {
     console.log("usage: brainblast exploits [id] [--json]");
@@ -1172,8 +1261,8 @@ async function runIdlRules(argv) {
   }
 }
 async function runScore(argv) {
-  const { scoreProgram, renderScoreText, gradeAtLeast } = await import("./score-VLKER37D.js");
-  const { isValidSolanaAddress: isValidSolanaAddress2 } = await import("./trustGraph-4SSJOQKT.js");
+  const { scoreProgram, renderScoreText, gradeAtLeast } = await import("./score-YXFXD6QG.js");
+  const { isValidSolanaAddress: isValidSolanaAddress2 } = await import("./trustGraph-K5PWNEL4.js");
   const programId = argv.find((a) => !a.startsWith("--"));
   if (!programId) {
     console.error("usage: brainblast score <program-id> [--rpc URL] [--no-probe] [--min A|B|C|D|F] [--json]");

package/dist/index.d.ts

@@ -388,6 +388,7 @@ interface UpgradeAuthority {
     address: string | null;
     source: UpgradeAuthoritySource;
     checkedAt?: string;
+    ownerProgram?: string;
 }
 type VerifiedBuildState = {
     state: "verified";
@@ -443,6 +444,7 @@ interface RpcOpts {
 
 interface BuildOpts extends RpcOpts {
     probeRpc?: boolean;
+    classifyAuthority?: boolean;
     directoryPath?: string;
     cachePath?: string | null;
 }
@@ -452,6 +454,20 @@ declare function renderTrustGraphMd(g: TrustGraph): string;
 
 declare function loadDirectory(path?: string): Map<string, OnChainProgram>;
 
+declare const SYSTEM_PROGRAM = "11111111111111111111111111111111";
+interface KnownOwner {
+    kind: Exclude<UpgradeAuthorityKind, "renounced">;
+    label: string;
+}
+declare const KNOWN_AUTHORITY_OWNERS: Record<string, KnownOwner>;
+interface AuthorityClassification {
+    kind: UpgradeAuthorityKind;
+    ownerProgram?: string;
+    ownerLabel?: string;
+}
+declare function classifyUpgradeAuthority(address: string, opts?: RpcOpts): Promise<AuthorityClassification>;
+declare function enrichAuthorityClassification(authority: UpgradeAuthority, opts?: RpcOpts): Promise<UpgradeAuthority>;
+
 declare function base58Encode(bytes: Uint8Array): string;
 declare function base58Decode(s: string): Uint8Array;
 declare function isValidSolanaAddress(s: string): boolean;
@@ -876,6 +892,62 @@ declare function batchScan(mints: string[], opts?: BatchScanOpts): Promise<Batch
 declare function parseMintList(content: string): string[];
 declare function renderBatchText(result: BatchResult): string;
 
+declare const DEFAULT_STALENESS_SLOTS = 150;
+type OracleVerdict = "FRESH" | "STALE" | "NO_HISTORY";
+interface OracleFreshness {
+    account: string;
+    currentSlot: number;
+    /** Slot of the most recent signature touching the account; null if none. */
+    lastSlot: number | null;
+    /** Unix seconds of that signature's block, when the RPC provides it. */
+    lastBlockTime: number | null;
+    slotsBehind: number | null;
+    secondsBehind: number | null;
+    thresholdSlots: number;
+    fresh: boolean;
+    verdict: OracleVerdict;
+    checkedAt: string;
+}
+interface OracleOpts extends RpcOpts {
+    /** Staleness threshold in slots (default 150 ≈ 60s). */
+    maxStalenessSlots?: number;
+    /** Staleness threshold in seconds; converted to slots (~400ms each). */
+    maxStalenessSeconds?: number;
+}
+declare function checkOracleFreshness(account: string, opts?: OracleOpts): Promise<OracleFreshness>;
+declare function renderOracleText(f: OracleFreshness): string;
+declare function renderOracleMd(f: OracleFreshness): string;
+
+type EconomicCategory = "royalty" | "fee" | "reward";
+type EconomicStatus = "enforced" | "advisory";
+interface EconomicPattern {
+    /** Stable slug. */
+    id: string;
+    category: EconomicCategory;
+    /** SDK / protocol the field belongs to. */
+    sdk: string;
+    /** The setup/config call that takes the field. */
+    call: string;
+    /** The revenue-bearing field that silently defaults to zero. */
+    field: string;
+    /** What a zero/omitted value costs you, in one sentence. */
+    whatZeroMeans: string;
+    /** The safe pattern. */
+    fix: string;
+    /** Bundled rule that detects this, or null for an advisory entry. */
+    ruleId: string | null;
+    status: EconomicStatus;
+    /** Optional reference / docs URL. */
+    docsUrl?: string;
+}
+declare const ECONOMIC_PATTERNS: EconomicPattern[];
+declare function getEconomicPattern(id: string): EconomicPattern | undefined;
+declare function economicPatternsByCategory(cat: EconomicCategory): EconomicPattern[];
+declare function enforcedCount(patterns?: EconomicPattern[]): number;
+declare function renderEconomicsMd(patterns?: EconomicPattern[]): string;
+declare function renderEconomicsText(patterns?: EconomicPattern[]): string;
+declare function renderEconomicDetailText(e: EconomicPattern): string;
+
 interface ExploitPattern {
     /** Stable slug, e.g. "wormhole". */
     id: string;
@@ -905,4 +977,4 @@ declare function renderExploitsMd(patterns?: ExploitPattern[]): string;
 declare function renderExploitsText(patterns?: ExploitPattern[]): string;
 declare function renderExploitDetailText(e: ExploitPattern): string;
 
-export { type AccountFlow, type AnchorIdl, type AuditRef, type BatchResult, type BatchRow, type BatchScanOpts, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChainEvent, type ChainWatchOpts, type ChainWatchState, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_TTL_HOURS, type DecodedInstruction, type DecodedTx, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, EXPLOIT_PATTERNS, type ExploitPattern, type FirewallFinding, type FirewallOpts, type FirewallProgram, type FirewallReport, type FirewallSeverity, type FirewallVerdict, type Grade, type GraduationEvent, type IdentityStatus, type IdlAccount, type IdlConstraintParams, type IdlInstruction, KNOWN_PROGRAMS, type MintInfo, type OnChainProgram, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PreflightCheck, type PreflightOpts, type PreflightReport, type PreflightStatus, type PreflightVerdict, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, type ScoreFactor, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type TrustScore, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeInstructions, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, batchScan, buildConstraintParams, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkerKinds, decodeTransaction, defaultCachePath, deployerFlagsFrom, diffVersions, fileChanged, findCandidates, findConfigCandidates, formatUsd, generateRulesFromIdl, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getExploitPattern, getRepoHash, getUserHash, getWorkingTreeChanges, gradeAtLeast, gradeForScore, idlProgramName, initPack, initialChainWatchState, inspectTransaction, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseCpiPrograms, parseDiff, parseIdl, parseMintAccount, parseMintList, pollChainOnce, pumpPreflight, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderBatchText, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderExploitDetailText, renderExploitsMd, renderExploitsText, renderFirewallText, renderPreflightText, renderRicoText, renderRulesYaml, renderScoreText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, scoreFromProgram, scoreProgram, seedPackages, startChainWatch, startWatch, submitTelemetry, telemetryFilePath, testKinds, toSnakeCase, totalLossUsd, validatePack, validatePackManifest, verifyTokenIdentity };
+export { type AccountFlow, type AnchorIdl, type AuditRef, type AuthorityClassification, type BatchResult, type BatchRow, type BatchScanOpts, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChainEvent, type ChainWatchOpts, type ChainWatchState, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_STALENESS_SLOTS, DEFAULT_TTL_HOURS, type DecodedInstruction, type DecodedTx, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, ECONOMIC_PATTERNS, EXPLOIT_PATTERNS, type EconomicCategory, type EconomicPattern, type EconomicStatus, type ExploitPattern, type FirewallFinding, type FirewallOpts, type FirewallProgram, type FirewallReport, type FirewallSeverity, type FirewallVerdict, type Grade, type GraduationEvent, type IdentityStatus, type IdlAccount, type IdlConstraintParams, type IdlInstruction, KNOWN_AUTHORITY_OWNERS, KNOWN_PROGRAMS, type MintInfo, type OnChainProgram, type OracleFreshness, type OracleOpts, type OracleVerdict, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PreflightCheck, type PreflightOpts, type PreflightReport, type PreflightStatus, type PreflightVerdict, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, SYSTEM_PROGRAM, type ScoreFactor, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type TrustScore, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeInstructions, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, batchScan, buildConstraintParams, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkOracleFreshness, checkerKinds, classifyUpgradeAuthority, decodeTransaction, defaultCachePath, deployerFlagsFrom, diffVersions, economicPatternsByCategory, enforcedCount, enrichAuthorityClassification, fileChanged, findCandidates, findConfigCandidates, formatUsd, generateRulesFromIdl, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getEconomicPattern, getExploitPattern, getRepoHash, getUserHash, getWorkingTreeChanges, gradeAtLeast, gradeForScore, idlProgramName, initPack, initialChainWatchState, inspectTransaction, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseCpiPrograms, parseDiff, parseIdl, parseMintAccount, parseMintList, pollChainOnce, pumpPreflight, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderBatchText, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderEconomicDetailText, renderEconomicsMd, renderEconomicsText, renderExploitDetailText, renderExploitsMd, renderExploitsText, renderFirewallText, renderOracleMd, renderOracleText, renderPreflightText, renderRicoText, renderRulesYaml, renderScoreText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, scoreFromProgram, scoreProgram, seedPackages, startChainWatch, startWatch, submitTelemetry, telemetryFilePath, testKinds, toSnakeCase, totalLossUsd, validatePack, validatePackManifest, verifyTokenIdentity };

package/dist/index.js

@@ -1,3 +1,23 @@
+import {
+  batchScan,
+  parseMintList,
+  renderBatchText
+} from "./chunk-QC27GNQ7.js";
+import {
+  ECONOMIC_PATTERNS,
+  economicPatternsByCategory,
+  enforcedCount,
+  getEconomicPattern,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText
+} from "./chunk-S7X53LWF.js";
+import {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleMd,
+  renderOracleText
+} from "./chunk-WQFLKWBY.js";
 import {
   checkDrift,
   renderDriftText,
@@ -17,17 +37,12 @@ import {
   renderScoreText,
   scoreFromProgram,
   scoreProgram
-} from "./chunk-UWE6HAGS.js";
+} from "./chunk-F7QOW3IM.js";
 import {
   parseMintAccount,
   pumpPreflight,
   renderPreflightText
 } from "./chunk-WX3IR7LK.js";
-import {
-  batchScan,
-  parseMintList,
-  renderBatchText
-} from "./chunk-QC27GNQ7.js";
 import {
   analyzeToken,
   deployerFlagsFrom,
@@ -61,15 +76,19 @@ import {
   telemetryFilePath,
   totalLossUsd,
   validatePack
-} from "./chunk-5VYTURTO.js";
+} from "./chunk-HFYBK2VA.js";
 import {
   renderTrustGraphMd
-} from "./chunk-2UZGWXIX.js";
+} from "./chunk-QMJEZ6NO.js";
 import {
   DEFAULT_TTL_HOURS,
+  KNOWN_AUTHORITY_OWNERS,
+  SYSTEM_PROGRAM,
   buildTrustGraph,
   cacheSize,
+  classifyUpgradeAuthority,
   defaultCachePath,
+  enrichAuthorityClassification,
   getCacheEntry,
   getCacheEntryMeta,
   isEntryExpired,
@@ -77,7 +96,7 @@ import {
   loadProgramCache,
   putCacheEntry,
   saveProgramCache
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 import {
   PACK_MANIFEST_FILE,
   audit,
@@ -98,7 +117,7 @@ import {
   runChecker,
   testKinds,
   validatePackManifest
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 import {
   CANONICAL_BY_MINT,
   CANONICAL_MINTS,
@@ -150,10 +169,14 @@ export {
   CANONICAL_BY_MINT,
   CANONICAL_MINTS,
   DEFAULT_REGISTRY_URL,
+  DEFAULT_STALENESS_SLOTS,
   DEFAULT_TTL_HOURS,
+  ECONOMIC_PATTERNS,
   EXPLOIT_PATTERNS,
+  KNOWN_AUTHORITY_OWNERS,
   KNOWN_PROGRAMS,
   PACK_MANIFEST_FILE,
+  SYSTEM_PROGRAM,
   analyzeCosts,
   analyzeInstructions,
   analyzeToken,
@@ -169,11 +192,16 @@ export {
   cacheSize,
   canonicalMintForSymbol,
   checkDrift,
+  checkOracleFreshness,
   checkerKinds,
+  classifyUpgradeAuthority,
   decodeTransaction,
   defaultCachePath,
   deployerFlagsFrom,
   diffVersions,
+  economicPatternsByCategory,
+  enforcedCount,
+  enrichAuthorityClassification,
   fileChanged,
   findCandidates,
   findConfigCandidates,
@@ -183,6 +211,7 @@ export {
   getCacheEntry,
   getCacheEntryMeta,
   getChangedRanges,
+  getEconomicPattern,
   getExploitPattern,
   getRepoHash,
   getUserHash,
@@ -219,10 +248,15 @@ export {
   renderDiffMd,
   renderDiffText,
   renderDriftText,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText,
   renderExploitDetailText,
   renderExploitsMd,
   renderExploitsText,
   renderFirewallText,
+  renderOracleMd,
+  renderOracleText,
   renderPreflightText,
   renderRicoText,
   renderRulesYaml,

package/dist/{mcp-EOTWSQK7.js → mcp-LITBQHBF.js}

@@ -1,7 +1,7 @@
 import {
   audit,
   resolveRules
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 import "./chunk-2XJORJPQ.js";
 import "./chunk-O5Z4ZJHC.js";
 import {

package/dist/oracle-DVZLFJ43.js

@@ -0,0 +1,15 @@
+import {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleMd,
+  renderOracleText
+} from "./chunk-WQFLKWBY.js";
+import "./chunk-XSVQSK53.js";
+import "./chunk-VG5FMOLW.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  DEFAULT_STALENESS_SLOTS,
+  checkOracleFreshness,
+  renderOracleMd,
+  renderOracleText
+};

package/dist/rules/metaplex-seller-fee-zero.yaml

@@ -0,0 +1,41 @@
+# Token Economics Validator (v0.7.5) — the generalized Bags exploit.
+# A revenue-bearing field omitted from a config object silently defaults to
+# zero: the call succeeds, nothing is collected, forever. Here: Metaplex
+# `sellerFeeBasisPoints` — the on-chain royalty creators earn on secondary
+# sales. Omit it (or set 0) and the creators earn nothing, permanently.
+id: metaplex-seller-fee-zero
+severity: high
+title: Metaplex token created with sellerFeeBasisPoints omitted or zero — creators earn no royalties
+component:
+  name: Metaplex Token Metadata
+  type: Blockchain
+  version: unversioned
+  sourceUrl: https://developers.metaplex.com/token-metadata/mint
+detect:
+  modules:
+    - "@metaplex-foundation/mpl-token-metadata"
+    - "@metaplex-foundation/js"
+  nameRegex: "metaplex|mpl|createNft|mint"
+  triggerCalls: [create, createV1, createNft, createFungible, createAndMint]
+check:
+  kind: economic-value-zero-or-missing
+  params:
+    calls: [create, createV1, createNft, createFungible, createAndMint]
+    field: sellerFeeBasisPoints
+    omittedDetail: >-
+      The Metaplex create call omits sellerFeeBasisPoints, which defaults to 0.
+      The token mints fine, but creators earn ZERO royalties on every secondary
+      sale — permanently and silently. There is no after-the-fact fix once
+      minted. Set sellerFeeBasisPoints explicitly (e.g. 500 = 5%).
+    zeroDetail: >-
+      sellerFeeBasisPoints is set to a literal 0 — creators will earn no royalty
+      on secondary sales. If this token is meant to be royalty-free that's fine;
+      otherwise set a non-zero basis-points value.
+    passDetail: >-
+      sellerFeeBasisPoints is set to a non-zero value — secondary-sale royalties
+      are configured.
+    absentDetail: >-
+      Handler is in Metaplex scope but does not call a token-create function;
+      the royalty-allocation rule does not apply here.
+test:
+  kind: none

package/dist/{score-VLKER37D.js → score-YXFXD6QG.js}

@@ -4,8 +4,8 @@ import {
   renderScoreText,
   scoreFromProgram,
   scoreProgram
-} from "./chunk-UWE6HAGS.js";
-import "./chunk-SVSVVW6U.js";
+} from "./chunk-F7QOW3IM.js";
+import "./chunk-GF37ANSW.js";
 import "./chunk-XSVQSK53.js";
 import "./chunk-VG5FMOLW.js";
 import "./chunk-3RG5ZIWI.js";

package/dist/tokenEconomics-HBF3DYNH.js

@@ -0,0 +1,19 @@
+import {
+  ECONOMIC_PATTERNS,
+  economicPatternsByCategory,
+  enforcedCount,
+  getEconomicPattern,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText
+} from "./chunk-S7X53LWF.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  ECONOMIC_PATTERNS,
+  economicPatternsByCategory,
+  enforcedCount,
+  getEconomicPattern,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText
+};

package/dist/{trustGraph-4SSJOQKT.js → trustGraph-K5PWNEL4.js}

@@ -1,12 +1,16 @@
 import {
   renderProgram,
   renderTrustGraphMd
-} from "./chunk-2UZGWXIX.js";
+} from "./chunk-QMJEZ6NO.js";
 import {
   DEFAULT_TTL_HOURS,
+  KNOWN_AUTHORITY_OWNERS,
+  SYSTEM_PROGRAM,
   buildTrustGraph,
   cacheSize,
+  classifyUpgradeAuthority,
   defaultCachePath,
+  enrichAuthorityClassification,
   getCacheEntry,
   getCacheEntryMeta,
   isEntryExpired,
@@ -14,7 +18,7 @@ import {
   loadProgramCache,
   putCacheEntry,
   saveProgramCache
-} from "./chunk-SVSVVW6U.js";
+} from "./chunk-GF37ANSW.js";
 import {
   DEFAULT_RPC,
   getAccountInfo,
@@ -29,11 +33,15 @@ import "./chunk-3RG5ZIWI.js";
 export {
   DEFAULT_RPC,
   DEFAULT_TTL_HOURS,
+  KNOWN_AUTHORITY_OWNERS,
+  SYSTEM_PROGRAM,
   base58Decode,
   base58Encode,
   buildTrustGraph,
   cacheSize,
+  classifyUpgradeAuthority,
   defaultCachePath,
+  enrichAuthorityClassification,
   getAccountInfo,
   getCacheEntry,
   getCacheEntryMeta,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.7.3",
+  "version": "0.7.5",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [