brainblast 0.7.4 → 0.7.5

package/dist/{chunk-5VYTURTO.js → chunk-HFYBK2VA.js}

@@ -7,7 +7,7 @@ import {
   loadPack,
   resolveRules,
   walk
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 
 // src/costAnalysis.ts
 import { Project, SyntaxKind } from "ts-morph";

package/dist/chunk-S7X53LWF.js

@@ -0,0 +1,129 @@
+// src/tokenEconomics.ts
+var ECONOMIC_PATTERNS = [
+  {
+    id: "metaplex-seller-fee",
+    category: "royalty",
+    sdk: "Metaplex Token Metadata",
+    call: "createV1 / createNft / createFungible",
+    field: "sellerFeeBasisPoints",
+    whatZeroMeans: "Omitted \u2192 defaults to 0. Creators earn no royalty on any secondary sale, permanently \u2014 the token mints fine and looks correct on-chain.",
+    fix: "Set sellerFeeBasisPoints explicitly at mint time (e.g. 500 = 5%). There is no after-the-fact migration once minted.",
+    ruleId: "metaplex-seller-fee-zero",
+    status: "enforced",
+    docsUrl: "https://developers.metaplex.com/token-metadata/mint"
+  },
+  {
+    id: "bags-fee-share-creator",
+    category: "fee",
+    sdk: "Bags",
+    call: "createBagsFeeShareConfig",
+    field: "feeClaimers[].userBps (creator inclusion)",
+    whatZeroMeans: "The creator wallet omitted from feeClaimers, or the userBps not summing to 10000 \u2192 the creator's share of trading fees is silently zero. This is the original Bags trap.",
+    fix: "Include the creator wallet as a feeClaimers entry and ensure every userBps sums to 10000.",
+    ruleId: "bags-fee-share-creator-included",
+    status: "enforced",
+    docsUrl: "https://bags.fm"
+  },
+  {
+    id: "token2022-transfer-fee",
+    category: "fee",
+    sdk: "SPL Token-2022 (Transfer Fee extension)",
+    call: "createInitializeTransferFeeConfigInstruction",
+    field: "transferFeeBasisPoints",
+    whatZeroMeans: "Initializing the transfer-fee extension with 0 basis points \u2192 no fee is ever withheld on transfers. The extension is 'configured' but collects nothing.",
+    fix: "Pass a non-zero transferFeeBasisPoints (and a sensible maximumFee) when initializing the extension.",
+    // Positional-argument call — not an object-literal field, so the bundled
+    // object-field checker doesn't cover it yet. Advisory until a positional
+    // variant ships.
+    ruleId: null,
+    status: "advisory",
+    docsUrl: "https://www.solana-program.com/docs/token-2022/extensions#transfer-fee"
+  },
+  {
+    id: "reward-rate-zero",
+    category: "reward",
+    sdk: "Staking / LP reward distributors (generic)",
+    call: "initialize / configureReward (varies)",
+    field: "rewardRate / emissionsPerSecond",
+    whatZeroMeans: "A reward-rate or emissions field omitted/zeroed \u2192 stakers and LPs accrue nothing while the pool looks live. A silent, ongoing zero-yield misconfiguration.",
+    fix: "Set the reward-rate field explicitly and assert it is non-zero in your deploy script; add a project-local economic-value-zero-or-missing rule for your SDK's call shape.",
+    ruleId: null,
+    status: "advisory"
+  }
+];
+function getEconomicPattern(id) {
+  return ECONOMIC_PATTERNS.find((e) => e.id === id || e.ruleId === id);
+}
+function economicPatternsByCategory(cat) {
+  return ECONOMIC_PATTERNS.filter((e) => e.category === cat);
+}
+function enforcedCount(patterns = ECONOMIC_PATTERNS) {
+  return patterns.filter((e) => e.status === "enforced").length;
+}
+var CATEGORY_LABEL = {
+  royalty: "Royalties",
+  fee: "Fees",
+  reward: "Reward distribution"
+};
+function renderEconomicsMd(patterns = ECONOMIC_PATTERNS) {
+  const L = ["## Token Economics \u2014 silent zero-revenue class\n"];
+  L.push(
+    "The Bags exploit generalized: a revenue-bearing field that, if omitted or zeroed, silently collects nothing \u2014 forever. Watch these across every protocol that touches fees, royalties, or rewards.\n"
+  );
+  L.push("| Category | SDK | Field | Status | Rule |");
+  L.push("|----------|-----|-------|--------|------|");
+  for (const e of patterns) {
+    const status = e.status === "enforced" ? "\u2705 enforced" : "\u26A0\uFE0F advisory";
+    L.push(`| ${CATEGORY_LABEL[e.category]} | ${e.sdk} | \`${e.field}\` | ${status} | ${e.ruleId ? `\`${e.ruleId}\`` : "\u2014"} |`);
+  }
+  L.push("");
+  L.push(`**${enforcedCount(patterns)} of ${patterns.length} enforced by a bundled rule; the rest are advisories (grep targets / project-local rule candidates).**
+`);
+  for (const e of patterns) {
+    L.push(`### ${e.sdk} \u2014 \`${e.field}\` (${CATEGORY_LABEL[e.category]})
+`);
+    L.push(`- **Call:** \`${e.call}\``);
+    L.push(`- **Zero/omitted means:** ${e.whatZeroMeans}`);
+    L.push(`- **Fix:** ${e.fix}`);
+    L.push(`- **Detection:** ${e.ruleId ? `\`${e.ruleId}\` (bundled)` : "advisory \u2014 no bundled rule yet"}`);
+    if (e.docsUrl) L.push(`- **Docs:** ${e.docsUrl}`);
+    L.push("");
+  }
+  return L.join("\n");
+}
+function renderEconomicsText(patterns = ECONOMIC_PATTERNS) {
+  const L = [];
+  L.push("\u2500\u2500 Token Economics \u2014 silent zero-revenue class \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500");
+  L.push("  fields that default to zero and silently collect nothing");
+  L.push("");
+  for (const e of patterns) {
+    const status = e.status === "enforced" ? "[enforced]" : "[advisory]";
+    L.push(`  ${status} ${CATEGORY_LABEL[e.category]}: ${e.sdk} \xB7 ${e.field}`);
+    L.push(`    ${e.whatZeroMeans}`);
+    if (e.ruleId) L.push(`    rule: ${e.ruleId}`);
+    L.push("");
+  }
+  L.push(`  ${enforcedCount(patterns)}/${patterns.length} enforced by a bundled rule`);
+  return L.join("\n");
+}
+function renderEconomicDetailText(e) {
+  const L = [];
+  L.push(`\u2500\u2500 ${e.sdk} \u2014 ${e.field} \u2500\u2500`);
+  L.push(`  category:    ${CATEGORY_LABEL[e.category]}`);
+  L.push(`  call:        ${e.call}`);
+  L.push(`  zero means:  ${e.whatZeroMeans}`);
+  L.push(`  fix:         ${e.fix}`);
+  L.push(`  detection:   ${e.ruleId ? `${e.ruleId} (bundled rule)` : "advisory \u2014 no bundled rule yet"}`);
+  if (e.docsUrl) L.push(`  docs:        ${e.docsUrl}`);
+  return L.join("\n");
+}
+
+export {
+  ECONOMIC_PATTERNS,
+  getEconomicPattern,
+  economicPatternsByCategory,
+  enforcedCount,
+  renderEconomicsMd,
+  renderEconomicsText,
+  renderEconomicDetailText
+};

package/dist/{chunk-5H5JQXXU.js → chunk-V4XS5DKD.js}

@@ -1050,6 +1050,75 @@ function anchorCpiUnverifiedProgram(c, p) {
   };
 }
 
+// src/checkers/economicValueZeroOrMissing.ts
+import { SyntaxKind as SyntaxKind12 } from "ts-morph";
+function callName6(call) {
+  const exp = call.getExpression();
+  if (exp.getKind() === SyntaxKind12.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind12.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind12.PropertyAccessExpression).getName();
+  }
+  return "";
+}
+function unwrap(expr) {
+  let e = expr;
+  while (e) {
+    const k = e.getKind();
+    if (k === SyntaxKind12.AsExpression || k === SyntaxKind12.ParenthesizedExpression || k === SyntaxKind12.TypeAssertionExpression || k === SyntaxKind12.NonNullExpression) {
+      e = e.getExpression();
+    } else break;
+  }
+  return e;
+}
+function isLiteralZero(expr) {
+  const u = unwrap(expr);
+  if (!u) return false;
+  const num = u.asKind(SyntaxKind12.NumericLiteral);
+  if (num) return Number(num.getLiteralValue()) === 0;
+  const big = u.asKind(SyntaxKind12.BigIntLiteral);
+  if (big) return /^0n?$/.test(big.getText().replace(/_/g, ""));
+  return false;
+}
+var economicValueZeroOrMissing = (c, p) => {
+  const names = Array.isArray(p.calls) ? p.calls : [p.calls];
+  const field = p.field;
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression).filter((x) => names.includes(callName6(x)));
+  if (calls.length === 0) {
+    return {
+      result: "cant_tell",
+      detail: p.absentDetail ?? `No call to ${names.join("/")} in '${c.fnName}'; economic-value check does not apply.`
+    };
+  }
+  for (const call of calls) {
+    const obj = call.getArguments().map((a) => unwrap(a)?.asKind(SyntaxKind12.ObjectLiteralExpression)).find((o) => !!o);
+    if (!obj) continue;
+    const member = obj.getProperty(field);
+    if (!member) {
+      return {
+        result: "fail",
+        detail: p.omittedDetail ?? `'${field}' is omitted from the ${callName6(call)} config \u2014 it defaults to zero. This is a permanent, silent zero-revenue misconfiguration: the call succeeds and no value is ever collected. Set '${field}' explicitly.`
+      };
+    }
+    const pa = member.asKind(SyntaxKind12.PropertyAssignment);
+    const shorthand = member.asKind(SyntaxKind12.ShorthandPropertyAssignment);
+    const init = pa?.getInitializer() ?? shorthand?.getNameNode();
+    if (isLiteralZero(init)) {
+      return {
+        result: "fail",
+        detail: p.zeroDetail ?? `'${field}' is set to a literal 0 in the ${callName6(call)} config \u2014 zero revenue will ever be collected. If intentional, this is a footgun; otherwise set a non-zero value.`
+      };
+    }
+    return {
+      result: "pass",
+      detail: p.passDetail ?? `'${field}' is set to a non-zero value in the ${callName6(call)} config.`
+    };
+  }
+  return {
+    result: "cant_tell",
+    detail: p.absentDetail ?? `Call to ${names.join("/")} found but its config argument isn't an object literal; can't validate '${field}'.`
+  };
+};
+
 // src/checkers/index.ts
 var registry = {
   "positional-arg-identity": positionalArgIdentity,
@@ -1068,7 +1137,8 @@ var registry = {
   "anchor-account-missing-constraint": anchorAccountMissingConstraint,
   "anchor-forbidden-account-type": anchorForbiddenAccountType,
   "anchor-body-call-pattern": anchorBodyCallPattern,
-  "anchor-cpi-unverified-program": anchorCpiUnverifiedProgram
+  "anchor-cpi-unverified-program": anchorCpiUnverifiedProgram,
+  "economic-value-zero-or-missing": economicValueZeroOrMissing
 };
 function runChecker(kind, c, params) {
   const fn = registry[kind];
@@ -1284,7 +1354,7 @@ function findRustCandidates(targetDir, rule) {
 }
 
 // src/fixers/positionalArgIdentity.ts
-import { SyntaxKind as SyntaxKind12 } from "ts-morph";
+import { SyntaxKind as SyntaxKind13 } from "ts-morph";
 
 // src/fixers/diffUtil.ts
 function buildDiff(node, replacement) {
@@ -1309,9 +1379,9 @@ function buildDiff(node, replacement) {
 // src/fixers/positionalArgIdentity.ts
 var fixPositionalArgIdentity = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind12.CallExpression).filter((call) => {
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression).filter((call) => {
     const exp = call.getExpression();
-    return exp.getKind() === SyntaxKind12.PropertyAccessExpression && exp.asKind(SyntaxKind12.PropertyAccessExpression).getName() === p.call;
+    return exp.getKind() === SyntaxKind13.PropertyAccessExpression && exp.asKind(SyntaxKind13.PropertyAccessExpression).getName() === p.call;
   });
   if (calls.length === 0) {
     const wantParam2 = c.params[p.paramIndex] ?? "<rawBodyParam>";
@@ -1326,7 +1396,7 @@ Do not call JSON.parse() on the body before this verification step.`
   }
   const arg = calls[0].getArguments()[p.argIndex];
   const wantParam = c.params[p.paramIndex];
-  if (arg && wantParam && arg.getKind() === SyntaxKind12.CallExpression) {
+  if (arg && wantParam && arg.getKind() === SyntaxKind13.CallExpression) {
     return {
       summary: `Pass the raw body parameter '${wantParam}' to ${p.call} instead of a parsed value`,
       diff: buildDiff(arg, wantParam)
@@ -1336,12 +1406,12 @@ Do not call JSON.parse() on the body before this verification step.`
 };
 
 // src/fixers/requiredCallWithOptions.ts
-import { SyntaxKind as SyntaxKind13 } from "ts-morph";
-function callName6(call) {
+import { SyntaxKind as SyntaxKind14 } from "ts-morph";
+function callName7(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind13.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind13.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind13.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind14.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind14.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind14.PropertyAccessExpression).getName();
   }
   return "";
 }
@@ -1359,15 +1429,15 @@ function placeholderFor(propName) {
 }
 var fixRequiredCallWithOptions = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind13.CallExpression);
-  const verify = calls.filter((x) => p.verifyCalls.includes(callName6(x)));
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind14.CallExpression);
+  const verify = calls.filter((x) => p.verifyCalls.includes(callName7(x)));
   if (verify.length > 0) {
     const call = verify[0];
     const args = call.getArguments();
     const lastArg = args[args.length - 1];
-    const obj = lastArg?.asKind(SyntaxKind13.ObjectLiteralExpression);
+    const obj = lastArg?.asKind(SyntaxKind14.ObjectLiteralExpression);
     const presentNames = obj ? obj.getProperties().map((pr) => {
-      const pa = pr.asKind(SyntaxKind13.PropertyAssignment) ?? pr.asKind(SyntaxKind13.ShorthandPropertyAssignment);
+      const pa = pr.asKind(SyntaxKind14.PropertyAssignment) ?? pr.asKind(SyntaxKind14.ShorthandPropertyAssignment);
       return pa?.getName() ?? "";
     }) : [];
     const missingGroups = p.requiredProps.filter(
@@ -1375,7 +1445,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     );
     if (missingGroups.length === 0) return void 0;
     const newProps = missingGroups.map((g) => placeholderFor(g[0])).join(", ");
-    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName6(call)} call`;
+    const summary = `Add ${missingGroups.map((g) => g[0]).join(" and ")} to the ${callName7(call)} call`;
     if (obj) {
       const inner = obj.getText().slice(1, -1).trim();
       const newText = inner.length > 0 ? `{ ${inner}, ${newProps} }` : `{ ${newProps} }`;
@@ -1387,7 +1457,7 @@ var fixRequiredCallWithOptions = (c, p, outcome) => {
     }
     return {
       summary,
-      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName6(call)}.`
+      suggestion: `Add an options object ({ ${newProps} }) as an argument to ${callName7(call)}.`
     };
   }
   return {
@@ -1401,22 +1471,22 @@ JWKS must come from Privy's published JWKS endpoint for your app.`
 };
 
 // src/fixers/literalMultiplierWrongConstant.ts
-import { SyntaxKind as SyntaxKind14 } from "ts-morph";
-function callName7(call) {
+import { SyntaxKind as SyntaxKind15 } from "ts-morph";
+function callName8(call) {
   const exp = call.getExpression();
-  if (exp.getKind() === SyntaxKind14.Identifier) return exp.getText();
-  if (exp.getKind() === SyntaxKind14.PropertyAccessExpression) {
-    return exp.asKind(SyntaxKind14.PropertyAccessExpression).getName();
+  if (exp.getKind() === SyntaxKind15.Identifier) return exp.getText();
+  if (exp.getKind() === SyntaxKind15.PropertyAccessExpression) {
+    return exp.asKind(SyntaxKind15.PropertyAccessExpression).getName();
   }
   return "";
 }
 function findIdentifier(node, name) {
-  if (node.getKind() === SyntaxKind14.Identifier && node.getText() === name) return node;
-  return node.getDescendantsOfKind(SyntaxKind14.Identifier).find((id) => id.getText() === name);
+  if (node.getKind() === SyntaxKind15.Identifier && node.getText() === name) return node;
+  return node.getDescendantsOfKind(SyntaxKind15.Identifier).find((id) => id.getText() === name);
 }
 var fixLiteralMultiplierWrongConstant = (c, p, outcome) => {
   if (outcome.result !== "fail") return void 0;
-  const calls = c.fn.getDescendantsOfKind(SyntaxKind14.CallExpression).filter((call) => callName7(call) === p.call);
+  const calls = c.fn.getDescendantsOfKind(SyntaxKind15.CallExpression).filter((call) => callName8(call) === p.call);
   if (calls.length === 0) return void 0;
   const arg = calls[0].getArguments()[p.argIndex];
   if (!arg) return void 0;

package/dist/cli.js

@@ -18,7 +18,7 @@ import {
   submitTelemetry,
   telemetryFilePath,
   validatePack
-} from "./chunk-5VYTURTO.js";
+} from "./chunk-HFYBK2VA.js";
 import {
   renderTrustGraphMd
 } from "./chunk-QMJEZ6NO.js";
@@ -32,7 +32,7 @@ import {
   audit,
   getChangedRanges,
   resolveRules
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 import "./chunk-2XJORJPQ.js";
 import "./chunk-O5Z4ZJHC.js";
 import "./chunk-XSVQSK53.js";
@@ -480,7 +480,7 @@ if (args[0] === "drift") {
   process.exit(0);
 }
 if (args[0] === "mcp") {
-  const { startMcpServer } = await import("./mcp-EOTWSQK7.js");
+  const { startMcpServer } = await import("./mcp-LITBQHBF.js");
   await startMcpServer();
   process.exit(0);
 }
@@ -567,6 +567,10 @@ if (args[0] === "oracle") {
   await runOracle(args.slice(1));
   process.exit(0);
 }
+if (args[0] === "economics") {
+  await runEconomics(args.slice(1));
+  process.exit(0);
+}
 if (args[0] === "fix") {
   await runFix(args.slice(1));
   process.exit(0);
@@ -704,6 +708,45 @@ function runDeployPlan(argv) {
   writeFileSync2(mdPath, renderDeployPlanMd(plan));
   console.log(`  deploy plan: ${mdPath}`);
 }
+async function runEconomics(argv) {
+  const {
+    ECONOMIC_PATTERNS,
+    getEconomicPattern,
+    renderEconomicsText,
+    renderEconomicsMd,
+    renderEconomicDetailText
+  } = await import("./tokenEconomics-HBF3DYNH.js");
+  if (argv.includes("--help") || argv.includes("-h")) {
+    console.log("usage: brainblast economics [id] [--json]");
+    console.log("  Token Economics Validator: the silent zero-revenue class (fees, royalties,");
+    console.log("  rewards) \u2014 fields that default to zero and quietly collect nothing. Pass an");
+    console.log("  id to see one in detail. Known ids:");
+    console.log(`    ${ECONOMIC_PATTERNS.map((e) => e.id).join(", ")}`);
+    process.exit(0);
+  }
+  const json = argv.includes("--json");
+  const id = argv.find((a) => !a.startsWith("--"));
+  if (id) {
+    const e = getEconomicPattern(id);
+    if (!e) {
+      console.error(`error: no economic pattern '${id}'. Known: ${ECONOMIC_PATTERNS.map((x) => x.id).join(", ")}`);
+      process.exit(2);
+    }
+    if (json) console.log(JSON.stringify(e, null, 2));
+    else console.log(renderEconomicDetailText(e));
+    return;
+  }
+  if (json) {
+    console.log(JSON.stringify(ECONOMIC_PATTERNS, null, 2));
+    return;
+  }
+  console.log(renderEconomicsText());
+  const outDir2 = join3(process.cwd(), ".agent-research");
+  mkdirSync2(outDir2, { recursive: true });
+  writeFileSync2(join3(outDir2, "token-economics.md"), renderEconomicsMd());
+  console.log(`
+  catalog: ${join3(outDir2, "token-economics.md")}`);
+}
 async function runOracle(argv) {
   if (argv.includes("--help") || argv.includes("-h") || argv.filter((a) => !a.startsWith("--")).length === 0) {
     console.log("usage: brainblast oracle <account> [--rpc URL] [--max-staleness-slots N | --max-staleness-seconds N] [--json]");

package/dist/index.d.ts

@@ -918,6 +918,36 @@ declare function checkOracleFreshness(account: string, opts?: OracleOpts): Promi
 declare function renderOracleText(f: OracleFreshness): string;
 declare function renderOracleMd(f: OracleFreshness): string;
 
+type EconomicCategory = "royalty" | "fee" | "reward";
+type EconomicStatus = "enforced" | "advisory";
+interface EconomicPattern {
+    /** Stable slug. */
+    id: string;
+    category: EconomicCategory;
+    /** SDK / protocol the field belongs to. */
+    sdk: string;
+    /** The setup/config call that takes the field. */
+    call: string;
+    /** The revenue-bearing field that silently defaults to zero. */
+    field: string;
+    /** What a zero/omitted value costs you, in one sentence. */
+    whatZeroMeans: string;
+    /** The safe pattern. */
+    fix: string;
+    /** Bundled rule that detects this, or null for an advisory entry. */
+    ruleId: string | null;
+    status: EconomicStatus;
+    /** Optional reference / docs URL. */
+    docsUrl?: string;
+}
+declare const ECONOMIC_PATTERNS: EconomicPattern[];
+declare function getEconomicPattern(id: string): EconomicPattern | undefined;
+declare function economicPatternsByCategory(cat: EconomicCategory): EconomicPattern[];
+declare function enforcedCount(patterns?: EconomicPattern[]): number;
+declare function renderEconomicsMd(patterns?: EconomicPattern[]): string;
+declare function renderEconomicsText(patterns?: EconomicPattern[]): string;
+declare function renderEconomicDetailText(e: EconomicPattern): string;
+
 interface ExploitPattern {
     /** Stable slug, e.g. "wormhole". */
     id: string;
@@ -947,4 +977,4 @@ declare function renderExploitsMd(patterns?: ExploitPattern[]): string;
 declare function renderExploitsText(patterns?: ExploitPattern[]): string;
 declare function renderExploitDetailText(e: ExploitPattern): string;
 
-export { type AccountFlow, type AnchorIdl, type AuditRef, type AuthorityClassification, type BatchResult, type BatchRow, type BatchScanOpts, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChainEvent, type ChainWatchOpts, type ChainWatchState, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_STALENESS_SLOTS, DEFAULT_TTL_HOURS, type DecodedInstruction, type DecodedTx, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, EXPLOIT_PATTERNS, type ExploitPattern, type FirewallFinding, type FirewallOpts, type FirewallProgram, type FirewallReport, type FirewallSeverity, type FirewallVerdict, type Grade, type GraduationEvent, type IdentityStatus, type IdlAccount, type IdlConstraintParams, type IdlInstruction, KNOWN_AUTHORITY_OWNERS, KNOWN_PROGRAMS, type MintInfo, type OnChainProgram, type OracleFreshness, type OracleOpts, type OracleVerdict, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PreflightCheck, type PreflightOpts, type PreflightReport, type PreflightStatus, type PreflightVerdict, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, SYSTEM_PROGRAM, type ScoreFactor, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type TrustScore, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeInstructions, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, batchScan, buildConstraintParams, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkOracleFreshness, checkerKinds, classifyUpgradeAuthority, decodeTransaction, defaultCachePath, deployerFlagsFrom, diffVersions, enrichAuthorityClassification, fileChanged, findCandidates, findConfigCandidates, formatUsd, generateRulesFromIdl, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getExploitPattern, getRepoHash, getUserHash, getWorkingTreeChanges, gradeAtLeast, gradeForScore, idlProgramName, initPack, initialChainWatchState, inspectTransaction, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseCpiPrograms, parseDiff, parseIdl, parseMintAccount, parseMintList, pollChainOnce, pumpPreflight, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderBatchText, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderExploitDetailText, renderExploitsMd, renderExploitsText, renderFirewallText, renderOracleMd, renderOracleText, renderPreflightText, renderRicoText, renderRulesYaml, renderScoreText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, scoreFromProgram, scoreProgram, seedPackages, startChainWatch, startWatch, submitTelemetry, telemetryFilePath, testKinds, toSnakeCase, totalLossUsd, validatePack, validatePackManifest, verifyTokenIdentity };
+export { type AccountFlow, type AnchorIdl, type AuditRef, type AuthorityClassification, type BatchResult, type BatchRow, type BatchScanOpts, type BuildOpts, CANONICAL_BY_MINT, CANONICAL_MINTS, type Candidate, type CanonicalMint, type ChainEvent, type ChainWatchOpts, type ChainWatchState, type ChangedRanges, type CheckOutcome, type CheckResult, type CheckResultKind, type Checker, type ConfigCandidate, type ConfigChecker, type CostReport, DEFAULT_REGISTRY_URL, DEFAULT_STALENESS_SLOTS, DEFAULT_TTL_HOURS, type DecodedInstruction, type DecodedTx, type DiffResult, type DriftAdvisory, type DriftBaseline, type DriftPackage, type DriftResult, ECONOMIC_PATTERNS, EXPLOIT_PATTERNS, type EconomicCategory, type EconomicPattern, type EconomicStatus, type ExploitPattern, type FirewallFinding, type FirewallOpts, type FirewallProgram, type FirewallReport, type FirewallSeverity, type FirewallVerdict, type Grade, type GraduationEvent, type IdentityStatus, type IdlAccount, type IdlConstraintParams, type IdlInstruction, KNOWN_AUTHORITY_OWNERS, KNOWN_PROGRAMS, type MintInfo, type OnChainProgram, type OracleFreshness, type OracleOpts, type OracleVerdict, type OsvAdvisory, PACK_MANIFEST_FILE, type PackInitOptions, type PackManifest, type PackRuleValidation, type PackValidateResult, type ParityNote, type ParsedDiff, type PreflightCheck, type PreflightOpts, type PreflightReport, type PreflightStatus, type PreflightVerdict, type PriorityFeePosture, type ProgramCache, type ProgramCacheEntry, type Recoverability, type RicoOutcome, type RicoResult, type RicoTokenSecurity, type Rule, type RustAccountField, type RustCandidate, type RustChecker, SYSTEM_PROGRAM, type ScoreFactor, type Severity, type TelemetrySubmitResult, type TokenIdentity, type TrustGraph, type TrustScore, type UpgradeAuthority, type UpgradeAuthorityKind, type UpgradeAuthoritySource, type VerifiedBuildState, type VerifyOpts, type WatchEvent, type WatchOptions, analyzeCosts, analyzeInstructions, analyzeToken, applyDiffToFile, audit, auditWithRule, base58Decode, base58Encode, batchScan, buildConstraintParams, buildTrustGraph, rules as bundledRules, cacheSize, canonicalMintForSymbol, checkDrift, checkOracleFreshness, checkerKinds, classifyUpgradeAuthority, decodeTransaction, defaultCachePath, deployerFlagsFrom, diffVersions, economicPatternsByCategory, enforcedCount, enrichAuthorityClassification, fileChanged, findCandidates, findConfigCandidates, formatUsd, generateRulesFromIdl, generateTestForResult, getCacheEntry, getCacheEntryMeta, getChangedRanges, getEconomicPattern, getExploitPattern, getRepoHash, getUserHash, getWorkingTreeChanges, gradeAtLeast, gradeForScore, idlProgramName, initPack, initialChainWatchState, inspectTransaction, isCanonicalMint, isEntryExpired, isTelemetryEnabled, isValidSolanaAddress, lamportsToSol, loadDirectory, loadPack, loadPacksFromDir, loadProgramCache, loadRules, parseCpiPrograms, parseDiff, parseIdl, parseMintAccount, parseMintList, pollChainOnce, pumpPreflight, putCacheEntry, queryOsv, rangeChanged, recordGraduationEvents, renderBatchText, renderCostReportMd, renderDiffMd, renderDiffText, renderDriftText, renderEconomicDetailText, renderEconomicsMd, renderEconomicsText, renderExploitDetailText, renderExploitsMd, renderExploitsText, renderFirewallText, renderOracleMd, renderOracleText, renderPreflightText, renderRicoText, renderRulesYaml, renderScoreText, renderTest, renderTrustGraphMd, rentExemptMinimum, resolveRules, riskScore, runChecker, runIncrementalScan, saveProgramCache, scoreFromProgram, scoreProgram, seedPackages, startChainWatch, startWatch, submitTelemetry, telemetryFilePath, testKinds, toSnakeCase, totalLossUsd, validatePack, validatePackManifest, verifyTokenIdentity };

package/dist/index.js

@@ -1,3 +1,17 @@
+import {
+  batchScan,
+  parseMintList,
+  renderBatchText
+} from "./chunk-QC27GNQ7.js";
+import {
+  ECONOMIC_PATTERNS,
+  economicPatternsByCategory,
+  enforcedCount,
+  getEconomicPattern,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText
+} from "./chunk-S7X53LWF.js";
 import {
   DEFAULT_STALENESS_SLOTS,
   checkOracleFreshness,
@@ -29,11 +43,6 @@ import {
   pumpPreflight,
   renderPreflightText
 } from "./chunk-WX3IR7LK.js";
-import {
-  batchScan,
-  parseMintList,
-  renderBatchText
-} from "./chunk-QC27GNQ7.js";
 import {
   analyzeToken,
   deployerFlagsFrom,
@@ -67,7 +76,7 @@ import {
   telemetryFilePath,
   totalLossUsd,
   validatePack
-} from "./chunk-5VYTURTO.js";
+} from "./chunk-HFYBK2VA.js";
 import {
   renderTrustGraphMd
 } from "./chunk-QMJEZ6NO.js";
@@ -108,7 +117,7 @@ import {
   runChecker,
   testKinds,
   validatePackManifest
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 import {
   CANONICAL_BY_MINT,
   CANONICAL_MINTS,
@@ -162,6 +171,7 @@ export {
   DEFAULT_REGISTRY_URL,
   DEFAULT_STALENESS_SLOTS,
   DEFAULT_TTL_HOURS,
+  ECONOMIC_PATTERNS,
   EXPLOIT_PATTERNS,
   KNOWN_AUTHORITY_OWNERS,
   KNOWN_PROGRAMS,
@@ -189,6 +199,8 @@ export {
   defaultCachePath,
   deployerFlagsFrom,
   diffVersions,
+  economicPatternsByCategory,
+  enforcedCount,
   enrichAuthorityClassification,
   fileChanged,
   findCandidates,
@@ -199,6 +211,7 @@ export {
   getCacheEntry,
   getCacheEntryMeta,
   getChangedRanges,
+  getEconomicPattern,
   getExploitPattern,
   getRepoHash,
   getUserHash,
@@ -235,6 +248,9 @@ export {
   renderDiffMd,
   renderDiffText,
   renderDriftText,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText,
   renderExploitDetailText,
   renderExploitsMd,
   renderExploitsText,

package/dist/{mcp-EOTWSQK7.js → mcp-LITBQHBF.js}

@@ -1,7 +1,7 @@
 import {
   audit,
   resolveRules
-} from "./chunk-5H5JQXXU.js";
+} from "./chunk-V4XS5DKD.js";
 import "./chunk-2XJORJPQ.js";
 import "./chunk-O5Z4ZJHC.js";
 import {

package/dist/rules/metaplex-seller-fee-zero.yaml

@@ -0,0 +1,41 @@
+# Token Economics Validator (v0.7.5) — the generalized Bags exploit.
+# A revenue-bearing field omitted from a config object silently defaults to
+# zero: the call succeeds, nothing is collected, forever. Here: Metaplex
+# `sellerFeeBasisPoints` — the on-chain royalty creators earn on secondary
+# sales. Omit it (or set 0) and the creators earn nothing, permanently.
+id: metaplex-seller-fee-zero
+severity: high
+title: Metaplex token created with sellerFeeBasisPoints omitted or zero — creators earn no royalties
+component:
+  name: Metaplex Token Metadata
+  type: Blockchain
+  version: unversioned
+  sourceUrl: https://developers.metaplex.com/token-metadata/mint
+detect:
+  modules:
+    - "@metaplex-foundation/mpl-token-metadata"
+    - "@metaplex-foundation/js"
+  nameRegex: "metaplex|mpl|createNft|mint"
+  triggerCalls: [create, createV1, createNft, createFungible, createAndMint]
+check:
+  kind: economic-value-zero-or-missing
+  params:
+    calls: [create, createV1, createNft, createFungible, createAndMint]
+    field: sellerFeeBasisPoints
+    omittedDetail: >-
+      The Metaplex create call omits sellerFeeBasisPoints, which defaults to 0.
+      The token mints fine, but creators earn ZERO royalties on every secondary
+      sale — permanently and silently. There is no after-the-fact fix once
+      minted. Set sellerFeeBasisPoints explicitly (e.g. 500 = 5%).
+    zeroDetail: >-
+      sellerFeeBasisPoints is set to a literal 0 — creators will earn no royalty
+      on secondary sales. If this token is meant to be royalty-free that's fine;
+      otherwise set a non-zero basis-points value.
+    passDetail: >-
+      sellerFeeBasisPoints is set to a non-zero value — secondary-sale royalties
+      are configured.
+    absentDetail: >-
+      Handler is in Metaplex scope but does not call a token-create function;
+      the royalty-allocation rule does not apply here.
+test:
+  kind: none

package/dist/tokenEconomics-HBF3DYNH.js

@@ -0,0 +1,19 @@
+import {
+  ECONOMIC_PATTERNS,
+  economicPatternsByCategory,
+  enforcedCount,
+  getEconomicPattern,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText
+} from "./chunk-S7X53LWF.js";
+import "./chunk-3RG5ZIWI.js";
+export {
+  ECONOMIC_PATTERNS,
+  economicPatternsByCategory,
+  enforcedCount,
+  getEconomicPattern,
+  renderEconomicDetailText,
+  renderEconomicsMd,
+  renderEconomicsText
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "brainblast",
-  "version": "0.7.4",
+  "version": "0.7.5",
   "type": "module",
   "description": "Deterministic auditor for catastrophic AI-integration bugs: scan a repo, find the silent money/auth traps, and generate the behavioral test that proves they're fixed.",
   "keywords": [