npm - solana-privacy-scanner-core - Versions diffs - 0.1.4 → 0.2.0 - Mend

solana-privacy-scanner-core 0.1.4 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/index.cjs CHANGED Viewed

@@ -40,8 +40,12 @@ __export(index_exports, {
   detectAmountReuse: () => detectAmountReuse,
   detectBalanceTraceability: () => detectBalanceTraceability,
   detectCounterpartyReuse: () => detectCounterpartyReuse,
+  detectFeePayerReuse: () => detectFeePayerReuse,
+  detectInstructionFingerprinting: () => detectInstructionFingerprinting,
   detectKnownEntityInteraction: () => detectKnownEntityInteraction,
+  detectSignerOverlap: () => detectSignerOverlap,
   detectTimingPatterns: () => detectTimingPatterns,
+  detectTokenAccountLifecycle: () => detectTokenAccountLifecycle,
   evaluateHeuristics: () => evaluateHeuristics,
   generateReport: () => generateReport,
   normalizeProgramData: () => normalizeProgramData,
@@ -397,6 +401,162 @@ var PROGRAM_IDS = {
   MEMO: "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
   MEMO_V1: "Memo1UhkJRfHyvLMcVucJwxXeuD728EqVDDwQDxFMNo"
 };
+function extractTransactionMetadata(tx, signature) {
+  if (!tx || !tx.transaction || !tx.transaction.message || !tx.transaction.message.accountKeys) {
+    return {
+      signature,
+      blockTime: tx?.blockTime || null,
+      feePayer: "unknown",
+      signers: []
+    };
+  }
+  const feePayer = tx.transaction.message.accountKeys[0];
+  const feePayerAddress = typeof feePayer === "string" ? feePayer : feePayer.pubkey.toString();
+  const signers = [];
+  const accountKeys = tx.transaction.message.accountKeys;
+  signers.push(feePayerAddress);
+  if (accountKeys && Array.isArray(accountKeys)) {
+    for (let i = 1; i < accountKeys.length; i++) {
+      const key = accountKeys[i];
+      const address = typeof key === "string" ? key : key.pubkey?.toString();
+      if (typeof key !== "string" && key.signer) {
+        if (address && !signers.includes(address)) {
+          signers.push(address);
+        }
+      }
+    }
+  }
+  let memo;
+  const instructions = tx.transaction.message.instructions;
+  if (instructions && Array.isArray(instructions)) {
+    for (const instruction of instructions) {
+      if (!instruction || !instruction.programId) continue;
+      const programId = instruction.programId.toString();
+      if (programId === PROGRAM_IDS.MEMO || programId === PROGRAM_IDS.MEMO_V1) {
+        if ("parsed" in instruction && instruction.parsed) {
+          const parsed = instruction.parsed;
+          if (parsed.type === "memo" && typeof parsed.info === "string") {
+            memo = parsed.info;
+          }
+        } else if ("data" in instruction && typeof instruction.data === "string") {
+          try {
+            memo = Buffer.from(instruction.data, "base64").toString("utf8");
+          } catch {
+            memo = instruction.data;
+          }
+        }
+        break;
+      }
+    }
+  }
+  let computeUnitsUsed;
+  let priorityFee;
+  if (tx.meta) {
+    computeUnitsUsed = tx.meta.computeUnitsConsumed;
+    if (tx.meta.fee !== void 0 && tx.meta.fee > 5e3) {
+      priorityFee = tx.meta.fee - 5e3;
+    }
+  }
+  return {
+    signature,
+    blockTime: tx.blockTime,
+    feePayer: feePayerAddress,
+    signers,
+    computeUnitsUsed,
+    priorityFee,
+    memo
+  };
+}
+function extractTokenAccountEvents(tx, signature) {
+  const events = [];
+  if (!tx.transaction?.message?.instructions) {
+    return events;
+  }
+  for (const instruction of tx.transaction.message.instructions) {
+    if (!instruction || !instruction.programId) continue;
+    const programId = instruction.programId.toString();
+    if (programId === PROGRAM_IDS.TOKEN || programId === PROGRAM_IDS.ASSOCIATED_TOKEN) {
+      if ("parsed" in instruction && instruction.parsed) {
+        const parsed = instruction.parsed;
+        if (parsed.type === "initializeAccount" || parsed.type === "create") {
+          const info = parsed.info;
+          events.push({
+            type: "create",
+            tokenAccount: info.account || info.newAccount,
+            owner: info.owner,
+            mint: info.mint,
+            signature,
+            blockTime: tx.blockTime
+          });
+        }
+        if (parsed.type === "closeAccount") {
+          const info = parsed.info;
+          let rentRefund;
+          if (tx.meta?.postBalances && tx.meta?.preBalances) {
+            const accountKeys = tx.transaction.message.accountKeys;
+            for (let i = 0; i < accountKeys.length; i++) {
+              const key = accountKeys[i];
+              const address = typeof key === "string" ? key : key.pubkey.toString();
+              if (address === info.destination) {
+                const diff = tx.meta.postBalances[i] - tx.meta.preBalances[i];
+                if (diff > 0) {
+                  rentRefund = diff / 1e9;
+                }
+                break;
+              }
+            }
+          }
+          events.push({
+            type: "close",
+            tokenAccount: info.account,
+            owner: info.owner || info.destination,
+            signature,
+            blockTime: tx.blockTime,
+            rentRefund
+          });
+        }
+      }
+    }
+  }
+  return events;
+}
+function extractPDAInteractions(tx, signature) {
+  const interactions = [];
+  if (!tx.transaction?.message?.accountKeys) {
+    return interactions;
+  }
+  const accountProgramMap = /* @__PURE__ */ new Map();
+  for (const instruction of tx.transaction.message.instructions) {
+    if (!instruction || !instruction.programId) continue;
+    const programId = instruction.programId.toString();
+    const accounts = [];
+    if ("accounts" in instruction && Array.isArray(instruction.accounts)) {
+      for (const acc of instruction.accounts) {
+        const address = typeof acc === "string" ? acc : acc.toString();
+        accounts.push(address);
+      }
+    }
+    for (const account of accounts) {
+      if (!accountProgramMap.has(account)) {
+        accountProgramMap.set(account, /* @__PURE__ */ new Set());
+      }
+      accountProgramMap.get(account).add(programId);
+    }
+  }
+  for (const [address, programs] of accountProgramMap) {
+    for (const programId of programs) {
+      if (programId === PROGRAM_IDS.SYSTEM || programId === PROGRAM_IDS.MEMO || programId === PROGRAM_IDS.MEMO_V1) {
+        continue;
+      }
+      interactions.push({
+        pda: address,
+        programId,
+        signature
+      });
+    }
+  }
+  return interactions;
+}
 function extractSOLTransfers(tx, signature) {
   const transfers = [];
   if (!tx.meta || !tx.transaction) {
@@ -560,12 +720,20 @@ function extractInstructions(tx, signature) {
     if ("parsed" in instruction) {
       data = instruction.parsed;
     }
+    const accounts = [];
+    if ("accounts" in instruction && Array.isArray(instruction.accounts)) {
+      for (const acc of instruction.accounts) {
+        const address = typeof acc === "string" ? acc : acc.toString();
+        accounts.push(address);
+      }
+    }
     instructions.push({
       programId,
       category,
       signature,
       blockTime: tx.blockTime,
-      data
+      data,
+      accounts: accounts.length > 0 ? accounts : void 0
     });
   }
   return instructions;
@@ -599,6 +767,9 @@ function calculateTimeRange(transactions) {
 function normalizeWalletData(rawData, labelProvider) {
   const allTransfers = [];
   const allInstructions = [];
+  const allTransactionMetadata = [];
+  const allTokenAccountEvents = [];
+  const allPDAInteractions = [];
   const transactions = rawData.transactions || [];
   for (const rawTx of transactions) {
     if (!rawTx.transaction) continue;
@@ -608,6 +779,12 @@ function normalizeWalletData(rawData, labelProvider) {
       allTransfers.push(...solTransfers, ...splTransfers);
       const instructions = extractInstructions(rawTx.transaction, rawTx.signature);
       allInstructions.push(...instructions);
+      const metadata = extractTransactionMetadata(rawTx.transaction, rawTx.signature);
+      allTransactionMetadata.push(metadata);
+      const tokenEvents = extractTokenAccountEvents(rawTx.transaction, rawTx.signature);
+      allTokenAccountEvents.push(...tokenEvents);
+      const pdaInteractions = extractPDAInteractions(rawTx.transaction, rawTx.signature);
+      allPDAInteractions.push(...pdaInteractions);
     } catch (error) {
       console.warn(`Failed to normalize transaction ${rawTx.signature}:`, error);
       continue;
@@ -627,22 +804,47 @@ function normalizeWalletData(rawData, labelProvider) {
       return null;
     }
   }).filter((ta) => ta !== null);
+  const feePayers = /* @__PURE__ */ new Set();
+  const signers = /* @__PURE__ */ new Set();
+  const programs = /* @__PURE__ */ new Set();
+  for (const metadata of allTransactionMetadata) {
+    feePayers.add(metadata.feePayer);
+    for (const signer of metadata.signers) {
+      signers.add(signer);
+    }
+  }
+  for (const instruction of allInstructions) {
+    programs.add(instruction.programId);
+  }
   return {
     target: rawData.address,
     targetType: "wallet",
     transfers: allTransfers,
     instructions: allInstructions,
     counterparties,
-    labels: /* @__PURE__ */ new Map(),
+    labels,
     tokenAccounts,
     timeRange,
-    transactionCount: transactions.length
+    transactionCount: transactions.length,
+    // Solana-specific fields
+    transactions: allTransactionMetadata,
+    tokenAccountEvents: allTokenAccountEvents,
+    pdaInteractions: allPDAInteractions,
+    feePayers,
+    signers,
+    programs
   };
 }
 function normalizeTransactionData(rawData, labelProvider) {
   const allTransfers = [];
   const allInstructions = [];
   const counterparties = /* @__PURE__ */ new Set();
+  const allTransactionMetadata = [];
+  const allTokenAccountEvents = [];
+  const allPDAInteractions = [];
+  const feePayers = /* @__PURE__ */ new Set();
+  const signers = /* @__PURE__ */ new Set();
+  const programs = /* @__PURE__ */ new Set();
   if (rawData.transaction) {
     try {
       const solTransfers = extractSOLTransfers(rawData.transaction, rawData.signature);
@@ -650,6 +852,16 @@ function normalizeTransactionData(rawData, labelProvider) {
       allTransfers.push(...solTransfers, ...splTransfers);
       const instructions = extractInstructions(rawData.transaction, rawData.signature);
       allInstructions.push(...instructions);
+      const metadata = extractTransactionMetadata(rawData.transaction, rawData.signature);
+      allTransactionMetadata.push(metadata);
+      feePayers.add(metadata.feePayer);
+      for (const signer of metadata.signers) {
+        signers.add(signer);
+      }
+      const tokenEvents = extractTokenAccountEvents(rawData.transaction, rawData.signature);
+      allTokenAccountEvents.push(...tokenEvents);
+      const pdaInteractions = extractPDAInteractions(rawData.transaction, rawData.signature);
+      allPDAInteractions.push(...pdaInteractions);
       const accountKeys = rawData.transaction.transaction.message.accountKeys;
       if (accountKeys && Array.isArray(accountKeys)) {
         for (const key of accountKeys) {
@@ -657,29 +869,46 @@ function normalizeTransactionData(rawData, labelProvider) {
           counterparties.add(address);
         }
       }
+      for (const instruction of instructions) {
+        programs.add(instruction.programId);
+      }
     } catch (error) {
       console.warn(`Failed to normalize transaction ${rawData.signature}:`, error);
     }
   }
+  const labels = labelProvider ? labelProvider.lookupMany(Array.from(counterparties)) : /* @__PURE__ */ new Map();
   return {
     target: rawData.signature,
     targetType: "transaction",
     transfers: allTransfers,
     instructions: allInstructions,
     counterparties,
-    labels: /* @__PURE__ */ new Map(),
+    labels,
     tokenAccounts: [],
     timeRange: {
       earliest: rawData.transaction ? rawData.blockTime : null,
       latest: rawData.transaction ? rawData.blockTime : null
     },
-    transactionCount: rawData.transaction ? 1 : 0
+    transactionCount: rawData.transaction ? 1 : 0,
+    // Solana-specific fields
+    transactions: allTransactionMetadata,
+    tokenAccountEvents: allTokenAccountEvents,
+    pdaInteractions: allPDAInteractions,
+    feePayers,
+    signers,
+    programs
   };
 }
 function normalizeProgramData(rawData, labelProvider) {
   const allTransfers = [];
   const allInstructions = [];
   const counterparties = /* @__PURE__ */ new Set();
+  const allTransactionMetadata = [];
+  const allTokenAccountEvents = [];
+  const allPDAInteractions = [];
+  const feePayers = /* @__PURE__ */ new Set();
+  const signers = /* @__PURE__ */ new Set();
+  const programs = /* @__PURE__ */ new Set();
   const transactions = rawData.relatedTransactions || [];
   for (const rawTx of transactions) {
     if (!rawTx.transaction) continue;
@@ -689,6 +918,16 @@ function normalizeProgramData(rawData, labelProvider) {
       allTransfers.push(...solTransfers, ...splTransfers);
       const instructions = extractInstructions(rawTx.transaction, rawTx.signature);
       allInstructions.push(...instructions);
+      const metadata = extractTransactionMetadata(rawTx.transaction, rawTx.signature);
+      allTransactionMetadata.push(metadata);
+      feePayers.add(metadata.feePayer);
+      for (const signer of metadata.signers) {
+        signers.add(signer);
+      }
+      const tokenEvents = extractTokenAccountEvents(rawTx.transaction, rawTx.signature);
+      allTokenAccountEvents.push(...tokenEvents);
+      const pdaInteractions = extractPDAInteractions(rawTx.transaction, rawTx.signature);
+      allPDAInteractions.push(...pdaInteractions);
       const accountKeys = rawTx.transaction.transaction.message.accountKeys;
       if (accountKeys && Array.isArray(accountKeys)) {
         for (const key of accountKeys) {
@@ -696,6 +935,9 @@ function normalizeProgramData(rawData, labelProvider) {
           counterparties.add(address);
         }
       }
+      for (const instruction of instructions) {
+        programs.add(instruction.programId);
+      }
     } catch (error) {
       console.warn(`Failed to normalize program transaction ${rawTx.signature}:`, error);
       continue;
@@ -709,61 +951,168 @@ function normalizeProgramData(rawData, labelProvider) {
     transfers: allTransfers,
     instructions: allInstructions,
     counterparties,
-    labels: /* @__PURE__ */ new Map(),
+    labels,
     tokenAccounts: [],
     timeRange,
-    transactionCount: transactions.length
+    transactionCount: transactions.length,
+    // Solana-specific fields
+    transactions: allTransactionMetadata,
+    tokenAccountEvents: allTokenAccountEvents,
+    pdaInteractions: allPDAInteractions,
+    feePayers,
+    signers,
+    programs
   };
 }
 // src/heuristics/counterparty-reuse.ts
 function detectCounterpartyReuse(context) {
-  if (context.targetType !== "wallet") {
-    return null;
+  const signals = [];
+  if (context.targetType !== "wallet" || context.transactionCount < 2) {
+    return signals;
   }
-  if (context.counterparties.size === 0 || context.transfers.length === 0) {
-    return null;
+  if (context.transfers.length > 0) {
+    const interactionCounts = /* @__PURE__ */ new Map();
+    for (const transfer of context.transfers) {
+      const counterparty = transfer.from === context.target ? transfer.to : transfer.from;
+      if (counterparty === context.target) continue;
+      interactionCounts.set(counterparty, (interactionCounts.get(counterparty) || 0) + 1);
+    }
+    const reusedCounterparties = Array.from(interactionCounts.entries()).filter(([_, count]) => count >= 3).sort((a, b) => b[1] - a[1]);
+    if (reusedCounterparties.length > 0) {
+      const totalInteractions = context.transfers.length;
+      const topCounterpartyInteractions = reusedCounterparties[0][1];
+      const concentration = topCounterpartyInteractions / totalInteractions;
+      let severity = "LOW";
+      if (concentration > 0.5 || reusedCounterparties.length >= 5) {
+        severity = "HIGH";
+      } else if (concentration > 0.3 || reusedCounterparties.length >= 3) {
+        severity = "MEDIUM";
+      }
+      const evidence = reusedCounterparties.slice(0, 5).map(([addr, count]) => {
+        const label = context.labels.get(addr);
+        return {
+          description: `${count} transfers with ${addr.slice(0, 8)}...${addr.slice(-8)}${label ? ` (${label.name})` : ""}`,
+          severity: count > totalInteractions * 0.3 ? "HIGH" : count > totalInteractions * 0.15 ? "MEDIUM" : "LOW",
+          type: "address",
+          data: { address: addr, interactionCount: count }
+        };
+      });
+      signals.push({
+        id: "counterparty-reuse",
+        name: "Repeated Transfer Counterparties",
+        severity,
+        category: "linkability",
+        reason: `Wallet repeatedly transfers with ${reusedCounterparties.length} address(es). Top counterparty: ${topCounterpartyInteractions}/${totalInteractions} transfers.`,
+        impact: "Repeated interactions with the same addresses can be used to cluster wallets and build transaction graphs.",
+        evidence,
+        mitigation: "Use different wallets for different counterparties, or use privacy-preserving protocols."
+      });
+    }
   }
-  const interactionCounts = /* @__PURE__ */ new Map();
-  for (const transfer of context.transfers) {
-    const counterparty = transfer.from === context.target ? transfer.to : transfer.from;
-    if (counterparty === context.target) continue;
-    interactionCounts.set(counterparty, (interactionCounts.get(counterparty) || 0) + 1);
+  if (context.programs && context.programs.size > 0) {
+    const programUsage = /* @__PURE__ */ new Map();
+    for (const instruction of context.instructions) {
+      programUsage.set(instruction.programId, (programUsage.get(instruction.programId) || 0) + 1);
+    }
+    const SYSTEM_PROGRAMS = [
+      "11111111111111111111111111111111",
+      "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
+      "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL",
+      "ComputeBudget111111111111111111111111111111"
+    ];
+    const significantPrograms = Array.from(programUsage.entries()).filter(([programId]) => !SYSTEM_PROGRAMS.includes(programId)).filter(([_, count]) => count >= Math.min(3, Math.ceil(context.instructions.length * 0.1))).sort((a, b) => b[1] - a[1]);
+    if (significantPrograms.length >= 2) {
+      const evidence = significantPrograms.slice(0, 5).map(([programId, count]) => {
+        const label = context.labels.get(programId);
+        return {
+          description: `${programId.slice(0, 8)}...${label ? ` (${label.name})` : ""} used in ${count} instruction(s)`,
+          severity: "LOW",
+          reference: `https://solscan.io/account/${programId}`
+        };
+      });
+      signals.push({
+        id: "program-reuse",
+        name: "Repeated Program Interactions",
+        severity: "LOW",
+        category: "behavioral",
+        reason: `Wallet interacts with ${significantPrograms.length} non-system program(s) repeatedly.`,
+        impact: "Program usage patterns create a behavioral fingerprint. Addresses with similar patterns are likely related.",
+        mitigation: "This is generally unavoidable when using DeFi. Diversifying protocols can reduce fingerprinting.",
+        evidence
+      });
+    }
   }
-  const reusedCounterparties = Array.from(interactionCounts.entries()).filter(([_, count]) => count >= 3).sort((a, b) => b[1] - a[1]);
-  if (reusedCounterparties.length === 0) {
-    return null;
+  if (context.pdaInteractions && context.pdaInteractions.length > 0) {
+    const pdaUsage = /* @__PURE__ */ new Map();
+    for (const pda of context.pdaInteractions) {
+      if (!pdaUsage.has(pda.pda)) {
+        pdaUsage.set(pda.pda, { count: 0, programId: pda.programId });
+      }
+      pdaUsage.get(pda.pda).count++;
+    }
+    const repeatedPDAs = Array.from(pdaUsage.entries()).filter(([_, { count }]) => count >= 2).sort((a, b) => b[1].count - a[1].count);
+    if (repeatedPDAs.length > 0) {
+      const evidence = repeatedPDAs.slice(0, 5).map(([pda, { count, programId }]) => ({
+        description: `PDA ${pda.slice(0, 8)}... (program: ${programId.slice(0, 8)}...) used ${count} times`,
+        severity: count > 3 ? "MEDIUM" : "LOW",
+        reference: `https://solscan.io/account/${pda}`
+      }));
+      const maxCount = repeatedPDAs[0][1].count;
+      const severity = maxCount > 5 ? "MEDIUM" : "LOW";
+      signals.push({
+        id: "pda-reuse",
+        name: "Repeated PDA Interactions",
+        severity,
+        category: "linkability",
+        reason: `${repeatedPDAs.length} Program-Derived Address(es) are used repeatedly. Max usage: ${maxCount} times.`,
+        impact: "PDAs often represent user-specific accounts (e.g., your position in a protocol). Repeated usage links all interactions.",
+        mitigation: "Some PDA reuse is inherent to Solana protocols. For sensitive operations, use fresh wallets.",
+        evidence
+      });
+    }
   }
-  const totalInteractions = context.transfers.length;
-  const topCounterpartyInteractions = reusedCounterparties[0][1];
-  const concentration = topCounterpartyInteractions / totalInteractions;
-  let severity = "LOW";
-  if (concentration > 0.5 || reusedCounterparties.length >= 5) {
-    severity = "HIGH";
-  } else if (concentration > 0.3 || reusedCounterparties.length >= 3) {
-    severity = "MEDIUM";
+  if (context.transfers.length > 0 && context.instructions.length > 0) {
+    const combos = /* @__PURE__ */ new Map();
+    for (const transfer of context.transfers) {
+      const counterparty = transfer.from === context.target ? transfer.to : transfer.from;
+      if (counterparty === context.target) continue;
+      const txInstructions = context.instructions.filter((inst) => inst.signature === transfer.signature);
+      for (const inst of txInstructions) {
+        const combo = `${counterparty}:${inst.programId}`;
+        combos.set(combo, (combos.get(combo) || 0) + 1);
+      }
+    }
+    const repeatedCombos = Array.from(combos.entries()).filter(([_, count]) => count >= 2).sort((a, b) => b[1] - a[1]);
+    if (repeatedCombos.length > 0) {
+      const evidence = repeatedCombos.slice(0, 3).map(([combo, count]) => {
+        const [counterparty, programId] = combo.split(":");
+        const label = context.labels.get(counterparty);
+        return {
+          description: `${counterparty.slice(0, 8)}...${label ? ` (${label.name})` : ""} + program ${programId.slice(0, 8)}... used ${count} times`,
+          severity: "MEDIUM"
+        };
+      });
+      signals.push({
+        id: "counterparty-program-combo",
+        name: "Repeated Counterparty-Program Combination",
+        severity: "MEDIUM",
+        category: "linkability",
+        reason: `${repeatedCombos.length} specific counterparty-program combination(s) are reused.`,
+        impact: "This creates a very specific fingerprint. The combination of WHO you interact with and WHAT program is highly identifying.",
+        mitigation: "Rotate both counterparties and programs if privacy is critical.",
+        evidence
+      });
+    }
   }
-  const evidence = reusedCounterparties.slice(0, 5).map(([addr, count]) => ({
-    type: "address",
-    description: `${count} interactions with ${addr.slice(0, 8)}...${addr.slice(-8)}`,
-    data: { address: addr, interactionCount: count }
-  }));
-  return {
-    id: "counterparty-reuse",
-    name: "Counterparty Reuse",
-    severity,
-    reason: `Wallet repeatedly interacts with ${reusedCounterparties.length} address(es)`,
-    impact: "Repeated interactions with the same addresses can be used to cluster wallets and build transaction graphs, enabling surveillance of your activity patterns.",
-    evidence,
-    mitigation: "Use different wallets for different counterparties, or use privacy-preserving protocols that obscure transaction graphs.",
-    confidence: 0.9
-  };
+  return signals;
 }
 // src/heuristics/amount-reuse.ts
 function detectAmountReuse(context) {
-  if (context.transfers.length < 3) {
-    return null;
+  const signals = [];
+  if (context.transfers.length < 5) {
+    return signals;
   }
   const amountCounts = /* @__PURE__ */ new Map();
   const roundNumbers = [];
@@ -772,49 +1121,114 @@ function detectAmountReuse(context) {
       roundNumbers.push(transfer.amount);
     }
     const amountKey = `${transfer.amount.toFixed(9)}-${transfer.token || "SOL"}`;
-    amountCounts.set(amountKey, (amountCounts.get(amountKey) || 0) + 1);
+    if (!amountCounts.has(amountKey)) {
+      amountCounts.set(amountKey, { count: 0, counterparties: /* @__PURE__ */ new Set(), signers: /* @__PURE__ */ new Set() });
+    }
+    const data = amountCounts.get(amountKey);
+    data.count++;
+    const counterparty = transfer.from === context.target ? transfer.to : transfer.from;
+    if (counterparty !== context.target) {
+      data.counterparties.add(counterparty);
+    }
+    const tx = context.transactions ? context.transactions.find((t) => t.signature === transfer.signature) : null;
+    if (tx) {
+      tx.signers.forEach((s) => data.signers.add(s));
+    }
   }
-  const reusedAmounts = Array.from(amountCounts.entries()).filter(([_, count]) => count >= 2).sort((a, b) => b[1] - a[1]);
-  const hasRoundNumbers = roundNumbers.length >= 2;
+  const reusedAmounts = Array.from(amountCounts.entries()).filter(([_, data]) => data.count >= 3).sort((a, b) => b[1].count - a[1].count);
+  const hasRoundNumbers = roundNumbers.length >= 3;
   const hasReusedAmounts = reusedAmounts.length >= 2;
-  if (!hasRoundNumbers && !hasReusedAmounts) {
-    return null;
+  if (hasRoundNumbers && roundNumbers.length >= 5) {
+    signals.push({
+      id: "amount-round-numbers",
+      name: "Frequent Round Number Transfers",
+      severity: "LOW",
+      category: "behavioral",
+      reason: `${roundNumbers.length} round-number transfers detected (e.g., 1 SOL, 10 SOL).`,
+      impact: "Round numbers are common on Solana and relatively benign alone. Combined with other patterns, they can contribute to fingerprinting.",
+      mitigation: "Vary amounts slightly if possible, but this is low priority on Solana.",
+      evidence: [{
+        description: `${roundNumbers.length} round-number transfers: ${roundNumbers.slice(0, 5).join(", ")}...`,
+        severity: "LOW",
+        type: "amount",
+        data: { roundNumbers: roundNumbers.slice(0, 5) }
+      }]
+    });
   }
-  let severity = "LOW";
-  if (hasRoundNumbers && roundNumbers.length >= 5 || reusedAmounts.length >= 5) {
-    severity = "HIGH";
-  } else if (hasRoundNumbers && roundNumbers.length >= 3 || reusedAmounts.length >= 3) {
-    severity = "MEDIUM";
+  const suspiciousReuse = reusedAmounts.filter(([_, data]) => {
+    return data.counterparties.size === 1 && data.count >= 3;
+  });
+  if (suspiciousReuse.length > 0) {
+    const evidence = suspiciousReuse.slice(0, 3).map(([amountKey, data]) => {
+      const [amount, token] = amountKey.split("-");
+      const counterparty = Array.from(data.counterparties)[0];
+      return {
+        description: `${amount} ${token} sent to ${counterparty.slice(0, 8)}... ${data.count} times`,
+        severity: "MEDIUM",
+        type: "amount",
+        data: { amount: parseFloat(amount), token, count: data.count, counterparty }
+      };
+    });
+    signals.push({
+      id: "amount-reuse-counterparty",
+      name: "Same Amount to Same Counterparty",
+      severity: "MEDIUM",
+      category: "behavioral",
+      reason: `${suspiciousReuse.length} amount(s) repeatedly sent to the same counterparty.`,
+      impact: "Sending the same amount to the same address multiple times creates a strong pattern. This is likely automated or habitual behavior.",
+      mitigation: "Vary amounts when sending to the same address, or use privacy protocols.",
+      evidence
+    });
   }
-  const evidence = [];
-  if (hasRoundNumbers) {
-    evidence.push({
-      type: "amount",
-      description: `${roundNumbers.length} round-number transfers detected`,
-      data: { roundNumbers: roundNumbers.slice(0, 5) }
+  const signerReuse = reusedAmounts.filter(([_, data]) => {
+    return data.signers.size <= 2 && data.count >= 3;
+  });
+  if (signerReuse.length > 0 && suspiciousReuse.length === 0) {
+    const evidence = signerReuse.slice(0, 3).map(([amountKey, data]) => {
+      const [amount, token] = amountKey.split("-");
+      return {
+        description: `${amount} ${token} used ${data.count} times with ${data.signers.size} signer(s)`,
+        severity: "LOW",
+        type: "amount",
+        data: { amount: parseFloat(amount), token, count: data.count }
+      };
+    });
+    signals.push({
+      id: "amount-reuse-pattern",
+      name: "Repeated Amount Pattern",
+      severity: "LOW",
+      category: "behavioral",
+      reason: `${signerReuse.length} amount(s) are reused multiple times with consistent signers.`,
+      impact: "Amount reuse alone is relatively weak on Solana, but combined with other signals it contributes to behavioral fingerprinting.",
+      mitigation: "Vary transaction amounts to reduce pattern visibility.",
+      evidence
     });
   }
-  if (hasReusedAmounts) {
-    const topReused = reusedAmounts.slice(0, 3);
-    for (const [amountKey, count] of topReused) {
+  const veryReused = reusedAmounts.filter(([_, data]) => data.count >= 5);
+  if (veryReused.length > 0 && suspiciousReuse.length === 0 && signerReuse.length === 0) {
+    const evidence = veryReused.slice(0, 3).map(([amountKey, data]) => {
       const [amount, token] = amountKey.split("-");
-      evidence.push({
+      return {
+        description: `${amount} ${token} used ${data.count} times across ${data.counterparties.size} counterparties`,
+        severity: data.count > 10 ? "MEDIUM" : "LOW",
         type: "amount",
-        description: `Amount ${amount} ${token} used ${count} times`,
-        data: { amount: parseFloat(amount), token, count }
-      });
-    }
+        data: { amount: parseFloat(amount), token, count: data.count }
+      };
+    });
+    const maxCount = veryReused[0][1].count;
+    const severity = maxCount > 10 ? "MEDIUM" : "LOW";
+    signals.push({
+      id: "amount-reuse-frequency",
+      name: "High-Frequency Amount Reuse",
+      severity,
+      category: "behavioral",
+      reason: `${veryReused.length} amount(s) are used very frequently (${maxCount} times for top amount).`,
+      impact: "Extremely frequent reuse of specific amounts suggests automation or habitual behavior, creating a detectable pattern.",
+      mitigation: "If running automated systems, add randomization to amounts.",
+      evidence
+    });
   }
-  return {
-    id: "amount-reuse",
-    name: "Deterministic Amount Patterns",
-    severity,
-    reason: `Wallet uses ${hasRoundNumbers ? "round numbers" : "repeated amounts"} in transactions`,
-    impact: "Using the same amounts repeatedly or sending round numbers creates fingerprints that can be used to link transactions and identify patterns in your activity.",
-    evidence,
-    mitigation: "Vary transaction amounts slightly, avoid round numbers, and consider using privacy protocols that obscure amounts.",
-    confidence: hasRoundNumbers ? 0.85 : 0.75
-  };
+  return signals;
 }
 // src/heuristics/timing-patterns.ts
@@ -984,13 +1398,545 @@ function detectBalanceTraceability(context) {
   };
 }
+// src/heuristics/fee-payer-reuse.ts
+function detectFeePayerReuse(context) {
+  const signals = [];
+  if (context.targetType === "transaction") {
+    return signals;
+  }
+  if (!context.feePayers || !context.transactions || context.transactions.length === 0) {
+    return signals;
+  }
+  const feePayers = context.feePayers;
+  const target = context.target;
+  const targetIsFeePayer = feePayers.has(target);
+  const onlyTargetPays = feePayers.size === 1 && targetIsFeePayer;
+  if (onlyTargetPays) {
+    return signals;
+  }
+  if (feePayers.size > 1 && targetIsFeePayer) {
+    const externalFeePayers = Array.from(feePayers).filter((fp) => fp !== target);
+    const feePayerCounts = /* @__PURE__ */ new Map();
+    for (const tx of context.transactions) {
+      if (tx.feePayer !== target) {
+        feePayerCounts.set(tx.feePayer, (feePayerCounts.get(tx.feePayer) || 0) + 1);
+      }
+    }
+    const evidence = [];
+    for (const [feePayer, count] of feePayerCounts) {
+      evidence.push({
+        description: `${feePayer} paid fees for ${count} transaction(s)`,
+        severity: count > 1 ? "HIGH" : "MEDIUM",
+        reference: void 0
+      });
+    }
+    const knownFeePayerLabel = externalFeePayers.find((fp) => context.labels.has(fp));
+    const knownLabel = knownFeePayerLabel ? context.labels.get(knownFeePayerLabel) : null;
+    signals.push({
+      id: "fee-payer-external",
+      name: "External Fee Payer Detected",
+      severity: knownLabel ? "HIGH" : "MEDIUM",
+      category: "linkability",
+      reason: `${externalFeePayers.length} external wallet(s) paid fees for transactions involving this address${knownLabel ? `, including known entity: ${knownLabel.name}` : ""}.`,
+      impact: "This address is linked to the fee payer(s). Anyone observing the blockchain can see this relationship. If the fee payer is identified, this address is also compromised.",
+      mitigation: "Always pay your own transaction fees. Never allow third parties to pay fees for your transactions unless absolutely necessary. If using a relayer, understand that this creates a permanent on-chain link.",
+      evidence
+    });
+  }
+  if (!targetIsFeePayer && feePayers.size > 0) {
+    const allFeePayers = Array.from(feePayers);
+    const feePayerCounts = /* @__PURE__ */ new Map();
+    for (const tx of context.transactions) {
+      feePayerCounts.set(tx.feePayer, (feePayerCounts.get(tx.feePayer) || 0) + 1);
+    }
+    const evidence = [];
+    for (const [feePayer, count] of feePayerCounts) {
+      const label = context.labels.get(feePayer);
+      evidence.push({
+        description: `${feePayer}${label ? ` (${label.name})` : ""} paid fees for ${count} transaction(s)`,
+        severity: "HIGH",
+        reference: void 0
+      });
+    }
+    const maxCount = Math.max(...Array.from(feePayerCounts.values()));
+    const repeatedFeePayer = maxCount > 1;
+    signals.push({
+      id: "fee-payer-never-self",
+      name: "Never Self-Pays Transaction Fees",
+      severity: repeatedFeePayer ? "HIGH" : "HIGH",
+      // Always HIGH - this is critical
+      category: "linkability",
+      reason: `This address has NEVER paid its own transaction fees. All ${context.transactionCount} transaction(s) were paid by ${allFeePayers.length} external wallet(s).`,
+      impact: "This is a CRITICAL privacy leak. This address is trivially linked to all fee payer(s). This pattern suggests a managed account, hot wallet, or program-controlled address. The controlling entity is fully exposed.",
+      mitigation: "This account model fundamentally compromises privacy. To improve: (1) Fund this address with SOL and pay your own fees, or (2) Use a fresh address for each operation, or (3) Accept that this address is permanently linked to its fee payer(s).",
+      evidence
+    });
+  }
+  if (context.targetType === "program") {
+    const feePayerCounts = /* @__PURE__ */ new Map();
+    for (const tx of context.transactions) {
+      if (!feePayerCounts.has(tx.feePayer)) {
+        feePayerCounts.set(tx.feePayer, /* @__PURE__ */ new Set());
+      }
+      for (const signer of tx.signers) {
+        feePayerCounts.get(tx.feePayer).add(signer);
+      }
+    }
+    const multiFeePayerOperators = [];
+    for (const [feePayer, signers] of feePayerCounts) {
+      if (signers.size > 1) {
+        const txCount = context.transactions.filter((tx) => tx.feePayer === feePayer).length;
+        multiFeePayerOperators.push({
+          feePayer,
+          signerCount: signers.size,
+          txCount
+        });
+      }
+    }
+    if (multiFeePayerOperators.length > 0) {
+      const evidence = multiFeePayerOperators.map((op) => ({
+        description: `${op.feePayer} paid fees for ${op.txCount} transaction(s) involving ${op.signerCount} different signer(s)`,
+        severity: "HIGH",
+        reference: void 0
+      }));
+      signals.push({
+        id: "fee-payer-multi-signer",
+        name: "Fee Payer Controls Multiple Signers",
+        severity: "HIGH",
+        category: "linkability",
+        reason: `${multiFeePayerOperators.length} fee payer(s) are paying fees for multiple different signers, suggesting centralized control or bot operation.`,
+        impact: "All addresses funded by the same fee payer are linkable. This pattern exposes operational infrastructure.",
+        mitigation: "If running bots or managing multiple accounts, use a unique fee payer for each to avoid linking them on-chain.",
+        evidence
+      });
+    }
+  }
+  return signals;
+}
+// src/heuristics/signer-overlap.ts
+function detectSignerOverlap(context) {
+  const signals = [];
+  if (context.transactionCount < 2) {
+    return signals;
+  }
+  if (!context.transactions || context.transactions.length === 0) {
+    return signals;
+  }
+  const signerFrequency = /* @__PURE__ */ new Map();
+  const signerTransactions = /* @__PURE__ */ new Map();
+  for (const tx of context.transactions) {
+    for (const signer of tx.signers) {
+      signerFrequency.set(signer, (signerFrequency.get(signer) || 0) + 1);
+      if (!signerTransactions.has(signer)) {
+        signerTransactions.set(signer, []);
+      }
+      signerTransactions.get(signer).push(tx.signature);
+    }
+  }
+  const target = context.target;
+  const frequentSigners = Array.from(signerFrequency.entries()).filter(([signer]) => signer !== target).filter(([_, count]) => count >= Math.min(3, Math.ceil(context.transactionCount * 0.3))).sort((a, b) => b[1] - a[1]);
+  if (frequentSigners.length > 0) {
+    const evidence = frequentSigners.map(([signer, count]) => {
+      const label = context.labels.get(signer);
+      return {
+        description: `${signer}${label ? ` (${label.name})` : ""} signed ${count}/${context.transactionCount} transactions`,
+        severity: count > context.transactionCount * 0.7 ? "HIGH" : "MEDIUM",
+        reference: void 0
+      };
+    });
+    const topSignerCount = frequentSigners[0][1];
+    const severity = topSignerCount > context.transactionCount * 0.7 ? "HIGH" : "MEDIUM";
+    signals.push({
+      id: "signer-repeated",
+      name: "Repeated Signer Across Transactions",
+      severity,
+      category: "linkability",
+      reason: `${frequentSigners.length} address(es) repeatedly sign transactions involving the target. The most frequent signer appears in ${topSignerCount}/${context.transactionCount} transactions.`,
+      impact: "Repeated signers create hard links between transactions. All transactions signed by the same address are trivially linkable.",
+      mitigation: "If you control multiple addresses that sign together, they are permanently linked. Use separate signing keys for unrelated activities.",
+      evidence
+    });
+  }
+  const signerSets = /* @__PURE__ */ new Map();
+  const signerSetExamples = /* @__PURE__ */ new Map();
+  for (const tx of context.transactions) {
+    const sortedSigners = [...tx.signers].sort();
+    const setKey = JSON.stringify(sortedSigners);
+    signerSets.set(setKey, (signerSets.get(setKey) || 0) + 1);
+    if (!signerSetExamples.has(setKey)) {
+      signerSetExamples.set(setKey, tx.signature);
+    }
+  }
+  const repeatedSets = Array.from(signerSets.entries()).filter(([_, count]) => count > 1).sort((a, b) => b[1] - a[1]);
+  if (repeatedSets.length > 0) {
+    const evidence = repeatedSets.map(([setKey, count]) => {
+      const signers = JSON.parse(setKey);
+      const exampleSig = signerSetExamples.get(setKey);
+      return {
+        description: `${count} transactions with identical signer set: [${signers.map((s) => s.slice(0, 8)).join(", ")}...]`,
+        severity: count > 2 ? "MEDIUM" : "LOW",
+        reference: `https://solscan.io/tx/${exampleSig}`
+      };
+    });
+    signals.push({
+      id: "signer-set-reuse",
+      name: "Repeated Multi-Signature Pattern",
+      severity: "MEDIUM",
+      category: "linkability",
+      reason: `${repeatedSets.length} distinct signer set(s) are reused multiple times. This creates a unique fingerprint.`,
+      impact: "Reused multi-sig patterns are highly unique and easily linkable. Even if addresses differ, the signer set pattern can identify related activity.",
+      mitigation: "If using multi-sig for multiple transactions, rotate signing keys or use threshold signatures to vary the signer set.",
+      evidence
+    });
+  }
+  if (context.targetType === "program" || context.transactionCount > 10) {
+    const signerCoSigners = /* @__PURE__ */ new Map();
+    for (const tx of context.transactions) {
+      for (const signer of tx.signers) {
+        if (!signerCoSigners.has(signer)) {
+          signerCoSigners.set(signer, /* @__PURE__ */ new Set());
+        }
+        for (const otherSigner of tx.signers) {
+          if (otherSigner !== signer) {
+            signerCoSigners.get(signer).add(otherSigner);
+          }
+        }
+      }
+    }
+    const authorityCandidates = Array.from(signerCoSigners.entries()).filter(([_, coSigners]) => coSigners.size >= 3).sort((a, b) => b[1].size - a[1].size);
+    if (authorityCandidates.length > 0) {
+      const evidence = authorityCandidates.slice(0, 3).map(([signer, coSigners]) => {
+        const label = context.labels.get(signer);
+        const txCount = signerFrequency.get(signer) || 0;
+        return {
+          description: `${signer}${label ? ` (${label.name})` : ""} co-signed with ${coSigners.size} different addresses across ${txCount} transactions`,
+          severity: "HIGH",
+          reference: void 0
+        };
+      });
+      signals.push({
+        id: "signer-authority-hub",
+        name: "Authority Signer Detected",
+        severity: "HIGH",
+        category: "linkability",
+        reason: `${authorityCandidates.length} address(es) act as an authority, co-signing with multiple different wallets. This exposes a control hub.`,
+        impact: "An authority signer links all accounts it co-signs with. This reveals organizational structure or bot infrastructure.",
+        mitigation: 'Use unique authority keys for each logical group of accounts. Avoid having a single "master" signer.',
+        evidence
+      });
+    }
+  }
+  return signals;
+}
+// src/heuristics/instruction-fingerprinting.ts
+function detectInstructionFingerprinting(context) {
+  const signals = [];
+  if (context.transactionCount < 3) {
+    return signals;
+  }
+  if (!context.transactions || context.transactions.length === 0) {
+    return signals;
+  }
+  const sequenceFingerprints = /* @__PURE__ */ new Map();
+  const sequenceExamples = /* @__PURE__ */ new Map();
+  for (const tx of context.transactions) {
+    const txInstructions = context.instructions.filter((inst) => inst.signature === tx.signature).map((inst) => inst.programId);
+    if (txInstructions.length === 0) continue;
+    const sequence = txInstructions.join("->");
+    sequenceFingerprints.set(sequence, (sequenceFingerprints.get(sequence) || 0) + 1);
+    if (!sequenceExamples.has(sequence)) {
+      sequenceExamples.set(sequence, []);
+    }
+    sequenceExamples.get(sequence).push(tx.signature);
+  }
+  const repeatedSequences = Array.from(sequenceFingerprints.entries()).filter(([_, count]) => count >= Math.min(3, Math.ceil(context.transactionCount * 0.2))).sort((a, b) => b[1] - a[1]);
+  if (repeatedSequences.length > 0) {
+    const evidence = repeatedSequences.slice(0, 5).map(([sequence, count]) => {
+      const exampleSigs = sequenceExamples.get(sequence).slice(0, 2);
+      const programs = sequence.split("->").map((p) => p.slice(0, 8) + "...").join(" \u2192 ");
+      return {
+        description: `Instruction sequence repeated ${count} times: ${programs}`,
+        severity: count > context.transactionCount * 0.5 ? "MEDIUM" : "LOW",
+        reference: `https://solscan.io/tx/${exampleSigs[0]}`
+      };
+    });
+    const topSequenceCount = repeatedSequences[0][1];
+    const severity = topSequenceCount > context.transactionCount * 0.5 ? "MEDIUM" : "LOW";
+    signals.push({
+      id: "instruction-sequence-pattern",
+      name: "Repeated Instruction Sequence Pattern",
+      severity,
+      category: "behavioral",
+      reason: `${repeatedSequences.length} distinct instruction sequence(s) are repeated multiple times. The most common pattern appears in ${topSequenceCount}/${context.transactionCount} transactions.`,
+      impact: "Repeated instruction patterns create a behavioral fingerprint. Even with different addresses, these patterns can link related activity.",
+      mitigation: "Vary the order or combination of operations. Add dummy instructions or randomize transaction structure where possible.",
+      evidence
+    });
+  }
+  const programUsage = /* @__PURE__ */ new Map();
+  for (const inst of context.instructions) {
+    programUsage.set(inst.programId, (programUsage.get(inst.programId) || 0) + 1);
+  }
+  const COMMON_PROGRAMS = [
+    "11111111111111111111111111111111",
+    // System
+    "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA",
+    // SPL Token
+    "ATokenGPvbdGVxr1b2hvZbsiqW5xWH25efTNsLJA8knL",
+    // Associated Token
+    "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr",
+    // Memo
+    "ComputeBudget111111111111111111111111111111"
+    // Compute Budget
+  ];
+  const uniquePrograms = Array.from(programUsage.entries()).filter(([programId]) => !COMMON_PROGRAMS.includes(programId)).filter(([_, count]) => count >= Math.min(2, Math.ceil(context.transactionCount * 0.15))).sort((a, b) => b[1] - a[1]);
+  if (uniquePrograms.length >= 2) {
+    const evidence = uniquePrograms.slice(0, 5).map(([programId, count]) => {
+      const label = context.labels.get(programId);
+      return {
+        description: `${programId.slice(0, 8)}...${label ? ` (${label.name})` : ""} used in ${count} transactions`,
+        severity: "LOW",
+        reference: `https://solscan.io/account/${programId}`
+      };
+    });
+    signals.push({
+      id: "program-usage-profile",
+      name: "Distinctive Program Usage Profile",
+      severity: "LOW",
+      category: "behavioral",
+      reason: `This address uses ${uniquePrograms.length} less-common programs repeatedly. This creates a unique usage profile.`,
+      impact: "Program usage patterns can fingerprint wallet behavior. Addresses with similar program usage profiles are likely related.",
+      mitigation: "Using niche protocols creates a fingerprint. This is difficult to mitigate without changing your DeFi strategy.",
+      evidence
+    });
+  }
+  if (context.pdaInteractions.length > 0) {
+    const pdaUsage = /* @__PURE__ */ new Map();
+    for (const pda of context.pdaInteractions) {
+      if (!pdaUsage.has(pda.pda)) {
+        pdaUsage.set(pda.pda, { count: 0, programId: pda.programId });
+      }
+      pdaUsage.get(pda.pda).count++;
+    }
+    const repeatedPDAs = Array.from(pdaUsage.entries()).filter(([_, { count }]) => count > 1).sort((a, b) => b[1].count - a[1].count);
+    if (repeatedPDAs.length > 0) {
+      const evidence = repeatedPDAs.slice(0, 5).map(([pda, { count, programId }]) => ({
+        description: `PDA ${pda.slice(0, 8)}... used ${count} times (program: ${programId.slice(0, 8)}...)`,
+        severity: count > 3 ? "MEDIUM" : "LOW",
+        reference: `https://solscan.io/account/${pda}`
+      }));
+      const maxPDAUsage = repeatedPDAs[0][1].count;
+      const severity = maxPDAUsage > 3 ? "MEDIUM" : "LOW";
+      signals.push({
+        id: "pda-reuse-pattern",
+        name: "Repeated PDA Interaction",
+        severity,
+        category: "behavioral",
+        reason: `${repeatedPDAs.length} Program-Derived Address(es) are used repeatedly. The most common PDA appears in ${maxPDAUsage} transactions.`,
+        impact: "Repeated PDA usage links transactions. If the PDA is specific to you (e.g., a user account), all interactions with it are linked.",
+        mitigation: "Some PDA reuse is unavoidable (e.g., your DEX pool position). For sensitive operations, consider using fresh accounts or different protocols.",
+        evidence
+      });
+    }
+  }
+  const programInstructions = /* @__PURE__ */ new Map();
+  for (const inst of context.instructions) {
+    if (!programInstructions.has(inst.programId)) {
+      programInstructions.set(inst.programId, []);
+    }
+    if (inst.data) {
+      programInstructions.get(inst.programId).push(inst.data);
+    }
+  }
+  for (const [programId, dataList] of programInstructions) {
+    if (dataList.length < 2) continue;
+    const typeMap = /* @__PURE__ */ new Map();
+    for (const data of dataList) {
+      if (data && typeof data === "object" && "type" in data) {
+        const type = String(data.type);
+        typeMap.set(type, (typeMap.get(type) || 0) + 1);
+      }
+    }
+    const repeatedTypes = Array.from(typeMap.entries()).filter(([_, count]) => count >= 2).sort((a, b) => b[1] - a[1]);
+    if (repeatedTypes.length > 0 && repeatedTypes[0][1] >= 3) {
+      const [instructionType, count] = repeatedTypes[0];
+      const label = context.labels.get(programId);
+      signals.push({
+        id: `instruction-type-${programId.slice(0, 8)}`,
+        name: "Repeated Instruction Type",
+        severity: "LOW",
+        category: "behavioral",
+        reason: `The instruction type "${instructionType}" on program ${programId.slice(0, 8)}...${label ? ` (${label.name})` : ""} is used ${count} times.`,
+        impact: "Repeated instruction types on the same program suggest automated behavior or specific strategy execution.",
+        mitigation: "This is generally low-risk but contributes to behavioral fingerprinting. Diversify your transaction types if possible.",
+        evidence: [{
+          description: `"${instructionType}" instruction used ${count} times`,
+          severity: "LOW",
+          reference: void 0
+        }]
+      });
+    }
+  }
+  return signals;
+}
+// src/heuristics/token-account-lifecycle.ts
+function detectTokenAccountLifecycle(context) {
+  const signals = [];
+  if (!context.tokenAccountEvents || context.tokenAccountEvents.length === 0) {
+    return signals;
+  }
+  const accountEvents = /* @__PURE__ */ new Map();
+  for (const event of context.tokenAccountEvents) {
+    if (!accountEvents.has(event.tokenAccount)) {
+      accountEvents.set(event.tokenAccount, []);
+    }
+    accountEvents.get(event.tokenAccount).push(event);
+  }
+  const createEvents = context.tokenAccountEvents.filter((e) => e.type === "create");
+  const closeEvents = context.tokenAccountEvents.filter((e) => e.type === "close");
+  if (createEvents.length >= 2 && closeEvents.length >= 2) {
+    const refundDestinations = /* @__PURE__ */ new Map();
+    const totalRefunded = closeEvents.reduce((sum, event) => {
+      if (event.rentRefund) {
+        refundDestinations.set(event.owner, (refundDestinations.get(event.owner) || 0) + event.rentRefund);
+        return sum + event.rentRefund;
+      }
+      return sum;
+    }, 0);
+    if (refundDestinations.size > 0) {
+      const evidence = Array.from(refundDestinations.entries()).map(([owner, amount]) => ({
+        description: `${amount.toFixed(4)} SOL refunded to ${owner.slice(0, 8)}... from ${closeEvents.filter((e) => e.owner === owner).length} closed account(s)`,
+        severity: "MEDIUM",
+        reference: void 0
+      }));
+      signals.push({
+        id: "token-account-churn",
+        name: "Frequent Token Account Creation/Closure",
+        severity: "MEDIUM",
+        category: "behavioral",
+        reason: `${createEvents.length} token account(s) created and ${closeEvents.length} closed. Rent refunds totaling ${totalRefunded.toFixed(4)} SOL expose ownership.`,
+        impact: 'Rent refunds link temporary token accounts back to the owner wallet. This pattern defeats the purpose of using "burner" accounts.',
+        mitigation: "If using temporary token accounts for privacy, leave them open (accept the small rent cost) rather than closing and refunding to your main wallet.",
+        evidence
+      });
+    }
+  }
+  const completeLifecycles = [];
+  for (const [tokenAccount, events] of accountEvents) {
+    const creates = events.filter((e) => e.type === "create");
+    const closes = events.filter((e) => e.type === "close");
+    if (creates.length > 0 && closes.length > 0) {
+      const createTime = creates[0].blockTime;
+      const closeTime = closes[closes.length - 1].blockTime;
+      if (createTime && closeTime) {
+        const duration = closeTime - createTime;
+        completeLifecycles.push({ tokenAccount, events, duration });
+      }
+    }
+  }
+  const shortLived = completeLifecycles.filter((lc) => lc.duration < 3600);
+  if (shortLived.length >= 2) {
+    const evidence = shortLived.slice(0, 5).map((lc) => {
+      const durationMin = Math.floor(lc.duration / 60);
+      const closeEvent = lc.events.find((e) => e.type === "close");
+      return {
+        description: `${lc.tokenAccount.slice(0, 8)}... lived for ${durationMin} minute(s)${closeEvent?.rentRefund ? `, refunded ${closeEvent.rentRefund.toFixed(4)} SOL` : ""}`,
+        severity: "LOW",
+        reference: void 0
+      };
+    });
+    signals.push({
+      id: "token-account-short-lived",
+      name: "Short-Lived Token Accounts",
+      severity: "LOW",
+      category: "behavioral",
+      reason: `${shortLived.length} token account(s) were created and closed within an hour, suggesting burner account usage.`,
+      impact: "Short-lived accounts suggest privacy-conscious behavior, but rent refunds still create linkage.",
+      mitigation: "For true privacy, do not close accounts immediately. The rent refund links the burner back to you.",
+      evidence
+    });
+  }
+  const ownerAccounts = /* @__PURE__ */ new Map();
+  for (const event of context.tokenAccountEvents) {
+    if (event.type === "create") {
+      if (!ownerAccounts.has(event.owner)) {
+        ownerAccounts.set(event.owner, /* @__PURE__ */ new Set());
+      }
+      ownerAccounts.get(event.owner).add(event.tokenAccount);
+    }
+  }
+  const multiAccountOwners = Array.from(ownerAccounts.entries()).filter(([_, accounts]) => accounts.size >= 2).sort((a, b) => b[1].size - a[1].size);
+  if (multiAccountOwners.length > 0) {
+    const [owner, accounts] = multiAccountOwners[0];
+    const isTarget = owner === context.target;
+    if (!isTarget || multiAccountOwners.length > 1) {
+      const evidence = multiAccountOwners.slice(0, 3).map(([own, accs]) => {
+        const label = context.labels.get(own);
+        return {
+          description: `${own.slice(0, 8)}...${label ? ` (${label.name})` : ""} owns ${accs.size} token account(s)`,
+          severity: "LOW",
+          reference: void 0
+        };
+      });
+      signals.push({
+        id: "token-account-common-owner",
+        name: "Common Owner Across Token Accounts",
+        severity: "LOW",
+        category: "linkability",
+        reason: `${multiAccountOwners.length} wallet(s) control multiple token accounts. The top owner controls ${accounts.size} accounts.`,
+        impact: "All token accounts with the same owner are trivially linked.",
+        mitigation: "This is inherent to Solana's token account model and cannot be avoided.",
+        evidence
+      });
+    }
+  }
+  const rentRefundReceivers = /* @__PURE__ */ new Map();
+  for (const event of context.tokenAccountEvents) {
+    if (event.type === "close" && event.rentRefund) {
+      const current = rentRefundReceivers.get(event.owner) || { count: 0, total: 0 };
+      current.count++;
+      current.total += event.rentRefund;
+      rentRefundReceivers.set(event.owner, current);
+    }
+  }
+  const significantRefunds = Array.from(rentRefundReceivers.entries()).filter(([_, { count }]) => count >= 3).sort((a, b) => b[1].count - a[1].count);
+  if (significantRefunds.length > 0) {
+    const evidence = significantRefunds.slice(0, 3).map(([owner, { count, total }]) => ({
+      description: `${owner.slice(0, 8)}... received ${count} rent refunds totaling ${total.toFixed(4)} SOL`,
+      severity: "MEDIUM",
+      reference: void 0
+    }));
+    const [topOwner, topData] = significantRefunds[0];
+    signals.push({
+      id: "rent-refund-clustering",
+      name: "Rent Refund Clustering",
+      severity: "MEDIUM",
+      category: "linkability",
+      reason: `${significantRefunds.length} address(es) receive multiple rent refunds. ${topOwner.slice(0, 8)}... received ${topData.count} refunds.`,
+      impact: "Rent refunds link closed token accounts back to a central wallet. This exposes the control structure.",
+      mitigation: "Do not close token accounts if privacy is important. The small rent cost (~0.002 SOL) is cheaper than the privacy loss.",
+      evidence
+    });
+  }
+  return signals;
+}
 // src/scanner/index.ts
 var REPORT_VERSION = "1.0.0";
 var HEURISTICS = [
+  // Solana-specific (highest priority)
+  detectFeePayerReuse,
+  detectSignerOverlap,
+  detectKnownEntityInteraction,
   detectCounterpartyReuse,
-  detectAmountReuse,
+  detectInstructionFingerprinting,
+  detectTokenAccountLifecycle,
+  // Traditional heuristics
   detectTimingPatterns,
-  detectKnownEntityInteraction,
+  detectAmountReuse,
   detectBalanceTraceability
 ];
 function calculateOverallRisk(signals) {
@@ -1015,10 +1961,22 @@ function generateMitigations(signals) {
   }
   mitigations.add("Consider using multiple wallets to compartmentalize different activities.");
   const signalIds = new Set(signals.map((s) => s.id));
+  if (signalIds.has("fee-payer-never-self") || signalIds.has("fee-payer-external")) {
+    mitigations.add("Always pay your own transaction fees to avoid linkage.");
+  }
+  if (signalIds.has("signer-repeated") || signalIds.has("signer-set-reuse")) {
+    mitigations.add("Use separate signing keys for unrelated activities.");
+  }
+  if (signalIds.has("instruction-sequence-pattern") || signalIds.has("program-usage-profile")) {
+    mitigations.add("Diversify transaction patterns and protocols to reduce behavioral fingerprinting.");
+  }
+  if (signalIds.has("token-account-churn") || signalIds.has("rent-refund-clustering")) {
+    mitigations.add("Avoid closing token accounts if privacy is important - the rent refund creates linkage.");
+  }
   if (signalIds.has("known-entity-interaction")) {
     mitigations.add("Avoid direct interactions between privacy-sensitive wallets and KYC services.");
   }
-  if (signalIds.has("counterparty-reuse")) {
+  if (signalIds.has("counterparty-reuse") || signalIds.has("pda-reuse")) {
     mitigations.add("Use different addresses for different counterparties or contexts.");
   }
   if (signalIds.has("timing-correlation") || signalIds.has("balance-traceability")) {
@@ -1034,9 +1992,11 @@ function evaluateHeuristics(context) {
   const signals = [];
   for (const heuristic of HEURISTICS) {
     try {
-      const signal = heuristic(context);
-      if (signal) {
-        signals.push(signal);
+      const result = heuristic(context);
+      if (Array.isArray(result)) {
+        signals.push(...result);
+      } else if (result) {
+        signals.push(result);
       }
     } catch (error) {
       console.warn(`Heuristic evaluation failed:`, error);
@@ -1166,8 +2126,12 @@ var VERSION = "0.1.0";
   detectAmountReuse,
   detectBalanceTraceability,
   detectCounterpartyReuse,
+  detectFeePayerReuse,
+  detectInstructionFingerprinting,
   detectKnownEntityInteraction,
+  detectSignerOverlap,
   detectTimingPatterns,
+  detectTokenAccountLifecycle,
   evaluateHeuristics,
   generateReport,
   normalizeProgramData,