solana-privacy-scanner 0.3.2 → 0.4.0

package/dist/index.js

@@ -325,6 +325,430 @@ async function scanProgram(programId, options) {
   }
 }
 
+// src/commands/analyze.ts
+import chalk2 from "chalk";
+import { analyze } from "solana-privacy-scanner-core";
+import * as path from "path";
+import * as fs from "fs";
+async function analyzeCommand(paths, options) {
+  try {
+    if (!options.quiet) {
+      console.log(chalk2.blue("\u{1F512} Running Solana Privacy Analyzer...\n"));
+    }
+    const result = await analyze(paths, {
+      includeLow: options.low !== false
+    });
+    if (options.json) {
+      const output = JSON.stringify(result, null, 2);
+      if (options.output) {
+        fs.writeFileSync(options.output, output);
+        console.log(chalk2.green(`\u2705 Results written to ${options.output}`));
+      } else {
+        console.log(output);
+      }
+    } else {
+      printResults(result, options.quiet || false);
+      if (options.output) {
+        const jsonOutput = JSON.stringify(result, null, 2);
+        fs.writeFileSync(options.output, jsonOutput);
+        console.log(chalk2.green(`
+\u2705 Results also written to ${options.output}`));
+      }
+    }
+    if (result.summary.critical > 0 || result.summary.high > 0) {
+      process.exit(1);
+    }
+  } catch (error) {
+    console.error(chalk2.red("\u274C Analysis failed:"), error);
+    process.exit(1);
+  }
+}
+function printResults(result, quiet) {
+  console.log(chalk2.bold("\u{1F4CA} Scan Summary\n"));
+  console.log(`Files analyzed: ${result.filesAnalyzed}`);
+  console.log(`Total issues: ${result.summary.total}
+`);
+  if (result.summary.critical > 0) {
+    console.log(chalk2.red(`  \u{1F534} CRITICAL: ${result.summary.critical}`));
+  }
+  if (result.summary.high > 0) {
+    console.log(chalk2.yellow(`  \u{1F7E1} HIGH: ${result.summary.high}`));
+  }
+  if (result.summary.medium > 0) {
+    console.log(chalk2.blue(`  \u{1F535} MEDIUM: ${result.summary.medium}`));
+  }
+  if (result.summary.low > 0) {
+    console.log(chalk2.gray(`  \u26AA LOW: ${result.summary.low}`));
+  }
+  if (result.issues.length === 0) {
+    console.log(chalk2.green("\n\u2705 No issues found!"));
+    return;
+  }
+  if (quiet) {
+    return;
+  }
+  const byFile = result.issues.reduce((acc, issue) => {
+    if (!acc[issue.file]) acc[issue.file] = [];
+    acc[issue.file].push(issue);
+    return acc;
+  }, {});
+  console.log(chalk2.bold("\n\u{1F4CB} Detailed Issues\n"));
+  for (const [file, issues] of Object.entries(byFile)) {
+    console.log(chalk2.bold(`
+\u{1F4C1} ${path.relative(process.cwd(), file)}`));
+    console.log("\u2501".repeat(80));
+    issues.forEach((issue, index) => {
+      const severityColor = issue.severity === "CRITICAL" ? chalk2.red : issue.severity === "HIGH" ? chalk2.yellow : issue.severity === "MEDIUM" ? chalk2.blue : chalk2.gray;
+      const severityEmoji = issue.severity === "CRITICAL" ? "\u{1F534}" : issue.severity === "HIGH" ? "\u{1F7E1}" : issue.severity === "MEDIUM" ? "\u{1F535}" : "\u26AA";
+      console.log(`${index + 1}. ${severityEmoji} ${severityColor(issue.severity)} ${issue.message}`);
+      console.log(`   Line ${issue.line}:${issue.column}`);
+      if (issue.suggestion) {
+        console.log(chalk2.dim(`   Suggestion: ${issue.suggestion}`));
+      }
+      if (issue.codeSnippet) {
+        console.log(chalk2.dim("\n   Code:"));
+        console.log(chalk2.dim(issue.codeSnippet.split("\n").map((l) => `   ${l}`).join("\n")));
+      }
+      console.log();
+    });
+  }
+  if (result.summary.critical > 0 || result.summary.high > 0) {
+    console.log(chalk2.yellow("\n\u{1F4A1} Recommendations\n"));
+    console.log("Critical and high severity issues should be fixed before deployment.");
+    console.log("Run with --json to get machine-readable output for CI/CD integration.");
+  }
+}
+
+// src/commands/init.ts
+import { writeFileSync as writeFileSync5, existsSync, mkdirSync, chmodSync } from "fs";
+import { join } from "path";
+import prompts from "prompts";
+import chalk3 from "chalk";
+async function initCommand() {
+  console.log(chalk3.bold.blue("\n\u{1F50D} Solana Privacy Scanner - Setup Wizard\n"));
+  const configPath = join(process.cwd(), ".privacyrc");
+  if (existsSync(configPath)) {
+    const { overwrite } = await prompts({
+      type: "confirm",
+      name: "overwrite",
+      message: "Configuration file already exists. Overwrite?",
+      initial: false
+    });
+    if (!overwrite) {
+      console.log(chalk3.yellow("\nSetup cancelled."));
+      return;
+    }
+  }
+  const responses = await prompts([
+    {
+      type: "select",
+      name: "preset",
+      message: "Choose a configuration preset:",
+      choices: [
+        {
+          title: "Development (Permissive)",
+          value: "dev",
+          description: "Relaxed rules for development"
+        },
+        {
+          title: "Production (Strict)",
+          value: "prod",
+          description: "Strict rules for production code"
+        },
+        {
+          title: "Custom",
+          value: "custom",
+          description: "Configure manually"
+        }
+      ],
+      initial: 0
+    },
+    {
+      type: (prev) => prev === "custom" ? "select" : null,
+      name: "maxRiskLevel",
+      message: "Maximum acceptable risk level:",
+      choices: [
+        { title: "LOW", value: "LOW" },
+        { title: "MEDIUM", value: "MEDIUM" },
+        { title: "HIGH", value: "HIGH" }
+      ],
+      initial: 1
+    },
+    {
+      type: (_, values) => values.preset === "custom" ? "confirm" : null,
+      name: "enforceInCI",
+      message: "Enforce privacy checks in CI/CD?",
+      initial: true
+    },
+    {
+      type: (_, values) => values.preset === "custom" ? "confirm" : null,
+      name: "blockOnFailure",
+      message: "Block builds/commits on privacy policy violations?",
+      initial: false
+    },
+    {
+      type: "text",
+      name: "devnetWallet",
+      message: "Test wallet address (devnet):",
+      validate: (value) => !value || value.length === 44 || "Invalid Solana address"
+    },
+    {
+      type: "multiselect",
+      name: "integrations",
+      message: "Which integrations would you like to set up?",
+      choices: [
+        { title: "GitHub Actions", value: "github", selected: true },
+        { title: "Pre-commit Hook", value: "precommit", selected: true },
+        { title: "Testing Matchers", value: "testing", selected: true }
+      ]
+    }
+  ]);
+  if (!responses.preset) {
+    console.log(chalk3.yellow("\nSetup cancelled."));
+    return;
+  }
+  let config2;
+  switch (responses.preset) {
+    case "dev":
+      config2 = {
+        maxRiskLevel: "HIGH",
+        enforceInCI: false,
+        blockOnFailure: false,
+        thresholds: {
+          maxHighSeverity: 5
+        }
+      };
+      break;
+    case "prod":
+      config2 = {
+        maxRiskLevel: "LOW",
+        enforceInCI: true,
+        blockOnFailure: true,
+        thresholds: {
+          maxHighSeverity: 0,
+          maxMediumSeverity: 2,
+          minPrivacyScore: 80
+        }
+      };
+      break;
+    case "custom":
+      config2 = {
+        maxRiskLevel: responses.maxRiskLevel || "MEDIUM",
+        enforceInCI: responses.enforceInCI ?? true,
+        blockOnFailure: responses.blockOnFailure ?? false,
+        thresholds: {
+          maxHighSeverity: 0
+        }
+      };
+      break;
+    default:
+      config2 = {
+        maxRiskLevel: "MEDIUM",
+        enforceInCI: true,
+        blockOnFailure: false,
+        thresholds: {
+          maxHighSeverity: 0
+        }
+      };
+  }
+  if (responses.devnetWallet) {
+    config2.testWallets = {
+      devnet: responses.devnetWallet
+    };
+  }
+  writeFileSync5(configPath, JSON.stringify(config2, null, 2));
+  console.log(chalk3.green(`
+\u2713 Created ${configPath}`));
+  const integrations = responses.integrations || [];
+  if (integrations.includes("github")) {
+    setupGitHubActions();
+  }
+  if (integrations.includes("precommit")) {
+    setupPreCommitHook();
+  }
+  if (integrations.includes("testing")) {
+    setupTestingMatchers();
+  }
+  console.log(chalk3.bold.green("\n\u2713 Setup complete!\n"));
+  console.log(chalk3.bold("Next steps:\n"));
+  console.log("  1. Review your configuration in " + chalk3.cyan(".privacyrc"));
+  console.log("  2. Add a test wallet address to scan");
+  console.log("  3. Run " + chalk3.cyan("npx solana-privacy-scanner scan-wallet <ADDRESS>"));
+  console.log("\nFor more info: " + chalk3.cyan("https://sps.guide"));
+}
+function setupGitHubActions() {
+  const workflowDir = join(process.cwd(), ".github", "workflows");
+  const workflowPath = join(workflowDir, "privacy-check.yml");
+  if (!existsSync(workflowDir)) {
+    mkdirSync(workflowDir, { recursive: true });
+  }
+  const workflow = `name: Privacy Check
+
+on:
+  pull_request:
+  push:
+    branches: [main, develop]
+
+jobs:
+  privacy-scan:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - uses: actions/checkout@v3
+      
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: '20'
+      
+      - name: Install Dependencies
+        run: npm ci
+      
+      - name: Install Privacy Scanner
+        run: npm install -g solana-privacy-scanner
+      
+      - name: Run Privacy Check
+        run: |
+          # Get test wallet from config
+          TEST_WALLET=$(node -e "console.log(require('./.privacyrc').testWallets?.devnet || '')")
+          
+          if [ -n "$TEST_WALLET" ]; then
+            solana-privacy-scanner scan-wallet $TEST_WALLET --json --output privacy-report.json
+          else
+            echo "No test wallet configured, skipping scan"
+            exit 0
+          fi
+      
+      - name: Check Privacy Policy
+        run: |
+          # Parse report and check against policy
+          RISK_LEVEL=$(node -e "console.log(require('./privacy-report.json').overallRisk)")
+          MAX_RISK=$(node -e "console.log(require('./.privacyrc').maxRiskLevel)")
+          
+          echo "Risk Level: $RISK_LEVEL"
+          echo "Max Allowed: $MAX_RISK"
+          
+          # Simple comparison (can be enhanced)
+          if [ "$RISK_LEVEL" = "HIGH" ] && [ "$MAX_RISK" != "HIGH" ]; then
+            echo "Privacy policy violated!"
+            exit 1
+          fi
+      
+      - name: Upload Report
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: privacy-report
+          path: privacy-report.json
+`;
+  writeFileSync5(workflowPath, workflow);
+  console.log(chalk3.green(`
+\u2713 Created ${workflowPath}`));
+}
+function setupPreCommitHook() {
+  const hookPath = join(process.cwd(), ".husky", "pre-commit");
+  const huskyDir = join(process.cwd(), ".husky");
+  if (!existsSync(huskyDir)) {
+    mkdirSync(huskyDir, { recursive: true });
+  }
+  const hook = `#!/bin/sh
+. "$(dirname "$0")/_/husky.sh"
+
+# Load config
+CONFIG_FILE=".privacyrc"
+
+if [ ! -f "$CONFIG_FILE" ]; then
+  echo "No .privacyrc found, skipping privacy check"
+  exit 0
+fi
+
+# Get test wallet
+TEST_WALLET=$(node -e "const config = require('./.privacyrc'); console.log(config.testWallets?.devnet || '');" 2>/dev/null)
+
+if [ -z "$TEST_WALLET" ]; then
+  echo "No test wallet configured, skipping privacy check"
+  exit 0
+fi
+
+echo "\u{1F50D} Running privacy check..."
+
+# Run privacy scanner
+npx solana-privacy-scanner scan-wallet $TEST_WALLET --json > /tmp/privacy-report.json 2>&1
+
+# Check result
+RISK_LEVEL=$(node -e "const report = require('/tmp/privacy-report.json'); console.log(report.overallRisk);" 2>/dev/null)
+
+if [ "$RISK_LEVEL" = "HIGH" ]; then
+  echo "\u274C HIGH privacy risk detected!"
+  echo "Run 'npx solana-privacy-scanner scan-wallet $TEST_WALLET' for details"
+  echo ""
+  echo "To bypass this check, use: git commit --no-verify"
+  exit 1
+fi
+
+echo "\u2713 Privacy check passed"
+exit 0
+`;
+  writeFileSync5(hookPath, hook);
+  try {
+    chmodSync(hookPath, "755");
+  } catch (error) {
+    console.warn(chalk3.yellow("Could not make hook executable. Run: chmod +x .husky/pre-commit"));
+  }
+  console.log(chalk3.green(`
+\u2713 Created ${hookPath}`));
+  console.log(chalk3.yellow("  Note: Install husky with: npm install --save-dev husky && npx husky install"));
+}
+function setupTestingMatchers() {
+  const testSetupPath = join(process.cwd(), "tests", "setup.ts");
+  const testDir = join(process.cwd(), "tests");
+  if (!existsSync(testDir)) {
+    mkdirSync(testDir, { recursive: true });
+  }
+  const setup = `// Privacy testing setup
+import '@solana-privacy-scanner/ci-tools/matchers';
+
+// This file is automatically loaded by Vitest
+// Add any additional test setup here
+`;
+  writeFileSync5(testSetupPath, setup);
+  console.log(chalk3.green(`
+\u2713 Created ${testSetupPath}`));
+  const exampleTestPath = join(testDir, "privacy.example.test.ts");
+  const exampleTest = `import { describe, it, expect } from 'vitest';
+import { Connection, Transaction, SystemProgram, Keypair } from '@solana/web3.js';
+import { simulateTransactionPrivacy } from '@solana-privacy-scanner/ci-tools/simulator';
+
+describe('Privacy Tests Example', () => {
+  const connection = new Connection('https://api.devnet.solana.com');
+
+  it('should maintain privacy for basic transfer', async () => {
+    // Create a simple transfer transaction
+    const from = Keypair.generate();
+    const to = Keypair.generate();
+    
+    const tx = new Transaction().add(
+      SystemProgram.transfer({
+        fromPubkey: from.publicKey,
+        toPubkey: to.publicKey,
+        lamports: 1000000,
+      })
+    );
+
+    // Simulate and analyze privacy
+    const report = await simulateTransactionPrivacy(tx, connection);
+
+    // Make privacy assertions
+    expect(report).toHavePrivacyRisk('LOW');
+    expect(report).toHaveNoHighRiskSignals();
+    expect(report).toHaveAtMostSignals(2);
+  });
+});
+`;
+  writeFileSync5(exampleTestPath, exampleTest);
+  console.log(chalk3.green(`\u2713 Created ${exampleTestPath}`));
+}
+
 // src/index.ts
 import { VERSION } from "solana-privacy-scanner-core";
 dotenv.config({ path: ".env.local" });
@@ -334,5 +758,7 @@ program.name("solana-privacy-scanner").description("Privacy risk scanner for Sol
 program.command("scan-wallet").alias("wallet").description("Scan a Solana wallet address for privacy risks").argument("<address>", "Wallet address to scan").option("--rpc <url>", "Custom RPC endpoint URL (optional)", process.env.SOLANA_RPC).option("--json", "Output as JSON", false).option("--max-signatures <number>", "Maximum number of signatures to fetch", "100").option("--output <file>", "Write output to file").action(scanWallet);
 program.command("scan-transaction").alias("tx").description("Scan a single Solana transaction for privacy risks").argument("<signature>", "Transaction signature to scan").option("--rpc <url>", "Custom RPC endpoint URL (optional)", process.env.SOLANA_RPC).option("--json", "Output as JSON", false).option("--output <file>", "Write output to file").action(scanTransaction);
 program.command("scan-program").alias("program").description("Scan a Solana program for privacy risks").argument("<programId>", "Program ID to scan").option("--rpc <url>", "Custom RPC endpoint URL (optional)", process.env.SOLANA_RPC).option("--json", "Output as JSON", false).option("--max-accounts <number>", "Maximum number of accounts to fetch", "100").option("--max-transactions <number>", "Maximum number of transactions to fetch", "50").option("--output <file>", "Write output to file").action(scanProgram);
+program.command("analyze").description("Analyze source code for privacy vulnerabilities").argument("<paths...>", "Files or directories to analyze").option("--json", "Output as JSON", false).option("--no-low", "Exclude low severity issues").option("--quiet", "Only show summary").option("--output <file>", "Write output to file").action(analyzeCommand);
+program.command("init").description("Interactive setup wizard for privacy configuration").action(initCommand);
 program.parse();
 //# sourceMappingURL=index.js.map

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "solana-privacy-scanner",
-  "version": "0.3.2",
+  "version": "0.4.0",
   "type": "module",
-  "description": "CLI tool for analyzing Solana wallet privacy and on-chain exposure - scan wallets, transactions, and programs",
+  "description": "CLI tool for analyzing Solana privacy - scan wallets/transactions/programs, analyze source code, and set up CI/CD privacy checks",
   "bin": {
     "solana-privacy-scanner": "./dist/index.js"
   },
@@ -38,10 +38,11 @@
     "url": "https://github.com/taylorferran/solana-privacy-scanner/issues"
   },
   "dependencies": {
-    "solana-privacy-scanner-core": "^0.4.0",
+    "solana-privacy-scanner-core": "^0.5.0",
     "chalk": "^5.3.0",
     "commander": "^12.1.0",
-    "dotenv": "^16.4.7"
+    "dotenv": "^16.4.7",
+    "prompts": "^2.4.2"
   },
   "devDependencies": {
     "typescript": "^5.7.2",