solidity-argus 0.1.7 → 0.2.0

package/src/tools/solodit-search-tool.ts

@@ -3,6 +3,8 @@ import { tool, type ToolContext } from "@opencode-ai/plugin";
 const SOLODIT_MCP_SERVER = "solodit-mcp";
 const SOLODIT_MCP_TOOL = "search_findings";
 const DEFAULT_LIMIT = 10;
+const DEFAULT_SOLODIT_PORT = 3000;
+const SOLODIT_HTTP_TIMEOUT_MS = 10_000;
 
 type SoloditSearchArgs = {
   query: string;
@@ -68,6 +70,91 @@ function parseFindings(response: unknown): SoloditFinding[] {
   return response.map(parseFinding);
 }
 
+function parseSseData(body: string): unknown {
+  for (const line of body.split("\n")) {
+    if (line.startsWith("data: ")) {
+      try {
+        return JSON.parse(line.slice(6));
+      } catch {
+        continue;
+      }
+    }
+  }
+  try {
+    return JSON.parse(body);
+  } catch {
+    return null;
+  }
+}
+
+function extractFindingsFromMcpResponse(envelope: unknown): SoloditFinding[] {
+  if (typeof envelope !== "object" || envelope === null) return [];
+  const result = (envelope as Record<string, unknown>).result;
+  if (typeof result !== "object" || result === null) return [];
+
+  const structured = (result as Record<string, unknown>).structuredContent;
+  const reportsJson =
+    typeof structured === "object" && structured !== null
+      ? (structured as Record<string, unknown>).reportsJSON
+      : undefined;
+
+  if (typeof reportsJson === "string") {
+    try {
+      const parsed = JSON.parse(reportsJson);
+      if (Array.isArray(parsed)) return parsed.map(parseFinding);
+    } catch { /* fall through */ }
+  }
+
+  const content = (result as Record<string, unknown>).content;
+  if (Array.isArray(content) && content.length > 0) {
+    const first = content[0] as Record<string, unknown> | undefined;
+    if (typeof first?.text === "string") {
+      try {
+        const parsed = JSON.parse(first.text);
+        if (Array.isArray(parsed)) return parsed.map(parseFinding);
+      } catch { /* fall through */ }
+    }
+  }
+
+  return [];
+}
+
+async function callSoloditHttp(
+  query: string,
+  limit: number,
+  port: number = DEFAULT_SOLODIT_PORT,
+): Promise<SoloditSearchResult> {
+  try {
+    const response = await fetch(`http://localhost:${port}/mcp`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Accept: "application/json, text/event-stream",
+      },
+      body: JSON.stringify({
+        jsonrpc: "2.0",
+        method: "tools/call",
+        params: { name: "search", arguments: { keywords: query } },
+        id: 1,
+      }),
+      signal: AbortSignal.timeout(SOLODIT_HTTP_TIMEOUT_MS),
+    });
+
+    if (!response.ok) {
+      return { results: [], totalFound: 0, query, error: `Solodit HTTP ${response.status}` };
+    }
+
+    const body = await response.text();
+    const envelope = parseSseData(body);
+    const findings = extractFindingsFromMcpResponse(envelope);
+
+    return { results: findings.slice(0, limit), totalFound: findings.length, query };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error";
+    return { results: [], totalFound: 0, query, error: `Solodit MCP unreachable: ${message}` };
+  }
+}
+
 export async function executeSoloditSearch(
   args: SoloditSearchArgs,
   context: ToolContext,
@@ -82,12 +169,7 @@ export async function executeSoloditSearch(
     callMcpTool ?? (hasMcpCapability(context) ? context.callMcpTool : undefined);
 
   if (!mcpCaller) {
-    return {
-      results: [],
-      totalFound: 0,
-      query,
-      error: `Solodit MCP not available. Add to opencode.json mcp section or ensure solodit-mcp is running. Use @solodit-mcp directly: search_findings({query: '${query}', limit: ${limit}})`,
-    };
+    return callSoloditHttp(query, limit);
   }
 
   try {
@@ -105,14 +187,10 @@ export async function executeSoloditSearch(
       totalFound: findings.length,
       query,
     };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    return {
-      results: [],
-      totalFound: 0,
-      query,
-      error: `Solodit MCP error: ${message}`,
-    };
+  } catch {
+    // MCP bridge failed (upstream crash, connection error, etc.)
+    // Fall through to HTTP fallback before giving up
+    return callSoloditHttp(query, limit);
   }
 }
 

package/src/utils/audit-artifact-detector.ts

@@ -0,0 +1,119 @@
+import { existsSync, readdirSync } from "fs";
+import { join } from "path";
+
+export interface AuditArtifact {
+  type: "audit-report" | "slither-output" | "deployment-artifact" | "security-tool-output";
+  path: string;
+  name: string;
+}
+
+/**
+ * Detects audit artifacts in a project directory (shallow scan, top-level only)
+ * @param projectDir Directory to scan for audit artifacts
+ * @returns Array of detected audit artifacts
+ */
+export function detectAuditArtifacts(projectDir: string): AuditArtifact[] {
+  const artifacts: AuditArtifact[] = [];
+
+  if (!existsSync(projectDir)) {
+    return artifacts;
+  }
+
+  try {
+    const entries = readdirSync(projectDir, { withFileTypes: true });
+
+    for (const entry of entries) {
+      const fullPath = join(projectDir, entry.name);
+
+      // Check directories
+      if (entry.isDirectory()) {
+        // Audit report directories
+        if (["audit", "audits", "security"].includes(entry.name)) {
+          artifacts.push({
+            type: "audit-report",
+            path: fullPath,
+            name: entry.name,
+          });
+          continue;
+        }
+
+        // Deployment artifact directories
+        if (entry.name === ".openzeppelin") {
+          artifacts.push({
+            type: "deployment-artifact",
+            path: fullPath,
+            name: entry.name,
+          });
+          continue;
+        }
+
+        // docs/audit* directories
+        if (entry.name === "docs") {
+          try {
+            const docsEntries = readdirSync(fullPath, { withFileTypes: true });
+            for (const docsEntry of docsEntries) {
+              if (docsEntry.isDirectory() && docsEntry.name.startsWith("audit")) {
+                artifacts.push({
+                  type: "audit-report",
+                  path: join(fullPath, docsEntry.name),
+                  name: docsEntry.name,
+                });
+              }
+            }
+          } catch {
+            // Ignore errors reading docs directory
+          }
+        }
+        continue;
+      }
+
+      // Check files
+      if (entry.isFile()) {
+        // Audit report files
+        if (
+          /^.*audit.*\.(md|pdf)$/i.test(entry.name) ||
+          /^.*security-review.*\.(md|pdf)$/i.test(entry.name)
+        ) {
+          artifacts.push({
+            type: "audit-report",
+            path: fullPath,
+            name: entry.name,
+          });
+          continue;
+        }
+
+        // Slither output files
+        if (
+          entry.name === "slither.json" ||
+          entry.name === "slither.sarif" ||
+          /^slither-report.*/.test(entry.name)
+        ) {
+          artifacts.push({
+            type: "slither-output",
+            path: fullPath,
+            name: entry.name,
+          });
+          continue;
+        }
+
+        // Security tool output files
+        if (
+          /^mythril-report.*/.test(entry.name) ||
+          /^securify-report.*/.test(entry.name)
+        ) {
+          artifacts.push({
+            type: "security-tool-output",
+            path: fullPath,
+            name: entry.name,
+          });
+          continue;
+        }
+      }
+    }
+  } catch {
+    // Return empty array if directory cannot be read
+    return [];
+  }
+
+  return artifacts;
+}

package/src/utils/dependency-scanner.ts

@@ -0,0 +1,93 @@
+export interface DependencyRisk {
+  package: string;
+  version: string;
+  risk: "high" | "medium" | "low";
+  category: string;
+  recommendation: string;
+}
+
+interface DependencyInput {
+  dependencies?: Record<string, string>;
+  devDependencies?: Record<string, string>;
+}
+
+function parseVersion(raw: string): [number, number, number] {
+  const cleaned = raw.replace(/^[^0-9]*/, "");
+  const parts = cleaned.split(".");
+  return [
+    parseInt(parts[0] ?? "0", 10),
+    parseInt(parts[1] ?? "0", 10),
+    parseInt(parts[2] ?? "0", 10),
+  ];
+}
+
+function versionLt(
+  raw: string,
+  major: number,
+  minor: number,
+  patch = 0
+): boolean {
+  const [a, b, c] = parseVersion(raw);
+  if (a !== major) return a < major;
+  if (b !== minor) return b < minor;
+  return c < patch;
+}
+
+export function scanDependencyRisks(input: DependencyInput): DependencyRisk[] {
+  const risks: DependencyRisk[] = [];
+  const deps = input.dependencies ?? {};
+  const devDeps = input.devDependencies ?? {};
+  const allDeps = { ...deps, ...devDeps };
+
+  const ozVersion = deps["@openzeppelin/contracts"];
+  if (ozVersion) {
+    if (versionLt(ozVersion, 4, 9)) {
+      risks.push({
+        package: "@openzeppelin/contracts",
+        version: ozVersion,
+        risk: "high",
+        category: "known-vulnerability",
+        recommendation:
+          "Upgrade to @openzeppelin/contracts >= 4.9.0 — known vulnerabilities in OZ < 4.9",
+      });
+    } else if (versionLt(ozVersion, 5, 0)) {
+      risks.push({
+        package: "@openzeppelin/contracts",
+        version: ozVersion,
+        risk: "low",
+        category: "upgrade-available",
+        recommendation:
+          "Consider upgrading to OZ v5 for latest patterns and Solidity 0.8.20+ support",
+      });
+    }
+  }
+
+  const ozUpgradeableVersion = deps["@openzeppelin/contracts-upgradeable"];
+  if (ozUpgradeableVersion) {
+    const hasUpgradeTooling =
+      "@openzeppelin/hardhat-upgrades" in allDeps;
+    if (!hasUpgradeTooling) {
+      risks.push({
+        package: "@openzeppelin/contracts-upgradeable",
+        version: ozUpgradeableVersion,
+        risk: "medium",
+        category: "missing-tooling",
+        recommendation:
+          "Add @openzeppelin/hardhat-upgrades to devDependencies for safe upgrade workflows",
+      });
+    }
+  }
+
+  const solmateVersion = deps["solmate"];
+  if (solmateVersion && versionLt(solmateVersion, 6, 0)) {
+    risks.push({
+      package: "solmate",
+      version: solmateVersion,
+      risk: "medium",
+      category: "outdated",
+      recommendation: "Upgrade solmate to >= 6.0.0 for latest fixes",
+    });
+  }
+
+  return risks;
+}

package/src/utils/project-detector.ts

@@ -1,5 +1,6 @@
 import { existsSync } from "fs";
 import { join, resolve } from "path";
+import { scanDependencyRisks, type DependencyRisk } from "./dependency-scanner";
 
 export interface ProjectConfig {
   type: "foundry" | "hardhat" | "mixed" | "unknown";
@@ -9,6 +10,16 @@ export interface ProjectConfig {
   remappings: string[];
   viaIr: boolean;
   rootDir: string;
+  optimizer?: { enabled: boolean; runs?: number };
+  evmVersion?: string;
+  profiles?: string[];
+  hasHardhat: boolean;
+  hasFoundry: boolean;
+  dependencies?: Record<string, string>;
+  devDependencies?: Record<string, string>;
+  isUpgradeable: boolean;
+  outDir?: string;
+  dependencyRisks: DependencyRisk[];
 }
 
 /**
@@ -39,14 +50,16 @@ export async function detectProject(dir: string): Promise<ProjectConfig> {
     type = "unknown";
   }
 
-  // Default values
   let srcDir = "src";
   let testDir = "test";
   let solcVersion: string | undefined;
   let remappings: string[] = [];
   let viaIr = false;
+  let optimizer: { enabled: boolean; runs?: number } | undefined;
+  let evmVersion: string | undefined;
+  let profiles: string[] | undefined;
+  let outDir: string | undefined;
 
-  // Parse Foundry config if present
   if (hasFoundry) {
     const foundryConfig = await parseFoundryToml(foundryTomlPath);
     srcDir = foundryConfig.srcDir || srcDir;
@@ -54,13 +67,25 @@ export async function detectProject(dir: string): Promise<ProjectConfig> {
     solcVersion = foundryConfig.solcVersion;
     remappings = foundryConfig.remappings;
     viaIr = foundryConfig.viaIr;
+    optimizer = foundryConfig.optimizer;
+    evmVersion = foundryConfig.evmVersion;
+    profiles = foundryConfig.profiles;
+    outDir = foundryConfig.outDir;
+  }
+
+  const remappingsFromTxt = parseRemappingsTxt(rootDir);
+  if (remappingsFromTxt.length > 0 && remappings.length === 0) {
+    remappings = remappingsFromTxt;
   }
 
-  // Set Hardhat defaults if it's a Hardhat project
   if (hasHardhat && !hasFoundry) {
     srcDir = "contracts";
   }
 
+  const isUpgradeable = existsSync(join(rootDir, ".openzeppelin"));
+
+  const { dependencies, devDependencies } = await parsePackageJson(rootDir);
+
   return {
     type,
     srcDir,
@@ -69,32 +94,53 @@ export async function detectProject(dir: string): Promise<ProjectConfig> {
     remappings,
     viaIr,
     rootDir,
+    optimizer,
+    evmVersion,
+    profiles,
+    hasHardhat,
+    hasFoundry,
+    dependencies,
+    devDependencies,
+    isUpgradeable,
+    outDir,
+    dependencyRisks: scanDependencyRisks({ dependencies, devDependencies }),
   };
 }
 
 /**
  * Parses foundry.toml file using regex-based parsing
  */
-async function parseFoundryToml(
-  filePath: string
-): Promise<{
+interface FoundryTomlResult {
   srcDir?: string;
   testDir?: string;
   solcVersion?: string;
   remappings: string[];
   viaIr: boolean;
-}> {
+  optimizer?: { enabled: boolean; runs?: number };
+  evmVersion?: string;
+  profiles?: string[];
+  outDir?: string;
+}
+
+async function parseFoundryToml(filePath: string): Promise<FoundryTomlResult> {
   const content = await Bun.file(filePath).text();
 
-  const result = {
-    srcDir: undefined as string | undefined,
-    testDir: undefined as string | undefined,
-    solcVersion: undefined as string | undefined,
-    remappings: [] as string[],
+  const result: FoundryTomlResult = {
+    srcDir: undefined,
+    testDir: undefined,
+    solcVersion: undefined,
+    remappings: [],
     viaIr: false,
   };
 
-  // Extract [profile.default] section - stop at next section or EOF
+  const profileNames = Array.from(
+    content.matchAll(/\[profile\.(\w+)\]/g),
+    (m) => m[1]!
+  );
+  if (profileNames.length > 0) {
+    result.profiles = profileNames;
+  }
+
   const profileDefaultMatch = content.match(
     /\[profile\.default\]([\s\S]*?)(?:\n\[|$)/
   );
@@ -104,38 +150,57 @@ async function parseFoundryToml(
 
   const profileSection = profileDefaultMatch[1];
 
-  // Parse src = "..."
   const srcMatch = profileSection.match(/^\s*src\s*=\s*["']([^"']+)["']/m);
-  if (srcMatch && srcMatch[1]) {
+  if (srcMatch?.[1]) {
     result.srcDir = srcMatch[1];
   }
 
-  // Parse test = "..."
   const testMatch = profileSection.match(/^\s*test\s*=\s*["']([^"']+)["']/m);
-  if (testMatch && testMatch[1]) {
+  if (testMatch?.[1]) {
     result.testDir = testMatch[1];
   }
 
-  // Parse solc = "..."
   const solcMatch = profileSection.match(/^\s*solc\s*=\s*["']([^"']+)["']/m);
-  if (solcMatch && solcMatch[1]) {
+  if (solcMatch?.[1]) {
     result.solcVersion = solcMatch[1];
   }
 
-  // Parse via_ir = true/false
   const viaIrMatch = profileSection.match(/^\s*via[_-]ir\s*=\s*(true|false)/m);
-  if (viaIrMatch && viaIrMatch[1] === "true") {
+  if (viaIrMatch?.[1] === "true") {
     result.viaIr = true;
   }
 
-  // Parse remappings array - handles both single line and multiline
+  const optimizerMatch = profileSection.match(
+    /^\s*optimizer\s*=\s*(true|false)/m
+  );
+  if (optimizerMatch?.[1]) {
+    const enabled = optimizerMatch[1] === "true";
+    const runsMatch = profileSection.match(
+      /^\s*optimizer_runs\s*=\s*(\d+)/m
+    );
+    result.optimizer = {
+      enabled,
+      runs: runsMatch?.[1] ? parseInt(runsMatch[1], 10) : undefined,
+    };
+  }
+
+  const evmMatch = profileSection.match(
+    /^\s*evm_version\s*=\s*["']([^"']+)["']/m
+  );
+  if (evmMatch?.[1]) {
+    result.evmVersion = evmMatch[1];
+  }
+
+  const outMatch = profileSection.match(/^\s*out\s*=\s*["']([^"']+)["']/m);
+  if (outMatch?.[1]) {
+    result.outDir = outMatch[1];
+  }
+
   const remappingsMatch = profileSection.match(
     /remappings\s*=\s*\[([\s\S]*?)\]/
   );
-  if (remappingsMatch && remappingsMatch[1]) {
-    const remappingsContent = remappingsMatch[1];
-    // Extract quoted strings from the array
-    const remappingMatches = remappingsContent.match(/["']([^"']+)["']/g);
+  if (remappingsMatch?.[1]) {
+    const remappingMatches = remappingsMatch[1].match(/["']([^"']+)["']/g);
     if (remappingMatches) {
       result.remappings = remappingMatches.map((m) => m.slice(1, -1));
     }
@@ -143,3 +208,40 @@ async function parseFoundryToml(
 
   return result;
 }
+
+async function parsePackageJson(
+  rootDir: string
+): Promise<{
+  dependencies?: Record<string, string>;
+  devDependencies?: Record<string, string>;
+}> {
+  const pkgPath = join(rootDir, "package.json");
+  if (!existsSync(pkgPath)) {
+    return {};
+  }
+  try {
+    const content = JSON.parse(await Bun.file(pkgPath).text());
+    return {
+      dependencies: content.dependencies,
+      devDependencies: content.devDependencies,
+    };
+  } catch {
+    return {};
+  }
+}
+
+function parseRemappingsTxt(rootDir: string): string[] {
+  const remappingsPath = join(rootDir, "remappings.txt");
+  if (!existsSync(remappingsPath)) {
+    return [];
+  }
+  try {
+    const content = require("fs").readFileSync(remappingsPath, "utf-8");
+    return content
+      .split("\n")
+      .map((line: string) => line.trim())
+      .filter((line: string) => line.length > 0);
+  } catch {
+    return [];
+  }
+}

package/src/utils/solidity-parser.ts

@@ -19,6 +19,20 @@ interface StorageLayout {
   types: Record<string, { label: string }>;
 }
 
+/**
+ * Extract the first JSON value from a string that may contain non-JSON
+ * prefix (e.g. forge table-format output, compilation progress).
+ * Falls back to the original string if no JSON delimiter is found.
+ */
+function extractJson(raw: string, opener: "[" | "{"): string {
+  const closer = opener === "[" ? "]" : "}";
+  const start = raw.indexOf(opener);
+  if (start === -1) return raw;
+  const end = raw.lastIndexOf(closer);
+  if (end === -1) return raw;
+  return raw.slice(start, end + 1);
+}
+
 /**
  * Extract contract information using forge inspect
  * Runs forge inspect <contractName> abi and storage-layout
@@ -43,7 +57,7 @@ export async function extractContractInfo(
   try {
     // Run forge inspect abi
     const abiResult = Bun.spawnSync(
-      ["forge", "inspect", contractName, "abi"],
+      ["forge", "inspect", contractName, "abi", "--json"],
       {
         cwd: projectDir,
         stdout: "pipe",
@@ -59,7 +73,7 @@ export async function extractContractInfo(
 
     // Run forge inspect storage-layout
     const storageResult = Bun.spawnSync(
-      ["forge", "inspect", contractName, "storage-layout"],
+      ["forge", "inspect", contractName, "storage-layout", "--json"],
       {
         cwd: projectDir,
         stdout: "pipe",
@@ -74,7 +88,8 @@ export async function extractContractInfo(
     }
 
     // Parse ABI
-    const abiOutput = abiResult.stdout?.toString() || "[]";
+    const abiRaw = abiResult.stdout?.toString() || "[]";
+    const abiOutput = extractJson(abiRaw, "[");
     let abi: ABIFunction[] = [];
     try {
       abi = JSON.parse(abiOutput);
@@ -84,7 +99,8 @@ export async function extractContractInfo(
     }
 
     // Parse storage layout
-    const storageOutput = storageResult.stdout?.toString() || "{}";
+    const storageRaw = storageResult.stdout?.toString() || "{}";
+    const storageOutput = extractJson(storageRaw, "{");
     let storageLayout: StorageLayout = { storage: [], types: {} };
     try {
       storageLayout = JSON.parse(storageOutput);

package/src/utils/solodit-health.ts

@@ -0,0 +1,29 @@
+export interface SoloditHealthStatus {
+  reachable: boolean
+  enabled: boolean
+  port: number
+  error?: string
+}
+
+export async function checkSoloditHealth(
+  port: number,
+  enabled: boolean,
+): Promise<SoloditHealthStatus> {
+  if (!enabled) {
+    return { reachable: false, enabled: false, port }
+  }
+
+  try {
+    const response = await fetch(`http://localhost:${port}/mcp`, {
+      signal: AbortSignal.timeout(2000),
+    })
+    return { reachable: response.ok, enabled: true, port }
+  } catch (error) {
+    return {
+      reachable: false,
+      enabled: true,
+      port,
+      error: error instanceof Error ? error.message : "Unknown error",
+    }
+  }
+}