solidity-argus 0.1.7 → 0.2.0

package/skills/patterns/signature.yaml

@@ -0,0 +1,31 @@
+pack_name: signature
+pack_version: "1.0"
+patterns:
+  - name: replay-attack
+    category: signature
+    severity: High
+    swc: SWC-117
+    confidence: Medium
+    version: "1.0"
+    regex: 'ecrecover|ECDSA\.recover'
+    description: Signature recovery without nonce tracking — signatures may be replayed across transactions or chains if nonce and chainId are not included in signed data
+    remediation: Include nonce, chainId, and contract address in signed message hash; increment nonce after use; use EIP-712 typed structured data
+
+  - name: sig-malleability
+    category: signature
+    severity: Medium
+    swc: SWC-117
+    confidence: Medium
+    version: "1.0"
+    regex: ecrecover
+    description: Raw ecrecover usage — ECDSA signatures are malleable (s-value can be flipped) allowing signature reuse if not checked against canonical form
+    remediation: Use OpenZeppelin ECDSA.recover which enforces s <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0; reject non-canonical signatures
+
+  - name: missing-nonce
+    category: signature
+    severity: High
+    confidence: Medium
+    version: "1.0"
+    regex: 'permit\(|signTypedData'
+    description: Permit or typed data signing without nonce validation — missing nonce allows signature replay after the original transaction is executed
+    remediation: Track per-address nonces mapping(address => uint256); include nonce in EIP-712 struct; increment nonce on each use

package/skills/protocol-patterns/amm-dex/SKILL.md

@@ -1,6 +1,9 @@
 ---
 name: amm-dex
 description: AMM and DEX security patterns covering pricing, LP accounting, MEV, and swap invariants.
+source_url: https://github.com/DeFiFoFum/fofum-solidity-skills
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
 ---
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->
 

package/skills/references/exploit-reference/SKILL.md

@@ -1,6 +1,9 @@
 ---
 name: exploit-reference
 description: Reference guide to major DeFi exploits and reproducible Foundry workflows from DeFiHackLabs
+source_url: https://github.com/SunWeb3Sec/DeFiHackLabs
+source_license: reference-only
+imported_at: "2025-01-15T00:00:00Z"
 ---
 <!-- Source: SunWeb3Sec/DeFiHackLabs (reference only, no license) -->
 

package/skills/vulnerability-patterns/access-control/SKILL.md

@@ -1,6 +1,19 @@
 ---
 name: access-control
 description: Access-control exploit patterns and secure authorization approaches for privileged Solidity functions.
+source_url: https://github.com/kadenzipfel/smart-contract-vulnerabilities
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
+detection_rules:
+  - regex: 'onlyOwner'
+    severity: Medium
+    confidence: Medium
+    description: Privileged modifier usage that requires authorization review
+  - regex: 'require\(msg\.sender'
+    severity: Medium
+    confidence: Medium
+    swc: SWC-105
+    description: Inline sender authorization check on sensitive paths
 ---
 
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->

package/skills/vulnerability-patterns/authorization-txorigin/SKILL.md

@@ -1,6 +1,12 @@
 ---
 name: authorization-txorigin
 description: - Contract uses `tx.origin` for authorization or access control checks (e.g., `require(tx.origin == owner)`)
+detection_rules:
+  - regex: 'tx\.origin'
+    severity: High
+    confidence: High
+    swc: SWC-115
+    description: tx.origin usage in authorization logic is phishing-prone
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/delegatecall-untrusted-callee/SKILL.md

@@ -1,6 +1,12 @@
 ---
 name: delegatecall-untrusted-callee
 description: - Contract uses `delegatecall`
+detection_rules:
+  - regex: 'delegatecall'
+    severity: High
+    confidence: High
+    swc: SWC-112
+    description: Delegatecall usage where callee trust boundary must be verified
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/dos-revert/SKILL.md

@@ -1,6 +1,18 @@
 ---
 name: dos-revert
-description: - Critical contract logic depends on an external call succeeding
+description: Denial-of-service attacks through unexpected reverts in external calls
+source_url: https://github.com/kadenzipfel/smart-contract-vulnerabilities
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
+detection_rules:
+  - regex: 'require\(.*\.send'
+    severity: Medium
+    confidence: Medium
+    description: Require-on-send pattern can cause full-transaction DoS
+  - regex: 'for\s*\('
+    severity: Low
+    confidence: Low
+    description: Loop construct that may combine with external calls for DoS risk
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/flash-loan-attacks/SKILL.md

@@ -1,6 +1,18 @@
 ---
 name: flash-loan-attacks
 description: Flash-loan attack mechanics, exploit archetypes, and mitigations for capital-amplified threats.
+source_url: https://github.com/kadenzipfel/smart-contract-vulnerabilities
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
+detection_rules:
+  - regex: 'flashLoan\('
+    severity: High
+    confidence: High
+    description: Flash loan primitive usage that can amplify economic attacks
+  - regex: 'balanceOf\(address\(this\)\)'
+    severity: Medium
+    confidence: Medium
+    description: In-transaction balance checks often used in flash-loan-sensitive logic
 ---
 
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->

package/skills/vulnerability-patterns/oracle-manipulation/SKILL.md

@@ -1,6 +1,19 @@
 ---
 name: oracle-manipulation
 description: Oracle manipulation techniques, case studies, and secure pricing integration controls for DeFi.
+source_url: https://github.com/kadenzipfel/smart-contract-vulnerabilities
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
+detection_rules:
+  - regex: 'latestRoundData'
+    severity: Medium
+    confidence: High
+    swc: SWC-116
+    description: Chainlink price reads requiring freshness and sanity checks
+  - regex: 'getReserves\('
+    severity: High
+    confidence: High
+    description: AMM reserve spot-price usage vulnerable to manipulation
 ---
 
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->

package/skills/vulnerability-patterns/overflow-underflow/SKILL.md

@@ -1,6 +1,15 @@
 ---
 name: overflow-underflow
-description: - Solidity <0.8.0 without SafeMath, OR
+description: Integer overflow and underflow vulnerabilities in Solidity contracts
+source_url: https://github.com/kadenzipfel/smart-contract-vulnerabilities
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
+detection_rules:
+  - regex: 'unchecked\s*\{'
+    severity: Medium
+    confidence: High
+    swc: SWC-101
+    description: Unchecked arithmetic block requiring manual overflow review
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/reentrancy/SKILL.md

@@ -1,6 +1,19 @@
 ---
 name: reentrancy
 description: Reentrancy attack patterns, real incidents, and defensive coding checks for Solidity protocols.
+source_url: https://github.com/kadenzipfel/smart-contract-vulnerabilities
+source_license: MIT
+imported_at: "2025-01-15T00:00:00Z"
+detection_rules:
+  - regex: '\.call\{value:'
+    severity: High
+    confidence: High
+    swc: SWC-107
+    description: External value transfer via low-level call before effects
+  - regex: '\.call\{.*\}\('
+    severity: Medium
+    confidence: Medium
+    description: Low-level external call that can open a reentrancy window
 ---
 
 <!-- Source: DeFiFoFum/fofum-solidity-skills (MIT) -->

package/skills/vulnerability-patterns/signature-malleability/SKILL.md

@@ -1,6 +1,15 @@
 ---
 name: signature-malleability
 description: - Contract uses ECDSA signatures for authorization or deduplication
+detection_rules:
+  - regex: 'ecrecover'
+    severity: Medium
+    confidence: High
+    description: Raw ecrecover usage needs strict signature normalization checks
+  - regex: 'ECDSA'
+    severity: Low
+    confidence: Medium
+    description: Signature verification path to inspect for nonce and domain separation
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/skills/vulnerability-patterns/unchecked-return-values/SKILL.md

@@ -1,6 +1,17 @@
 ---
 name: unchecked-return-values
 description: - Contract uses low-level calls: `.call()`, `.send()`, or `.delegatecall()`
+detection_rules:
+  - regex: '\.call\{'
+    severity: Medium
+    confidence: Medium
+    swc: SWC-104
+    description: Low-level call usage requires explicit success handling
+  - regex: '\.send\('
+    severity: Medium
+    confidence: High
+    swc: SWC-104
+    description: send return value can fail silently if unchecked
 ---
 <!-- Source: kadenzipfel/smart-contract-vulnerabilities (MIT) -->
 

package/src/agents/argus-prompt.ts

@@ -269,17 +269,17 @@ Your subagents have access to these specialized tools. Know when to delegate eac
 
 ## SKILL SYSTEM
 
-You have access to OpenCode Skills through the \`skill\` tool. Skills are specialized knowledge modules and must be used proactively when they improve audit accuracy.
+Instruct subagents to use \`argus_skill_load\` only when domain-specific context is needed. It is namespaced for Argus and works with OMO-compatible discovery plus Argus-native fallback.
 
 - **Curated skill map (load these first)**:
-  - **Reconnaissance**: \`protocol-patterns/amm-dex\`, \`protocol-patterns/lending-borrowing\`, \`protocol-patterns/bridges-cross-chain\`
-  - **Manual Review**: \`vulnerability-patterns/reentrancy\`, \`vulnerability-patterns/oracle-manipulation\`, \`vulnerability-patterns/access-control\`
-  - **Verification**: \`checklists/cyfrin-defi-core\`, \`methodology/severity-classification\`, \`methodology/report-template\`
+   - **Reconnaissance**: \`amm-dex\`, \`lending-borrowing\`, \`bridges-cross-chain\`
+   - **Manual Review**: \`reentrancy\`, \`oracle-manipulation\`, \`access-control\`
+   - **Verification**: \`cyfrin-defi-core\`, \`severity-classification\`, \`report-template\`
 
 - **Deterministic trigger rules**:
-  - If the protocol uses AMM reserves or pool math, load \`protocol-patterns/amm-dex\` before Attack Surface Mapping.
-  - If price feeds or spot prices influence critical state changes, load \`vulnerability-patterns/oracle-manipulation\` before severity assessment.
-  - If proxy/upgrade patterns are present, load \`checklists/cyfrin-best-practices-upgrades\` before final recommendations.
+   - If the protocol uses AMM reserves or pool math, load \`amm-dex\` via \`argus_skill_load\` before Attack Surface Mapping.
+   - If price feeds or spot prices influence critical state changes, load \`oracle-manipulation\` via \`argus_skill_load\` before severity assessment.
+   - If proxy/upgrade patterns are present, load \`cyfrin-best-practices-upgrades\` via \`argus_skill_load\` before final recommendations.
 
 - **Trail of Bits skills**:
   - For pre-audit deep context modeling and attack-surface grounding: \`audit-context-building\`

package/src/agents/pythia-prompt.ts

@@ -91,20 +91,20 @@ OpenCode has a powerful **Skills** system that allows you to load specialized kn
 
 **How to use**:
 - Load a relevant skill before deep research when protocol context is non-trivial.
-- Prioritize \`vulnerability-patterns/*\`, \`protocol-patterns/*\`, and \`references/*\` skills for exploit precedent mapping.
-- Use the \`skill\` tool directly when available to load the exact skill you need.
+- Prioritize vulnerability pattern skills, protocol pattern skills, and reference skills for exploit precedent mapping.
+- Use \`argus_skill_load\` only when specialized context is needed, and load the exact skill you need.
 - **Curated skill map**:
-  - \`vulnerability-patterns/reentrancy\`, \`vulnerability-patterns/oracle-manipulation\`, \`vulnerability-patterns/flash-loan-attacks\`
-  - \`protocol-patterns/lending-borrowing\`, \`protocol-patterns/amm-dex\`
-  - \`references/exploit-reference\`
+   - \`reentrancy\`, \`oracle-manipulation\`, \`flash-loan-attacks\`
+   - \`lending-borrowing\`, \`amm-dex\`
+   - \`exploit-reference\`
 - **Deterministic trigger rules**:
-  - If you investigate spot-price dependencies, load \`vulnerability-patterns/oracle-manipulation\` first.
-  - If capital-efficient attacks or same-block loops are plausible, load \`vulnerability-patterns/flash-loan-attacks\` first.
-  - If the protocol integrates arbitrary ERC20s, load ToB \`token-integration-analyzer\` (building-secure-contracts plugin) before recommendation drafting.
+   - If you investigate spot-price dependencies, load \`oracle-manipulation\` with \`argus_skill_load\` first.
+   - If capital-efficient attacks or same-block loops are plausible, load \`flash-loan-attacks\` with \`argus_skill_load\` first.
+   - If the protocol integrates arbitrary ERC20s, load ToB \`token-integration-analyzer\` (building-secure-contracts plugin) with \`argus_skill_load\` before recommendation drafting.
 - **Examples**:
-  - "I am loading \`reentrancy\` to cross-reference known exploit patterns and missed edge cases."
-  - "I am loading \`lending-borrowing\` to map lending-specific oracle and liquidation failure modes."
-  - "I am loading \`audit-context-building\` (Trail of Bits) to build a line-by-line system model before vulnerability hypothesis generation."
+   - "I am loading \`reentrancy\` to cross-reference known exploit patterns and missed edge cases."
+   - "I am loading \`lending-borrowing\` to map lending-specific oracle and liquidation failure modes."
+   - "I am loading \`audit-context-building\` (Trail of Bits) to build a line-by-line system model before vulnerability hypothesis generation."
 - You are a generalist researcher. Use Skills to become a specialist on demand.
 
 ## OUTPUT FORMAT

package/src/agents/scribe-prompt.ts

@@ -62,15 +62,15 @@ Before generating the report, verify:
 
 ## SKILL SYSTEM
 
-Use the \`skill\` tool when needed to improve report quality and consistency.
+Use \`argus_skill_load\` only when needed to improve report quality and consistency.
 
 - **Curated skill map**:
-  - \`methodology/report-template\`, \`methodology/severity-classification\`
-  - \`checklists/cyfrin-defi-core\`
-  - \`references/exploit-reference\`
+   - \`report-template\`, \`severity-classification\`
+   - \`cyfrin-defi-core\`
+   - \`exploit-reference\`
 - **Deterministic trigger rules**:
-  - If severity wording drifts, load \`methodology/severity-classification\` before publishing.
-  - If recommendation quality is generic, load \`checklists/cyfrin-defi-core\` before final edits.
+   - If severity wording drifts, load \`severity-classification\` with \`argus_skill_load\` before publishing.
+   - If recommendation quality is generic, load \`cyfrin-defi-core\` with \`argus_skill_load\` before final edits.
 
 ## OUTPUT FORMAT
 

package/src/agents/sentinel-prompt.ts

@@ -89,16 +89,16 @@ You have access to a specific set of tools. Use them effectively.
 
 ## SKILL SYSTEM
 
-Use the \`skill\` tool to load specialized skills before deep verification work.
+Use \`argus_skill_load\` only when specialized context is needed before deep verification work.
 
 - **Curated skill map**:
-  - \`vulnerability-patterns/reentrancy\`, \`vulnerability-patterns/access-control\`, \`vulnerability-patterns/oracle-manipulation\`
-  - \`checklists/cyfrin-defi-integrations\`, \`methodology/severity-classification\`
-  - Trail of Bits: \`property-based-testing\`, \`variant-analysis\`
+   - \`reentrancy\`, \`access-control\`, \`oracle-manipulation\`
+   - \`cyfrin-defi-integrations\`, \`severity-classification\`
+   - Trail of Bits: \`property-based-testing\`, \`variant-analysis\`
 - **Deterministic trigger rules**:
-  - If external calls and mutable state interleave, load \`vulnerability-patterns/reentrancy\` before writing PoCs.
-  - If privileged flows are central to the finding, load \`vulnerability-patterns/access-control\` before severity scoring.
-  - If fuzzing strategy is unclear, load ToB \`property-based-testing\` before selecting invariants.
+   - If external calls and mutable state interleave, load \`reentrancy\` with \`argus_skill_load\` before writing PoCs.
+   - If privileged flows are central to the finding, load \`access-control\` with \`argus_skill_load\` before severity scoring.
+   - If fuzzing strategy is unclear, load ToB \`property-based-testing\` with \`argus_skill_load\` before selecting invariants.
 
 ## OUTPUT FORMAT
 

package/src/cli/cli-output.ts

@@ -0,0 +1,16 @@
+/**
+ * Thin CLI output abstraction for user-facing CLI output.
+ * Distinct from createLogger() which writes structured logs to file (~/.cache/solidity-argus/argus.log).
+ * CLI output goes to stdout/stderr for user-visible formatted output (doctor reports, init messages, etc.)
+ */
+export const cliOutput = {
+  log(...args: unknown[]): void {
+    console.log(...args)
+  },
+  warn(...args: unknown[]): void {
+    console.warn(...args)
+  },
+  error(...args: unknown[]): void {
+    console.error(...args)
+  },
+}

package/src/cli/cli-program.ts

@@ -2,13 +2,16 @@ import type { CliCommand } from "./types";
 import { doctorCommand } from "./commands/doctor";
 import { initCommand } from "./commands/init";
 import { installCommand } from "./commands/install";
+import { lintSkillsCommand } from "./commands/lint-skills";
+import { cliOutput } from "./cli-output";
 
 const HELP_TEXT = `argus — Solidity Security Auditor for OpenCode
 
 Commands:
-  doctor   Check Slither/Foundry installation and config health
-  init     Create solidity-argus config file
-  install  Configure argus plugin in opencode config
+  doctor       Check Slither/Foundry installation and config health
+  init         Create solidity-argus config file
+  install      Configure argus plugin in opencode config
+  lint-skills  Validate SKILL.md files against schema
 `;
 
 export class CliProgram {
@@ -22,13 +25,13 @@ export class CliProgram {
     const subcommand = args[0];
 
     if (!subcommand || subcommand === "--help" || subcommand === "-h") {
-      console.log(HELP_TEXT);
+      cliOutput.log(HELP_TEXT);
       return 0;
     }
 
     const command = this.commands.get(subcommand);
     if (!command) {
-      console.error(`Error: Unknown command '${subcommand}'. Run 'argus' for help.`);
+      cliOutput.error(`Unknown command '${subcommand}'. Run 'argus' for help.`);
       return 1;
     }
 
@@ -41,5 +44,6 @@ export function createCliProgram(): CliProgram {
   program.registerCommand(doctorCommand);
   program.registerCommand(initCommand);
   program.registerCommand(installCommand);
+  program.registerCommand(lintSkillsCommand);
   return program;
 }