solidity-argus 0.1.8 → 0.3.0

package/src/tools/pattern-checker-tool.ts

@@ -1,96 +1,78 @@
-import os from "node:os";
-import { readdirSync, readFileSync, statSync } from "node:fs";
-import { extname, join, resolve } from "node:path";
-import { tool, type ToolContext } from "@opencode-ai/plugin";
+import { readdirSync, readFileSync, statSync } from "node:fs"
+import os from "node:os"
+import { dirname, extname, join, resolve } from "node:path"
+import { type ToolContext, tool } from "@opencode-ai/plugin"
 import {
   loadIndex,
-  searchIndex,
   type ScvdIndex,
   type ScvdIndexEntry,
-} from "../knowledge/scvd-index";
+  searchIndex,
+} from "../knowledge/scvd-index"
+import { createLogger } from "../shared/logger"
+import { extractDetectionRulesFromSkills } from "./pattern-loader"
+import type { PatternDefinition } from "./pattern-schema"
+
+const logger = createLogger()
+
+export type PatternSource = "skill"
 
 export interface Match {
-  pattern: string;
-  severity: "Critical" | "High" | "Medium" | "Low" | "Informational";
-  file: string;
-  lines: [number, number];
-  description: string;
-  exploitReference?: string;
+  pattern: string
+  severity: "Critical" | "High" | "Medium" | "Low" | "Informational"
+  file: string
+  lines: [number, number]
+  description: string
+  exploitReference?: string
+  patternSource?: PatternSource
+  category?: string
 }
 
 export interface MatchSource {
-  source: string;
-  matches: Match[];
+  source: string
+  matches: Match[]
 }
 
 export interface PatternCheckResult {
-  sources: MatchSource[];
-  patternsChecked: number;
-  executionTime: number;
-  target: string;
+  success: boolean
+  error?: string
+  matches: Match[]
+  summary: {
+    total: number
+    bySeverity: Record<string, number>
+    byCategory: Record<string, number>
+  }
+  sources: MatchSource[]
+  patternsChecked: number
+  executionTime: number
+  target: string
+  patternVersion?: string
 }
 
 type PatternCheckArgs = {
-  target: string;
-  patterns?: string[];
-  include_scvd?: boolean;
-};
+  target: string
+  patterns?: string[]
+  include_scvd?: boolean
+}
 
 type PatternCheckDependencies = {
-  loadIndexFn?: (filePath: string) => Promise<ScvdIndex | null>;
+  loadIndexFn?: (filePath: string) => Promise<ScvdIndex | null>
   searchIndexFn?: (
     index: ScvdIndex,
-    query: { swc?: string; severity?: string; keyword?: string; limit?: number }
-  ) => ScvdIndexEntry[];
-};
-
-type BuiltinPattern = {
-  name: string;
-  category: string;
-  severity: Match["severity"];
-  regex: RegExp;
-  description: string;
-  exploitReference?: string;
-};
-
-const BUILTIN_PATTERNS: BuiltinPattern[] = [
-  {
-    name: "reentrancy",
-    category: "reentrancy",
-    severity: "High",
-    regex: /\.call\{value:/,
-    description: "Potential reentrancy: ETH transfer via low-level call",
-    exploitReference: "DAO hack ($60M), 2016",
-  },
-  {
-    name: "tx-origin-auth",
-    category: "access-control",
-    severity: "High",
-    regex: /tx\.origin/,
-    description: "Use of tx.origin for authorization - vulnerable to phishing",
-  },
-  {
-    name: "selfdestruct",
-    category: "access-control",
-    severity: "High",
-    regex: /selfdestruct\(|suicide\(/,
-    description: "Contract uses selfdestruct - can destroy contract",
-  },
-  {
-    name: "delegatecall",
-    category: "delegatecall",
-    severity: "High",
-    regex: /\.delegatecall\(/,
-    description: "Use of delegatecall - can overwrite storage",
-  },
-  {
-    name: "missing-zero-check",
-    category: "access-control",
-    severity: "Medium",
-    regex: /address\(0\)/,
-    description: "Potential missing zero-address validation",
-  },
-];
+    query: { swc?: string; severity?: string; keyword?: string; limit?: number },
+  ) => ScvdIndexEntry[]
+}
+
+type LoadedPattern = {
+  name: string
+  category: string
+  severity: Match["severity"]
+  regex: RegExp
+  description: string
+  exploitReference?: string
+  source?: PatternSource
+}
+
+export const PATTERN_PACK_VERSION = "1.0.0"
 
 const CATEGORY_TO_SWC: Record<string, string[]> = {
   reentrancy: ["SWC-107"],
@@ -99,66 +81,82 @@ const CATEGORY_TO_SWC: Record<string, string[]> = {
   delegatecall: ["SWC-112"],
   "signature-replay": ["SWC-121"],
   "integer-overflow": ["SWC-101"],
-};
-
-const PATTERN_NAME_TO_CATEGORY = new Map(
-  BUILTIN_PATTERNS.map((pattern) => [pattern.name, pattern.category])
-);
+  governance: ["SWC-105", "SWC-106"],
+  "front-running": ["SWC-114"],
+  "logic-error": ["SWC-101", "SWC-116"],
+  "gas-optimization": ["SWC-128"],
+  dos: ["SWC-128"],
+}
 
 function normalizeSeverity(value: string): Match["severity"] {
-  if (value === "Critical") return "Critical";
-  if (value === "High") return "High";
-  if (value === "Medium") return "Medium";
-  if (value === "Low") return "Low";
-  return "Informational";
+  if (value === "Critical") return "Critical"
+  if (value === "High") return "High"
+  if (value === "Medium") return "Medium"
+  if (value === "Low") return "Low"
+  return "Informational"
+}
+
+function normalizePatternDefinitions(
+  patterns: PatternDefinition[],
+  source: PatternSource,
+): LoadedPattern[] {
+  return patterns.map((patternDef) => ({
+    name: patternDef.name,
+    category: patternDef.category,
+    severity: patternDef.severity,
+    regex: new RegExp(patternDef.regex),
+    description: patternDef.description,
+    ...(patternDef.exploit_ref ? { exploitReference: patternDef.exploit_ref } : {}),
+    source,
+  }))
 }
 
 function uniqueScvdEntries(entries: ScvdIndexEntry[]): ScvdIndexEntry[] {
-  const deduped = new Map<string, ScvdIndexEntry>();
+  const deduped = new Map<string, ScvdIndexEntry>()
   for (const entry of entries) {
-    deduped.set(entry.id, entry);
+    deduped.set(entry.id, entry)
   }
-  return Array.from(deduped.values());
+  return Array.from(deduped.values())
 }
 
 async function collectScvdMatches(
   matches: Match[],
-  dependencies: Required<PatternCheckDependencies>
+  dependencies: Required<PatternCheckDependencies>,
 ): Promise<Match[]> {
-  const detectedCategories = new Set<string>();
+  const detectedCategories = new Set<string>()
   for (const match of matches) {
-    const category = PATTERN_NAME_TO_CATEGORY.get(match.pattern);
+    const category = match.category
     if (category) {
-      detectedCategories.add(category);
+      detectedCategories.add(category)
     }
   }
 
   if (detectedCategories.size === 0) {
-    return [];
+    return []
   }
 
-  const swcCodes = new Set<string>();
+  const swcCodes = new Set<string>()
   for (const category of detectedCategories) {
-    const mappedSwcs = CATEGORY_TO_SWC[category] ?? [];
+    const mappedSwcs = CATEGORY_TO_SWC[category] ?? []
     for (const swcCode of mappedSwcs) {
-      swcCodes.add(swcCode);
+      swcCodes.add(swcCode)
     }
   }
 
   if (swcCodes.size === 0) {
-    return [];
+    return []
   }
 
-  const indexPath = join(os.homedir(), ".cache", "solidity-argus", "scvd-index.json");
-  const index = await dependencies.loadIndexFn(indexPath);
+  const indexPath = join(os.homedir(), ".cache", "solidity-argus", "scvd-index.json")
+  const index = await dependencies.loadIndexFn(indexPath)
 
   if (!index) {
-    return [];
+    return []
   }
 
-  const entries: ScvdIndexEntry[] = [];
+  const entries: ScvdIndexEntry[] = []
   for (const swcCode of swcCodes) {
-    entries.push(...dependencies.searchIndexFn(index, { swc: swcCode }));
+    entries.push(...dependencies.searchIndexFn(index, { swc: swcCode }))
   }
 
   return uniqueScvdEntries(entries).map((entry) => ({
@@ -168,83 +166,86 @@ async function collectScvdMatches(
     lines: [1, 1],
     description: entry.title,
     exploitReference: entry.repoUrl,
-  }));
+  }))
 }
 
-function collectSolidityFiles(target: string): string[] {
-  const absoluteTarget = resolve(target);
-  let stats: ReturnType<typeof statSync>;
+function collectSolidityFiles(target: string, maxDepth = 8): string[] {
+  const absoluteTarget = resolve(target)
+  let stats: ReturnType<typeof statSync>
 
   try {
-    stats = statSync(absoluteTarget);
+    stats = statSync(absoluteTarget)
   } catch {
-    throw new Error(`Target does not exist: ${target}`);
+    return []
   }
 
   if (stats.isFile()) {
-    return extname(absoluteTarget) === ".sol" ? [absoluteTarget] : [];
+    return extname(absoluteTarget) === ".sol" ? [absoluteTarget] : []
   }
 
   if (!stats.isDirectory()) {
-    return [];
+    return []
   }
 
-  const discovered: string[] = [];
-  const stack = [absoluteTarget];
+  const discovered: string[] = []
+  const stack: Array<{ path: string; depth: number }> = [{ path: absoluteTarget, depth: 0 }]
 
   while (stack.length > 0) {
-    const current = stack.pop();
-    if (!current) {
-      continue;
+    const current = stack.pop()
+    if (!current || current.depth > maxDepth) {
+      continue
     }
 
-    const entries = readdirSync(current, { withFileTypes: true });
+    const entries = readdirSync(current.path, { withFileTypes: true })
     for (const entry of entries) {
-      const fullPath = resolve(current, entry.name);
+      const fullPath = resolve(current.path, entry.name)
       if (entry.isDirectory()) {
-        stack.push(fullPath);
-        continue;
+        stack.push({ path: fullPath, depth: current.depth + 1 })
+        continue
       }
 
       if (entry.isFile() && extname(entry.name) === ".sol") {
-        discovered.push(fullPath);
+        discovered.push(fullPath)
       }
     }
   }
 
-  return discovered;
+  return discovered
 }
 
 function lineNumberAt(content: string, index: number): number {
   if (index <= 0) {
-    return 1;
+    return 1
   }
 
-  let line = 1;
+  let line = 1
   for (let i = 0; i < index && i < content.length; i += 1) {
     if (content[i] === "\n") {
-      line += 1;
+      line += 1
     }
   }
-  return line;
+  return line
 }
 
 function lineWindow(content: string, index: number): [number, number] {
-  const linesCount = content.split("\n").length;
-  const line = lineNumberAt(content, index);
-  const start = Math.max(1, line - 5);
-  const end = Math.min(linesCount, line + 5);
-  return [start, end];
+  const linesCount = content.split("\n").length
+  const line = lineNumberAt(content, index)
+  const start = Math.max(1, line - 5)
+  const end = Math.min(linesCount, line + 5)
+  return [start, end]
 }
 
-function findMatches(file: string, patterns: BuiltinPattern[]): Match[] {
-  const content = readFileSync(file, "utf8");
-  const matches: Match[] = [];
+function findMatches(file: string, patterns: LoadedPattern[]): Match[] {
+  const content = readFileSync(file, "utf8")
+  const matches: Match[] = []
 
   for (const pattern of patterns) {
-    const regex = new RegExp(pattern.regex.source, pattern.regex.flags.includes("g") ? pattern.regex.flags : `${pattern.regex.flags}g`);
+    const regex = new RegExp(
+      pattern.regex.source,
+      pattern.regex.flags.includes("g") ? pattern.regex.flags : `${pattern.regex.flags}g`,
+    )
     for (const found of content.matchAll(regex)) {
-      const index = found.index ?? 0;
+      const index = found.index ?? 0
       matches.push({
         pattern: pattern.name,
         severity: pattern.severity,
@@ -252,48 +253,70 @@ function findMatches(file: string, patterns: BuiltinPattern[]): Match[] {
         lines: lineWindow(content, index),
         description: pattern.description,
         exploitReference: pattern.exploitReference,
-      });
+        patternSource: pattern.source ?? "skill",
+        category: pattern.category,
+      })
     }
   }
 
-  return matches;
+  return matches
 }
 
-function selectPatterns(categories?: string[]): BuiltinPattern[] {
+function selectPatterns(
+  availablePatterns: LoadedPattern[],
+  categories?: string[],
+): LoadedPattern[] {
   if (!categories || categories.length === 0) {
-    return BUILTIN_PATTERNS;
+    return availablePatterns
   }
 
-  const set = new Set(categories);
-  return BUILTIN_PATTERNS.filter((pattern) => set.has(pattern.category));
+  const set = new Set(categories)
+  return availablePatterns.filter((pattern) => set.has(pattern.category))
 }
 
 export async function executePatternCheck(
   args: PatternCheckArgs,
   context: ToolContext,
-  deps: PatternCheckDependencies = {}
+  deps: PatternCheckDependencies = {},
 ): Promise<PatternCheckResult> {
   const dependencies: Required<PatternCheckDependencies> = {
     loadIndexFn: loadIndex,
     searchIndexFn: searchIndex,
     ...deps,
-  };
+  }
+
+  const startedAt = Date.now()
+  context.metadata({ title: `Pattern check: ${args.target}` })
 
-  const startedAt = Date.now();
-  context.metadata({ title: `Pattern check: ${args.target}` });
+  const skillsDir = join(dirname(dirname(__dirname)), "skills")
+  const skillDetectionRules = extractDetectionRulesFromSkills(skillsDir)
 
-  const selectedPatterns = selectPatterns(args.patterns);
-  const solidityFiles = collectSolidityFiles(args.target);
+  const allPatterns: LoadedPattern[] = [
+    ...normalizePatternDefinitions(skillDetectionRules, "skill"),
+  ]
+
+  const selectedPatterns = selectPatterns(allPatterns, args.patterns)
+  const solidityFiles = collectSolidityFiles(args.target)
   if (solidityFiles.length === 0) {
-    throw new Error(`No Solidity files found for target: ${args.target}`);
+    return {
+      success: false,
+      error: `No Solidity files found for target: ${args.target}`,
+      matches: [],
+      summary: { total: 0, bySeverity: {}, byCategory: {} },
+      sources: [],
+      patternsChecked: selectedPatterns.length,
+      executionTime: Date.now() - startedAt,
+      target: args.target,
+      patternVersion: PATTERN_PACK_VERSION,
+    }
   }
 
-  const sourceMatches: Match[] = [];
+  const sourceMatches: Match[] = []
   for (const solidityFile of solidityFiles) {
     if (context.abort.aborted) {
-      throw new Error("pattern check aborted");
+      throw new Error("pattern check aborted")
     }
-    sourceMatches.push(...findMatches(solidityFile, selectedPatterns));
+    sourceMatches.push(...findMatches(solidityFile, selectedPatterns))
   }
 
   const sources: MatchSource[] = [
@@ -301,26 +324,42 @@ export async function executePatternCheck(
       source: "pattern-db",
       matches: sourceMatches,
     },
-  ];
-
-   if (args.include_scvd === true) {
-     try {
-       const scvdMatches = await collectScvdMatches(sourceMatches, dependencies);
-       if (scvdMatches.length > 0) {
-         sources.push({
-           source: "scvd",
-           matches: scvdMatches,
-         });
-       }
-     } catch (_e) { /* non-critical: SCVD enrichment is best-effort */ }
-   }
+  ]
+
+  if (args.include_scvd === true) {
+    try {
+      const scvdMatches = await collectScvdMatches(sourceMatches, dependencies)
+      if (scvdMatches.length > 0) {
+        sources.push({
+          source: "scvd",
+          matches: scvdMatches,
+        })
+      }
+    } catch (_e) {
+      logger.debug("SCVD enrichment failed, continuing without SCVD matches")
+    }
+  }
+
+  const allMatches = sources.flatMap((s) => s.matches)
+  const bySeverity: Record<string, number> = {}
+  const byCategory: Record<string, number> = {}
+  for (const m of allMatches) {
+    bySeverity[m.severity] = (bySeverity[m.severity] ?? 0) + 1
+    if (m.category) {
+      byCategory[m.category] = (byCategory[m.category] ?? 0) + 1
+    }
+  }
 
   return {
+    success: true,
+    matches: allMatches,
+    summary: { total: allMatches.length, bySeverity, byCategory },
     sources,
     patternsChecked: selectedPatterns.length,
     executionTime: Date.now() - startedAt,
     target: args.target,
-  };
+    patternVersion: PATTERN_PACK_VERSION,
+  }
 }
 
 export const patternCheckerTool = tool({
@@ -331,7 +370,7 @@ export const patternCheckerTool = tool({
     include_scvd: tool.schema.boolean().default(true),
   },
   async execute(args, context) {
-    const result = await executePatternCheck(args, context);
-    return JSON.stringify(result);
+    const result = await executePatternCheck(args, context)
+    return JSON.stringify(result)
   },
-});
+})

package/src/tools/pattern-loader.ts

@@ -0,0 +1,77 @@
+import { existsSync, readdirSync, readFileSync } from "node:fs"
+import { join } from "node:path"
+import { createLogger } from "../shared/logger"
+import { parseFrontmatter, SkillFrontmatterSchema } from "../skills/skill-schema"
+import type { PatternDefinition } from "./pattern-schema"
+
+const logger = createLogger()
+
+function listSkillMarkdownFiles(skillsDir: string): string[] {
+  if (!existsSync(skillsDir)) {
+    logger.warn(`Skills directory does not exist: ${skillsDir}`)
+    return []
+  }
+
+  const files: string[] = []
+  const stack = [skillsDir]
+
+  while (stack.length > 0) {
+    const current = stack.pop()
+    if (!current) continue
+
+    const entries = readdirSync(current, { withFileTypes: true })
+    for (const entry of entries) {
+      const fullPath = join(current, entry.name)
+      if (entry.isDirectory()) {
+        stack.push(fullPath)
+        continue
+      }
+
+      if (entry.isFile() && entry.name === "SKILL.md") {
+        files.push(fullPath)
+      }
+    }
+  }
+
+  return files
+}
+
+export function extractDetectionRulesFromSkills(skillsDir: string): PatternDefinition[] {
+  const skillFiles = listSkillMarkdownFiles(skillsDir)
+  const extracted: PatternDefinition[] = []
+
+  for (const filePath of skillFiles) {
+    try {
+      const content = readFileSync(filePath, "utf-8")
+      const frontmatter = parseFrontmatter(content)
+      if (!frontmatter) continue
+
+      const parsed = SkillFrontmatterSchema.safeParse(frontmatter)
+      if (!parsed.success) continue
+
+      const skillName = parsed.data.name
+      const category = parsed.data.pattern_category
+      if (!category) continue
+
+      const rules = parsed.data.detection_rules
+      if (!rules || rules.length === 0) continue
+
+      for (const [index, rule] of rules.entries()) {
+        extracted.push({
+          name: `${skillName}-rule-${index + 1}`,
+          category,
+          severity: rule.severity,
+          confidence: rule.confidence ?? "Medium",
+          version: "1.0",
+          regex: rule.regex,
+          description: rule.description ?? `Detection rule from ${skillName} SKILL.md`,
+          ...(rule.swc ? { swc: rule.swc } : {}),
+        })
+      }
+    } catch (err) {
+      logger.warn(`Skipping ${filePath}: ${err instanceof Error ? err.message : "parse error"}`)
+    }
+  }
+
+  return extracted
+}

package/src/tools/pattern-schema.ts

@@ -0,0 +1,51 @@
+import { z } from "zod"
+
+/**
+ * Canonical pattern category taxonomy.
+ * Every builtin, YAML, and skill-derived pattern must belong to one of these.
+ */
+export const PATTERN_CATEGORIES = [
+  "reentrancy",
+  "oracle-manipulation",
+  "flash-loan",
+  "access-control",
+  "erc4626",
+  "proxy",
+  "signature",
+  "dos",
+  "front-running",
+  "governance",
+  "token-standard",
+  "gas-optimization",
+  "logic-error",
+  "delegatecall",
+] as const
+
+export const PatternCategorySchema = z.enum(PATTERN_CATEGORIES)
+
+export const PatternDefinitionSchema = z.object({
+  name: z.string().min(1).max(128),
+  category: PatternCategorySchema,
+  severity: z.enum(["Critical", "High", "Medium", "Low", "Informational"]),
+  swc: z
+    .string()
+    .regex(/^SWC-\d+$/)
+    .optional(),
+  confidence: z.enum(["High", "Medium", "Low"]).default("Medium"),
+  version: z.string().default("1.0"),
+  regex: z.string().min(1),
+  description: z.string().min(1),
+  exploit_ref: z.string().url().optional(),
+  remediation: z.string().optional(),
+})
+
+export type PatternDefinition = z.infer<typeof PatternDefinitionSchema>
+export type PatternCategory = z.infer<typeof PatternCategorySchema>
+
+export const PatternPackSchema = z.object({
+  pack_name: z.string().optional(),
+  pack_version: z.string().default("1.0"),
+  patterns: z.array(PatternDefinitionSchema).min(1),
+})
+
+export type PatternPack = z.infer<typeof PatternPackSchema>