npm - solidity-argus - Versions diffs - 0.1.8 → 0.3.0 - Mend

solidity-argus 0.1.8 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (178) hide show

package/AGENTS.md +3 -3
package/README.md +229 -13
package/package.json +37 -8
package/skills/INVENTORY.md +88 -57
package/skills/README.md +72 -6
package/skills/case-studies/beanstalk-governance/SKILL.md +52 -0
package/skills/case-studies/bzx-flash-loan/SKILL.md +53 -0
package/skills/case-studies/cream-finance/SKILL.md +52 -0
package/skills/case-studies/curve-reentrancy/SKILL.md +52 -0
package/skills/case-studies/dao-hack/SKILL.md +51 -0
package/skills/case-studies/euler-finance/SKILL.md +52 -0
package/skills/case-studies/harvest-finance/SKILL.md +52 -0
package/skills/case-studies/level-finance/SKILL.md +51 -0
package/skills/case-studies/mango-markets/SKILL.md +53 -0
package/skills/case-studies/nomad-bridge/SKILL.md +51 -0
package/skills/case-studies/parity-multisig/SKILL.md +55 -0
package/skills/case-studies/poly-network/SKILL.md +51 -0
package/skills/case-studies/rari-fuse/SKILL.md +51 -0
package/skills/case-studies/ronin-bridge/SKILL.md +52 -0
package/skills/case-studies/wormhole-bridge/SKILL.md +51 -0
package/skills/checklists/cyfrin-defi-core/SKILL.md +3 -0
package/skills/manifests/cyfrin.json +16 -0
package/skills/manifests/defifofum.json +25 -0
package/skills/manifests/kadenzipfel.json +48 -0
package/skills/manifests/scvd.json +9 -0
package/skills/manifests/smartbugs.json +9 -0
package/skills/manifests/solodit.json +9 -0
package/skills/manifests/sunweb3sec.json +9 -0
package/skills/manifests/trailofbits.json +9 -0
package/skills/methodology/audit-workflow/SKILL.md +3 -0
package/skills/protocol-patterns/amm-dex/SKILL.md +3 -0
package/skills/references/exploit-reference/SKILL.md +3 -0
package/skills/vulnerability-patterns/access-control/SKILL.md +27 -0
package/skills/vulnerability-patterns/arbitrary-storage-location/SKILL.md +13 -1
package/skills/vulnerability-patterns/assert-violation/SKILL.md +8 -1
package/skills/vulnerability-patterns/asserting-contract-from-code-size/SKILL.md +12 -1
package/skills/vulnerability-patterns/authorization-txorigin/SKILL.md +8 -1
package/skills/vulnerability-patterns/cross-chain-bridge-vulnerabilities/SKILL.md +217 -0
package/skills/vulnerability-patterns/default-visibility/SKILL.md +13 -1
package/skills/vulnerability-patterns/delegatecall-untrusted-callee/SKILL.md +8 -1
package/skills/vulnerability-patterns/dos-gas-limit/SKILL.md +8 -1
package/skills/vulnerability-patterns/dos-revert/SKILL.md +14 -1
package/skills/vulnerability-patterns/erc4626-exchange-rate-manipulation/SKILL.md +64 -0
package/skills/vulnerability-patterns/fee-on-transfer-tokens/SKILL.md +93 -0
package/skills/vulnerability-patterns/flash-loan-attacks/SKILL.md +13 -0
package/skills/vulnerability-patterns/floating-pragma/SKILL.md +8 -1
package/skills/vulnerability-patterns/front-running-attacks/SKILL.md +209 -0
package/skills/vulnerability-patterns/gas-optimization-patterns/SKILL.md +203 -0
package/skills/vulnerability-patterns/governance-attacks/SKILL.md +208 -0
package/skills/vulnerability-patterns/hash-collision/SKILL.md +8 -1
package/skills/vulnerability-patterns/inadherence-to-standards/SKILL.md +12 -1
package/skills/vulnerability-patterns/incorrect-constructor/SKILL.md +8 -1
package/skills/vulnerability-patterns/incorrect-inheritance-order/SKILL.md +8 -1
package/skills/vulnerability-patterns/insufficient-gas-griefing/SKILL.md +12 -1
package/skills/vulnerability-patterns/lack-of-precision/SKILL.md +7 -1
package/skills/vulnerability-patterns/logic-errors/SKILL.md +10 -0
package/skills/vulnerability-patterns/missing-parameter-bounds/SKILL.md +44 -0
package/skills/vulnerability-patterns/missing-protection-signature-replay/SKILL.md +17 -1
package/skills/vulnerability-patterns/msgvalue-loop/SKILL.md +12 -1
package/skills/vulnerability-patterns/off-by-one/SKILL.md +7 -1
package/skills/vulnerability-patterns/oracle-manipulation/SKILL.md +22 -0
package/skills/vulnerability-patterns/outdated-compiler-version/SKILL.md +8 -1
package/skills/vulnerability-patterns/overflow-underflow/SKILL.md +11 -1
package/skills/vulnerability-patterns/proxy-vulnerabilities/SKILL.md +209 -0
package/skills/vulnerability-patterns/reentrancy/SKILL.md +22 -0
package/skills/vulnerability-patterns/shadowing-state-variables/SKILL.md +8 -1
package/skills/vulnerability-patterns/share-accounting-desynchronization/SKILL.md +44 -0
package/skills/vulnerability-patterns/signature-malleability/SKILL.md +11 -1
package/skills/vulnerability-patterns/stateful-parameter-update-drift/SKILL.md +44 -0
package/skills/vulnerability-patterns/unbounded-return-data/SKILL.md +12 -1
package/skills/vulnerability-patterns/unchecked-return-values/SKILL.md +13 -1
package/skills/vulnerability-patterns/unencrypted-private-data-on-chain/SKILL.md +8 -1
package/skills/vulnerability-patterns/unexpected-ecrecover-null-address/SKILL.md +8 -1
package/skills/vulnerability-patterns/uninitialized-storage-pointer/SKILL.md +8 -1
package/skills/vulnerability-patterns/unsafe-erc20-transfers/SKILL.md +132 -0
package/skills/vulnerability-patterns/unsafe-low-level-call/SKILL.md +12 -1
package/skills/vulnerability-patterns/unsecure-signatures/SKILL.md +12 -1
package/skills/vulnerability-patterns/unsupported-opcodes/SKILL.md +11 -1
package/skills/vulnerability-patterns/unused-variables/SKILL.md +8 -1
package/skills/vulnerability-patterns/use-of-deprecated-functions/SKILL.md +8 -1
package/skills/vulnerability-patterns/weak-sources-randomness/SKILL.md +8 -1
package/skills/vulnerability-patterns/weird-tokens/SKILL.md +10 -0
package/skills/vulnerability-patterns/zero-address-misconfiguration/SKILL.md +48 -0
package/src/agents/argus-prompt.ts +27 -10
package/src/agents/pythia-prompt.ts +7 -8
package/src/agents/scribe-prompt.ts +10 -5
package/src/agents/sentinel-prompt.ts +36 -7
package/src/cli/cli-output.ts +16 -0
package/src/cli/cli-program.ts +29 -22
package/src/cli/commands/check-skills.ts +135 -0
package/src/cli/commands/doctor.ts +303 -23
package/src/cli/commands/init.ts +8 -6
package/src/cli/commands/install.ts +10 -8
package/src/cli/commands/lint-skills.ts +118 -0
package/src/cli/index.ts +5 -5
package/src/cli/tui-prompts.ts +4 -2
package/src/cli/types.ts +3 -3
package/src/config/index.ts +1 -1
package/src/config/loader.ts +4 -6
package/src/config/schema.ts +6 -5
package/src/config/types.ts +2 -2
package/src/constants/defaults.ts +2 -0
package/src/create-hooks.ts +225 -29
package/src/create-managers.ts +10 -8
package/src/create-tools.ts +14 -8
package/src/features/background-agent/background-manager.ts +93 -87
package/src/features/background-agent/index.ts +1 -1
package/src/features/context-monitor/context-monitor.ts +3 -3
package/src/features/context-monitor/index.ts +2 -2
package/src/features/error-recovery/session-recovery.ts +2 -4
package/src/features/error-recovery/tool-error-recovery.ts +79 -19
package/src/features/index.ts +5 -5
package/src/features/persistent-state/audit-state-manager.ts +158 -52
package/src/features/persistent-state/global-run-index.ts +38 -0
package/src/features/persistent-state/index.ts +1 -1
package/src/features/persistent-state/run-journal.ts +86 -0
package/src/hooks/agent-tracker.ts +53 -0
package/src/hooks/compaction-hook.ts +46 -37
package/src/hooks/config-handler.ts +31 -11
package/src/hooks/context-budget.ts +42 -0
package/src/hooks/event-hook.ts +48 -23
package/src/hooks/hook-system.ts +4 -4
package/src/hooks/index.ts +5 -5
package/src/hooks/knowledge-sync-hook.ts +19 -21
package/src/hooks/recon-context-builder.ts +66 -0
package/src/hooks/safe-create-hook.ts +9 -11
package/src/hooks/system-prompt-hook.ts +128 -0
package/src/hooks/tool-tracking-hook.ts +162 -29
package/src/hooks/types.ts +2 -1
package/src/index.ts +23 -13
package/src/knowledge/retry.ts +53 -0
package/src/knowledge/scvd-client.ts +103 -83
package/src/knowledge/scvd-errors.ts +89 -0
package/src/knowledge/scvd-index.ts +110 -62
package/src/knowledge/scvd-sync.ts +223 -47
package/src/knowledge/source-manifest.ts +102 -0
package/src/managers/index.ts +1 -1
package/src/managers/types.ts +19 -14
package/src/plugin-interface.ts +19 -8
package/src/shared/binary-utils.ts +44 -34
package/src/shared/deep-merge.ts +55 -36
package/src/shared/file-utils.ts +21 -19
package/src/shared/index.ts +11 -5
package/src/shared/jsonc-parser.ts +123 -28
package/src/shared/logger.ts +91 -17
package/src/shared/project-utils.ts +30 -0
package/src/skills/analysis/cluster.ts +414 -0
package/src/skills/analysis/gates.ts +227 -0
package/src/skills/analysis/index.ts +33 -0
package/src/skills/analysis/normalize.ts +217 -0
package/src/skills/analysis/similarity.ts +224 -0
package/src/skills/argus-skill-resolver.ts +237 -0
package/src/skills/skill-schema.ts +99 -0
package/src/solodit-lifecycle.ts +202 -0
package/src/state/audit-state.ts +10 -8
package/src/state/finding-store.ts +68 -55
package/src/state/types.ts +96 -44
package/src/tools/argus-skill-load-tool.ts +78 -0
package/src/tools/contract-analyzer-tool.ts +60 -77
package/src/tools/forge-coverage-tool.ts +226 -0
package/src/tools/forge-fuzz-tool.ts +127 -127
package/src/tools/forge-test-tool.ts +153 -157
package/src/tools/gas-analysis-tool.ts +264 -0
package/src/tools/pattern-checker-tool.ts +206 -167
package/src/tools/pattern-loader.ts +77 -0
package/src/tools/pattern-schema.ts +51 -0
package/src/tools/proxy-detection-tool.ts +224 -0
package/src/tools/report-generator-tool.ts +333 -142
package/src/tools/slither-tool.ts +300 -210
package/src/tools/solodit-search-tool.ts +255 -80
package/src/tools/sync-knowledge-tool.ts +7 -11
package/src/utils/audit-artifact-detector.ts +118 -0
package/src/utils/dependency-scanner.ts +93 -0
package/src/utils/project-detector.ts +175 -86
package/src/utils/solidity-parser.ts +112 -67
package/src/utils/solodit-health.ts +29 -0
package/src/hooks/event-hook-v2.ts +0 -99
package/src/state/plugin-state.ts +0 -14

package/src/tools/proxy-detection-tool.ts ADDED Viewed

@@ -0,0 +1,224 @@
+import { isAbsolute, join } from "node:path"
+import { type ToolContext, tool } from "@opencode-ai/plugin"
+type ProxyDetectionArgs = {
+  file_path: string
+  project_dir?: string
+}
+type ProxyType = "diamond" | "uups" | "beacon" | "transparent" | "erc1967"
+type Confidence = "high" | "medium" | "low"
+export type ProxyDetectionResult = {
+  file: string
+  isProxy: boolean
+  proxyType: ProxyType | null
+  indicators: string[]
+  confidence: Confidence
+  error?: string
+}
+export type ReadFileFn = (path: string) => Promise<string>
+const ERC1967_IMPLEMENTATION_SLOT =
+  "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
+const ERC1967_ADMIN_SLOT = "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103"
+const ERC1967_BEACON_SLOT = "0xa3f0ad74e5423aebfd80d3ef4346578335a9a72aeaee59ff6cb3582b35133d50"
+const readWithBunFile: ReadFileFn = async (path) => Bun.file(path).text()
+function hasMatch(source: string, pattern: RegExp): boolean {
+  return pattern.test(source)
+}
+function computeConfidence(indicatorCount: number): Confidence {
+  if (indicatorCount >= 3) {
+    return "high"
+  }
+  if (indicatorCount === 2) {
+    return "medium"
+  }
+  return "low"
+}
+function collectIndicators(source: string): Set<string> {
+  const indicators = new Set<string>()
+  const lower = source.toLowerCase()
+  if (lower.includes(ERC1967_IMPLEMENTATION_SLOT)) {
+    indicators.add("erc1967-implementation-slot")
+  }
+  if (lower.includes(ERC1967_ADMIN_SLOT)) {
+    indicators.add("erc1967-admin-slot")
+  }
+  if (lower.includes(ERC1967_BEACON_SLOT)) {
+    indicators.add("erc1967-beacon-slot")
+  }
+  if (hasMatch(source, /\b_implementation\s*\(/i)) {
+    indicators.add("transparent-implementation-getter")
+  }
+  if (hasMatch(source, /\b_admin\s*\(/i) || hasMatch(source, /\b_admin\b/i)) {
+    indicators.add("transparent-admin-getter")
+  }
+  if (hasMatch(source, /\b_setImplementation\s*\(/i)) {
+    indicators.add("transparent-set-implementation")
+  }
+  if (hasMatch(source, /\b_authorizeUpgrade\s*\(/i)) {
+    indicators.add("uups-authorize-upgrade")
+  }
+  if (hasMatch(source, /\bupgradeToAndCall\s*\(/i)) {
+    indicators.add("uups-upgrade-to-and-call")
+  }
+  if (hasMatch(source, /\bUUPSUpgradeable\b/)) {
+    indicators.add("uups-upgradeable")
+  }
+  if (hasMatch(source, /\bIBeacon\b/)) {
+    indicators.add("beacon-interface")
+  }
+  if (hasMatch(source, /\bBeaconProxy\b/)) {
+    indicators.add("beacon-proxy")
+  }
+  if (hasMatch(source, /\bUpgradeableBeacon\b/)) {
+    indicators.add("upgradeable-beacon")
+  }
+  if (hasMatch(source, /\bDiamondCut\b/)) {
+    indicators.add("diamond-cut")
+  }
+  if (hasMatch(source, /\bIDiamondCut\b/)) {
+    indicators.add("diamond-cut-interface")
+  }
+  if (hasMatch(source, /\bfacetAddress\s*\(/i)) {
+    indicators.add("facet-address")
+  }
+  if (hasMatch(source, /\bIDiamondLoupe\b/)) {
+    indicators.add("diamond-loupe")
+  }
+  if (hasMatch(source, /\bdelegatecall\b/)) {
+    indicators.add("delegatecall")
+  }
+  if (hasMatch(source, /\bfallback\s*\(/i)) {
+    indicators.add("fallback-function")
+  }
+  if (hasMatch(source, /\bProxy\b/)) {
+    indicators.add("proxy-keyword")
+  }
+  if (hasMatch(source, /\bERC1967\b/)) {
+    indicators.add("erc1967-keyword")
+  }
+  return indicators
+}
+function hasAny(indicators: Set<string>, candidates: string[]): boolean {
+  return candidates.some((candidate) => indicators.has(candidate))
+}
+function classifyProxyType(indicators: Set<string>): ProxyType | null {
+  if (
+    hasAny(indicators, ["diamond-cut", "diamond-cut-interface", "facet-address", "diamond-loupe"])
+  ) {
+    return "diamond"
+  }
+  if (
+    hasAny(indicators, ["uups-authorize-upgrade", "uups-upgrade-to-and-call", "uups-upgradeable"])
+  ) {
+    return "uups"
+  }
+  if (hasAny(indicators, ["beacon-interface", "beacon-proxy", "upgradeable-beacon"])) {
+    return "beacon"
+  }
+  if (
+    hasAny(indicators, [
+      "transparent-implementation-getter",
+      "transparent-admin-getter",
+      "transparent-set-implementation",
+    ])
+  ) {
+    return "transparent"
+  }
+  if (
+    hasAny(indicators, [
+      "erc1967-implementation-slot",
+      "erc1967-admin-slot",
+      "erc1967-beacon-slot",
+      "delegatecall",
+    ])
+  ) {
+    return "erc1967"
+  }
+  return null
+}
+export async function executeProxyDetection(
+  args: ProxyDetectionArgs,
+  context: ToolContext,
+  readFile: ReadFileFn = readWithBunFile,
+): Promise<ProxyDetectionResult> {
+  context.metadata({ title: `Detect proxy patterns: ${args.file_path}` })
+  const fileToRead =
+    args.project_dir && !isAbsolute(args.file_path)
+      ? join(args.project_dir, args.file_path)
+      : args.file_path
+  try {
+    const source = await readFile(fileToRead)
+    const indicators = collectIndicators(source)
+    const proxyType = classifyProxyType(indicators)
+    const indicatorList = [...indicators]
+    const isProxy = proxyType !== null
+    return {
+      file: args.file_path,
+      isProxy,
+      proxyType,
+      indicators: isProxy ? indicatorList : [],
+      confidence: computeConfidence(isProxy ? indicatorList.length : 0),
+    }
+  } catch (error) {
+    const maybeError = error as Error & { code?: string }
+    if (maybeError.code === "ENOENT") {
+      return {
+        file: args.file_path,
+        isProxy: false,
+        proxyType: null,
+        indicators: [],
+        confidence: "low",
+        error: `File not found: ${args.file_path}`,
+      }
+    }
+    return {
+      file: args.file_path,
+      isProxy: false,
+      proxyType: null,
+      indicators: [],
+      confidence: "low",
+      error: maybeError.message || "proxy detection failed",
+    }
+  }
+}
+export const proxyDetectionTool = tool({
+  description:
+    "Detects proxy patterns in Solidity contracts (ERC1967, UUPS, transparent, beacon, diamond) with confidence scoring.",
+  args: {
+    file_path: tool.schema.string(),
+    project_dir: tool.schema.string().optional(),
+  },
+  async execute(args, context) {
+    const result = await executeProxyDetection(args, context)
+    return JSON.stringify(result)
+  },
+})