solidity-argus 0.1.8 → 0.3.0

package/src/tools/solodit-search-tool.ts

@@ -1,41 +1,47 @@
-import { tool, type ToolContext } from "@opencode-ai/plugin";
+import type { ToolDefinition } from "@opencode-ai/plugin"
+import { type ToolContext, tool } from "@opencode-ai/plugin"
+import { createLogger } from "../shared/logger"
 
-const SOLODIT_MCP_SERVER = "solodit-mcp";
-const SOLODIT_MCP_TOOL = "search_findings";
-const DEFAULT_LIMIT = 10;
+const logger = createLogger()
+
+const SOLODIT_MCP_SERVER = "solodit-mcp"
+const SOLODIT_MCP_TOOLS = ["search", "search_findings"] as const
+const DEFAULT_LIMIT = 10
+const DEFAULT_SOLODIT_PORT = 3000
+const SOLODIT_HTTP_TIMEOUT_MS = 10_000
 
 type SoloditSearchArgs = {
-  query: string;
-  severity?: string[];
-  limit?: number;
-};
+  query: string
+  severity?: string[]
+  limit?: number
+}
 
 type SoloditFinding = {
-  title: string;
-  severity: string;
-  description: string;
-  protocol: string;
-  url: string;
-  remediation: string;
-};
+  title: string
+  severity: string
+  description: string
+  protocol: string
+  url: string
+  remediation: string
+}
 
 export type SoloditSearchResult = {
-  results: SoloditFinding[];
-  totalFound: number;
-  query: string;
-  error?: string;
-};
+  results: SoloditFinding[]
+  totalFound: number
+  query: string
+  error?: string
+}
 
 export type CallMcpTool = (
   server: string,
   tool: string,
-  args: Record<string, unknown>
-) => Promise<unknown>;
+  args: Record<string, unknown>,
+) => Promise<unknown>
 
-type McpCapableContext = ToolContext & { callMcpTool: CallMcpTool };
+type McpCapableContext = ToolContext & { callMcpTool: CallMcpTool }
 
 function hasMcpCapability(ctx: ToolContext): ctx is McpCapableContext {
-  return "callMcpTool" in ctx;
+  return "callMcpTool" in ctx
 }
 
 function parseFinding(raw: unknown): SoloditFinding {
@@ -47,85 +53,254 @@ function parseFinding(raw: unknown): SoloditFinding {
       protocol: "",
       url: "",
       remediation: "",
-    };
+    }
   }
 
-  const obj = raw as Record<string, unknown>;
+  const obj = raw as Record<string, unknown>
   return {
-    title: typeof obj["title"] === "string" ? obj["title"] : "",
-    severity: typeof obj["severity"] === "string" ? obj["severity"] : "",
-    description: typeof obj["description"] === "string" ? obj["description"] : "",
-    protocol: typeof obj["protocol"] === "string" ? obj["protocol"] : "",
-    url: typeof obj["url"] === "string" ? obj["url"] : "",
-    remediation: typeof obj["remediation"] === "string" ? obj["remediation"] : "",
-  };
+    title: typeof obj.title === "string" ? obj.title : "",
+    severity: typeof obj.severity === "string" ? obj.severity : "",
+    description: typeof obj.description === "string" ? obj.description : "",
+    protocol: typeof obj.protocol === "string" ? obj.protocol : "",
+    url: typeof obj.url === "string" ? obj.url : "",
+    remediation: typeof obj.remediation === "string" ? obj.remediation : "",
+  }
 }
 
 function parseFindings(response: unknown): SoloditFinding[] {
   if (!Array.isArray(response)) {
-    return [];
+    return []
+  }
+  return response.map(parseFinding)
+}
+
+function parseFindingsFromAnyResponse(response: unknown): SoloditFinding[] {
+  const direct = parseFindings(response)
+  if (direct.length > 0) return direct
+
+  if (typeof response === "object" && response !== null) {
+    const findings = (response as Record<string, unknown>).findings
+    if (Array.isArray(findings)) return findings.map(parseFinding)
+  }
+
+  return extractFindingsFromMcpResponse(response)
+}
+
+function hasMcpError(response: unknown): boolean {
+  if (typeof response !== "object" || response === null) return false
+  const obj = response as Record<string, unknown>
+  return "error" in obj
+}
+
+function normalizeImpacts(
+  severity?: string[],
+): Array<"HIGH" | "MEDIUM" | "LOW" | "GAS"> | undefined {
+  if (!severity || severity.length === 0) return undefined
+  const allowed = new Set(["HIGH", "MEDIUM", "LOW", "GAS"] as const)
+  const impacts = severity
+    .map((s) => s.toUpperCase())
+    .filter((s): s is "HIGH" | "MEDIUM" | "LOW" | "GAS" =>
+      allowed.has(s as "HIGH" | "MEDIUM" | "LOW" | "GAS"),
+    )
+  return impacts.length > 0 ? impacts : undefined
+}
+
+function buildMcpArgs(
+  toolName: (typeof SOLODIT_MCP_TOOLS)[number],
+  query: string,
+  limit: number,
+  severity?: string[],
+): Record<string, unknown> {
+  if (toolName === "search") {
+    return { keywords: query }
+  }
+
+  const impact = normalizeImpacts(severity)
+  return {
+    keywords: query,
+    ...(impact ? { impact } : {}),
+    pageSize: limit,
+  }
+}
+
+function filterFindingsBySeverity(
+  findings: SoloditFinding[],
+  severities?: string[],
+): SoloditFinding[] {
+  if (!severities || severities.length === 0) return findings
+
+  const allowed = new Set(severities.map((s) => s.toLowerCase()))
+  return findings.filter((finding) => allowed.has(finding.severity.toLowerCase()))
+}
+
+function parseSseData(body: string): unknown {
+  for (const line of body.split("\n")) {
+    if (line.startsWith("data: ")) {
+      try {
+        return JSON.parse(line.slice(6))
+      } catch {}
+    }
+  }
+  try {
+    return JSON.parse(body)
+  } catch {
+    return null
   }
-  return response.map(parseFinding);
+}
+
+function extractFindingsFromMcpResponse(envelope: unknown): SoloditFinding[] {
+  if (typeof envelope !== "object" || envelope === null) return []
+  const result = (envelope as Record<string, unknown>).result
+  if (typeof result !== "object" || result === null) return []
+
+  const structured = (result as Record<string, unknown>).structuredContent
+  const reportsJson =
+    typeof structured === "object" && structured !== null
+      ? (structured as Record<string, unknown>).reportsJSON
+      : undefined
+
+  if (typeof reportsJson === "string") {
+    try {
+      const parsed = JSON.parse(reportsJson)
+      if (Array.isArray(parsed)) return parsed.map(parseFinding)
+    } catch {
+      logger.debug("Failed to parse Solodit structured response")
+    }
+  }
+
+  const content = (result as Record<string, unknown>).content
+  if (Array.isArray(content) && content.length > 0) {
+    const first = content[0] as Record<string, unknown> | undefined
+    if (typeof first?.text === "string") {
+      try {
+        const parsed = JSON.parse(first.text)
+        if (Array.isArray(parsed)) return parsed.map(parseFinding)
+      } catch {
+        logger.debug("Failed to parse Solodit content text")
+      }
+    }
+  }
+
+  return []
+}
+
+async function callSoloditHttp(
+  query: string,
+  limit: number,
+  severities?: string[],
+  port: number = DEFAULT_SOLODIT_PORT,
+): Promise<SoloditSearchResult> {
+  let lastError: string | undefined
+
+  for (const toolName of SOLODIT_MCP_TOOLS) {
+    try {
+      const response = await fetch(`http://localhost:${port}/mcp`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Accept: "application/json, text/event-stream",
+        },
+        body: JSON.stringify({
+          jsonrpc: "2.0",
+          method: "tools/call",
+          params: { name: toolName, arguments: buildMcpArgs(toolName, query, limit, severities) },
+          id: 1,
+        }),
+        signal: AbortSignal.timeout(SOLODIT_HTTP_TIMEOUT_MS),
+      })
+
+      if (!response.ok) {
+        lastError = `Solodit HTTP ${response.status}`
+        continue
+      }
+
+      const body = await response.text()
+      const envelope = parseSseData(body)
+
+      if (hasMcpError(envelope)) {
+        continue
+      }
+
+      const findings = filterFindingsBySeverity(parseFindingsFromAnyResponse(envelope), severities)
+
+      return { results: findings.slice(0, limit), totalFound: findings.length, query }
+    } catch (error) {
+      const message = error instanceof Error ? error.message : "Unknown error"
+      lastError = `Solodit MCP unreachable: ${message}`
+    }
+  }
+
+  return { results: [], totalFound: 0, query, error: lastError ?? "Solodit MCP call failed" }
 }
 
 export async function executeSoloditSearch(
   args: SoloditSearchArgs,
   context: ToolContext,
-  callMcpTool?: CallMcpTool
+  callMcpTool?: CallMcpTool,
+  port: number = DEFAULT_SOLODIT_PORT,
 ): Promise<SoloditSearchResult> {
-  const { query } = args;
-  const limit = args.limit ?? DEFAULT_LIMIT;
+  const { query } = args
+  const limit = args.limit ?? DEFAULT_LIMIT
 
-  context.metadata({ title: `Solodit search: ${query}` });
+  context.metadata({ title: `Solodit search: ${query}` })
 
-  const mcpCaller =
-    callMcpTool ?? (hasMcpCapability(context) ? context.callMcpTool : undefined);
+  const mcpCaller = callMcpTool ?? (hasMcpCapability(context) ? context.callMcpTool : undefined)
 
   if (!mcpCaller) {
-    return {
-      results: [],
-      totalFound: 0,
-      query,
-      error: `Solodit MCP not available. Add to opencode.json mcp section or ensure solodit-mcp is running. Use @solodit-mcp directly: search_findings({query: '${query}', limit: ${limit}})`,
-    };
+    return callSoloditHttp(query, limit, args.severity, port)
   }
 
-  try {
-    const mcpArgs: Record<string, unknown> = { query, limit };
+  let hadMcpError = false
+  for (const toolName of SOLODIT_MCP_TOOLS) {
+    try {
+      const response = await mcpCaller(
+        SOLODIT_MCP_SERVER,
+        toolName,
+        buildMcpArgs(toolName, query, limit, args.severity),
+      )
 
-    if (args.severity && args.severity.length > 0) {
-      mcpArgs.filters = { severity: args.severity };
-    }
+      if (hasMcpError(response)) {
+        hadMcpError = true
+        continue
+      }
 
-    const response = await mcpCaller(SOLODIT_MCP_SERVER, SOLODIT_MCP_TOOL, mcpArgs);
-    const findings = parseFindings(response);
+      const findings = filterFindingsBySeverity(
+        parseFindingsFromAnyResponse(response),
+        args.severity,
+      )
 
-    return {
-      results: findings,
-      totalFound: findings.length,
-      query,
-    };
-  } catch (error) {
-    const message = error instanceof Error ? error.message : "Unknown error";
-    return {
-      results: [],
-      totalFound: 0,
-      query,
-      error: `Solodit MCP error: ${message}`,
-    };
+      return {
+        results: findings.slice(0, limit),
+        totalFound: findings.length,
+        query,
+      }
+    } catch {
+      hadMcpError = true
+    }
+  }
+
+  const fallback = await callSoloditHttp(query, limit, args.severity, port)
+  if (fallback.error || hadMcpError) {
+    return fallback
   }
+
+  return fallback
+}
+
+export function createSoloditSearchTool(port: number = DEFAULT_SOLODIT_PORT): ToolDefinition {
+  return tool({
+    description:
+      "Search Solodit audit findings database for known vulnerabilities and past audit results via the Solodit MCP server.",
+    args: {
+      query: tool.schema.string(),
+      severity: tool.schema.array(tool.schema.string()).optional(),
+      limit: tool.schema.number().optional(),
+    },
+    async execute(args, context) {
+      const result = await executeSoloditSearch(args, context, undefined, port)
+      return JSON.stringify(result)
+    },
+  })
 }
 
-export const soloditSearchTool = tool({
-  description:
-    "Search Solodit audit findings database for known vulnerabilities and past audit results via the Solodit MCP server.",
-  args: {
-    query: tool.schema.string(),
-    severity: tool.schema.array(tool.schema.string()).optional(),
-    limit: tool.schema.number().optional(),
-  },
-  async execute(args, context) {
-    const result = await executeSoloditSearch(args, context);
-    return JSON.stringify(result);
-  },
-});
+export const soloditSearchTool = createSoloditSearchTool()

package/src/tools/sync-knowledge-tool.ts

@@ -1,10 +1,11 @@
 import os from "node:os"
 import path from "node:path"
-import { tool, type ToolContext } from "@opencode-ai/plugin"
-import { ScvdClient } from "../knowledge/scvd-client"
-import { syncAll, syncIncremental, type SyncResult } from "../knowledge/scvd-sync"
+import { type ToolContext, tool } from "@opencode-ai/plugin"
 import { loadArgusConfig } from "../config/loader"
 import type { ArgusConfig } from "../config/types"
+import { ScvdClient } from "../knowledge/scvd-client"
+import { type SyncResult, syncAll, syncIncremental } from "../knowledge/scvd-sync"
+import { resolveProjectDir } from "../shared/project-utils"
 
 type SyncKnowledgeArgs = {
   force?: boolean
@@ -62,14 +63,14 @@ function toErrorMessage(error: unknown): string {
 export async function executeSyncKnowledge(
   args: SyncKnowledgeArgs,
   context: ToolContext,
-  deps: SyncKnowledgeDependencies = {}
+  deps: SyncKnowledgeDependencies = {},
 ): Promise<SyncKnowledgeResult> {
   const dependencies = { ...defaultDependencies(), ...deps }
 
   context.metadata({ title: "Syncing SCVD knowledge index..." })
 
   try {
-    const projectDir = context.directory ?? context.worktree ?? process.cwd()
+    const projectDir = resolveProjectDir(context)
     const argusConfig = dependencies.loadConfig(projectDir)
 
     if (!argusConfig.knowledge?.scvd?.enabled) {
@@ -81,12 +82,7 @@ export async function executeSyncKnowledge(
     }
 
     const apiUrl = argusConfig.knowledge?.scvd?.apiUrl ?? DEFAULT_SCVD_API_URL
-    const indexPath = path.join(
-      os.homedir(),
-      ".cache",
-      "solidity-argus",
-      "scvd-index.json"
-    )
+    const indexPath = path.join(os.homedir(), ".cache", "solidity-argus", "scvd-index.json")
 
     const client = dependencies.createClient(apiUrl, context.abort)
     const result = args.force

package/src/utils/audit-artifact-detector.ts

@@ -0,0 +1,118 @@
+import { existsSync, readdirSync } from "node:fs"
+import { join } from "node:path"
+import { createLogger } from "../shared/logger"
+
+const logger = createLogger()
+
+export interface AuditArtifact {
+  type: "audit-report" | "slither-output" | "deployment-artifact" | "security-tool-output"
+  path: string
+  name: string
+}
+
+/**
+ * Detects audit artifacts in a project directory (shallow scan, top-level only)
+ * @param projectDir Directory to scan for audit artifacts
+ * @returns Array of detected audit artifacts
+ */
+export function detectAuditArtifacts(projectDir: string): AuditArtifact[] {
+  const artifacts: AuditArtifact[] = []
+
+  if (!existsSync(projectDir)) {
+    return artifacts
+  }
+
+  try {
+    const entries = readdirSync(projectDir, { withFileTypes: true })
+
+    for (const entry of entries) {
+      const fullPath = join(projectDir, entry.name)
+
+      // Check directories
+      if (entry.isDirectory()) {
+        // Audit report directories
+        if (["audit", "audits", "security"].includes(entry.name)) {
+          artifacts.push({
+            type: "audit-report",
+            path: fullPath,
+            name: entry.name,
+          })
+          continue
+        }
+
+        // Deployment artifact directories
+        if (entry.name === ".openzeppelin") {
+          artifacts.push({
+            type: "deployment-artifact",
+            path: fullPath,
+            name: entry.name,
+          })
+          continue
+        }
+
+        // docs/audit* directories
+        if (entry.name === "docs") {
+          try {
+            const docsEntries = readdirSync(fullPath, { withFileTypes: true })
+            for (const docsEntry of docsEntries) {
+              if (docsEntry.isDirectory() && docsEntry.name.startsWith("audit")) {
+                artifacts.push({
+                  type: "audit-report",
+                  path: join(fullPath, docsEntry.name),
+                  name: docsEntry.name,
+                })
+              }
+            }
+          } catch {
+            logger.debug("Failed to read docs directory for audit artifacts")
+          }
+        }
+        continue
+      }
+
+      // Check files
+      if (entry.isFile()) {
+        // Audit report files
+        if (
+          /^.*audit.*\.(md|pdf)$/i.test(entry.name) ||
+          /^.*security-review.*\.(md|pdf)$/i.test(entry.name)
+        ) {
+          artifacts.push({
+            type: "audit-report",
+            path: fullPath,
+            name: entry.name,
+          })
+          continue
+        }
+
+        // Slither output files
+        if (
+          entry.name === "slither.json" ||
+          entry.name === "slither.sarif" ||
+          /^slither-report.*/.test(entry.name)
+        ) {
+          artifacts.push({
+            type: "slither-output",
+            path: fullPath,
+            name: entry.name,
+          })
+          continue
+        }
+
+        // Security tool output files
+        if (/^mythril-report.*/.test(entry.name) || /^securify-report.*/.test(entry.name)) {
+          artifacts.push({
+            type: "security-tool-output",
+            path: fullPath,
+            name: entry.name,
+          })
+        }
+      }
+    }
+  } catch {
+    // Return empty array if directory cannot be read
+    return []
+  }
+
+  return artifacts
+}

package/src/utils/dependency-scanner.ts

@@ -0,0 +1,93 @@
+export interface DependencyRisk {
+  package: string
+  version: string
+  risk: "high" | "medium" | "low"
+  category: string
+  recommendation: string
+}
+
+interface DependencyInput {
+  dependencies?: Record<string, string>
+  devDependencies?: Record<string, string>
+}
+
+function parseVersion(raw: string): [number, number, number] {
+  const cleaned = raw.replace(/^[^0-9]*/, "")
+  if (!cleaned) {
+    return [0, 0, 0]
+  }
+  const parts = cleaned.split(".")
+  const major = parseInt(parts[0] ?? "0", 10)
+  const minor = parseInt(parts[1] ?? "0", 10)
+  const patch = parseInt(parts[2] ?? "0", 10)
+  return [
+    Number.isNaN(major) ? 0 : major,
+    Number.isNaN(minor) ? 0 : minor,
+    Number.isNaN(patch) ? 0 : patch,
+  ]
+}
+
+function versionLt(raw: string, major: number, minor: number, patch = 0): boolean {
+  const [a, b, c] = parseVersion(raw)
+  if (a !== major) return a < major
+  if (b !== minor) return b < minor
+  return c < patch
+}
+
+export function scanDependencyRisks(input: DependencyInput): DependencyRisk[] {
+  const risks: DependencyRisk[] = []
+  const deps = input.dependencies ?? {}
+  const devDeps = input.devDependencies ?? {}
+  const allDeps = { ...deps, ...devDeps }
+
+  const ozVersion = deps["@openzeppelin/contracts"]
+  if (ozVersion) {
+    if (versionLt(ozVersion, 4, 9)) {
+      risks.push({
+        package: "@openzeppelin/contracts",
+        version: ozVersion,
+        risk: "high",
+        category: "known-vulnerability",
+        recommendation:
+          "Upgrade to @openzeppelin/contracts >= 4.9.0 — known vulnerabilities in OZ < 4.9",
+      })
+    } else if (versionLt(ozVersion, 5, 0)) {
+      risks.push({
+        package: "@openzeppelin/contracts",
+        version: ozVersion,
+        risk: "low",
+        category: "upgrade-available",
+        recommendation:
+          "Consider upgrading to OZ v5 for latest patterns and Solidity 0.8.20+ support",
+      })
+    }
+  }
+
+  const ozUpgradeableVersion = deps["@openzeppelin/contracts-upgradeable"]
+  if (ozUpgradeableVersion) {
+    const hasUpgradeTooling = "@openzeppelin/hardhat-upgrades" in allDeps
+    if (!hasUpgradeTooling) {
+      risks.push({
+        package: "@openzeppelin/contracts-upgradeable",
+        version: ozUpgradeableVersion,
+        risk: "medium",
+        category: "missing-tooling",
+        recommendation:
+          "Add @openzeppelin/hardhat-upgrades to devDependencies for safe upgrade workflows",
+      })
+    }
+  }
+
+  const solmateVersion = deps.solmate
+  if (solmateVersion && versionLt(solmateVersion, 6, 0)) {
+    risks.push({
+      package: "solmate",
+      version: solmateVersion,
+      risk: "medium",
+      category: "outdated",
+      recommendation: "Upgrade solmate to >= 6.0.0 for latest fixes",
+    })
+  }
+
+  return risks
+}