solidity-argus 0.2.0 → 0.3.0

package/AGENTS.md

@@ -13,19 +13,19 @@ CLI: `argus doctor`, `argus init`, `argus install`.
 **Role**: Primary security audit orchestrator
 **Description**: Argus Panoptes, the All-Seeing Guardian. Coordinates full Solidity security audits by dispatching Sentinel (analysis), Pythia (research), and Scribe (reporting). Follows a rigorous 7-step methodology: Reconnaissance, Automated Scanning, Manual Review, Attack Surface Mapping, Vulnerability Research, Testing & Verification, and Reporting.
 **Model**: anthropic/claude-opus-4-6
-**Tools**: All 8 argus_* tools (argus_slither_analyze, argus_analyze_contract, argus_check_patterns, argus_solodit_search, argus_forge_test, argus_forge_fuzz, argus_generate_report, argus_sync_knowledge)
+**Tools**: All 12 argus_* tools (argus_slither_analyze, argus_analyze_contract, argus_check_patterns, argus_proxy_detection, argus_solodit_search, argus_forge_test, argus_gas_analysis, argus_forge_fuzz, argus_forge_coverage, argus_skill_load, argus_generate_report, argus_sync_knowledge)
 
 ## sentinel
 
 **Role**: Static analysis and testing specialist
 **Description**: Finds vulnerabilities through Slither static analysis, Foundry testing, fuzzing, and pattern matching. The tactical executor — runs tools, writes PoC tests, and verifies findings. Dispatched by Argus during Automated Scanning and Testing & Verification phases.
 **Model**: anthropic/claude-sonnet-4-6
-**Tools**: argus_slither_analyze, argus_forge_test, argus_forge_fuzz, argus_analyze_contract, argus_check_patterns, skill
+**Tools**: argus_slither_analyze, argus_forge_test, argus_gas_analysis, argus_forge_fuzz, argus_forge_coverage, argus_analyze_contract, argus_check_patterns, argus_proxy_detection, skill
 
 ## pythia
 
 **Role**: Vulnerability researcher
-**Description**: Consults Solodit, SCVD, and the knowledge base to find historical precedents and known attack vectors. Searches 7,769+ real-world audit findings and 55 curated vulnerability pattern files. Dispatched by Argus during Vulnerability Research phase.
+**Description**: Consults Solodit, SCVD, and the knowledge base to find historical precedents and known attack vectors. Searches 7,769+ real-world audit findings and 44 curated vulnerability pattern files. Dispatched by Argus during Vulnerability Research phase.
 **Model**: anthropic/claude-sonnet-4-6
 **Tools**: argus_solodit_search, argus_check_patterns, skill
 

package/README.md

@@ -15,12 +15,12 @@ Argus Panoptes — the mythological all-seeing giant — orchestrates a team of
 **What it does:**
 - Runs Slither static analysis and Foundry tests automatically
 - Searches 7,769+ real-world audit findings via SCVD and Solodit
-- Matches code against 55 curated vulnerability pattern files
+- Matches code against 82 curated SKILL.md knowledge files
 - Generates professional markdown audit reports with severity classifications
 - Follows a rigorous 7-step audit methodology (Reconnaissance → Report)
 
 **Why it's useful:**
-- Catches reentrancy, oracle manipulation, access control flaws, flash loan vectors, and 35+ other vulnerability classes
+- Catches reentrancy, oracle manipulation, access control flaws, flash loan vectors, and 50+ vulnerability classes across 14 pattern categories
 - Integrates seamlessly into OpenCode's agent system — no separate tooling setup required
 - Knowledge base sourced from Trail of Bits, Cyfrin, DeFiFoFum, and the broader security community
 
@@ -88,10 +88,13 @@ Transforms raw findings into professional, structured markdown audit reports wit
 |------|-------|-------------|
 | `argus_slither_analyze` | Sentinel | Runs Slither static analysis on Solidity contracts; detects reentrancy, uninitialized variables, unchecked returns, and more |
 | `argus_analyze_contract` | Sentinel | Generates a deep structural profile of a contract: functions, state variables, modifiers, inheritance tree |
-| `argus_check_patterns` | Sentinel, Pythia | Scans code against a library of complex vulnerability patterns (regex/AST-based) covering 35+ vulnerability classes |
+| `argus_check_patterns` | Sentinel, Pythia | Scans code against a library of complex vulnerability patterns (regex/AST-based) covering 50+ vulnerability classes across 14 pattern categories |
+| `argus_proxy_detection` | Sentinel | Detects proxy patterns in Solidity contracts (ERC1967, UUPS, transparent, beacon, diamond) with confidence scoring |
 | `argus_solodit_search` | Pythia | Searches Solodit's database of real-world audit reports for similar protocols and historical findings |
 | `argus_forge_test` | Sentinel | Runs existing or newly written Foundry/Forge tests; essential for PoC verification |
+| `argus_gas_analysis` | Sentinel | Runs forge gas report analysis, parses per-function gas metrics, and identifies high-gas hotspots above configurable threshold |
 | `argus_forge_fuzz` | Sentinel | Fuzzes specific functions with random inputs to find edge cases and invariant violations |
+| `argus_forge_coverage` | Sentinel | Runs forge coverage analysis and returns structured per-file coverage metrics (lines, statements, branches, functions) |
 | `argus_generate_report` | Scribe | Generates the final structured audit report in professional markdown format |
 | `argus_sync_knowledge` | Argus | Syncs the local vulnerability database from SCVD (api.scvd.dev) |
 
@@ -99,49 +102,103 @@ Transforms raw findings into professional, structured markdown audit reports wit
 
 ## Knowledge Base
 
-The plugin ships with **55 curated SKILL.md files** organized into 5 categories:
+The plugin ships with **82 curated SKILL.md files** organized into 6 categories:
 
 | Category | Files | Description |
 |----------|-------|-------------|
-| Vulnerability Patterns | 38 | Reentrancy, oracle manipulation, flash loans, access control, overflow/underflow, and 33 more |
+| Vulnerability Patterns | 51 | Reentrancy, oracle manipulation, flash loans, access control, ERC4626, governance, front-running, and 44 more |
 | Methodology | 3 | Audit workflow, report templates, severity classification |
 | Protocol Patterns | 5 | AMM/DEX, bridges, governance, lending, staking security guides |
 | Checklists | 6 | Cyfrin audit checklists (DeFi core, integrations, upgrades, gas, best practices) |
 | References | 2 | DeFi exploit reference index, SmartBugs vulnerable contract examples |
+| Case Studies | 15 | Major DeFi exploit analyses (Euler, Nomad Bridge, Ronin, Cream Finance, etc.) |
 
-**Sources:** Trail of Bits, Cyfrin, DeFiFoFum, kadenzipfel, SunWeb3Sec, smartbugs
+**Sources:** Trail of Bits, Cyfrin, DeFiFoFum, kadenzipfel, SunWeb3Sec, smartbugs, BailSec, Argus
 
-### Pattern Packs
+### Detection Rules
 
-Pattern packs are YAML files containing collections of regular expression patterns used for vulnerability detection. These packs allow Argus to scan code for known security flaws without requiring full static analysis tools.
+Vulnerability detection patterns are defined as `detection_rules` in SKILL.md frontmatter. Each skill with a `pattern_category` field is automatically discovered by the pattern checker — no separate configuration needed.
 
-- **Location:** `skills/patterns/`
-- **Available Packs:**
-  - `access-control.yaml` — Ownership and permission checks
-  - `erc4626.yaml` — Vault standard security patterns
-  - `flash-loan.yaml` — Flash loan attack vectors
-  - `oracle.yaml` — Price manipulation and staleness checks
-  - `proxy.yaml` — Upgradeability and initialization flaws
-  - `reentrancy.yaml` — State change and external call ordering
-  - `signature.yaml` — Malleability and replay protection
+- **51 vulnerability pattern skills** with detection rules across **14 categories**
+- Categories: `reentrancy`, `oracle-manipulation`, `flash-loan`, `access-control`, `erc4626`, `proxy`, `signature`, `dos`, `front-running`, `governance`, `token-standard`, `gas-optimization`, `logic-error`, `delegatecall`
 
-#### Custom Pattern Packs
+#### Adding Custom Detection Rules
 
-You can create custom pattern packs by adding YAML files to your configured `customSkillsDir`. Each pack must follow this structure:
+Add custom detection rules by creating SKILL.md files in your `customSkillsDir`:
 
 ```yaml
-pack_name: "My Custom Pack"
-pack_version: "1.0"
-patterns:
-  - name: "Insecure Transfer"
-    category: "access-control"
-    severity: "High"
-    regex: "transfer\\(msg\\.sender, .+\\)"
-    description: "Detects potentially insecure transfers to the caller"
+---
+name: my-custom-pattern
+description: Detects insecure transfer patterns
+pattern_category: access-control
+detection_rules:
+  - regex: 'transfer\(msg\.sender, .+\)'
+    severity: High
+    description: Potentially insecure transfer to caller
+---
 ```
 
 **SCVD Integration:** The plugin connects to [api.scvd.dev](https://api.scvd.dev) for 7,769+ real-world audit findings. Sync with `argus_sync_knowledge` or configure `knowledge.autoSync: true`.
 
+### Audit PDF Extraction Pipeline
+
+A generic pipeline for extracting security findings from public audit report PDFs and converting them into structured data for pattern creation.
+
+**How it works:**
+1. Downloads PDFs from configured GitHub repositories
+2. Parses each PDF page-by-page using `pdf-parse`
+3. Extracts findings using regex-based heading/severity/description detection
+4. Deduplicates and categorizes findings into 11 categories
+5. Outputs structured JSON to `scripts/audit-pdf-output/`
+
+**Running the pipeline:**
+
+```bash
+bun scripts/audit-pdf-extract.ts
+```
+
+> **Note:** The extraction pipeline scripts are available in the [source repository](https://github.com/Apegurus/solidity-argus) only. They are not included in the npm package. If you installed `solidity-argus` via npm/bun, you'll need to clone the repository to run the extraction pipeline.
+
+**Output files:**
+- `scripts/audit-pdf-output/findings.json` — All extracted findings
+- `scripts/audit-pdf-output/metadata.json` — Extraction stats, errors, source info
+- `scripts/audit-pdf-output/by-category/*.json` — Findings grouped by category (reentrancy, access-control, oracle, etc.)
+
+**Adding new audit sources:**
+
+The pipeline uses a generic `AuditSource[]` interface. To add a new audit firm's reports, edit `scripts/audit-pdf-extract.ts` and add an entry to `DEFAULT_SOURCES`:
+
+```typescript
+{
+  name: "AuditFirmName",
+  repoRawBase: "https://raw.githubusercontent.com/org/repo/main",
+  repoUrl: "https://github.com/org/repo",
+  pdfFiles: [
+    "Audit Report - Protocol Name.pdf",
+    // ... more PDFs
+  ],
+}
+```
+
+**How agents leverage extracted findings:**
+
+The extracted findings are used to create new SKILL.md vulnerability pattern files (e.g., `erc4626-exchange-rate-manipulation`, `missing-parameter-bounds`). These patterns are loaded on-demand by agents via `argus_skill_load` during audits. The extraction pipeline is a developer tool — agents don't run it directly.
+
+### Case Studies
+
+15 detailed case studies of major DeFi exploits are included in `skills/case-studies/`. Each provides deep narrative context: root cause analysis, attack flow, impact assessment, key transactions, and lessons learned.
+
+**Sources:** Public exploit research from [rekt.news](https://rekt.news) and [SunWeb3Sec/DeFiHackLabs](https://github.com/SunWeb3Sec/DeFiHackLabs).
+
+**How they complement SCVD:** SCVD provides breadth (7,769+ searchable findings by keyword). Case studies provide depth (detailed narratives of 15 major exploits). The `@pythia` agent uses both — SCVD for "has this pattern been seen before?" and case studies for "how did this type of exploit actually unfold?"
+
+**Adding new case studies:**
+
+1. Create a new directory under `skills/case-studies/<exploit-name>/`
+2. Add a `SKILL.md` file with frontmatter (`name`, `description`, `category: reference`, `source_url`, `source_license`, `detection_rules`)
+3. Include sections: Overview, Root Cause, Attack Flow, Impact, Key Transactions, Lessons
+4. Add the entry to `skills/INVENTORY.md`
+
 ---
 
 ## Knowledge Ingestion Contract
@@ -173,7 +230,7 @@ Argus classifies knowledge sources into three trust tiers:
 Knowledge freshness is monitored automatically:
 
 - **SCVD local index** — Stale if not synced within 7 days. `argus doctor` will warn if stale and suggest running `argus_sync_knowledge`.
-- **Pattern packs** — Versioned via `PATTERN_PACK_VERSION` and updated on package release.
+- **Detection rules** — Versioned via `DETECTION_RULE_VERSION` and updated on package release.
 - **Baked-in curated skills** — Updated only on package release; no automatic refresh.
 - **On-demand live sources** — Retrieved per-request; never cached locally.
 
@@ -203,7 +260,7 @@ Argus supports three distinct knowledge ingestion patterns:
 **Sources:** SCVD local index, Trail of Bits companion skills
 
 - Local index synced periodically via `argus_sync_knowledge`
-- Cached locally in `~/.cache/opencode-argus/scvd-index.json`
+- Cached locally in `~/.cache/solidity-argus/scvd-index.json`
 - Refreshed on-demand when `knowledge.autoSync: true`
 - Trail of Bits skills git-cloned on install and updated via companion plugin
 - Example: SCVD findings indexed locally, queried without network latency
@@ -301,7 +358,7 @@ This prevents context pollution and ensures non-audit agents operate independent
 
 Agents load specialized knowledge on-demand via the `argus_skill_load` tool:
 
-- **Vulnerability Patterns** — 38 SKILL.md files covering reentrancy, oracle manipulation, flash loans, etc.
+- **Vulnerability Patterns** — 51 SKILL.md files covering reentrancy, oracle manipulation, flash loans, etc.
 - **Protocol Patterns** — 5 files for AMM/DEX, bridges, governance, lending, staking
 - **Methodology** — 3 files for audit workflow, report templates, severity classification
 - **Checklists** — 6 Cyfrin audit checklists
@@ -311,13 +368,13 @@ This channel is **lazy-loaded** — agents request skills only when needed, redu
 
 ### Implementation Notes
 
-- **Phase 1 (Current):** `system.transform` is `undefined` (line 84 in `src/create-hooks.ts`). Agent-gated injection will replace this in Phase 2.
+- **Dynamic injection:** `system.transform` uses agent-gated dynamic audit state injection via `createSystemPromptHook` (see `src/create-hooks.ts`).
 - **Global transforms forbidden:** No global system context injection unless agent-gated and minimal. Prevents context window overflow.
 - **Audit state persistence:** State is saved to `.opencode/argus-state.json` and restored on session restart (see `Persistent Audit State` section).
 
 ---
 
-## New in v2: Modular Architecture
+## Modular Architecture
 
 This release restructures solidity-argus into a modular factory-based architecture with several new infrastructure features:
 
@@ -335,7 +392,7 @@ argus init
 # Validate SKILL.md files against schema
 argus lint-skills
 
-# Install optional dependencies (Slither, Foundry)
+# Register solidity-argus in opencode.json (tools installed separately; see Requirements)
 argus install
 ```
 
@@ -354,18 +411,17 @@ Selectively disable any hook via config:
 Config is resolved by merging three layers (last wins):
 
 1. **Defaults** — Built-in sensible defaults
-2. **User-level** — `~/.config/solidity-argus/config.jsonc`
+2. **User-level** — `~/.config/opencode/solidity-argus.jsonc`
 3. **Project-level** — `.opencode/solidity-argus.jsonc`
 
 ### Background Agent Management
 
-Background tasks (knowledge sync, long-running analysis) are tracked with configurable concurrency limits and lifecycle callbacks:
+Background tasks (knowledge sync, long-running analysis) are tracked with configurable concurrency limits:
 
 ```jsonc
 {
   "background": {
-    "max_concurrent": 3,
-    "cleanup_interval_ms": 60000
+    "max_concurrent": 3
   }
 }
 ```

package/package.json

@@ -1,8 +1,19 @@
 {
   "name": "solidity-argus",
-  "version": "0.2.0",
-  "description": "Solidity smart contract security auditing plugin for OpenCode — 4 specialized agents, 8 tools, and a curated vulnerability knowledge base",
-  "keywords": ["solidity", "security", "audit", "opencode", "plugin", "smart-contract", "ethereum", "defi", "slither", "foundry"],
+  "version": "0.3.0",
+  "description": "Solidity smart contract security auditing plugin for OpenCode — 4 specialized agents, 12 tools (11 core + optional Solodit), and a curated vulnerability knowledge base",
+  "keywords": [
+    "solidity",
+    "security",
+    "audit",
+    "opencode",
+    "plugin",
+    "smart-contract",
+    "ethereum",
+    "defi",
+    "slither",
+    "foundry"
+  ],
   "author": "Apegurus",
   "license": "MIT",
   "type": "module",
@@ -17,24 +28,39 @@
     "solidity-argus": "./src/cli/index.ts",
     "argus": "./src/cli/index.ts"
   },
-  "files": ["src/", "!src/**/*.test.ts", "skills/", "README.md", "AGENTS.md", "LICENSE"],
+  "files": [
+    "src/",
+    "!src/**/*.test.ts",
+    "skills/",
+    "README.md",
+    "AGENTS.md",
+    "LICENSE"
+  ],
   "scripts": {
     "test": "bun test",
     "typecheck": "tsc --noEmit",
+    "lint": "biome lint .",
+    "format": "biome format --write .",
+    "format:check": "biome format .",
+    "check": "biome check .",
+    "check:fix": "biome check --write .",
+    "ci": "biome ci .",
     "cli": "bun src/cli/index.ts",
     "doctor": "bun src/cli/index.ts doctor",
     "init": "bun src/cli/index.ts init"
   },
   "dependencies": {
+    "@opencode-ai/plugin": "^1.2.10",
     "yaml": "^2.8.2",
-    "zod": "^4.3.6"
+    "zod": "^4.1.8"
   },
   "peerDependencies": {
-    "@opencode-ai/plugin": "^1.2.6"
+    "@opencode-ai/sdk": "^1.0.0"
   },
   "devDependencies": {
-    "@opencode-ai/plugin": "^1.2.6",
+    "@biomejs/biome": "^2.4.4",
     "@types/bun": "^1.2.0",
+    "pdf-parse": "^2.4.5",
     "typescript": "^5"
   },
   "repository": {

package/skills/INVENTORY.md

@@ -1,79 +1,110 @@
 # Argus Knowledge Base Inventory
 
-Generated: 2026-02-18
-Total SKILL.md files: 55
+Generated: 2026-02-20
+Total SKILL.md files: 82
 
 ## Vulnerability Patterns
 | File | Source(s) | Topic | Word Count |
 |------|-----------|-------|------------|
-| vulnerability-patterns/access-control/SKILL.md | DeFiFoFum, kadenzipfel | Access Control Exploits | 1018 |
-| vulnerability-patterns/arbitrary-storage-location/SKILL.md | kadenzipfel | Write to Arbitrary Storage Location | 309 |
-| vulnerability-patterns/assert-violation/SKILL.md | kadenzipfel | Assert Violation | 356 |
-| vulnerability-patterns/asserting-contract-from-code-size/SKILL.md | kadenzipfel | Asserting Contract from Code Size | 336 |
-| vulnerability-patterns/authorization-txorigin/SKILL.md | kadenzipfel | Authorization Through tx.origin | 266 |
-| vulnerability-patterns/default-visibility/SKILL.md | kadenzipfel | Default Visibility | 298 |
-| vulnerability-patterns/delegatecall-untrusted-callee/SKILL.md | kadenzipfel | Delegatecall to Untrusted Callee | 309 |
-| vulnerability-patterns/dos-gas-limit/SKILL.md | kadenzipfel | DoS with Block Gas Limit | 333 |
-| vulnerability-patterns/dos-revert/SKILL.md | kadenzipfel | DoS with (Unexpected) Revert | 408 |
-| vulnerability-patterns/flash-loan-attacks/SKILL.md | DeFiFoFum, kadenzipfel | Flash Loan Attack Exploits | 1000 |
-| vulnerability-patterns/floating-pragma/SKILL.md | kadenzipfel | Floating Pragma | 279 |
-| vulnerability-patterns/hash-collision/SKILL.md | kadenzipfel | Hash Collision with abi.encodePacked() | 318 |
-| vulnerability-patterns/inadherence-to-standards/SKILL.md | kadenzipfel | Inadherence to Standards | 361 |
-| vulnerability-patterns/incorrect-constructor/SKILL.md | kadenzipfel | Incorrect Constructor Name | 285 |
-| vulnerability-patterns/incorrect-inheritance-order/SKILL.md | kadenzipfel | Incorrect Inheritance Order | 289 |
-| vulnerability-patterns/insufficient-gas-griefing/SKILL.md | kadenzipfel | Insufficient Gas Griefing | 368 |
-| vulnerability-patterns/lack-of-precision/SKILL.md | kadenzipfel | Lack of Precision | 334 |
-| vulnerability-patterns/logic-errors/SKILL.md | DeFiFoFum, kadenzipfel | Logic Bug Exploits | 1192 |
-| vulnerability-patterns/missing-protection-signature-replay/SKILL.md | kadenzipfel | Missing Protection Against Signature Replay | 350 |
-| vulnerability-patterns/msgvalue-loop/SKILL.md | kadenzipfel | msg.value Reuse in Loops | 378 |
-| vulnerability-patterns/off-by-one/SKILL.md | kadenzipfel | Off-By-One Errors | 336 |
-| vulnerability-patterns/oracle-manipulation/SKILL.md | DeFiFoFum, kadenzipfel | Oracle Manipulation Exploits | 985 |
-| vulnerability-patterns/outdated-compiler-version/SKILL.md | kadenzipfel | Outdated Compiler Version | 327 |
-| vulnerability-patterns/overflow-underflow/SKILL.md | kadenzipfel | Integer Overflow and Underflow | 332 |
-| vulnerability-patterns/reentrancy/SKILL.md | DeFiFoFum, kadenzipfel | Reentrancy Exploits | 1034 |
-| vulnerability-patterns/shadowing-state-variables/SKILL.md | kadenzipfel | Shadowing State Variables | 363 |
-| vulnerability-patterns/signature-malleability/SKILL.md | kadenzipfel | Signature Malleability | 320 |
-| vulnerability-patterns/unbounded-return-data/SKILL.md | kadenzipfel | Unbounded Return Data | 359 |
-| vulnerability-patterns/unchecked-return-values/SKILL.md | kadenzipfel | Unchecked Return Values | 281 |
-| vulnerability-patterns/unencrypted-private-data-on-chain/SKILL.md | kadenzipfel | Unencrypted Private Data On-Chain | 330 |
-| vulnerability-patterns/unexpected-ecrecover-null-address/SKILL.md | kadenzipfel | Unexpected ecrecover Null Address | 324 |
-| vulnerability-patterns/uninitialized-storage-pointer/SKILL.md | kadenzipfel | Uninitialized Storage Pointer | 315 |
-| vulnerability-patterns/unsafe-low-level-call/SKILL.md | kadenzipfel | Unsafe Low-Level Call | 328 |
-| vulnerability-patterns/unsecure-signatures/SKILL.md | kadenzipfel | Unsecure Signatures | 441 |
-| vulnerability-patterns/unsupported-opcodes/SKILL.md | kadenzipfel | Unsupported Opcodes on EVM-Compatible Chains | 391 |
-| vulnerability-patterns/unused-variables/SKILL.md | kadenzipfel | Presence of Unused Variables | 333 |
-| vulnerability-patterns/use-of-deprecated-functions/SKILL.md | kadenzipfel | Use of Deprecated Functions | 323 |
-| vulnerability-patterns/weak-sources-randomness/SKILL.md | kadenzipfel | Weak Sources of Randomness from Chain Attributes | 377 |
-| vulnerability-patterns/weird-tokens/SKILL.md | DeFiFoFum | Weird ERC20 Tokens Reference | 852 |
+| vulnerability-patterns/access-control/SKILL.md | DeFiFoFum, kadenzipfel | Access Control Exploits | 1164 |
+| vulnerability-patterns/arbitrary-storage-location/SKILL.md | kadenzipfel | Write to Arbitrary Storage Location | 334 |
+| vulnerability-patterns/assert-violation/SKILL.md | kadenzipfel | Assert Violation | 369 |
+| vulnerability-patterns/asserting-contract-from-code-size/SKILL.md | kadenzipfel | Asserting Contract from Code Size | 367 |
+| vulnerability-patterns/authorization-txorigin/SKILL.md | kadenzipfel | Authorization Through tx.origin | 295 |
+| vulnerability-patterns/cross-chain-bridge-vulnerabilities/SKILL.md | Argus | Cross-Chain Bridge Vulnerabilities | 1195 |
+| vulnerability-patterns/default-visibility/SKILL.md | kadenzipfel | Default Visibility | 331 |
+| vulnerability-patterns/delegatecall-untrusted-callee/SKILL.md | kadenzipfel | Delegatecall to Untrusted Callee | 356 |
+| vulnerability-patterns/dos-gas-limit/SKILL.md | kadenzipfel | DoS with Block Gas Limit | 355 |
+| vulnerability-patterns/dos-revert/SKILL.md | kadenzipfel | DoS with (Unexpected) Revert | 481 |
+| vulnerability-patterns/erc4626-exchange-rate-manipulation/SKILL.md | BailSec | ERC4626 Exchange Rate Manipulation | 381 |
+| vulnerability-patterns/fee-on-transfer-tokens/SKILL.md | BailSec | Fee-on-Transfer Token Incompatibility | 540 |
+| vulnerability-patterns/flash-loan-attacks/SKILL.md | DeFiFoFum, kadenzipfel | Flash Loan Attack Exploits | 1116 |
+| vulnerability-patterns/floating-pragma/SKILL.md | kadenzipfel | Floating Pragma | 301 |
+| vulnerability-patterns/front-running-attacks/SKILL.md | Argus | Front-Running and MEV Vulnerabilities | 1147 |
+| vulnerability-patterns/gas-optimization-patterns/SKILL.md | Argus | Gas Optimization Vulnerability Patterns | 1219 |
+| vulnerability-patterns/governance-attacks/SKILL.md | Argus | Governance Attack Vulnerabilities | 1321 |
+| vulnerability-patterns/hash-collision/SKILL.md | kadenzipfel | Hash Collision with abi.encodePacked() | 326 |
+| vulnerability-patterns/inadherence-to-standards/SKILL.md | kadenzipfel | Inadherence to Standards | 369 |
+| vulnerability-patterns/incorrect-constructor/SKILL.md | kadenzipfel | Incorrect Constructor Name | 320 |
+| vulnerability-patterns/incorrect-inheritance-order/SKILL.md | kadenzipfel | Incorrect Inheritance Order | 325 |
+| vulnerability-patterns/insufficient-gas-griefing/SKILL.md | kadenzipfel | Insufficient Gas Griefing | 392 |
+| vulnerability-patterns/lack-of-precision/SKILL.md | kadenzipfel | Lack of Precision | 395 |
+| vulnerability-patterns/logic-errors/SKILL.md | DeFiFoFum, kadenzipfel | Logic Bug Exploits | 1336 |
+| vulnerability-patterns/missing-parameter-bounds/SKILL.md | BailSec | Missing Parameter Bounds | 407 |
+| vulnerability-patterns/missing-protection-signature-replay/SKILL.md | kadenzipfel | Missing Protection Against Signature Replay | 362 |
+| vulnerability-patterns/msgvalue-loop/SKILL.md | kadenzipfel | msg.value Reuse in Loops | 413 |
+| vulnerability-patterns/off-by-one/SKILL.md | kadenzipfel | Off-By-One Errors | 398 |
+| vulnerability-patterns/oracle-manipulation/SKILL.md | DeFiFoFum, kadenzipfel | Oracle Manipulation Exploits | 1126 |
+| vulnerability-patterns/outdated-compiler-version/SKILL.md | kadenzipfel | Outdated Compiler Version | 342 |
+| vulnerability-patterns/overflow-underflow/SKILL.md | kadenzipfel | Integer Overflow and Underflow | 385 |
+| vulnerability-patterns/proxy-vulnerabilities/SKILL.md | Argus | Proxy Pattern Vulnerabilities | 1063 |
+| vulnerability-patterns/reentrancy/SKILL.md | DeFiFoFum, kadenzipfel | Reentrancy Exploits | 1160 |
+| vulnerability-patterns/shadowing-state-variables/SKILL.md | kadenzipfel | Shadowing State Variables | 404 |
+| vulnerability-patterns/share-accounting-desynchronization/SKILL.md | BailSec | Share Accounting Desynchronization | 390 |
+| vulnerability-patterns/signature-malleability/SKILL.md | kadenzipfel | Signature Malleability | 370 |
+| vulnerability-patterns/stateful-parameter-update-drift/SKILL.md | BailSec | Stateful Parameter Update Drift | 388 |
+| vulnerability-patterns/unbounded-return-data/SKILL.md | kadenzipfel | Unbounded Return Data | 389 |
+| vulnerability-patterns/unchecked-return-values/SKILL.md | kadenzipfel | Unchecked Return Values | 331 |
+| vulnerability-patterns/unencrypted-private-data-on-chain/SKILL.md | kadenzipfel | Unencrypted Private Data On-Chain | 360 |
+| vulnerability-patterns/unexpected-ecrecover-null-address/SKILL.md | kadenzipfel | Unexpected ecrecover Null Address | 339 |
+| vulnerability-patterns/uninitialized-storage-pointer/SKILL.md | kadenzipfel | Uninitialized Storage Pointer | 337 |
+| vulnerability-patterns/unsafe-erc20-transfers/SKILL.md | BailSec | Unsafe ERC20 Transfer and Approve Calls | 620 |
+| vulnerability-patterns/unsafe-low-level-call/SKILL.md | kadenzipfel | Unsafe Low-Level Call | 347 |
+| vulnerability-patterns/unsecure-signatures/SKILL.md | kadenzipfel | Unsecure Signatures | 459 |
+| vulnerability-patterns/unsupported-opcodes/SKILL.md | kadenzipfel | Unsupported Opcodes on EVM-Compatible Chains | 432 |
+| vulnerability-patterns/unused-variables/SKILL.md | kadenzipfel | Presence of Unused Variables | 388 |
+| vulnerability-patterns/use-of-deprecated-functions/SKILL.md | kadenzipfel | Use of Deprecated Functions | 385 |
+| vulnerability-patterns/weak-sources-randomness/SKILL.md | kadenzipfel | Weak Sources of Randomness from Chain Attributes | 398 |
+| vulnerability-patterns/weird-tokens/SKILL.md | DeFiFoFum | Weird ERC20 Tokens Reference | 1013 |
+| vulnerability-patterns/zero-address-misconfiguration/SKILL.md | BailSec | Zero Address Misconfiguration | 426 |
 
 ## Methodology
 | File | Source(s) | Topic | Word Count |
 |------|-----------|-------|------------|
-| methodology/audit-workflow/SKILL.md | DeFiFoFum | audit-workflow | 382 |
-| methodology/report-template/SKILL.md | DeFiFoFum | Audit Report Template | 481 |
-| methodology/severity-classification/SKILL.md | DeFiFoFum | Severity Classification Guide | 465 |
+| methodology/audit-workflow/SKILL.md | DeFiFoFum | Audit Workflow | 523 |
+| methodology/report-template/SKILL.md | DeFiFoFum | Audit Report Template | 585 |
+| methodology/severity-classification/SKILL.md | DeFiFoFum | Severity Classification Guide | 603 |
 
 ## Protocol Patterns
 | File | Source(s) | Topic | Word Count |
 |------|-----------|-------|------------|
-| protocol-patterns/amm-dex/SKILL.md | DeFiFoFum | AMM (Automated Market Maker) Security Guide | 597 |
-| protocol-patterns/bridges-cross-chain/SKILL.md | DeFiFoFum | Cross-Chain Bridge Security Guide | 851 |
-| protocol-patterns/dao-governance/SKILL.md | DeFiFoFum | Governance Protocol Security Guide | 827 |
-| protocol-patterns/lending-borrowing/SKILL.md | DeFiFoFum | Lending Protocol Security Guide | 663 |
-| protocol-patterns/staking-vesting/SKILL.md | DeFiFoFum | Staking Protocol Security Guide | 698 |
+| protocol-patterns/amm-dex/SKILL.md | DeFiFoFum | AMM (Automated Market Maker) Security Guide | 852 |
+| protocol-patterns/bridges-cross-chain/SKILL.md | DeFiFoFum | Cross-Chain Bridge Security Guide | 1083 |
+| protocol-patterns/dao-governance/SKILL.md | DeFiFoFum | Governance Protocol Security Guide | 1024 |
+| protocol-patterns/lending-borrowing/SKILL.md | DeFiFoFum | Lending Protocol Security Guide | 871 |
+| protocol-patterns/staking-vesting/SKILL.md | DeFiFoFum | Staking Protocol Security Guide | 895 |
 
 ## Checklists
 | File | Source(s) | Topic | Word Count |
 |------|-----------|-------|------------|
-| checklists/cyfrin-best-practices-runtime/SKILL.md | Cyfrin | Cyfrin Audit Checklist — Best Practices (Runtime & Cross-chain) | 4766 |
-| checklists/cyfrin-best-practices-upgrades/SKILL.md | Cyfrin | Cyfrin Audit Checklist — Best Practices (Upgrades & Versioning) | 2269 |
-| checklists/cyfrin-defi-core/SKILL.md | Cyfrin | Cyfrin Audit Checklist — DeFi Security (Core) | 4555 |
-| checklists/cyfrin-defi-integrations/SKILL.md | Cyfrin | Cyfrin Audit Checklist — DeFi Security (Integrations & Tokens) | 4632 |
-| checklists/cyfrin-gas/SKILL.md | Cyfrin | Cyfrin Audit Checklist — Gas Optimization | 443 |
-| checklists/general-audit/SKILL.md | DeFiFoFum, Cyfrin | Solidity Audit Checklist | 2341 |
+| checklists/cyfrin-best-practices-runtime/SKILL.md | Cyfrin | Cyfrin Audit Checklist — Best Practices (Runtime & Cross-chain) | 4303 |
+| checklists/cyfrin-best-practices-upgrades/SKILL.md | Cyfrin | Cyfrin Audit Checklist — Best Practices (Upgrades & Versioning) | 2053 |
+| checklists/cyfrin-defi-core/SKILL.md | Cyfrin | Cyfrin Audit Checklist — DeFi Security (Core) | 4222 |
+| checklists/cyfrin-defi-integrations/SKILL.md | Cyfrin | Cyfrin Audit Checklist — DeFi Security (Integrations & Tokens) | 4290 |
+| checklists/cyfrin-gas/SKILL.md | Cyfrin | Cyfrin Audit Checklist — Gas Optimization | 342 |
+| checklists/general-audit/SKILL.md | DeFiFoFum, Cyfrin | Solidity Audit Checklist | 2878 |
 
 ## References
 | File | Source(s) | Topic | Word Count |
 |------|-----------|-------|------------|
-| references/exploit-reference/SKILL.md | SunWeb3Sec | DeFi Exploit Reference Index | 1133 |
-| references/smartbugs-examples/SKILL.md | smartbugs | SmartBugs Curated Dataset — Vulnerable Contract Examples | 3386 |
+| references/exploit-reference/SKILL.md | SunWeb3Sec | DeFi Exploit Reference Index | 1125 |
+| references/smartbugs-examples/SKILL.md | smartbugs | SmartBugs Curated Dataset — Vulnerable Contract Examples | 1677 |
+
+## Case Studies
+| File | Source(s) | Topic | Word Count |
+|------|-----------|-------|------------|
+| case-studies/beanstalk-governance/SKILL.md | DeFiFoFum | Beanstalk Governance Attack Case Study | 420 |
+| case-studies/bzx-flash-loan/SKILL.md | DeFiFoFum | bZx Flash Loan Attack Case Study | 370 |
+| case-studies/cream-finance/SKILL.md | DeFiFoFum | Cream Finance Attack Case Study | 420 |
+| case-studies/curve-reentrancy/SKILL.md | DeFiFoFum | Curve Reentrancy Attack Case Study | 395 |
+| case-studies/dao-hack/SKILL.md | DeFiFoFum | The DAO Hack Case Study | 350 |
+| case-studies/euler-finance/SKILL.md | DeFiFoFum | Euler Finance Attack Case Study | 419 |
+| case-studies/harvest-finance/SKILL.md | DeFiFoFum | Harvest Finance Attack Case Study | 405 |
+| case-studies/level-finance/SKILL.md | DeFiFoFum | Level Finance Attack Case Study | 371 |
+| case-studies/mango-markets/SKILL.md | DeFiFoFum | Mango Markets Attack Case Study | 422 |
+| case-studies/nomad-bridge/SKILL.md | DeFiFoFum | Nomad Bridge Attack Case Study | 429 |
+| case-studies/parity-multisig/SKILL.md | DeFiFoFum | Parity Multisig Wallet Attack Case Study | 395 |
+| case-studies/poly-network/SKILL.md | DeFiFoFum | Poly Network Attack Case Study | 395 |
+| case-studies/rari-fuse/SKILL.md | DeFiFoFum | Rari Fuse Attack Case Study | 391 |
+| case-studies/ronin-bridge/SKILL.md | DeFiFoFum | Ronin Bridge Attack Case Study | 384 |
+| case-studies/wormhole-bridge/SKILL.md | DeFiFoFum | Wormhole Bridge Attack Case Study | 337 |

package/skills/README.md

@@ -7,12 +7,13 @@ The Argus knowledge base provides a structured collection of Solidity security p
 ```
 OpenCode Skills System
 ├── skills/ (bundled with plugin)
-│   ├── vulnerability-patterns/ (37 patterns from kadenzipfel + DeFiFoFum)
+│   ├── vulnerability-patterns/ (51 patterns from kadenzipfel + DeFiFoFum + BailSec + Argus)
 │   ├── methodology/ (3 files from DeFiFoFum)
 │   ├── protocol-patterns/ (5 files from DeFiFoFum)
 │   ├── checklists/ (6 files from DeFiFoFum + Cyfrin)
-│   └── references/ (2 files: SmartBugs + DeFiHackLabs)
-├── SCVD Local Index (~/.cache/opencode-argus/scvd-index.json)
+│   ├── references/ (2 files: SmartBugs + DeFiHackLabs)
+│   └── case-studies/ (15 case studies from DeFiFoFum)
+├── SCVD Local Index (~/.cache/solidity-argus/scvd-index.json)
 │   └── 7,769+ findings, auto-synced from api.scvd.dev
 └── Companion Plugins (installed separately)
     ├── Trail of Bits Skills (trailofbits/skills)
@@ -29,11 +30,12 @@ All sources in the table below must include the following metadata in their SKIL
 
 | Source | License | URL | What Was Imported |
 |--------|---------|-----|-------------------|
-| DeFiFoFum/fofum-solidity-skills | MIT | https://github.com/DeFiFoFum/fofum-solidity-skills | 15 SKILL.md files: methodology, vulnerability patterns, protocol patterns |
+| DeFiFoFum/fofum-solidity-skills | MIT | https://github.com/DeFiFoFum/fofum-solidity-skills | 15 SKILL.md files: methodology, vulnerability patterns, protocol patterns, case studies |
 | kadenzipfel/smart-contract-vulnerabilities | MIT | https://github.com/kadenzipfel/smart-contract-vulnerabilities | 37 vulnerability reference files with Detection Heuristics |
 | Cyfrin/audit-checklist | Unspecified (attributed) | https://github.com/Cyfrin/audit-checklist | 221 structured checklist items organized by category |
 | smartbugs/smartbugs-curated | Apache-2.0 | https://github.com/smartbugs/smartbugs-curated | 143 annotated vulnerable contract references |
 | SunWeb3Sec/DeFiHackLabs | Reference only | https://github.com/SunWeb3Sec/DeFiHackLabs | 15 exploit PoC GitHub URL references |
+| BailSec | CC0 | https://github.com/bailsec/BailSec | Vulnerability patterns extracted from professional audit PDFs |
 | SCVD (api.scvd.dev) | CC0 | https://api.scvd.dev | 7,769+ findings via local index (auto-synced) |
 
 ## SKILL.md Format Specification
@@ -46,10 +48,9 @@ name: topic-name          # Must match parent directory name
 description: One sentence description (1-1024 chars)
 version: 1.0.0            # Optional semver
 category: vulnerability-pattern # methodology, protocol-pattern, checklist, reference
-provenance:
-  source: "Author Name"
-  license: "MIT"
-  lastVerified: "2024-01-01"
+source_url: "https://github.com/org/repo"
+source_license: "MIT"
+imported_at: "2024-01-01T00:00:00Z"
 detection_rules:
   - regex: "pattern here"
     severity: "High"
@@ -65,7 +66,7 @@ detection_rules:
 
 ## Custom Skills
 
-To add your own skills, use the `knowledge.customSkillsDir` configuration option in your `opencode-argus.jsonc` file. Point this to a directory containing your custom `SKILL.md` files organized into subdirectories.
+To add your own skills, use the `knowledge.customSkillsDir` configuration option in your `solidity-argus.jsonc` file. Point this to a directory containing your custom `SKILL.md` files organized into subdirectories.
 
 ### Skill Overrides
 
@@ -79,25 +80,27 @@ By default, built-in skills take priority. You can change this behavior using th
 
 When set to `custom-first`, skills in your `customSkillsDir` will override built-in skills with the same name. All custom skills must have valid frontmatter with at least `name` and `description` fields.
 
-## Pattern Pack Authoring
+## Detection Rules
 
-Pattern packs are YAML files that define collections of regex-based vulnerability detectors.
+Vulnerability patterns are defined as `detection_rules` in SKILL.md frontmatter. Each skill with a `pattern_category` field is automatically discovered and loaded by the pattern checker.
 
-### Structure
+### Adding Detection Rules to a Skill
 
 ```yaml
-pack_name: "My Security Pack"
-pack_version: "1.1"
-patterns:
-  - name: "Unprotected Selfdestruct"
-    category: "access-control"
-    severity: "Critical"
-    regex: "selfdestruct\\("
-    description: "Detects use of selfdestruct which may be unprotected"
-    swc: "SWC-106"
+---
+name: my-vulnerability
+description: Description of the vulnerability
+pattern_category: reentrancy
+detection_rules:
+  - regex: '\\.call\\{value:'
+    severity: High
+    confidence: High
+    swc: SWC-107
+    description: External value transfer via low-level call
+---
 ```
 
-### Available Categories
+### Available Pattern Categories
 
 - `reentrancy`
 - `oracle-manipulation`
@@ -116,4 +119,4 @@ patterns:
 
 ## Inventory
 
-See [INVENTORY.md](./INVENTORY.md) for a complete listing of all 55 SKILL.md files currently bundled with Argus.
+See [INVENTORY.md](./INVENTORY.md) for a complete listing of all 82 SKILL.md files currently bundled with Argus.