solidity-argus 0.3.6 → 0.5.6

package/src/tools/report-preflight.ts

@@ -45,6 +45,10 @@ function hasCompletedTool(events: AuditEvent[], toolName: string): boolean {
   return false
 }
 
+function hasRunFinalized(events: AuditEvent[]): boolean {
+  return events.some((event) => event.type === "run.finalized")
+}
+
 export function checkReportPreflight(
   events: AuditEvent[],
   options: PreflightOptions = {},
@@ -53,7 +57,7 @@ export function checkReportPreflight(
   if (!hasSessionCreated(events)) {
     missingLifecycle.push("session.created")
   }
-  if (!hasSessionDeleted(events)) {
+  if (!hasSessionDeleted(events) && !hasRunFinalized(events)) {
     missingLifecycle.push("session.deleted")
   }
 

package/src/tools/slither-tool.ts

@@ -230,20 +230,22 @@ async function defaultSpawnFn(
   return { stdout, exitCode }
 }
 
-const defaultFlattenDeps: FlattenFallbackDeps = {
-  runCommand: runSlitherCommand,
-  hasBinary,
-  ensureSolc,
-  parseSolcVersion,
-  extractContractNames,
-  spawnFn: defaultSpawnFn,
-  cwd: process.cwd(),
+function getDefaultFlattenDeps(): FlattenFallbackDeps {
+  return {
+    runCommand: runSlitherCommand,
+    hasBinary,
+    ensureSolc,
+    parseSolcVersion,
+    extractContractNames,
+    spawnFn: defaultSpawnFn,
+    cwd: process.cwd(),
+  }
 }
 
 export async function flattenFallback(
   args: SlitherArgs,
   context: ToolContext,
-  deps: FlattenFallbackDeps = defaultFlattenDeps,
+  deps: FlattenFallbackDeps = getDefaultFlattenDeps(),
 ): Promise<SlitherAnalyzeResult | undefined> {
   const startedAt = Date.now()
 
@@ -309,14 +311,37 @@ export async function flattenFallback(
         ],
         { timeout: 5_000 },
       )
-      if (findResult.exitCode !== 0) return undefined
+      if (findResult.exitCode !== 0) {
+        return {
+          success: false,
+          findingsCount: 0,
+          findings: [],
+          executionTime: Date.now() - startedAt,
+          errors: ["[flatten-fallback] find command failed — could not discover .sol files"],
+        }
+      }
       solFiles = findResult.stdout.trim().split("\n").filter(Boolean)
-    } catch (_e) {
-      return undefined
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e)
+      return {
+        success: false,
+        findingsCount: 0,
+        findings: [],
+        executionTime: Date.now() - startedAt,
+        errors: [`[flatten-fallback] file discovery failed: ${msg}`],
+      }
     }
   }
 
-  if (solFiles.length === 0) return undefined
+  if (solFiles.length === 0) {
+    return {
+      success: false,
+      findingsCount: 0,
+      findings: [],
+      executionTime: Date.now() - startedAt,
+      errors: ["[flatten-fallback] no .sol files found in target directory"],
+    }
+  }
 
   const tmpDir = mkdtempSync(join(tmpdir(), "argus-slither-"))
   const allFindings: Finding[] = []
@@ -412,6 +437,7 @@ function parseFindings(payload: SlitherPayload): Finding[] {
       id: createFindingID(check, file, lines),
       check,
       severity: mapSeverity(detector.impact),
+      impact: detector.impact,
       confidence: mapConfidence(detector.confidence),
       description: detector.description ?? "",
       file,
@@ -431,9 +457,22 @@ export async function executeSlitherAnalyze(
   const startedAt = Date.now()
   context.metadata({ title: `Slither analysis: ${args.target}` })
 
+  if (args.solc_version && !/^\d+\.\d+\.\d+$/.test(args.solc_version)) {
+    return {
+      success: false,
+      findingsCount: 0,
+      findings: [],
+      executionTime: Date.now() - startedAt,
+      errors: [
+        `Invalid solc_version format: "${args.solc_version}". Expected semver format (e.g. 0.8.20)`,
+      ],
+      error: `Invalid solc_version format: "${args.solc_version}". Expected semver format (e.g. 0.8.20)`,
+    }
+  }
+
   if (args.via_ir) {
     const fallbackResult = await flattenFallback(args, context, {
-      ...defaultFlattenDeps,
+      ...getDefaultFlattenDeps(),
       runCommand,
       cwd: projectDir,
     })
@@ -471,7 +510,7 @@ export async function executeSlitherAnalyze(
       const message = error instanceof Error ? error.message : "Unknown parse error"
       if (shouldTryFlattenFallback(errors, runResult.stderr)) {
         const fallbackResult = await flattenFallback(args, context, {
-          ...defaultFlattenDeps,
+          ...getDefaultFlattenDeps(),
           runCommand,
           cwd: projectDir,
         })
@@ -496,7 +535,7 @@ export async function executeSlitherAnalyze(
 
     if (!success && findings.length === 0 && shouldTryFlattenFallback(errors, runResult.stderr)) {
       const fallbackResult = await flattenFallback(args, context, {
-        ...defaultFlattenDeps,
+        ...getDefaultFlattenDeps(),
         runCommand,
         cwd: projectDir,
       })

package/src/tools/solodit-search-tool.ts

@@ -1,24 +1,25 @@
 import type { ToolDefinition } from "@opencode-ai/plugin"
 import { type ToolContext, tool } from "@opencode-ai/plugin"
 import { createLogger } from "../shared/logger"
-import { soloditAvailable } from "../solodit-lifecycle"
+import { isSoloditAvailable } from "../solodit-lifecycle"
 
 const logger = createLogger()
 
-const SOLODIT_MCP_SERVER = "solodit-mcp"
 const SOLODIT_MCP_TOOLS = ["search", "search_findings"] as const
 const DEFAULT_LIMIT = 10
-const DEFAULT_SOLODIT_PORT = 3000
+export const DEFAULT_SOLODIT_PORT = 54173
 const SOLODIT_HTTP_TIMEOUT_MS = 10_000
+const SOLODIT_TRPC_TIMEOUT_MS = 15_000
+const SOLODIT_TRPC_ENDPOINT = "https://solodit.cyfrin.io/api/trpc/findings.get"
 
 type SoloditSearchArgs = {
   query: string
-  severity?: string[]
   limit?: number
 }
 
-type SoloditFinding = {
+export type SoloditFinding = {
   title: string
+  slug: string
   severity: string
   description: string
   protocol: string
@@ -33,22 +34,38 @@ export type SoloditSearchResult = {
   error?: string
 }
 
-export type CallMcpTool = (
-  server: string,
-  tool: string,
-  args: Record<string, unknown>,
-) => Promise<unknown>
+/** Fetch abstraction for testing */
+export type SoloditFetch = (input: string | URL | Request, init?: RequestInit) => Promise<Response>
 
-type McpCapableContext = ToolContext & { callMcpTool: CallMcpTool }
+// ---------------------------------------------------------------------------
+// Shared helpers
+// ---------------------------------------------------------------------------
 
-function hasMcpCapability(ctx: ToolContext): ctx is McpCapableContext {
-  return "callMcpTool" in ctx
+/** Extract severity from common audit title prefixes like [H-01], [M-17], H-1:, M-2: */
+function extractSeverityFromTitle(title: string): string {
+  const match = title.match(/^\[?([HMhm])[-\s]?\d+\]?[:\s]/)
+  if (match) {
+    const letter = match[1]?.toUpperCase()
+    if (letter === "H") return "High"
+    if (letter === "M") return "Medium"
+  }
+  const prefixMatch = title.match(/^\[?(Critical|High|Medium|Low|Informational)\]?[:\s-]/i)
+  if (prefixMatch) {
+    const severity = prefixMatch[1]
+    if (!severity) return ""
+    const s = severity.toLowerCase()
+    return s.charAt(0).toUpperCase() + s.slice(1)
+  }
+  return ""
 }
 
+const SOLODIT_BASE_URL = "https://solodit.cyfrin.io/issues"
+
 function parseFinding(raw: unknown): SoloditFinding {
   if (typeof raw !== "object" || raw === null) {
     return {
       title: "",
+      slug: "",
       severity: "",
       description: "",
       protocol: "",
@@ -58,20 +75,32 @@ function parseFinding(raw: unknown): SoloditFinding {
   }
 
   const obj = raw as Record<string, unknown>
+  const title = typeof obj.title === "string" ? obj.title : ""
+  const slug = typeof obj.slug === "string" ? obj.slug : ""
+  const severity =
+    typeof obj.severity === "string" && obj.severity.length > 0
+      ? obj.severity
+      : extractSeverityFromTitle(title)
+  const url =
+    typeof obj.url === "string" && obj.url.length > 0
+      ? obj.url
+      : slug.length > 0
+        ? `${SOLODIT_BASE_URL}/${slug}`
+        : ""
+
   return {
-    title: typeof obj.title === "string" ? obj.title : "",
-    severity: typeof obj.severity === "string" ? obj.severity : "",
-    description: typeof obj.description === "string" ? obj.description : "",
+    title,
+    slug,
+    severity,
+    description: typeof obj.description === "string" ? obj.description : title,
     protocol: typeof obj.protocol === "string" ? obj.protocol : "",
-    url: typeof obj.url === "string" ? obj.url : "",
+    url,
     remediation: typeof obj.remediation === "string" ? obj.remediation : "",
   }
 }
 
 function parseFindings(response: unknown): SoloditFinding[] {
-  if (!Array.isArray(response)) {
-    return []
-  }
+  if (!Array.isArray(response)) return []
   return response.map(parseFinding)
 }
 
@@ -89,49 +118,18 @@ function parseFindingsFromAnyResponse(response: unknown): SoloditFinding[] {
 
 function hasMcpError(response: unknown): boolean {
   if (typeof response !== "object" || response === null) return false
-  const obj = response as Record<string, unknown>
-  return "error" in obj
-}
-
-function normalizeImpacts(
-  severity?: string[],
-): Array<"HIGH" | "MEDIUM" | "LOW" | "GAS"> | undefined {
-  if (!severity || severity.length === 0) return undefined
-  const allowed = new Set(["HIGH", "MEDIUM", "LOW", "GAS"] as const)
-  const impacts = severity
-    .map((s) => s.toUpperCase())
-    .filter((s): s is "HIGH" | "MEDIUM" | "LOW" | "GAS" =>
-      allowed.has(s as "HIGH" | "MEDIUM" | "LOW" | "GAS"),
-    )
-  return impacts.length > 0 ? impacts : undefined
+  return "error" in (response as Record<string, unknown>)
 }
 
 function buildMcpArgs(
   toolName: (typeof SOLODIT_MCP_TOOLS)[number],
   query: string,
   limit: number,
-  severity?: string[],
 ): Record<string, unknown> {
   if (toolName === "search") {
     return { keywords: query }
   }
-
-  const impact = normalizeImpacts(severity)
-  return {
-    keywords: query,
-    ...(impact ? { impact } : {}),
-    pageSize: limit,
-  }
-}
-
-function filterFindingsBySeverity(
-  findings: SoloditFinding[],
-  severities?: string[],
-): SoloditFinding[] {
-  if (!severities || severities.length === 0) return findings
-
-  const allowed = new Set(severities.map((s) => s.toLowerCase()))
-  return findings.filter((finding) => allowed.has(finding.severity.toLowerCase()))
+  return { keywords: query, pageSize: limit }
 }
 
 function parseSseData(body: string): unknown {
@@ -185,17 +183,26 @@ function extractFindingsFromMcpResponse(envelope: unknown): SoloditFinding[] {
   return []
 }
 
-async function callSoloditHttp(
+// ---------------------------------------------------------------------------
+// Primary path: MCP HTTP
+// ---------------------------------------------------------------------------
+
+async function callSoloditMcpHttp(
   query: string,
   limit: number,
-  severities?: string[],
-  port: number = DEFAULT_SOLODIT_PORT,
-): Promise<SoloditSearchResult> {
+  port: number,
+  fetchImpl: SoloditFetch = fetch,
+): Promise<SoloditSearchResult | null> {
+  if (!isSoloditAvailable()) {
+    logger.debug(`[solodit] MCP not available — skipping HTTP primary path`)
+    return null
+  }
+
   let lastError: string | undefined
 
   for (const toolName of SOLODIT_MCP_TOOLS) {
     try {
-      const response = await fetch(`http://localhost:${port}/mcp`, {
+      const response = await fetchImpl(`http://localhost:${port}/mcp`, {
         method: "POST",
         headers: {
           "Content-Type": "application/json",
@@ -204,7 +211,7 @@ async function callSoloditHttp(
         body: JSON.stringify({
           jsonrpc: "2.0",
           method: "tools/call",
-          params: { name: toolName, arguments: buildMcpArgs(toolName, query, limit, severities) },
+          params: { name: toolName, arguments: buildMcpArgs(toolName, query, limit) },
           id: 1,
         }),
         signal: AbortSignal.timeout(SOLODIT_HTTP_TIMEOUT_MS),
@@ -222,8 +229,7 @@ async function callSoloditHttp(
         continue
       }
 
-      const findings = filterFindingsBySeverity(parseFindingsFromAnyResponse(envelope), severities)
-
+      const findings = parseFindingsFromAnyResponse(envelope)
       return { results: findings.slice(0, limit), totalFound: findings.length, query }
     } catch (error) {
       const message = error instanceof Error ? error.message : "Unknown error"
@@ -231,86 +237,228 @@ async function callSoloditHttp(
     }
   }
 
-  return { results: [], totalFound: 0, query, error: lastError ?? "Solodit MCP call failed" }
+  logger.debug(
+    `[solodit] MCP HTTP failed: ${lastError ?? "all tools failed"} — will try tRPC fallback`,
+  )
+  return null
+}
+
+// ---------------------------------------------------------------------------
+// Fallback path: tRPC direct to solodit.cyfrin.io
+// ---------------------------------------------------------------------------
+
+function buildTrpcInput(query: string, page: number = 1): string {
+  const inner = JSON.stringify([
+    { filters: 1, page: 20 },
+    {
+      keywords: 2,
+      firms: 3,
+      tags: 4,
+      forked: 5,
+      impact: 6,
+      user: -1,
+      protocol: -1,
+      reported: 10,
+      reportedAfter: -1,
+      protocolCategory: 13,
+      minFinders: 14,
+      maxFinders: 15,
+      rarityScore: 16,
+      qualityScore: 16,
+      bookmarked: 17,
+      read: 17,
+      unread: 17,
+      sortField: 18,
+      sortDirection: 19,
+    },
+    query,
+    [],
+    [],
+    [],
+    [7, 8, 9],
+    "HIGH",
+    "MEDIUM",
+    "LOW",
+    { label: 11, value: 12 },
+    "All time",
+    "alltime",
+    [],
+    "1",
+    "100",
+    1,
+    true,
+    "Recency",
+    "Desc",
+    page,
+  ])
+  return JSON.stringify({ 0: inner })
 }
 
-export async function executeSoloditSearch(
-  args: SoloditSearchArgs,
-  context: ToolContext,
-  callMcpTool?: CallMcpTool,
-  port: number = DEFAULT_SOLODIT_PORT,
-): Promise<SoloditSearchResult> {
-  const { query } = args
-  const limit = args.limit ?? DEFAULT_LIMIT
+function truncateDescription(content: string): string {
+  return content.length > 500 ? `${content.slice(0, 500)}...` : content
+}
 
-  context.metadata({ title: `Solodit search: ${query}` })
+function mapTrpcFinding(raw: unknown): SoloditFinding {
+  if (typeof raw !== "object" || raw === null) {
+    return {
+      title: "",
+      slug: "",
+      severity: "",
+      description: "",
+      protocol: "",
+      url: "",
+      remediation: "",
+    }
+  }
 
-  const mcpCaller = callMcpTool ?? (hasMcpCapability(context) ? context.callMcpTool : undefined)
+  const finding = raw as Record<string, unknown>
+  const slug = typeof finding.slug === "string" ? finding.slug : ""
+  const content = typeof finding.content === "string" ? finding.content : ""
 
-  // When MCP is unavailable or no caller exists, go straight to HTTP fallback
-  if (!mcpCaller) {
-    const reason = !soloditAvailable ? "MCP unavailable" : "no callMcpTool"
-    logger.debug(`[solodit] ${reason} — using HTTP fallback for query: ${query}`)
-    return callSoloditHttp(query, limit, args.severity, port)
+  return {
+    title: typeof finding.title === "string" ? finding.title : "",
+    slug,
+    severity: typeof finding.impact === "string" ? finding.impact : "",
+    description: truncateDescription(content),
+    protocol: typeof finding.protocol_name === "string" ? finding.protocol_name : "",
+    url: slug ? `https://solodit.cyfrin.io/issues/${slug}` : "",
+    remediation: "",
   }
+}
 
-  // MCP path: try each tool name in order, fall back to HTTP on any failure
-  let hadMcpError = false
-  for (const toolName of SOLODIT_MCP_TOOLS) {
-    try {
-      logger.debug(
-        `[solodit] Trying MCP tool '${toolName}' on server '${SOLODIT_MCP_SERVER}' for query: ${query}`,
-      )
-      const response = await mcpCaller(
-        SOLODIT_MCP_SERVER,
-        toolName,
-        buildMcpArgs(toolName, query, limit, args.severity),
-      )
-
-      if (hasMcpError(response)) {
-        logger.debug(`[solodit] MCP tool '${toolName}' returned error envelope — trying next tool`)
-        hadMcpError = true
-        continue
+function parseTrpcData(dataStr: string): { findings?: unknown } {
+  const cleaned = dataStr.trim().replace(/^\(/, "").replace(/\)$/, "")
+
+  // Try standard JSON first
+  try {
+    return JSON.parse(cleaned) as { findings?: unknown }
+  } catch {
+    // Fall through to unquoted-key fixup
+  }
+
+  // Fallback: attempt to fix unquoted keys
+  try {
+    const fixed = cleaned.replace(/([{,]\s*)([a-zA-Z_]\w*)\s*:/g, '$1"$2":')
+    return JSON.parse(fixed) as { findings?: unknown }
+  } catch {
+    return {}
+  }
+}
+
+async function callSoloditTrpc(
+  query: string,
+  limit: number,
+  fetchImpl: SoloditFetch = fetch,
+): Promise<SoloditSearchResult> {
+  try {
+    const input = buildTrpcInput(query)
+    const url = `${SOLODIT_TRPC_ENDPOINT}?batch=1&input=${encodeURIComponent(input)}`
+    const response = await fetchImpl(url, {
+      method: "GET",
+      headers: {
+        accept: "*/*",
+        referer: "https://solodit.cyfrin.io/",
+        origin: "https://solodit.cyfrin.io",
+      },
+      signal: AbortSignal.timeout(SOLODIT_TRPC_TIMEOUT_MS),
+    })
+
+    if (!response.ok) {
+      return {
+        results: [],
+        totalFound: 0,
+        query,
+        error: `Solodit tRPC returned ${response.status}`,
       }
+    }
 
-      const findings = filterFindingsBySeverity(
-        parseFindingsFromAnyResponse(response),
-        args.severity,
-      )
+    const responseText = await response.text()
+    const batchResults = JSON.parse(responseText) as Array<Record<string, unknown>>
+    const first = batchResults[0] as { result?: { data?: unknown } } | undefined
+    const dataStr = typeof first?.result?.data === "string" ? first.result.data : ""
 
-      logger.debug(`[solodit] MCP tool '${toolName}' succeeded — found ${findings.length} findings`)
+    if (!dataStr) {
       return {
-        results: findings.slice(0, limit),
-        totalFound: findings.length,
+        results: [],
+        totalFound: 0,
         query,
+        error: "Solodit tRPC response did not include result data",
       }
-    } catch {
-      logger.debug(`[solodit] MCP tool '${toolName}' threw — trying next tool`)
-      hadMcpError = true
     }
+
+    const parsed = parseTrpcData(dataStr)
+    if (!Array.isArray(parsed.findings)) {
+      return { results: [], totalFound: 0, query, error: "Failed to parse Solodit response" }
+    }
+    const findingsRaw = parsed.findings
+    const findings = findingsRaw.map(mapTrpcFinding)
+    return { results: findings.slice(0, limit), totalFound: findings.length, query }
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Unknown error"
+    logger.debug(`[solodit] tRPC fallback error for query '${query}': ${message}`)
+    return { results: [], totalFound: 0, query, error: `Solodit tRPC fallback failed: ${message}` }
   }
+}
 
-  // All MCP tools failed — fall back to HTTP
-  logger.debug(
-    `[solodit] All MCP tools failed (hadMcpError=${hadMcpError}) — falling back to HTTP for query: ${query}`,
-  )
-  return callSoloditHttp(query, limit, args.severity, port)
+// ---------------------------------------------------------------------------
+// Main entry point
+// ---------------------------------------------------------------------------
+
+export async function executeSoloditSearch(
+  args: SoloditSearchArgs,
+  context: ToolContext,
+  port: number = DEFAULT_SOLODIT_PORT,
+  fetchImpl: SoloditFetch = fetch,
+): Promise<SoloditSearchResult> {
+  const { query } = args
+  const limit = args.limit ?? DEFAULT_LIMIT
+
+  context.metadata({ title: `Solodit search: ${query}` })
+
+  // Primary: MCP HTTP to local solodit-mcp server
+  const mcpResult = await callSoloditMcpHttp(query, limit, port, fetchImpl)
+  if (mcpResult !== null && mcpResult.results.length > 0) {
+    logger.debug(`[solodit] MCP HTTP returned ${mcpResult.results.length} findings for '${query}'`)
+    return mcpResult
+  }
+
+  // Fallback: tRPC direct to solodit.cyfrin.io
+  logger.debug(`[solodit] Falling back to tRPC for query: ${query}`)
+  return callSoloditTrpc(query, limit, fetchImpl)
 }
 
 export function createSoloditSearchTool(port: number = DEFAULT_SOLODIT_PORT): ToolDefinition {
   return tool({
     description:
-      "Search Solodit audit findings database for known vulnerabilities and past audit results via the Solodit MCP server.",
+      "Search Solodit audit findings database for known vulnerabilities and past audit results.",
     args: {
       query: tool.schema.string(),
-      severity: tool.schema.array(tool.schema.string()).optional(),
       limit: tool.schema.number().optional(),
     },
     async execute(args, context) {
-      const result = await executeSoloditSearch(args, context, undefined, port)
+      const result = await executeSoloditSearch(args, context, port)
       return JSON.stringify(result)
     },
   })
 }
 
 export const soloditSearchTool = createSoloditSearchTool()
+
+// ---------------------------------------------------------------------------
+// Test-only exports
+// ---------------------------------------------------------------------------
+
+export const _testExports = {
+  buildTrpcInput,
+  mapTrpcFinding,
+  truncateDescription,
+  callSoloditMcpHttp,
+  callSoloditTrpc,
+  parseSseData,
+  extractFindingsFromMcpResponse,
+  parseFindingsFromAnyResponse,
+  parseFinding,
+  buildMcpArgs,
+  hasMcpError,
+  parseTrpcData,
+}

package/src/tools/sync-knowledge-tool.ts

@@ -1,10 +1,9 @@
-import os from "node:os"
-import path from "node:path"
 import { type ToolContext, tool } from "@opencode-ai/plugin"
 import { loadArgusConfig } from "../config/loader"
 import type { ArgusConfig } from "../config/types"
 import { ScvdClient } from "../knowledge/scvd-client"
 import { type SyncResult, syncAll, syncIncremental } from "../knowledge/scvd-sync"
+import { getScvdIndexPath } from "../shared/cache-paths"
 import { resolveProjectDir } from "../shared/project-utils"
 
 type SyncKnowledgeArgs = {
@@ -82,7 +81,7 @@ export async function executeSyncKnowledge(
     }
 
     const apiUrl = argusConfig.knowledge?.scvd?.apiUrl ?? DEFAULT_SCVD_API_URL
-    const indexPath = path.join(os.homedir(), ".cache", "solidity-argus", "scvd-index.json")
+    const indexPath = getScvdIndexPath()
 
     const client = dependencies.createClient(apiUrl, context.abort)
     const result = args.force