white-hat-scanner 1.0.1

package/dist/analyzer.js

@@ -0,0 +1,852 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeProtocol = exports.contractPriority = exports.installDeps = exports.resolveCloneUrl = exports.detectSolcVersion = void 0;
+const child_process_1 = require("child_process");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const redis_1 = require("./redis");
+// ---------------------------------------------------------------------------
+// solc-select helpers
+// ---------------------------------------------------------------------------
+function findSolcSelectBin() {
+    const candidates = [
+        '/opt/homebrew/bin/solc-select',
+        '/usr/local/bin/solc-select',
+        '/usr/bin/solc-select',
+    ];
+    for (const p of candidates) {
+        if ((0, fs_1.existsSync)(p))
+            return p;
+    }
+    try {
+        const fromWhich = (0, child_process_1.execSync)('which solc-select 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim();
+        if (fromWhich)
+            return fromWhich;
+    }
+    catch { }
+    return null;
+}
+/**
+ * Parse pragma solidity version constraints from .sol files in repoDir.
+ * Returns the most commonly required version string (e.g. "0.7.6", "0.8.17").
+ * Returns null if no pragmas found or version can't be resolved.
+ */
+function detectSolcVersion(repoDir) {
+    try {
+        const result = (0, child_process_1.spawnSync)('grep', ['-rh', '--include=*.sol', 'pragma solidity', repoDir], { encoding: 'utf8', timeout: 10000 });
+        if (result.status !== 0 && !result.stdout)
+            return null;
+        const lines = result.stdout.trim().split('\n').filter(Boolean);
+        // Extract version strings, e.g. "=0.7.6", "^0.8.17", ">=0.8.0 <0.9.0"
+        const versionCounts = {};
+        for (const line of lines) {
+            // Match pinned versions first (=0.x.y), then caret/tilde, then bare ranges
+            const pinned = line.match(/pragma solidity\s*=\s*(0\.\d+\.\d+)/);
+            if (pinned) {
+                versionCounts[pinned[1]] = (versionCounts[pinned[1]] ?? 0) + 1;
+                continue;
+            }
+            const caretOrTilde = line.match(/pragma solidity\s*[\^~]\s*(0\.\d+\.\d+)/);
+            if (caretOrTilde) {
+                versionCounts[caretOrTilde[1]] = (versionCounts[caretOrTilde[1]] ?? 0) + 1;
+                continue;
+            }
+            // >=0.x.y or just 0.x.y
+            const any = line.match(/pragma solidity[^;]*?(0\.\d+\.\d+)/);
+            if (any) {
+                versionCounts[any[1]] = (versionCounts[any[1]] ?? 0) + 1;
+            }
+        }
+        if (Object.keys(versionCounts).length === 0)
+            return null;
+        // Return the most common version
+        return Object.entries(versionCounts).sort((a, b) => b[1] - a[1])[0][0];
+    }
+    catch {
+        return null;
+    }
+}
+exports.detectSolcVersion = detectSolcVersion;
+// Known good fallback versions installed on this machine (by minor series)
+const FALLBACK_VERSIONS = {
+    '0.4': '0.4.26',
+    '0.5': '0.5.17',
+    '0.6': '0.6.12',
+    '0.7': '0.7.6',
+    '0.8': '0.8.20',
+};
+/**
+ * Ensure a specific solc version is installed and active via solc-select.
+ * Returns the version that was set, or null on failure.
+ */
+function setSolcVersion(version) {
+    const bin = findSolcSelectBin();
+    if (!bin)
+        return null;
+    const toolEnv = {
+        ...process.env,
+        PATH: ['/opt/homebrew/bin', '/usr/local/bin', '/usr/bin', '/bin', process.env.PATH].filter(Boolean).join(':'),
+    };
+    // Resolve to a known stable patch version if only major.minor is given
+    const minor = version.match(/^(0\.\d+)/);
+    const resolvedVersion = FALLBACK_VERSIONS[minor?.[1] ?? ''] ?? version;
+    try {
+        // Try to use directly first (already installed)
+        const useResult = (0, child_process_1.spawnSync)(bin, ['use', resolvedVersion], {
+            encoding: 'utf8', timeout: 15000, stdio: 'pipe', env: toolEnv,
+        });
+        if (useResult.status === 0)
+            return resolvedVersion;
+    }
+    catch { }
+    // Not installed — install it
+    try {
+        (0, child_process_1.spawnSync)(bin, ['install', resolvedVersion], {
+            encoding: 'utf8', timeout: 120000, stdio: 'pipe', env: toolEnv,
+        });
+        const useResult2 = (0, child_process_1.spawnSync)(bin, ['use', resolvedVersion], {
+            encoding: 'utf8', timeout: 15000, stdio: 'pipe', env: toolEnv,
+        });
+        if (useResult2.status === 0)
+            return resolvedVersion;
+    }
+    catch { }
+    return null;
+}
+/**
+ * Detect import remappings from remappings.txt or foundry.toml.
+ * Returns array of remapping strings like ["@openzeppelin/=lib/openzeppelin/"].
+ */
+function detectRemappings(repoDir) {
+    // remappings.txt (one per line)
+    const remappingsTxt = (0, path_1.join)(repoDir, 'remappings.txt');
+    if ((0, fs_1.existsSync)(remappingsTxt)) {
+        try {
+            return (0, fs_1.readFileSync)(remappingsTxt, 'utf8')
+                .split('\n')
+                .map((l) => l.trim())
+                .filter(Boolean);
+        }
+        catch { }
+    }
+    // foundry.toml — extract remappings array
+    const foundryToml = (0, path_1.join)(repoDir, 'foundry.toml');
+    if ((0, fs_1.existsSync)(foundryToml)) {
+        try {
+            const content = (0, fs_1.readFileSync)(foundryToml, 'utf8');
+            const remappingsMatch = content.match(/remappings\s*=\s*\[([\s\S]*?)\]/);
+            if (remappingsMatch) {
+                return remappingsMatch[1]
+                    .split('\n')
+                    .map((l) => l.replace(/["',]/g, '').trim())
+                    .filter(Boolean);
+            }
+        }
+        catch { }
+    }
+    return [];
+}
+/**
+ * Docker-based Slither fallback using trailofbits/eth-security-toolbox.
+ * Only attempted if Docker is available and image is present (no auto-pull to avoid long waits).
+ */
+function runSlitherDocker(repoDir, solcVersion) {
+    try {
+        // Check docker is available
+        const dockerCheck = (0, child_process_1.spawnSync)('docker', ['info'], { encoding: 'utf8', timeout: 5000, stdio: 'pipe' });
+        if (dockerCheck.status !== 0)
+            return { findings: [], status: 'compilation_error' };
+        // Check image is already pulled (don't auto-pull — too slow and bandwidth-heavy)
+        const imageCheck = (0, child_process_1.spawnSync)('docker', ['image', 'inspect', 'trailofbits/eth-security-toolbox'], { encoding: 'utf8', timeout: 5000, stdio: 'pipe' });
+        if (imageCheck.status !== 0)
+            return { findings: [], status: 'compilation_error' };
+        const outputPath = '/tmp/slither-docker-out.json';
+        const versionCmd = solcVersion
+            ? `solc-select install ${solcVersion} 2>/dev/null; solc-select use ${solcVersion} 2>/dev/null; `
+            : '';
+        const dockerResult = (0, child_process_1.spawnSync)('docker', [
+            'run', '--rm',
+            '-v', `${repoDir}:/src`,
+            'trailofbits/eth-security-toolbox',
+            'bash', '-c',
+            `cd /src && ${versionCmd}slither . --json ${outputPath} --no-fail-pedantic 2>/dev/null; cat ${outputPath} 2>/dev/null`,
+        ], { encoding: 'utf8', timeout: 240000, stdio: 'pipe' });
+        if (!dockerResult.stdout)
+            return { findings: [], status: 'compilation_error' };
+        // Output may have extra lines before the JSON
+        const jsonStart = dockerResult.stdout.indexOf('{');
+        if (jsonStart === -1)
+            return { findings: [], status: 'compilation_error' };
+        const parsed = JSON.parse(dockerResult.stdout.slice(jsonStart));
+        const detectors = parsed?.results?.detectors || [];
+        const findings = detectors.filter((d) => d.impact === 'High' || d.impact === 'Medium' || d.impact === 'Critical');
+        return { findings, status: 'success' };
+    }
+    catch {
+        return { findings: [], status: 'compilation_error' };
+    }
+}
+function findClaudeBin() {
+    const candidates = [
+        process.env.CLAUDE_BIN,
+        '/Users/feral/.npm-global/bin/claude',
+        '/usr/local/bin/claude',
+        '/opt/homebrew/bin/claude',
+    ].filter(Boolean);
+    try {
+        const fromWhich = (0, child_process_1.execSync)('which claude 2>/dev/null', { encoding: 'utf8' }).trim();
+        if (fromWhich)
+            candidates.unshift(fromWhich);
+    }
+    catch { }
+    for (const p of candidates) {
+        if ((0, fs_1.existsSync)(p))
+            return p;
+    }
+    return candidates[0] || 'claude';
+}
+function ensureSlither() {
+    // Check common explicit paths first (launchd may not have full PATH)
+    const slitherPaths = [
+        '/opt/homebrew/bin/slither',
+        '/usr/local/bin/slither',
+        '/usr/bin/slither',
+    ];
+    for (const p of slitherPaths) {
+        if ((0, fs_1.existsSync)(p))
+            return true;
+    }
+    try {
+        const fromWhich = (0, child_process_1.execSync)('which slither 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim();
+        if (fromWhich)
+            return true;
+    }
+    catch { }
+    console.log('[whiteh] Slither not found, attempting pip3 install...');
+    try {
+        (0, child_process_1.execSync)('pip3 install slither-analyzer --break-system-packages 2>&1', { encoding: 'utf8', timeout: 120000, stdio: 'pipe' });
+        return (0, fs_1.existsSync)('/opt/homebrew/bin/slither') || (0, fs_1.existsSync)('/usr/local/bin/slither');
+    }
+    catch (e) {
+        return false;
+    }
+}
+/**
+ * DeFiLlama's `github` field is either an org name (e.g. "pendle-finance"),
+ * a full repo URL (e.g. "https://github.com/pendle-finance/pendle-core"),
+ * or an org URL (e.g. "https://github.com/BeltFi").
+ * This function resolves it to a clonable https URL by querying the GitHub API for the
+ * org's most relevant public repo (preferring Solidity repos, then by star count).
+ */
+async function resolveCloneUrl(orgOrUrl) {
+    if (orgOrUrl.startsWith('https://github.com/')) {
+        // Distinguish org URL (1 path segment) from repo URL (2 path segments)
+        const path = orgOrUrl.replace('https://github.com/', '').replace(/\/$/, '');
+        const parts = path.split('/').filter(Boolean);
+        if (parts.length >= 2) {
+            // Already a repo URL — return as-is
+            return orgOrUrl;
+        }
+        // Org URL — extract org name and resolve via API
+        const org = parts[0];
+        if (!org)
+            return null;
+        return resolveOrgToRepo(org);
+    }
+    if (orgOrUrl.startsWith('git@')) {
+        return orgOrUrl;
+    }
+    const org = orgOrUrl.trim();
+    if (!org)
+        return null;
+    return resolveOrgToRepo(org);
+}
+exports.resolveCloneUrl = resolveCloneUrl;
+async function resolveOrgToRepo(org) {
+    try {
+        const res = await fetch(`https://api.github.com/orgs/${org}/repos?sort=stars&per_page=20&type=public`, {
+            headers: {
+                'User-Agent': 'white-hat-scanner/1.0',
+                Accept: 'application/vnd.github.v3+json',
+            },
+            signal: AbortSignal.timeout(15000),
+        });
+        if (!res.ok) {
+            // Might be a user account rather than an org — try /users/:org/repos
+            const res2 = await fetch(`https://api.github.com/users/${org}/repos?sort=stars&per_page=20&type=public`, {
+                headers: {
+                    'User-Agent': 'white-hat-scanner/1.0',
+                    Accept: 'application/vnd.github.v3+json',
+                },
+                signal: AbortSignal.timeout(15000),
+            });
+            if (!res2.ok)
+                return null;
+            const repos = (await res2.json());
+            return pickBestRepo(org, repos);
+        }
+        const repos = (await res.json());
+        return pickBestRepo(org, repos);
+    }
+    catch {
+        return null;
+    }
+}
+// Repo names that are almost certainly upstream library copies, not the protocol's own code.
+const LIBRARY_REPO_PATTERNS = [
+    /^openzeppelin/i,
+    /^solmate/i,
+    /^solady/i,
+    /^forge-std/i,
+    /^hardhat/i,
+    /^foundry/i,
+    /war-room/i,
+    /^ds-/i,
+    /^dapp-/i,
+];
+function isLibraryRepo(name) {
+    return LIBRARY_REPO_PATTERNS.some((p) => p.test(name));
+}
+/** Score a repo: higher = better candidate for the protocol's core contracts. */
+function repoScore(org, r) {
+    const name = r.name.toLowerCase();
+    const orgLower = org.toLowerCase();
+    let score = 0;
+    // Heavily penalise known library copies
+    if (isLibraryRepo(r.name))
+        return -1000;
+    // Reward: org name appears in repo name (e.g. tornadocash/tornado-core)
+    if (name.includes(orgLower) || name.replace(/-/g, '').includes(orgLower.replace(/-/g, ''))) {
+        score += 50;
+    }
+    // Reward: Solidity (the protocol's actual language)
+    if (r.language === 'Solidity')
+        score += 30;
+    // Reward: contract / core / protocol / vault / pool keyword in name
+    if (/\b(core|protocol|vault|pool|main|primary)\b/.test(name))
+        score += 20;
+    if (name.includes('contract'))
+        score += 10;
+    // Stars as tiebreaker (capped to avoid inflated library star counts dominating)
+    score += Math.min(r.stargazers_count, 200) * 0.01;
+    return score;
+}
+function pickBestRepo(org, repos) {
+    if (!repos || repos.length === 0)
+        return null;
+    const active = repos.filter((r) => !r.archived && !r.fork);
+    const candidates = active.length > 0 ? active : repos;
+    const scored = candidates
+        .map((r) => ({ r, score: repoScore(org, r) }))
+        .filter(({ score }) => score > -1000)
+        .sort((a, b) => b.score - a.score);
+    if (scored.length === 0)
+        return null;
+    const best = scored[0].r;
+    return `https://github.com/${org}/${best.name}`;
+}
+function cloneRepo(githubUrl, destDir) {
+    try {
+        const result = (0, child_process_1.spawnSync)('git', ['clone', '--depth', '1', '--quiet', githubUrl, destDir], {
+            timeout: 60000,
+            encoding: 'utf8',
+        });
+        return result.status === 0;
+    }
+    catch {
+        return false;
+    }
+}
+function findSlitherBin() {
+    const candidates = [
+        '/opt/homebrew/bin/slither',
+        '/usr/local/bin/slither',
+        '/usr/bin/slither',
+    ];
+    for (const p of candidates) {
+        if ((0, fs_1.existsSync)(p))
+            return p;
+    }
+    try {
+        const fromWhich = (0, child_process_1.execSync)('which slither 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim();
+        if (fromWhich)
+            return fromWhich;
+    }
+    catch { }
+    return 'slither';
+}
+function findForgeBin() {
+    const candidates = [
+        '/Users/feral/.foundry/bin/forge',
+        '/opt/homebrew/bin/forge',
+        '/usr/local/bin/forge',
+    ];
+    for (const p of candidates) {
+        if ((0, fs_1.existsSync)(p))
+            return p;
+    }
+    try {
+        const fromWhich = (0, child_process_1.execSync)('which forge 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim();
+        if (fromWhich)
+            return fromWhich;
+    }
+    catch { }
+    return null;
+}
+/**
+ * Install project dependencies so Slither can compile the contracts.
+ * Returns a brief status string for logging.
+ */
+function installDeps(repoDir) {
+    // Hardhat / Truffle — npm install (most common for DeFi)
+    if ((0, fs_1.existsSync)((0, path_1.join)(repoDir, 'package.json'))) {
+        try {
+            (0, child_process_1.spawnSync)('npm', ['install', '--ignore-scripts', '--prefer-offline', '--no-audit'], {
+                cwd: repoDir,
+                timeout: 120000,
+                encoding: 'utf8',
+                stdio: 'pipe',
+            });
+        }
+        catch {
+            return 'npm-failed';
+        }
+        // Best-effort pre-compilation: Hardhat downloads the right solc version and
+        // caches compilation artifacts, which dramatically improves Slither's compile rate.
+        try {
+            const hardhatBin = (0, path_1.join)(repoDir, 'node_modules', '.bin', 'hardhat');
+            if ((0, fs_1.existsSync)(hardhatBin)) {
+                (0, child_process_1.spawnSync)('node', [hardhatBin, 'compile', '--quiet'], {
+                    cwd: repoDir,
+                    timeout: 120000,
+                    encoding: 'utf8',
+                    stdio: 'pipe',
+                });
+            }
+        }
+        catch { }
+        return 'npm';
+    }
+    // Foundry — forge install + forge build
+    if ((0, fs_1.existsSync)((0, path_1.join)(repoDir, 'foundry.toml'))) {
+        const forgeBin = findForgeBin();
+        const toolEnv = {
+            ...process.env,
+            PATH: [
+                '/opt/homebrew/bin',
+                '/usr/local/bin',
+                '/usr/bin',
+                '/bin',
+                '/Users/feral/.foundry/bin',
+                process.env.PATH,
+            ].filter(Boolean).join(':'),
+        };
+        const libDir = (0, path_1.join)(repoDir, 'lib');
+        // A shallow git clone (--depth 1) may create lib/ as an empty directory when
+        // submodules are registered but not populated. Check for actual content so we
+        // don't skip forge install on a repo that still needs its dependencies fetched.
+        let libHasContent = false;
+        try {
+            libHasContent = (0, fs_1.existsSync)(libDir) && (0, fs_1.readdirSync)(libDir).length > 0;
+        }
+        catch { }
+        if (forgeBin) {
+            if (!libHasContent) {
+                // Fetch registered dependencies without cloning full git history
+                (0, child_process_1.spawnSync)(forgeBin, ['install', '--no-git'], {
+                    cwd: repoDir,
+                    timeout: 120000,
+                    encoding: 'utf8',
+                    stdio: 'pipe',
+                    env: toolEnv,
+                });
+            }
+            // Pre-build so Slither can use Foundry's compilation artifacts (out/).
+            // Best-effort: continue even if some contracts fail to compile.
+            (0, child_process_1.spawnSync)(forgeBin, ['build', '--skip', 'test', 'script'], {
+                cwd: repoDir,
+                timeout: 180000,
+                encoding: 'utf8',
+                stdio: 'pipe',
+                env: toolEnv,
+            });
+        }
+        return libHasContent ? 'foundry-lib-present' : 'forge';
+    }
+    return 'no-pkg-manager';
+}
+exports.installDeps = installDeps;
+/**
+ * Count .sol files in a directory (recursive, ignores node_modules).
+ * Returns quickly (milliseconds) and is used as a fast Slither gate —
+ * no .sol files means no point running Slither.
+ */
+function countSolFiles(dir) {
+    try {
+        const result = (0, child_process_1.spawnSync)('find', [dir, '-name', '*.sol', '-not', '-path', '*/node_modules/*', '-not', '-path', '*/.git/*'], { encoding: 'utf8', timeout: 10000 });
+        if (result.status !== 0)
+            return 0;
+        return result.stdout.trim().split('\n').filter(Boolean).length;
+    }
+    catch {
+        return 0;
+    }
+}
+function runSlither(repoDir) {
+    const outputPath = (0, path_1.join)((0, os_1.tmpdir)(), `slither-${Date.now()}.json`);
+    const slitherBin = findSlitherBin();
+    // Install deps so Slither can compile — without this, Hardhat repos always return 0 findings
+    installDeps(repoDir);
+    // Detect the required solc version from pragma statements and switch to it
+    const detectedVersion = detectSolcVersion(repoDir);
+    if (detectedVersion) {
+        setSolcVersion(detectedVersion);
+    }
+    // Detect import remappings (remappings.txt or foundry.toml)
+    const remappings = detectRemappings(repoDir);
+    // Build PATH that includes common tool locations (launchd has minimal PATH)
+    const toolEnv = {
+        ...process.env,
+        PATH: [
+            '/opt/homebrew/bin',
+            '/usr/local/bin',
+            '/usr/bin',
+            '/bin',
+            '/Users/feral/.foundry/bin',
+            process.env.PATH,
+        ].filter(Boolean).join(':'),
+    };
+    const slitherArgs = [
+        '.',
+        '--json', outputPath,
+        '--disable-color',
+        '--no-fail-pedantic', // continue analysis even if some files fail to compile
+    ];
+    if (remappings.length > 0) {
+        slitherArgs.push('--solc-remaps', remappings.join(' '));
+    }
+    // For Foundry projects, pass --foundry-compile-all to get better coverage
+    if ((0, fs_1.existsSync)((0, path_1.join)(repoDir, 'foundry.toml'))) {
+        slitherArgs.push('--foundry-compile-all');
+    }
+    try {
+        const result = (0, child_process_1.spawnSync)(slitherBin, slitherArgs, {
+            cwd: repoDir,
+            timeout: 180000,
+            encoding: 'utf8',
+            stdio: 'pipe',
+            env: toolEnv,
+        });
+        // Log stderr for debugging (first 500 chars)
+        const errSnippet = (result.stderr ?? '').slice(0, 500);
+        if (errSnippet && !(0, fs_1.existsSync)(outputPath)) {
+            (0, fs_1.writeFileSync)((0, path_1.join)((0, os_1.tmpdir)(), `slither-err-${Date.now()}.txt`), errSnippet);
+        }
+        if (!(0, fs_1.existsSync)(outputPath)) {
+            // Native Slither failed — try Docker fallback
+            const dockerResult = runSlitherDocker(repoDir, detectedVersion);
+            if (dockerResult.status === 'success')
+                return dockerResult;
+            return { findings: [], status: 'compilation_error' };
+        }
+        const raw = (0, fs_1.readFileSync)(outputPath, 'utf8');
+        const parsed = JSON.parse(raw);
+        const detectors = parsed?.results?.detectors || [];
+        const findings = detectors.filter((d) => d.impact === 'High' || d.impact === 'Medium' || d.impact === 'Critical');
+        return { findings, status: 'success' };
+    }
+    catch {
+        return { findings: [], status: 'compilation_error' };
+    }
+    finally {
+        try {
+            if ((0, fs_1.existsSync)(outputPath))
+                (0, fs_1.rmSync)(outputPath);
+        }
+        catch { }
+    }
+}
+/**
+ * Returns true if a Solidity file is likely a test, mock, or interface file
+ * that shouldn't be prioritized for security review.
+ */
+function isTestOrMockFile(filePath) {
+    const base = filePath.split('/').pop() ?? '';
+    const baseLower = base.toLowerCase();
+    const pathLower = filePath.toLowerCase();
+    // Files in test/mock/interface directories
+    if (/\/(test|tests|mock|mocks|interface|interfaces|fixture|fixtures|stub|stubs|spec)\//.test(pathLower))
+        return true;
+    // Filenames starting with test/mock/interface etc. (case-insensitive)
+    if (/^(test|mock|interface|fixture|stub|spec)/.test(baseLower))
+        return true;
+    // Interface files: IPool.sol, IERC20.sol (capital I + capital letter)
+    if (/^I[A-Z]/.test(base))
+        return true;
+    // Foundry test style: Foo.t.sol
+    if (baseLower.endsWith('.t.sol'))
+        return true;
+    // Files ending with Test/Mock/Interface (e.g. PoolTest.sol, TokenMock.sol)
+    if (/(test|mock|interface|fixture|stub)\.sol$/.test(baseLower))
+        return true;
+    return false;
+}
+/**
+ * Returns a priority score for a Solidity file path.
+ * Higher = more likely to be a core protocol contract worth auditing.
+ */
+function contractPriority(filePath) {
+    const base = filePath.split('/').pop() ?? '';
+    // Deprioritise test/mock/interface files
+    if (isTestOrMockFile(filePath))
+        return 0;
+    // Boost core protocol contracts
+    if (/^(Pool|Vault|Core|Main|Protocol|Manager|Controller|Factory|Router|Staking|Lending|Borrow|Exchange|Swap|Bridge|Token|Governor|Governance|Treasury|Strategy|Proxy|Upgradeable)/i.test(base))
+        return 3;
+    if (/^(Base|Abstract|Lib|Library|Helper|Utils|Math)/i.test(base))
+        return 1;
+    return 2; // default: include, medium priority
+}
+exports.contractPriority = contractPriority;
+function summarizeContracts(repoDir) {
+    const solidityFiles = [];
+    function findSol(dir, depth = 0) {
+        if (depth > 4)
+            return;
+        try {
+            const entries = (0, child_process_1.execSync)(`ls -1 "${dir}" 2>/dev/null`, { encoding: 'utf8' })
+                .trim()
+                .split('\n')
+                .filter(Boolean);
+            for (const entry of entries) {
+                const fullPath = (0, path_1.join)(dir, entry);
+                if (entry.endsWith('.sol')) {
+                    solidityFiles.push(fullPath);
+                }
+                else if (!entry.startsWith('.') && !entry.includes('node_modules')) {
+                    try {
+                        const stat = (0, child_process_1.execSync)(`stat -f "%HT" "${fullPath}" 2>/dev/null`, { encoding: 'utf8' }).trim();
+                        if (stat === 'Directory')
+                            findSol(fullPath, depth + 1);
+                    }
+                    catch { }
+                }
+            }
+        }
+        catch { }
+    }
+    findSol(repoDir);
+    // Sort by priority: core contracts first, test/mock/interface files filtered out
+    const prioritized = solidityFiles
+        .map((f) => ({ path: f, priority: contractPriority(f) }))
+        .filter((f) => f.priority > 0)
+        .sort((a, b) => b.priority - a.priority)
+        .map((f) => f.path);
+    const snippets = [];
+    let totalChars = 0;
+    const MAX_CHARS = 16000;
+    const MAX_FILES = 15;
+    for (const f of prioritized.slice(0, MAX_FILES)) {
+        if (totalChars >= MAX_CHARS)
+            break;
+        try {
+            const content = (0, fs_1.readFileSync)(f, 'utf8');
+            const budget = Math.min(1200, MAX_CHARS - totalChars);
+            const snippet = content.slice(0, budget);
+            snippets.push(`// File: ${f.replace(repoDir, '')}\n${snippet}`);
+            totalChars += snippet.length;
+        }
+        catch { }
+    }
+    return snippets.join('\n\n---\n\n') || 'No Solidity files found';
+}
+async function runClaudeReview(protocol, slitherFindings, contractCode, sourceAvailable) {
+    const claudeBin = findClaudeBin();
+    const claudeToken = process.env.CLAUDE_CODE_OAUTH_TOKEN || process.env.ANTHROPIC_API_KEY || '';
+    const slitherSummary = slitherFindings.length > 0
+        ? slitherFindings
+            .map((f) => `[${f.impact}/${f.confidence}] ${f.check}: ${f.description?.slice(0, 200)}`)
+            .join('\n')
+        : 'No Slither findings (Slither may not be installed or no Solidity files found)';
+    const noCodeWarning = sourceAvailable
+        ? ''
+        : `
+IMPORTANT: No contract source code is available for this protocol. Your review MUST be an architecture-level threat model only.
+- Do NOT claim specific vulnerabilities exist without code evidence.
+- Set RISK_LEVEL to MEDIUM at most unless there is documented public evidence of a critical flaw.
+- Set BOUNTY_ESTIMATE_USD to 0 — speculative findings are not bounty-eligible.
+- The SUMMARY must clearly state: "Architecture review only — no source code analyzed."
+`;
+    const prompt = `You are a smart contract security auditor. Review this protocol and its contracts for critical vulnerabilities.
+
+Protocol: ${protocol.name}
+Chain: ${protocol.chain}
+TVL: $${(protocol.tvl / 1000000).toFixed(1)}M
+Source code available: ${sourceAvailable ? 'YES' : 'NO'}
+${noCodeWarning}
+Focus on:
+- Governance/voting manipulation
+- Flash loan attack vectors
+- Oracle price manipulation
+- Reentrancy
+- Access control issues
+- Economic exploits
+
+Slither findings:
+${slitherSummary}
+
+Contract code summary:
+${contractCode}
+
+Respond in this exact format:
+RISK_LEVEL: <CRITICAL|HIGH|MEDIUM|LOW>
+BOUNTY_ESTIMATE_USD: <number>
+SUMMARY: <one paragraph disclosure summary>
+FULL_REVIEW: <detailed analysis>`;
+    const promptFile = (0, path_1.join)((0, os_1.tmpdir)(), `whiteh-prompt-${Date.now()}.txt`);
+    try {
+        (0, fs_1.writeFileSync)(promptFile, prompt, 'utf8');
+        const env = { ...process.env };
+        if (claudeToken) {
+            if (claudeToken.startsWith('sk-ant-oat')) {
+                env.CLAUDE_CODE_OAUTH_TOKEN = claudeToken;
+            }
+            else {
+                env.ANTHROPIC_API_KEY = claudeToken;
+            }
+        }
+        const result = (0, child_process_1.spawnSync)(claudeBin, ['--print', '--dangerously-skip-permissions', '-p', prompt], {
+            encoding: 'utf8',
+            timeout: 120000,
+            env,
+            stdio: 'pipe',
+        });
+        const output = result.stdout || '';
+        const riskMatch = output.match(/RISK_LEVEL:\s*(CRITICAL|HIGH|MEDIUM|LOW)/i);
+        const bountyMatch = output.match(/BOUNTY_ESTIMATE_USD:\s*(\d+)/i);
+        const summaryMatch = output.match(/SUMMARY:\s*(.+?)(?=\nFULL_REVIEW:|$)/is);
+        return {
+            review: output,
+            riskLevel: riskMatch?.[1]?.toUpperCase() || 'UNKNOWN',
+            bounty: bountyMatch ? parseInt(bountyMatch[1], 10) : 0,
+            summary: summaryMatch?.[1]?.trim() || 'No summary generated',
+        };
+    }
+    catch (err) {
+        return {
+            review: `Claude review failed: ${err.message}`,
+            riskLevel: 'UNKNOWN',
+            bounty: 0,
+            summary: 'Review failed',
+        };
+    }
+    finally {
+        try {
+            if ((0, fs_1.existsSync)(promptFile))
+                (0, fs_1.rmSync)(promptFile);
+        }
+        catch { }
+    }
+}
+async function analyzeProtocol(protocol) {
+    await (0, redis_1.log)(`Analyzing protocol: ${protocol.name} (TVL: $${(protocol.tvl / 1000000).toFixed(1)}M)`);
+    const result = {
+        protocolId: protocol.id,
+        protocolName: protocol.name,
+        chain: protocol.chain,
+        tvl: protocol.tvl,
+        slitherFindings: [],
+        slitherStatus: 'not_applicable',
+        claudeReview: '',
+        riskLevel: 'UNKNOWN',
+        estimatedBounty: 0,
+        disclosureSummary: '',
+        scannedAt: Date.now(),
+        sourceAvailable: false,
+    };
+    if (!protocol.github) {
+        await (0, redis_1.log)(`${protocol.name}: no GitHub URL, running Claude-only review`);
+        const { review, riskLevel, bounty, summary } = await runClaudeReview(protocol, [], 'No repository available', false);
+        result.claudeReview = review;
+        result.riskLevel = riskLevel;
+        result.estimatedBounty = bounty;
+        result.disclosureSummary = summary;
+        result.sourceAvailable = false;
+        return result;
+    }
+    const tempDir = (0, path_1.join)((0, os_1.tmpdir)(), `whiteh-${protocol.id}-${Date.now()}`);
+    try {
+        (0, fs_1.mkdirSync)(tempDir, { recursive: true });
+        const cloneUrl = await resolveCloneUrl(protocol.github);
+        if (!cloneUrl) {
+            await (0, redis_1.log)(`${protocol.name}: could not resolve GitHub org "${protocol.github}" to a clone URL, running Claude-only review`);
+            const { review, riskLevel, bounty, summary } = await runClaudeReview(protocol, [], 'Repository URL could not be resolved', false);
+            result.claudeReview = review;
+            result.riskLevel = riskLevel;
+            result.estimatedBounty = bounty;
+            result.disclosureSummary = summary;
+            result.sourceAvailable = false;
+            return result;
+        }
+        await (0, redis_1.log)(`${protocol.name}: cloning ${cloneUrl} (org: ${protocol.github})`);
+        const cloned = cloneRepo(cloneUrl, tempDir);
+        if (!cloned) {
+            await (0, redis_1.log)(`${protocol.name}: clone failed, running Claude-only review`);
+            const { review, riskLevel, bounty, summary } = await runClaudeReview(protocol, [], 'Repository clone failed', false);
+            result.claudeReview = review;
+            result.riskLevel = riskLevel;
+            result.estimatedBounty = bounty;
+            result.disclosureSummary = summary;
+            result.sourceAvailable = false;
+            return result;
+        }
+        result.sourceAvailable = true;
+        const solCount = countSolFiles(tempDir);
+        if (solCount === 0) {
+            result.slitherStatus = 'not_applicable';
+            await (0, redis_1.log)(`${protocol.name}: no .sol files found — skipping Slither (non-EVM or frontend repo)`);
+        }
+        else {
+            await (0, redis_1.log)(`${protocol.name}: found ${solCount} .sol file(s)`);
+            const slitherAvailable = ensureSlither();
+            if (slitherAvailable) {
+                await (0, redis_1.log)(`${protocol.name}: running Slither analysis`);
+                const slitherResult = runSlither(tempDir);
+                result.slitherFindings = slitherResult.findings;
+                result.slitherStatus = slitherResult.status;
+                if (slitherResult.status === 'compilation_error') {
+                    await (0, redis_1.log)(`${protocol.name}: Slither compilation error — no static findings (contracts may use unsupported compiler or missing deps)`);
+                }
+                else {
+                    await (0, redis_1.log)(`${protocol.name}: Slither found ${result.slitherFindings.length} HIGH/CRITICAL findings`);
+                }
+            }
+            else {
+                result.slitherStatus = 'unavailable';
+                await (0, redis_1.log)(`${protocol.name}: Slither unavailable, skipping static analysis`);
+            }
+        }
+        const contractCode = summarizeContracts(tempDir);
+        await (0, redis_1.log)(`${protocol.name}: running Claude security review`);
+        const { review, riskLevel, bounty, summary } = await runClaudeReview(protocol, result.slitherFindings, contractCode, true);
+        result.claudeReview = review;
+        result.riskLevel = riskLevel;
+        result.estimatedBounty = bounty;
+        result.disclosureSummary = summary;
+        await (0, redis_1.log)(`${protocol.name}: analysis complete — risk=${riskLevel}, bounty=$${bounty}`);
+    }
+    catch (err) {
+        result.error = err.message;
+        await (0, redis_1.log)(`${protocol.name}: analysis error: ${result.error}`);
+    }
+    finally {
+        try {
+            if ((0, fs_1.existsSync)(tempDir))
+                (0, fs_1.rmSync)(tempDir, { recursive: true, force: true });
+        }
+        catch { }
+    }
+    return result;
+}
+exports.analyzeProtocol = analyzeProtocol;