white-hat-scanner 1.0.1

package/dist/scorer.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scoreFindings = void 0;
+const RISK_SCORES = {
+    CRITICAL: 10,
+    HIGH: 7,
+    MEDIUM: 4,
+    LOW: 1,
+    UNKNOWN: 0,
+};
+function scoreFindings(result) {
+    const severity = RISK_SCORES[result.riskLevel] ?? 0;
+    const slitherBonus = Math.min(result.slitherFindings.length * 0.5, 3);
+    const finalScore = severity + slitherBonus;
+    // Alert rules:
+    // - Source code must have been reviewed (no speculative architecture assessments)
+    // - CRITICAL requires at least 1 Slither finding to confirm — Claude-only CRITICAL is too noisy
+    // - HIGH without Slither is acceptable (Claude can catch logic issues Slither misses)
+    const needsAlert = result.sourceAvailable &&
+        (result.riskLevel === 'HIGH' ||
+            (result.riskLevel === 'CRITICAL' && result.slitherFindings.length > 0));
+    return {
+        protocolName: result.protocolName,
+        riskLevel: result.riskLevel,
+        severity: finalScore,
+        estimatedBounty: result.estimatedBounty,
+        disclosureSummary: result.disclosureSummary,
+        slitherCount: result.slitherFindings.length,
+        needsAlert,
+        sourceAvailable: result.sourceAvailable,
+    };
+}
+exports.scoreFindings = scoreFindings;

package/dist/submission.js

@@ -0,0 +1,103 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSubmissionDraft = exports.formatImmunefireport = void 0;
+const redis_1 = require("./redis");
+const NOTIFY_CHANNEL = 'cca:notify:money-brain';
+/** Minimum bounty to bother generating an Immunefi submission draft */
+const MIN_BOUNTY_USD = 10000;
+/**
+ * Format an Immunefi-style bug report from the Claude analysis summary.
+ * This is a draft for human review — never auto-submitted.
+ */
+function slitherStatusNote(scored, status) {
+    if (scored.slitherCount > 0) {
+        return `Slither static analysis confirmed ${scored.slitherCount} HIGH/CRITICAL finding(s).`;
+    }
+    switch (status) {
+        case 'compilation_error':
+            return 'Note: Slither could not compile the contracts (likely missing compiler version or unresolved imports). Static analysis results are unavailable; the above is Claude-only analysis. A PoC is required before submission.';
+        case 'unavailable':
+            return 'Note: Slither was not available in this scan environment. Static analysis results are unavailable; the above is Claude-only analysis.';
+        case 'not_applicable':
+            return 'Note: Slither static analysis was not applicable (non-EVM chain or no source code available). The above is Claude-only analysis based on protocol architecture.';
+        case 'success':
+        default:
+            return 'Note: Slither ran successfully but found no HIGH/CRITICAL findings. The above is Claude\'s manual review.';
+    }
+}
+function formatImmunefireport(result, scored) {
+    const severity = scored.riskLevel === 'CRITICAL' ? 'Critical' : 'High';
+    const slitherNote = slitherStatusNote(scored, result.slitherStatus ?? 'not_applicable');
+    return `# Immunefi Bug Report Draft — ${result.protocolName}
+<!-- AUTO-GENERATED DRAFT — requires human review before submission -->
+<!-- Immunefi portal: https://immunefi.com/bug-bounty/${result.protocolName.toLowerCase().replace(/\s+/g, '-')}/information/ -->
+
+## Severity
+${severity}
+
+## Affected Protocol
+- Name: ${result.protocolName}
+- Chain: ${result.chain ?? 'Ethereum'}
+- TVL at time of report: ${result.tvl != null ? `$${(result.tvl / 1e6).toFixed(1)}M` : 'unknown'}
+
+## Vulnerability Description
+${result.disclosureSummary}
+
+## Static Analysis
+${slitherNote}
+
+## Impact
+A successful exploit could result in loss of funds or protocol compromise. Estimated maximum bounty: $${scored.estimatedBounty.toLocaleString()}.
+
+## Proof of Concept
+<!-- TODO: Add PoC exploit code / transaction trace here before submitting -->
+<!-- Without a PoC, most Immunefi programs will reject the report -->
+
+## Recommended Mitigation
+<!-- TODO: Add specific remediation steps here -->
+
+## References
+- Analysis timestamp: ${new Date(result.scannedAt).toISOString()}
+- Internal disclosure ID: ${result.protocolId}
+`;
+}
+exports.formatImmunefireport = formatImmunefireport;
+/**
+ * Generate and store an Immunefi submission draft for a qualifying finding.
+ * Only called for HIGH/CRITICAL findings with real source code and bounty > MIN_BOUNTY_USD.
+ * The draft is stored in Redis for human review — never auto-submitted.
+ */
+async function generateSubmissionDraft(result, scored) {
+    if (!scored.sourceAvailable)
+        return;
+    if (scored.riskLevel !== 'HIGH' && scored.riskLevel !== 'CRITICAL')
+        return;
+    if (scored.estimatedBounty < MIN_BOUNTY_USD)
+        return;
+    const redis = (0, redis_1.getRedis)();
+    const report = formatImmunefireport(result, scored);
+    const draft = {
+        id: `${result.protocolId}-${Date.now()}`,
+        protocolName: result.protocolName,
+        riskLevel: scored.riskLevel,
+        bounty: scored.estimatedBounty,
+        slitherCount: scored.slitherCount,
+        report,
+        createdAt: Date.now(),
+        status: 'pending_review',
+    };
+    await redis.lpush('whiteh:submissions', JSON.stringify(draft));
+    await redis.ltrim('whiteh:submissions', 0, 99);
+    // Notify for human review — include the first 400 chars of the report so the reviewer
+    // can decide whether it's worth submitting without opening Redis manually.
+    const preview = report.slice(0, 400).replace(/\n/g, ' ');
+    const notification = JSON.stringify({
+        text: `📋 IMMUNEFI DRAFT READY — ${scored.riskLevel}: ${result.protocolName}\n` +
+            `Bounty: $${(scored.estimatedBounty / 1000).toFixed(0)}k | Slither: ${scored.slitherCount} findings\n` +
+            `Preview: ${preview}\n` +
+            `Full draft: redis-cli LINDEX whiteh:submissions 0`,
+    });
+    await redis.rpush(NOTIFY_CHANNEL, notification);
+    await (0, redis_1.log)(`Immunefi submission draft created for ${result.protocolName} (${scored.riskLevel}, bounty: $${scored.estimatedBounty})`);
+}
+exports.generateSubmissionDraft = generateSubmissionDraft;

package/dist/test/smoke.js

@@ -0,0 +1,511 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+    __setModuleDefault(result, mod);
+    return result;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const fs_1 = require("fs");
+const path_1 = require("path");
+const os_1 = require("os");
+const redis_1 = require("../redis");
+const scorer_1 = require("../scorer");
+const disclosure_1 = require("../disclosure");
+const discovery_1 = require("../discovery");
+const analyzer_1 = require("../analyzer");
+const submission_1 = require("../submission");
+const contest_1 = require("../contest");
+async function runSmoke() {
+    console.log('[smoke] Starting smoke tests...');
+    // Test 1: Redis connection
+    const redis = (0, redis_1.getRedis)();
+    await redis.ping();
+    console.log('[smoke] ✓ Redis connection OK');
+    // Test 2: Logging
+    await (0, redis_1.log)('smoke test log entry');
+    const logEntry = await redis.lindex('whiteh:log', 0);
+    if (!logEntry)
+        throw new Error('Log entry not written');
+    const parsed = JSON.parse(logEntry);
+    if (!parsed.message.includes('smoke test'))
+        throw new Error('Log entry malformed');
+    console.log('[smoke] ✓ Redis logging OK');
+    // Test 3: Scorer — with source code (should alert)
+    const mockResultWithCode = {
+        protocolId: 'test-protocol',
+        protocolName: 'Test Protocol',
+        chain: 'ethereum',
+        tvl: 100000000,
+        slitherFindings: [
+            { check: 'reentrancy', impact: 'High', confidence: 'High', description: 'test', elements: [] },
+        ],
+        slitherStatus: 'success',
+        claudeReview: 'RISK_LEVEL: HIGH\nBOUNTY_ESTIMATE_USD: 50000\nSUMMARY: Test summary',
+        riskLevel: 'HIGH',
+        estimatedBounty: 50000,
+        disclosureSummary: 'Test summary',
+        scannedAt: Date.now(),
+        sourceAvailable: true,
+    };
+    const scored = (0, scorer_1.scoreFindings)(mockResultWithCode);
+    if (!scored.needsAlert)
+        throw new Error('HIGH risk with source should trigger alert');
+    if (scored.severity < 7)
+        throw new Error('HIGH risk severity too low');
+    if (!scored.sourceAvailable)
+        throw new Error('sourceAvailable should be true');
+    console.log('[smoke] ✓ Scorer (with source) OK');
+    // Test 4: Scorer — no source code (should NOT alert, bounty should be 0)
+    const mockResultNoCode = {
+        ...mockResultWithCode,
+        protocolId: 'test-protocol-nocode',
+        sourceAvailable: false,
+        estimatedBounty: 0,
+    };
+    const scoredNoCode = (0, scorer_1.scoreFindings)(mockResultNoCode);
+    if (scoredNoCode.needsAlert)
+        throw new Error('HIGH risk without source should NOT trigger alert');
+    if (scoredNoCode.sourceAvailable)
+        throw new Error('sourceAvailable should be false');
+    console.log('[smoke] ✓ Scorer (no source, no alert) OK');
+    // Test 5: No-source finding does NOT create a disclosure record
+    const disclosuresBefore = await redis.llen('whiteh:disclosures');
+    // Simulate what index.ts does: only call createDisclosureRecord when sourceAvailable
+    if (scoredNoCode.sourceAvailable) {
+        await (0, disclosure_1.createDisclosureRecord)(mockResultNoCode, scoredNoCode);
+    }
+    const disclosuresAfter = await redis.llen('whiteh:disclosures');
+    if (disclosuresAfter !== disclosuresBefore) {
+        throw new Error('No-source finding should not create a disclosure record');
+    }
+    console.log('[smoke] ✓ No-source finding skips disclosure record OK');
+    // Test 6: pruneNoGithubFromQueue removes low-TVL no-GitHub entries but keeps high-TVL + github ones
+    const testKey = 'whiteh:queue';
+    const noGithubLowTvl = { id: 'smoke-no-gh-low', name: 'Smoke No GitHub Low TVL', chain: 'eth', tvl: 50000000 };
+    const noGithubHighTvl = { id: 'smoke-no-gh-high', name: 'Smoke No GitHub High TVL', chain: 'eth', tvl: 600000000 };
+    const withGithub = { id: 'smoke-with-gh', name: 'Smoke With GitHub', github: 'https://github.com/test', chain: 'eth', tvl: 50000000 };
+    // Ensure clean state
+    await redis.lrem(testKey, 0, JSON.stringify(noGithubLowTvl));
+    await redis.lrem(testKey, 0, JSON.stringify(noGithubHighTvl));
+    await redis.lrem(testKey, 0, JSON.stringify(withGithub));
+    await redis.rpush(testKey, JSON.stringify(noGithubLowTvl));
+    await redis.rpush(testKey, JSON.stringify(noGithubHighTvl));
+    await redis.rpush(testKey, JSON.stringify(withGithub));
+    await (0, discovery_1.pruneNoGithubFromQueue)();
+    // noGithubLowTvl should be gone
+    const lowTvlPos = await redis.lpos(testKey, JSON.stringify(noGithubLowTvl));
+    if (lowTvlPos !== null)
+        throw new Error('Low-TVL no-GitHub entry should have been pruned');
+    // high-TVL no-GitHub should remain
+    const highTvlPos = await redis.lpos(testKey, JSON.stringify(noGithubHighTvl));
+    if (highTvlPos === null)
+        throw new Error('High-TVL no-GitHub entry should NOT have been pruned');
+    // with-GitHub should remain
+    const githubPos = await redis.lpos(testKey, JSON.stringify(withGithub));
+    if (githubPos === null)
+        throw new Error('GitHub-available entry should NOT have been pruned');
+    // clean up test entries
+    await redis.lrem(testKey, 0, JSON.stringify(noGithubHighTvl));
+    await redis.lrem(testKey, 0, JSON.stringify(withGithub));
+    console.log('[smoke] ✓ pruneNoGithubFromQueue removes low-TVL no-GitHub entries OK');
+    // Test 7: resolveCloneUrl passthrough for already-URL values
+    const fullUrl = 'https://github.com/aave/aave-v3-core';
+    const resolved = await (0, analyzer_1.resolveCloneUrl)(fullUrl);
+    if (resolved !== fullUrl)
+        throw new Error(`resolveCloneUrl should pass through full URLs unchanged, got: ${resolved}`);
+    console.log('[smoke] ✓ resolveCloneUrl passthrough OK');
+    // Test 8: resolveCloneUrl resolves org name to a valid https URL
+    const orgUrl = await (0, analyzer_1.resolveCloneUrl)('uniswap');
+    if (!orgUrl || !orgUrl.startsWith('https://github.com/uniswap/')) {
+        throw new Error(`resolveCloneUrl should resolve org to https URL, got: ${orgUrl}`);
+    }
+    console.log(`[smoke] ✓ resolveCloneUrl org resolution OK (${orgUrl})`);
+    // Test 9: Alert payload uses 'text' field (not 'message') for Telegram compatibility
+    const { sendAlert } = await Promise.resolve().then(() => __importStar(require('../notifier')));
+    // Use a unique name to avoid dedup from prior smoke runs
+    const testFinding = { ...scored, protocolName: `Smoke-Test-${Date.now()}` };
+    // Pre-clear any prior dedup entry for this name just in case
+    const alertsBefore = await redis.llen('cca:notify:money-brain');
+    await sendAlert(testFinding);
+    const alertsAfter = await redis.llen('cca:notify:money-brain');
+    if (alertsAfter <= alertsBefore)
+        throw new Error('Alert should have been pushed to notification channel');
+    const rawAlert = await redis.lindex('cca:notify:money-brain', 0);
+    if (!rawAlert)
+        throw new Error('Alert not found in channel');
+    const alertPayload = JSON.parse(rawAlert);
+    if (!alertPayload.text)
+        throw new Error(`Alert payload missing 'text' field (got keys: ${Object.keys(alertPayload).join(', ')})`);
+    if (alertPayload.message)
+        throw new Error(`Alert payload should not have 'message' field (Telegram compatibility)`);
+    // clean up test alert
+    await redis.lrem('cca:notify:money-brain', 1, rawAlert);
+    await redis.lrem('whiteh:alerts', 1, JSON.stringify({ ts: Date.now() }));
+    console.log('[smoke] ✓ Alert payload uses text field (Telegram-compatible) OK');
+    // Test 10: contractPriority filters out test/mock/interface files
+    // Test files should be filtered out (priority = 0)
+    if ((0, analyzer_1.contractPriority)('/repo/test/PoolTest.sol') !== 0)
+        throw new Error('test/ dir should be filtered');
+    if ((0, analyzer_1.contractPriority)('/repo/contracts/MockToken.sol') !== 0)
+        throw new Error('Mock*.sol should be filtered');
+    if ((0, analyzer_1.contractPriority)('/repo/contracts/IPool.sol') !== 0)
+        throw new Error('ICapitalized.sol should be filtered');
+    if ((0, analyzer_1.contractPriority)('/repo/contracts/PoolTest.sol') !== 0)
+        throw new Error('*Test.sol should be filtered');
+    if ((0, analyzer_1.contractPriority)('/repo/contracts/Pool.t.sol') !== 0)
+        throw new Error('*.t.sol should be filtered');
+    // Core contracts should have boosted priority
+    if ((0, analyzer_1.contractPriority)('/repo/contracts/Pool.sol') <= 0)
+        throw new Error('Pool.sol should have positive priority');
+    if ((0, analyzer_1.contractPriority)('/repo/contracts/Vault.sol') < (0, analyzer_1.contractPriority)('/repo/contracts/Library.sol')) {
+        throw new Error('Vault.sol should have higher priority than Library.sol');
+    }
+    // Regular contracts have default priority
+    if ((0, analyzer_1.contractPriority)('/repo/contracts/MyProtocol.sol') <= 0)
+        throw new Error('MyProtocol.sol should have positive priority');
+    console.log('[smoke] ✓ contractPriority filters test/mock/interface files OK');
+    // Test 11: CRITICAL without Slither should NOT alert (Claude-only CRITICAL = noisy)
+    const mockCriticalNoSlither = {
+        ...mockResultWithCode,
+        protocolId: 'test-critical-no-slither',
+        protocolName: 'Test Critical No Slither',
+        slitherFindings: [],
+        slitherStatus: 'compilation_error',
+        riskLevel: 'CRITICAL',
+        estimatedBounty: 1000000,
+    };
+    const scoredCriticalNoSlither = (0, scorer_1.scoreFindings)(mockCriticalNoSlither);
+    if (scoredCriticalNoSlither.needsAlert) {
+        throw new Error('CRITICAL without Slither should NOT trigger alert (too noisy)');
+    }
+    console.log('[smoke] ✓ CRITICAL without Slither = no alert OK');
+    // Test 12: CRITICAL WITH Slither SHOULD alert
+    const mockCriticalWithSlither = {
+        ...mockResultWithCode,
+        protocolId: 'test-critical-with-slither',
+        protocolName: 'Test Critical With Slither',
+        slitherFindings: [
+            { check: 'arbitrary-send', impact: 'Critical', confidence: 'High', description: 'test', elements: [] },
+        ],
+        riskLevel: 'CRITICAL',
+        estimatedBounty: 500000,
+    };
+    const scoredCriticalWithSlither = (0, scorer_1.scoreFindings)(mockCriticalWithSlither);
+    if (!scoredCriticalWithSlither.needsAlert) {
+        throw new Error('CRITICAL with Slither findings SHOULD trigger alert');
+    }
+    console.log('[smoke] ✓ CRITICAL with Slither findings = alert OK');
+    // Test 13: formatImmunefireport generates valid Immunefi-style report
+    const scoredForReport = (0, scorer_1.scoreFindings)(mockResultWithCode);
+    const report = (0, submission_1.formatImmunefireport)(mockResultWithCode, scoredForReport);
+    if (!report.includes('# Immunefi Bug Report Draft'))
+        throw new Error('Report missing header');
+    if (!report.includes('Test Protocol'))
+        throw new Error('Report missing protocol name');
+    if (!report.includes('High'))
+        throw new Error('Report missing severity');
+    if (!report.includes('AUTO-GENERATED DRAFT'))
+        throw new Error('Report missing review warning');
+    console.log('[smoke] ✓ formatImmunefireport generates valid report structure OK');
+    // Test 14: generateSubmissionDraft creates Redis entry and Telegram notification for qualifying finding
+    const submissionsBefore = await redis.llen('whiteh:submissions');
+    const notifyBefore = await redis.llen('cca:notify:money-brain');
+    await (0, submission_1.generateSubmissionDraft)(mockResultWithCode, scoredForReport);
+    const submissionsAfter = await redis.llen('whiteh:submissions');
+    const notifyAfter = await redis.llen('cca:notify:money-brain');
+    if (submissionsAfter !== submissionsBefore + 1)
+        throw new Error('generateSubmissionDraft should push to whiteh:submissions');
+    if (notifyAfter !== notifyBefore + 1)
+        throw new Error('generateSubmissionDraft should push Telegram notification');
+    // Verify the notification has the right format — rpush appends to the right end (index -1)
+    const rawNotify = await redis.lindex('cca:notify:money-brain', -1);
+    if (!rawNotify)
+        throw new Error('Submission notification not found');
+    const notifyPayload = JSON.parse(rawNotify);
+    if (!notifyPayload.text || !notifyPayload.text.includes('IMMUNEFI DRAFT READY')) {
+        throw new Error(`Submission notification missing expected text (got: ${JSON.stringify(notifyPayload)})`);
+    }
+    // clean up test entries
+    const rawSub = await redis.lindex('whiteh:submissions', 0);
+    if (rawSub)
+        await redis.lrem('whiteh:submissions', 1, rawSub);
+    await redis.lrem('cca:notify:money-brain', 1, rawNotify);
+    console.log('[smoke] ✓ generateSubmissionDraft creates submission + notification OK');
+    // Test 15: generateSubmissionDraft skips low-bounty findings
+    const lowBountyResult = { ...mockResultWithCode, estimatedBounty: 5000 };
+    const scoredLowBounty = (0, scorer_1.scoreFindings)(lowBountyResult);
+    const subsBefore = await redis.llen('whiteh:submissions');
+    await (0, submission_1.generateSubmissionDraft)(lowBountyResult, scoredLowBounty);
+    const subsAfter = await redis.llen('whiteh:submissions');
+    if (subsAfter !== subsBefore)
+        throw new Error('generateSubmissionDraft should skip bounty < $10k');
+    console.log('[smoke] ✓ generateSubmissionDraft skips low-bounty findings OK');
+    // Test 16: isExploitTarget matches known exploit targets
+    if (!(0, discovery_1.isExploitTarget)('Compound Finance'))
+        throw new Error('Compound should be an exploit target');
+    if (!(0, discovery_1.isExploitTarget)('Ronin Network'))
+        throw new Error('Ronin should be an exploit target');
+    if (!(0, discovery_1.isExploitTarget)('Curve Finance'))
+        throw new Error('Curve should be an exploit target');
+    if (!(0, discovery_1.isExploitTarget)('BadgerDAO'))
+        throw new Error('Badger should be an exploit target');
+    if ((0, discovery_1.isExploitTarget)('MyRandomProtocol'))
+        throw new Error('Random protocol should NOT be an exploit target');
+    if ((0, discovery_1.isExploitTarget)('SafeToken'))
+        throw new Error('SafeToken should NOT be an exploit target');
+    console.log('[smoke] ✓ isExploitTarget matches known exploit history protocols OK');
+    // Test 17: prioritizeExploitTargets moves exploit-history entries before normal entries.
+    // Append both to the real queue (normal first, exploit second — reversed from desired order),
+    // then verify that after reorder the exploit entry has a lower index than the normal one.
+    const exploitProto = { id: 'smoke-exploit-t17', name: 'Compound Fork Protocol', github: 'https://github.com/test/compound-fork', chain: 'eth', tvl: 50000000 };
+    const normalProto = { id: 'smoke-normal-t17', name: 'Some Normal Protocol T17', github: 'https://github.com/test/normal', chain: 'eth', tvl: 50000000 };
+    // Clean any leftover test entries
+    await redis.lrem('whiteh:queue', 0, JSON.stringify(exploitProto));
+    await redis.lrem('whiteh:queue', 0, JSON.stringify(normalProto));
+    // Insert normal first, then exploit — wrong order intentionally
+    await redis.rpush('whiteh:queue', JSON.stringify(normalProto));
+    await redis.rpush('whiteh:queue', JSON.stringify(exploitProto));
+    // Run reorder
+    await (0, discovery_1.prioritizeExploitTargets)();
+    // Check: exploit entry must appear before normal entry
+    const reorderedAll = await redis.lrange('whiteh:queue', 0, -1);
+    const exploitIdx = reorderedAll.findIndex((r) => { try {
+        return JSON.parse(r).id === 'smoke-exploit-t17';
+    }
+    catch {
+        return false;
+    } });
+    const normalIdx = reorderedAll.findIndex((r) => { try {
+        return JSON.parse(r).id === 'smoke-normal-t17';
+    }
+    catch {
+        return false;
+    } });
+    if (exploitIdx === -1 || normalIdx === -1)
+        throw new Error(`Test entries missing after reorder (exploit: ${exploitIdx}, normal: ${normalIdx})`);
+    if (exploitIdx >= normalIdx)
+        throw new Error(`Exploit target (idx ${exploitIdx}) should come before normal (idx ${normalIdx})`);
+    // Clean up
+    await redis.lrem('whiteh:queue', 0, JSON.stringify(exploitProto));
+    await redis.lrem('whiteh:queue', 0, JSON.stringify(normalProto));
+    console.log('[smoke] ✓ prioritizeExploitTargets moves exploit-history targets to queue front OK');
+    // Test 18: resolveCloneUrl handles GitHub org URLs (https://github.com/OrgName with no repo)
+    // DeFiLlama sometimes returns org URLs rather than plain org names — these were previously
+    // passed through as-is, causing git clone to fail on a URL that has no repo path.
+    const orgUrlResolved = await (0, analyzer_1.resolveCloneUrl)('https://github.com/uniswap');
+    if (!orgUrlResolved || !orgUrlResolved.startsWith('https://github.com/uniswap/')) {
+        throw new Error(`resolveCloneUrl should resolve org URL to repo URL, got: ${orgUrlResolved}`);
+    }
+    // Full repo URLs with 2 path segments must still pass through unchanged
+    const fullRepoUrl = 'https://github.com/aave/aave-v3-core';
+    const fullResolved = await (0, analyzer_1.resolveCloneUrl)(fullRepoUrl);
+    if (fullResolved !== fullRepoUrl) {
+        throw new Error(`resolveCloneUrl should not modify full repo URLs, got: ${fullResolved}`);
+    }
+    console.log(`[smoke] ✓ resolveCloneUrl org URL resolution OK (${orgUrlResolved})`);
+    // Test 19: queueNewProtocols uses whiteh:queued set — does NOT re-queue protocols already in set
+    const { queueNewProtocols, dequeueProtocol } = await Promise.resolve().then(() => __importStar(require('../discovery')));
+    const dedupeProto = {
+        id: `smoke-dedup-${Date.now()}`,
+        name: 'Smoke Dedup Test Protocol',
+        github: 'https://github.com/test/dedup-proto',
+        chain: 'eth',
+        tvl: 50000000,
+    };
+    // Ensure protocol is NOT already scanned
+    await redis.srem('whiteh:scanned', dedupeProto.id);
+    // Simulate it already being in the queue (add to whiteh:queued set, not the list)
+    await redis.sadd('whiteh:queued', dedupeProto.id);
+    const queueLenBefore = await redis.llen('whiteh:queue');
+    await queueNewProtocols([dedupeProto]);
+    const queueLenAfter = await redis.llen('whiteh:queue');
+    if (queueLenAfter !== queueLenBefore) {
+        throw new Error(`queueNewProtocols should skip protocols already in whiteh:queued (queue grew by ${queueLenAfter - queueLenBefore})`);
+    }
+    await redis.srem('whiteh:queued', dedupeProto.id);
+    console.log('[smoke] ✓ queueNewProtocols skips protocols in whiteh:queued set OK');
+    // Test 20: dequeueProtocol skips already-scanned entries (duplicate cleanup)
+    const skipProto = {
+        id: `smoke-skip-${Date.now()}`,
+        name: 'Smoke Skip Already Scanned',
+        github: 'https://github.com/test/skip-proto',
+        chain: 'eth',
+        tvl: 50000000,
+    };
+    const keepProto = {
+        id: `smoke-keep-${Date.now()}`,
+        name: 'Smoke Keep Unscanned',
+        github: 'https://github.com/test/keep-proto',
+        chain: 'eth',
+        tvl: 50000000,
+    };
+    // Mark skipProto as already scanned, keepProto is fresh
+    await redis.sadd('whiteh:scanned', skipProto.id);
+    await redis.srem('whiteh:scanned', keepProto.id);
+    // Push skipProto at front, keepProto behind it (skipProto is the "duplicate")
+    await redis.lpush('whiteh:queue', JSON.stringify(keepProto));
+    await redis.lpush('whiteh:queue', JSON.stringify(skipProto));
+    const dequeued = await dequeueProtocol();
+    if (!dequeued)
+        throw new Error('dequeueProtocol returned null — should have skipped skipProto and returned keepProto');
+    if (dequeued.id !== keepProto.id) {
+        throw new Error(`dequeueProtocol should skip already-scanned entry and return next, got id=${dequeued.id}`);
+    }
+    // Cleanup
+    await redis.lrem('whiteh:queue', 0, JSON.stringify(keepProto));
+    await redis.lrem('whiteh:queue', 0, JSON.stringify(skipProto));
+    await redis.srem('whiteh:scanned', skipProto.id);
+    console.log('[smoke] ✓ dequeueProtocol skips already-scanned entries OK');
+    // Test 21: parseProtocolName — Code4rena repo naming convention
+    if ((0, contest_1.parseProtocolName)('code-423n4', '2024-01-myprotocol') !== 'Myprotocol (C4)') {
+        throw new Error(`parseProtocolName C4 basic failed: got "${(0, contest_1.parseProtocolName)('code-423n4', '2024-01-myprotocol')}"`);
+    }
+    if ((0, contest_1.parseProtocolName)('code-423n4', '2024-01-uniswap-v4') !== 'Uniswap V4 (C4)') {
+        throw new Error(`parseProtocolName C4 multi-word failed: got "${(0, contest_1.parseProtocolName)('code-423n4', '2024-01-uniswap-v4')}"`);
+    }
+    console.log('[smoke] ✓ parseProtocolName Code4rena convention OK');
+    // Test 22: parseProtocolName — Sherlock repo naming convention
+    if ((0, contest_1.parseProtocolName)('sherlock-audit', '2024-curve-audit') !== 'Curve (Sherlock)') {
+        throw new Error(`parseProtocolName Sherlock basic failed: got "${(0, contest_1.parseProtocolName)('sherlock-audit', '2024-curve-audit')}"`);
+    }
+    if ((0, contest_1.parseProtocolName)('sherlock-audit', '2024-aave-v3-audit') !== 'Aave V3 (Sherlock)') {
+        throw new Error(`parseProtocolName Sherlock multi-word failed: got "${(0, contest_1.parseProtocolName)('sherlock-audit', '2024-aave-v3-audit')}"`);
+    }
+    console.log('[smoke] ✓ parseProtocolName Sherlock convention OK');
+    // Test 23: fetchContestProtocols — returns Protocol objects with correct shape
+    // (live network call; only verify shape, not exact count)
+    const contestProtocols = await (0, contest_1.fetchContestProtocols)();
+    if (!Array.isArray(contestProtocols))
+        throw new Error('fetchContestProtocols should return an array');
+    for (const p of contestProtocols) {
+        if (!p.id.startsWith('contest-'))
+            throw new Error(`Contest protocol id should start with 'contest-': ${p.id}`);
+        if (!p.github || !p.github.startsWith('https://github.com/')) {
+            throw new Error(`Contest protocol github should be a full GitHub URL: ${p.github}`);
+        }
+        if (p.tvl <= 0)
+            throw new Error(`Contest protocol TVL should be positive: ${p.tvl}`);
+        if (!p.name)
+            throw new Error(`Contest protocol name should be non-empty`);
+    }
+    console.log(`[smoke] ✓ fetchContestProtocols returns valid Protocol objects (${contestProtocols.length} found) OK`);
+    // Test 24: installDeps — no package manager files → 'no-pkg-manager'
+    const tmpEmpty = (0, path_1.join)((0, os_1.tmpdir)(), `smoke-empty-${Date.now()}`);
+    (0, fs_1.mkdirSync)(tmpEmpty, { recursive: true });
+    try {
+        const status24 = (0, analyzer_1.installDeps)(tmpEmpty);
+        if (status24 !== 'no-pkg-manager')
+            throw new Error(`Expected 'no-pkg-manager', got '${status24}'`);
+        console.log('[smoke] ✓ installDeps no-pkg-manager OK');
+    }
+    finally {
+        (0, fs_1.rmSync)(tmpEmpty, { recursive: true, force: true });
+    }
+    // Test 25: installDeps — foundry.toml + non-empty lib/ → 'foundry-lib-present'
+    // lib/ must have actual content (a subdirectory) to be considered populated.
+    // An empty lib/ means submodules weren't fetched and forge install should run.
+    const tmpFoundry = (0, path_1.join)((0, os_1.tmpdir)(), `smoke-foundry-${Date.now()}`);
+    (0, fs_1.mkdirSync)((0, path_1.join)(tmpFoundry, 'lib', 'forge-std'), { recursive: true });
+    (0, fs_1.writeFileSync)((0, path_1.join)(tmpFoundry, 'foundry.toml'), '[profile.default]\n');
+    try {
+        const status25 = (0, analyzer_1.installDeps)(tmpFoundry);
+        if (status25 !== 'foundry-lib-present')
+            throw new Error(`Expected 'foundry-lib-present', got '${status25}'`);
+        console.log('[smoke] ✓ installDeps foundry-lib-present OK');
+    }
+    finally {
+        (0, fs_1.rmSync)(tmpFoundry, { recursive: true, force: true });
+    }
+    // Test 26: installDeps — package.json present → should run npm and return 'npm'
+    const tmpNpm = (0, path_1.join)((0, os_1.tmpdir)(), `smoke-npm-${Date.now()}`);
+    (0, fs_1.mkdirSync)(tmpNpm, { recursive: true });
+    (0, fs_1.writeFileSync)((0, path_1.join)(tmpNpm, 'package.json'), JSON.stringify({ name: 'test', version: '1.0.0', dependencies: {} }));
+    try {
+        const status26 = (0, analyzer_1.installDeps)(tmpNpm);
+        if (status26 !== 'npm')
+            throw new Error(`Expected 'npm', got '${status26}'`);
+        console.log('[smoke] ✓ installDeps npm install OK');
+    }
+    finally {
+        (0, fs_1.rmSync)(tmpNpm, { recursive: true, force: true });
+    }
+    // Test 27: slitherStatus in Immunefi report — compilation_error shows correct note
+    const compilationErrResult = {
+        ...mockResultWithCode,
+        protocolId: 'test-compilation-err',
+        protocolName: 'Test Compilation Error Protocol',
+        slitherFindings: [],
+        slitherStatus: 'compilation_error',
+    };
+    const scoredCompErr = (0, scorer_1.scoreFindings)(compilationErrResult);
+    const compilationErrReport = (0, submission_1.formatImmunefireport)(compilationErrResult, scoredCompErr);
+    if (!compilationErrReport.includes('could not compile')) {
+        throw new Error(`Compilation error report should mention compilation failure, got: ${compilationErrReport.slice(0, 300)}`);
+    }
+    console.log('[smoke] ✓ slitherStatus compilation_error report note OK');
+    // Test 28: slitherStatus 'success' with 0 findings shows correct "ran but found nothing" note
+    const successZeroResult = {
+        ...mockResultWithCode,
+        protocolId: 'test-success-zero',
+        protocolName: 'Test Clean Slither Protocol',
+        slitherFindings: [],
+        slitherStatus: 'success',
+    };
+    const scoredSuccessZero = (0, scorer_1.scoreFindings)(successZeroResult);
+    const successZeroReport = (0, submission_1.formatImmunefireport)(successZeroResult, scoredSuccessZero);
+    if (!successZeroReport.includes('ran successfully but found no')) {
+        throw new Error(`Success+0 findings report should mention "ran successfully", got: ${successZeroReport.slice(0, 300)}`);
+    }
+    console.log('[smoke] ✓ slitherStatus success+0 findings report note OK');
+    // Test 29: detectSolcVersion — parses pragma from a temp directory
+    const solcTestDir = (0, path_1.join)((0, os_1.tmpdir)(), `smoke-solc-${Date.now()}`);
+    (0, fs_1.mkdirSync)(solcTestDir, { recursive: true });
+    try {
+        (0, fs_1.writeFileSync)((0, path_1.join)(solcTestDir, 'Token.sol'), `// SPDX-License-Identifier: MIT\npragma solidity =0.7.6;\ncontract Token {}\n`);
+        (0, fs_1.writeFileSync)((0, path_1.join)(solcTestDir, 'Pool.sol'), `// SPDX-License-Identifier: MIT\npragma solidity =0.7.6;\ncontract Pool {}\n`);
+        const detected = (0, analyzer_1.detectSolcVersion)(solcTestDir);
+        if (detected !== '0.7.6')
+            throw new Error(`detectSolcVersion expected 0.7.6, got ${detected}`);
+        console.log('[smoke] ✓ detectSolcVersion parses pinned pragma OK');
+    }
+    finally {
+        (0, fs_1.rmSync)(solcTestDir, { recursive: true, force: true });
+    }
+    // Test 30: detectSolcVersion with caret pragma
+    const solcCaretDir = (0, path_1.join)((0, os_1.tmpdir)(), `smoke-solc-caret-${Date.now()}`);
+    (0, fs_1.mkdirSync)(solcCaretDir, { recursive: true });
+    try {
+        (0, fs_1.writeFileSync)((0, path_1.join)(solcCaretDir, 'A.sol'), `pragma solidity ^0.8.17;\ncontract A {}\n`);
+        const detected2 = (0, analyzer_1.detectSolcVersion)(solcCaretDir);
+        if (detected2 !== '0.8.17')
+            throw new Error(`detectSolcVersion caret expected 0.8.17, got ${detected2}`);
+        console.log('[smoke] ✓ detectSolcVersion parses caret pragma OK');
+    }
+    finally {
+        (0, fs_1.rmSync)(solcCaretDir, { recursive: true, force: true });
+    }
+    console.log('[smoke] All smoke tests passed (30/30) ✓');
+    await (0, redis_1.closeRedis)();
+}
+runSmoke().catch((err) => {
+    console.error('[smoke] FAILED:', err);
+    process.exit(1);
+});