white-hat-scanner 1.0.1

package/src/analyzer.ts

@@ -0,0 +1,974 @@
+import { execSync, spawnSync } from 'child_process'
+import { mkdirSync, rmSync, existsSync, readFileSync, writeFileSync, readdirSync } from 'fs'
+import { join } from 'path'
+import { tmpdir } from 'os'
+import { log } from './redis'
+import type { Protocol } from './discovery'
+
+// ---------------------------------------------------------------------------
+// solc-select helpers
+// ---------------------------------------------------------------------------
+
+function findSolcSelectBin(): string | null {
+  const candidates = [
+    '/opt/homebrew/bin/solc-select',
+    '/usr/local/bin/solc-select',
+    '/usr/bin/solc-select',
+  ]
+  for (const p of candidates) {
+    if (existsSync(p)) return p
+  }
+  try {
+    const fromWhich = execSync('which solc-select 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim()
+    if (fromWhich) return fromWhich
+  } catch {}
+  return null
+}
+
+/**
+ * Parse pragma solidity version constraints from .sol files in repoDir.
+ * Returns the most commonly required version string (e.g. "0.7.6", "0.8.17").
+ * Returns null if no pragmas found or version can't be resolved.
+ */
+export function detectSolcVersion(repoDir: string): string | null {
+  try {
+    const result = spawnSync(
+      'grep',
+      ['-rh', '--include=*.sol', 'pragma solidity', repoDir],
+      { encoding: 'utf8', timeout: 10_000 }
+    )
+    if (result.status !== 0 && !result.stdout) return null
+
+    const lines = result.stdout.trim().split('\n').filter(Boolean)
+    // Extract version strings, e.g. "=0.7.6", "^0.8.17", ">=0.8.0 <0.9.0"
+    const versionCounts: Record<string, number> = {}
+    for (const line of lines) {
+      // Match pinned versions first (=0.x.y), then caret/tilde, then bare ranges
+      const pinned = line.match(/pragma solidity\s*=\s*(0\.\d+\.\d+)/)
+      if (pinned) {
+        versionCounts[pinned[1]] = (versionCounts[pinned[1]] ?? 0) + 1
+        continue
+      }
+      const caretOrTilde = line.match(/pragma solidity\s*[\^~]\s*(0\.\d+\.\d+)/)
+      if (caretOrTilde) {
+        versionCounts[caretOrTilde[1]] = (versionCounts[caretOrTilde[1]] ?? 0) + 1
+        continue
+      }
+      // >=0.x.y or just 0.x.y
+      const any = line.match(/pragma solidity[^;]*?(0\.\d+\.\d+)/)
+      if (any) {
+        versionCounts[any[1]] = (versionCounts[any[1]] ?? 0) + 1
+      }
+    }
+
+    if (Object.keys(versionCounts).length === 0) return null
+
+    // Return the most common version
+    return Object.entries(versionCounts).sort((a, b) => b[1] - a[1])[0][0]
+  } catch {
+    return null
+  }
+}
+
+// Known good fallback versions installed on this machine (by minor series)
+const FALLBACK_VERSIONS: Record<string, string> = {
+  '0.4': '0.4.26',
+  '0.5': '0.5.17',
+  '0.6': '0.6.12',
+  '0.7': '0.7.6',
+  '0.8': '0.8.20',
+}
+
+/**
+ * Ensure a specific solc version is installed and active via solc-select.
+ * Returns the version that was set, or null on failure.
+ */
+function setSolcVersion(version: string): string | null {
+  const bin = findSolcSelectBin()
+  if (!bin) return null
+
+  const toolEnv = {
+    ...process.env,
+    PATH: ['/opt/homebrew/bin', '/usr/local/bin', '/usr/bin', '/bin', process.env.PATH].filter(Boolean).join(':'),
+  }
+
+  // Resolve to a known stable patch version if only major.minor is given
+  const minor = version.match(/^(0\.\d+)/)
+  const resolvedVersion = FALLBACK_VERSIONS[minor?.[1] ?? ''] ?? version
+
+  try {
+    // Try to use directly first (already installed)
+    const useResult = spawnSync(bin, ['use', resolvedVersion], {
+      encoding: 'utf8', timeout: 15_000, stdio: 'pipe', env: toolEnv,
+    })
+    if (useResult.status === 0) return resolvedVersion
+  } catch {}
+
+  // Not installed — install it
+  try {
+    spawnSync(bin, ['install', resolvedVersion], {
+      encoding: 'utf8', timeout: 120_000, stdio: 'pipe', env: toolEnv,
+    })
+    const useResult2 = spawnSync(bin, ['use', resolvedVersion], {
+      encoding: 'utf8', timeout: 15_000, stdio: 'pipe', env: toolEnv,
+    })
+    if (useResult2.status === 0) return resolvedVersion
+  } catch {}
+
+  return null
+}
+
+/**
+ * Detect import remappings from remappings.txt or foundry.toml.
+ * Returns array of remapping strings like ["@openzeppelin/=lib/openzeppelin/"].
+ */
+function detectRemappings(repoDir: string): string[] {
+  // remappings.txt (one per line)
+  const remappingsTxt = join(repoDir, 'remappings.txt')
+  if (existsSync(remappingsTxt)) {
+    try {
+      return readFileSync(remappingsTxt, 'utf8')
+        .split('\n')
+        .map((l) => l.trim())
+        .filter(Boolean)
+    } catch {}
+  }
+
+  // foundry.toml — extract remappings array
+  const foundryToml = join(repoDir, 'foundry.toml')
+  if (existsSync(foundryToml)) {
+    try {
+      const content = readFileSync(foundryToml, 'utf8')
+      const remappingsMatch = content.match(/remappings\s*=\s*\[([\s\S]*?)\]/)
+      if (remappingsMatch) {
+        return remappingsMatch[1]
+          .split('\n')
+          .map((l) => l.replace(/["',]/g, '').trim())
+          .filter(Boolean)
+      }
+    } catch {}
+  }
+
+  return []
+}
+
+/**
+ * Docker-based Slither fallback using trailofbits/eth-security-toolbox.
+ * Only attempted if Docker is available and image is present (no auto-pull to avoid long waits).
+ */
+function runSlitherDocker(repoDir: string, solcVersion: string | null): SlitherResult {
+  try {
+    // Check docker is available
+    const dockerCheck = spawnSync('docker', ['info'], { encoding: 'utf8', timeout: 5_000, stdio: 'pipe' })
+    if (dockerCheck.status !== 0) return { findings: [], status: 'compilation_error' }
+
+    // Check image is already pulled (don't auto-pull — too slow and bandwidth-heavy)
+    const imageCheck = spawnSync(
+      'docker', ['image', 'inspect', 'trailofbits/eth-security-toolbox'],
+      { encoding: 'utf8', timeout: 5_000, stdio: 'pipe' }
+    )
+    if (imageCheck.status !== 0) return { findings: [], status: 'compilation_error' }
+
+    const outputPath = '/tmp/slither-docker-out.json'
+    const versionCmd = solcVersion
+      ? `solc-select install ${solcVersion} 2>/dev/null; solc-select use ${solcVersion} 2>/dev/null; `
+      : ''
+    const dockerResult = spawnSync(
+      'docker',
+      [
+        'run', '--rm',
+        '-v', `${repoDir}:/src`,
+        'trailofbits/eth-security-toolbox',
+        'bash', '-c',
+        `cd /src && ${versionCmd}slither . --json ${outputPath} --no-fail-pedantic 2>/dev/null; cat ${outputPath} 2>/dev/null`,
+      ],
+      { encoding: 'utf8', timeout: 240_000, stdio: 'pipe' }
+    )
+
+    if (!dockerResult.stdout) return { findings: [], status: 'compilation_error' }
+
+    // Output may have extra lines before the JSON
+    const jsonStart = dockerResult.stdout.indexOf('{')
+    if (jsonStart === -1) return { findings: [], status: 'compilation_error' }
+
+    const parsed = JSON.parse(dockerResult.stdout.slice(jsonStart)) as SlitherOutput
+    const detectors = parsed?.results?.detectors || []
+    const findings = detectors.filter(
+      (d) => d.impact === 'High' || d.impact === 'Medium' || d.impact === 'Critical'
+    )
+    return { findings, status: 'success' }
+  } catch {
+    return { findings: [], status: 'compilation_error' }
+  }
+}
+
+export type SlitherStatus = 'success' | 'compilation_error' | 'unavailable' | 'not_applicable'
+
+export interface AnalysisResult {
+  protocolId: string
+  protocolName: string
+  chain: string
+  tvl: number
+  slitherFindings: SlitherFinding[]
+  slitherStatus: SlitherStatus
+  claudeReview: string
+  riskLevel: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'UNKNOWN'
+  estimatedBounty: number
+  disclosureSummary: string
+  scannedAt: number
+  sourceAvailable: boolean
+  error?: string
+}
+
+interface SlitherFinding {
+  check: string
+  impact: string
+  confidence: string
+  description: string
+  elements: unknown[]
+}
+
+interface SlitherOutput {
+  results?: {
+    detectors?: SlitherFinding[]
+  }
+}
+
+function findClaudeBin(): string {
+  const candidates = [
+    process.env.CLAUDE_BIN,
+    '/Users/feral/.npm-global/bin/claude',
+    '/usr/local/bin/claude',
+    '/opt/homebrew/bin/claude',
+  ].filter(Boolean) as string[]
+
+  try {
+    const fromWhich = execSync('which claude 2>/dev/null', { encoding: 'utf8' }).trim()
+    if (fromWhich) candidates.unshift(fromWhich)
+  } catch {}
+
+  for (const p of candidates) {
+    if (existsSync(p)) return p
+  }
+  return candidates[0] || 'claude'
+}
+
+function ensureSlither(): boolean {
+  // Check common explicit paths first (launchd may not have full PATH)
+  const slitherPaths = [
+    '/opt/homebrew/bin/slither',
+    '/usr/local/bin/slither',
+    '/usr/bin/slither',
+  ]
+  for (const p of slitherPaths) {
+    if (existsSync(p)) return true
+  }
+  try {
+    const fromWhich = execSync('which slither 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim()
+    if (fromWhich) return true
+  } catch {}
+  console.log('[whiteh] Slither not found, attempting pip3 install...')
+  try {
+    execSync('pip3 install slither-analyzer --break-system-packages 2>&1', { encoding: 'utf8', timeout: 120_000, stdio: 'pipe' })
+    return existsSync('/opt/homebrew/bin/slither') || existsSync('/usr/local/bin/slither')
+  } catch (e) {
+    return false
+  }
+}
+
+interface GHRepo {
+  name: string
+  stargazers_count: number
+  language: string | null
+  archived: boolean
+  fork: boolean
+}
+
+/**
+ * DeFiLlama's `github` field is either an org name (e.g. "pendle-finance"),
+ * a full repo URL (e.g. "https://github.com/pendle-finance/pendle-core"),
+ * or an org URL (e.g. "https://github.com/BeltFi").
+ * This function resolves it to a clonable https URL by querying the GitHub API for the
+ * org's most relevant public repo (preferring Solidity repos, then by star count).
+ */
+export async function resolveCloneUrl(orgOrUrl: string): Promise<string | null> {
+  if (orgOrUrl.startsWith('https://github.com/')) {
+    // Distinguish org URL (1 path segment) from repo URL (2 path segments)
+    const path = orgOrUrl.replace('https://github.com/', '').replace(/\/$/, '')
+    const parts = path.split('/').filter(Boolean)
+    if (parts.length >= 2) {
+      // Already a repo URL — return as-is
+      return orgOrUrl
+    }
+    // Org URL — extract org name and resolve via API
+    const org = parts[0]
+    if (!org) return null
+    return resolveOrgToRepo(org)
+  }
+
+  if (orgOrUrl.startsWith('git@')) {
+    return orgOrUrl
+  }
+
+  const org = orgOrUrl.trim()
+  if (!org) return null
+  return resolveOrgToRepo(org)
+}
+
+async function resolveOrgToRepo(org: string): Promise<string | null> {
+  try {
+    const res = await fetch(
+      `https://api.github.com/orgs/${org}/repos?sort=stars&per_page=20&type=public`,
+      {
+        headers: {
+          'User-Agent': 'white-hat-scanner/1.0',
+          Accept: 'application/vnd.github.v3+json',
+        },
+        signal: AbortSignal.timeout(15_000),
+      }
+    )
+
+    if (!res.ok) {
+      // Might be a user account rather than an org — try /users/:org/repos
+      const res2 = await fetch(
+        `https://api.github.com/users/${org}/repos?sort=stars&per_page=20&type=public`,
+        {
+          headers: {
+            'User-Agent': 'white-hat-scanner/1.0',
+            Accept: 'application/vnd.github.v3+json',
+          },
+          signal: AbortSignal.timeout(15_000),
+        }
+      )
+      if (!res2.ok) return null
+      const repos = (await res2.json()) as GHRepo[]
+      return pickBestRepo(org, repos)
+    }
+
+    const repos = (await res.json()) as GHRepo[]
+    return pickBestRepo(org, repos)
+  } catch {
+    return null
+  }
+}
+
+// Repo names that are almost certainly upstream library copies, not the protocol's own code.
+const LIBRARY_REPO_PATTERNS = [
+  /^openzeppelin/i,
+  /^solmate/i,
+  /^solady/i,
+  /^forge-std/i,
+  /^hardhat/i,
+  /^foundry/i,
+  /war-room/i,
+  /^ds-/i,
+  /^dapp-/i,
+]
+
+function isLibraryRepo(name: string): boolean {
+  return LIBRARY_REPO_PATTERNS.some((p) => p.test(name))
+}
+
+/** Score a repo: higher = better candidate for the protocol's core contracts. */
+function repoScore(org: string, r: GHRepo): number {
+  const name = r.name.toLowerCase()
+  const orgLower = org.toLowerCase()
+  let score = 0
+
+  // Heavily penalise known library copies
+  if (isLibraryRepo(r.name)) return -1000
+
+  // Reward: org name appears in repo name (e.g. tornadocash/tornado-core)
+  if (name.includes(orgLower) || name.replace(/-/g, '').includes(orgLower.replace(/-/g, ''))) {
+    score += 50
+  }
+
+  // Reward: Solidity (the protocol's actual language)
+  if (r.language === 'Solidity') score += 30
+
+  // Reward: contract / core / protocol / vault / pool keyword in name
+  if (/\b(core|protocol|vault|pool|main|primary)\b/.test(name)) score += 20
+  if (name.includes('contract')) score += 10
+
+  // Stars as tiebreaker (capped to avoid inflated library star counts dominating)
+  score += Math.min(r.stargazers_count, 200) * 0.01
+
+  return score
+}
+
+function pickBestRepo(org: string, repos: GHRepo[]): string | null {
+  if (!repos || repos.length === 0) return null
+
+  const active = repos.filter((r) => !r.archived && !r.fork)
+  const candidates = active.length > 0 ? active : repos
+
+  const scored = candidates
+    .map((r) => ({ r, score: repoScore(org, r) }))
+    .filter(({ score }) => score > -1000)
+    .sort((a, b) => b.score - a.score)
+
+  if (scored.length === 0) return null
+  const best = scored[0].r
+
+  return `https://github.com/${org}/${best.name}`
+}
+
+function cloneRepo(githubUrl: string, destDir: string): boolean {
+  try {
+    const result = spawnSync('git', ['clone', '--depth', '1', '--quiet', githubUrl, destDir], {
+      timeout: 60_000,
+      encoding: 'utf8',
+    })
+    return result.status === 0
+  } catch {
+    return false
+  }
+}
+
+function findSlitherBin(): string {
+  const candidates = [
+    '/opt/homebrew/bin/slither',
+    '/usr/local/bin/slither',
+    '/usr/bin/slither',
+  ]
+  for (const p of candidates) {
+    if (existsSync(p)) return p
+  }
+  try {
+    const fromWhich = execSync('which slither 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim()
+    if (fromWhich) return fromWhich
+  } catch {}
+  return 'slither'
+}
+
+function findForgeBin(): string | null {
+  const candidates = [
+    '/Users/feral/.foundry/bin/forge',
+    '/opt/homebrew/bin/forge',
+    '/usr/local/bin/forge',
+  ]
+  for (const p of candidates) {
+    if (existsSync(p)) return p
+  }
+  try {
+    const fromWhich = execSync('which forge 2>/dev/null', { encoding: 'utf8', stdio: 'pipe' }).trim()
+    if (fromWhich) return fromWhich
+  } catch {}
+  return null
+}
+
+/**
+ * Install project dependencies so Slither can compile the contracts.
+ * Returns a brief status string for logging.
+ */
+export function installDeps(repoDir: string): string {
+  // Hardhat / Truffle — npm install (most common for DeFi)
+  if (existsSync(join(repoDir, 'package.json'))) {
+    try {
+      spawnSync('npm', ['install', '--ignore-scripts', '--prefer-offline', '--no-audit'], {
+        cwd: repoDir,
+        timeout: 120_000,
+        encoding: 'utf8',
+        stdio: 'pipe',
+      })
+    } catch {
+      return 'npm-failed'
+    }
+    // Best-effort pre-compilation: Hardhat downloads the right solc version and
+    // caches compilation artifacts, which dramatically improves Slither's compile rate.
+    try {
+      const hardhatBin = join(repoDir, 'node_modules', '.bin', 'hardhat')
+      if (existsSync(hardhatBin)) {
+        spawnSync('node', [hardhatBin, 'compile', '--quiet'], {
+          cwd: repoDir,
+          timeout: 120_000,
+          encoding: 'utf8',
+          stdio: 'pipe',
+        })
+      }
+    } catch {}
+    return 'npm'
+  }
+
+  // Foundry — forge install + forge build
+  if (existsSync(join(repoDir, 'foundry.toml'))) {
+    const forgeBin = findForgeBin()
+
+    const toolEnv = {
+      ...process.env,
+      PATH: [
+        '/opt/homebrew/bin',
+        '/usr/local/bin',
+        '/usr/bin',
+        '/bin',
+        '/Users/feral/.foundry/bin',
+        process.env.PATH,
+      ].filter(Boolean).join(':'),
+    }
+
+    const libDir = join(repoDir, 'lib')
+    // A shallow git clone (--depth 1) may create lib/ as an empty directory when
+    // submodules are registered but not populated. Check for actual content so we
+    // don't skip forge install on a repo that still needs its dependencies fetched.
+    let libHasContent = false
+    try {
+      libHasContent = existsSync(libDir) && readdirSync(libDir).length > 0
+    } catch {}
+
+    if (forgeBin) {
+      if (!libHasContent) {
+        // Fetch registered dependencies without cloning full git history
+        spawnSync(forgeBin, ['install', '--no-git'], {
+          cwd: repoDir,
+          timeout: 120_000,
+          encoding: 'utf8',
+          stdio: 'pipe',
+          env: toolEnv,
+        })
+      }
+
+      // Pre-build so Slither can use Foundry's compilation artifacts (out/).
+      // Best-effort: continue even if some contracts fail to compile.
+      spawnSync(forgeBin, ['build', '--skip', 'test', 'script'], {
+        cwd: repoDir,
+        timeout: 180_000,
+        encoding: 'utf8',
+        stdio: 'pipe',
+        env: toolEnv,
+      })
+    }
+
+    return libHasContent ? 'foundry-lib-present' : 'forge'
+  }
+
+  return 'no-pkg-manager'
+}
+
+/**
+ * Count .sol files in a directory (recursive, ignores node_modules).
+ * Returns quickly (milliseconds) and is used as a fast Slither gate —
+ * no .sol files means no point running Slither.
+ */
+function countSolFiles(dir: string): number {
+  try {
+    const result = spawnSync(
+      'find',
+      [dir, '-name', '*.sol', '-not', '-path', '*/node_modules/*', '-not', '-path', '*/.git/*'],
+      { encoding: 'utf8', timeout: 10_000 }
+    )
+    if (result.status !== 0) return 0
+    return result.stdout.trim().split('\n').filter(Boolean).length
+  } catch {
+    return 0
+  }
+}
+
+interface SlitherResult {
+  findings: SlitherFinding[]
+  status: 'success' | 'compilation_error'
+}
+
+function runSlither(repoDir: string): SlitherResult {
+  const outputPath = join(tmpdir(), `slither-${Date.now()}.json`)
+  const slitherBin = findSlitherBin()
+
+  // Install deps so Slither can compile — without this, Hardhat repos always return 0 findings
+  installDeps(repoDir)
+
+  // Detect the required solc version from pragma statements and switch to it
+  const detectedVersion = detectSolcVersion(repoDir)
+  if (detectedVersion) {
+    setSolcVersion(detectedVersion)
+  }
+
+  // Detect import remappings (remappings.txt or foundry.toml)
+  const remappings = detectRemappings(repoDir)
+
+  // Build PATH that includes common tool locations (launchd has minimal PATH)
+  const toolEnv = {
+    ...process.env,
+    PATH: [
+      '/opt/homebrew/bin',
+      '/usr/local/bin',
+      '/usr/bin',
+      '/bin',
+      '/Users/feral/.foundry/bin',
+      process.env.PATH,
+    ].filter(Boolean).join(':'),
+  }
+
+  const slitherArgs = [
+    '.',
+    '--json', outputPath,
+    '--disable-color',
+    '--no-fail-pedantic',  // continue analysis even if some files fail to compile
+  ]
+
+  if (remappings.length > 0) {
+    slitherArgs.push('--solc-remaps', remappings.join(' '))
+  }
+
+  // For Foundry projects, pass --foundry-compile-all to get better coverage
+  if (existsSync(join(repoDir, 'foundry.toml'))) {
+    slitherArgs.push('--foundry-compile-all')
+  }
+
+  try {
+    const result = spawnSync(
+      slitherBin,
+      slitherArgs,
+      {
+        cwd: repoDir,
+        timeout: 180_000,
+        encoding: 'utf8',
+        stdio: 'pipe',
+        env: toolEnv,
+      }
+    )
+
+    // Log stderr for debugging (first 500 chars)
+    const errSnippet = (result.stderr ?? '').slice(0, 500)
+    if (errSnippet && !existsSync(outputPath)) {
+      writeFileSync(join(tmpdir(), `slither-err-${Date.now()}.txt`), errSnippet)
+    }
+
+    if (!existsSync(outputPath)) {
+      // Native Slither failed — try Docker fallback
+      const dockerResult = runSlitherDocker(repoDir, detectedVersion)
+      if (dockerResult.status === 'success') return dockerResult
+      return { findings: [], status: 'compilation_error' }
+    }
+
+    const raw = readFileSync(outputPath, 'utf8')
+    const parsed = JSON.parse(raw) as SlitherOutput
+    const detectors = parsed?.results?.detectors || []
+
+    const findings = detectors.filter(
+      (d) => d.impact === 'High' || d.impact === 'Medium' || d.impact === 'Critical'
+    )
+    return { findings, status: 'success' }
+  } catch {
+    return { findings: [], status: 'compilation_error' }
+  } finally {
+    try {
+      if (existsSync(outputPath)) rmSync(outputPath)
+    } catch {}
+  }
+}
+
+/**
+ * Returns true if a Solidity file is likely a test, mock, or interface file
+ * that shouldn't be prioritized for security review.
+ */
+function isTestOrMockFile(filePath: string): boolean {
+  const base = filePath.split('/').pop() ?? ''
+  const baseLower = base.toLowerCase()
+  const pathLower = filePath.toLowerCase()
+
+  // Files in test/mock/interface directories
+  if (/\/(test|tests|mock|mocks|interface|interfaces|fixture|fixtures|stub|stubs|spec)\//.test(pathLower)) return true
+
+  // Filenames starting with test/mock/interface etc. (case-insensitive)
+  if (/^(test|mock|interface|fixture|stub|spec)/.test(baseLower)) return true
+
+  // Interface files: IPool.sol, IERC20.sol (capital I + capital letter)
+  if (/^I[A-Z]/.test(base)) return true
+
+  // Foundry test style: Foo.t.sol
+  if (baseLower.endsWith('.t.sol')) return true
+
+  // Files ending with Test/Mock/Interface (e.g. PoolTest.sol, TokenMock.sol)
+  if (/(test|mock|interface|fixture|stub)\.sol$/.test(baseLower)) return true
+
+  return false
+}
+
+/**
+ * Returns a priority score for a Solidity file path.
+ * Higher = more likely to be a core protocol contract worth auditing.
+ */
+export function contractPriority(filePath: string): number {
+  const base = filePath.split('/').pop() ?? ''
+
+  // Deprioritise test/mock/interface files
+  if (isTestOrMockFile(filePath)) return 0
+
+  // Boost core protocol contracts
+  if (/^(Pool|Vault|Core|Main|Protocol|Manager|Controller|Factory|Router|Staking|Lending|Borrow|Exchange|Swap|Bridge|Token|Governor|Governance|Treasury|Strategy|Proxy|Upgradeable)/i.test(base)) return 3
+  if (/^(Base|Abstract|Lib|Library|Helper|Utils|Math)/i.test(base)) return 1
+
+  return 2 // default: include, medium priority
+}
+
+function summarizeContracts(repoDir: string): string {
+  const solidityFiles: string[] = []
+
+  function findSol(dir: string, depth = 0): void {
+    if (depth > 4) return
+    try {
+      const entries = execSync(`ls -1 "${dir}" 2>/dev/null`, { encoding: 'utf8' })
+        .trim()
+        .split('\n')
+        .filter(Boolean)
+      for (const entry of entries) {
+        const fullPath = join(dir, entry)
+        if (entry.endsWith('.sol')) {
+          solidityFiles.push(fullPath)
+        } else if (!entry.startsWith('.') && !entry.includes('node_modules')) {
+          try {
+            const stat = execSync(`stat -f "%HT" "${fullPath}" 2>/dev/null`, { encoding: 'utf8' }).trim()
+            if (stat === 'Directory') findSol(fullPath, depth + 1)
+          } catch {}
+        }
+      }
+    } catch {}
+  }
+
+  findSol(repoDir)
+
+  // Sort by priority: core contracts first, test/mock/interface files filtered out
+  const prioritized = solidityFiles
+    .map((f) => ({ path: f, priority: contractPriority(f) }))
+    .filter((f) => f.priority > 0)
+    .sort((a, b) => b.priority - a.priority)
+    .map((f) => f.path)
+
+  const snippets: string[] = []
+  let totalChars = 0
+  const MAX_CHARS = 16000
+  const MAX_FILES = 15
+
+  for (const f of prioritized.slice(0, MAX_FILES)) {
+    if (totalChars >= MAX_CHARS) break
+    try {
+      const content = readFileSync(f, 'utf8')
+      const budget = Math.min(1200, MAX_CHARS - totalChars)
+      const snippet = content.slice(0, budget)
+      snippets.push(`// File: ${f.replace(repoDir, '')}\n${snippet}`)
+      totalChars += snippet.length
+    } catch {}
+  }
+
+  return snippets.join('\n\n---\n\n') || 'No Solidity files found'
+}
+
+async function runClaudeReview(
+  protocol: Protocol,
+  slitherFindings: SlitherFinding[],
+  contractCode: string,
+  sourceAvailable: boolean
+): Promise<{ review: string; riskLevel: AnalysisResult['riskLevel']; bounty: number; summary: string }> {
+  const claudeBin = findClaudeBin()
+  const claudeToken = process.env.CLAUDE_CODE_OAUTH_TOKEN || process.env.ANTHROPIC_API_KEY || ''
+
+  const slitherSummary =
+    slitherFindings.length > 0
+      ? slitherFindings
+          .map((f) => `[${f.impact}/${f.confidence}] ${f.check}: ${f.description?.slice(0, 200)}`)
+          .join('\n')
+      : 'No Slither findings (Slither may not be installed or no Solidity files found)'
+
+  const noCodeWarning = sourceAvailable
+    ? ''
+    : `
+IMPORTANT: No contract source code is available for this protocol. Your review MUST be an architecture-level threat model only.
+- Do NOT claim specific vulnerabilities exist without code evidence.
+- Set RISK_LEVEL to MEDIUM at most unless there is documented public evidence of a critical flaw.
+- Set BOUNTY_ESTIMATE_USD to 0 — speculative findings are not bounty-eligible.
+- The SUMMARY must clearly state: "Architecture review only — no source code analyzed."
+`
+
+  const prompt = `You are a smart contract security auditor. Review this protocol and its contracts for critical vulnerabilities.
+
+Protocol: ${protocol.name}
+Chain: ${protocol.chain}
+TVL: $${(protocol.tvl / 1_000_000).toFixed(1)}M
+Source code available: ${sourceAvailable ? 'YES' : 'NO'}
+${noCodeWarning}
+Focus on:
+- Governance/voting manipulation
+- Flash loan attack vectors
+- Oracle price manipulation
+- Reentrancy
+- Access control issues
+- Economic exploits
+
+Slither findings:
+${slitherSummary}
+
+Contract code summary:
+${contractCode}
+
+Respond in this exact format:
+RISK_LEVEL: <CRITICAL|HIGH|MEDIUM|LOW>
+BOUNTY_ESTIMATE_USD: <number>
+SUMMARY: <one paragraph disclosure summary>
+FULL_REVIEW: <detailed analysis>`
+
+  const promptFile = join(tmpdir(), `whiteh-prompt-${Date.now()}.txt`)
+
+  try {
+    writeFileSync(promptFile, prompt, 'utf8')
+
+    const env: Record<string, string> = { ...(process.env as Record<string, string>) }
+    if (claudeToken) {
+      if (claudeToken.startsWith('sk-ant-oat')) {
+        env.CLAUDE_CODE_OAUTH_TOKEN = claudeToken
+      } else {
+        env.ANTHROPIC_API_KEY = claudeToken
+      }
+    }
+
+    const result = spawnSync(claudeBin, ['--print', '--dangerously-skip-permissions', '-p', prompt], {
+      encoding: 'utf8',
+      timeout: 120_000,
+      env,
+      stdio: 'pipe',
+    })
+
+    const output = result.stdout || ''
+    const riskMatch = output.match(/RISK_LEVEL:\s*(CRITICAL|HIGH|MEDIUM|LOW)/i)
+    const bountyMatch = output.match(/BOUNTY_ESTIMATE_USD:\s*(\d+)/i)
+    const summaryMatch = output.match(/SUMMARY:\s*(.+?)(?=\nFULL_REVIEW:|$)/is)
+
+    return {
+      review: output,
+      riskLevel: (riskMatch?.[1]?.toUpperCase() as AnalysisResult['riskLevel']) || 'UNKNOWN',
+      bounty: bountyMatch ? parseInt(bountyMatch[1], 10) : 0,
+      summary: summaryMatch?.[1]?.trim() || 'No summary generated',
+    }
+  } catch (err) {
+    return {
+      review: `Claude review failed: ${(err as Error).message}`,
+      riskLevel: 'UNKNOWN',
+      bounty: 0,
+      summary: 'Review failed',
+    }
+  } finally {
+    try {
+      if (existsSync(promptFile)) rmSync(promptFile)
+    } catch {}
+  }
+}
+
+export async function analyzeProtocol(protocol: Protocol): Promise<AnalysisResult> {
+  await log(`Analyzing protocol: ${protocol.name} (TVL: $${(protocol.tvl / 1_000_000).toFixed(1)}M)`)
+
+  const result: AnalysisResult = {
+    protocolId: protocol.id,
+    protocolName: protocol.name,
+    chain: protocol.chain,
+    tvl: protocol.tvl,
+    slitherFindings: [],
+    slitherStatus: 'not_applicable',
+    claudeReview: '',
+    riskLevel: 'UNKNOWN',
+    estimatedBounty: 0,
+    disclosureSummary: '',
+    scannedAt: Date.now(),
+    sourceAvailable: false,
+  }
+
+  if (!protocol.github) {
+    await log(`${protocol.name}: no GitHub URL, running Claude-only review`)
+    const { review, riskLevel, bounty, summary } = await runClaudeReview(protocol, [], 'No repository available', false)
+    result.claudeReview = review
+    result.riskLevel = riskLevel
+    result.estimatedBounty = bounty
+    result.disclosureSummary = summary
+    result.sourceAvailable = false
+    return result
+  }
+
+  const tempDir = join(tmpdir(), `whiteh-${protocol.id}-${Date.now()}`)
+
+  try {
+    mkdirSync(tempDir, { recursive: true })
+
+    const cloneUrl = await resolveCloneUrl(protocol.github)
+    if (!cloneUrl) {
+      await log(`${protocol.name}: could not resolve GitHub org "${protocol.github}" to a clone URL, running Claude-only review`)
+      const { review, riskLevel, bounty, summary } = await runClaudeReview(
+        protocol,
+        [],
+        'Repository URL could not be resolved',
+        false
+      )
+      result.claudeReview = review
+      result.riskLevel = riskLevel
+      result.estimatedBounty = bounty
+      result.disclosureSummary = summary
+      result.sourceAvailable = false
+      return result
+    }
+
+    await log(`${protocol.name}: cloning ${cloneUrl} (org: ${protocol.github})`)
+    const cloned = cloneRepo(cloneUrl, tempDir)
+
+    if (!cloned) {
+      await log(`${protocol.name}: clone failed, running Claude-only review`)
+      const { review, riskLevel, bounty, summary } = await runClaudeReview(
+        protocol,
+        [],
+        'Repository clone failed',
+        false
+      )
+      result.claudeReview = review
+      result.riskLevel = riskLevel
+      result.estimatedBounty = bounty
+      result.disclosureSummary = summary
+      result.sourceAvailable = false
+      return result
+    }
+
+    result.sourceAvailable = true
+
+    const solCount = countSolFiles(tempDir)
+    if (solCount === 0) {
+      result.slitherStatus = 'not_applicable'
+      await log(`${protocol.name}: no .sol files found — skipping Slither (non-EVM or frontend repo)`)
+    } else {
+      await log(`${protocol.name}: found ${solCount} .sol file(s)`)
+      const slitherAvailable = ensureSlither()
+      if (slitherAvailable) {
+        await log(`${protocol.name}: running Slither analysis`)
+        const slitherResult = runSlither(tempDir)
+        result.slitherFindings = slitherResult.findings
+        result.slitherStatus = slitherResult.status
+        if (slitherResult.status === 'compilation_error') {
+          await log(`${protocol.name}: Slither compilation error — no static findings (contracts may use unsupported compiler or missing deps)`)
+        } else {
+          await log(`${protocol.name}: Slither found ${result.slitherFindings.length} HIGH/CRITICAL findings`)
+        }
+      } else {
+        result.slitherStatus = 'unavailable'
+        await log(`${protocol.name}: Slither unavailable, skipping static analysis`)
+      }
+    }
+
+    const contractCode = summarizeContracts(tempDir)
+
+    await log(`${protocol.name}: running Claude security review`)
+    const { review, riskLevel, bounty, summary } = await runClaudeReview(
+      protocol,
+      result.slitherFindings,
+      contractCode,
+      true
+    )
+    result.claudeReview = review
+    result.riskLevel = riskLevel
+    result.estimatedBounty = bounty
+    result.disclosureSummary = summary
+
+    await log(`${protocol.name}: analysis complete — risk=${riskLevel}, bounty=$${bounty}`)
+  } catch (err) {
+    result.error = (err as Error).message
+    await log(`${protocol.name}: analysis error: ${result.error}`)
+  } finally {
+    try {
+      if (existsSync(tempDir)) rmSync(tempDir, { recursive: true, force: true })
+    } catch {}
+  }
+
+  return result
+}