BrainblastbrainblastComing soon
Docs

How Brainblast works

The unit of the corpus, how records are proven, how to license and pull them, and how to contribute traps and earn.

Start here

Overview

Brainblast is an open corpus of machine-verified SDK footguns — the specific ways correct-looking integration code silently does the wrong thing. Each record is a Verified Trap Instance: failing code, the fix, and a test that proves the difference, pinned to the exact SDK version the bug lives in.

Three things you can do with it:

Read & sample the whole catalog free — no signup. Browse.
License curated lots to train or evaluate models on real, proven fixes. Pricing.
Contribute a trap and earn when your records are used. Earn.
The unit

What's a VTI

A Verified Trap Instance is a single, machine-checked record of one SDK footgun. Every VTI carries:

Component — the SDK and exact version the bug applies to.
Class — one of nine error classes (auth-bypass, missing-slippage-guard, silent-zero-revenue, unconfirmed-state, missing-verification, unchecked-staleness, immutable-after-deploy, wrong-constant, other).
RED fixture — a minimal repro that compiles, runs, and trips the footgun.
GREEN fixture — the corrected code that does the same job the right way.
The check — a vetted rule that FAILs RED and PASSes GREEN. The diff is the lesson.
Provenance — a commit-pinned source and the verbatim line, so the trap is confirmed real.
Receipt & corroboration — a re-runnable proof, plus how many independent repos exhibit it.

Records are grouped into curated lots by ecosystem or domain (Solana, EVM, Auth & Sessions, Transport/TLS, Web Hardening, Cloud & Storage, Cryptography, Browser & Desktop). Coverage shows the live class × lot surface.

Trust

How it's proven

A VTI is a claim that's been mechanically proven and can be re-proven by anyone — no answer key. A generalized oracle proves each record with the cheapest backend that can: a static AST checker, a compiler type-check against the pinned SDK, a sandboxed executed test, or a differential input→output table.

Contributed records also clear a fail-closed funnel — secret scan, RED→GREEN reproduction (the anti-poisoning gate), and consent/license — in order. Any rejection stops the record. Re-prove any pack yourself:

# vulnerable → RED fixed → GREEN
npx brainblast verify ./pack

Coverage & proof → the full pipeline and the live reproduced rate.

Use it

Subscriptions

The catalog is open to read; you pay for the fixtures — the vulnerable+fixed code and tests you train on. Buy at three granularities:

Lot — one ecosystem or security domain.
Package — Web3 (both chains) or AppSec (every web, backend, cloud & crypto lot), at a discount.
Scale — every lot, plus every lot added later, plus the zero-holdback firehose.

Lots are priced by coverage — distinct footgun patterns × SDKs × quality, not raw row count. Every license ships the full RED+GREEN fixtures and proving test, the live verified delta as the fleet finds more, and a signed grant. Bill monthly or annually — annual is the committed rate, ~17% off (2 months free) — and pay in USD or $BRAIN (10% off), which stacks on either. See Pricing and build a license on Access.

Use it

Integrate

Three ways to pull the corpus, one entitlement model behind all three.

CLI — stream your entitled delta as NDJSON:

brainblast feed \
--remote registry.brainblast.tech \
--grant ./grant.json --since <cursor>

MCP — wire the corpus into your agent so it recalls the verified record for an SDK before writing the integration:

{ "mcpServers": {
"brainblast": {
"command": "npx",
"args": ["brainblast", "mcp"] } } }

REST — vendor-neutral HTTP:

GET /api/catalog # public
GET /api/feed # grant-gated
GET /api/healthz # liveness

Everything ships in one package — npx brainblast — built in CI with SLSA provenance. No install required.

Use it

The feed & grant

Paid access is a signed grant you pass in the x-brainblast-grant header (or --grant). It's verified server-side with only the distributor's public key — vendor-neutral, no phone-home.

free — a receipt-only sample of the public catalog, no fixtures.
standard — the lots your grant names, full fixtures.
firehose (Scale) — every record, zero freshness holdback.

Lower tiers get a freshness holdback; the newest records land in higher tiers first. The feed streams oldest-first and returns a cursor — pass it as --since to resume without re-pulling.

Contribute

Submissions

Contribution is open and permissionless — no application, no reviewer. If your submission clears the automated gate, it's in. Four steps:

# 1. author + prove locally (RED→GREEN must hold)
brainblast pack init ./my-pack --id my-sdk
brainblast pack validate ./my-pack
# 2. submit — no PR, no branch
brainblast submit:vti --candidate ./my-trap.json --dry-run # check first
brainblast submit:vti --candidate ./my-trap.json

A valid submission needs a real bug, a minimal RED+GREEN pair that reproduces, a commit-pinned source citation plus the verbatim vulnerable line, no secrets, and the pinned SDK + version. The server re-checks all of it end-to-end before recording. Full requirements on Earn.

Contribute

Earn

Confirmed findings become permanent VTIs, scored by severity × corroboration. Each period, a fixed share of license revenue — the contributor pool — is split by score: your cut is your records' score over the corpus's. Paid on usage, not volume.

$BRAIN is optional — you never need a token to contribute. You can bond $BRAIN on a VTI to signal confidence and amplify your share; the reproduction gate is the slash trigger, so a trap that ever stops reproducing forfeits its bond. Try the estimator on Earn.