DST Engine

Quick Start

git clone https://github.com/MassDeterministicEngines/dst-engine.git
cd dst-engine
npm install --legacy-peer-deps
npx tsx src/dst-cli.ts --demo --prove

What You'll See

DST parses source code into a graph, traces tainted data flows, verifies 783 CWE properties, and generates proof certificates for exploitable findings:

[FAIL] CWE-89: SQL Injection
  CRITICAL: User input from req.body.login flows to SQL query
  at db.query(query, ...) without parameterization.
    Source: req.body.login (line 10)
    Sink:   db.query(query, ...) (line 11)
    Missing: CONTROL (input validation or parameterized query)
    PROOF [strong]:
      Payload: ' UNION SELECT 'DST_CANARY_SQLI' --
      Deliver: http POST /
      Oracle:  hybrid — payload reaches sink unmodified

That PROOF block is the difference. DST doesn't just say "this looks vulnerable" — it gives you the payload to prove it.

Architecture

Source code → tree-sitter AST
  → Phoneme classification (API calls → universal semantic types)
  → NeuralMap graph (nodes + tainted data flow edges)
  → CWE verification (783 properties checked against graph)
  → Proof generation (payload + delivery + oracle per finding)
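
One way to picture the graph and CWE-verification stages, as an added example that is not DST's own code: a path check that reports a SOURCE reaching a SINK with no CONTROL node in between, run on constructed graphs for the req.body.login finding above and for its parameterized fix. The node kinds, ids, labels and the function name findUncontrolledFlows are assumptions made for illustration.

```typescript
// Added illustration, not DST source code. Node kinds, ids and labels are assumptions.
type Kind = "SOURCE" | "TRANSFORM" | "CONTROL" | "SINK";
interface FlowNode { id: string; kind: Kind; label: string }
interface FlowGraph { nodes: FlowNode[]; edges: [string, string][] } // tainted data-flow edges
interface Finding { source: string; sink: string; path: string[]; missing: "CONTROL" }

// Report every SOURCE -> SINK path that never passes through a CONTROL node.
function findUncontrolledFlows(g: FlowGraph): Finding[] {
  const byId = new Map(g.nodes.map((n): [string, FlowNode] => [n.id, n]));
  const next = new Map<string, string[]>();
  for (const [from, to] of g.edges) next.set(from, [...(next.get(from) ?? []), to]);

  const findings: Finding[] = [];
  const walk = (source: string, id: string, path: string[]): void => {
    const node = byId.get(id);
    if (!node || path.includes(id)) return; // dangling edge or cycle
    if (node.kind === "CONTROL") return;    // taint is neutralised on this branch
    const here = [...path, id];
    if (node.kind === "SINK") {
      findings.push({ source, sink: id, path: here, missing: "CONTROL" });
      return;
    }
    for (const n of next.get(id) ?? []) walk(source, n, here);
  };
  for (const n of g.nodes) if (n.kind === "SOURCE") walk(n.id, n.id, []);
  return findings;
}

// Constructed graph for the sample finding: input is concatenated into the query text.
const vulnerableFlow: FlowGraph = {
  nodes: [
    { id: "src", kind: "SOURCE", label: "req.body.login" },
    { id: "concat", kind: "TRANSFORM", label: "string concatenation into query" },
    { id: "sink", kind: "SINK", label: "db.query(query, ...)" },
  ],
  edges: [["src", "concat"], ["concat", "sink"]],
};

// Constructed graph for the fix: the value reaches db.query only as a bound parameter.
const parameterizedFlow: FlowGraph = {
  nodes: [
    { id: "src", kind: "SOURCE", label: "req.body.login" },
    { id: "bind", kind: "CONTROL", label: "bound query parameter" },
    { id: "sink", kind: "SINK", label: "db.query(sql, [login])" },
  ],
  edges: [["src", "bind"], ["bind", "sink"]],
};
console.log(findUncontrolledFlows(vulnerableFlow));    // one finding
console.log(findUncontrolledFlows(parameterizedFlow)); // no findings
```

A CONTROL node clears only the branch it sits on, so a second, unguarded edge from the same source to the sink is still reported.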

Supported Languages

Benchmarked: Java, JavaScript/TypeScript
Profiles built: Python, Go, Rust, PHP, C#, Ruby, Kotlin, Swift

AI Security Extensions

DST's phoneme architecture extends naturally to AI/LLM security. With ~190 lines of mapper code (LLM SDK phonemes + a taint-transformer rule), DST can detect 67.9% of the AI security vulnerability landscape — including Text2SQL injection, prompt injection (CWE-1427), and MCP server vulnerabilities.
