Thank you for contributing a smart contract template to the StarForge library! This document covers every step from writing your template to getting it accepted.
Before opening a pull request, confirm each item:
- Template compiles with
cargo buildtargetingwasm32-unknown-unknown - Template passes its own test suite (
cargo test) - Template source uses
{{PROJECT_NAME_PASCAL}}as the contract struct name - A
README.mdis included describing the contract and its public functions -
registry.jsonentry is present with all required fields -
security_reviewfield is present (status"pending"is acceptable for new submissions) -
changelogfield has at least one entry for the initial version - License is declared via the
licensefield (MIT or Apache-2.0 preferred) -
TEMPLATE_CONTRIBUTING.mdchecklist items have all been addressed
Every template lives under templates/examples/<template-name>/ and follows this layout:
templates/examples/<template-name>/
├── Cargo.toml # crate manifest — uses {{project_name_snake}}
├── README.md # user-facing documentation
└── src/
└── lib.rs # contract source
[package]
name = "{{project_name_snake}}"
version = "0.1.0"
edition = "2021"
[lib]
crate-type = ["cdylib"]
[dependencies]
soroban-sdk = { version = "22.0.0", features = ["alloc"] }
[dev-dependencies]
soroban-sdk = { version = "22.0.0", features = ["testutils"] }Use {{project_name_snake}} as the crate name — StarForge replaces this with the
user's project name when scaffolding.
- Must start with
#![no_std] - Must use
{{PROJECT_NAME_PASCAL}}as the contract struct name (double-brace placeholder) - Must include a module-level doc comment (
//! …) explaining the contract - Must include a
#[cfg(test)] mod test { … }block with at least two meaningful tests - Must compile without warnings
#![no_std]
//! Brief description of the contract.
use soroban_sdk::{contract, contractimpl, Env};
#[contract]
pub struct {{PROJECT_NAME_PASCAL}};
#[contractimpl]
impl {{PROJECT_NAME_PASCAL}} {
// ...
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_happy_path() { /* ... */ }
#[test]
#[should_panic(expected = "…")]
fn test_error_case() { /* ... */ }
}Every template must have a corresponding entry in templates/registry.json.
Below is the minimum required shape:
{
"name": "my-template",
"version": "1.0.0",
"description": "One-line description of what the contract does",
"author": "Your Name",
"tags": ["defi", "my-category"],
"source": { "type": "builtin", "id": "my-template" },
"created_at": "2025-01-01T00:00:00Z",
"updated_at": "2025-01-01T00:00:00Z",
"verified": false,
"documented": true,
"maintenance": "active",
"license": "MIT",
"security_review": {
"status": "pending",
"audited_at": null,
"auditor": null,
"findings": null,
"score": null
},
"changelog": [
{ "version": "1.0.0", "date": "2025-01-01", "notes": "Initial release" }
]
}| Field | Required | Description |
|---|---|---|
name |
✓ | Unique kebab-case identifier |
version |
✓ | Semver string (major.minor.patch) |
description |
✓ | One-line summary (≤ 120 chars) |
author |
✓ | Author name or GitHub handle |
tags |
✓ | At least one tag from the tag taxonomy |
source |
✓ | builtin, git, or local source descriptor |
license |
recommended | SPDX identifier (MIT, Apache-2.0, …) |
security_review |
recommended | Audit status — pending is fine initially |
changelog |
recommended | At least one entry |
maintenance |
recommended | active, maintained, deprecated, or unknown |
Use at least one of these standard tags so search works reliably:
| Tag | Used for |
|---|---|
token |
Fungible token contracts |
nft |
Non-fungible token contracts |
defi |
DeFi primitives (AMM, lending, staking, …) |
dao |
Governance / DAO contracts |
governance |
Voting and proposal contracts |
multisig |
Multi-signature wallets and vaults |
security |
Auth, access-control, and audit-focused contracts |
payments |
Payment channels, escrow, and invoicing |
staking |
Yield / staking contracts |
standard |
SEP-conformant contracts |
The StarForge Security Team reviews every new template before setting
verified: true. Until review is complete, the template is published with
"status": "pending".
- Authorization checks — every mutating function calls
require_auth()on the right principal; no function can be called by an arbitrary address. - Re-entrancy — state is updated before external token transfers.
- Integer arithmetic — no unchecked arithmetic that could overflow or wrap.
- Initialization guards — contracts cannot be re-initialized.
- Storage hygiene — correct use of
instance,persistent, andtemporarystorage lifetimes. - Panic messages — descriptive error strings, no empty panics.
| Priority | Target turnaround |
|---|---|
| Security fix | 48 hours |
| New template | 7 days |
| Version bump | 5 days |
Open a GitHub issue with the label security-review-request and link your PR.
The Security Team triages these daily.
When updating an existing template:
- Increment the
versionfield in theregistry.jsonentry following semver:- Patch (
x.y.Z) — bug fixes, doc improvements, no API changes. - Minor (
x.Y.0) — new optional functions, backward-compatible changes. - Major (
X.0.0) — breaking changes to the public API.
- Patch (
- Add a new entry at the top of the
changelogarray. - Update
updated_atto the current date. - Reset
security_review.statusto"pending"if the change affects contract logic.
Run the template's own tests from the StarForge CLI before submitting:
# Run tests via cargo directly
cargo test --manifest-path templates/examples/my-template/Cargo.toml
# Or via the CLI (once registered)
starforge template test my-templateAll tests must pass with zero warnings.
After adding your registry entry you can preview the generated Markdown docs:
starforge template docs my-template
# write to a file
starforge template docs my-template --output docs/templates/my-template.md- Fork the repo and create a branch:
git checkout -b feat/template-my-template - Add your template files and registry entry.
- Run
cargo testfrom the repo root to verify nothing is broken. - Open a PR against
mainwith the titlefeat(templates): add my-template. - Fill in the PR description template, including the checklist above.
- The Security Team will review and either approve or request changes within 7 days.
We appreciate every contribution — thank you for making the Stellar ecosystem stronger!