Skip to content

feat(skill): add solana-roast — pre-audit design & security interrogation#26

Open
Shawnchee wants to merge 3 commits into
solanabr:mainfrom
Shawnchee:feat/skill-solana-roast-21-06-2026
Open

feat(skill): add solana-roast — pre-audit design & security interrogation#26
Shawnchee wants to merge 3 commits into
solanabr:mainfrom
Shawnchee:feat/skill-solana-roast-21-06-2026

Conversation

@Shawnchee

Copy link
Copy Markdown

What this adds

Adds solana-roast as an ext/ skill submodule — an adversarial pre-ship design & security interrogator for Solana programs.

Repo: https://github.com/Shawnchee/solana-roast-skill (MIT)

It fills the gap between the kit's idea-stage skills and its audit-stage skills (ext/trailofbits, ext/qedgen, ext/safe-solana-builder, review-and-iterate): there's nothing that interrogates the design before the code is finished, where the most expensive Solana mistakes are made. solana-roast is the design gate before the audit gate — and its pre-audit-checklist.md is built to be the direct input the scanners/auditors consume.

How it works

  • Reads the user's Anchor/native code first, then interrogates the design one question at a time, each with a recommended answer, across 9 branches: accounts/PDAs, authority/signers, CPI, state/data, economic invariants, upgrade/governance, compute/DoS, tokens (SPL/Token-2022), and the client↔chain integration boundary. (Generic web2/infra is explicitly handed off to cso.)
  • Emits design-spec.md, threat-model.md (+ a Design Safety score), pre-audit-checklist.md, and an optional teaching lecture.md that explains each finding and the real exploit it mirrors.
  • Current to the Anchor 1.0 / Token-2022 / Solana 3.x stack. Every check is sourced in the skill's SOURCES.md (no-guessing policy); a verified exploit-library.md (Wormhole, Cashio, Mango, Drift, …) backs the lecture.
  • Ships an intentionally-vulnerable demo + a full worked roast as proof it runs end-to-end.

Ripple Map followed

Per CLAUDE.md, a submodule add updates:

  • .gitmodulesext/solana-roast entry
  • README.md — submodules table row + tree + bumped the 18 → 19 ext/ count (×2)
  • QUICK-START.md — tree + bumped 18 → 19 ext/ count
  • .claude/skills/SKILL.md — routing entry (Security Auditing section, as the pre-audit gate) + routing table row + hub description

Notes for maintainers

  • I left .claude/VERSION / CHANGELOG.md untouched — version bumps are yours to own. Happy to add a minor bump if you'd like.
  • validate.sh in a fresh fork clone reports broken-link/init FAILs for all ext/ submodules because they aren't checked out (git submodule update --init). With submodules initialized, ext/solana-roast's links resolve and pass — my change adds no new failure class (solana-roast appears only as PASS).
  • It's a design-stage interrogator, not an audit — it reduces design risk and produces a triaged checklist, then hands off. The skill says so explicitly.

License

MIT — ready to be submoduled into the kit.

…tion

Adds ext/solana-roast (https://github.com/Shawnchee/solana-roast-skill, MIT): an
adversarial program design & security interrogator that runs BEFORE the audit-stage
skills. 9 branches, one question at a time with recommended answers, grounded in the
user's Anchor/native code; emits design-spec + threat-model (with a Design Safety
score) + pre-audit checklist + optional teaching lecture. Current to Anchor 1.0 /
Token-2022 / Solana 3.x; every check sourced (SOURCES.md).

Ripple Map: .gitmodules, README table+tree+count, QUICK-START tree+count, skill-hub
SKILL.md routing. VERSION/CHANGELOG left for maintainers.
@vercel

vercel Bot commented Jun 21, 2026

Copy link
Copy Markdown

@Shawnchee is attempting to deploy a commit to the STBR TRUE Team on Vercel.

A member of the Team first needs to authorize it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant