Detection
- Anchor project: `Anchor.toml` exists OR a program `Cargo.toml` depends on `anchor-lang`
- Native Solana program: depends on `solana-program` without `anchor-lang`
- TS client/tests: `package.json` uses `@coral-xyz/anchor` and/or `@solana/web3.js`
Common layout
- `Anchor.toml`
- `programs/<program>/src/lib.rs`
- `tests/*.ts` (Anchor)
- `migrations/` (Anchor)
Worker rules
- Do not run tests: avoid `anchor test` and `cargo test`
- Formatting is OK: `cargo fmt`
- Never include secrets in chat, commits, or logs: seed phrases, private keys, `id.json`, RPC tokens
Overseer verification (run the repo's canonical scripts first)
- Prefer repo scripts (Makefile, package.json, justfile) if present
- Anchor:
  - `anchor build`
  - `anchor test`
- Rust:
  - `cargo fmt --all -- --check`
  - `cargo clippy --all-targets --all-features -- -D warnings`
Solana security spot-check
- Authority checks: explicit `Signer`/owner/authority validation
- Anchor constraints: `#[account(...)]` has the right `has_one`, seeds, bumps, and ownership rules
- Math safety: checked math for amounts/fees; avoid unchecked casts
- CPI signer seeds: correct seeds/bump; no user-controlled seed injection
- Close/realloc/rent: funds go to expected recipient; no data corruption
- Logging: `msg!` does not print secrets
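
The math-safety item above, as an added example in plain Rust (not code from this page or from any project): a fee calculation written once with the wrapping multiply a reviewer should flag and once with checked, widened arithmetic. The function names, the error enum and the basis-point fee model are assumptions made for illustration.

```rust
// Added example: all names and the basis-point fee model are hypothetical.
#[derive(Debug, PartialEq)]
pub enum MathError {
    Overflow,
    Underflow,
    InvalidFee,
}

const BPS_DENOMINATOR: u128 = 10_000;

/// Pattern to flag in review. `wrapping_mul` reproduces what `*` does on u64
/// when the build has overflow-checks turned off: the product wraps silently.
pub fn fee_unchecked(amount: u64, fee_bps: u16) -> u64 {
    amount.wrapping_mul(fee_bps as u64) / 10_000
}

/// Checked form: validate the rate, widen to u128, narrow with try_from.
pub fn fee_checked(amount: u64, fee_bps: u16) -> Result<u64, MathError> {
    if u128::from(fee_bps) > BPS_DENOMINATOR {
        return Err(MathError::InvalidFee);
    }
    let fee = u128::from(amount)
        .checked_mul(u128::from(fee_bps))
        .ok_or(MathError::Overflow)?
        / BPS_DENOMINATOR;
    // Cannot fail while fee_bps <= 10_000; kept so a later change fails closed.
    u64::try_from(fee).map_err(|_| MathError::Overflow)
}

/// Split a transfer into (net, fee) with a checked subtraction.
pub fn split_transfer(amount: u64, fee_bps: u16) -> Result<(u64, u64), MathError> {
    let fee = fee_checked(amount, fee_bps)?;
    let net = amount.checked_sub(fee).ok_or(MathError::Underflow)?;
    Ok((net, fee))
}

/// Narrow a u128 total to a u64 balance; `total as u64` would truncate instead.
pub fn narrow_checked(total: u128) -> Result<u64, MathError> {
    u64::try_from(total).map_err(|_| MathError::Overflow)
}

fn main() {
    println!("unchecked: {}", fee_unchecked(u64::MAX, 30));
    println!("checked:   {:?}", fee_checked(u64::MAX, 30));
    println!("split:     {:?}", split_transfer(1_000_000, 30));
    println!("narrow:    {:?}", narrow_checked(u128::from(u64::MAX) + 1));
}
```

With `amount = u64::MAX` and a 30 bps fee, the wrapping version returns a fee roughly 30 times too small, which is the kind of discrepancy this spot-check item is meant to catch.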