Skip to content

Code Checker

This repo is onboarded to the local Code Checker tool through scripts/run-code-checker.cjs. The helper uses CODE_CHECKER_BIN when set and otherwise looks in the local personal Code Checker locations:

text
/Users/maybe/Documents/code checker/bin/code-checker.js
/Users/maybe/Documents/repos/code checker/bin/code-checker.js

Use it before calling changes shippable.

Normal Local Flow

Run relevant project checks:

bash
forge fmt --check
forge build --sizes
forge test
npm run test:fuzz
npm --prefix frontend run build
npm --prefix services run typecheck
npm --prefix services run build
npm --prefix services run test:approval-scanner
npm run test:smoke:safeguard
npm run check:abi-parity
npm run code-checker:workflow-permissions

npm run test:fuzz, npm run test:smoke:safeguard, and npm run check:abi-parity write automated check reports that Code Checker evidence includes when those risk rules apply.

If a check has a known pre-existing failure, capture that honestly through the matching environment variable before generating evidence:

bash
CODE_CHECKER_FRONTEND_BUILD_STATUS=fail npm run code-checker:evidence

Otherwise, after passing checks:

bash
npm run code-checker:evidence
npm run code-checker:evaluate:bot
npm run code-checker:ceremony

Use npm run code-checker:evaluate:bot for daily development handoff. Use npm run code-checker:evaluate for strict production release gates.

Checker-bot mode still blocks failed automated checks, bad hashes, failed safety/adversarial checks, and missing automated gates. It turns missing manual reviews, notes, plans, runbooks, dry-runs, and approvals into warnings.

Safety And Adversarial Scans

Set an explicitly authorized target:

bash
export CODE_CHECKER_TARGET_URL="https://preview.example.com"
export CODE_CHECKER_AUTHORIZED_HOSTS="preview.example.com"

Run the baseline user safety scanner:

bash
npm run code-checker:safety

Run adversarial suites for changed risk areas:

bash
npm run code-checker:adversarial:frontend
npm run code-checker:adversarial:keeper

Then regenerate evidence so those reports are included:

bash
npm run code-checker:evidence
npm run code-checker:evaluate:bot

Release Gates

Create a private status file for a release:

bash
npm run code-checker:init-status

Edit private-release-gate-status.json as evidence is collected. Do not commit the private status file.

Require every current release gate to be complete or explicitly deferred:

bash
npm run code-checker:gates

For strict production release gates, use:

bash
npm run code-checker:evaluate

Deferred gates must be named in release notes with accepted risk and follow-up owner.

High-Risk Areas

Code Checker raises risk for:

  • core lending, deposit, collateral, liquidation, helper, and interface contracts
  • Safe Guard, liquidation module, approval scanner, Safe configuration, and Safe transaction boundaries
  • deployment scripts, generated ABIs, deployed address assumptions, and Foundry config
  • Supabase migrations, RLS-sensitive schema, service database access, and frontend API routes
  • keeper, monitor, notifications, event selectors, and Railway/service runtime
  • frontend wallet, transaction, borrow/lend, dashboard, and message flows
  • environment templates, Vercel/Railway/GitHub Actions config, and dependency lockfiles

Built for the 6529 community