Code Checker
This repo is onboarded to the local Code Checker tool through scripts/run-code-checker.cjs. The helper uses CODE_CHECKER_BIN when set and otherwise looks in the local personal Code Checker locations:
/Users/maybe/Documents/code checker/bin/code-checker.js
/Users/maybe/Documents/repos/code checker/bin/code-checker.jsUse it before calling changes shippable.
Normal Local Flow
Run relevant project checks:
forge fmt --check
forge build --sizes
forge test
npm run test:fuzz
npm --prefix frontend run build
npm --prefix services run typecheck
npm --prefix services run build
npm --prefix services run test:approval-scanner
npm run test:smoke:safeguard
npm run check:abi-parity
npm run code-checker:workflow-permissionsnpm run test:fuzz, npm run test:smoke:safeguard, and npm run check:abi-parity write automated check reports that Code Checker evidence includes when those risk rules apply.
If a check has a known pre-existing failure, capture that honestly through the matching environment variable before generating evidence:
CODE_CHECKER_FRONTEND_BUILD_STATUS=fail npm run code-checker:evidenceOtherwise, after passing checks:
npm run code-checker:evidence
npm run code-checker:evaluate:bot
npm run code-checker:ceremonyUse npm run code-checker:evaluate:bot for daily development handoff. Use npm run code-checker:evaluate for strict production release gates.
Checker-bot mode still blocks failed automated checks, bad hashes, failed safety/adversarial checks, and missing automated gates. It turns missing manual reviews, notes, plans, runbooks, dry-runs, and approvals into warnings.
Safety And Adversarial Scans
Set an explicitly authorized target:
export CODE_CHECKER_TARGET_URL="https://preview.example.com"
export CODE_CHECKER_AUTHORIZED_HOSTS="preview.example.com"Run the baseline user safety scanner:
npm run code-checker:safetyRun adversarial suites for changed risk areas:
npm run code-checker:adversarial:frontend
npm run code-checker:adversarial:keeperThen regenerate evidence so those reports are included:
npm run code-checker:evidence
npm run code-checker:evaluate:botRelease Gates
Create a private status file for a release:
npm run code-checker:init-statusEdit private-release-gate-status.json as evidence is collected. Do not commit the private status file.
Require every current release gate to be complete or explicitly deferred:
npm run code-checker:gatesFor strict production release gates, use:
npm run code-checker:evaluateDeferred gates must be named in release notes with accepted risk and follow-up owner.
High-Risk Areas
Code Checker raises risk for:
- core lending, deposit, collateral, liquidation, helper, and interface contracts
- Safe Guard, liquidation module, approval scanner, Safe configuration, and Safe transaction boundaries
- deployment scripts, generated ABIs, deployed address assumptions, and Foundry config
- Supabase migrations, RLS-sensitive schema, service database access, and frontend API routes
- keeper, monitor, notifications, event selectors, and Railway/service runtime
- frontend wallet, transaction, borrow/lend, dashboard, and message flows
- environment templates, Vercel/Railway/GitHub Actions config, and dependency lockfiles