Skip to content

docs: add concise AI contract review guide#5880

Open
moul wants to merge 3 commits into
masterfrom
claude/hopeful-shannon-474dae
Open

docs: add concise AI contract review guide#5880
moul wants to merge 3 commits into
masterfrom
claude/hopeful-shannon-474dae

Conversation

@moul

@moul moul commented Jul 2, 2026

Copy link
Copy Markdown
Member

Summary

Adds docs/resources/gno-ai-contract-review.md — a short, checklist-style guide specifically for AI agents reviewing Gno realm code.

The guide covers the seven highest-yield issues:

  1. Caller identity via cur realm, not attacker-controlled address parameters
  2. Payment guards: IsUserCall() not IsUser()
  3. No exported pointers to mutable state
  4. No caller-supplied callbacks invoked under realm authority
  5. Interface parameters need canonical-type assertion
  6. Never store realm values (store Address() strings instead)
  7. /p/-embedded types with callback iterators must stay unexported

Relationship to existing work

This is intentionally more minimal than the other security resources:

Resource Scope
gno-security-guide.md Deep technical threat model, borrow rules, proofs — for realm authors who want to understand why
misc/audit-pattern-harness/ (#5835) Automated tooling: YAML-defined patterns, sanitized fixtures, gno test execution, Markdown/JSON reports
gno-mcp audit skill MCP-packaged harness for AI agents to run audits programmatically
this file Concise checklist an AI can apply inline during code review without tooling

The audit harness and gno-mcp skill are powerful when you want to run automated checks. This guide fills the lighter-weight use case: an AI agent reading a contract and knowing what to look for, without needing a separate tool invocation.

@Gno2D2

Gno2D2 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):
  • IGNORE the bot requirements for this PR (force green CI check)
Read More

🤖 This bot helps streamline PR reviews by verifying automated checks and providing guidance for contributors and reviewers.

✅ Automated Checks (for Contributors):

No automated checks match this pull request.

☑️ Contributor Actions:
  1. Fix any issues flagged by automated checks.
  2. Follow the Contributor Checklist to ensure your PR is ready for review.
    • Add new tests, or document why they are unnecessary.
    • Provide clear examples/screenshots, if necessary.
    • Update documentation, if required.
    • Ensure no breaking changes, or include BREAKING CHANGE notes.
    • Link related issues/PRs, where applicable.
☑️ Reviewer Actions:
  1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.
📚 Resources:
Debug
Manual Checks
**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

  • Any user with comment edit permission

@davd-gzl davd-gzl self-requested a review July 6, 2026 12:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

📖 documentation Improvements or additions to documentation 📄 top-level-md

Projects

Status: 📥 Inbox

Development

Successfully merging this pull request may close these issues.

2 participants