
feat: add /solana skill — 7-mode Solana development lifecycle#735

Open
scriptscrypt wants to merge 1 commit into garrytan:main from scriptscrypt:feat/solana-skills

Conversation


@scriptscrypt scriptscrypt commented Apr 1, 2026

Summary

  • Adds /solana skill with 7 modes: ideas, build, audit, deploy, monitor, debug, ecosystem — covering the full Solana development lifecycle from idea to production
  • Build mode includes specialized sub-routes for DeFi protocols, token launches (SPL + Token-2022), Blinks/Actions, data pipelines, mobile apps, AI agents, and NFTs — with support for both Anchor and Pinocchio frameworks
  • Adds Solana specialist reviewer that auto-triggers during /review when Anchor/solana-program code is detected, covering 9 vulnerability categories including Sealevel-specific exploits and Token-2022 extension patterns
  • Ecosystem mode integrates the solana-new CLI catalog (67 repos, 71 skills, 49 MCPs) for project-specific tool recommendations

What's in the skill

| Mode | What it does |
| --- | --- |
| /solana ideas | Product discovery — ecosystem gap analysis, kill test, 3 ranked ideas |
| /solana build | Guided dev with sub-modes for DeFi, tokens, blinks, pipelines, mobile, agents, NFTs |
| /solana audit | Security audit — 9 vulnerability categories (signer, PDA, CPI, arithmetic, DeFi, Token-2022) |
| /solana deploy | Mainnet deployment — pre-flight, devnet-first, upgrade authority, program verification |
| /solana monitor | Post-deploy health — existence, authority, tx rate, balance checks |
| /solana debug | Error diagnosis — Anchor error codes, CPI tracing, tx simulation |
| /solana ecosystem | Browse repos, skills, MCPs with recommendations by project type |

Key features

  • Pinocchio support — zero-dep framework option (88-95% CU savings) alongside Anchor
  • Token-2022 extensions — TransferFee, TransferHook, ConfidentialTransfer, NonTransferable, etc.
  • Compute unit optimization — CU budget reference table, profiling techniques
  • Fast local testing — Bankrun, LiteSVM, Surfpool patterns
  • DeFi non-negotiables — checked arithmetic, oracle staleness, slippage protection, emergency pause
  • Security test patterns — unauthorized access, double-init, overflow protection
  • Space calculation cheat sheet — account sizing reference for Anchor programs

Files changed

| File | What |
| --- | --- |
| solana/SKILL.md.tmpl | New skill template (1,670 lines) |
| solana/SKILL.md | Generated output (2,344 lines) |
| review/specialists/solana.md | Solana specialist reviewer (76 lines, 9 vuln categories) |
| review/SKILL.md | Regenerated (specialist routing) |
| scripts/resolvers/review-army.ts | Solana stack detection for specialist dispatch |

Test plan

  • bun test test/skill-validation.test.ts test/gen-skill-docs.test.ts — 658 pass, 0 fail
  • bun run gen:skill-docs regenerates cleanly
  • All bash blocks pass zsh-safety check (setopt guard)
  • Manual test: run /solana in a project with Anchor.toml — should route to build mode
  • Manual test: run /solana ideas in empty dir — should start discovery flow
  • Manual test: run /review on Solana program — should dispatch Solana specialist

Adds a comprehensive /solana skill with seven modes covering the full
Solana development lifecycle: ideas, build, audit, deploy, monitor,
debug, and ecosystem discovery.

Build mode includes specialized sub-routes for DeFi protocols, token
launches, Blinks/Actions, data pipelines, mobile apps, AI agents, and
NFTs. Supports both Anchor and Pinocchio frameworks, Token-2022
extensions, compute unit optimization, and fast local testing with
Bankrun/LiteSVM/Surfpool.

Also adds a Solana specialist reviewer that auto-triggers during
/review when Anchor or solana-program code is detected, covering 9
vulnerability categories including Sealevel-specific exploits and
Token-2022 extension patterns.

Ecosystem mode references the solana-new CLI catalog (67 repos, 71
skills, 49 MCPs) for project-specific tool recommendations.
mehmoodosman pushed a commit to mehmoodosman/gstack that referenced this pull request Apr 1, 2026
This commit fixes a critical security vulnerability where IPv4-mapped IPv6 addresses
could bypass the cloud metadata endpoint protection.

Vulnerability Details:
- The metadata IP 169.254.169.254 (AWS/GCP/Azure metadata endpoint) could be accessed
  using IPv4-mapped IPv6 addresses like ::ffff:169.254.169.254 or ::ffff:a9fe:a9fe
- These formats bypassed the existing isMetadataIp() check which only normalized
  via the URL constructor, not handling the IPv4-in-IPv6 embedding

Changes Made:
1. Added extractIpv4FromMappedIpv6() function to detect and extract IPv4 addresses
   from IPv4-mapped IPv6 formats:
   - ::ffff:x.x.x.x (standard IPv4-mapped)
   - ::x.x.x.x (deprecated IPv4-compatible)
   - Full forms with all 8 groups
   - Hex-encoded forms (a9fe:a9fe representing 169.254.169.254)

2. Updated isMetadataIp() to use the new extraction function and check if the
   extracted IPv4 is a blocked metadata endpoint

3. Added comprehensive test cases for all IPv4-mapped IPv6 bypass variants:
   - ::ffff:169.254.169.254
   - ::ffff:a9fe:a9fe (hex encoding)
   - ::169.254.169.254 (deprecated)
   - Full forms with 8 groups
   - Hex-encoded full forms

Security Impact: HIGH - This prevents SSRF attacks targeting cloud metadata endpoints
via IPv6 address encoding bypasses.

Fixes: garrytan#735 (security advisory)
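The normalisation the commit message describes, as an added example written for this page rather than the gstack commit's own code: it expands an IPv6 literal to eight groups so that `::ffff:169.254.169.254`, `::ffff:a9fe:a9fe`, the deprecated `::169.254.169.254` and the full eight-group spellings all resolve to the same embedded IPv4 before the blocklist check. The function names match the ones the message mentions; the implementation and the single-entry blocklist are assumptions.

```typescript
// Added example, not the gstack commit's code. Blocklist limited to the
// endpoint the commit names; a real deployment would carry its own list.
const METADATA_IPV4 = new Set(["169.254.169.254"]); // AWS/GCP/Azure IMDS

// Expand an IPv6 literal into eight 16-bit groups; null if malformed.
function expandIpv6(addr: string): number[] | null {
  let text = addr.trim();
  if (text.startsWith("[") && text.endsWith("]")) text = text.slice(1, -1);
  // A trailing dotted quad (::ffff:1.2.3.4) occupies the last two groups,
  // so rewrite it as two hex groups before expanding.
  const m = /^(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (m) {
    const octets = m.slice(2, 6).map(Number);
    if (octets.some((o) => o > 255)) return null;
    const hi = ((octets[0] << 8) | octets[1]).toString(16);
    const lo = ((octets[2] << 8) | octets[3]).toString(16);
    text = `${m[1]}${hi}:${lo}`;
  }
  const halves = text.split("::");
  if (halves.length > 2) return null;
  const parse = (s: string) => (s === "" ? [] : s.split(":"));
  const head = parse(halves[0]);
  const tail = halves.length === 2 ? parse(halves[1]) : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  const nums = groups.map((g) => (/^[0-9a-f]{1,4}$/i.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

// Return the embedded IPv4 for ::ffff:x.x.x.x / ::ffff:xxxx:xxxx (mapped) and
// the deprecated ::x.x.x.x / ::xxxx:xxxx (compatible) forms, in any spelling.
function extractIpv4FromMappedIpv6(addr: string): string | null {
  const g = expandIpv6(addr);
  if (!g || g.slice(0, 5).some((v) => v !== 0)) return null;
  if (g[5] !== 0xffff && g[5] !== 0) return null;
  if (g[5] === 0 && g[6] === 0 && g[7] <= 1) return null; // :: and ::1 carry no IPv4
  return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join(".");
}

// Hostname as the URL constructor yields it (IPv6 may still be bracketed).
function isMetadataIp(host: string): boolean {
  const bare = host.replace(/^\[|\]$/g, "");
  if (METADATA_IPV4.has(bare)) return true; // plain IPv4 literal
  const embedded = extractIpv4FromMappedIpv6(bare); // IPv6 encodings
  return embedded !== null && METADATA_IPV4.has(embedded);
}
```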