
Releases: Copenhagen0x/solana-security-standard

v1.9.0 — Integrator rules (SOL-029/030/031)

05 Jun 19:02


The standard's first client-side / integrator rules, for the TypeScript/web3.js code that builds and sends transactions (bots, keepers, integrators), alongside the 28 on-chain Rust rules.

  • SOL-029 — preflight simulation disabled (skipPreflight: true)
  • SOL-030 — static priority fee (hardcoded microLamports)
  • SOL-031 — stale Jupiter quote (no contextSlot freshness check)
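An added example, not the standard's own scanner or its deterministic patterns: a small TypeScript checker that approximates the three integrator rules over constructed web3.js source snippets, plus the slot-lag check a fixed integrator would apply before acting on a quote. The regexes, the jup.ag-URL heuristic for "consumes a Jupiter quote", the MAX_QUOTE_SLOT_LAG tolerance, and both sample snippets are assumptions of this example.

```typescript
// Added example, not the standard's own scanner: approximate SOL-029/030/031
// for TypeScript/web3.js integrator code with line-level and file-level checks.

interface Finding {
  rule: string; // SOL-0XX identifier
  line: number; // 1-based line, 0 for file-level findings
  text: string; // offending line, or a description for file-level findings
}

// Line-level patterns (assumed approximations, not the project's own patterns).
const LINE_RULES: { id: string; re: RegExp }[] = [
  // SOL-029: preflight simulation switched off at send time.
  { id: "SOL-029", re: /skipPreflight\s*:\s*true\b/ },
  // SOL-030: priority fee given as a numeric literal instead of a measured value.
  { id: "SOL-030", re: /microLamports\s*:\s*\d+/ },
];

// File-level heuristic for SOL-031: a Jupiter quote endpoint is called but
// contextSlot is never referenced, so quote freshness is never checked.
const JUPITER_QUOTE_CALL = /jup\.ag[^"'\s]*\/quote\b/;
const CONTEXT_SLOT_USE = /\bcontextSlot\b/;

function scanSource(src: string): Finding[] {
  const findings: Finding[] = [];
  src.split("\n").forEach((text: string, i: number) => {
    for (const r of LINE_RULES) {
      if (r.re.test(text)) findings.push({ rule: r.id, line: i + 1, text: text.trim() });
    }
  });
  if (JUPITER_QUOTE_CALL.test(src) && !CONTEXT_SLOT_USE.test(src)) {
    findings.push({
      rule: "SOL-031",
      line: 0,
      text: "Jupiter quote consumed without a contextSlot freshness check",
    });
  }
  // Deterministic report order: by rule id, then by line.
  return findings.sort((a, b) => a.rule.localeCompare(b.rule) || a.line - b.line);
}

// Runtime check a hardened integrator applies before acting on a quote.
// MAX_QUOTE_SLOT_LAG is an assumed tolerance; tune it per strategy.
const MAX_QUOTE_SLOT_LAG = 25;
function isQuoteFresh(
  contextSlot: number | undefined,
  currentSlot: number,
  maxLag: number = MAX_QUOTE_SLOT_LAG,
): boolean {
  // A quote that carries no slot cannot be judged fresh, so reject it.
  if (contextSlot === undefined || !Number.isFinite(contextSlot)) return false;
  // A quote slot ahead of our RPC's slot means our RPC lags, not the quote.
  return currentSlot - contextSlot <= maxLag;
}

// Constructed samples (not taken from any real integrator). Mint values are placeholders.
const VULNERABLE_SAMPLE = [
  'const quote = await fetch("https://quote-api.jup.ag/v6/quote?inputMint=SOL_MINT&outputMint=USDC_MINT&amount=1000000").then((r) => r.json());',
  "const tx = await buildSwapTransaction(quote);",
  "tx.add(ComputeBudgetProgram.setComputeUnitPrice({ microLamports: 50000 }));",
  "await connection.sendRawTransaction(tx.serialize(), { skipPreflight: true });",
].join("\n");

const HARDENED_SAMPLE = [
  'const quote = await fetch("https://quote-api.jup.ag/v6/quote?inputMint=SOL_MINT&outputMint=USDC_MINT&amount=1000000").then((r) => r.json());',
  'if (!isQuoteFresh(quote.contextSlot, await connection.getSlot())) throw new Error("stale quote");',
  "const recent = await connection.getRecentPrioritizationFees();",
  "const microLamports = Math.max(...recent.map((f) => f.prioritizationFee)); // measured, not hardcoded",
  "const tx = await buildSwapTransaction(quote);",
  "tx.add(ComputeBudgetProgram.setComputeUnitPrice({ microLamports }));",
  "await connection.sendRawTransaction(tx.serialize(), { skipPreflight: false });",
].join("\n");

// Usage: scanSource(VULNERABLE_SAMPLE) reports SOL-029, SOL-030 and SOL-031;
// scanSource(HARDENED_SAMPLE) reports nothing.
```

The line-level rules are cheap to make deterministic; SOL-031 is the interesting one because it is a property of the whole file (a quote is consumed somewhere, a freshness check exists nowhere), which is why it is expressed as a file-level heuristic rather than a single regex.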

20 of 31 rules now have a deterministic pattern. All surfaces (CLI, GitHub Action, Semgrep, VS Code, MCP, AI-agent rules files, content pages) regenerate from the two sources of truth. Reviewed to 0 Critical/High/Medium by three independent reviewers to convergence. Verified in both engines (scanner + real Semgrep).

Full notes: CHANGELOG.md.

Solana Security Standard v1.3.1

03 Jun 02:50


Solana Security Standard — now installable everywhere.

The SOL-0XX rule set (28 Solana/Anchor bug classes drawn from real audits) now runs wherever you work, all from one source of truth:

  • GitHub Action — scan every PR in CI: uses: Copenhagen0x/solana-security-guidance@v1. Uploads SARIF for inline annotations + an adoption badge.
  • CLI — npx @jelleo/solana-security-standard scan ./programs (human / JSON / SARIF output; non-zero exit gates CI).
  • VS Code extension — inline SOL-0XX squiggles as you type, in VS Code, Cursor, and Windsurf. 100% local, no telemetry.
  • Semgrep ruleset — semgrep --config, for any Semgrep pipeline.
  • Claude Code plugin — the original guidance file + patterns.

Same 17 deterministic patterns + 28 documented rules, no logic duplicated. SOL-001 is backed by two confirmed bounty wins. Built by Jelleo — the team that finds the bugs.

v1.0.1 — Honest-provenance correction

27 May 01:58


Released within hours of v1.0.0. Corrects bounty attributions for SOL-002, SOL-003, SOL-004, SOL-005 after Anatoly Yakovenko's triage of percolator-cli#78 clarified which findings translated to paid bounties.

What changed

  • SOL-001 now cites TWO bounty wins (same class, both maintainer-acknowledged via Lean theorem-prover models):
  • SOL-002 reframed: the cross-market pnl_pos_bound_tot class was publicly disclosed at percolator-prog#104 by another researcher. Not our bounty.
  • SOL-003 reframed: F1 was independently fixed in 0925ed4 before our submission was triaged. Real pattern, no paid bounty.
  • SOL-004 reframed: F2 classified as engine-side by maintainer; separate disclosure pending at aeyakovenko/percolator.
  • SOL-005 reframed: F12 classified as latent (reachable only when 14-asset cap is lifted).

Why this matters

v1.0.0's framing implicitly claimed bounty credit for findings that didn't translate to paid bounties. The bug-class rules themselves are unchanged — every one is a real Solana attack surface worth flagging — but provenance now matches what's actually paid + maintainer-confirmed. Honesty over inflated credentials.

See CHANGELOG.md for the full per-rule diff.

Install in 30 seconds

mkdir -p .claude && \
  curl -sL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.1/claude-security-guidance.md -o .claude/claude-security-guidance.md && \
  curl -sL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.1/security-patterns.yaml -o .claude/security-patterns.yaml

Maintained by Jelleo.

v1.0.0 — Initial release

26 May 23:44


First public release of the Solana ruleset for Anthropic's Claude Code security-guidance plugin.

What's in v1.0.0:

  • 20 Solana security rules in claude-security-guidance.md (model-backed review checklist, 7.4KB / 8KB cap)
  • 15 deterministic regex/substring patterns in security-patterns.yaml (per-edit check)
  • 5 paired vulnerable/fixed example snippets
  • CI workflow validating size caps, YAML parse, regex compilation
  • MIT licensed

5 headline rules drawn from real published bounty findings:

  • SOL-001 Unauthenticated now_slot — Bounty 6 H2 (percolator-prog#107, closed/fixed by Toly)
  • SOL-002 Cross-market state asymmetry — Bounty 5 primary class
  • SOL-003 Wrapper re-implements engine logic — Bounty 5 F1 (percolator-cli#78)
  • SOL-004 Penalty/health terms omitted — Bounty 5 F2 (percolator-cli#78)
  • SOL-005 Anchor realloc() without guards — Bounty 5 F12 (percolator-cli#78)

15 generic Solana hygiene rules: signer checks, owner verification, PDA validation, CPI authority, reinit attacks, lamport drains, Token Program ID confusion, integer overflow, Anchor constraints, bump validation, discriminator checks, SetAuthority verification.

Install in 30 seconds:

mkdir -p .claude && \
  curl -sL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.0/claude-security-guidance.md -o .claude/claude-security-guidance.md && \
  curl -sL https://raw.githubusercontent.com/Copenhagen0x/solana-security-guidance/v1.0.0/security-patterns.yaml -o .claude/security-patterns.yaml

Maintained by Jelleo — continuous Solana program audits.