Merged
43 changes: 0 additions & 43 deletions .github/PR_REVIEW_TEMPLATE.md

This file was deleted.

38 changes: 16 additions & 22 deletions .github/pull_request_template.md
@@ -1,32 +1,26 @@
## Overview

<!-- Provide a brief description of the changes in this PR and the motivation behind them. -->
<!-- Provide a brief description of the changes in this PR -->

## Type of Change

<!-- Mark the relevant option with an [x]. -->

- [ ] Bug Fix
- [ ] New Feature
- [ ] Documentation Update
- [ ] Refactor
- [ ] 🐛 Bug Fix
- [ ] ✨ New Feature
- [ ] 📝 Documentation Update
- [ ] ♻️ Refactor
- [ ] 🔧 Configuration/CI
- [ ] Other (please specify):

## Checklist

<!-- Verify each item before requesting a review. See .github/REVIEW_CHECKLIST.md for details. -->

- [ ] Code follows the project's style guidelines (`cargo fmt` passes)
- [ ] No Clippy warnings (`cargo clippy -- -D warnings` passes)
- [ ] Unit tests have been added or modified (`cargo test` passes)
- [ ] Documentation has been updated (`cargo doc --no-deps` passes)
- [ ] No sensitive information (keys, secrets, PII) is exposed
- [ ] Commit messages follow the conventional commit format (e.g., `feat:`, `fix:`, `chore:`)
<!-- Review the checklist before submitting. See .github/review-checklist.md for details -->
- [ ] Code follows the project's style guidelines (`cargo fmt`)
- [ ] Code passes lint checks (`cargo clippy`)
- [ ] Unit tests have been added/modified for changes
- [ ] Documentation has been updated (code comments, README, API docs)
- [ ] No sensitive information is exposed
- [ ] Commit messages follow [conventional format](https://www.conventionalcommits.org/) (`feat:`, `fix:`, `chore:`, etc.)
- [ ] For crypto changes: reviewed against [Rust Crypto Review Guidelines](.github/rust-crypto-review.md)

## Related Issues

<!-- Link any related issues here, e.g. "Closes #123" or "Relates to #456". -->
<!-- Link any related issues: Fixes #123, Closes #456 -->

## Additional Notes

<!-- Any extra context, screenshots, or information for the reviewer. -->
<!-- Any additional context, screenshots, or information for reviewers -->
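Review bot: the local checklist commands no longer match what CI enforces, so contributors will tick the boxes and still fail the workflow. The new lint item says `cargo clippy`, which passes locally with warnings present, while the CI section of `.github/review-checklist.md` runs `cargo clippy -- -D warnings`; the documentation item dropped `cargo doc --no-deps` altogether, and the sensitive-information item lost its `(keys, secrets, PII)` examples, which were the part that told a contributor what to look for. Suggest keeping the exact CI invocations in the template, e.g. `Code passes lint checks (\`cargo clippy -- -D warnings\`)` and `Documentation has been updated (\`cargo doc --no-deps\` passes)`, and restoring the parenthetical on the secrets line.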
20 changes: 17 additions & 3 deletions .github/REVIEW_CHECKLIST.md → .github/review-checklist.md
@@ -1,5 +1,7 @@
# PR Review Checklist

> **Note:** This checklist is used as a reference during both manual and automated PR reviews. Automated checks are run via GitHub Actions on every PR (see `.github/workflows/pr-review.yml`).

This document outlines the comprehensive checklist for reviewing pull requests to ensure high standards of quality across various aspects of the codebase.

## 1. Code Quality
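Review bot: the added note points at `.github/workflows/pr-review.yml`, but that workflow is not among the files changed in this PR, so please confirm it already exists on the base branch before documenting it as the thing that runs "on every PR". The same sentence is repeated almost verbatim in the new section 9 of this file; one of the two should become a one-line cross-reference so the list of enforced checks lives in a single place.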
Expand All @@ -14,7 +16,7 @@ This document outlines the comprehensive checklist for reviewing pull requests t
- [ ] All public-facing functions/modules have corresponding doc comments.

## 3. Rust Best Practices
- [ ] Use of idiomatic Rust constructs (e.g., ownership, borrowing)._
- [ ] Use of idiomatic Rust constructs (e.g., ownership, borrowing).
- [ ] Proper error handling practices.
- [ ] Avoiding unnecessary clones or references.
- [ ] Utilization of Rust's powerful type system effectively.
Expand All @@ -36,7 +38,7 @@ This document outlines the comprehensive checklist for reviewing pull requests t
- [ ] Ensure that tests can run in the CI/CD pipeline without issues.

## 7. Commit Message Standards
- [ ] Commit messages follow the conventional format (e.g., `feat:`, `fix:`, `chore:`).
- [ ] The **latest (HEAD) commit** message follows the conventional format (e.g., `feat:`, `fix:`, `chore:`). This is enforced as a hard failure by CI.
- [ ] Each commit message is clear and explains the purpose of the change.
- [ ] For multiple commits, ensure they are squashed into a single coherent commit where applicable.

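Review bot: narrowing enforcement to the HEAD commit contradicts the rest of the document. The PR template and the new section 9 both still say "Commit messages follow the conventional commit format" (plural), and item 3 of this section asks for squashing "where applicable" without saying what CI does with the non-HEAD commits it no longer checks. If the repository squash-merges, what lands on the default branch is the squash message, not HEAD, so that is what the check should validate; if it rebase-merges, every commit lands and each one should be validated. State the policy once here and make the template and section 9 match it.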
Expand All @@ -45,6 +47,18 @@ This document outlines the comprehensive checklist for reviewing pull requests t
- [ ] Package metadata is correctly filled out (name, version, author).
- [ ] Ensure compatibility settings are verified (e.g., Rust edition).

## 9. CI/CD Integration

Automated checks are run via GitHub Actions on every PR. See `.github/workflows/pr-review.yml` for the full configuration. The following checks are enforced automatically:

- [ ] `cargo fmt --check` passes (code formatting)
- [ ] `cargo clippy -- -D warnings` passes (lint checks)
- [ ] `cargo test` passes (unit tests)
- [ ] `cargo doc --no-deps` passes (documentation builds)
- [ ] `cargo audit` passes (security audit — no known vulnerabilities in dependencies)
- [ ] `cargo build --release` passes (release build succeeds)
- [ ] Commit messages follow the conventional commit format

---

_Last updated on: 2026-03-22 09:53:20 UTC_
_Last updated on: 2026-03-23_
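Review bot: the `cargo audit` bullet needs a stated policy for advisories with no fixed release and for non-vulnerability findings (unmaintained or yanked crates), otherwise a single upstream advisory blocks every unrelated PR with no documented way to land the fix. By default `cargo audit` fails only on vulnerabilities and reports unmaintained or yanked crates as warnings; say whether the workflow runs with `--deny warnings`, and name `.cargo/audit.toml` as the place where an accepted advisory is recorded under `[advisories] ignore` together with the reason and a review date. Two smaller points in the same hunk: the `- [ ]` checkboxes read as items a reviewer ticks, while the intro says they are enforced automatically, so plain bullets would be clearer; and the final bullet repeats the commit-format rule from section 7 in a broader form than the HEAD-only rule that section now states.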
12 changes: 10 additions & 2 deletions .github/RUST_CRYPTO_REVIEW.md → .github/rust-crypto-review.md
Expand Up @@ -15,13 +15,21 @@ These guidelines are designed to help contributors ensure that code related to R
3. **Unsafe Code**: Limit the use of `unsafe` blocks. Document why it is necessary if used.

## Cryptography-Specific Guidelines
1. **Use Standard Libraries**: Whenever possible, use established cryptographic libraries like `rust-crypto` or `ring` instead of implementing your own cryptographic functions.
1. **Use Standard Libraries**: Whenever possible, use established cryptographic libraries from the [RustCrypto](https://github.com/RustCrypto) crate family (e.g., `sha2`, `aes`, `ed25519-dalek`) or `ring` instead of implementing your own cryptographic functions. Avoid the unmaintained `rust-crypto` crate — use the actively-maintained `RustCrypto` ecosystem instead. The project already uses `ed25519-dalek` for digital signatures.
2. **Security Practices**: Follow best practices for cryptographic implementations:
- Use established algorithms with good security properties.
- Avoid using obsolete algorithms such as MD5 and SHA-1.
- Regularly update dependencies and apply security patches.
3. **Randomness**: Use secure random number generators provided by the `rand` crate. Avoid using `rand::random()` in security-sensitive contexts.

## Dependency Pinning

Cryptographic dependencies should be pinned to specific versions to ensure reproducible builds and avoid unexpected breakage from upstream changes.

- Pin cryptographic crate versions in `Cargo.toml` (e.g., `ed25519-dalek = "2.1.1"` rather than `ed25519-dalek = "2"`).
- Run `cargo audit` regularly to check for known vulnerabilities in dependencies. This is also enforced automatically on every PR via the GitHub Actions workflow (`.github/workflows/pr-review.yml`).
- Review and update dependency versions deliberately, especially for security-sensitive crates.

## Review Process
1. **Peer Review**: All cryptographic code must undergo peer review.
2. **Automated Tools**: Utilize automated tools like Clippy and Rustfmt for linting and formatting.
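Review bot: the pinning example does not pin. In `Cargo.toml`, `ed25519-dalek = "2.1.1"` is a caret requirement (`^2.1.1`) that resolves to any 2.x release at or above 2.1.1, so it floats across the 2.x series just like `"2"` does, only with a higher floor; an exact pin is `ed25519-dalek = "=2.1.1"`. Reproducible builds come from committing `Cargo.lock` and building with `--locked`, which this section should say instead, and exact pins in a library crate conflict with the "Regularly update dependencies and apply security patches" bullet above because they stop downstream resolution from picking up a patched release. Suggest: commit `Cargo.lock`, run `cargo build --locked` and `cargo test --locked` in CI, and reserve `=x.y.z` for cases with a documented reason. The swap from the unmaintained `rust-crypto` crate to the RustCrypto crates and `ring` is correct and also consistent with the new `cargo audit` step, which would have flagged the old recommendation.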
Expand All @@ -32,4 +40,4 @@ By adhering to these guidelines, we can maintain high standards for Rust and cry

---

_Last updated: 2026-03-22 09:58:38 (UTC)_
_Last updated: 2026-03-23_