docs: surface sub-parser trust model on the using-words-from pragma (#496)

[thedavidmeister]

Summary

• Adds an explicit `@dev` block to `LibParsePragma` covering audit assumption audit assumption — sub-parser trust (using-words-from pragma) #496.
• Sub-parsers run during parse and emit bytecode spliced into the result; `integrityCheck2` validates structural correctness only and cannot verify semantic equivalence between source text and emitted bytecode.
• Integrators must vet every sub-parser address under the same trust model as the expression itself — a hostile sub-parser is equivalent to a hostile expression.

Closes #496

Test plan

• CI passes

🤖 Generated with Claude Code

Summary by CodeRabbit

• Documentation
  • Expanded developer documentation clarifying the trust model for sub-parsers and the scope of integrity validation (stack-shape and pointer-bounds checks).

[coderabbitai]

📝 Walkthrough

Walkthrough

LibParsePragma.sol receives a detailed comment block documenting the trust model for using-words-from sub-parsers. The addition clarifies what the integrity check validates (stack-shape and pointer-bounds) versus what it does not (semantic equivalence), and establishes integrator responsibilities for vetting sub-parser addresses.

Changes

Sub-parser Trust Model Documentation

Layer / File(s)	Summary
Sub-parser trust model documentation src/lib/parse/LibParsePragma.sol	Comment block documents the trust assumptions and security boundaries of sub-parsers, including potential malicious behaviors, integrity check scope, and integrator vetting expectations for the using-words-from pragma.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

📝 A rabbit hops through pragma land,
Documenting trust so clear and grand,
"Sub-parsers need your watchful eye,"
The comment whispers way up high,
Security bounds now crystalline! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding documentation to surface the sub-parser trust model on the using-words-from pragma.
Linked Issues check	✅ Passed	The PR fulfills the key requirement from issue #496: documenting the trust model explicitly in NatSpec, clarifying that sub-parsers must be trusted and integrity checks validate structural correctness only.
Out of Scope Changes check	✅ Passed	All changes are in-scope documentation additions to LibParsePragma related to the trust model, with no unrelated modifications to parsing logic or other systems.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 2026-05-14-audit-496-subparser-doc

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/parse/LibParsePragma.sol`:
- Around line 35-53: The NatSpec doc block in LibParsePragma.sol (the
multi-paragraph comment at the top of the file describing the trust model) mixes
explicit tags with untagged /// lines, which are not treated as continuations;
revise that comment so each paragraph is explicitly tagged (for example, prepend
`@dev` to implementation/behavior paragraphs and `@custom`:security to
threat-model/security paragraphs) so every line is a valid NatSpec entry and no
untagged /// lines remain.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 498ba1ad-bb92-4741-82ba-1fb1f8692211

📥 Commits

Reviewing files that changed from the base of the PR and between ca9047a and 44a47b8.

📒 Files selected for processing (1)

• src/lib/parse/LibParsePragma.sol

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add explicit NatSpec tags to each paragraph in this doc block.

Line 35-Line 53 uses untagged /// lines after an explicit-tag block; per repo rule, those lines are not treated as continuations. Please tag each paragraph explicitly (e.g., @dev or @custom:security).

Proposed compliant rewrite

-/// Trust model: sub-parsers run under the same trust assumption as the
-/// expression author. A buggy or malicious sub-parser can:
+/// `@dev` Trust model: sub-parsers run under the same trust assumption as the
+/// expression author. A buggy or malicious sub-parser can:
 /// - emit syntactically valid bytecode that nevertheless encodes
 ///   behaviour the user did not write (e.g. wrong opcode index, swapped
 ///   inputs);
 /// - emit constants of its choosing, including ones that look like
 ///   addresses the user did not specify;
 /// - decline to parse legitimate input and revert the entire expression.
 ///
-/// The integrity check on the assembled bytecode catches stack-shape and
+/// `@dev` The integrity check on the assembled bytecode catches stack-shape and
 /// pointer-bounds violations. It does NOT verify semantic equivalence
 /// between the source text and the bytecode the sub-parser produced —
 /// that's a function of the sub-parser's correctness, not the
 /// interpreter's.
 ///
-/// Integrators MUST vet every sub-parser address they accept (or that
+/// `@dev` Integrators MUST vet every sub-parser address they accept (or that
 /// users include via the `using-words-from` pragma) under the same trust
 /// model they apply to the expression itself. An expression with a
 /// hostile sub-parser is equivalent to a hostile expression.

As per coding guidelines, “In NatSpec doc blocks containing explicit tags (e.g., @title), all entries must be explicitly tagged; untagged lines do not continue the previous tag”.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	/// Trust model: sub-parsers run under the same trust assumption as the
	/// expression author. A buggy or malicious sub-parser can:
	/// - emit syntactically valid bytecode that nevertheless encodes
	/// behaviour the user did not write (e.g. wrong opcode index, swapped
	/// inputs);
	/// - emit constants of its choosing, including ones that look like
	/// addresses the user did not specify;
	/// - decline to parse legitimate input and revert the entire expression.
	///
	/// The integrity check on the assembled bytecode catches stack-shape and
	/// pointer-bounds violations. It does NOT verify semantic equivalence
	/// between the source text and the bytecode the sub-parser produced —
	/// that's a function of the sub-parser's correctness, not the
	/// interpreter's.
	///
	/// Integrators MUST vet every sub-parser address they accept (or that
	/// users include via the `using-words-from` pragma) under the same trust
	/// model they apply to the expression itself. An expression with a
	/// hostile sub-parser is equivalent to a hostile expression.
	/// `@dev` Trust model: sub-parsers run under the same trust assumption as the
	/// expression author. A buggy or malicious sub-parser can:
	/// - emit syntactically valid bytecode that nevertheless encodes
	/// behaviour the user did not write (e.g. wrong opcode index, swapped
	/// inputs);
	/// - emit constants of its choosing, including ones that look like
	/// addresses the user did not specify;
	/// - decline to parse legitimate input and revert the entire expression.
	///
	/// `@dev` The integrity check on the assembled bytecode catches stack-shape and
	/// pointer-bounds violations. It does NOT verify semantic equivalence
	/// between the source text and the bytecode the sub-parser produced —
	/// that's a function of the sub-parser's correctness, not the
	/// interpreter's.
	///
	/// `@dev` Integrators MUST vet every sub-parser address they accept (or that
	/// users include via the `using-words-from` pragma) under the same trust
	/// model they apply to the expression itself. An expression with a
	/// hostile sub-parser is equivalent to a hostile expression.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/parse/LibParsePragma.sol` around lines 35 - 53, The NatSpec doc block
in LibParsePragma.sol (the multi-paragraph comment at the top of the file
describing the trust model) mixes explicit tags with untagged /// lines, which
are not treated as continuations; revise that comment so each paragraph is
explicitly tagged (for example, prepend `@dev` to implementation/behavior
paragraphs and `@custom`:security to threat-model/security paragraphs) so every
line is a valid NatSpec entry and no untagged /// lines remain.

[github-actions]

@coderabbitai assess this PR size classification for the totality of the PR with the following criterias and report it in your comment:

S/M/L PR Classification Guidelines:

This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)

Characteristics:

• Simple bug fixes, typos, or minor refactoring
• Single-purpose changes affecting 1-2 files
• Documentation updates
• Configuration tweaks
• Changes that require minimal context to review

Review Effort: Would have taken 5-10 minutes

Examples:

• Fix typo in variable name
• Update README with new instructions
• Adjust configuration values
• Simple one-line bug fixes
• Import statement cleanup

Medium (M)

Characteristics:

• Feature additions or enhancements
• Refactoring that touches multiple files but maintains existing behavior
• Breaking changes with backward compatibility
• Changes requiring some domain knowledge to review

Review Effort: Would have taken 15-30 minutes

Examples:

• Add new feature or component
• Refactor common utility functions
• Update dependencies with minor breaking changes
• Add new component with tests
• Performance optimizations
• More complex bug fixes

Large (L)

Characteristics:

• Major feature implementations
• Breaking changes or API redesigns
• Complex refactoring across multiple modules
• New architectural patterns or significant design changes
• Changes requiring deep context and multiple review rounds

Review Effort: Would have taken 45+ minutes

Examples:

• Complete new feature with frontend/backend changes
• Protocol upgrades or breaking changes
• Major architectural refactoring
• Framework or technology upgrades

Additional Factors to Consider

When deciding between sizes, also consider:

• Test coverage impact: More comprehensive test changes lean toward larger classification
• Risk level: Changes to critical systems bump up a size category
• Team familiarity: Novel patterns or technologies increase complexity

Notes:

• the assessment must be for the totality of the PR, that means comparing the base branch to the last commit of the PR
• the assessment output must be exactly one of: S, M or L (single-line comment) in format of: SIZE={S/M/L}
• do not include any additional text, only the size classification
• your assessment comment must not include tips or additional sections
• do NOT tag me or anyone else on your comment

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

SIZE=S