Introduction
Parity is an AI-native verification layer for Solana smart contracts. It provides composable analysis skills and APIs that enable AI agents — such as Claude Code, Cursor, OpenClaw, Cline, and OpenCode — to perform audit-level code review with full program context.
Playground
Browser IDE with build, deploy, and AI analysis — no local setup.
Agent Skills
SKILL.md modules for security audits, best practices, and optimization.
Context Engine
500+ audit patterns and framework intelligence powering every analysis.
SDK & API
TypeScript SDK and CLI for CI/CD integration and programmatic access.
Installation
The SDK and CLI are currently in development. The following shows the planned interface.
Install the Parity SDK via npm:
npm install @parity/sdkSet your API key in the environment:
# .env PARITY_KEY=your_api_key_here
Alternatively, use the CLI directly:
npx parity analyze ./programs/counter/src/lib.rs \ --framework anchor \ --skills security-audit,best-practices
Want to explore without waiting? Try the Playground — available now in your browser.
Quick Start
A minimal example of analyzing a Solana program with the planned SDK:
// Planned SDK interface — not yet published
import { Parity } from "@parity/sdk";
const client = new Parity({
apiKey: process.env.PARITY_KEY,
});
const result = await client.analyze({
program: "./programs/counter/src/lib.rs",
framework: "anchor",
skills: ["security-audit", "best-practices"],
});
console.log(result.score); // 0–100
console.log(result.findings); // Finding[]
console.log(result.summary); // human-readable summaryParse
The SDK parses Rust/Anchor source into an AST and resolves account structures, CPI calls, and PDA derivations.
Analyze
Selected skills run against the AST — matching against 500+ vulnerability signatures and best-practice patterns.
Report
Findings are returned with severity, location, explanation, and recommended fixes as structured data.
What Are Skills?
Skills are modular analysis workflows defined in SKILL.md files — an open format compatible with OpenClaw's ClawHub registry. Each skill encapsulates a focused verification task that AI agents can execute autonomously.
| Skill | Description |
|---|---|
security-audit | Permission checks, arithmetic safety, CPI verification, account constraint validation, and signer checks. |
best-practices | Anchor conventions, discriminator usage, rent exemption, error handling, and 9 Solana-specific best practices. |
gas-optimization | Compute unit reduction, account size optimization, and transaction cost analysis. |
deep-audit | Full security audit + best-practice check + optimized code generation with inline fix suggestions. |
Agent Integrations
Parity skills are accessible from any AI coding agent through standard integration points:
SKILL.md Format
Skills follow the SKILL.md specification — a YAML frontmatter header followed by natural-language instructions. This format is compatible with OpenClaw's ClawHub registry and can be composed into multi-step workflows.
---
name: security-audit
version: 1.0.0
description: Comprehensive Solana program security analysis
inputs:
- name: program
type: file
required: true
- name: framework
type: string
default: anchor
outputs:
- name: findings
type: Finding[]
- name: score
type: number
---
# Security Audit Skill
Analyze the provided Solana program for security vulnerabilities.
## Steps
1. Parse the program source and resolve all account structures
2. Check for missing signer validations on privileged instructions
3. Verify arithmetic operations use checked math or overflow protection
4. Validate CPI calls have correct program ID checks
5. Ensure PDA seeds are deterministic and not attacker-controlled
6. Check account constraints (has_one, constraint, seeds)
7. Verify close account logic drains lamports and zeros data
8. Score the program 0–100 based on finding severitySkill Chaining
Skills can be composed into pipelines. The output of one skill feeds the next:
The deep-audit skill runs this full chain automatically and produces an optimized code artifact.
Context Engine
The Context Engine is Parity's core differentiator. It provides structured knowledge that transforms general-purpose AI agents into Solana-specialized auditors. The engine operates across three layers:
Static Analysis Rules
AST-level vulnerability patterns extracted from 500+ audited Solana programs. Covers missing signer checks, unchecked arithmetic, unvalidated PDAs, insecure CPI invocations, and account data deserialization issues.
Curated Audit Knowledge
Finding-and-fix patterns extracted from public audit reports by OtterSec, Sec3, Neodyme, and other leading Solana auditors. Research shows 163 Solana audits identified 1,669 vulnerabilities — an average of 1.4 critical/high findings per audit.
Framework Intelligence
Deep understanding of Anchor macros (#[program], #[derive(Accounts)], #[account]), PDA derivation patterns, CPI safety patterns, and the Solana runtime model (rent, clock, system program).
Common Vulnerability Patterns
Patterns the Context Engine detects include:
| Pattern | Risk |
|---|---|
| Missing signer check | Critical |
| Unchecked arithmetic overflow | Critical |
| Unvalidated PDA seeds | High |
| Missing account owner check | High |
| Insecure CPI without program ID check | High |
| Account data reallocation without zeroing | Medium |
| Missing rent exemption check | Medium |
| Duplicate mutable account references | Medium |
Playground Overview
The Parity Playground is a browser-based IDE for writing, building, deploying, and analyzing Solana programs. No local toolchain required.
Editor
Rust/Anchor syntax highlighting with autocomplete
AI Analysis
One-click security and best-practice analysis
Build Pipeline
Cloud-based Anchor build with real-time output
Devnet Deploy
Deploy to Solana devnet directly from the browser
Security Reports
Detailed findings with severity, location, and fixes
Optimized Code
AI-generated optimized version of your program
Paths
The Playground offers three guided paths tailored to different experience levels. Each path walks you through a complete analysis workflow.
Beginner Path
6 steps · counter.rs · Expected score: ~92
Generates a simple counter program, walks through the code, builds it, and runs AI analysis. Ideal for understanding the Parity workflow.
Developer Path
5 steps · token_vault.rs · Expected score: ~38
Analyzes a deliberately vulnerable token vault program. Demonstrates critical finding detection, severity scoring, and AI-generated optimized code with fixes.
Explorer Path
5 steps · transfer.rs · Expected score: ~85
Quick interactive demo of Parity's analysis capabilities using a SOL transfer program. Minimal steps, maximum insight.
Analysis Results
Every analysis produces structured findings with severity levels, locations, and recommended fixes.
Severity Levels
Finding Example
A typical critical finding from a security audit:
{
severity: "critical",
title: "Missing signer check on withdraw instruction",
location: {
file: "programs/vault/src/lib.rs",
line: 47,
instruction: "withdraw"
},
description: "The withdraw instruction does not verify that the authority account has signed the transaction. Any user can drain funds from the vault by calling withdraw with an arbitrary authority.",
recommendation: "Add a Signer constraint to the authority account in the Withdraw accounts struct.",
pattern: "missing-signer-check"
}AnalysisResult Type
interface AnalysisResult {
score: number; // 0–100
findings: Finding[];
summary: string;
skills: string[]; // skills that were executed
metadata: {
framework: string;
programId?: string;
analyzedAt: string; // ISO 8601
duration: number; // ms
};
}
interface Finding {
severity: "critical" | "high" | "medium" | "info" | "pass";
title: string;
location: {
file: string;
line: number;
instruction?: string;
};
description: string;
recommendation: string;
pattern: string;
}SDK Overview
The SDK and API are under active development. Code examples below reflect the planned interface.
The Parity TypeScript SDK will provide programmatic access to all analysis capabilities. It wraps the REST API with typed methods and handles authentication, retries, and streaming.
// Planned SDK interface
import { Parity } from "@parity/sdk";
const client = new Parity({
apiKey: process.env.PARITY_KEY,
});Available Methods
| Method | Description |
|---|---|
client.analyze() | Analyze a Solana program with selected skills |
client.skills.list() | List all available analysis skills |
client.skills.get() | Get details of a specific skill |
client.context.get() | Retrieve context engine data for a program |
API Reference
All API signatures below are planned and subject to change before release.
client.analyze()
Analyze a Solana program with one or more skills.
| Parameter | Type | Required | Description |
|---|---|---|---|
program | string | Yes | Path to Rust source file or program ID |
framework | string | No | Framework hint — "anchor" | "native". Default: auto-detect |
skills | string[] | No | Skills to execute. Default: ["security-audit"] |
output | string | No | "json" | "markdown" | "sarif". Default: "json" |
const result = await client.analyze({
program: "./programs/vault/src/lib.rs",
framework: "anchor",
skills: ["security-audit", "best-practices"],
output: "json",
});
// result.score → 38
// result.findings → Finding[]
// result.summary → "Found 3 critical and 2 high severity issues..."client.skills.list()
Returns all available skills with their metadata.
const skills = await client.skills.list();
// skills → [
// { name: "security-audit", version: "1.0.0", ... },
// { name: "best-practices", version: "1.0.0", ... },
// { name: "gas-optimization", version: "1.0.0", ... },
// { name: "deep-audit", version: "1.0.0", ... },
// ]client.skills.get()
Get the full SKILL.md definition for a specific skill.
const skill = await client.skills.get("security-audit");
// skill.name → "security-audit"
// skill.version → "1.0.0"
// skill.inputs → [{ name: "program", type: "file", required: true }]
// skill.outputs → [{ name: "findings", type: "Finding[]" }]client.context.get()
Retrieve context engine data for a specific program or pattern.
const ctx = await client.context.get({
pattern: "missing-signer-check",
framework: "anchor",
});
// ctx.rules → StaticRule[]
// ctx.auditFindings → AuditFinding[]
// ctx.frameworkPatterns → FrameworkPattern[]CI/CD Integration
CI/CD tooling will be available alongside the SDK release. Examples below show the planned workflow.
Integrate Parity into your CI/CD pipeline to catch vulnerabilities before they reach production.
GitHub Actions
name: Parity Analysis
on: [push, pull_request]
jobs:
analyze:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install Parity CLI
run: npm install -g @parity/sdk
- name: Run Analysis
env:
PARITY_KEY: ${{ secrets.PARITY_KEY }}
run: |
parity analyze ./programs/*/src/lib.rs \
--framework anchor \
--skills security-audit,best-practices \
--min-score 70 \
--fail-on critical,high \
--output sarif > results.sarif
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarifProgrammatic CI Script
import { Parity } from "@parity/sdk";
const client = new Parity({ apiKey: process.env.PARITY_KEY });
const result = await client.analyze({
program: "./programs/vault/src/lib.rs",
framework: "anchor",
skills: ["security-audit", "best-practices"],
});
if (result.score < 70) {
console.error(`Score ${result.score} below threshold 70`);
process.exit(1);
}
const criticals = result.findings.filter(
(f) => f.severity === "critical"
);
if (criticals.length > 0) {
console.error(`Found ${criticals.length} critical findings`);
process.exit(1);
}
console.log("Analysis passed:", result.summary);CLI Options
| Flag | Description | Default |
|---|---|---|
--framework | Framework hint (anchor | native) | auto-detect |
--skills | Comma-separated skill names | security-audit |
--min-score | Minimum passing score (0–100) | 0 |
--fail-on | Fail on severity levels | none |
--output | Output format (json | markdown | sarif) | json |