
Document Slither baseline #7 (Merged)

punk6529 merged 1 commit into main from codex/slither-baseline on Jun 10, 2026

Conversation

@punk6529 punk6529 commented Jun 10, 2026


Summary

  • add a minimal slither.config.json and route make slither through it without suppressing detectors
  • add ops/SLITHER_BASELINE.md with the current high/medium Slither baseline and triage status
  • link the baseline from README, tooling docs, known blockers, and the roadmap
  • update the autonomous run state so Queue Item 5 is the active PR

Important Notes

  • This PR does not change Solidity contracts or tests.
  • Slither is intentionally still non-gating. It currently exits non-zero because real findings exist.
  • The config only filters generated artifact paths; no detector suppressions are added.

Validation

  • slither . --config-file slither.config.json --foundry-compile-all --json <temp-file> produced JSON success with 530 total findings: 13 High, 26 Medium, 51 Low, 434 Informational, and 6 Optimization. The command exited -1 as expected because findings exist.
  • python -m json.tool slither.config.json
  • make -n slither
  • git check-ignore -v slither-baseline.json slither-report.json slither-results.json slither.db.json export.sarif export.sarif.sarifexplorer
  • rg -n "^#|^##|^###" docs/slither.md ops/SLITHER_BASELINE.md ops/ROADMAP.md
  • make check passed with 17 tests and the known existing warnings.
  • powershell -ExecutionPolicy Bypass -File scripts\check.ps1 passed with 17 tests and the known existing warnings.
  • git diff --cached --check

Summary by CodeRabbit

  • Documentation

    • Added comprehensive Slither baseline and tooling guides, expanded verification/roadmap and known-blockers guidance, and linked operational/security docs from the README.
    • Recorded operational run and decision-log updates related to the Slither baseline work.
  • Chores

    • Added a dedicated static-analysis configuration and updated the build target to use it.
    • Ignored static-analysis report artifacts and normalized JSON line endings.

coderabbitai Bot commented Jun 10, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 870d46c0-9967-4696-bf7c-542127dc2135

📥 Commits

Reviewing files that changed from the base of the PR and between 868f9d8 and a0fa95b.

📒 Files selected for processing (11)
  • .gitattributes
  • .gitignore
  • Makefile
  • README.md
  • docs/known-blockers.md
  • docs/slither.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
  • ops/ROADMAP.md
  • ops/SLITHER_BASELINE.md
  • slither.config.json
✅ Files skipped from review due to trivial changes (6)
  • .gitignore
  • docs/slither.md
  • slither.config.json
  • ops/SLITHER_BASELINE.md
  • docs/tooling.md
  • ops/AUTONOMOUS_RUN.md
🚧 Files skipped from review as they are similar to previous changes (5)
  • docs/known-blockers.md
  • Makefile
  • .gitattributes
  • README.md
  • ops/ROADMAP.md

Walkthrough

This PR configures Slither (path filters + Makefile target), enforces JSON LF endings, ignores Slither outputs in git, adds a tracked Slither baseline with triage rules, provides workflow/docs for running and maintaining the baseline, and updates project state and roadmap entries to reference the baseline.

Changes

Slither Baseline Setup

| Layer | File(s) | Summary |
|---|---|---|
| Slither Configuration and Build Integration | slither.config.json, Makefile, .gitattributes, .gitignore | Adds slither.config.json with path filters; updates make slither to pass --config-file slither.config.json; forces *.json to LF in .gitattributes; ignores Slither JSON/SARIF artifacts in .gitignore. |
| Workflow and Tooling Documentation | docs/slither.md, docs/tooling.md, README.md, docs/known-blockers.md | Adds docs/slither.md with run/bootstrap/refresh guidance; documents make slither in docs/tooling.md; updates README tooling/Important Docs list; expands known-blockers to reference the tracked baseline. |
| Baseline Findings and Triage Rules | ops/SLITHER_BASELINE.md | Adds a captured baseline document with tool metadata, aggregate counts, a High/Medium findings table, triage status semantics, and rules for fix order, regression tests, and CI-gate conversion. |
| Project State and Roadmap Updates | ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md | Advances autonomous-run state and PR worklogs for the baseline work, appends decision-log entries, pins Slither/version evidence locations in roadmap, expands Appendix A capture spec and acceptance criteria, and adds related test-matrix linkage. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • 6529-Collections/6529Stream#3: Modifies the same operational control documents (ops/AUTONOMOUS_RUN.md, ops/ROADMAP.md) and overlaps with this PR’s roadmap/autonomous-run updates.
  • 6529-Collections/6529Stream#4: Alters Makefile/tooling baseline and touches Slither-related targets; related to this PR’s Makefile and tooling docs changes.

Poem

🐰 I hopped through configs, docs, and log,

Slither paths now clean the fog,
Baseline rows in tidy view,
Makefile knows what to do,
JSONs line-fed, reports tucked snug.

🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Document Slither baseline' accurately and concisely describes the main objective of the PR: adding Slither baseline documentation and configuration (ops/SLITHER_BASELINE.md, docs/slither.md, slither.config.json, and related updates). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |



punk6529 force-pushed the codex/slither-baseline branch from 29f9e19 to 868f9d8 on June 10, 2026 01:32

punk6529 (Contributor, Author) commented

@claude please review this Slither baseline PR. Focus on whether the baseline is honest and reproducible, whether Slither remains correctly non-gating, and whether the high/medium rows are issue-ready enough for follow-up triage.

@coderabbitai review

coderabbitai Bot commented Jun 10, 2026

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -e

# Get PR details and file list
gh pr view 7 --repo 6529-Collections/6529Stream

echo "=== PR FILES ==="
gh pr diff 7 --repo 6529-Collections/6529Stream --name-only

Length of output: 2083


🏁 Script executed:

#!/bin/bash
# Read key files introduced/modified in the PR
echo "=== slither.config.json ==="
cat slither.config.json 2>/dev/null || echo "NOT FOUND"

echo ""
echo "=== ops/SLITHER_BASELINE.md ==="
cat ops/SLITHER_BASELINE.md 2>/dev/null || echo "NOT FOUND"

echo ""
echo "=== docs/slither.md ==="
cat docs/slither.md 2>/dev/null || echo "NOT FOUND"

echo ""
echo "=== Makefile slither target ==="
grep -A 20 "slither" Makefile 2>/dev/null || echo "NOT FOUND"

echo ""
echo "=== ops/ROADMAP.md ==="
cat ops/ROADMAP.md 2>/dev/null || echo "NOT FOUND"

echo ""
echo "=== README relevant sections ==="
grep -n -A 5 -B 2 -i "slither\|baseline\|known.block" README.md 2>/dev/null || echo "NOT FOUND"

echo ""
echo "=== .gitignore relevant lines ==="
grep -i "slither\|sarif\|export" .gitignore 2>/dev/null || echo "NOT FOUND"

Length of output: 79358



@punk6529 — here is the review across the three focal areas.


Overall verdict

The PR is honest, internally consistent, and structurally sound. The baseline table is good enough to open issues from. Three items below are worth addressing before or alongside the follow-up triage issues.


1. Honest and reproducible?

Passes on honesty. Every first-party production finding is Open. Nothing has been prematurely accepted. The header explicitly says "triage input, not an accepted security baseline." The five Accepted rows (one locked-ether, four unused-return, one uninitialized-local in mocks) all carry concrete rationale and are correctly scoped to test-only code. The count breakdown matches the PR description (530 total, 13 High, 26 Medium).

Minor reproducibility gap — solc-select activation.
slither.config.json contains only filter_paths; there is no solc key. That means whoever regenerates the baseline must have already run solc-select use 0.8.19 in their shell before invoking make slither. docs/slither.md documents the version but does not tell the reader to activate it. A stale or wrong compiler will silently produce different findings counts.

Suggested addition to the "Local Run" section of docs/slither.md:

# Activate the pinned compiler before running
solc-select use 0.8.19
make slither

Or add "solc": "0.8.19" to slither.config.json so the config is self-contained (Slither 0.11 respects this key).


2. Slither correctly non-gating?

Yes. The Makefile is clean:

check: build test          # slither is NOT here

slither:
    slither . --config-file slither.config.json --foundry-compile-all

No || true, no exit-code suppression, no --no-fail-pedantic. Slither will exit non-zero when findings exist, and CI won't invoke that target as part of its gate. The roadmap ties the CI gate to Gate C (after high/medium findings are fixed, accepted, or documented as false positives). All of this is consistent.

One forward note worth tracking: until the gate is active, a future PR that introduces a new high/medium finding will not be caught automatically. That is documented as the current accepted state in Gate C exit criteria, so it is not a defect in this PR — just something to re-examine when Gate C work begins.


3. Are the high/medium rows issue-ready?

Structurally yes; two content gaps need attention.

What works well

  • Every row has the columns needed to open an issue: detector, contract, function, source kind, file + line range, resolution sketch, required test, P0 slug (where applicable), gate.
  • The source-kind column (first-party / vendored / test-only) is particularly useful for prioritisation.
  • Accepted test-only rows are cleanly separated and won't pollute the first-party issue queue.

Gap 1 — Vendored library rows look like Open production bugs but are almost certainly false positives

The incorrect-exp row on Math.mulDiv (High / Medium confidence) and the 8 divide-before-multiply rows also on Math.mulDiv plus the 1 on Base64.encode (Medium / Medium confidence) are almost certainly Slither false positives against the standard OpenZeppelin mulDiv implementation. Slither's incorrect-exp detector fires on **-style exponentiation patterns and can misfire on bitshift/mul sequences; divide-before-multiply fires on a structural pattern that mulDiv intentionally uses to avoid overflow.

Leaving these as Open without comment will cause a triage engineer to open issues against vendored code that likely needs no fix. Suggested fix — add a "Likely false positive; requires proof" note in the Resolution column and bump them to a separate provenance-review row, or change Status to Needs Issue with the issue scoped to "confirm FP or replace with pinned upstream" rather than treating them as real bugs:

| `incorrect-exp` | 1 | `Math` | `mulDiv(...)` | vendored |
  ...| Open → **Needs Issue** | Confirm FP or replace with pinned upstream OZ copy;
     high probability this is a Slither false positive on mulDiv bit-shift sequence |

Gap 2 — encode-packed-collision in StreamCore.retrieveDependencyScript has no P0 slug

The two encode-packed-collision rows in StreamDrops (both auth-related) already carry P0-AUTH-002 / TBD. The third row — StreamCore.retrieveDependencyScript — has only TBD. Since it fires on a dependency script hash and is High / High confidence, it should get its own slug (e.g., P0-CORE-001 or be rolled into a new P0-AUTH-002C child) so the follow-up issue can be tracked.

Minor: all owners are TBD

This is acceptable for a baseline drop, but none of the rows will move without an owner assignment. A follow-up step after this PR merges should be to assign at minimum the High findings to someone before Gate C begins.


Summary table

| Area | Result | Action needed |
|---|---|---|
| Honesty | | None |
| Reproducibility | ⚠️ Minor | Document solc-select use 0.8.19 or add "solc" key to config |
| Non-gating | | None |
| High/medium row quality | ⚠️ Two gaps | (1) Mark vendored Math/Base64 rows as likely FP; (2) assign P0 slug to StreamCore.retrieveDependencyScript encode-packed row |
| Issue-readiness | ✅ Structurally | Open the actual GitHub issues post-merge |

The two content gaps are small enough that this can merge and the fixes folded into the first triage issue wave, but they are worth noting before someone opens 9 issues against Math.sol.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
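Point 2 of the review above notes that, while make slither stays non-gating, a new high/medium finding is only visible by comparing a fresh run with the documented counts. As an added example (not code from the PR, the repository or CodeRabbit), the script below reads a Slither --json report, compares its per-impact counts with the baseline numbers stated in the PR description (530 total; 13/26/51/434/6), and lists the High/Medium findings that would need matching against the baseline table; the JSON shape under results.detectors and the check/impact/description key names are assumptions about Slither's output format.

```python
"""Compare a Slither JSON report against the documented baseline counts.

Added example, not part of the PR or the repository. Assumption: Slither's
--json file has the shape {"success": ..., "results": {"detectors": [...]}},
and each detector result carries "check", "impact" and "description" keys.
"""
import json
import sys
from collections import Counter

# Baseline counts as stated in the PR description (530 total findings).
BASELINE = {"High": 13, "Medium": 26, "Low": 51,
            "Informational": 434, "Optimization": 6}
# Impact levels the roadmap's Gate C would eventually gate on.
GATED_IMPACTS = ("High", "Medium")


def _detectors(report):
    """Return the list of detector results, tolerating a missing section."""
    return report.get("results", {}).get("detectors", []) or []


def count_by_impact(report):
    """Return a Counter of findings per impact level from a parsed report."""
    return Counter(d.get("impact", "Unknown") for d in _detectors(report))


def compare_to_baseline(report, baseline=BASELINE, gated=GATED_IMPACTS):
    """Return (regressed, deltas).

    deltas maps each impact level to (current count - baseline count);
    regressed is True when any gated level exceeds its baseline, which is
    the condition a future CI gate would fail on.
    """
    counts = count_by_impact(report)
    deltas = {impact: counts.get(impact, 0) - baseline.get(impact, 0)
              for impact in set(counts) | set(baseline)}
    regressed = any(deltas[impact] > 0 for impact in gated)
    return regressed, deltas


def gated_findings(report, gated=GATED_IMPACTS):
    """List (impact, check, description) for every High/Medium finding, i.e.
    the rows that must be matched against the baseline table before a gate
    is switched on."""
    return [(d.get("impact"), d.get("check"), d.get("description", "").strip())
            for d in _detectors(report) if d.get("impact") in gated]


# Constructed sample report with two findings; not real Slither output.
SAMPLE_REPORT = {
    "success": True,
    "error": None,
    "results": {"detectors": [
        {"check": "arbitrary-send-eth", "impact": "High", "confidence": "Medium",
         "description": "constructed sample finding 1"},
        {"check": "divide-before-multiply", "impact": "Medium", "confidence": "Medium",
         "description": "constructed sample finding 2"},
    ]},
}

if __name__ == "__main__":
    # Usage: python slither_baseline_check.py <slither-output.json>
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    regressed, deltas = compare_to_baseline(report)
    for impact, delta in sorted(deltas.items()):
        print(f"{impact:14} {delta:+d} vs baseline")
    for impact, check, desc in gated_findings(report):
        print(f"[{impact}] {check}: {desc}")
    # Report only; exit 0 so the check stays non-gating like `make slither`.
    print("regression against baseline" if regressed else "within baseline")
```

Pass the file written by slither ... --json <path> as the first argument; without an argument the constructed sample is used.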

punk6529 force-pushed the codex/slither-baseline branch from 868f9d8 to a0fa95b on June 10, 2026 01:38

punk6529 (Contributor, Author) commented

Addressed the review follow-up on the new head a0fa95b:

  • documented explicit solc-select use 0.8.19 activation before Slither refreshes
  • changed vendored Math/Base64 rows to Needs Issue with likely-false-positive/provenance wording and P0-LIB-001
  • assigned P0-META-001 to the StreamCore.retrieveDependencyScript packed-encoding row and added a test-matrix row
  • reran python -m json.tool slither.config.json, targeted rg checks, heading scan, git diff --check, and make check

@claude please review the refreshed head when available.

punk6529 merged commit 3201bd1 into main on Jun 10, 2026 (3 checks passed)

claude Bot left a comment


Docs/config-only PR; slither.config.json only filters generated artifact paths and make slither stays non-gating, so the surface here is documentation triage.

Extended reasoning...

Overview

This PR is entirely documentation and tooling configuration: a new ops/SLITHER_BASELINE.md triage table, a new docs/slither.md workflow doc, link updates in README/known-blockers/tooling, roadmap appendix updates, autonomous-run state advancement, a new minimal slither.config.json (only filter_paths for out|cache|broadcast), a Makefile change that just adds --config-file slither.config.json to the existing slither target, .gitignore entries for Slither output artifacts, and a .gitattributes LF pin for JSON. No Solidity sources, tests, or CI gating logic change.

Security risks

None meaningful. The config file adds no detector suppressions — only path filters scoped to generated build artifacts. The Slither target remains explicitly non-gating (not in make check), so a future regression in static-analysis output cannot mask itself as a passing build. No auth, crypto, signing, or fund-handling code is touched.

Level of scrutiny

Low. This is the kind of triage/doc change where the cost of a wrong claim is a stale ticket reference, not a protocol bug. The author already absorbed a full CodeRabbit review pass on the previous head (compiler activation, vendored-library FP labeling, P0-META-001 assignment) and validated with make check, scripts/check.ps1, JSON parse, and git diff --check.

Other factors

The one finding surfaced by the bug hunt is a ticket-reference labeling nit on the four arbitrary-send-eth baseline rows (cite P0-PAY-008 (tests) where they should cite P0-PAY-007 (impl)). It is inline-commented and worth a follow-up edit, but it does not change any code, gate, or security posture — the Resolution and Required-test columns already correctly describe the work, and both tickets are TBD placeholders. The roadmap, README, known-blockers, and tooling docs cross-references are consistent, the impact counts in ops/SLITHER_BASELINE.md match the roadmap appendix and PR description (530/13/26/51/434/6), and the ops/AUTONOMOUS_RUN.md worklog/decision-log entries are aligned with the actual PR scope.

Comment thread ops/SLITHER_BASELINE.md
Comment on lines +49 to +52
| Optimization findings | Optimization | 6 |

## Status Semantics


🟡 All four arbitrary-send-eth rows in ops/SLITHER_BASELINE.md cite P0-PAY-008 (the tests ticket: "Add payment invariants and forced-ETH tests") in the Issue column, but their Resolution "Replace emergency payout push with bounded owed/surplus accounting" describes implementation work which maps to P0-PAY-007 ("Bound emergency withdrawals by surplus"). A triage engineer opening the cited ticket would land on the tests ticket instead of the fix ticket; the Required-test column already correctly references P0-PAY-008. Change the Issue cell to P0-PAY-007 on all four rows (StreamAuctions, NextGenRandomizerRNG, StreamCuratorsPool, StreamMinter emergencyWithdraw).

Extended reasoning...

What is wrong

All four arbitrary-send-eth rows in the new high/medium baseline table at ops/SLITHER_BASELINE.md L49-L52 share the same Issue cell, P0-PAY-008 / TBD. Their Resolution column reads verbatim:

Replace emergency payout push with bounded owed/surplus accounting

and their Required-test column reads:

Payment invariant and emergency withdrawal tests

Why this is a labeling mistake

The P0-PAY-001 epic in ops/ROADMAP.md lines 786-792 breaks into child tickets:

  • P0-PAY-007: Bound emergency withdrawals by surplus — implementation work.
  • P0-PAY-008: Add payment invariants and forced-ETH tests — testing work.

So the Resolution wording ("Replace … with bounded owed/surplus accounting") matches PAY-007 word-for-word, while the Required-test wording ("Payment invariant and emergency withdrawal tests") matches PAY-008 word-for-word. The Issue column should be referencing the implementation ticket (PAY-007), but instead reuses PAY-008, which is what the Required-test column already correctly points at. Note that ops/ROADMAP.md L1659 separately uses PAY-008 for the Forced-ETH accounting test matrix row, confirming PAY-008 is the tests slot in the ticket map.

Concrete trace

  1. Open ops/SLITHER_BASELINE.md.
  2. Read the row for StreamAuctions.emergencyWithdraw() (L49): Issue = P0-PAY-008 / TBD, Resolution mentions "bounded owed/surplus accounting", Required test mentions "Payment invariant and emergency withdrawal tests".
  3. A triage engineer clicks / opens the issue for P0-PAY-008 per the row's Issue cell.
  4. They land in ops/ROADMAP.md L792, which describes a tests ticket, not the implementation work the Resolution they were just reading describes.
  5. The implementation work that should be tracked (PAY-007, L791) gets no Issue reference from any of the four arbitrary-send-eth rows.

Impact

Functional impact is low because both tickets are TBD-marked placeholders under the same epic and no real GitHub issues exist yet — no code-time consequence. But the table is explicitly described as "triage input" (ops/SLITHER_BASELINE.md L3-L4) and the file's own triage rules state "Every Open row is blocking triage until it has a GitHub issue link". When those issues are opened from the baseline, four high-severity rows would cross-reference the tests ticket instead of the implementation ticket whose work the Resolution describes — which means either the wrong tickets get opened, or one ticket ends up overloaded with both responsibilities while PAY-007 stays unused.

Fix

In ops/SLITHER_BASELINE.md L49-L52, change the Issue cell of each of the four arbitrary-send-eth rows from P0-PAY-008 / TBD to P0-PAY-007 / TBD. The Required-test column already correctly cites the PAY-008 scope and does not change.
