Background
The security team flagged that the current docs/guides/security/ section contains AI-generated rewrites that diverge from the carefully reviewed portal best practices. At least one correctness bug was identified in inter-canister-calls.md (a refund after a bounded_wait error where the transfer could still have gone through, causing a double spend). The security best practices represent significant work and review effort — "almost right" is not acceptable for security content.
What happened
The portal had 13 focused best-practices files in a strict Security concern / Recommendation format. Those were replaced with 6 rewritten files in a tutorial style. Additionally, 2 prerequisite reference pages were never ported.
Scope of this issue
Replace rewritten content with portal source (1:1 port, keep existing file names)
| Current file |
Portal source |
Action |
guides/security/access-management.mdx |
building-apps/security/iam.mdx |
Replace content |
guides/security/inter-canister-calls.md |
building-apps/security/inter-canister-calls.mdx |
Replace content (contains correctness bug) |
guides/security/data-integrity.md |
building-apps/security/data-integrity-and-authenticity.mdx |
Replace content |
guides/security/canister-upgrades.md |
building-apps/security/canister-upgrades.mdx |
Replace content |
guides/security/dos-prevention.md |
building-apps/security/dos.mdx |
Replace content |
Add missing topic files
| File to create |
Portal source |
guides/security/overview.md |
building-apps/security/overview.mdx |
guides/security/data-storage.md |
building-apps/security/data-storage.mdx |
guides/security/decentralization.md |
building-apps/security/decentralization.mdx |
guides/security/formal-verification.md |
building-apps/security/formal-verification.mdx |
guides/security/https-outcalls.md |
building-apps/security/https-outcalls.mdx |
guides/security/misc.md |
building-apps/security/misc.mdx |
guides/security/observability.md |
building-apps/security/observability-and-monitoring.mdx |
guides/security/resources.md |
building-apps/security/resources.mdx |
Add missing prerequisite reference pages
| File to create |
Portal source |
Rationale |
references/message-execution-properties.md |
references/message-execution-properties.mdx |
Pure reference: the IC's 5 message execution properties. Prerequisites reading for the inter-canister-calls security page. |
guides/canister-calls/idempotency.md |
building-apps/best-practices/idempotency.mdx |
Calling pattern (retry safety for bounded-wait calls and ingress messages), not a security rule. Lives next to inter-canister-calls.mdx and calling-from-clients.md. Cross-linked from guides/security/inter-canister-calls.md. |
Out of scope for this issue (separate follow-ups)
guides/security/encryption.mdx — new content covering vetKeys, not in portal. Keep as-is, flag for security team review.concepts/security.md — new architectural overview page, not in portal. Keep as-is, flag for security team review.- JS SDK references (
@dfinity/agent) — leave as-is in this PR; a separate issue will cover SDK modernization.
Adaptation rules
Only mechanical changes are allowed in this port — no content judgment:
- Remove Docusaurus MDX component imports (
MarkdownChipRow, AdornedTabs, etc.)
- Convert
mo:base imports to mo:core equivalents per project rules
- Fix internal links to match current site structure
- Add Astro/Starlight frontmatter (
title, description)
- No rewriting, summarizing, or restructuring of security guidance
Acceptance criteria
Background
The security team flagged that the current
docs/guides/security/section contains AI-generated rewrites that diverge from the carefully reviewed portal best practices. At least one correctness bug was identified ininter-canister-calls.md(a refund after abounded_waiterror where the transfer could still have gone through, causing a double spend). The security best practices represent significant work and review effort — "almost right" is not acceptable for security content.What happened
The portal had 13 focused best-practices files in a strict Security concern / Recommendation format. Those were replaced with 6 rewritten files in a tutorial style. Additionally, 2 prerequisite reference pages were never ported.
Scope of this issue
Replace rewritten content with portal source (1:1 port, keep existing file names)
guides/security/access-management.mdxbuilding-apps/security/iam.mdxguides/security/inter-canister-calls.mdbuilding-apps/security/inter-canister-calls.mdxguides/security/data-integrity.mdbuilding-apps/security/data-integrity-and-authenticity.mdxguides/security/canister-upgrades.mdbuilding-apps/security/canister-upgrades.mdxguides/security/dos-prevention.mdbuilding-apps/security/dos.mdxAdd missing topic files
guides/security/overview.mdbuilding-apps/security/overview.mdxguides/security/data-storage.mdbuilding-apps/security/data-storage.mdxguides/security/decentralization.mdbuilding-apps/security/decentralization.mdxguides/security/formal-verification.mdbuilding-apps/security/formal-verification.mdxguides/security/https-outcalls.mdbuilding-apps/security/https-outcalls.mdxguides/security/misc.mdbuilding-apps/security/misc.mdxguides/security/observability.mdbuilding-apps/security/observability-and-monitoring.mdxguides/security/resources.mdbuilding-apps/security/resources.mdxAdd missing prerequisite reference pages
references/message-execution-properties.mdreferences/message-execution-properties.mdxguides/canister-calls/idempotency.mdbuilding-apps/best-practices/idempotency.mdxinter-canister-calls.mdxandcalling-from-clients.md. Cross-linked fromguides/security/inter-canister-calls.md.Out of scope for this issue (separate follow-ups)
guides/security/encryption.mdx— new content covering vetKeys, not in portal. Keep as-is, flag for security team review.concepts/security.md— new architectural overview page, not in portal. Keep as-is, flag for security team review.@dfinity/agent) — leave as-is in this PR; a separate issue will cover SDK modernization.Adaptation rules
Only mechanical changes are allowed in this port — no content judgment:
MarkdownChipRow,AdornedTabs, etc.)mo:baseimports tomo:coreequivalents per project rulestitle,description)Acceptance criteria
references/message-execution-properties.mdaddedguides/canister-calls/idempotency.mdadded, cross-linked fromguides/security/inter-canister-calls.mdnpm run buildpasses