AI Audit Predeploy

AI Audit is a predeploy gate for TREA contracts. It combines deterministic compiler facts with an optional LLM explanation, then binds the report to the published artifact.

The content below comes from the repository's technical sources and is prerendered on the site for direct reading by people, crawlers, and agents.

The LLM does not decide protocol truth. It receives facts derived from the contract and translates them into wallet/explorer language. Invalid provider responses are rejected.

Static Facts

The deterministic analyzer extracts ContractFacts from AST, IR, ABI, and the compiled artifact:

  • contract name and entrypoints;
  • storage fields and type descriptors;
  • balance effects and posting effects;
  • KYC queries;
  • cross-contract references;
  • @describe text;
  • compiler and artifact hashes.

These facts feed the risk classifier and remain auditable even when no LLM provider is configured.

Risk Flags

Risk flags describe observable contract behavior. Examples:

| Flag | Meaning |
|------|---------|
| monetary_effects_present | Contract can move or post monetary effects |
| creates_debt | Contract can create debt-like positions |
| admin_can_mint | Privileged path can mint or issue value |
| spends_from_owner | Contract can spend from an owner/delegated path |
| factory_template | Contract approves and binds on-demand children |
| child_of_template | Contract carries lineage to a parent template |
| author_description_mismatch | @describe conflicts with verified effects |

High-risk findings can block deploy depending on tier/policy. Medium-risk contracts are explainable but require careful wallet presentation.

CLI Flow

Use --audit on deploy:

```bash
trea deploy vault-brl --audit basic
trea deploy credit-card-brl --audit pro
```

The CLI:

  1. compiles the contract;
  2. runs deterministic predeploy audit;
  3. optionally requests an external AI review;
  4. prints the report;
  5. quotes and pays/reserves the audit fee;
  6. publishes the artifact with audit metadata.

Audit metadata bound to the artifact includes:

```text
audit_report_id
audit_report_hash
audit_fee_quote_id
audit_tier
```

API Surface

Nodes expose the same predeploy capabilities:

| Endpoint | Purpose |
|----------|---------|
| POST /api/contracts/predeploy-audit | Audit a source/artifact before deploy |
| POST /api/contracts/audit-diff | Compare two audit reports and mark whether re-audit is required |
| POST /api/contracts/{id}/explain-transaction | Simulate a call and produce wallet-facing explanation |
| GET /api/contracts/artifacts/{id} | Returns audit badge and audit metadata |

Explorer badges should treat an artifact without bound audit metadata as unaudited. Wallets should rely on simulated effects plus audit facts rather than author text alone.
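
One way an explorer could apply the unaudited-by-default rule, as an added example that is not TREA code. Only the four metadata field names come from this page; the `audit` key, the report layout, and SHA-256 over canonical JSON as the report hash are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Metadata fields this page lists as bound to the artifact.
REQUIRED_FIELDS = ("audit_report_id", "audit_report_hash",
                   "audit_fee_quote_id", "audit_tier")


def report_digest(report: dict) -> str:
    """ASSUMPTION: report hash is SHA-256 over canonical JSON (sorted keys)."""
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def audit_badge(artifact: dict, report: Optional[dict]) -> str:
    """Return 'audited', 'unaudited' or 'mismatch' for an artifact record."""
    meta = artifact.get("audit")  # ASSUMPTION: metadata sits under "audit"
    if not isinstance(meta, dict):
        return "unaudited"
    # A partial binding is treated as no binding at all.
    if any(not isinstance(meta.get(f), str) or not meta[f] for f in REQUIRED_FIELDS):
        return "unaudited"
    if report is None:
        return "unaudited"  # nothing to check the bound hash against
    # The report must be the one the artifact names (hypothetical report field).
    if report.get("audit_report_id") != meta["audit_report_id"]:
        return "mismatch"
    # Recompute the hash instead of trusting the stored value.
    expected = report_digest(report).encode()
    if not hmac.compare_digest(expected, meta["audit_report_hash"].lower().encode()):
        return "mismatch"
    return "audited"


# Constructed sample data, not real TREA output.
SAMPLE_REPORT = {"audit_report_id": "rep-001", "tier": "basic",
                 "flags": ["monetary_effects_present"]}
SAMPLE_ARTIFACT = {"id": "art-001", "audit": {
    "audit_report_id": "rep-001",
    "audit_report_hash": report_digest(SAMPLE_REPORT),
    "audit_fee_quote_id": "quote-001",
    "audit_tier": "basic",
}}

if __name__ == "__main__":
    print(audit_badge(SAMPLE_ARTIFACT, SAMPLE_REPORT))
```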