Advanced Usage

Security & Performance Best Practices

Implement secure coding standards, schedule regular AI-driven audits, profile and benchmark performance, scale agents intelligently, and centralize logs and metrics to maintain robust, efficient CODI workflows.


Written By: Harry Osborn

Last Updated on June 5, 2025

Introduction

In on-chain development, security and performance are paramount. This page outlines best practices for writing secure Anchor code, automating audit schedules, profiling test/build pipelines, scaling CODI agents, and consolidating observability with logs and metrics.


1. Secure Coding Standards in Anchor

  • Avoid Common Pitfalls: Use checked arithmetic (checked_add/checked_sub with the error propagated via ?, or overflow-checks = true in the Cargo.toml release profile) so an overflow fails the instruction instead of wrapping; validate every account explicitly; and enforce authority checks with require! (prefer it over assert!, which panics rather than returning a program error the client can interpret).

  • Use #[derive(Accounts)] Wisely: Declare only the accounts an instruction needs, and pin each one with the right constraints (has_one for authority links, seeds and bump for PDAs, owner and mut where they apply) so the framework, not hand-written code, rejects a substituted account.

  • Program-Controlled State Addresses: Keep program state in PDAs (Program Derived Addresses) derived from seeds the program chooses, rather than in caller-supplied global accounts, so an attacker cannot point an instruction at an account of their own making.

  • Examples:

    
    
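The pattern behind the three points above, as an added example in plain Rust rather than code from the CODI docs or the Anchor framework: it has no anchor_lang dependency, so Pubkey, Vault, VaultError and the require! macro are stand-ins for their Anchor counterparts, and wrapping_sub in the vulnerable version stands in for what plain subtraction does in a release build without overflow-checks. The vulnerable withdraw sits beside the hardened one so the two failure modes (missing authority check, unchecked arithmetic) can be run side by side.

```rust
// Added example in plain Rust (no anchor_lang dependency). Pubkey, Vault,
// VaultError and the require! macro below are stand-ins for the Anchor types.

/// Stand-in for solana_program::pubkey::Pubkey.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pubkey(pub [u8; 32]);

/// Stand-in for an Anchor #[error_code] enum.
#[derive(Debug, PartialEq, Eq)]
pub enum VaultError {
    Unauthorized,
    InsufficientFunds,
    ArithmeticOverflow,
}

/// Mirrors Anchor's require!: return a program error instead of panicking,
/// so the caller sees a structured error code rather than an opaque abort.
macro_rules! require {
    ($cond:expr, $err:expr) => {
        if !$cond {
            return Err($err);
        }
    };
}

/// Stand-in for an #[account] struct; `authority` is the only key allowed to withdraw.
#[derive(Debug)]
pub struct Vault {
    pub authority: Pubkey,
    pub balance: u64,
}

/// VULNERABLE: no authority check, and wrapping_sub models what `-` does in a
/// release build without `overflow-checks = true`. Withdrawing more than the
/// balance "succeeds" and leaves the vault holding a balance near u64::MAX.
pub fn withdraw_unchecked(vault: &mut Vault, _signer: &Pubkey, amount: u64) -> Result<(), VaultError> {
    vault.balance = vault.balance.wrapping_sub(amount);
    Ok(())
}

/// HARDENED: the signer must equal the stored authority (what Anchor's
/// `has_one = authority` constraint enforces declaratively), and the
/// subtraction is checked, with `?` propagating the mapped error.
pub fn withdraw(vault: &mut Vault, signer: &Pubkey, amount: u64) -> Result<(), VaultError> {
    require!(*signer == vault.authority, VaultError::Unauthorized);
    vault.balance = vault
        .balance
        .checked_sub(amount)
        .ok_or(VaultError::InsufficientFunds)?;
    Ok(())
}

/// Deposits are checked too: a wrapped addition would silently shrink a balance.
pub fn deposit(vault: &mut Vault, amount: u64) -> Result<(), VaultError> {
    vault.balance = vault
        .balance
        .checked_add(amount)
        .ok_or(VaultError::ArithmeticOverflow)?;
    Ok(())
}

fn main() {
    let owner = Pubkey([1u8; 32]);
    let attacker = Pubkey([2u8; 32]);

    let mut weak = Vault { authority: owner, balance: 100 };
    let r = withdraw_unchecked(&mut weak, &attacker, 101);
    println!("unchecked, attacker overdraws: {:?} -> balance {}", r, weak.balance);

    let mut safe = Vault { authority: owner, balance: 100 };
    println!("hardened, wrong signer: {:?}", withdraw(&mut safe, &attacker, 10));
    println!("hardened, overdraw:     {:?}", withdraw(&mut safe, &owner, 101));
    let r = withdraw(&mut safe, &owner, 40);
    println!("hardened, ok:           {:?} -> balance {}", r, safe.balance);
}
```

In a real program the authority comparison moves into the `#[derive(Accounts)]` struct as `has_one = authority` plus `Signer<'info>` on the authority account; the handler body then only needs the checked arithmetic.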


2. Scheduling Regular AI-Driven Audits

  • Automated CI Jobs: Integrate codi audit as a nightly or weekly CI task.

  • Severity Thresholds: Configure severity_threshold in codi.toml to fail builds on high-risk findings.

  • Audit Reports: Store JSON/Markdown reports in artifacts and notify stakeholders on new issues.
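The gate a nightly CI job would apply to such a report, as an added example that is not CODI's own code: findings at or above the configured threshold block the build, and a severity string the gate cannot rank blocks it as well (fail closed), as does a malformed line. The tab-separated report layout and the contents of SAMPLE_REPORT are constructed for the example and are not CODI's report schema; the threshold argument mirrors the severity_threshold key from codi.toml.

```rust
use std::str::FromStr;

/// Severity scale, declared in ascending order so `>=` means "at least this severe".
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Info,
    Low,
    Medium,
    High,
    Critical,
}

impl FromStr for Severity {
    type Err = String;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        match s.trim().to_ascii_lowercase().as_str() {
            "info" | "informational" => Ok(Severity::Info),
            "low" => Ok(Severity::Low),
            "medium" | "moderate" => Ok(Severity::Medium),
            "high" => Ok(Severity::High),
            "critical" => Ok(Severity::Critical),
            other => Err(format!("unknown severity {:?}", other)),
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    /// None when the report carried a severity the gate could not parse.
    pub severity: Option<Severity>,
    pub id: String,
    pub title: String,
}

#[derive(Debug, Default)]
pub struct GateResult {
    pub blocking: Vec<Finding>,
    pub malformed: Vec<String>,
}

impl GateResult {
    /// The build passes only when nothing blocks and the report parsed cleanly.
    pub fn passed(&self) -> bool {
        self.blocking.is_empty() && self.malformed.is_empty()
    }
}

/// Constructed sample report (severity<TAB>id<TAB>title per line); not CODI's schema.
pub const SAMPLE_REPORT: &str = "\
# constructed sample report
low\tCODI-001\tMissing doc comment on instruction handler
high\tCODI-002\tMissing signer check on `authority`
medium\tCODI-003\tUnchecked arithmetic in `withdraw`
bogus\tCODI-004\tSeverity string not recognised
";

/// Applies `threshold` (the codi.toml severity_threshold) to a report.
/// Unknown severities and malformed lines fail the gate rather than being skipped.
pub fn gate(report: &str, threshold: Severity) -> GateResult {
    let mut result = GateResult::default();
    for (n, raw) in report.lines().enumerate() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let mut parts = line.splitn(3, '\t');
        let (sev, id, title) = match (parts.next(), parts.next(), parts.next()) {
            (Some(s), Some(i), Some(t)) => (s, i, t),
            _ => {
                result.malformed.push(format!("line {}: expected 3 tab-separated fields", n + 1));
                continue;
            }
        };
        match sev.parse::<Severity>() {
            Ok(s) if s >= threshold => result.blocking.push(Finding {
                severity: Some(s),
                id: id.to_string(),
                title: title.to_string(),
            }),
            Ok(_) => {}
            // Fail closed: a severity we cannot rank must not slip past the gate.
            Err(e) => result.blocking.push(Finding {
                severity: None,
                id: id.to_string(),
                title: format!("{} ({})", title, e),
            }),
        }
    }
    result
}

fn main() {
    let result = gate(SAMPLE_REPORT, Severity::High);
    for f in &result.blocking {
        println!("BLOCKING {:?} {}: {}", f.severity, f.id, f.title);
    }
    for m in &result.malformed {
        println!("MALFORMED {}", m);
    }
    std::process::exit(if result.passed() { 0 } else { 1 });
}
```

The non-zero exit code is what the CI runner keys on; the report itself still goes to the artifact store unchanged so stakeholders can read every finding, including the ones below the threshold.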


3. Performance Profiling & Benchmarking

  • Build Time Profiling: Measure Rust compile times (cargo build --timings) and optimize by limiting dependencies.

  • Test Execution Metrics: Use codi test --profile to capture duration per test; identify slow cases.

  • Benchmark Scripts: Add Rust benchmarks via criterion and run under codi test for routine performance checks.


4. Scaling Agents: Parallelism & Resource Quotas

  • Parallel Agent Execution: Enable parallel runs in codi.toml under [planner] (e.g., max_concurrency = 4).

  • Resource Quotas: Configure CPU/memory limits per agent to prevent overload (via codi config set quotas).

  • Retry Policies: Set retry counts and backoff strategies for flaky tasks.
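How the three knobs above fit together, as an added example in plain std Rust that is not CODI's planner: a bounded worker pool that never runs more than max_concurrency tasks at once, each task wrapped in a retry loop with capped exponential backoff. RetryPolicy and its field names are assumptions for the example, and a task is any closure that receives the attempt number and returns Ok or Err; the sample tasks in main are constructed to show a first-try success, a flaky task that recovers, and a task that exhausts its retries.

```rust
use std::collections::VecDeque;
use std::sync::mpsc;
use std::sync::{Arc, Mutex};
use std::thread;
use std::time::Duration;

/// Retry knobs; the field names are assumptions for this example, not CODI's schema.
#[derive(Clone, Copy, Debug)]
pub struct RetryPolicy {
    pub max_retries: u32,
    pub base_delay: Duration,
    pub factor: u32,
    pub max_delay: Duration,
}

impl RetryPolicy {
    /// Capped exponential backoff: base_delay * factor^attempt, never above max_delay.
    pub fn backoff(&self, attempt: u32) -> Duration {
        let mult = self.factor.checked_pow(attempt).unwrap_or(u32::MAX);
        self.base_delay
            .checked_mul(mult)
            .unwrap_or(self.max_delay)
            .min(self.max_delay)
    }
}

/// A planner task: receives the 0-based attempt index and either succeeds or fails.
pub type Task<T, E> = Box<dyn FnMut(u32) -> Result<T, E> + Send>;

/// Runs one task until it succeeds or the retry budget is spent.
/// Returns the final outcome and the number of attempts made.
pub fn run_with_retry<T, E, F: FnMut(u32) -> Result<T, E>>(
    policy: &RetryPolicy,
    mut task: F,
) -> (Result<T, E>, u32) {
    let mut attempt = 0;
    loop {
        match task(attempt) {
            Ok(v) => return (Ok(v), attempt + 1),
            Err(e) if attempt >= policy.max_retries => return (Err(e), attempt + 1),
            Err(_) => {
                thread::sleep(policy.backoff(attempt));
                attempt += 1;
            }
        }
    }
}

/// Runs all tasks with at most `max_concurrency` in flight. Workers pull from a
/// shared queue, so one slow task never delays the others from starting.
/// Results are returned in input order.
pub fn run_parallel<T: Send + 'static, E: Send + 'static>(
    max_concurrency: usize,
    policy: RetryPolicy,
    tasks: Vec<Task<T, E>>,
) -> Vec<(Result<T, E>, u32)> {
    let n = tasks.len();
    let queue: Arc<Mutex<VecDeque<(usize, Task<T, E>)>>> =
        Arc::new(Mutex::new(tasks.into_iter().enumerate().collect()));
    let (tx, rx) = mpsc::channel();
    let workers = max_concurrency.clamp(1, n.max(1));
    let handles: Vec<_> = (0..workers)
        .map(|_| {
            let queue = Arc::clone(&queue);
            let tx = tx.clone();
            thread::spawn(move || loop {
                // Hold the lock only long enough to take the next task.
                let next = queue.lock().unwrap().pop_front();
                match next {
                    Some((idx, mut task)) => {
                        let outcome = run_with_retry(&policy, |a| task(a));
                        tx.send((idx, outcome)).expect("receiver outlives workers");
                    }
                    None => break,
                }
            })
        })
        .collect();
    drop(tx); // `rx` ends once every worker has dropped its sender
    let mut results: Vec<Option<(Result<T, E>, u32)>> = (0..n).map(|_| None).collect();
    for (idx, outcome) in rx {
        results[idx] = Some(outcome);
    }
    for h in handles {
        h.join().expect("worker panicked");
    }
    results.into_iter().map(|r| r.expect("each task reports once")).collect()
}

fn main() {
    let policy = RetryPolicy {
        max_retries: 3,
        base_delay: Duration::from_millis(50),
        factor: 2,
        max_delay: Duration::from_secs(1),
    };
    // Constructed tasks: one succeeds at once, one recovers, one never does.
    let tasks: Vec<Task<String, String>> = vec![
        Box::new(|_| Ok("lint ok".to_string())),
        Box::new(|a| if a < 2 { Err(format!("rpc timeout (attempt {})", a)) } else { Ok("audit ok".to_string()) }),
        Box::new(|_| Err("test runner unavailable".to_string())),
    ];
    for (i, (outcome, attempts)) in run_parallel(2, policy, tasks).into_iter().enumerate() {
        println!("task {}: {:?} after {} attempt(s)", i, outcome, attempts);
    }
}
```

The cap on max_delay matters as much as the factor: without it a handful of retries against a dead dependency can park a worker for minutes, which is the overload the resource quotas are meant to prevent. Quotas on CPU and memory per agent are a separate, OS-level control (cgroups, container limits) that this pool does not model.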


5. Centralized Logging, Metrics, and Alerting

  • Structured Logs: Ensure agents use ctx.logger with JSON output (one object per line, field values escaped so newlines or quotes in untrusted content cannot forge a record) for ingestion by ELK/Datadog.

  • Metrics Endpoint: Expose /metrics (Prometheus format) from CODI server for request rates, agent latencies, error counts.

  • Alerting: Configure alerts on high error rates or threshold breaches (e.g., audit severity spikes).
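The two wire formats above, as an added example that is not CODI's ctx.logger or metrics server: a JSON log line whose values are escaped so an untrusted field cannot close the record and inject a fake one, and a counter registry rendered in Prometheus text exposition format with label values escaped as that format requires. The metric and label names, and the hostile sample value in main, are made up for the example.

```rust
use std::collections::BTreeMap;
use std::fmt::Write as _;

/// Escape a value for a JSON string literal. Quotes, backslashes and every
/// control character (newlines included) are escaped, so a value an agent copied
/// from untrusted input cannot close its field and forge a second log record.
pub fn json_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => {
                let _ = write!(out, "\\u{:04x}", c as u32);
            }
            c => out.push(c),
        }
    }
    out
}

/// One record per line: fixed keys first, extra fields in sorted key order.
pub fn log_line(level: &str, agent: &str, msg: &str, fields: &BTreeMap<&str, &str>) -> String {
    let mut line = format!(
        "{{\"level\":\"{}\",\"agent\":\"{}\",\"msg\":\"{}\"",
        json_escape(level),
        json_escape(agent),
        json_escape(msg)
    );
    for (k, v) in fields {
        let _ = write!(line, ",\"{}\":\"{}\"", json_escape(k), json_escape(v));
    }
    line.push('}');
    line
}

/// Prometheus text exposition escapes exactly these three characters in label values.
pub fn prom_label_escape(v: &str) -> String {
    v.replace('\\', "\\\\").replace('"', "\\\"").replace('\n', "\\n")
}

/// Counter registry behind a /metrics handler. BTreeMaps keep the output
/// deterministic, so it can be diffed in tests.
#[derive(Default)]
pub struct Registry {
    counters: BTreeMap<String, (String, BTreeMap<Vec<(String, String)>, u64>)>,
}

impl Registry {
    pub fn register_counter(&mut self, name: &str, help: &str) {
        self.counters
            .entry(name.to_string())
            .or_insert_with(|| (help.to_string(), BTreeMap::new()));
    }

    /// Adds `by` to one label set; an unregistered metric is created with a
    /// placeholder help string rather than dropped silently.
    pub fn inc(&mut self, name: &str, labels: &[(&str, &str)], by: u64) {
        let key: Vec<(String, String)> = labels.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
        let (_, series) = self
            .counters
            .entry(name.to_string())
            .or_insert_with(|| ("no description".to_string(), BTreeMap::new()));
        *series.entry(key).or_insert(0) += by;
    }

    /// `# HELP` / `# TYPE` headers, then one sample line per label set.
    pub fn render(&self) -> String {
        let mut out = String::new();
        for (name, (help, series)) in &self.counters {
            let _ = writeln!(out, "# HELP {} {}", name, help);
            let _ = writeln!(out, "# TYPE {} counter", name);
            for (labels, value) in series {
                if labels.is_empty() {
                    let _ = writeln!(out, "{} {}", name, value);
                } else {
                    let rendered: Vec<String> = labels
                        .iter()
                        .map(|(k, v)| format!("{}=\"{}\"", k, prom_label_escape(v)))
                        .collect();
                    let _ = writeln!(out, "{}{{{}}} {}", name, rendered.join(","), value);
                }
            }
        }
        out
    }
}

fn main() {
    let mut fields = BTreeMap::new();
    fields.insert("task_id", "t-7");
    // Constructed hostile value: tries to close the record and start a fake one.
    fields.insert("input", "ok\"}\n{\"level\":\"info\",\"msg\":\"forged");
    println!("{}", log_line("error", "auditor", "task failed", &fields));
    let mut reg = Registry::default();
    reg.register_counter("codi_agent_errors_total", "Agent task failures");
    reg.inc("codi_agent_errors_total", &[("agent", "auditor")], 1);
    print!("{}", reg.render());
}
```

An alert on "audit severity spikes" is then a rate rule over a counter like the one rendered here (for example, a jump in a per-severity error counter between scrapes), which only works if every record and sample is well-formed; a single unescaped newline in a log field can both forge an event and break the parser for everything after it.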


Conclusion

By following these security and performance best practices—secure coding in Anchor, automated audits, thorough profiling, scalable agent orchestration, and centralized observability—you’ll maintain a robust, efficient CODI-driven development lifecycle.


© 2025 CODI all rights reserved | Created with ♥️