SPECTRE Distribution + DevEx Roadmap (Tier 1 + 2 Follow-ups)
Author: spectre-solana-max engineering
Status: Roadmap. Each item is a discrete follow-up ticket.
Companion: spectre-vs-competitors-gap-analysis-2026-05-16.md
Context
The competitor gap analysis identified distribution as the single highest-leverage gap separating SPECTRE from production usage by Solana devs. This doc captures tier-1 and tier-2 items as concrete tickets so each can be scheduled independently.
The rule pack and substrate are good. The wrapper isn't yet dev-grade. These items close the wrapper gap.
Tier 1 — Blocks adoption today
T1.1 — Distribution / install path
Effort: ~3-5 days for an MVP path; ~1 week for full polish.
Three sub-tracks, in increasing reach:
a. cargo install pinpoint-spectre (1 day). Publish pinpoint-cli (or a stripped subset crate pinpoint-spectre containing only the spectre scan command) to crates.io. Acceptance: cargo install pinpoint-spectre on a clean machine works; pinpoint-spectre spectre scan --help returns usage.
b. GitHub release with prebuilt binaries (1 day). Linux x86_64, macOS x86_64, macOS aarch64. Acceptance: tagged release pushes binaries to GitHub Releases; checksums published.
c. GitHub Action pinpoint-tech/spectre-action@v1 (2-3 days). Composite action that downloads the prebuilt binary, scans the PR diff, posts findings as PR review comments. Acceptance: any Solana repo can add uses: pinpoint-tech/spectre-action@v1 and get findings in a PR.
Why it matters: every direct competitor (Sec3 X-Ray, L3X, Solana Fender) has all three. Without these, the SPECTRE rule pack's 100% exact-rule + 100% class-level historical coverage is academic.
T1.2 — SARIF output
Effort: ~1 day.
Add --output sarif to pinpoint spectre scan. Map each Finding to a SARIF result with ruleId, level (warn/error from Severity), message, locations (the existing Location maps directly to SARIF physicalLocation), and properties.confidence.
Acceptance: GitHub PR shows annotations on the right lines; GitLab MR diffs show inline comments. Both consume SARIF natively.
Why it matters: SARIF is the lingua franca of modern CI code scanning. Without it, SPECTRE findings live in a JSON file the dev has to know to read. With it, findings appear directly in the PR diff where the dev is already looking.
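The mapping above, carried through as an added example (not pinpoint-cli code): a std-only SARIF 2.1.0 serializer that turns a Finding into a SARIF result with ruleId, level, message, physicalLocation and properties.confidence. The Finding, Severity and Location types, the severity-to-level collapse and the sample finding are assumptions; the real structs in pinpoint-cli may differ.

```rust
// Added example, not pinpoint-cli code: serialize scanner findings as a
// SARIF 2.1.0 log using only std, so GitHub / GitLab can render them inline.
// Finding, Severity and Location mirror the fields T1.2 names; their exact
// shape in pinpoint-cli is an assumption.
use std::fmt::Write;

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Severity { Low, Medium, High, Critical }

#[derive(Clone, Debug)]
pub struct Location { pub path: String, pub line: u32, pub column: u32 }

#[derive(Clone, Debug)]
pub struct Finding {
    pub rule_id: String,
    pub severity: Severity,
    pub message: String,
    pub location: Location,
    pub confidence: f32,
}

/// SARIF `level` is coarser than Severity: collapse to warning / error.
pub fn sarif_level(sev: Severity) -> &'static str {
    match sev {
        Severity::Low | Severity::Medium => "warning",
        Severity::High | Severity::Critical => "error",
    }
}

/// Quote a string as a JSON literal. Rule messages quote user identifiers,
/// so escaping is not optional: a stray quote would corrupt the whole log.
pub fn json_str(s: &str) -> String {
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => { let _ = write!(out, "\\u{:04x}", c as u32); }
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

/// One SARIF `result`: the existing Location maps straight onto physicalLocation.
pub fn finding_to_sarif_result(f: &Finding) -> String {
    let region = format!(
        "{{\"startLine\":{},\"startColumn\":{}}}",
        f.location.line, f.location.column
    );
    let physical = format!(
        "{{\"artifactLocation\":{{\"uri\":{}}},\"region\":{}}}",
        json_str(&f.location.path), region
    );
    format!(
        "{{\"ruleId\":{},\"level\":\"{}\",\"message\":{{\"text\":{}}},\"locations\":[{{\"physicalLocation\":{}}}],\"properties\":{{\"confidence\":{}}}}}",
        json_str(&f.rule_id), sarif_level(f.severity), json_str(&f.message), physical, f.confidence
    )
}

/// Whole log: one run, a tool driver listing the distinct rule ids, then results.
pub fn sarif_log(tool_version: &str, findings: &[Finding]) -> String {
    let mut rule_ids: Vec<&str> = findings.iter().map(|f| f.rule_id.as_str()).collect();
    rule_ids.sort();
    rule_ids.dedup();
    let rules: Vec<String> = rule_ids.iter().map(|id| format!("{{\"id\":{}}}", json_str(id))).collect();
    let results: Vec<String> = findings.iter().map(finding_to_sarif_result).collect();
    format!(
        "{{\"$schema\":\"https://json.schemastore.org/sarif-2.1.0.json\",\"version\":\"2.1.0\",\"runs\":[{{\"tool\":{{\"driver\":{{\"name\":\"pinpoint-spectre\",\"version\":{},\"rules\":[{}]}}}},\"results\":[{}]}}]}}",
        json_str(tool_version), rules.join(","), results.join(",")
    )
}

/// Constructed sample finding (not a real scan result); the path and rule text are made up.
pub fn sample_finding() -> Finding {
    Finding {
        rule_id: "CROSS-007".to_string(),
        severity: Severity::High,
        message: "Missing signer check on \"authority\"".to_string(),
        location: Location { path: "programs/vault/src/lib.rs".to_string(), line: 42, column: 5 },
        confidence: 0.9,
    }
}

fn main() {
    println!("{}", sarif_log("0.1.0-example", &[sample_finding()]));
}
```

The artifactLocation uri must be repository-relative for GitHub's code-scanning upload to place the annotation on the right line of the diff, which is why the example keeps Location.path as the scanner emits it rather than resolving it to an absolute path.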
T1.3 — Suppression + baseline
Effort: ~1 week for both modes.
a. Inline suppression markers (3 days). Recognize a comment-based suppression: // spectre-allow: CROSS-007 — reviewed 2026-05-16, see docs/security/cross-007-mango.md. The scanner skips findings whose nearest-preceding suppression marker matches the rule id. Reason text is required (cannot suppress with no justification).
b. Baseline file (4 days). pinpoint spectre baseline --write .spectre-baseline.json snapshots the current finding set. Subsequent pinpoint spectre scan --baseline .spectre-baseline.json diffs findings and reports only new ones — making PR-time scanning practical even on protocols with 1000+ pre-existing findings.
Acceptance: existing findings don't gate a PR; net-new findings do. Suppression markers survive across runs (no nondeterministic FP/FN).
Why it matters: real CI usage requires both. First scan of a mature protocol returns hundreds of findings; without suppression and baseline, the dev disables the scanner.
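Both T1.3 modes, as an added example that is not pinpoint-cli code: marker parsing that rejects a suppression with no reason, nearest-preceding-marker matching per file, and a baseline diff. The baseline here is a newline-separated fingerprint list rather than the .spectre-baseline.json the roadmap names, the Finding type, the fingerprint scheme (rule + path + trimmed source text instead of line number) and the sample lib.rs with its findings are all constructed assumptions.

```rust
// Added example, not pinpoint-cli code: inline `// spectre-allow:` markers
// with a mandatory reason, nearest-preceding-marker matching, and a baseline
// diff keyed on a content fingerprint. Uses only std; the baseline is a
// newline-separated fingerprint list rather than the JSON file T1.3 names.
use std::collections::HashSet;

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Finding { pub rule_id: String, pub path: String, pub line: usize }

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Suppression { pub path: String, pub line: usize, pub rule_id: String, pub reason: String }

const MARKER: &str = "// spectre-allow:";

/// Parse one marker line into (rule_id, reason). A marker with no reason, or
/// with only a dash after the rule id, is rejected: nobody silences a finding
/// without writing down why.
pub fn parse_marker(line: &str) -> Option<(String, String)> {
    let rest = line.trim_start().strip_prefix(MARKER)?.trim();
    let mut parts = rest.splitn(2, char::is_whitespace);
    let rule_id = parts.next()?.trim();
    let reason = parts.next().unwrap_or("").trim()
        .trim_start_matches(|c: char| c == '—' || c == '-').trim();
    if rule_id.is_empty() || reason.is_empty() {
        return None;
    }
    Some((rule_id.to_string(), reason.to_string()))
}

/// Walk a file (1-based lines); return valid markers plus the line numbers of
/// markers rejected for lacking a reason, which CI should surface as errors.
pub fn collect_markers(path: &str, source: &str) -> (Vec<Suppression>, Vec<usize>) {
    let mut valid = Vec::new();
    let mut rejected = Vec::new();
    for (idx, text) in source.lines().enumerate() {
        if !text.trim_start().starts_with(MARKER) {
            continue;
        }
        match parse_marker(text) {
            Some((rule_id, reason)) => valid.push(Suppression {
                path: path.to_string(), line: idx + 1, rule_id, reason,
            }),
            None => rejected.push(idx + 1),
        }
    }
    (valid, rejected)
}

/// Drop a finding only if the nearest valid marker above it, in the same
/// file, names its rule id. A marker for a different rule does not count.
pub fn apply_suppressions(findings: Vec<Finding>, markers: &[Suppression]) -> Vec<Finding> {
    findings.into_iter().filter(|f| {
        let nearest = markers.iter()
            .filter(|m| m.path == f.path && m.line < f.line)
            .max_by_key(|m| m.line);
        !matches!(nearest, Some(m) if m.rule_id == f.rule_id)
    }).collect()
}

/// Fingerprint on rule + path + trimmed source text at the finding, not the
/// line number, so edits elsewhere in the file do not make old findings "new".
pub fn fingerprint(f: &Finding, source: &str) -> String {
    let text = f.line.checked_sub(1).and_then(|i| source.lines().nth(i)).unwrap_or("").trim();
    format!("{}|{}|{}", f.rule_id, f.path, text)
}

/// `baseline --write`: snapshot the current finding set.
pub fn write_baseline(findings: &[Finding], source: &str) -> String {
    let mut fps: Vec<String> = findings.iter().map(|f| fingerprint(f, source)).collect();
    fps.sort();
    fps.dedup();
    fps.join("\n")
}

/// `scan --baseline`: keep only findings whose fingerprint is not in the snapshot.
pub fn new_findings<'a>(findings: &'a [Finding], source: &str, baseline: &str) -> Vec<&'a Finding> {
    let known: HashSet<&str> = baseline.lines().collect();
    findings.iter().filter(|f| !known.contains(fingerprint(f, source).as_str())).collect()
}

pub const SAMPLE_PATH: &str = "programs/vault/src/lib.rs";

/// Constructed source file: line 2 is a valid marker, line 5 has no reason.
pub const SAMPLE_SRC: &str = "use anchor_lang::prelude::*;
// spectre-allow: CROSS-007 — reviewed 2026-05-16, see docs/security/cross-007-mango.md
pub fn withdraw(ctx: Context<Withdraw>) -> Result<()> {
    let vault = &mut ctx.accounts.vault;
    // spectre-allow: CROSS-002
    vault.balance -= 1;
    Ok(())
}
";

/// Constructed findings; rule ids other than CROSS-007 are placeholders.
pub fn sample_findings() -> Vec<Finding> {
    let f = |rule: &str, line: usize| Finding { rule_id: rule.to_string(), path: SAMPLE_PATH.to_string(), line };
    vec![f("CROSS-007", 3), f("CROSS-002", 6), f("ARITH-001", 6)]
}

fn main() {
    let (markers, rejected) = collect_markers(SAMPLE_PATH, SAMPLE_SRC);
    println!("markers: {:?}\nrejected (no reason): {:?}", markers, rejected);
    let kept = apply_suppressions(sample_findings(), &markers);
    let baseline = write_baseline(&kept, SAMPLE_SRC);
    // A later scan after one line was inserted at the top: every finding
    // shifts down by one, but only the genuinely new one is reported.
    let edited = format!("#![allow(unused)]\n{}", SAMPLE_SRC);
    let mut later: Vec<Finding> = kept.iter().map(|f| Finding { line: f.line + 1, ..f.clone() }).collect();
    later.push(Finding { rule_id: "CROSS-002".into(), path: SAMPLE_PATH.into(), line: 8 });
    println!("new findings: {:?}", new_findings(&later, &edited, &baseline));
}
```

The fingerprint choice is the part that makes "existing findings don't gate a PR" hold in practice: a baseline keyed on line numbers goes stale on the first unrelated edit above a finding, and the resulting churn is exactly the nondeterministic FP/FN the acceptance criterion rules out.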
Tier 2 — Feature parity for serious bake-offs
T2.1 — AI / LLM marketing surface (corrected 2026-05-17)
Effort: ~1-2 weeks of docs / demo work. NOT engineering.
Correction: SPECTRE already ships a five-stage agentic remediation chain in code/agents/ (spectre.investigate → spectre.testgen → spectre.verify_pre → spectre.remediate → spectre.verify_post → spectre.report). Uses Qwen3.6-35b-a3b with docker-sandboxed reproduce-then-fix verification. This is materially deeper than what Sec3 Premium auto-auditor / L3X / Octane ship. See spectre-vs-competitors-gap-analysis-2026-05-17.md for the positioning.
The actual residual items on the AI front are:
- Public docs that front the agent chain. Today no public marketing page mentions it. Bake-off prospects who ask "do you have AI?" hear silence, not the five-stage chain.
- Model-choice optics. Qwen3.6-35b-a3b is a defensible workhorse; Claude / GPT / Gemini have stronger marketing pull. The pinpoint-agent-runtime LLM abstraction makes this a config change, not engineering.
- One-screen demo (paste a buggy lib.rs, get a sandboxed-verified fix in ~60s). Currently no such demo exists.
Why it matters: bake-off marketing increasingly assumes "AI-powered" features. SPECTRE has more than Sec3 / L3X / Octane, but no public surface communicates that. Closing the visibility gap is ~1-2 weeks of work, not engineering.
T2.2 — Hosted scan UI
Effort: ~3-4 weeks for an MVP.
Sec3 has pro.sec3.dev; SPECTRE has nothing self-serve.
MVP shape:
- Submit a public GitHub repo URL + commit SHA via a web form.
- Backend pulls the repo, runs pinpoint spectre scan, persists the finding JSON.
- Web UI renders the finding set with per-rule grouping, severity filters, and source-code inline highlights.
This is real engineering (auth, billing, queue, isolated scan sandboxes). Not a 1-week project. But it's the on-ramp for protocol teams who won't wire CI themselves.
T2.3 — Bug-bounty marketing channel
Effort: ~1 week of content + outreach (after T1.1 ships).
Sec3 actively positions X-Ray for bug-bounty hunters, who file findings on Immunefi and credit the tool. SPECTRE has zero ecosystem visibility.
Plan:
- Once T1.1 (install path) lands, publish a "SPECTRE for Bug Bounty Hunters" guide.
- Catalogue which protocols on Immunefi accept Anchor / native Solana programs and run SPECTRE on each (public source).
- Submit findings to active bounties under a "discovered via SPECTRE scan" attribution.
Distribution (T1.1) is the prerequisite. Without an install path, bounty hunters can't run the tool.
Sequencing
The dependency graph is straightforward:
T1.1 (install) ─┬─→ T1.3 (suppression + baseline)
                ├─→ T2.3 (bounty channel)
                └─→ T2.2 (hosted UI)
T1.2 (SARIF) is independent; ship anytime.
T2.1 (AI marketing surface — docs + demo only) is independent; ship anytime.
T1.1 is the linchpin. Everything downstream that touches a Solana dev depends on it.
Effort summary
| Ticket | Effort | Blocker / Dep |
|---|---|---|
| T1.1 install + GH Action | ~1 week | none |
| T1.2 SARIF | ~1 day | none |
| T1.3 suppression + baseline | ~1 week | none |
| T2.1 AI marketing-surface (docs + demo, NOT engineering) | ~1-2 weeks | none |
| T2.2 hosted UI MVP | ~3-4 weeks | T1.1 |
| T2.3 bounty channel | ~1 week | T1.1 |
Total to "Solana devs can use it": T1.1 + T1.2 + T1.3 ≈ 2.5 weeks of focused work. That's the entire gap between "research preview" and "production-shippable static analyzer."