SPECTRE for Solana: Production-Readiness Audit (Signup to Dashboard)
Date: 2026-05-18
Branch: feat/spectre-solana-max
Scope: Distribution model where a customer signs up, runs a scan through the spectre scan end-to-end pipeline, and reviews audit results in the dashboard.
Author: spectre-solana-max engineering
Executive summary
The static analyzer, agent runtime, API, and multi-tenant infrastructure are production-grade. The customer activation loop (signup, in-dashboard scan kickoff, AI-artifact rendering, observability, end-to-end test coverage) has five concrete gaps that should be closed before unattended onboarding of paid customers. Estimated total remediation effort: roughly 2 to 3 weeks of focused work, with a high-touch onboarding model viable for the first one to two customers in the interim.
What is wired end-to-end
Web, auth, billing
- Next.js 14 dashboard at `code/web/` covering projects, findings, billing, environments.
- JWT auth with thread-local `TenantContext` enforced at the query layer via `code/api/src/main/java/dev/getpinpoint/api/filter/TenantFilter.java`, so multi-tenancy is enforced beyond the controller surface.
- Stripe wired completely through `SubscriptionLifecycleService`, webhooks, plan tiers (Core, Professional, Enterprise), coupons, and rate limiting via `RateLimitFilter`.
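The query-layer tenant enforcement claimed above, as an added illustration written for this audit rather than the project's own `TenantFilter` code: the class names come from the report, while the `jwt.tenant_id` request attribute, the `tenant_id` column and the jakarta.servlet / Spring `JdbcTemplate` dependencies are assumptions. The two checks worth confirming in the real filter are the `finally` cleanup of the thread-local and the fail-closed `require()` at the query layer.

```java
import java.io.IOException;
import java.util.List;
import java.util.Map;
import jakarta.servlet.*;
import jakarta.servlet.http.*;
import org.springframework.jdbc.core.JdbcTemplate;

// Thread-bound tenant identity. Class names follow the report; the bodies are illustrative.
final class TenantContext {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void set(String tenantId) { CURRENT.set(tenantId); }
    static void clear() { CURRENT.remove(); }
    // Fail closed: a query reaching here with no tenant bound is a bug, not an admin path.
    static String require() {
        String id = CURRENT.get();
        if (id == null) throw new IllegalStateException("no tenant bound to this thread");
        return id;
    }
}

final class TenantFilter implements Filter {
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Assumption: an upstream JWT filter validated the token and stored its tenant
        // claim as the request attribute "jwt.tenant_id"; this filter only binds it.
        Object tenant = ((HttpServletRequest) req).getAttribute("jwt.tenant_id");
        if (tenant == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        TenantContext.set(tenant.toString());
        try {
            chain.doFilter(req, res);
        } finally {
            TenantContext.clear(); // servlet threads are pooled: never leak a tenant to the next request
        }
    }
}

// Query layer: the tenant predicate is added here, so no controller can forget it.
// Assumption: code_analysis_findings carries a tenant_id column.
final class FindingRepository {
    private final JdbcTemplate jdbc;
    FindingRepository(JdbcTemplate jdbc) { this.jdbc = jdbc; }
    List<Map<String, Object>> findByStatus(String status) {
        return jdbc.queryForList(
            "SELECT id, severity, status FROM code_analysis_findings WHERE tenant_id = ? AND status = ?",
            TenantContext.require(), status);
    }
}
```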
Scan dispatch and agent chain
- CLI dispatch path: `pinpoint push` calls `/api/v1/analysis/spectre-upload-url`, uploads tensor + findings via S3 presigned URL, persists a `code_analysis_runs` row.
- Dashboard dispatch path: `/api/v1/requests` POST, routed by `DispatchService` into a `DispatchEvent`.
- Agent pipeline tables: `agent_jobs` (V065), `agent_runs` (V065), `spectre_pipelines` (V068) state machine.
- Redis Streams wired between stages.
- Four of the five documented agent binaries exist in `code/agents/crates/`: `pinpoint-investigation-agent`, `pinpoint-testgen-agent`, `pinpoint-verify-agent` (dual-stream for `verify_pre` and `verify_post`), `pinpoint-remediation-agent`.
Operational substrate
- 16 Dockerfiles across API, Web, agents, render-engine, health-monitor.
- Working `infrastructure/docker/docker-compose.yml` for local dev with Postgres, Redis, MinIO, API, Web, agents.
- Terraform infrastructure-as-code for AWS (ECS, RDS, S3, CloudFront, Lambda).
- GitLab CI pipeline with an ECR vulnerability gate before production deploy.
MCP tooling
- `code/mcp/` TypeScript server with 25 tools (`list_scan_findings`, `update_finding_status`, `get_blast_radius`, etc.).
- Auth via `PINPOINT_TOKEN` against the Spring Boot API.
- Positioned as an editor-side AI integration (Claude Code, Cursor, Windsurf), not the primary customer interface.
Top 5 blockers between today and self-serve onboarding
| # | Blocker | Where | Fix |
|---|---|---|---|
| 1 | No in-dashboard "Run Scan" button | `code/web/app/(app)/dashboard/projects/[projectId]/` | Add a button that either uploads from the browser or prints the `pinpoint push` snippet |
| 2 | `spectre.report` agent missing | `code/agents/crates/` (4 of 5 stages present) | Implement `pinpoint-report-agent`, or move report assembly into the API after `verify_post` |
| 3 | AI agent artifacts not rendered | `code_analysis_findings` columns `investigation_summary`, `generated_tests_path`, `remediation_patch_path` are written but have no UI surface | Add expandable panels in the finding detail view |
| 4 | Zero production observability outside agents | API and Web have no Sentry, APM, or trace aggregation (Prometheus only on agent binaries :9091/9092/9093) | Wire Sentry across all three services |
| 5 | No end-to-end signup-to-finding test | No Playwright or Cypress test exercises signup, scan, finding visibility | Add an e2e test as a CI gate |
Recommended sequencing
| Window | Work |
|---|---|
| Half day to one day | Resolve blocker 2 (report stage clarification or implementation) |
| 2 to 3 days | Wire Sentry across API, Web, agents (blocker 4) |
| 1 to 2 weeks | Ship blockers 1, 3, 5 (UI scan button, agent-artifact panels, e2e Playwright test) |
First-customer onboarding playbook
While the above are in flight, paid customers can be onboarded in a high-touch mode:
- Run them on `--profile balanced` (strict tier plus measured-precision rules in the 0.50 to 0.95 F1 band).
- Initiate the scan via CLI for them on a screenshare or async via `pinpoint push`.
- Walk findings in the dashboard, which is already feature-complete for triage (severity filter, category filter, status updates: `OPEN`, `ACKNOWLEDGED`, `RESOLVED`, `FALSE_POSITIVE`).
- Surface AI artifacts manually from S3 until blocker 3 is closed.
- Treat the 5 mined detectors from Day 26 (ARI-060, STATE-020, GOV-003, TOK-040, PKT-003) as experimental, gated behind `--profile all`, and hidden from the default dashboard view.
Verdict
The static analyzer is the hard part, and it is solid (52 single-program + 8 cross-program rules, 24/24 historical-incident replay, three calibrated profiles, complete Token-2022 coverage). The customer pipeline is mostly built. What remains is closing the activation loop and adding eyes-on observability, both of which are well-scoped engineering tasks rather than open research questions.