|
| 1 | +# Trident Development Review Passes |
| 2 | + |
| 3 | +> Instead of "make it perfect", invoke passes by number. |
| 4 | +> Example: "Run PASS 3 and PASS 7 on this module." |
| 5 | +
|
| 6 | +--- |
| 7 | + |
| 8 | +## PASS 1: DETERMINISM |
| 9 | +- [ ] No floating point anywhere — all arithmetic over Goldilocks p = 2⁶⁴ − 2³² + 1 |
| 10 | +- [ ] No HashMap iteration (non-deterministic order) — use BTreeMap or indexed vec |
| 11 | +- [ ] No system clock, no randomness without explicit seed |
| 12 | +- [ ] Serialization is canonical — single valid encoding per value |
| 13 | +- [ ] Cross-platform: same input → same state root, always |
| 14 | + |
| 15 | +**Ask:** *"Find any source of non-determinism in this code."* |
| 16 | + |
| 17 | +--- |
| 18 | + |
| 19 | +## PASS 2: BOUNDED LOCALITY |
| 20 | +- [ ] Every function's read-set is O(k)-bounded — trace it |
| 21 | +- [ ] No hidden global state access (singletons, lazy_static with mutation) |
| 22 | +- [ ] Graph walks have explicit depth/hop limits |
| 23 | +- [ ] State updates touch only declared write-set — no side effects beyond it |
| 24 | +- [ ] Verify: local change cannot trigger unbounded cascade |
| 25 | + |
| 26 | +**Ask:** *"What is the maximum read-set and write-set of this function? Can a local change cascade globally?"* |
| 27 | + |
| 28 | +--- |
| 29 | + |
| 30 | +## PASS 3: FIELD ARITHMETIC CORRECTNESS |
| 31 | +- [ ] All reductions are correct mod p — no overflow before reduce |
| 32 | +- [ ] Multiplication uses proper widening (u64 → u128 → reduce) |
| 33 | +- [ ] Inverse/division handles zero case explicitly (panic or Option) |
| 34 | +- [ ] Batch operations maintain invariant: individual vs batch results match |
| 35 | +- [ ] Montgomery/Barrett boundaries are correct at edge values (0, 1, p−1, p) |
| 36 | + |
| 37 | +**Ask:** *"Check edge cases: 0, 1, p−1, and values near 2⁶⁴. Does reduction ever overflow?"* |
| 38 | + |
| 39 | +--- |
| 40 | + |
| 41 | +## PASS 4: CRYPTO HYGIENE |
| 42 | +- [ ] No secret-dependent branching (constant-time operations) |
| 43 | +- [ ] No secret data in error messages, logs, or Debug impls |
| 44 | +- [ ] Zeroize sensitive memory on drop |
| 45 | +- [ ] Hash domain separation — every use has unique prefix/tag |
| 46 | +- [ ] Commitment scheme: binding + hiding properties preserved |
| 47 | +- [ ] Proof constraints are neither under-constrained (soundness hole) nor over-constrained (completeness break) |
| 48 | + |
| 49 | +**Ask:** *"Is there any path where secret material leaks through timing, errors, or logs?"* |
| 50 | + |
| 51 | +--- |
| 52 | + |
| 53 | +## PASS 5: TYPE SAFETY & INVARIANTS |
| 54 | +- [ ] Newtypes for distinct domains: ParticleId ≠ NeuronId ≠ CyberlinkId |
| 55 | +- [ ] States encoded in types (e.g., `Unverified<Proof>` vs `Verified<Proof>`) |
| 56 | +- [ ] `unsafe` blocks have safety comments explaining why invariant holds |
| 57 | +- [ ] No `.unwrap()` on fallible paths — use `?` or explicit error |
| 58 | +- [ ] Phantom types or sealed traits prevent invalid state construction |
| 59 | + |
| 60 | +**Ask:** *"Can a caller construct an invalid state? Can types from different domains be accidentally mixed?"* |
| 61 | + |
| 62 | +--- |
| 63 | + |
| 64 | +## PASS 6: ERROR HANDLING & DEGRADATION |
| 65 | +- [ ] Every error type is meaningful — no `anyhow` in library code |
| 66 | +- [ ] Errors propagate without losing context (error chains) |
| 67 | +- [ ] No panic in library code — only in binary entry points or proved-unreachable |
| 68 | +- [ ] Resource cleanup on all error paths (RAII, Drop impls) |
| 69 | +- [ ] Partial failure doesn't corrupt shared state |
| 70 | + |
| 71 | +**Ask:** *"What happens when this fails halfway through? Is state still consistent?"* |
| 72 | + |
| 73 | +--- |
| 74 | + |
| 75 | +## PASS 7: ADVERSARIAL INPUT |
| 76 | +- [ ] All external inputs are validated before processing |
| 77 | +- [ ] Sizes, lengths, indices are bounds-checked |
| 78 | +- [ ] No allocation proportional to untrusted input without cap |
| 79 | +- [ ] Graph operations handle: empty graph, single node, disconnected components, self-loops, duplicate edges |
| 80 | +- [ ] Malformed proofs/signatures rejected before expensive computation |
| 81 | + |
| 82 | +**Ask:** *"What's the cheapest input an attacker can craft to cause maximum damage (CPU, memory, state corruption)?"* |
| 83 | + |
| 84 | +--- |
| 85 | + |
| 86 | +## PASS 8: ARCHITECTURE & COMPOSABILITY |
| 87 | +- [ ] Module has single responsibility — one reason to change |
| 88 | +- [ ] Dependencies point inward (domain ← application ← infra) |
| 89 | +- [ ] Traits define boundaries — implementations are swappable |
| 90 | +- [ ] No circular dependencies between modules |
| 91 | +- [ ] Public API is minimal — nothing exposed without reason |
| 92 | + |
| 93 | +**Ask:** *"Can I replace the implementation behind this trait without touching callers? What would break?"* |
| 94 | + |
| 95 | +--- |
| 96 | + |
| 97 | +## PASS 9: READABILITY & NAMING |
| 98 | +- [ ] Names match the whitepaper terminology exactly (π, τ, Δπ, neuron, particle, cyberlink) |
| 99 | +- [ ] Functions do what their name says — no hidden side effects |
| 100 | +- [ ] Complex logic has comments explaining *why*, not *what* |
| 101 | +- [ ] Magic numbers are named constants with units in the name (e.g., `MAX_HOP_DEPTH`, `CONVERGENCE_EPSILON`) |
| 102 | +- [ ] Code reads top-down — high-level flow visible without diving into helpers |
| 103 | + |
| 104 | +**Ask:** *"Can someone reading only this file understand what it does and why, without reading other files?"* |
| 105 | + |
| 106 | +--- |
| 107 | + |
| 108 | +## PASS 10: COMPACTNESS & ELIMINATION |
| 109 | +- [ ] No dead code, no commented-out blocks |
| 110 | +- [ ] No premature abstraction — if only one impl exists, don't trait it yet |
| 111 | +- [ ] No duplicate logic — if two functions share structure, extract or explain why not |
| 112 | +- [ ] No unnecessary allocations (clone, to_vec, collect where iter suffices) |
| 113 | +- [ ] Ask: "what can I delete?" before "what should I add?" |
| 114 | + |
| 115 | +**Ask:** *"What can be removed from this code without changing behavior?"* |
| 116 | + |
| 117 | +--- |
| 118 | + |
| 119 | +## PASS 11: PERFORMANCE & SCALABILITY |
| 120 | +- [ ] Hot path is allocation-free (pre-allocated buffers, arena allocation) |
| 121 | +- [ ] No O(n²) or worse without explicit justification and n-bound |
| 122 | +- [ ] Batch operations exist for anything called in loops |
| 123 | +- [ ] Cache-friendly access patterns (sequential over random) |
| 124 | +- [ ] Profiled, not guessed — benchmark before and after optimization |
| 125 | + |
| 126 | +**Ask:** *"What is the complexity of this at 10⁹ nodes? Where does it break first?"* |
| 127 | + |
| 128 | +--- |
| 129 | + |
| 130 | +## PASS 12: TESTABILITY |
| 131 | +- [ ] Pure functions where possible — output depends only on input |
| 132 | +- [ ] Side effects are injected (trait objects, closures), not hardcoded |
| 133 | +- [ ] Property-based tests for invariants (proptest/quickcheck) |
| 134 | +- [ ] Edge case tests: empty, one, max, overflow, malicious |
| 135 | +- [ ] Test names describe the property being verified, not the method being called |
| 136 | + |
| 137 | +**Ask:** *"What property should always hold? Write a proptest for it."* |
| 138 | + |
| 139 | +--- |
| 140 | + |
| 141 | +## Quick Reference — Copy-Paste Prompts |
| 142 | + |
| 143 | +``` |
| 144 | +"Run PASS 1 (determinism) on this module." |
| 145 | +"Run PASS 4 (crypto) and PASS 7 (adversarial) on this function." |
| 146 | +"Run PASS 10 (compactness) — what can I delete?" |
| 147 | +"Run PASS 3 (field arithmetic) — check edge values 0, 1, p−1." |
| 148 | +"Run PASS 8 (architecture) — draw the dependency graph." |
| 149 | +"Run all security passes (1, 3, 4, 7) on this PR." |
| 150 | +``` |
| 151 | + |
| 152 | +### Severity Tiers |
| 153 | + |
| 154 | +| Tier | Passes | When | |
| 155 | +|------|--------|------| |
| 156 | +| **Every commit** | 1, 5, 6, 9 | Determinism, types, errors, readability | |
| 157 | +| **Every PR** | + 2, 7, 8, 10 | Locality, adversarial, architecture, compactness | |
| 158 | +| **Every release** | + 3, 4, 11, 12 | Crypto, field math, performance, full test coverage | |
0 commit comments