Add security txt metadata to candy machine programs (#29)

stranzhay · web-flow · commit 3a7ec225b919 · 2026-05-20T13:14:04.000-04:00
* Add security txt metadata to candy machine programs

* Align security contact metadata

* Make IDL generation work with Anchor 0.30

- Enable the `idl-build` feature on both program crates so `anchor build --idl` succeeds; propagate it from candy-guard to candy-machine-core.
- Provide a manual `IdlBuild` impl for `MintAssetArgs` since `mpl_core::types::PluginAuthorityPair` does not implement Anchor 0.30's `IdlBuild` trait.
- Pin the program IDs in each `Anchor.toml [programs.devnet]` so the IDL build no longer rewrites `declare_id!` with a generated keypair.
- Pin the IDL build toolchain to `nightly-2024-06-01` and normalize Anchor 0.30 IDL output (`defined`, `pubkey`, `writable`/`signer`/`optional`, account/type split) into the legacy shape that Kinobi 0.14 expects.
- Regenerate `idls/*.json` against this pipeline; locked dependency updates fall out of enabling `idl-build`.

* Fix Programs / Test job under Anchor 0.30 idl-build

- Reorder `candy_machine.rs` imports so `cargo fmt --check` is clean now that the file imports both `anchor_lang::prelude::*` and `anchor_lang::prelude::borsh::*`.
- Drop `--all-features` from the clippy step in `test-programs.yml` and pin it to `--features cpi`; the new `idl-build` feature can only be safely enabled from `anchor build --idl`, otherwise the `#[program]` macro panics with "Failed to get program path".

* ci(generate_clients): pre-install Anchor CLI before pnpm generate

`configs/shank.cjs` pins `RUSTUP_TOOLCHAIN=nightly-2024-06-01` so Anchor 0.30's `idl-build` can use the proc-macro span APIs it needs. On a cache-miss, `shank-js` was then trying to `cargo install --locked anchor-cli@0.30.1` under that nightly, which fails because `ahash 0.7.6` references the removed `stdsimd` rustc feature.

Install Anchor CLI in a dedicated step (using the workflow's default Rust toolchain) before invoking `pnpm generate`, so `shank-js` always finds the binary in `./.crates/bin/anchor` and never compiles it under the pinned nightly.

* Update generated clients

* Pin program IDs in Anchor.toml [programs.localnet]

`anchor build --idl` defaults to the localnet cluster, so without
`[programs.localnet]` it generates a throwaway keypair and rewrites
`declare_id!` to its address. That is what produced the bogus
`F8FnAZFh…` and `678oZidn…` IDs in `Update generated clients`.

Declare each program ID under `[programs.localnet]` so the IDL build
keeps the real on-chain addresses, restore `declare_id!`, and refresh
the IDL `address` fields to match.

* Keep security.txt PR scoped

Revert the broad Anchor 0.30 IDL/codegen repair from this PR and keep only the security.txt metadata changes.

Because security.txt metadata does not affect IDL shape, skip the Generate clients job when the PR only changes the security metadata files in this branch; program build/test coverage still runs.

* Clarify security.txt-only CI guard

Rename the metadata-only workflow flag to security_txt_only so the skip condition clearly refers to this PR's security.txt-only change set.

* Remove security.txt workflow guard

Keep this PR scoped to the program security.txt metadata and dependency changes; do not add workflow routing for the existing client-generation issue.

---------

Co-authored-by: stranzhay &lt;stranzhay@users.noreply.github.com&gt;
diff --git a/programs/candy-guard/Cargo.lock b/programs/candy-guard/Cargo.lock
diff --git a/programs/candy-guard/program/Cargo.toml b/programs/candy-guard/program/Cargo.toml
@@ -29,6 +29,7 @@ mpl-token-metadata = "3.2.1"
 regex-lite = "0.1.6"
 solana-gateway = { version = "0.6.0", features = ["no-entrypoint"] }
 solana-program = "1.18.26"
+solana-security-txt = "1.1.1"
 spl-associated-token-account = { version = ">= 1.1.3, < 3.0", features = [
   "no-entrypoint",
 ] }
diff --git a/programs/candy-guard/program/src/lib.rs b/programs/candy-guard/program/src/lib.rs
@@ -12,6 +12,19 @@ pub mod utils;
 
 declare_id!("CMAGAKJ67e9hRZgfC5SFTbZH8MgEmtqazKXjmkaJjWTJ");
 
+#[cfg(not(feature = "no-entrypoint"))]
+solana_security_txt::security_txt! {
+    // Required fields
+    name: "Mpl Core Candy Guard",
+    project_url: "https://metaplex.com",
+    contacts: "email:security@metaplex.foundation",
+    policy: "Report suspected vulnerabilities privately by emailing security@metaplex.foundation before public disclosure.",
+
+    // Optional fields
+    preferred_languages: "en",
+    source_code: "https://github.com/metaplex-foundation/mpl-core-candy-machine"
+}
+
 #[program]
 pub mod candy_guard {
     use super::*;
diff --git a/programs/candy-machine-core/Cargo.lock b/programs/candy-machine-core/Cargo.lock
diff --git a/programs/candy-machine-core/program/Cargo.toml b/programs/candy-machine-core/program/Cargo.toml
@@ -23,5 +23,6 @@ mpl-token-metadata = "3.2.1"
 mpl-utils = { version = "0.3", default-features = false }
 mpl-core = { version = "0.8.0" }
 solana-program = "1.18.26"
+solana-security-txt = "1.1.1"
 spl-associated-token-account = { version = ">= 1.1.3, < 3.0", features = ["no-entrypoint"] }
 spl-token = { version = ">= 3.5.0, < 5.0", features = ["no-entrypoint"] }
diff --git a/programs/candy-machine-core/program/src/lib.rs b/programs/candy-machine-core/program/src/lib.rs
@@ -15,6 +15,19 @@ mod utils;
 
 declare_id!("CMACYFENjoBMHzapRXyo1JZkVS6EtaDDzkjMrmQLvr4J");
 
+#[cfg(not(feature = "no-entrypoint"))]
+solana_security_txt::security_txt! {
+    // Required fields
+    name: "Mpl Core Candy Machine Core",
+    project_url: "https://metaplex.com",
+    contacts: "email:security@metaplex.foundation",
+    policy: "Report suspected vulnerabilities privately by emailing security@metaplex.foundation before public disclosure.",
+
+    // Optional fields
+    preferred_languages: "en",
+    source_code: "https://github.com/metaplex-foundation/mpl-core-candy-machine"
+}
+
 #[program]
 pub mod candy_machine_core {
     use super::*;
