code-maturity-assessor
Code Maturity Assessor
Purpose
Systematically assesses codebase maturity using Trail of Bits' 9-category framework. Provides evidence-based ratings and actionable recommendations.
Framework: Building Secure Contracts - Code Maturity Evaluation v0.1.0
How This Works
Phase 1: Discovery
Explores the codebase to understand:
- Project structure and platform
- Contract/module files
- Test coverage
- Documentation availability
Phase 2: Analysis
For each of the 9 categories, I'll:
- Search the code for relevant patterns
- Read key files to assess implementation
- Present findings with file references
- Ask clarifying questions about processes I can't see in code
- Determine rating based on criteria
Phase 3: Report
Generates:
- Executive summary
- Maturity scorecard (ratings for all 9 categories)
- Detailed analysis with evidence
- Priority-ordered improvement roadmap
Rating System
- Missing (0): Not present/not implemented
- Weak (1): Several significant improvements needed
- Moderate (2): Adequate, can be improved
- Satisfactory (3): Above average, minor improvements
- Strong (4): Exceptional, only small improvements possible
Rating Logic:
- ANY "Weak" criteria → Weak
- NO "Weak" + SOME "Moderate" unmet → Moderate
- ALL "Moderate" + SOME "Satisfactory" met → Satisfactory
- ALL "Satisfactory" + exceptional practices → Strong
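The rating ladder above, applied rule by rule and then rolled up into the scorecard average, as an added example (not the assessor's own code). The CategoryEvidence structure, the constructed sample evidence and the lowest-score-first roadmap ordering are assumptions of this example.

```python
from dataclasses import dataclass, field
from statistics import mean

# Rating scale from the page: Missing 0 .. Strong 4.
SCORES = {"Missing": 0, "Weak": 1, "Moderate": 2, "Satisfactory": 3, "Strong": 4}

@dataclass
class CategoryEvidence:
    """Criteria outcomes gathered for one category (an assumed structure for this example).
    weak_triggered: Weak-tier criteria that apply to the code (e.g. "no incident response plan").
    moderate_met / satisfactory_met: criterion name -> whether the evidence satisfies it."""
    present: bool = True
    weak_triggered: set[str] = field(default_factory=set)
    moderate_met: dict[str, bool] = field(default_factory=dict)
    satisfactory_met: dict[str, bool] = field(default_factory=dict)
    exceptional: bool = False

def rate_category(ev: CategoryEvidence) -> str:
    """Apply the page's rating ladder top-down; the first matching rule decides."""
    if not ev.present:
        return "Missing"                  # 0: not present / not implemented
    if ev.weak_triggered:
        return "Weak"                     # ANY Weak criterion -> Weak
    if not all(ev.moderate_met.values()):
        return "Moderate"                 # no Weak + SOME Moderate unmet -> Moderate
    all_sat = bool(ev.satisfactory_met) and all(ev.satisfactory_met.values())
    if all_sat and ev.exceptional:
        return "Strong"                   # ALL Satisfactory + exceptional -> Strong
    if any(ev.satisfactory_met.values()):
        return "Satisfactory"             # ALL Moderate + SOME Satisfactory -> Satisfactory
    return "Moderate"                     # all Moderate met, nothing at Satisfactory yet

def scorecard(evidence: dict[str, CategoryEvidence]) -> dict:
    """Rate every category; overall maturity is the average score, as in the report."""
    ratings = {cat: rate_category(ev) for cat, ev in evidence.items()}
    overall = mean(SCORES[r] for r in ratings.values())
    # Assumed roadmap order: lowest-rated categories first (stable sort keeps ties in order).
    roadmap = sorted(ratings, key=lambda c: SCORES[ratings[c]])
    return {"ratings": ratings, "overall": round(overall, 2), "roadmap": roadmap}

# Constructed sample evidence for three of the nine categories.
SAMPLE = {
    "ARITHMETIC": CategoryEvidence(
        moderate_met={"overflow checks": True, "rounding documented": True},
        satisfactory_met={"edge cases tested": True, "formula spec": False}),
    "AUDITING": CategoryEvidence(weak_triggered={"no incident response plan"},
                                 moderate_met={"events on state changes": True}),
    "LOW-LEVEL MANIPULATION": CategoryEvidence(
        moderate_met={"assembly justified": True}, satisfactory_met={"assembly tested": True},
        exceptional=True),
}
```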
The 9 Categories
I assess 9 comprehensive categories covering all aspects of code maturity. For detailed criteria, analysis approaches, and rating thresholds, see ASSESSMENT_CRITERIA.md.
Quick Reference:
1. ARITHMETIC
- Overflow protection mechanisms
- Precision handling and rounding
- Formula specifications
- Edge case testing
2. AUDITING
- Event definitions and coverage
- Monitoring infrastructure
- Incident response planning
3. AUTHENTICATION / ACCESS CONTROLS
- Privilege management
- Role separation
- Access control testing
- Key compromise scenarios
4. COMPLEXITY MANAGEMENT
- Function scope and clarity
- Cyclomatic complexity
- Inheritance hierarchies
- Code duplication
5. DECENTRALIZATION
- Centralization risks
- Upgrade control mechanisms
- User opt-out paths
- Timelock/multisig patterns
6. DOCUMENTATION
- Specifications and architecture
- Inline code documentation
- User stories
- Domain glossaries
7. TRANSACTION ORDERING RISKS
- MEV vulnerabilities
- Front-running protections
- Slippage controls
- Oracle security
8. LOW-LEVEL MANIPULATION
- Assembly usage
- Unsafe code sections
- Low-level calls
- Justification and testing
9. TESTING & VERIFICATION
- Test coverage
- Fuzzing and formal verification
- CI/CD integration
- Test quality
For complete assessment criteria including what I'll analyze, what I'll ask you, and detailed rating thresholds (WEAK/MODERATE/SATISFACTORY/STRONG), see ASSESSMENT_CRITERIA.md.
Example Output
When the assessment is complete, you'll receive a comprehensive maturity report including:
- Executive Summary: Overall score, top 3 strengths, top 3 gaps, priority recommendations
- Maturity Scorecard: Table with all 9 categories rated with scores and notes
- Detailed Analysis: Category-by-category breakdown with evidence (file:line references)
- Improvement Roadmap: Priority-ordered recommendations (CRITICAL/HIGH/MEDIUM) with effort estimates
For a complete example assessment report, see EXAMPLE_REPORT.md.
Assessment Process
When invoked, I will:
- Explore codebase
  - Find contract/module files
  - Identify test files
  - Locate documentation
- Analyze each category
  - Search for relevant code patterns
  - Read key implementations
  - Assess against criteria
  - Collect evidence
- Interactive assessment
  - Present my findings with file references
  - Ask about processes I can't see in code
  - Discuss borderline cases
  - Determine ratings together
- Generate report
  - Executive summary
  - Maturity scorecard table
  - Detailed category analysis with evidence
  - Priority-ordered improvement roadmap
Rationalizations (Do Not Skip)
| Rationalization | Why It's Wrong | Required Action |
|---|---|---|
| "Found some findings, assessment complete" | Assessment requires evaluating ALL 9 categories | Complete assessment of all 9 categories with evidence for each |
| "I see events, auditing category looks good" | Events alone don't equal auditing maturity | Check logging comprehensiveness, testing, incident response processes |
| "Code looks simple, complexity is low" | Visual simplicity masks composition complexity | Analyze cyclomatic complexity, dependency depth, state machine transitions |
| "Not a DeFi protocol, MEV category doesn't apply" | MEV extends beyond DeFi (governance, NFTs, games) | Verify with transaction ordering analysis before declaring N/A |
| "No assembly found, low-level category is N/A" | Low-level risks include external calls, delegatecall, inline assembly | Search for all low-level patterns before skipping category |
| "This is taking too long" | Thorough assessment requires time per category | Complete all 9 categories, ask clarifying questions about off-chain processes |
| "I can rate this without evidence" | Ratings without file:line references = unsubstantiated claims | Collect concrete code evidence for every category assessment |
| "User will know what to improve" | Vague guidance = no action | Provide priority-ordered roadmap with specific improvements and effort estimates |
Report Format
For detailed report structure and templates, see REPORT_FORMAT.md.
Structure:
- Executive Summary
  - Project name and platform
  - Overall maturity (average rating)
  - Top 3 strengths
  - Top 3 critical gaps
  - Priority recommendations
- Maturity Scorecard
  - Table with all 9 categories
  - Ratings and scores
  - Key findings notes
- Detailed Analysis
  - Per-category breakdown
  - Evidence with file:line references
  - Gaps and improvement actions
- Improvement Roadmap
  - CRITICAL (immediate)
  - HIGH (1-2 months)
  - MEDIUM (2-4 months)
  - Effort estimates and impact
Ready to Begin
Estimated Time: 30-40 minutes
I'll need:
- Access to full codebase
- Your knowledge of processes (monitoring, incident response, team practices)
- Context about the project (DeFi, NFT, infrastructure, etc.)
Let's assess this codebase!