Skip to main content
[ ARKIV ]HUB
Tools
Tools · proposed · Correctness & safetyNot yet

A guardrail that catches Arkiv footguns in CI — even when the AI slips.

A linter is an automated checker that scans your code for mistakes WITHOUT running it — a spell-checker for code. "The AI read the skill" is not a guardrail; CI is. This gates a PR deterministically, catches footguns in existing code, and stops the ones the agent still slips on (category c).

arkiv-lintlintCIsecuritydoctor
Status
Not yet built
Type
Tool
Feasibility
Medium
THE IDEA

A linter + checker that flags the dangerous patterns at build time (exposed keys, removed APIs, partial updates, millisecond TTLs) and decodes opaque SDK errors into the exact fix.

The problem today

  • The expensive mistakes look harmless: `NEXT_PUBLIC_PRIVATE_KEY` (leaks your signing key to the browser), a partial `updateEntity` (silently drops attributes), `.orderBy()` (removed), TTL in milliseconds (instant expiry), looping single writes (nonce collisions).
  • Runtime errors are opaque — the DX audit flagged a useless "Account required" message.
  • An AI that read the skill won't write these — but existing code, teammates, and slips still do.

What it would do

  • Static rules: exposed/public private keys, partial updateEntity, removed `.orderBy()`, millisecond TTLs, missing project namespace / createdBy scoping, raw Promise.all writes, forbidden positioning copy ("decentralized/trustless/permanent").
  • `doctor` mode: pre-flight wallet balance, chain, SDK version range, RPC reachability; decode common SDK errors → exact fix + the relevant skill section.
  • Runs in CI or your editor; each finding links the doc/skill that explains it.
WHY IT’S A BETTER EXPERIENCE
  • Moves the worst footguns from "data-loss/leak in prod" to "red squiggle in the editor."
  • Security: the exposed-key check alone is worth it — that's the exact bug in the community scaffolder.
  • Deterministic: it fires every build, with or without an AI in the loop.
HOW IT COMPARES
Prisma error reference / lintnamed errors + fixes — the model for turning failures into learning.
eslint-plugin-* ecosystemsdomain linters are how every framework encodes its footguns. Arkiv has none.
Just a skillguides the AI as it writes; it can't gate a PR. Lint does.
FEASIBILITY — AND WHY THIS ISN’T HAND-WAVING
Medium to build

Static rules (AST/regex) + setup checks + an error-shape catalog. No protocol changes; could also ship as an MCP capability.

Grounded in

  • Real footguns confirmed: NEXT_PUBLIC_PRIVATE_KEY in the wild, full-replace updates, orderBy removed (PR #70), nonce collisions.
  • Arkiv DX audit lists unhelpful errors (e.g. "Account required") as friction.
  • Wallet/balance/chain checks proven via the live accountInfo + getConfig calls.
PAIRS WITH
arkiv-lintThis is a proposal— not built yet. It’s here so the case can be read and the idea ranked. Want it? Open an issue on the Arkiv GitHub.
© 2026 Golem Factory · Braga testnet · Proposed tool — status: not yet.