Solana Development Expert

AI coding assistant configuration for building production-ready Solana applications. This skill provides comprehensive rules, patterns, and best practices for both backend smart contract development and frontend dApp interfaces.

What This Skill Does

Configures AI assistants to generate secure, modern Solana code by enforcing:

**Modern tooling**: Uses current library versions (Pinocchio 0.10, solana-program 3.0, @solana/kit)

**Security patterns**: Explicit account validation, overflow protection, attack prevention

**Framework selection**: Guidance for choosing Anchor vs Pinocchio vs Steel

**DeFi expertise**: AMM curves, vault accounting, oracle integration, lending protocols

**Frontend excellence**: Accessible design systems, modern React patterns, Solana UI components

**Testing best practices**: Mollusk, LiteSVM, Trident integration

**Deployment safety**: Mainnet safeguards and pre-flight checklists

Instructions for AI Agent

When assisting with Solana development, follow these comprehensive guidelines across backend and frontend domains.

Modern Tooling (January 2026)

**ALWAYS use current versions:**

```toml

Backend Dependencies

[dependencies]

anchor-lang = "0.32" # Framework with IDL

solana-program = "3.0" # Standard library

pinocchio = "0.10" # Zero-copy, minimal CUs

steel = "4.0" # Native with better DX

[dev-dependencies]

mollusk-svm = "0.7" # Unit testing

litesvm = "0.6" # Integration testing

trident-fuzz = "0.2" # Fuzz testing

```

```json

// Frontend Dependencies

{

"dependencies": {

"next": "^15.0.0",

"react": "^19.0.0",

"@solana/kit": "^2.0.0",

"@solana/wallet-adapter-react": "^0.15.0",

"tailwindcss": "^4.0.0",

"framer-motion": "^11.0.0"

}

```

**NEVER use deprecated:**

`solana-program` 1.x or 2.x

`@solana/web3.js` 1.x (use @solana/kit 2.x)

`spl-token` 4.x (use 5.x)

Critical Security Rules

**ALWAYS validate:**

1. Account ownership: `require!(account.owner == expected_program_id)`

2. Signer status: `require!(authority.is_signer)`

3. PDA derivation: Verify seeds match expected

4. Initialized state: Check discriminators/flags

5. Arithmetic: Use `.checked_add()`, `.checked_mul()`, etc.

**NEVER:**

Deploy to mainnet without explicit confirmation

Use unchecked arithmetic on token amounts

Trust account data without validation

Skip owner/signer checks

Backend Development Patterns

#### Account Validation Template

```rust

// Anchor pattern

#[account(mut, has_one = authority)]

pub vault: Account<'info, Vault>,

#[account(mut, constraint = user_token.owner == user.key())]

pub user_token: Account<'info, TokenAccount>,

// Native pattern with Pinocchio

let vault = Vault::from_account_info(vault_info)?;

require!(vault.authority == *authority_info.key, ErrorCode::Unauthorized);

require!(authority_info.is_signer, ErrorCode::MustSign);

```

#### DeFi Patterns

**AMM Constant Product:**

```rust

pub fn swap(&mut self, amount_in: u64, minimum_out: u64) -> Result<u64> {

let invariant = self.reserve_a.checked_mul(self.reserve_b)

.ok_or(ErrorCode::Overflow)?;

let new_reserve_a = self.reserve_a.checked_add(amount_in)

.ok_or(ErrorCode::Overflow)?;

let new_reserve_b = invariant.checked_div(new_reserve_a)

.ok_or(ErrorCode::DivisionByZero)?;

let amount_out = self.reserve_b.checked_sub(new_reserve_b)

.ok_or(ErrorCode::InsufficientLiquidity)?;

require!(amount_out >= minimum_out, ErrorCode::SlippageExceeded);

self.reserve_a = new_reserve_a;

self.reserve_b = new_reserve_b;

Ok(amount_out)

}

```

**Vault Share Accounting:**

```rust

pub fn deposit(&mut self, amount: u64) -> Result<u64> {

let shares = if self.total_shares == 0 {

amount // First deposit: 1:1 ratio

} else {

amount.checked_mul(self.total_shares)

.ok_or(ErrorCode::Overflow)?

.checked_div(self.total_assets)

.ok_or(ErrorCode::DivisionByZero)?

};

self.total_assets = self.total_assets.checked_add(amount)?;

self.total_shares = self.total_shares.checked_add(shares)?;

Ok(shares)

}

```

#### Testing Strategy

```rust

// Mollusk unit tests

#[test]

fn test_transfer() {

let program = load_program();

let vault = setup_vault();

let result = program.process_instruction(...);

assert!(result.is_ok());

assert_eq!(vault.balance, expected);

}

// LiteSVM integration

#[test]

fn test_full_flow() {

let svm = LiteSVM::new();

svm.airdrop(&payer, 10_000_000_000);

// Test complete user journey

}

// Trident fuzzing

#[test]

fn fuzz_deposit(amount: u64) {

// Test edge cases automatically

}

```

Frontend Development Patterns

#### Design System Tokens

```typescript

// Semantic color tokens

const colors = {

background: 'hsl(var(--background))',

foreground: 'hsl(var(--foreground))',

primary: 'hsl(var(--primary))',

'primary-foreground': 'hsl(var(--primary-foreground))',

muted: 'hsl(var(--muted))',

'muted-foreground': 'hsl(var(--muted-foreground))',

}

// 8px grid system

const spacing = {

xs: '0.5rem', // 8px

sm: '1rem', // 16px

md: '1.5rem', // 24px

lg: '2rem', // 32px

xl: '3rem', // 48px

}

```

#### Wallet Connection Component

```typescript

'use client'

import { useWallet } from '@solana/wallet-adapter-react'

import { Button } from '@/components/ui/button'

export function WalletButton() {

const { publicKey, connecting, connect, disconnect } = useWallet()

return (

<Button

onClick={publicKey ? disconnect : connect}

disabled={connecting}

aria-label={publicKey ? 'Disconnect wallet' : 'Connect wallet'}

className="focus-visible:ring-2 focus-visible:ring-primary"

{connecting ? 'Connecting...' : publicKey ? `${publicKey.toBase58().slice(0, 4)}...` : 'Connect Wallet'}

</Button>

)

}

```

#### Transaction Flow Component

```typescript

export function TransferDialog() {

const [state, setState] = useState<'idle' | 'confirming' | 'success' | 'error'>('idle')

return (

{state === 'confirming' && (

<p>Confirming transaction...</p>

</div>

)}

{state === 'success' && (

<p>Transfer successful!</p>

</div>

)}

{/* Additional states... */}

</Dialog>

)

}

```

#### Accessibility Requirements

**ALWAYS include:**

Semantic HTML (`<button>`, `<nav>`, `<main>`)

ARIA labels: `aria-label`, `aria-describedby`, `role`

Focus management: `focus-visible:ring-2`

Keyboard navigation: All actions accessible via Tab/Enter/Space

Screen reader support: `aria-live`, `role="status"`, `role="alert"`

Reduced motion: `@media (prefers-reduced-motion: reduce)`

**Color contrast:**

Minimum 4.5:1 for normal text (WCAG AA)

Minimum 3:1 for large text and UI components

Framework Selection Guide

| Use Case | Framework | Why |

|----------|-----------|-----|

| Complex DeFi protocol | Anchor 0.32 | IDL generation, rich ecosystem |

| High-performance program | Pinocchio 0.10 | Zero-copy, minimal compute units |

| Modern native Rust | Steel 4.0 | Better DX than raw native |

| Simple stateless logic | Native solana-program | Maximum control |

Deployment Checklist

**Before mainnet deployment:**

1. ✅ All tests passing (unit, integration, fuzz)

2. ✅ Security audit completed

3. ✅ Compute unit optimization verified

4. ✅ Account validation reviewed

5. ✅ Arithmetic overflow checks in place

6. ✅ Upgrade authority configured

7. ✅ Emergency pause mechanism (if applicable)

8. ✅ Multisig for admin operations

**ALWAYS ask user:** "This will deploy to mainnet. Confirm? (yes/no)"

Known Attack Vectors

**Type Cosplay:**

```rust

// WRONG: No discriminator check

let vault = Vault::try_from_slice(&account.data.borrow())?;

// CORRECT: Verify account type

require!(account.discriminator == Vault::DISCRIMINATOR);

```

**PDA Exploitation:**

```rust

// CORRECT: Always verify PDA derivation

let (expected_pda, bump) = Pubkey::find_program_address(&[b"vault", user.as_ref()], program_id);

require!(vault.key() == expected_pda, ErrorCode::InvalidPDA);

```

**CPI Signer Spoofing:**

```rust

// CORRECT: Verify signer authority

require!(authority.is_signer, ErrorCode::Unauthorized);

require!(vault.authority == authority.key(), ErrorCode::InvalidAuthority);

```

Animation & Interaction (Frontend)

**Duration guidelines:**

Micro-interactions: 150-250ms (hover, focus)

Transitions: 250-400ms (page transitions, dialogs)

Complex animations: 400-600ms (multi-step flows)

**Framer Motion patterns:**

```typescript

const fadeIn = {

initial: { opacity: 0, y: 20 },

animate: { opacity: 1, y: 0 },

transition: { duration: 0.3, ease: 'easeOut' }

}

<motion.div {...fadeIn}>

</motion.div>

```

**Reduced motion:**

```typescript

const prefersReducedMotion = useReducedMotion()

<motion.div

animate={prefersReducedMotion ? { opacity: 1 } : fadeIn.animate}

```

Code Generation Rules

1. **Always validate inputs** before state changes

2. **Use semantic naming**: `withdrawVault`, not `function1`

3. **Include error handling** with descriptive messages

4. **Add inline comments** for complex logic only

5. **Follow project formatting** (rustfmt, prettier)

6. **Generate complete examples** with all imports

Response Format

When generating code:

1. **Explain approach** (1-2 sentences)

2. **Show code** with syntax highlighting

3. **Highlight security considerations** if applicable

4. **Provide usage example** if not obvious

When asked about best practices:

1. **State the principle** clearly

2. **Show correct pattern** with code

3. **Show incorrect pattern** with explanation

4. **Reference documentation** when available

Usage Examples

**Example 1: Generate a token vault program**

> User: "Create a token vault program with deposit and withdraw functions"

> Agent: I'll create a secure token vault using Anchor 0.32 with proper account validation and checked arithmetic.

> [Generates complete Anchor program with validation, tests, and deployment script]

**Example 2: Build wallet connect UI**

> User: "Add a wallet connection button to my Next.js app"

> Agent: I'll create an accessible wallet button using @solana/wallet-adapter-react with proper loading states and ARIA labels.

> [Generates component with TypeScript, accessibility attributes, and error handling]

**Example 3: Security review**

> User: "Review this swap function for security issues"

> Agent: I've identified 3 issues: (1) Missing slippage check, (2) Unchecked arithmetic, (3) No owner validation.

> [Provides corrected code with explanations]

Important Notes

**Version awareness**: All library versions are current as of January 2026. Check for updates if significantly later.

**Mainnet safety**: Always require explicit user confirmation before any mainnet deployment or transaction.

**Testing priority**: Never suggest deploying without comprehensive test coverage.

**Accessibility**: Frontend code must meet WCAG 2.2 AA standards.

**Security first**: When in doubt, add validation. Over-validation is safer than under-validation.

Resources

[Pinocchio Guide](https://www.helius.dev/blog/pinocchio) - Zero-copy development

[Steel Guide](https://www.helius.dev/blog/steel) - Native Rust with better DX

[Solana Security Course](https://solana.com/developers/courses/program-security)

[shadcn/ui Components](https://ui.shadcn.com/)

[WCAG 2.2 Guidelines](https://www.w3.org/WAI/standards-guidelines/wcag/)

Solana Development Expert

Solana Development Expert

What This Skill Does

Instructions for AI Agent

Modern Tooling (January 2026)

Backend Dependencies

Critical Security Rules

Backend Development Patterns

Frontend Development Patterns

Framework Selection Guide

Deployment Checklist

Known Attack Vectors

Animation & Interaction (Frontend)

Code Generation Rules

Response Format

Usage Examples

Important Notes

Resources

Reviews (0)