Code Maturity Assessor

Purpose

Systematically assesses codebase maturity using Trail of Bits' 9-category framework. Provides evidence-based ratings and actionable recommendations.

Framework: Building Secure Contracts - Code Maturity Evaluation v0.1.0

How This Works

Phase 1: Discovery

Explores the codebase to understand:

• Project structure and platform
• Contract/module files
• Test coverage
• Documentation availability

Phase 2: Analysis

For each of 9 categories, I'll:

• Search the code for relevant patterns
• Read key files to assess implementation
• Present findings with file references
• Ask clarifying questions about processes I can't see in code
• Determine rating based on criteria

Phase 3: Report

Generates:

• Executive summary
• Maturity scorecard (ratings for all 9 categories)
• Detailed analysis with evidence
• Priority-ordered improvement roadmap

Rating System

• Missing (0): Not present/not implemented
• Weak (1): Several significant improvements needed
• Moderate (2): Adequate, can be improved
• Satisfactory (3): Above average, minor improvements
• Strong (4): Exceptional, only small improvements possible

Rating Logic:

• ANY "Weak" criteria → Weak
• NO "Weak" + SOME "Moderate" unmet → Moderate
• ALL "Moderate" + SOME "Satisfactory" met → Satisfactory
• ALL "Satisfactory" + exceptional practices → Strong

The 9 Categories

I assess 9 comprehensive categories covering all aspects of code maturity. For detailed criteria, analysis approaches, and rating thresholds, see ASSESSMENT_CRITERIA.md.

Quick Reference:

1. ARITHMETIC

• Overflow protection mechanisms
• Precision handling and rounding
• Formula specifications
• Edge case testing

2. AUDITING

• Event definitions and coverage
• Monitoring infrastructure
• Incident response planning

3. AUTHENTICATION / ACCESS CONTROLS

• Privilege management
• Role separation
• Access control testing
• Key compromise scenarios

4. COMPLEXITY MANAGEMENT

• Function scope and clarity
• Cyclomatic complexity
• Inheritance hierarchies
• Code duplication

5. DECENTRALIZATION

• Centralization risks
• Upgrade control mechanisms
• User opt-out paths
• Timelock/multisig patterns

6. DOCUMENTATION

• Specifications and architecture
• Inline code documentation
• User stories
• Domain glossaries

7. TRANSACTION ORDERING RISKS

• MEV vulnerabilities
• Front-running protections
• Slippage controls
• Oracle security

8. LOW-LEVEL MANIPULATION

• Assembly usage
• Unsafe code sections
• Low-level calls
• Justification and testing

9. TESTING & VERIFICATION

• Test coverage
• Fuzzing and formal verification
• CI/CD integration
• Test quality

For complete assessment criteria including what I'll analyze, what I'll ask you, and detailed rating thresholds (WEAK/MODERATE/SATISFACTORY/STRONG), see ASSESSMENT_CRITERIA.md.

Example Output

When the assessment is complete, you'll receive a comprehensive maturity report including:

• Executive Summary: Overall score, top 3 strengths, top 3 gaps, priority recommendations
• Maturity Scorecard: Table with all 9 categories rated with scores and notes
• Detailed Analysis: Category-by-category breakdown with evidence (file:line references)
• Improvement Roadmap: Priority-ordered recommendations (CRITICAL/HIGH/MEDIUM) with effort estimates

For a complete example assessment report, see EXAMPLE_REPORT.md.

Assessment Process

When invoked, I will:

1. Explore codebase

   • Find contract/module files
   • Identify test files
   • Locate documentation

2. Analyze each category

   • Search for relevant code patterns
   • Read key implementations
   • Assess against criteria
   • Collect evidence

3. Interactive assessment

   • Present my findings with file references
   • Ask about processes I can't see in code
   • Discuss borderline cases
   • Determine ratings together

4. Generate report

   • Executive summary
   • Maturity scorecard table
   • Detailed category analysis with evidence
   • Priority-ordered improvement roadmap

Rationalizations (Do Not Skip)

Report Format

For detailed report structure and templates, see REPORT_FORMAT.md.

Structure:

1. Executive Summary

   • Project name and platform
   • Overall maturity (average rating)
   • Top 3 strengths
   • Top 3 critical gaps
   • Priority recommendations

2. Maturity Scorecard

   • Table with all 9 categories
   • Ratings and scores
   • Key findings notes

3. Detailed Analysis

   • Per-category breakdown
   • Evidence with file:line references
   • Gaps and improvement actions

4. Improvement Roadmap

   • CRITICAL (immediate)
   • HIGH (1-2 months)
   • MEDIUM (2-4 months)
   • Effort estimates and impact

Ready to Begin

Estimated Time: 30-40 minutes

I'll need:

• Access to full codebase
• Your knowledge of processes (monitoring, incident response, team practices)
• Context about the project (DeFi, NFT, infrastructure, etc.)

Let's assess this codebase!