pnpm workspace monorepo using TypeScript. EVM smart contract security auditing engine with a React dashboard.
- Monorepo tool: pnpm workspaces
- Node.js version: 24
- Package manager: pnpm
- TypeScript version: 5.9
- API framework: Express 5
- Database: PostgreSQL + Drizzle ORM
- Validation: Zod (`zod/v4`), `drizzle-zod`
- API codegen: Orval (from OpenAPI spec)
- Build: esbuild (CJS bundle)
- Frontend: React + Vite + Tailwind CSS + shadcn/ui
- `pnpm run typecheck` — full typecheck across all packages
- `pnpm run build` — typecheck + build all packages
- `pnpm --filter @workspace/api-spec run codegen` — regenerate API hooks and Zod schemas from OpenAPI spec
- CRITICAL: After codegen always overwrite `lib/api-zod/src/index.ts` with only `export * from "./generated/api";`
- `pnpm --filter @workspace/db run push` — push DB schema changes (dev only)
- `pnpm --filter @workspace/api-server run dev` — run API server locally
- API Server (`artifacts/api-server/`) — Express 5 REST API on port from `$PORT` (8080 dev)
  - Routes: `/api/reports`, `/api/scanner/status`, `/api/scanner/endpoints`, `/api/scanner/run` (SSE)
- UI (`artifacts/contract-scanner-ui/`) — React dashboard at `/`
  - Pages: Dashboard, Scanner (live scan with SSE logs), Reports, ReportDetail, Endpoints
- `lib/db/` — Drizzle ORM schema + DB connection (`vulnerability_reports` table)
- `lib/api-spec/` — OpenAPI YAML spec (source of truth for all API shapes)
- `lib/api-client-react/` — Generated React Query hooks (via Orval)
- `lib/api-zod/` — Generated Zod validators (via Orval)
`POST /api/scanner/run` with `{ contractAddress, mode, simulation, fork }` returns a real-time SSE stream of the scan pipeline:
- Bytecode fetch + decode
- Opcode analysis (DELEGATECALL, SELFDESTRUCT, CALLCODE)
- ABI selector extraction (4-byte database)
- eth_call simulation (optional, +50 confidence)
- Anvil fork validation (conditional on confidence ≥ 60 in auto mode)
- Confidence score output + persist to DB
Confidence score: a 0-100 integer on every report, built additively from:
- Dangerous opcodes found: +15 each
- Flagged selectors: +10 each
- Simulation success: +50
- Value transfer in simulation: +30
- Fork validation confirms: +20
Severity mapping: `≥ 80` → CRITICAL, `≥ 60` → HIGH, `≥ 40` → MEDIUM, `≥ 20` → LOW, else INFO
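The scoring rules and severity mapping above, plus the auto-mode fork gate, as an added TypeScript example (not the project's own scanner code). Function and field names are assumptions, as is the clamp to 100 and the rule that a value-transfer bonus only counts when the simulation actually succeeded.

```typescript
// Added example, not from the project's code base. Implements the confidence
// score and severity mapping documented above; names and the clamp are assumptions.
export type Severity = "CRITICAL" | "HIGH" | "MEDIUM" | "LOW" | "INFO";

export interface ScanFindings {
  dangerousOpcodes: string[];   // e.g. DELEGATECALL, SELFDESTRUCT, CALLCODE (+15 each)
  flaggedSelectors: string[];   // 4-byte selectors matched in the selector database (+10 each)
  simulationSucceeded: boolean; // eth_call simulation succeeded (+50)
  valueTransferred: boolean;    // simulation showed a value transfer (+30)
  forkConfirmed: boolean;       // Anvil fork validation confirmed the finding (+20)
}

// Full additive score. Pass forkConfirmed=false to get the pre-fork score the
// pipeline has in hand when deciding whether to run the Anvil step.
export function computeConfidence(f: ScanFindings): number {
  let score = f.dangerousOpcodes.length * 15 + f.flaggedSelectors.length * 10;
  if (f.simulationSucceeded) score += 50;
  // Assumption: a value transfer is only meaningful if the simulation ran.
  if (f.simulationSucceeded && f.valueTransferred) score += 30;
  if (f.forkConfirmed) score += 20;
  // Assumption: the rules alone can exceed 100, so clamp to the documented 0-100 range.
  return Math.min(100, Math.max(0, Math.trunc(score)));
}

export function severityFor(score: number): Severity {
  if (score >= 80) return "CRITICAL";
  if (score >= 60) return "HIGH";
  if (score >= 40) return "MEDIUM";
  if (score >= 20) return "LOW";
  return "INFO";
}

// Gate for the Anvil fork step: in "auto" mode it runs only once the
// confidence so far is >= 60. For any other mode the request's explicit
// `fork` flag decides (that non-auto behaviour is an assumption).
export function shouldRunForkValidation(mode: string, scoreSoFar: number, forkRequested: boolean): boolean {
  return mode === "auto" ? scoreSoFar >= 60 : forkRequested;
}
```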
`vulnerability_reports` table has `confidence_score INTEGER NOT NULL DEFAULT 0`
- Always run `pnpm --filter @workspace/db run push-force` after schema changes
See the pnpm-workspace skill for workspace structure, TypeScript setup, and package details.