ARES Solana Security Tool (ASST) — a multi-agent security stack for teams shipping Solana (and related) software. Deployed as Assurance Run: orchestrated checks + commit-bound evidence, not a one-shot "audit".

Canonical source: github.com/ares-system/ares-system

New here? Read docs/REPO_MAP.md, then ARCHITECTURE.md, then packages/engine/README.md (engine API) and apps/web/README.md (public web + dashboard).

Given a Solana repository, ASST can:

1. Run a deterministic 6-agent full scan — Solana vulnerabilities, DeFi security, rug-pull risk, secret hygiene, supply chain, report synthesis.
2. Chat interactively — the orchestrator delegates to the right sub-agent.
3. Emit assurance manifests: signed-ish JSON bundles of tool output
   • SARIF + git metadata, reproducible across runs.
4. Expose the same tools to Cursor / Claude Desktop via MCP.
5. Surface results in a Next.js web app — marketing pages plus a security dashboard (/dashboard) backed by the same engine.

           ┌────────────────────────────────────────────────┐
           │                 @ares/engine                   │  ← single source of
           │  orchestrator · 6 sub-agents · assurance tools │    truth for agent
           │  model factory · skills loader · sqlite store  │    logic
           └────────────────────────────────────────────────┘
                                   ▲
               ┌───────────────────┼───────────────────┐
               │                   │                   │
         ┌─────────────┐      ┌────────────┐      ┌────────────┐
         │  @asst/web  │      │@asst/mcp-  │      │@asst/chain-│
         │  (Next.js)  │      │ server     │      │ intake     │
         └─────────────┘      └────────────┘      └────────────┘
             public API         stdio MCP          Helius → PG

• All agent logic lives in packages/engine/ (@ares/engine).
• Every active surface (web, MCP, chain-intake) imports from @ares/engine. No duplication.
• Public surfaces (web) default to read-only; mutating tools require explicit opt-in + per-call HITL confirmation.

• Stack: Next.js 15, Tailwind, shared layout across landing and /dashboard/*.
• Theme: global dark / light toggle; preference is stored in localStorage (ares-theme) and applied before first paint to avoid flash.
• Product / billing: there is no live in-repo payment processor. Planned auth, tiers, and billing are described in docs/design/public-web-auth-billing.md.

# From repo root
pnpm install
pnpm -r build

# Typecheck all packages that define a `typecheck` script
pnpm typecheck

# Web app
pnpm --filter @asst/web dev    # http://localhost:3000

# MCP server (wire into Cursor / Claude Desktop)
pnpm --filter @asst/mcp-server start

Copy .env.example to .env.local and fill in the keys you need. Only the provider matching your chosen orchestrator model is required — Ollama / local-model users don't need any cloud keys.

The orchestrator model is configurable, never hardcoded. Supported:

• google:gemini-2.5-flash — default, needs GOOGLE_API_KEY
• openrouter:<model> — needs OPENROUTER_API_KEY
• openai:<model> — OpenAI or any OpenAI-compatible endpoint
• ollama:<model> — local, no key required
• local:<model>@<baseUrl> — LM Studio etc.

Set via --model, .asst/config.json, or $ASST_ORCHESTRATOR_MODEL. Full list in packages/engine/README.md.

The public surface rule is: read-only by default, mutations require HITL.

• Mutating tools (write_file, run_terminal_cmd) are produced by a factory that calls a permission callback before every write/exec.
• The web uses default-deny write policy and protected API routes for production.
• The MCP server doesn't register mutating tools at all.

Details: packages/engine/README.md § Security model.

See LICENSE.

Assurance Run is a pattern you implement and extend; it is not a substitute for professional audits or formal verification when your threat model requires them.