feat(llms): AI integrator metadata for all public modules

[bidzyyys]

Summary

Adds a complete AI-integrator metadata layer for OpenZeppelin Contracts for Sui: discovery files, schema-validated per-module metadata, a generator skill, three validation layers, and CI. The goal is to let AI coding agents (Cursor, Claude Code, Cline, Copilot, Aider, Gemini CLI) that consume this library ground their code generation at the schema level — instead of re-deriving structure from Move source on every call.

This is integrator-facing metadata (downstream consumers), distinct from contributor docs.

Discovery

1. llms.txt (root) — narrative entry point (llmstxt.org convention) pointing at the catalog, per-package indexes, MVR, audits, and schemas.
2. llms/index.yaml (root catalog) — machine-readable enumeration of every package (name, group, MVR slug, path to each package index). Single-fetch list_packages entry for MCP servers / agents.
3. <pkg>/llms/index.yaml (per package) — enumerates the package's module YAMLs (name, path, one-line summary).
4. <pkg>/llms/<...>/<module>.yaml (per module) — full schema-level metadata: API signatures, errors, types, preconditions, decisions (which function to pick), anti-patterns (do_not[] with example_bad/example_good + detection heuristics), and an opt-in _audit_grounding block (canonical test, precondition proofs).

Coverage

100% of public modules — 19 module YAMLs across 3 packages (openzeppelin_access ×3, openzeppelin_math ×10, openzeppelin_fp_math ×6) + 3 package indexes + 1 root catalog. Private helpers under sources/internal/ are intentionally excluded (not integrator-facing).

Schemas (public, v1.0)

• schemas/llms-metadata-v1.json — per-module YAML (JSON Schema Draft 2020-12, strict additionalProperties: false).
• schemas/llms-package-index-v1.json — a oneOf covering both the root catalog (packages[]) and the per-package index (modules[]) forms.

Package-level install fields (mvr, repo_ref, release, Move.toml snippets) are hoisted into each package index.yaml; per-module install: carries only use_statement — eliminates ~250 lines of duplication and the cross-file repo_ref drift surface.

Validation & CI — three layers

.github/workflows/llms-schema-validation.yml runs on PRs touching metadata, schemas, validators, or sources/**:

1. Schema (validate-llms-schema.py) — JSON Schema conformance; dispatches catalog/index/module by filename.
2. Semantics (validate-llms-semantics.py) — 7 cross-field referential-integrity checks: api[].aborts ⊆ errors, preconditions[].fails_with ⊆ errors, affects = exhaustive union, audit-grounding refs resolve, do_not_detection/do_not_demonstrations ids ⊆ do_not[].id, and canonical_test points at a real fun in the named test file.
3. Completeness (validate-llms-completeness.py) — whole-tree source↔metadata sync: every non-internal sources/** module (by declared module name, not file basename) has a YAML + index entry; no orphan YAMLs; all index paths resolve; the root catalog lists every package index. Always runs (even on a sources-only diff) so adding a module without its YAML is caught.

Layers 1–2 are diff-scoped (full re-validation when a schema/validator/workflow changes). Current: 23/23 schema + 19/19 semantics + 3/3 packages complete.

Generator skill

.claude/skills/generate-sui-metadata/ regenerates a module's YAML from its GitHub source + (optional) Notion R&D + docs PR. Extractors surface API/errors/types/events and DOC_GUIDANCE hazard doc-blocks (#### Security/#### Misuse/...) that deterministically drive do_not[]. Includes operation-aware anti-pattern clustering and type-capability inference for do_not[] id stability.

Empirical validation

A fresh-context agent built a working contract using RBAC + fixed-point math + decimal_scaling from the metadata alone (no library source) — sui move build --lint clean on the first try. The decisions[]/do_not[] fields demonstrably steered correct choices (e.g. from_u64 not wrap, mul_away for fees, no redundant registry-ID comparison). A /move-quality pass on the generated code surfaced a single idiom gap (error-const form), now fixed across the snippets.

Follow-ups (out of scope for this PR)

• External distribution — /contracts-sui/llms.txt on docs.openzeppelin.com, per-package MVR documentation_url, llmstxt.site.
• MCP server + consumption skills — the query layer over this data (the metadata is the data layer; reach is gated on this).

Summary by CodeRabbit

New Features

• AI Integrator Metadata: Added machine-readable specifications for Sui Move modules under per-package llms/ directories, including API signatures, error codes, and security patterns.
• Module Catalog: Introduced llms.txt and llms/index.yaml discovery system for locating and understanding available packages and modules.
• Module Documentation: Added comprehensive specifications for math (u8–u256, fixed-point types, rounding) and access control (RBAC, ownership transfer) modules.

Documentation

• Updated README and CONTRIBUTING.md with guidance on accessing AI integrator metadata and regenerating specs when public APIs change.
• Added installation instructions across all packages.

[coderabbitai]

Walkthrough

This PR introduces a comprehensive machine-readable metadata system for OpenZeppelin's Sui Move libraries, enabling AI integrators to discover, validate, and consume standardized specifications for smart contracts via YAML. The implementation includes v1.0 JSON schemas, deterministic Move source extraction scripts, three-tier validation (schema/semantic/completeness), GitHub Actions CI integration, and golden metadata specs covering access control and all math libraries.

Changes

AI integrator metadata system

Layer / File(s)	Summary
Schema definitions and metadata format specification schemas/llms-metadata-v1.json, schemas/llms-package-index-v1.json, .claude/skills/generate-sui-metadata/references/format-spec.md, .claude/skills/generate-sui-metadata/SKILL.md, llms.txt, llms/index.yaml	Foundational v1.0 YAML/JSON schemas defining per-module metadata structure (staged selection/install/bootstrap/integration/anti-pattern sections), per-package discovery indexes, and the skill orchestration process. Root catalog and format specification document all required/optional fields, cross-references, and authoring rules.
Source staging and Move structure extraction .claude/skills/generate-sui-metadata/scripts/stage_sources.sh, .claude/skills/generate-sui-metadata/scripts/stage_docs_pr.sh, .claude/skills/generate-sui-metadata/scripts/extract_move_structure.sh, .claude/skills/generate-sui-metadata/scripts/extract_tests.sh	Deterministic extraction and staging pipeline: stage_sources.sh fetches Move sources from GitHub PRs/blobs, extract_move_structure.sh parses module declarations/functions/types/errors/events via multi-pass awk, extract_tests.sh enumerates test functions with expected failures, and stage_docs_pr.sh stages MDX guides. All emit line-oriented structured output for downstream composition.
Metadata validation and CI integration .claude/skills/generate-sui-metadata/scripts/validate_metadata.sh, scripts/validate-llms-schema.py, scripts/validate-llms-semantics.py, scripts/validate-llms-completeness.py, .github/workflows/llms-schema-validation.yml	Three-layer validation: JSON Schema conformance via validate-llms-schema.py, cross-field semantic integrity via validate-llms-semantics.py (error references, precondition affects sets, canonical test existence), and completeness via validate-llms-completeness.py (source↔YAML coverage). GitHub Actions workflow scopes and orchestrates validation on PR changes.
Access control module specifications contracts/access/llms/index.yaml, contracts/access/llms/access_control.yaml, contracts/access/llms/ownership_transfer/delayed_transfer.yaml, contracts/access/llms/ownership_transfer/two_step_transfer.yaml, .claude/skills/generate-sui-metadata/references/golden-rbac.yaml	Complete golden metadata for three access control modules: access_control (role-based authorization with typed Auth<Role> proofs), delayed_transfer (time-locked single-owned wrapper), and two_step_transfer (approval-based transfer). Each includes types, APIs, error codes, preconditions, anti-pattern compliance with example bad/good, and audit grounding.
Integer arithmetic module specifications math/core/llms/index.yaml, math/core/llms/rounding.yaml, math/core/llms/decimal_scaling.yaml, math/core/llms/u{8,16,32,64,128,256,512}.yaml, math/core/llms/vector.yaml	Metadata for 12 math modules: rounding (enum mode selectors), decimal_scaling (cross-decimal conversion), eight unsigned integer widths with overflow-safe operations and rounding semantics, u512 for wide intermediates, and vector sorting macros. Each specifies API surface, decision guidance, anti-patterns with severity levels and detection heuristics.
Fixed-point arithmetic module specifications math/fixed_point/llms/index.yaml, math/fixed_point/llms/ud30x9/{ud30x9,ud30x9_base,ud30x9_convert}.yaml, math/fixed_point/llms/sd29x9/{sd29x9,sd29x9_base,sd29x9_convert}.yaml	Metadata for 6 fixed-point modules: unsigned UD30x9 (10^9 scale, Sui coin precision) and signed SD29x9 (two's-complement with asymmetric min boundary), each split into wrapper/constructor, operations layer, and scale-aware conversion modules with full arithmetic API and boundary semantics.
CI workflow, documentation, and contributing guidelines .github/workflows/llms-schema-validation.yml, .github/pull_request_template.md, CONTRIBUTING.md, README.md, contracts/README.md, math/core/README.md, math/fixed_point/README.md, .gitignore	GitHub Actions workflow validates scoped YAML on PR changes, PR template enforces metadata regeneration on API changes, CONTRIBUTING documents maintenance requirements and release process, READMEs direct integrators to llms.txt and per-package metadata directories. .gitignore now tracks .claude/skills/ while excluding personal config.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Suggested reviewers

• immrsd
• ericnordelo

---

🐰 Hop skip, a schema defined,
Move modules now unified,
AI reads with delight,
Metadata shining bright,
Integration simplified! 🎯

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/ai-metadata

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.88%. Comparing base (55a7971) to head (f4be6c4).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #330   +/-   ##
=======================================
  Coverage   95.88%   95.88%           
=======================================
  Files          22       22           
  Lines        2186     2186           
  Branches      595      592    -3     
=======================================
  Hits         2096     2096           
  Misses         65       65           
  Partials       25       25           

Flag	Coverage Δ
contracts/access	64.03% <ø> (ø)
math/core	86.12% <ø> (ø)
math/fixed_point	55.61% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

README.md (1)

38-38: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use <package> instead of <module> in the doc command.

--path takes a package directory, so this placeholder can mislead copy/paste usage.

Suggested fix

-sui move build --doc --path <module>
+sui move build --doc --path <package>

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` at line 38, Update the README command example "sui move build
--doc --path <module>" to use the correct placeholder "<package>" since --path
expects a package directory; locate the string "sui move build --doc --path
<module>" and replace "<module>" with "<package>" and optionally adjust
surrounding text to clarify that a package directory path is required.

🧹 Nitpick comments (1)

schemas/llms-metadata-v1.json (1)

223-225: ⚡ Quick win

Enforce at least two options per decision.

decisions[] models a branch, but minItems: 1 permits non-decisions. Tightening this to 2 will prevent low-signal entries.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@schemas/llms-metadata-v1.json` around lines 223 - 225, The schema currently
allows a decisions array with "minItems": 1 which permits non-decision branches;
update the JSON schema for the decisions array (the "decisions" property where
"type": "array" and "minItems": 1 appears) to use "minItems": 2 so every
decisions[] entry requires at least two options, preserving the existing "items"
definition and any other constraints.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.claude/skills/generate-sui-metadata/scripts/extract_move_structure.sh:
- Around line 220-229: The multiline field-extraction loop in
extract_move_structure.sh incorrectly stops only for a `}` at column 0 (the
condition `next_line ~ /^\}/`), so indented closing braces are missed; update
the loop’s termination check to match optional leading whitespace (e.g. use
`next_line ~ /^[[:space:]]*\}/` or equivalent) so the `while ((getline
next_line) > 0)` loop breaks on indented `}` and prevents emitting corrupted
EVENT fields (adjust the same pattern if there are other `}` checks near the
`fields`, `field_name`, and `gsub` logic).

In @.claude/skills/generate-sui-metadata/scripts/stage_sources.sh:
- Around line 114-115: The script currently assigns PR_BASE_REF from PR_JSON
using .baseRefName which is mutable; replace those assignments to capture the PR
base commit SHA instead (e.g., use .baseRefOid or the JSON key that holds the
base commit SHA) and store it in a variable (rename or add PR_BASE_SHA or
overwrite PR_BASE_REF with the SHA) so checkout/fetch operations are
deterministic; update both occurrences (the block around PR_BASE_REF="$(jq -r
'.baseRefName' <<<"$PR_JSON")" and the similar assignments at lines referenced
193-194) and ensure any later git commands use the SHA variable rather than the
branch name.
- Around line 117-125: The candidate file filter only matches paths under
contracts/<pkg>/sources and thus misses other top-level package directories
(e.g., math/<pkg>/sources); update the grep regex used when populating
CANDIDATES in the mapfile pipeline to accept any top-level package name by
replacing the '^contracts/[^/]+/sources/.+\.move$' pattern with a generalized
pattern such as '^[^/]+/[^/]+/sources/.+\.move$' so that the CANDIDATES array
(populated in the mapfile -t CANDIDATES < <(...) block) includes sources from
non-`contracts` packages as well.

In `@contracts/access/llms/access_control.yaml`:
- Around line 380-383: The EUnauthorized coverage list is incomplete—update the
audit grounding entries that enumerate which APIs are affected so they exactly
match the "fails_with: EUnauthorized" declaration; add all referenced symbols
(grant_role, revoke_role, set_role_admin, new_auth, assert_has_role,
begin_default_admin_transfer, begin_default_admin_renounce,
cancel_default_admin_transfer, accept_default_admin_renounce,
begin_default_admin_delay_change, cancel_default_admin_delay_change and any
other root-flow APIs mentioned) to the coverage block (the list around lines
510–519) so the metadata fully mirrors the fails_with list and maintains
one-to-one traceability with EUnauthorized.

In `@math/core/llms/u32.yaml`:
- Around line 349-354: The "fix" guidance for the rule id
default-rounding-without-thinking is self-contradictory; update the fix text so
it consistently prescribes one clear rounding policy (e.g., "Round AGAINST the
user on both deposits-into-vault and withdrawals-from-vault so the protocol
always keeps the remainder") and ensure the wording explicitly states the
direction for each flow and asks reviewers to make the choice visible in code
review.

In `@math/core/llms/u8.yaml`:
- Around line 54-70: The quick_start snippet is missing imports and the error
constant; make it self-contained by adding the appropriate imports for rounding
and u8 (e.g., use openzeppelin_math::{u8, rounding};) and include or import the
error constant used (EMathOverflow) so the example compiles; update the snippet
that exercises u8::mul_div, u8::sqrt, and u8::checked_shl to either declare
#[error] const EMathOverflow or import it from its module so abort EMathOverflow
and assert!(..., EMathOverflow) resolve.

In `@math/fixed_point/llms/ud30x9/ud30x9_base.yaml`:
- Around line 307-311: Update the documentation text around the lshift/rshift
guidance to say: lshift/rshift operate on the raw integer representation (they
perform bit shifts on the stored fixed-point integer and will abort with
EInvalidShiftSize or EOverflow as described) — they are not decimal
multiply/divide operations, but because this implementation uses a fixed 10^9
scale, a bit shift on the raw bits will correspond to multiplying/dividing the
decoded value by powers of two (subject to overflow/truncation); for pure
decimal scaling by 2 use x.add(x) or proper decimal multiply routines instead of
lshift(1). Replace the ambiguous sentences in the blocks mentioning
lshift/rshift (the passages around the current lshift/rshift guidance at lines
~307, ~407-412, and the contradictory note near ~474) with this clarified
wording and keep references to errors EInvalidShiftSize and EOverflow.

In `@schemas/llms-metadata-v1.json`:
- Around line 323-329: The "composes_with" property currently defines items as
"type": "string" but must be an array of structured objects per the documented
contract; update the "composes_with" schema in schemas/llms-metadata-v1.json so
each item is an object with properties "module" (string), "when" (string,
optional/nullable), "source" (object with at least "type"/"uri" or simple string
— choose the project's citation shape), and "example" (string, optional), and
mark "module" as required; also provide appropriate types/formats and a
description for each sub-property to enforce source-citation and composition
metadata.
- Around line 192-201: The errors.code property is currently required and
integer-only which will reject legacy metadata; update the schema so "code" is
not mandatory under the errors object (remove "code" from the "required" array)
and relax its type to accept null as well as integer (e.g., "type":
["integer","null"]) so missing/unknown codes are allowed while preserving
integer validation for present values; locate the errors object and the "code"
property in the schema (errors.code) to make these changes.

---

Outside diff comments:
In `@README.md`:
- Line 38: Update the README command example "sui move build --doc --path
<module>" to use the correct placeholder "<package>" since --path expects a
package directory; locate the string "sui move build --doc --path <module>" and
replace "<module>" with "<package>" and optionally adjust surrounding text to
clarify that a package directory path is required.

---

Nitpick comments:
In `@schemas/llms-metadata-v1.json`:
- Around line 223-225: The schema currently allows a decisions array with
"minItems": 1 which permits non-decision branches; update the JSON schema for
the decisions array (the "decisions" property where "type": "array" and
"minItems": 1 appears) to use "minItems": 2 so every decisions[] entry requires
at least two options, preserving the existing "items" definition and any other
constraints.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a17f0365-cd9b-4ede-aeb4-1269a104ccdf

📥 Commits

Reviewing files that changed from the base of the PR and between 55a7971 and f4be6c4.

📒 Files selected for processing (45)

• .claude/skills/generate-sui-metadata/SKILL.md
• .claude/skills/generate-sui-metadata/references/format-spec.md
• .claude/skills/generate-sui-metadata/references/golden-rbac.yaml
• .claude/skills/generate-sui-metadata/scripts/extract_move_structure.sh
• .claude/skills/generate-sui-metadata/scripts/extract_tests.sh
• .claude/skills/generate-sui-metadata/scripts/stage_docs_pr.sh
• .claude/skills/generate-sui-metadata/scripts/stage_sources.sh
• .claude/skills/generate-sui-metadata/scripts/validate_metadata.sh
• .github/pull_request_template.md
• .github/workflows/llms-schema-validation.yml
• .gitignore
• CONTRIBUTING.md
• README.md
• contracts/README.md
• contracts/access/llms/access_control.yaml
• contracts/access/llms/index.yaml
• contracts/access/llms/ownership_transfer/delayed_transfer.yaml
• contracts/access/llms/ownership_transfer/two_step_transfer.yaml
• llms.txt
• llms/index.yaml
• math/core/README.md
• math/core/llms/decimal_scaling.yaml
• math/core/llms/index.yaml
• math/core/llms/rounding.yaml
• math/core/llms/u128.yaml
• math/core/llms/u16.yaml
• math/core/llms/u256.yaml
• math/core/llms/u32.yaml
• math/core/llms/u512.yaml
• math/core/llms/u64.yaml
• math/core/llms/u8.yaml
• math/core/llms/vector.yaml
• math/fixed_point/README.md
• math/fixed_point/llms/index.yaml
• math/fixed_point/llms/sd29x9/sd29x9.yaml
• math/fixed_point/llms/sd29x9/sd29x9_base.yaml
• math/fixed_point/llms/sd29x9/sd29x9_convert.yaml
• math/fixed_point/llms/ud30x9/ud30x9.yaml
• math/fixed_point/llms/ud30x9/ud30x9_base.yaml
• math/fixed_point/llms/ud30x9/ud30x9_convert.yaml
• schemas/llms-metadata-v1.json
• schemas/llms-package-index-v1.json
• scripts/validate-llms-completeness.py
• scripts/validate-llms-schema.py
• scripts/validate-llms-semantics.py

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix multiline event parsing termination for indented }.

Line 223 only matches } at column 0. In normal Move formatting, struct closing braces are indented, so the loop may continue past the struct and emit corrupted EVENT fields.

Suggested patch

-        if (next_line ~ /^\}/) break
+        if (next_line ~ /^[[:space:]]*\}/) break
         field_name = next_line
         gsub(/^[[:space:]]+/, "", field_name)
-        gsub(/:.*$/, "", field_name)
+        gsub(/:.*$/, "", field_name)
+        gsub(/,[[:space:]]*$/, "", field_name)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if ($0 ~ /\{[[:space:]]*$/) {
	fields = ""
	while ((getline next_line) > 0) {
	if (next_line ~ /^\}/) break
	field_name = next_line
	gsub(/^[[:space:]]+/, "", field_name)
	gsub(/:.*$/, "", field_name)
	if (length(field_name) > 0 && field_name !~ /^\/\//) {
	fields = fields (length(fields) > 0 ? "," : "") field_name
	}
	if ($0 ~ /\{[[:space:]]*$/) {
	fields = ""
	while ((getline next_line) > 0) {
	if (next_line ~ /^[[:space:]]*\}/) break
	field_name = next_line
	gsub(/^[[:space:]]+/, "", field_name)
	gsub(/:.*$/, "", field_name)
	gsub(/,[[:space:]]*$/, "", field_name)
	if (length(field_name) > 0 && field_name !~ /^\/\//) {
	fields = fields (length(fields) > 0 ? "," : "") field_name
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/generate-sui-metadata/scripts/extract_move_structure.sh
around lines 220 - 229, The multiline field-extraction loop in
extract_move_structure.sh incorrectly stops only for a `}` at column 0 (the
condition `next_line ~ /^\}/`), so indented closing braces are missed; update
the loop’s termination check to match optional leading whitespace (e.g. use
`next_line ~ /^[[:space:]]*\}/` or equivalent) so the `while ((getline
next_line) > 0)` loop breaks on indented `}` and prevents emitting corrupted
EVENT fields (adjust the same pattern if there are other `}` checks near the
`fields`, `field_name`, and `gsub` logic).

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Base-branch fallback is non-reproducible due to moving ref.

Using baseRefName can fetch different files over time as the branch advances. For deterministic staging, use the PR base commit SHA instead.

Proposed fix

-  PR_JSON="$(gh pr view "$SOURCE_URL" \
-    --json files,headRefOid,baseRefName,title \
+  PR_JSON="$(gh pr view "$SOURCE_URL" \
+    --json files,headRefOid,baseRefOid,baseRefName,title \
     2>/dev/null)" || {
@@
-  PR_BASE_REF="$(jq -r '.baseRefName' <<<"$PR_JSON")"
+  PR_BASE_REF="$(jq -r '.baseRefOid' <<<"$PR_JSON")"

Also applies to: 193-194

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/generate-sui-metadata/scripts/stage_sources.sh around lines
114 - 115, The script currently assigns PR_BASE_REF from PR_JSON using
.baseRefName which is mutable; replace those assignments to capture the PR base
commit SHA instead (e.g., use .baseRefOid or the JSON key that holds the base
commit SHA) and store it in a variable (rename or add PR_BASE_SHA or overwrite
PR_BASE_REF with the SHA) so checkout/fetch operations are deterministic; update
both occurrences (the block around PR_BASE_REF="$(jq -r '.baseRefName'
<<<"$PR_JSON")" and the similar assignments at lines referenced 193-194) and
ensure any later git commands use the SHA variable rather than the branch name.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

PR candidate path filter excludes non-contracts/ packages.

This regex only accepts contracts/<pkg>/sources/..., so PRs touching math/.../sources/... are incorrectly reported as having no modules.

Proposed fix

   mapfile -t CANDIDATES < <(
     jq -r '.files[].path' <<<"$PR_JSON" \
-      | grep -E '^contracts/[^/]+/sources/.+\.move$' \
+      | grep -E '^[^/]+(/[^/]+)?/sources/.+\.move$' \
       || true
   )

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	mapfile -t CANDIDATES < <(
	jq -r '.files[].path' <<<"$PR_JSON" \
	| grep -E '^contracts/[^/]+/sources/.+\.move$' \
	|| true
	)
	if [[ "${#CANDIDATES[@]}" -eq 0 ]]; then
	echo "ERR|PR $SOURCE_URL does not touch any contracts/<pkg>/sources/<name>.move file" >&2
	exit 4
	mapfile -t CANDIDATES < <(
	jq -r '.files[].path' <<<"$PR_JSON" \
	| grep -E '^[^/]+(/[^/]+)?/sources/.+\.move$' \
	|| true
	)
	if [[ "${`#CANDIDATES`[@]}" -eq 0 ]]; then
	echo "ERR|PR $SOURCE_URL does not touch any contracts/<pkg>/sources/<name>.move file" >&2
	exit 4

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.claude/skills/generate-sui-metadata/scripts/stage_sources.sh around lines
117 - 125, The candidate file filter only matches paths under
contracts/<pkg>/sources and thus misses other top-level package directories
(e.g., math/<pkg>/sources); update the grep regex used when populating
CANDIDATES in the mapfile pipeline to accept any top-level package name by
replacing the '^contracts/[^/]+/sources/.+\.move$' pattern with a generalized
pattern such as '^[^/]+/[^/]+/sources/.+\.move$' so that the CANDIDATES array
(populated in the mapfile -t CANDIDATES < <(...) block) includes sources from
non-`contracts` packages as well.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Complete EUnauthorized audit grounding coverage list.

Line 380 states EUnauthorized affects multiple root-flow APIs, but Lines 510–519 only enumerate a subset of corresponding tests. This weakens audit traceability in this metadata file.

Suggested patch

   - precondition_fails_with: EUnauthorized
     test_file: contracts/access/tests/access_control_tests.move
     test_functions:
       - test_grant_role_rejects_non_admin
       - test_revoke_role_rejects_non_admin
       - test_set_role_admin_rejects_non_admin
       - test_new_auth_aborts_for_non_member
       - test_assert_has_role_aborts_for_non_member
       - test_begin_admin_transfer_rejects_non_root
+      - test_begin_admin_renounce_rejects_non_root
+      - test_cancel_admin_transfer_rejects_non_root
+      - test_accept_admin_renounce_rejects_non_root
+      - test_begin_delay_change_rejects_non_root
+      - test_cancel_delay_change_rejects_non_root

Also applies to: 510-519

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@contracts/access/llms/access_control.yaml` around lines 380 - 383, The
EUnauthorized coverage list is incomplete—update the audit grounding entries
that enumerate which APIs are affected so they exactly match the "fails_with:
EUnauthorized" declaration; add all referenced symbols (grant_role, revoke_role,
set_role_admin, new_auth, assert_has_role, begin_default_admin_transfer,
begin_default_admin_renounce, cancel_default_admin_transfer,
accept_default_admin_renounce, begin_default_admin_delay_change,
cancel_default_admin_delay_change and any other root-flow APIs mentioned) to the
coverage block (the list around lines 510–519) so the metadata fully mirrors the
fails_with list and maintains one-to-one traceability with EUnauthorized.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix contradictory rounding-direction guidance in anti-pattern remediation.

The fix text says to round for the user on withdrawals, but the same section (and example below) says the protocol should keep remainder (round down both directions in vault flows). This contradiction can drive unsafe implementation choices.

Proposed wording fix

-    fix: "Pick rounding per call. Round AGAINST the user on deposits-into-vault and FOR the user on withdrawals-from-vault, so the protocol always keeps the remainder. Make the choice visible in code review."
+    fix: "Pick rounding per call. In vault/share accounting, round AGAINST the user on both deposit and withdrawal paths (typically `rounding::down()`) so the protocol keeps the remainder. Make the policy explicit in code review."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- id: default-rounding-without-thinking
	severity: medium
	description: "Pass `rounding::nearest()` (or any single mode) to every `mul_div` / `sqrt` / `log*` call without considering who absorbs the remainder."
	why_bad: "Rounding direction determines which side of the transaction wins on fractional remainders. A protocol that rounds up on deposits and up on withdrawals leaks value on every round-trip — exploitable by repeated small operations."
	fix: "Pick rounding per call. Round AGAINST the user on deposits-into-vault and FOR the user on withdrawals-from-vault, so the protocol always keeps the remainder. Make the choice visible in code review."
	example_bad: |
	- id: default-rounding-without-thinking
	severity: medium
	description: "Pass `rounding::nearest()` (or any single mode) to every `mul_div` / `sqrt` / `log*` call without considering who absorbs the remainder."
	why_bad: "Rounding direction determines which side of the transaction wins on fractional remainders. A protocol that rounds up on deposits and up on withdrawals leaks value on every round-trip — exploitable by repeated small operations."
	fix: "Pick rounding per call. In vault/share accounting, round AGAINST the user on both deposit and withdrawal paths (typically `rounding::down()`) so the protocol keeps the remainder. Make the policy explicit in code review."
	example_bad: |

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@math/core/llms/u32.yaml` around lines 349 - 354, The "fix" guidance for the
rule id default-rounding-without-thinking is self-contradictory; update the fix
text so it consistently prescribes one clear rounding policy (e.g., "Round
AGAINST the user on both deposits-into-vault and withdrawals-from-vault so the
protocol always keeps the remainder") and ensure the wording explicitly states
the direction for each flow and asks reviewers to make the choice visible in
code review.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
python - <<'PY'
from pathlib import Path
text = Path("math/core/llms/u8.yaml").read_text()
start = text.index("quick_start: |")
end = text.index("# ============================================================", start)
qs = text[start:end]
print("uses u8 module:", "u8::" in qs)
print("uses rounding module:", "rounding::" in qs)
print("uses EMathOverflow:", "EMathOverflow" in qs)
print("declares import:", "use openzeppelin_math::{u8, rounding};" in qs)
print("declares EMathOverflow const:", "const EMathOverflow" in qs)
PY

Repository: OpenZeppelin/contracts-sui

Length of output: 202

---

Make math/core/llms/u8.yaml quick_start self-contained (lines 54-70): the snippet uses rounding::... and EMathOverflow but doesn’t declare use openzeppelin_math::{u8, rounding}; or the #[error] const EMathOverflow inside the block, so copying just quick_start will fail symbol resolution.

Proposed fix

 quick_start: |
   // u8 end-to-end — overflow-safe arithmetic in the typical 3-call shape.
   // Choose a rounding mode, call the operation, and handle `Option<u8>`
   // for paths that can overflow.
+
+  use openzeppelin_math::{u8, rounding};
+
+  #[error(code = 0)]
+  const EMathOverflow: vector<u8> = "arithmetic overflow";
 
   // 1. Multiply-then-divide with explicit rounding. Returns Option<u8>;
   //    aborts EDivideByZero only if `denominator == 0`.
   let fee_quote = u8::mul_div(amount, 5u8, 100u8, rounding::nearest());

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	quick_start: |
	// u8 end-to-end — overflow-safe arithmetic in the typical 3-call shape.
	// Choose a rounding mode, call the operation, and handle `Option<u8>`
	// for paths that can overflow.
	// 1. Multiply-then-divide with explicit rounding. Returns Option<u8>;
	// aborts EDivideByZero only if `denominator == 0`.
	let fee_quote = u8::mul_div(amount, 5u8, 100u8, rounding::nearest());
	let value = fee_quote.destroy_or!(abort EMathOverflow);
	// 2. Square root rounded down (cannot overflow; always returns u8).
	let root = u8::sqrt(value, rounding::down());
	// 3. Lossless left shift; returns None if non-zero bits would be lost.
	let scaled = u8::checked_shl(root, 2u8);
	assert!(scaled.is_some(), EMathOverflow);
	quick_start: |
	// u8 end-to-end — overflow-safe arithmetic in the typical 3-call shape.
	// Choose a rounding mode, call the operation, and handle `Option<u8>`
	// for paths that can overflow.
	use openzeppelin_math::{u8, rounding};
	#[error(code = 0)]
	const EMathOverflow: vector<u8> = "arithmetic overflow";
	// 1. Multiply-then-divide with explicit rounding. Returns Option<u8>;
	// aborts EDivideByZero only if `denominator == 0`.
	let fee_quote = u8::mul_div(amount, 5u8, 100u8, rounding::nearest());
	let value = fee_quote.destroy_or!(abort EMathOverflow);
	// 2. Square root rounded down (cannot overflow; always returns u8).
	let root = u8::sqrt(value, rounding::down());
	// 3. Lossless left shift; returns None if non-zero bits would be lost.
	let scaled = u8::checked_shl(root, 2u8);
	assert!(scaled.is_some(), EMathOverflow);

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@math/core/llms/u8.yaml` around lines 54 - 70, The quick_start snippet is
missing imports and the error constant; make it self-contained by adding the
appropriate imports for rounding and u8 (e.g., use openzeppelin_math::{u8,
rounding};) and include or import the error constant used (EMathOverflow) so the
example compiles; update the snippet that exercises u8::mul_div, u8::sqrt, and
u8::checked_shl to either declare #[error] const EMathOverflow or import it from
its module so abort EMathOverflow and assert!(..., EMathOverflow) resolve.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Correct the shift semantics guidance for powers-of-two scaling.

Line 307 and Line 411 state lshift/rshift are not decimal * 2^k / / 2^k, but with fixed 10^9 scale they do scale decoded values by powers of two (subject to overflow/truncation). This conflicts with Line 474 and can mislead agents/integrators.

Suggested wording fix

-      Bit shift on raw bits, NOT a decimal multiply by `2^bits`. Aborts
+      Bit shift on raw bits. In UD30x9, this corresponds to scaling the
+      decoded numeric value by `2^bits` (subject to overflow / truncation),
+      but it does NOT apply or remove the fixed-point `10^9` scale. Aborts
       `EInvalidShiftSize` if `bits >= 128`; aborts `EOverflow` if the
       shift would consume non-zero high bits. For decimal `x * 2` use
       `x.add(x)`, not `x.lshift(1)`.

-        why: "`lshift` / `rshift` operate on RAW BITS — they multiply / divide the underlying `u128`, not the decimal value. `x.lshift(1)` is NOT `x * 2.0` in decimal terms."
+        why: "`lshift` / `rshift` operate on RAW BITS. In UD30x9 they correspond to `* 2^k` / floor(`/ 2^k`) on the decoded value, but they are not decimal-scale conversions (`* 10^k` / `/ 10^k`)."

Also applies to: 407-412

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@math/fixed_point/llms/ud30x9/ud30x9_base.yaml` around lines 307 - 311, Update
the documentation text around the lshift/rshift guidance to say: lshift/rshift
operate on the raw integer representation (they perform bit shifts on the stored
fixed-point integer and will abort with EInvalidShiftSize or EOverflow as
described) — they are not decimal multiply/divide operations, but because this
implementation uses a fixed 10^9 scale, a bit shift on the raw bits will
correspond to multiplying/dividing the decoded value by powers of two (subject
to overflow/truncation); for pure decimal scaling by 2 use x.add(x) or proper
decimal multiply routines instead of lshift(1). Replace the ambiguous sentences
in the blocks mentioning lshift/rshift (the passages around the current
lshift/rshift guidance at lines ~307, ~407-412, and the contradictory note near
~474) with this clarified wording and keep references to errors
EInvalidShiftSize and EOverflow.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

errors.code is over-constrained and will reject valid legacy metadata.

code is required and integer-only, but your own generator/spec path allows legacy entries with missing/unknown codes. This schema will fail those files.

Proposed schema fix

       "additionalProperties": {
         "type": "object",
-        "required": [
-          "code",
-          "message"
-        ],
+        "required": ["message"],
         "additionalProperties": false,
         "properties": {
           "code": {
-            "type": "integer",
-            "minimum": 0
+            "oneOf": [
+              { "type": "integer", "minimum": 0 },
+              { "type": "null" }
+            ]
           },
           "message": {
             "type": "string"
           }
         }
       },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"required": [
	"code",
	"message"
	],
	"additionalProperties": false,
	"properties": {
	"code": {
	"type": "integer",
	"minimum": 0
	},
	"required": ["message"],
	"additionalProperties": false,
	"properties": {
	"code": {
	"oneOf": [
	{ "type": "integer", "minimum": 0 },
	{ "type": "null" }
	]
	},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@schemas/llms-metadata-v1.json` around lines 192 - 201, The errors.code
property is currently required and integer-only which will reject legacy
metadata; update the schema so "code" is not mandatory under the errors object
(remove "code" from the "required" array) and relax its type to accept null as
well as integer (e.g., "type": ["integer","null"]) so missing/unknown codes are
allowed while preserving integer validation for present values; locate the
errors object and the "code" property in the schema (errors.code) to make these
changes.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

composes_with schema shape does not match the documented object contract.

It is currently string[], but the format spec requires structured entries (module, when, source, example). This blocks valid metadata and weakens source-citation guarantees.

Proposed schema fix

     "composes_with": {
       "type": "array",
       "items": {
-        "type": "string"
+        "type": "object",
+        "required": ["module", "when", "source", "example"],
+        "additionalProperties": false,
+        "properties": {
+          "module": { "type": "string" },
+          "when": { "type": "string" },
+          "source": { "type": "string" },
+          "example": { "type": "string" }
+        }
       },
       "description": "Modules this one composes with in real protocols. Empty array is a valid value; populate as composition patterns are validated. Cross-module composability queries are the natural fit for an MCP server — see the project's MCP roadmap."
     },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"composes_with": {
	"type": "array",
	"items": {
	"type": "string"
	},
	"description": "Modules this one composes with in real protocols. Empty array is a valid value; populate as composition patterns are validated. Cross-module composability queries are the natural fit for an MCP server \u2014 see the project's MCP roadmap."
	},
	"composes_with": {
	"type": "array",
	"items": {
	"type": "object",
	"required": ["module", "when", "source", "example"],
	"additionalProperties": false,
	"properties": {
	"module": { "type": "string" },
	"when": { "type": "string" },
	"source": { "type": "string" },
	"example": { "type": "string" }
	}
	},
	"description": "Modules this one composes with in real protocols. Empty array is a valid value; populate as composition patterns are validated. Cross-module composability queries are the natural fit for an MCP server — see the project's MCP roadmap."
	},

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@schemas/llms-metadata-v1.json` around lines 323 - 329, The "composes_with"
property currently defines items as "type": "string" but must be an array of
structured objects per the documented contract; update the "composes_with"
schema in schemas/llms-metadata-v1.json so each item is an object with
properties "module" (string), "when" (string, optional/nullable), "source"
(object with at least "type"/"uri" or simple string — choose the project's
citation shape), and "example" (string, optional), and mark "module" as
required; also provide appropriate types/formats and a description for each
sub-property to enforce source-citation and composition metadata.

[0xNeshi]

Update branch and add openzeppelin_utils and related AI metadata

[bidzyyys]

Closing without merge — superseded by the V2 approach to AI-integrator metadata.

V1 here built a parallel per-module metadata layer (llms/*.yaml + JSON schema + 3 validators + generator). It works, but it is a second copy of what already lives in source, docs, and examples, so it drifts (CI catches structural, not content, drift). V2 removes the parallel layer: metadata lives in its natural single sources of truth — compilable examples/ (composition), doc-comments via sui move build --doc (API, now guarded by a docgen-clean CI gate), the group README catalog table (slug↔pkg↔dir↔docs), and audits/README.md (audit→module). The doc-comment contract is codified in STYLEGUIDE.md.

Tracked as epic #375 — delivered/in-review: #380 (PR #390), #381 (PR #391), #385 (PR #392, completed); remaining: #386 examples. Rationale: see the V2 decision note.

The V1 empirical result (an agent built a working contract from metadata alone) stands as evidence the direction works — the heavy implementation is simply not the path.