Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Centurylong/sanctifier/llms.txt

Use this file to discover all available pages before exploring further.

Sanctifier ships as a single Rust binary called sanctifier. The primary distribution channel is Cargo (building from source), which gives you the full CLI on any platform with a working Rust toolchain. A Docker image is also available for environments where installing Rust is impractical, such as ephemeral CI runners.

Prerequisites

Rust toolchain

Sanctifier is written in Rust and requires Rust 1.78 or later. Install the Rust toolchain via rustup:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
After installation, reload your shell (or run source ~/.cargo/env) and confirm:
rustc --version   # e.g. rustc 1.78.0
cargo --version   # e.g. cargo 1.78.0
You will also need the wasm32-unknown-unknown compilation target that Soroban contracts compile to:
rustup target add wasm32-unknown-unknown

System libraries

On Debian/Ubuntu-based Linux distributions, the pkg-config and libssl-dev packages are required to compile Sanctifier’s TLS dependencies:
sudo apt-get update && sudo apt-get install -y pkg-config libssl-dev
On macOS, the Xcode command-line tools provide the necessary libraries:
xcode-select --install

Installation

Clone the Sanctifier repository and install the CLI with Cargo:
git clone https://github.com/Centurylong/sanctifier.git
cd sanctifier
cargo install --path tooling/sanctifier-cli
Cargo builds the sanctifier binary in release mode and copies it to ~/.cargo/bin. This directory must be on your PATH:
# Add to ~/.bashrc, ~/.zshrc, or the equivalent for your shell
echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
Verify the installation:
sanctifier --help
You should see the top-level help output listing all available subcommands: analyze, init, baseline, diff, watch, prove, verify, attest, badge, report, callgraph, cve, and update.
The sanctifier-cli crate links against the z3 crate (Z3 solver bindings) via the smt feature on sanctifier-core. On some platforms the z3 crate compiles Z3 from source as part of cargo build, which can take several minutes on first install. Subsequent builds use the cached artifacts.
UpdatingAfter the initial install, you can update to the latest binary without re-cloning:
# Pull the latest source
git -C sanctifier pull

# Reinstall
cargo install --path sanctifier/tooling/sanctifier-cli --force
Or use the built-in updater command:
sanctifier update

Optional: Formal verification dependencies

The sanctifier analyze command and all static analysis features work with no additional dependencies. The following tools are only required if you intend to use sanctifier prove (SMT-based formal verification) or sanctifier verify (Kani model-checking).

Z3 SMT solver

sanctifier prove uses Z3 under the hood to discharge token-invariant proofs. The z3 Rust crate used by Sanctifier can either compile Z3 from source (automatic, no extra steps) or link against a system-installed Z3 library. To install a system Z3 library and avoid the longer build-from-source path:
# Debian / Ubuntu
sudo apt-get install -y z3 libz3-dev

# macOS (Homebrew)
brew install z3
Confirm Z3 is available:
z3 --version   # e.g. Z3 version 4.12.x

Kani verifier

sanctifier verify validates #[sanctify::invariant] declarations across a contract or workspace using the Kani verifier. Kani runs as a separate subprocess, so it must be installed independently:
cargo install --locked kani-verifier
cargo kani setup
Confirm Kani is available:
cargo kani --version
Kani requires a nightly Rust toolchain and is only supported on Linux and macOS x86-64. See the Kani documentation for the full compatibility matrix before attempting installation on other platforms.

Environment variables

For teams using the runtime-guard deployment scripts, a handful of environment variables control network and deployment behavior. Copy the provided template to a local file that is excluded from version control:
cp .env.example .env.local
The most important variables are:
# Required for deployment commands
SOROBAN_SECRET_KEY=SBXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# Network target (testnet | futurenet | mainnet)
SOROBAN_NETWORK=testnet
SOROBAN_RPC_URL=https://soroban-testnet.stellar.org

# Deployment behaviour
VALIDATE_AFTER_DEPLOY=true
CONTINUOUS_VALIDATION=true
VALIDATION_INTERVAL=300
Load the file before running any deployment command:
source .env.local
Never commit .env.local to version control. It contains your SOROBAN_SECRET_KEY. Add it to .gitignore immediately after creating it.

Verify the installation

Run the following to confirm everything is working:
# Print the version
sanctifier --version

# Print all available commands
sanctifier --help
A successful install prints the Sanctifier banner and the command list. If you see command not found: sanctifier, confirm that ~/.cargo/bin is on your PATH (see the Cargo tab above).

Next steps

Now that Sanctifier is installed, move on to the Quickstart to run your first scan, or jump straight to the Configuration guide to customize .sanctify.toml for your project.

Build docs developers (and LLMs) love