docs(security): Solana v4 consolidation investigation #34

Merged: WomB0ComB0 merged 3 commits into main from docs/solana-v4-migration on Jun 2, 2026

@WomB0ComB0 WomB0ComB0 commented Jun 2, 2026

Documents the investigation into the workspace's multi-version solana-* split and whether a full v4 consolidation is feasible. Documentation only — no dependency changes.

TL;DR

  • Yes, there's a newer Solana (solana-program-test 4.0.0, Agave v4.0.1, anchor stable 1.0.2).
  • The version mismatch is real but expected — post-monorepo, each solana-* crate versions independently; the lockfile spans majors 0–6 (143 crates on v3, 13 on v4).
  • solana-program-test is vendored only for agave-unstable-api — it's plain cargo vendor output, not a fork (Cargo.toml.orig + cargo banner, only an added license header).
  • The blocker is Anchor, not program-test. anchor-lang is on 1.0.0-rc.2 deliberately: rc.2 is the only 1.0 release that admits solana-pubkey v4 — stable 1.0.0–1.0.2 narrowed it back to ^3.0.0. This is why the prior "upgrade anchor and solana sdk stack" work (1200aa7e) stopped at rc.2.

Option A was attempted and proven infeasible

Re-vendoring solana-program-test → 4.0.0 while keeping anchor rc.2 fails to resolve:

failed to select a version for `solana-sysvar`.
  ... required by solana-program-test v4.0.0 (vendored)
  ... conflicts with solana-sysvar = "~3.0.0" required by anchor-lang v1.0.0-rc.2

A blanket cargo update only looked like it worked because it silently drifted anchor to 1.0.2, which then fails cargo check (AnchorDeserialize macro breakage). The scratch branch was fully reverted.

Tooling caveat: anchor/cargo-build-sbf weren't available in the investigation env, so verification is cargo resolution + cargo check. The resolve-time solana-sysvar conflict is decisive regardless.

Recommendation

  1. Keep current pins (they build and work; the split is intentional).
  2. Optional low-risk: patch-bump solana-program-test 3.1.10 → 3.1.12 within the 3.x line.
  3. Track Anchor upstream — full v4 consolidation needs an Anchor release compatible with program-test 4.x's sysvar line. Re-evaluate when it lands.

See docs/solana-v4-migration.md for the full analysis, conflict tables, and verification commands.

Summary by CodeRabbit

Documentation

  • Added migration guide covering the Solana dependency landscape, including upgrade pathways, known compatibility challenges, evaluated options, and step-by-step verification procedures for dependency consolidation.
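
The two lockfile facts this description relies on, the per-major spread of `solana-*` crates and `anchor-lang` drifting off its `1.0.0-rc.2` pin after a blanket `cargo update`, can be checked directly from `Cargo.lock`. This is an added example, not part of the PR or the project's docs; the sample lockfile text is constructed and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Cargo.lock layout; not the workspace's real lockfile.
SAMPLE_LOCK = '''
[[package]]
name = "anchor-lang"
version = "1.0.2"

[[package]]
name = "solana-program-test"
version = "3.1.10"

[[package]]
name = "solana-pubkey"
version = "3.0.0"

[[package]]
name = "solana-pubkey"
version = "4.0.0"
'''

# Intended exact pins; the values are the ones named in the PR description.
EXPECTED_PINS = {"anchor-lang": "1.0.0-rc.2", "solana-program-test": "3.1.10"}
PKG_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')

def parse_lock(text):
    """Return (name, version) for every [[package]] entry."""
    return PKG_RE.findall(text)

def major_spread(packages, prefix="solana-"):
    """Count crates with the given name prefix per major version."""
    return Counter(int(v.split(".")[0]) for n, v in packages if n.startswith(prefix))

def split_majors(packages):
    """Crates that are locked at more than one major version."""
    majors = defaultdict(set)
    for name, version in packages:
        majors[name].add(int(version.split(".")[0]))
    return {n: sorted(m) for n, m in majors.items() if len(m) > 1}

def pin_drift(packages, expected=EXPECTED_PINS):
    """Pinned crates whose locked versions are not exactly the intended pin."""
    locked = defaultdict(set)
    for name, version in packages:
        locked[name].add(version)
    return {n: sorted(locked[n]) for n, want in expected.items() if locked[n] != {want}}

if __name__ == "__main__":
    pkgs = parse_lock(SAMPLE_LOCK)
    print(dict(major_spread(pkgs)), split_majors(pkgs), pin_drift(pkgs))
```

Run as a CI step against the real lockfile, a non-empty `pin_drift` result flags the silent drift before `cargo check` has to.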

Documents the workspace's multi-version solana-* split, why
solana-program-test is vendored, and why a full v4 consolidation is
blocked upstream by Anchor.

Key findings:
- The split is expected post-monorepo (each solana-* crate versions
  independently), not corruption.
- solana-program-test is vendored only for the agave-unstable-api feature;
  it is plain cargo-vendor output, not a fork.
- anchor-lang is pinned to 1.0.0-rc.2 deliberately: rc.2 is the only 1.0
  release admitting solana-pubkey v4. Stable 1.0.0–1.0.2 narrowed pubkey
  back to ^3.0.0.
- Option A (re-vendor program-test 4.0.0, keep anchor rc.2) was attempted
  and FAILS to resolve: program-test 4.0.0's solana-sysvar requirement
  conflicts with anchor rc.2's solana-sysvar = "~3.0.0". Branch reverted.

Recommendation: keep current pins; optionally patch-bump within 3.x
(3.1.10 -> 3.1.12); track Anchor upstream for a release compatible with
program-test 4.x before attempting full v4.

No dependency changes — documentation only.
coderabbitai Bot commented Jun 2, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between 45b88f4 and 36e0141.

📒 Files selected for processing (1)
  • docs/solana-v4-migration.md
Walkthrough

This PR adds a new migration investigation document to docs/solana-v4-migration.md. It records the workspace's current Solana v3/v4 dependency split, explains why solana-program-test must be vendored, identifies Anchor as the upstream blocker preventing full consolidation, and provides four migration options with recommendations and verification commands.

Changes

Solana v3/v4 Migration Investigation Documentation

| Layer / File(s) | Summary |
|---|---|
| Current Dependency State and Available Versions<br>docs/solana-v4-migration.md (lines 1–63) | Document header, metadata, and security note; pinned crate versions from root Cargo.toml and the observed multi-major version split in Cargo.lock; summary of latest stable releases showing where the workspace lags. |
| Vendoring and Upstream Constraints<br>docs/solana-v4-migration.md (lines 65–110) | Explains vendoring of solana-program-test via [patch.crates-io] tied to agave-unstable-api; identifies Anchor-driven solana-pubkey and solana-sysvar conflicts that block consolidation and why anchor-lang rc.2 must be retained. |
| Upgrade Exploration, Options, and Recommendations<br>docs/solana-v4-migration.md (lines 111–205) | Empirical upgrade verification steps and observed resolution conflicts; enumeration of four migration options (A: infeasible immediate v4, B: low-risk patch bump, C: full v4 blocked upstream, D: document-only); concrete recommendation sequence; and reproducible verification commands for inspection and validation. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes


A doc to guide us through the v3/v4 mix,
With Anchor's call, we cannot fix,
Vendored and stable, a working state,
Upstream awaits our future fate. 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title 'docs(security): Solana v4 consolidation investigation' partially relates to the changeset, covering a real aspect (Solana v4 investigation), but the 'security' label is not justified by the documentation content, which is purely technical investigation without explicit security implications. | Change the title to 'docs: Solana v4 consolidation investigation' or 'docs(solana): Solana v4 consolidation investigation' to accurately reflect that this is technical documentation, not a security fix. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces a detailed investigation and migration plan document (docs/solana-v4-migration.md) for the Solana v4 consolidation, outlining the dependency conflicts and blockers involving Anchor. The feedback suggests a more robust and idiomatic way to verify the version spread using cargo tree instead of parsing Cargo.lock with grep.

Comment thread docs/solana-v4-migration.md Outdated
@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (3)
docs/solana-v4-migration.md (3)

36-41: ⚡ Quick win

Add language specifier to code block.

The code block should specify a language identifier for proper rendering and syntax highlighting.

📝 Proposed fix
-```
+```text
 major v0:   3 crates      major v3: 143 crates   (the bulk)

128-133: ⚡ Quick win

Add language specifier to error code block.

The error output block should specify a language identifier for proper rendering.

📝 Proposed fix
-   ```
+   ```text
    failed to select a version for `solana-sysvar`.

22-23: ⚡ Quick win

Add blank line before table.

The table should be preceded by a blank line for proper markdown rendering.

📝 Proposed fix
 ### Declared (root `Cargo.toml`)
+
 | Crate | Pinned | Major |
📥 Commits

Reviewing files that changed from the base of the PR and between 8528936 and 45b88f4.

📒 Files selected for processing (1)
  • docs/solana-v4-migration.md

@WomB0ComB0 WomB0ComB0 merged commit bac9df7 into main Jun 2, 2026
19 checks passed
@WomB0ComB0 WomB0ComB0 deleted the docs/solana-v4-migration branch June 2, 2026 13:26