Team Best Practices
Shared practices that keep a Solana engineering team fast and safe across Agave 4.1.1 validators, Anchor 0.32.1 programs, and @solana/kit 7.0.0 clients.
How to Use This List
- Adopt in team working agreement during onboarding week 2.
- Revisit quarterly or after any mainnet incident.
- Map each rule to an owner (platform, security, frontend).
A - Toolchain & Repos
- Single source of truth for version pins.
rust-toolchain.toml,Anchor.toml,.nvmrccommitted. - CI runs
anchor build, tests, and client typecheck on every PR. No manual-only verification. - Program ids and cluster URLs live in env tables. Not scattered magic strings.
- IDL and Codama outputs versioned or regenerated in CI. Clients never drift silently.
- Document upgrade authority holders in runbook. On-call knows who can patch programs.
B - Development Workflow
- Default to devnet and local validators for feature work. Mainnet requires explicit checklist.
- Use LiteSVM 0.6.x for fast unit tests; validator smoke for integration. Pyramid documented in README.
- Simulate transactions in clients before send on staging. Match production RPC features.
- Feature flags for risky instructions until audited. Governance or multisig where required.
- Small PRs with test plans in description. Reviewers know negative cases covered.
C - Security & Keys
- Separate dev, staging, and prod keys and RPC providers. No shared hot wallet across envs.
- Multisig or hardware custody for upgrade authorities on mainnet. Document signers.
- Mandatory security review lane for token movement changes. Two-person rule.
- Run internal review guide before external audit. Fix obvious P0s first.
- Incident runbook linked from repo. Rollback, pause, comms templates ready.
D - Communication & Docs
- Every program change updates user-facing changelog or migration note. Wallets and indexers depend on it.
- Architecture Decision Records for framework choices. Anchor vs Pinocchio, RPC vendor picks.
- On-call rotation familiar with Solana CLI 3.0.10 ops commands. Deploy, dump logs, verify builds.
- New hires complete onboarding checklists with buddy sign-off. Repeatable ramp.
- Post-mortems blameless with tracked follow-ups. Link regression tests in tickets.
E - Release & Operations
- Verifiable builds for mainnet deploys.
solana-verifyhash published. - Devnet soak period before mainnet promotion. DORA-style lead time metrics optional.
- Monitor RPC error rates, tx landing rate, and program CU usage. Dashboards per environment.
- Surfpool 0.12.0 or fork tests for mainnet-dependent features. Before big launches.
- Rollback strategy documented per program. Immutable vs upgradeable paths explicit.
FAQs
Team size minimum?
Practices scale down - keep security and version pin sections even for 3 engineers.
Remote/async teams?
Written checklists and recorded demo of First Program capstone replace hallway pairing.
Agency + client team?
Split practices: agency owns toolchain doc, client owns keys and mainnet approval.
Audit frequency?
Major release or material CPI change - not every typo fix.
Tech debt time?
Allocate fixed sprint % for dependency upgrades and CU optimizations.
Product pressure?
Explicit risk acceptance ticket when skipping soak or audit recommendation.
Multiple programs?
Per-program owners listed in CODEOWNERS with escalation path.
Data team alignment?
Share IDL/event schemas when indexers consume your programs.
Open source?
Security practices still apply - redact keys in public issue templates.
Metrics?
Track deploy frequency, failed tx rate, mean review time - adapt from DORA as needed.
Related
- Onboarding Devs Checklist - new hire ramp
- Code Review Guidelines - PR review depth
- Team Best Practices in Standards - contribution norms
- Deployment Basics - release ops
Stack versions: This page was written for Agave 4.1.1, Solana CLI 3.0.10, Anchor 0.32.1, anchor-lang 0.32.1, Rust 1.91.1, @solana/kit 7.0.0, Surfpool 0.12.0, and LiteSVM 0.6.x.