OpenZeppelin · CoveMB · Jun 26, 2025 · Feb 21, 2025 · Feb 21, 2025 · Feb 21, 2025
@@ -0,0 +1,5 @@
+---
+'@openzeppelin/wizard-stellar': patch
+---
+
+Add security contact in contract info
@@ -3,6 +3,7 @@ import test from 'ava';
 import type { BaseFunction, BaseTraitImplBlock } from './contract';
 import { ContractBuilder } from './contract';
 import { printContract } from './print';
+import { TAG_SECURITY_CONTACT } from './set-info';
 
 test('contract basics', t => {
   const Foo = new ContractBuilder('Foo');
@@ -82,3 +83,9 @@ test('contract with sorted use clauses', t => {
   Foo.addUseClause('another::library', 'self', { alias: 'custom1' });
   t.snapshot(printContract(Foo));
 });
+
+test('contract with info', t => {
+  const Foo = new ContractBuilder('Foo');
+  Foo.addDocumentationTag(TAG_SECURITY_CONTACT, '[email protected]');
+  t.snapshot(printContract(Foo));
+});
@@ -140,3 +140,17 @@ Generated by [AVA](https://avajs.dev).
     #[contract]␊
     pub struct Foo;␊
     `
+
+## contract with info
+
+> Snapshot 1
+
+    `// SPDX-License-Identifier: MIT␊
+    // Compatible with OpenZeppelin Stellar Soroban Contracts ^0.2.0␊
+    #![no_std]␊
+    ␊
+    /// @custom:security-contact [email protected]␊
+    ␊
+    #[contract]␊
+    pub struct Foo;␊
+    `
@@ -2,6 +2,7 @@ import { toIdentifier } from './utils/convert-strings';
 
 export interface Contract {
   license: string;
+  documentationTags: DocumentationTag[];
   name: string;
   useClauses: UseClause[];
   constructorCode: string[];
@@ -69,11 +70,18 @@ export interface Argument {
   type?: string;
 }
 
+export interface DocumentationTag {
+  key: string;
+  value: string;
+}
+
 export class ContractBuilder implements Contract {
   readonly name: string;
   license = 'MIT';
   ownable = false;
 
+  readonly documentationTags: DocumentationTag[] = [];
+
   readonly constructorArgs: Argument[] = [];
   readonly constructorCode: string[] = [];
 
@@ -250,4 +258,10 @@ export class ContractBuilder implements Contract {
   addDerives(derive: string): void {
     this.derivesSet.add(derive);
   }
+
+  addDocumentationTag(key: string, value: string) {
+    // eslint-disable-next-line no-useless-escape
+    if (!/^(@custom:)?[a-z][a-z\-]*$/.exec(key)) throw new Error(`Invalid documentation key: ${key}`);
+    this.documentationTags.push({ key, value });
+  }
 }
@@ -1,4 +1,4 @@
-import type { Contract, Argument, ContractFunction, TraitImplBlock, UseClause } from './contract';
+import type { Contract, Argument, ContractFunction, TraitImplBlock, UseClause, DocumentationTag } from './contract';
 
 import type { Lines } from './utils/format-lines';
 import { formatLines, spaceBetween } from './utils/format-lines';
@@ -21,6 +21,7 @@ export function printContract(contract: Contract): string {
       spaceBetween(
         printUseClauses(contract),
         printVariables(contract),
+        printDocumentationTags(contract.documentationTags),
         printContractStruct(contract),
         printContractErrors(contract),
         printContractFunctions(contract),
@@ -353,3 +354,7 @@ function printArgument(arg: Argument): string {
     return `${arg.name}`;
   }
 }
+
+function printDocumentationTags(tags: DocumentationTag[] = []): string[] {
+  return tags.map(({ key, value }) => `/// ${key} ${value}`);
+}
@@ -1,15 +1,22 @@
 import type { ContractBuilder } from './contract';
 
+export const TAG_SECURITY_CONTACT = `@custom:security-contact`;
+
 export const infoOptions = [{}, { license: 'WTFPL' }] as const;
 
 export const defaults: Info = { license: 'MIT' };
 
 export type Info = {
   license?: string;
+  securityContact?: string;
 };
 
 export function setInfo(c: ContractBuilder, info: Info): void {
-  const { license } = info;
+  const { securityContact, license } = info;
+
+  if (securityContact) {
+    c.addDocumentationTag(TAG_SECURITY_CONTACT, securityContact);
+  }
 
   if (license) {
     c.license = license;

@@ -13,6 +13,12 @@ export const stellarCommonFunctionDescription = {
     type: 'object',
     description: 'Metadata about the contract and author',
     properties: {
+      securityContact: {
+        type: 'string',
+        description:
+          'Email where people can contact you to report security issues. Will only be visible if contract metadata is verified.',
+      },
+
       license: {
         type: 'string',
         description: 'The license used by the contract, default is "MIT"',

@@ -1,6 +1,7 @@
 <script lang="ts">
   import type { Info } from '@openzeppelin/wizard-stellar';
   import { infoDefaults } from '@openzeppelin/wizard-stellar';
+  import HelpTooltip from '../common/HelpTooltip.svelte';
 
   export let info: Info;
 </script>
@@ -13,6 +14,16 @@
     </label>
   </h1>
 
+  <label class="labeled-input">
+    <span class="flex justify-between pr-2">
+      Security Contact
+      <HelpTooltip>
+        Where people can contact you to report security issues. Will only be visible if contract metadata is verified.
+      </HelpTooltip>
+    </span>
+    <input bind:value={info.securityContact} placeholder="[email protected]" />
+  </label>
+
   <label class="labeled-input">
     <span>License</span>
     <input bind:value={info.license} placeholder={infoDefaults.license} />