Kiro-CI
Trustless CI: AI fixes, Chain verifies.
Created on 30th December 2025
The problem Kiro-CI solves
The Problem: "Blind Trust" in DevOps
Modern CI/CD pipelines (like GitHub Actions or CircleCI) are centralized "black boxes." Developers blindly trust that the code they wrote is the code being deployed.
Supply Chain Attacks: If a CI server is compromised, hackers can inject malicious backdoors into trusted apps (similar to the infamous SolarWinds or xz-utils attacks).
Slow Feedback Loops: Developers waste hours waiting for cloud pipelines to queue and run, only to fail on a simple error.
The "Web3 Verification Gap": In crypto, "Code is Law," but we currently have no on-chain proof that a deployed smart contract actually passed its security tests.
The Solution: Kiro-CI (The Trustless Pipeline)
Kiro-CI shifts the entire DevOps pipeline "left": it runs locally and securely inside the Kiro IDE before the code ever leaves your machine.
Eliminates Centralized Risk (Local-First): By using Kiro Native Hooks, we run tests and security audits locally. No external CI server has access to your private keys or uncompiled code.
Agentic "Self-Healing" Workflows: Most tools just report errors. Kiro-CI fixes them. Our AI Agent detects vulnerabilities (like Reentrancy), autonomously rewrites the code to patch them, and re-runs the tests to ensure safety without human intervention.
Cryptographic Enforcement (EAS on Base): We replace "trust me, I tested it" with on-chain proof. Kiro-CI mints an Ethereum Attestation Service (EAS) attestation linked to the specific Git commit hash. Our custom "Gatekeeper" smart contract prevents deployment unless this validity proof exists on-chain.
Challenges we ran into
- The "Fragile Regex" Problem (Agentic Repair)
Building the "Self-Healing" agent was the hardest part. Initially, our regex patterns for detecting and fixing Solidity vulnerabilities (like Reentrancy) were too brittle. If a developer formatted their code with different spacing or comments, the Agent would break the file while trying to inject the nonReentrant modifier.
How we solved it: We moved from simple string replacement to a more robust AST-like parsing strategy. We created a rigorous test suite of "badly formatted" contracts to ensure the Agent could identify the correct injection point 100% of the time without corrupting the syntax.
- Verifying Attestations On-Chain (Foundry + EAS)
Integrating the Ethereum Attestation Service (EAS) into a Foundry deployment script was tricky. We needed the deployment transaction to revert if an attestation didn't exist, but checking dynamic bytes and schema UIDs inside a Solidity constructor is complex and prone to gas errors.
How we solved it: We built a custom "Gatekeeper" contract that acts as a proxy. It uses a specialized Resolver to pre-validate the schema structure before allowing the final CREATE2 deployment call. This ensured that our "Code is Law" promise was mathematically enforced on Base Sepolia.
- Async Race Conditions (Local vs. Cloud)
We faced a race condition where the CLI would try to upload the build artifact to AWS S3 before the file zipping process had fully closed the stream, resulting in corrupted 0-byte uploads.
How we solved it: We refactored the CLI's control flow to use strict await promises. We implemented a "lockfile" system that prevents the S3 upload from initializing until the local archiver library emits a distinct finalize event, ensuring data integrity.
Tracks Applied (3)
Ethereum Track
ETHIndia
Best Innovation
AWS
AWS