Forem: Pavel Espitia The latest articles on Forem by Pavel Espitia (@pavelespitia). https://forem.com/pavelespitia https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F337213%2Fb21fb081-ae15-4041-9ab6-829aea593a28.jpeg Forem: Pavel Espitia https://forem.com/pavelespitia en The Provider Pattern: How I Added Ollama Support in 50 Lines Pavel Espitia Tue, 21 Apr 2026 12:03:03 +0000 https://forem.com/pavelespitia/the-provider-pattern-how-i-added-ollama-support-in-50-lines-4nhc https://forem.com/pavelespitia/the-provider-pattern-how-i-added-ollama-support-in-50-lines-4nhc <p>When I started building spectr-ai, it only worked with Claude. The Anthropic SDK was hardcoded everywhere — in the analysis function, the prompt formatting, the response parsing. It worked, but it meant every user needed an Anthropic API key and an internet connection.</p> <p>I wanted to add Ollama support so developers could run audits locally, completely offline, using open-source models. The naive approach would have been scattering <code>if (useOllama)</code> checks throughout the codebase. Instead, I used the Provider pattern, and the entire Ollama integration took about 50 lines of code.</p> <h2> The Interface </h2> <p>The core idea is simple: define what a "provider" does, not how it does it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">Provider</span> <span class="p">{</span> <span class="nf">analyze</span><span class="p">(</span><span class="nx">systemPrompt</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">userContent</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">name</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="k">readonly</span> <span class="nx">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Three members. A provider takes a system prompt and user content, returns a string. It has a name and a model identifier. Every LLM API in existence can satisfy this contract — they all accept text and return text.</p> <p>The interface deliberately returns a raw string, not a parsed object. Parsing and validation happen in a separate layer (the Zod schemas from yesterday's post). The provider's only job is to talk to the model and give back its response.</p> <h2> The Anthropic Provider </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="nx">Anthropic</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@anthropic-ai/sdk</span><span class="dl">"</span><span class="p">;</span> <span class="kd">function</span> <span class="nf">createAnthropicProvider</span><span class="p">(</span> <span class="nx">apiKey</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nx">Provider</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Anthropic</span><span class="p">({</span> <span class="nx">apiKey</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">anthropic</span><span class="dl">"</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="k">async</span> <span class="nf">analyze</span><span class="p">(</span><span class="nx">systemPrompt</span><span class="p">,</span> <span class="nx">userContent</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">messages</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="nx">model</span><span class="p">,</span> <span class="na">max_tokens</span><span class="p">:</span> <span class="mi">8192</span><span class="p">,</span> <span class="na">system</span><span class="p">:</span> <span class="nx">systemPrompt</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">userContent</span> <span class="p">}],</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">block</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">content</span><span class="p">[</span><span class="mi">0</span><span class="p">];</span> <span class="k">if </span><span class="p">(</span><span class="nx">block</span><span class="p">.</span><span class="kd">type</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">text</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Unexpected response type: </span><span class="p">${</span><span class="nx">block</span><span class="p">.</span><span class="kd">type</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">block</span><span class="p">.</span><span class="nx">text</span><span class="p">;</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>The Anthropic-specific details — the SDK client, the message format, the content block extraction — are all encapsulated. Nothing outside this function knows or cares about Anthropic's API shape.</p> <h2> The Ollama Provider </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">createOllamaProvider</span><span class="p">(</span> <span class="nx">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">baseUrl</span><span class="p">:</span> <span class="kr">string</span> <span class="o">=</span> <span class="dl">"</span><span class="s2">http://localhost:11434</span><span class="dl">"</span><span class="p">,</span> <span class="p">):</span> <span class="nx">Provider</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">ollama</span><span class="dl">"</span><span class="p">,</span> <span class="nx">model</span><span class="p">,</span> <span class="k">async</span> <span class="nf">analyze</span><span class="p">(</span><span class="nx">systemPrompt</span><span class="p">,</span> <span class="nx">userContent</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span> <span class="s2">`</span><span class="p">${</span><span class="nx">baseUrl</span><span class="p">}</span><span class="s2">/api/chat`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">model</span><span class="p">,</span> <span class="na">stream</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">systemPrompt</span> <span class="p">},</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">userContent</span> <span class="p">},</span> <span class="p">],</span> <span class="p">}),</span> <span class="p">},</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Ollama returned </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">text</span><span class="p">()}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">data</span><span class="p">.</span><span class="nx">message</span><span class="p">.</span><span class="nx">content</span><span class="p">;</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>No SDK dependency. Just a <code>fetch</code> call to Ollama's local API. The provider returns the same raw string that the Anthropic provider returns. The rest of the application can't tell the difference.</p> <h2> The Factory </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">ProviderConfig</span> <span class="p">{</span> <span class="nl">provider</span><span class="p">:</span> <span class="dl">"</span><span class="s2">anthropic</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">ollama</span><span class="dl">"</span><span class="p">;</span> <span class="nl">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">apiKey</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">baseUrl</span><span class="p">?:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">}</span> <span class="kd">function</span> <span class="nf">createProvider</span><span class="p">(</span><span class="nx">config</span><span class="p">:</span> <span class="nx">ProviderConfig</span><span class="p">):</span> <span class="nx">Provider</span> <span class="p">{</span> <span class="k">switch </span><span class="p">(</span><span class="nx">config</span><span class="p">.</span><span class="nx">provider</span><span class="p">)</span> <span class="p">{</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">anthropic</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">config</span><span class="p">.</span><span class="nx">apiKey</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="dl">"</span><span class="s2">Anthropic provider requires an API key. </span><span class="dl">"</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">Set ANTHROPIC_API_KEY or pass --api-key.</span><span class="dl">"</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">createAnthropicProvider</span><span class="p">(</span> <span class="nx">config</span><span class="p">.</span><span class="nx">apiKey</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">model</span><span class="p">,</span> <span class="p">);</span> <span class="p">}</span> <span class="k">case</span> <span class="dl">"</span><span class="s2">ollama</span><span class="dl">"</span><span class="p">:</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">createOllamaProvider</span><span class="p">(</span> <span class="nx">config</span><span class="p">.</span><span class="nx">model</span><span class="p">,</span> <span class="nx">config</span><span class="p">.</span><span class="nx">baseUrl</span><span class="p">,</span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The factory reads from configuration and returns the right provider. The switch is exhaustive — TypeScript will error if you add a new provider to the union type without handling it here.</p> <h2> Using It </h2> <p>The analysis pipeline doesn't know which provider it's using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">runAudit</span><span class="p">(</span> <span class="nx">provider</span><span class="p">:</span> <span class="nx">Provider</span><span class="p">,</span> <span class="nx">contract</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AuditResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span> <span class="s2">`Analyzing with </span><span class="p">${</span><span class="nx">provider</span><span class="p">.</span><span class="nx">name</span><span class="p">}</span><span class="s2"> (</span><span class="p">${</span><span class="nx">provider</span><span class="p">.</span><span class="nx">model</span><span class="p">}</span><span class="s2">)...`</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">provider</span><span class="p">.</span><span class="nf">analyze</span><span class="p">(</span><span class="nx">SYSTEM_PROMPT</span><span class="p">,</span> <span class="nx">contract</span><span class="p">);</span> <span class="k">return</span> <span class="nf">parseAuditResult</span><span class="p">(</span><span class="nx">raw</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>From the CLI, the user switches with a flag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use Claude (default)</span> spectr-ai analyze contract.sol <span class="c"># Use a local Ollama model</span> spectr-ai analyze contract.sol <span class="nt">--provider</span> ollama <span class="nt">--model</span> llama3 <span class="c"># Use a specific Anthropic model</span> spectr-ai analyze contract.sol <span class="nt">--model</span> claude-sonnet-4-20250514 </code></pre> </div> <h2> Why This Matters </h2> <p><strong>Testing becomes trivial.</strong> You can create a mock provider that returns predetermined responses:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">createMockProvider</span><span class="p">(</span> <span class="nx">response</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="p">):</span> <span class="nx">Provider</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="dl">"</span><span class="s2">mock</span><span class="dl">"</span><span class="p">,</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">test</span><span class="dl">"</span><span class="p">,</span> <span class="k">async</span> <span class="nf">analyze</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">response</span><span class="p">;</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// In tests</span> <span class="kd">const</span> <span class="nx">provider</span> <span class="o">=</span> <span class="nf">createMockProvider</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">vulnerabilities</span><span class="p">:</span> <span class="p">[],</span> <span class="na">summary</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No issues found</span><span class="dl">"</span><span class="p">,</span> <span class="na">riskScore</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="p">}),</span> <span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">runAudit</span><span class="p">(</span><span class="nx">provider</span><span class="p">,</span> <span class="nx">sampleContract</span><span class="p">);</span> </code></pre> </div> <p>No HTTP mocking, no SDK stubs, no environment variables. Just a function that returns a string.</p> <p><strong>Adding new providers is isolated.</strong> Want to add OpenAI? Write a <code>createOpenAIProvider</code> function, add <code>"openai"</code> to the union type, handle it in the factory. Zero changes to the analysis pipeline, the CLI, the web frontend, or the tests.</p> <p><strong>Users choose their tradeoffs.</strong> Claude gives better audit quality. Ollama gives privacy, offline access, and zero API costs. The application doesn't need to have an opinion — it just needs a string back from the model.</p> <h2> The Pattern Beyond LLMs </h2> <p>This isn't a new idea. The Provider pattern is just the Strategy pattern with a more descriptive name. You see it everywhere:</p> <ul> <li>Database drivers: same query interface, different backends (Postgres, MySQL, SQLite)</li> <li>Storage: same read/write interface, different destinations (local disk, S3, GCS)</li> <li>Auth: same verify interface, different mechanisms (JWT, session, API key)</li> <li>Logging: same log interface, different transports (console, file, remote service)</li> </ul> <p>The principle is always the same: define the smallest interface that captures what you need, then implement it for each backend. The consuming code depends on the interface, never the implementation.</p> <h2> What Makes a Good Provider Interface </h2> <p>Keep it minimal. My first draft of the Provider interface had methods for <code>streamAnalyze</code>, <code>countTokens</code>, <code>getModelInfo</code>, and <code>estimateCost</code>. I deleted all of them. The only method the application actually needed was <code>analyze</code>. Everything else was speculative — features I might want someday but didn't need today.</p> <p>If you need streaming later, add a <code>StreamingProvider</code> interface that extends <code>Provider</code>. If you need token counting, add it to the providers that support it. Don't pollute the base interface with capabilities that not every implementation can satisfy.</p> <p>The 50-line Ollama provider worked because the interface was small enough that any LLM API could implement it. That's the goal: an interface so simple that adding a new provider is boring. Boring is good. Boring means your abstraction is right.</p> typescript design ai programming Zod + LLMs: How to Validate AI Responses Without Losing Your Mind Pavel Espitia Mon, 20 Apr 2026 12:02:08 +0000 https://forem.com/pavelespitia/zod-llms-how-to-validate-ai-responses-without-losing-your-mind-4c5j https://forem.com/pavelespitia/zod-llms-how-to-validate-ai-responses-without-losing-your-mind-4c5j <p>You ask an LLM a carefully crafted question with a system prompt demanding JSON output. You get back a beautifully formatted response wrapped in triple backticks, prefixed with "Here's the JSON you requested:", and trailing with "Let me know if you need any changes!" The actual JSON is buried somewhere in the middle. Sometimes it's valid. Sometimes it's not.</p> <p>This is the fundamental challenge of building tools on top of LLMs: they're probabilistic text generators, not API endpoints. And if you're using smaller local models through Ollama, the problem gets worse. Much worse.</p> <p>Here's how I solved it in spectr-ai, an AI-powered smart contract auditor, using Zod for runtime validation.</p> <h2> The Schema Is Your Contract </h2> <p>Every structured response from the LLM passes through a Zod schema. The schema defines exactly what shape the data must have, what types each field must be, and what values are acceptable.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">z</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">zod</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">SeveritySchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span> <span class="dl">"</span><span class="s2">critical</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">high</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">medium</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">low</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">informational</span><span class="dl">"</span><span class="p">,</span> <span class="p">]);</span> <span class="kd">const</span> <span class="nx">VulnerabilitySchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">title</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">severity</span><span class="p">:</span> <span class="nx">SeveritySchema</span><span class="p">,</span> <span class="na">description</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">lineStart</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">int</span><span class="p">().</span><span class="nf">positive</span><span class="p">(),</span> <span class="na">lineEnd</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">int</span><span class="p">().</span><span class="nf">positive</span><span class="p">(),</span> <span class="na">recommendation</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">AuditResultSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">vulnerabilities</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">VulnerabilitySchema</span><span class="p">),</span> <span class="na">summary</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">riskScore</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">0</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="p">});</span> <span class="kd">type</span> <span class="nx">AuditResult</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nx">infer</span><span class="o">&lt;</span><span class="nx">AuditResult</span><span class="o">&gt;</span><span class="p">;</span> </code></pre> </div> <p>The <code>z.infer</code> at the bottom is the magic — your runtime validation and your TypeScript types are derived from the same source. No drift between what you validate and what you type-check.</p> <h2> Extracting JSON from LLM Chaos </h2> <p>LLMs love wrapping their JSON in markdown fences, adding explanatory text, or returning partial objects. The first step is extracting the actual JSON from whatever the model sends back.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">extractJson</span><span class="p">(</span><span class="nx">raw</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="c1">// Strip markdown code fences</span> <span class="kd">const</span> <span class="nx">fencePattern</span> <span class="o">=</span> <span class="sr">/``</span><span class="err">` </span><span class="p">{</span><span class="o">%</span> <span class="nx">endraw</span> <span class="o">%</span><span class="p">}</span> <span class="p">(?:</span><span class="nx">json</span><span class="p">)?</span><span class="err">\</span><span class="nx">s</span><span class="o">*</span><span class="err">\</span><span class="nx">n</span><span class="p">?([</span><span class="err">\</span><span class="nx">s</span><span class="err">\</span><span class="nx">S</span><span class="p">]</span><span class="o">*</span><span class="p">?)</span><span class="err">\</span><span class="nx">n</span><span class="p">?</span><span class="err">\</span><span class="nx">s</span><span class="o">*</span> <span class="p">{</span><span class="o">%</span> <span class="nx">raw</span> <span class="o">%</span><span class="p">}</span> <span class="s2">```/; const match = raw.match(fencePattern); if (match?.[1]) { return match[1].trim(); } // Try to find a JSON object directly const objectStart = raw.indexOf("{"); const objectEnd = raw.lastIndexOf("}"); if (objectStart !== -1 &amp;&amp; objectEnd &gt; objectStart) { return raw.slice(objectStart, objectEnd + 1); } // Last resort: return the raw string and let Zod handle the error return raw.trim(); } </span></code></pre> </div> <p>This function handles the three most common cases: JSON wrapped in code fences, JSON with surrounding text, and bare JSON. The key insight is that <code>lastIndexOf("}")</code> grabs the outermost closing brace, so even if there's trailing text, you still get the complete object.</p> <h2> safeParse Over parse, Every Time </h2> <p>Zod offers two parsing methods: <code>parse</code> throws on invalid input, <code>safeParse</code> returns a discriminated union. For LLM responses, always use <code>safeParse</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">parseAuditResult</span><span class="p">(</span><span class="nx">raw</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">AuditResult</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">json</span> <span class="o">=</span> <span class="nf">extractJson</span><span class="p">(</span><span class="nx">raw</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">parsed</span><span class="p">:</span> <span class="nx">unknown</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">parsed</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">json</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ParseError</span><span class="p">(</span> <span class="s2">`LLM returned invalid JSON. `</span> <span class="o">+</span> <span class="s2">`First 200 chars: </span><span class="p">${</span><span class="nx">json</span><span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">200</span><span class="p">)}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="nx">AuditResultSchema</span><span class="p">.</span><span class="nf">safeParse</span><span class="p">(</span><span class="nx">parsed</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">result</span><span class="p">.</span><span class="nx">success</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">issues</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">error</span><span class="p">.</span><span class="nx">issues</span> <span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">i</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">` </span><span class="p">${</span><span class="nx">i</span><span class="p">.</span><span class="nx">path</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span><span class="p">)}</span><span class="s2">: </span><span class="p">${</span><span class="nx">i</span><span class="p">.</span><span class="nx">message</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="dl">"</span><span class="se">\n</span><span class="dl">"</span><span class="p">);</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ParseError</span><span class="p">(</span> <span class="s2">`LLM response failed schema validation:\n</span><span class="p">${</span><span class="nx">issues</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">result</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>Why <code>safeParse</code>? Because <code>parse</code> throws a <code>ZodError</code> with a stack trace and internal formatting that's useless for debugging LLM behavior. With <code>safeParse</code>, you control the error message. You can log exactly which fields failed and why, include a preview of the raw response, and surface something actionable to the user.</p> <h2> The Error Messages Matter </h2> <p>When a local model returns garbage, you need to know <em>why</em> it failed. Zod's error issues tell you exactly what went wrong:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">LLM</span><span class="w"> </span><span class="err">response</span><span class="w"> </span><span class="err">failed</span><span class="w"> </span><span class="err">schema</span><span class="w"> </span><span class="err">validation:</span><span class="w"> </span><span class="err">vulnerabilities.</span><span class="mi">0</span><span class="err">.severity:</span><span class="w"> </span><span class="err">Invalid</span><span class="w"> </span><span class="err">enum</span><span class="w"> </span><span class="err">value.</span><span class="w"> </span><span class="err">Expected</span><span class="w"> </span><span class="err">'critical'</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="err">'high'</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="err">'medium'</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="err">'low'</span><span class="w"> </span><span class="err">|</span><span class="w"> </span><span class="err">'informational',</span><span class="w"> </span><span class="err">received</span><span class="w"> </span><span class="err">'Critical'</span><span class="w"> </span><span class="err">riskScore:</span><span class="w"> </span><span class="err">Expected</span><span class="w"> </span><span class="err">number,</span><span class="w"> </span><span class="err">received</span><span class="w"> </span><span class="err">string</span><span class="w"> </span></code></pre> </div> <p>That first error is incredibly common with smaller models — they capitalize enum values, use "High" instead of "high", or invent new severity levels like "moderate". The fix is either to normalize the data before validation or to make your schema more forgiving:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">SeveritySchema</span> <span class="o">=</span> <span class="nx">z</span> <span class="p">.</span><span class="nf">string</span><span class="p">()</span> <span class="p">.</span><span class="nf">transform</span><span class="p">((</span><span class="nx">s</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">s</span><span class="p">.</span><span class="nf">toLowerCase</span><span class="p">())</span> <span class="p">.</span><span class="nf">pipe</span><span class="p">(</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span> <span class="dl">"</span><span class="s2">critical</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">high</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">medium</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">low</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">informational</span><span class="dl">"</span><span class="p">,</span> <span class="p">])</span> <span class="p">);</span> </code></pre> </div> <p>The <code>transform</code> + <code>pipe</code> pattern lets you preprocess the value before validating it. The input is any string, the transform lowercases it, and the pipe validates the transformed value against the enum. Clean and composable.</p> <h2> Handling the riskScore Problem </h2> <p>Models frequently return <code>"85"</code> instead of <code>85</code> — a string instead of a number. You can handle this with <code>z.coerce</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">AuditResultSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">vulnerabilities</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">array</span><span class="p">(</span><span class="nx">VulnerabilitySchema</span><span class="p">),</span> <span class="na">summary</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">riskScore</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nx">coerce</span><span class="p">.</span><span class="nf">number</span><span class="p">().</span><span class="nf">min</span><span class="p">(</span><span class="mi">0</span><span class="p">).</span><span class="nf">max</span><span class="p">(</span><span class="mi">100</span><span class="p">),</span> <span class="p">});</span> </code></pre> </div> <p><code>z.coerce.number()</code> calls <code>Number()</code> on the input first. So <code>"85"</code> becomes <code>85</code>, and <code>"not a number"</code> becomes <code>NaN</code> which fails the subsequent validation. This is the right tradeoff: be lenient on types the model frequently gets wrong, strict on values.</p> <h2> Retry With Context </h2> <p>Sometimes the model just fails. When it does, retry with the error message injected into the prompt:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">async</span> <span class="kd">function</span> <span class="nf">auditWithRetry</span><span class="p">(</span> <span class="nx">provider</span><span class="p">:</span> <span class="nx">Provider</span><span class="p">,</span> <span class="nx">contract</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">maxAttempts</span><span class="p">:</span> <span class="kr">number</span> <span class="o">=</span> <span class="mi">3</span><span class="p">,</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">AuditResult</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">lastError</span> <span class="o">=</span> <span class="dl">""</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">attempt</span> <span class="o">=</span> <span class="mi">1</span><span class="p">;</span> <span class="nx">attempt</span> <span class="o">&lt;=</span> <span class="nx">maxAttempts</span><span class="p">;</span> <span class="nx">attempt</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">prompt</span> <span class="o">=</span> <span class="nx">lastError</span> <span class="p">?</span> <span class="s2">`</span><span class="p">${</span><span class="nx">basePrompt</span><span class="p">}</span><span class="s2">\n\nYour previous response had errors:\n</span><span class="p">${</span><span class="nx">lastError</span><span class="p">}</span><span class="s2">\nPlease fix and respond with valid JSON only.`</span> <span class="p">:</span> <span class="nx">basePrompt</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">raw</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">provider</span><span class="p">.</span><span class="nf">analyze</span><span class="p">(</span><span class="nx">prompt</span><span class="p">,</span> <span class="nx">contract</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="k">return</span> <span class="nf">parseAuditResult</span><span class="p">(</span><span class="nx">raw</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">lastError</span> <span class="o">=</span> <span class="nx">err</span> <span class="k">instanceof</span> <span class="nx">ParseError</span> <span class="p">?</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">err</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span> <span class="s2">`Failed to get valid response after </span><span class="p">${</span><span class="nx">maxAttempts</span><span class="p">}</span><span class="s2"> attempts. Last error: </span><span class="p">${</span><span class="nx">lastError</span><span class="p">}</span><span class="s2">`</span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This works surprisingly well. Most models self-correct when you tell them what went wrong. The key is including the specific Zod error — "severity must be one of critical, high, medium, low, informational" gives the model enough context to fix its output.</p> <h2> What I Learned </h2> <ol> <li><p><strong>Never trust LLM output.</strong> Validate everything at the boundary, just like you would with user input or API responses.</p></li> <li><p><strong>safeParse is non-negotiable.</strong> You need control over error formatting to debug model behavior.</p></li> <li><p><strong>Be lenient on representation, strict on semantics.</strong> Use <code>z.coerce</code> and <code>transform</code> for type mismatches. Keep enum validation tight.</p></li> <li><p><strong>Extract JSON defensively.</strong> Models wrap, prefix, suffix, and annotate their JSON output in creative ways.</p></li> <li><p><strong>Retry with error context.</strong> Models are good at self-correction when you tell them exactly what failed.</p></li> </ol> <p>The combination of Zod's runtime validation and TypeScript's static types gives you a safety net that catches model failures before they propagate through your application. Your schema becomes the contract between your code and the LLM — and unlike the LLM, Zod never hallucinates.</p> typescript ai webdev tutorial I Made a CLI That Talks to Any Smart Contract in Plain English Pavel Espitia Sun, 19 Apr 2026 23:31:44 +0000 https://forem.com/pavelespitia/i-made-a-cli-that-talks-to-any-smart-contract-in-plain-english-1hoi https://forem.com/pavelespitia/i-made-a-cli-that-talks-to-any-smart-contract-in-plain-english-1hoi <p>What if you could just <em>ask</em> a smart contract questions in plain English?</p> <p>"What's the total supply?" → calls <code>totalSupply()</code> → "1,000,000 USDC"<br> "Who is the owner?" → calls <code>owner()</code> → "0x1234...abcd"<br> "How many holders are there?" → "This contract doesn't have a holder count function, but you could check Transfer events."</p> <p>I built <a href="https://github.com/pavelEspitia/abilens" rel="noopener noreferrer">AbiLens</a> — a chat interface for EVM smart contracts. Paste an address, pick a chain, start asking.</p> <h2> How It Works </h2> <p>The architecture is simple — four steps:</p> <h3> 1. Resolve the ABI </h3> <p>When you paste a contract address, AbiLens tries two approaches:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Etherscan API → verified ABI (best case) ↓ (if not verified) whatsabi → reconstruct ABI from bytecode </code></pre> </div> <p><a href="https://github.com/shazow/whatsabi" rel="noopener noreferrer">whatsabi</a> is the secret weapon here. It reads the deployed bytecode, detects function selectors, follows proxy patterns (EIP-1967), and looks up signatures in the 4byte directory. You get a usable ABI even for unverified contracts.</p> <h3> 2. Build Context for the LLM </h3> <p>The system prompt tells the LLM what functions are available:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>You are AbiLens. This contract is USDC at 0xA0b8...eB48 on Ethereum. Available read functions: name() → string symbol() → string decimals() → uint8 totalSupply() → uint256 balanceOf(address account) → uint256 allowance(address owner, address spender) → uint256 </code></pre> </div> <p>The LLM now knows exactly what it can call.</p> <h3> 3. LLM Decides What to Call </h3> <p>When you ask "what's the total supply?", the LLM responds with:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"calls"</span><span class="p">:</span><span class="w"> </span><span class="p">[{</span><span class="nl">"functionName"</span><span class="p">:</span><span class="w"> </span><span class="s2">"totalSupply"</span><span class="p">,</span><span class="w"> </span><span class="nl">"args"</span><span class="p">:</span><span class="w"> </span><span class="p">[]}]}</span><span class="w"> </span></code></pre> </div> <p>AbiLens executes the call using viem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">call</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="nx">contractAddress</span><span class="p">,</span> <span class="na">data</span><span class="p">:</span> <span class="nf">encodeFunctionData</span><span class="p">({</span> <span class="nx">abi</span><span class="p">,</span> <span class="na">functionName</span><span class="p">:</span> <span class="dl">"</span><span class="s2">totalSupply</span><span class="dl">"</span><span class="p">,</span> <span class="na">args</span><span class="p">:</span> <span class="p">[]</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <h3> 4. LLM Explains the Result </h3> <p>The raw result goes back to the LLM: <code>totalSupply() = 43941622816877670</code>. The LLM knows USDC has 6 decimals (it checked <code>decimals()</code> first) and responds:</p> <p>"The total supply of USDC is approximately 43.94 billion tokens."</p> <h2> Supported Chains </h2> <p>AbiLens works with any EVM chain. Currently configured:</p> <ul> <li>Ethereum</li> <li>Base</li> <li>Arbitrum</li> <li>Polygon</li> <li>Optimism</li> <li>Sepolia (testnet)</li> </ul> <p>Adding a new chain is one object in the config.</p> <h2> Unverified Contracts </h2> <p>This is where AbiLens gets interesting. Most tools require a verified ABI from Etherscan. AbiLens doesn't.</p> <p>For unverified contracts, whatsabi reconstructs an approximate ABI. The function names might be generic (<code>function_0x1a2b3c</code>), but the types are correct. The LLM adapts:</p> <p>"This contract has an unverified ABI. I can see a function at selector 0x1a2b3c4d that takes an address and returns a uint256 — this is likely a balance lookup."</p> <h2> The Stack </h2> <ul> <li> <strong>viem</strong> — EVM interaction (lighter than ethers.js, fully typed)</li> <li> <strong>whatsabi</strong> — ABI reconstruction from bytecode</li> <li> <strong>Next.js 15</strong> — Web UI with App Router</li> <li> <strong>Claude / Ollama</strong> — LLM provider (works with both)</li> </ul> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/pavelEspitia/abilens <span class="nb">cd </span>abilens <span class="nb">cp</span> .env.example .env <span class="c"># Add your ETHERSCAN_API_KEY to .env</span> pnpm <span class="nb">install</span> <span class="o">&amp;&amp;</span> pnpm dev </code></pre> </div> <p>Paste the USDC address: <code>0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48</code></p> <p>Ask: "What is this contract and what can I do with it?"</p> <h2> What's Next </h2> <ul> <li>Write support (with wallet connection)</li> <li>Event log querying ("show me the last 10 transfers")</li> <li>Multi-contract conversations ("compare the TVL of these two pools")</li> </ul> <p>The code is open source at <a href="https://github.com/pavelEspitia/abilens" rel="noopener noreferrer">github.com/pavelEspitia/abilens</a>.</p> web3 ai typescript showdev How to Run LLMs Locally with Ollama — A Developer's Guide Pavel Espitia Fri, 17 Apr 2026 15:10:50 +0000 https://forem.com/pavelespitia/how-to-run-llms-locally-with-ollama-a-developers-guide-25nh https://forem.com/pavelespitia/how-to-run-llms-locally-with-ollama-a-developers-guide-25nh <p>You don't need an API key or a cloud subscription to use LLMs. Ollama lets you run models locally on your machine — completely free, completely private. Here's how to set it up and start building with it.</p> <h2> What is Ollama? </h2> <p>Ollama is a tool that downloads, manages, and serves LLMs locally. It exposes an OpenAI-compatible API at <code>localhost:11434</code>, so any code that works with the OpenAI API works with Ollama — zero changes.</p> <h2> Installation </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Linux / WSL</span> curl <span class="nt">-fsSL</span> https://ollama.com/install.sh | sh <span class="c"># macOS</span> brew <span class="nb">install </span>ollama <span class="c"># Windows</span> <span class="c"># Download from https://ollama.com/download</span> </code></pre> </div> <p>Start the server:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ollama serve </code></pre> </div> <h2> Pick a Model </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Code-focused (best for dev tools)</span> ollama pull qwen2.5-coder:7b <span class="c"># 4.7GB, good balance</span> ollama pull qwen2.5-coder:1.5b <span class="c"># 1.0GB, fast, good enough for many tasks</span> ollama pull deepseek-coder-v2 <span class="c"># 8.9GB, top quality</span> <span class="c"># General purpose</span> ollama pull llama3.1:8b <span class="c"># 4.7GB, Meta's latest</span> ollama pull mistral:7b <span class="c"># 4.1GB, fast and capable</span> </code></pre> </div> <p>My recommendation: start with <code>qwen2.5-coder:1.5b</code> for speed, upgrade to <code>7b</code> when you need quality.</p> <h2> Your First API Call </h2> <p>Ollama serves an OpenAI-compatible endpoint. Here's a call with plain <code>fetch</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:11434/v1/chat/completions</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">qwen2.5-coder:7b</span><span class="dl">"</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">"</span><span class="s2">You are a helpful assistant.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Explain what a closure is in JavaScript.</span><span class="dl">"</span> <span class="p">},</span> <span class="p">],</span> <span class="na">temperature</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">stream</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">choices</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">message</span><span class="p">.</span><span class="nx">content</span><span class="p">);</span> </code></pre> </div> <p>That's it. No API key, no SDK, no account.</p> <h2> Structured Output (JSON Mode) </h2> <p>The key to building real tools with LLMs is getting structured output. Tell the model to respond with JSON:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:11434/v1/chat/completions</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="dl">"</span><span class="s2">qwen2.5-coder:7b</span><span class="dl">"</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="s2">`Respond with ONLY valid JSON matching this schema: { "summary": "string", "topics": ["string"], "difficulty": "beginner|intermediate|advanced" }`</span><span class="p">,</span> <span class="p">},</span> <span class="p">{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Analyze this article topic: Building REST APIs with Express.js</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="na">temperature</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">stream</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> </code></pre> </div> <p>Tip: always validate the response with Zod or a similar schema validator. Smaller models sometimes return invalid JSON.</p> <h2> Building a Provider Abstraction </h2> <p>If you want your app to work with both Ollama (local) and Claude/OpenAI (cloud), create a simple interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">LlmProvider</span> <span class="p">{</span> <span class="nf">chat</span><span class="p">(</span><span class="nx">system</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">messages</span><span class="p">:</span> <span class="nx">Message</span><span class="p">[]):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> <span class="kd">class</span> <span class="nc">OllamaProvider</span> <span class="k">implements</span> <span class="nx">LlmProvider</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="nx">model</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{}</span> <span class="k">async</span> <span class="nf">chat</span><span class="p">(</span><span class="nx">system</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">messages</span><span class="p">:</span> <span class="nx">Message</span><span class="p">[]):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">http://localhost:11434/v1/chat/completions</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/json</span><span class="dl">"</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">model</span><span class="p">:</span> <span class="k">this</span><span class="p">.</span><span class="nx">model</span><span class="p">,</span> <span class="na">messages</span><span class="p">:</span> <span class="p">[{</span> <span class="na">role</span><span class="p">:</span> <span class="dl">"</span><span class="s2">system</span><span class="dl">"</span><span class="p">,</span> <span class="na">content</span><span class="p">:</span> <span class="nx">system</span> <span class="p">},</span> <span class="p">...</span><span class="nx">messages</span><span class="p">],</span> <span class="na">temperature</span><span class="p">:</span> <span class="mi">0</span><span class="p">,</span> <span class="na">stream</span><span class="p">:</span> <span class="kc">false</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="nx">data</span><span class="p">.</span><span class="nx">choices</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">message</span><span class="p">.</span><span class="nx">content</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Now your code doesn't care where the model runs. Swap <code>OllamaProvider</code> for <code>AnthropicProvider</code> with a flag.</p> <h2> Performance Tips </h2> <ol> <li> <strong>First call is slow</strong> — the model loads into memory. Subsequent calls are fast.</li> <li> <strong>Keep the server running</strong> — don't start/stop per request.</li> <li> <strong>Use smaller models for dev</strong> — <code>1.5b</code> for iteration, <code>7b</code> for production quality.</li> <li> <strong>Set <code>temperature: 0</code></strong> for deterministic output (important for structured responses).</li> <li> <strong>Add a timeout</strong> — local models on CPU can take minutes for long prompts.</li> </ol> <h2> When to Use Local vs Cloud </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Use Case</th> <th>Local (Ollama)</th> <th>Cloud (Claude/GPT)</th> </tr> </thead> <tbody> <tr> <td>Development</td> <td>Great</td> <td>Expensive</td> </tr> <tr> <td>Privacy-sensitive data</td> <td>Required</td> <td>Risky</td> </tr> <tr> <td>Production quality</td> <td>Good (7b+)</td> <td>Best</td> </tr> <tr> <td>Speed</td> <td>Depends on hardware</td> <td>Fast</td> </tr> <tr> <td>Cost</td> <td>Free</td> <td>Per-token</td> </tr> </tbody> </table></div> <h2> What I Built With It </h2> <p><a href="https://github.com/pavelEspitia/spectr-ai" rel="noopener noreferrer">spectr-ai</a> — an AI smart contract auditor that works with both Claude and Ollama. The <code>--model ollama:qwen2.5-coder:1.5b</code> flag runs everything locally, free, no API key.</p> <p>Local LLMs are good enough for real developer tools. The quality gap is closing fast.</p> ai tutorial beginners typescript 5 Smart Contract Vulnerabilities That AI Catches Better Than Static Analyzers Pavel Espitia Thu, 16 Apr 2026 12:46:45 +0000 https://forem.com/pavelespitia/5-smart-contract-vulnerabilities-that-ai-catches-better-than-static-analyzers-1fef https://forem.com/pavelespitia/5-smart-contract-vulnerabilities-that-ai-catches-better-than-static-analyzers-1fef <p>Static analysis tools like Slither and Mythril are essential for smart contract security. But they work by pattern matching — they can only find what they've been programmed to look for. LLMs reason about code differently. They understand intent, context, and business logic.</p> <p>Here are 5 vulnerability classes where AI consistently outperforms traditional static analyzers.</p> <h2> 1. Business Logic Flaws </h2> <p>Static analyzers check for known patterns: reentrancy, integer overflow, unchecked return values. But they can't understand what your contract is <em>supposed</em> to do.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function withdraw(uint256 amount) external { require(balances[msg.sender] &gt;= amount); balances[msg.sender] -= amount; payable(msg.sender).transfer(amount); } </code></pre> </div> <p>A static analyzer sees this as safe — checks-effects-interactions pattern is followed. But an AI auditor can ask: "Should there be a minimum withdrawal? A cooldown period? A daily limit?" It reasons about the <em>business context</em>, not just the code pattern.</p> <h2> 2. Access Control Gaps Across Multiple Functions </h2> <p>Slither will flag a function that's missing <code>onlyOwner</code>. But it won't notice that <code>setFeeRecipient()</code> and <code>withdrawFees()</code> together create a privilege escalation path — even if each function individually looks fine.</p> <p>AI can analyze the interaction between functions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// AI catches: anyone can set themselves as fee recipient, then withdraw function setFeeRecipient(address _recipient) external { feeRecipient = _recipient; } function withdrawFees() external { require(msg.sender == feeRecipient); payable(feeRecipient).transfer(address(this).balance); } </code></pre> </div> <p>The AI output: "These two functions together allow any address to drain the contract. <code>setFeeRecipient</code> has no access control, and <code>withdrawFees</code> only checks the caller matches the recipient — which they just set to themselves."</p> <h2> 3. Incorrect Event Parameters </h2> <p>Static analyzers verify that events exist. They don't verify that the emitted values are correct.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>event Transfer(address indexed from, address indexed to, uint256 amount); function transfer(address to, uint256 amount) external { balances[msg.sender] -= amount; balances[to] += amount; emit Transfer(msg.sender, to, balances[to]); // Bug: emits balance, not amount } </code></pre> </div> <p>An AI catches this because it understands that the <code>Transfer</code> event should emit the <code>amount</code> transferred, not the resulting balance. No static rule covers this — it requires understanding what the event <em>means</em>.</p> <h2> 4. Inconsistent Decimal Handling </h2> <p>DeFi protocols interact with tokens that have different decimal places (USDC has 6, WETH has 18). Static analyzers don't track decimal context across function calls.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function swap(uint256 usdcAmount) external { uint256 ethAmount = usdcAmount * getEthPrice() / 1e18; // Bug: usdcAmount is 6 decimals, but division assumes 18 } </code></pre> </div> <p>AI recognizes that USDC uses 6 decimals and flags the math: "The division by 1e18 assumes 18-decimal precision, but USDC has 6 decimals. This will return values 1e12 times smaller than expected."</p> <h2> 5. Missing Edge Case Handlers </h2> <p>What happens when the array is empty? When the balance is zero? When the deadline has already passed? Static analyzers check for specific known edge cases. AI reasons about all of them.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>function getAveragePrice(uint256[] memory prices) public pure returns (uint256) { uint256 sum; for (uint256 i = 0; i &lt; prices.length; i++) { sum += prices[i]; } return sum / prices.length; // Division by zero if empty array } </code></pre> </div> <p>Beyond the obvious division-by-zero, AI also asks: "What if one price is extremely large and causes sum to overflow? Should there be a maximum array length to prevent gas exhaustion?"</p> <h2> The Bottom Line </h2> <p>Static analyzers are <em>necessary</em> — they're fast, deterministic, and catch the obvious stuff. But AI auditors add a layer that reasons about intent, context, and cross-function interactions.</p> <p>The best approach: run both. Use Slither/Mythril for deterministic checks, then use an AI auditor for the things only reasoning can catch.</p> <p>If you want to try this yourself:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Free, local, no API key needed</span> ollama pull qwen2.5-coder:1.5b npx spectr-ai <span class="nt">--model</span> ollama:qwen2.5-coder:1.5b your-contract.sol </code></pre> </div> <p><a href="https://github.com/pavelEspitia/spectr-ai" rel="noopener noreferrer">spectr-ai</a> is open source and works with Claude or local models via Ollama.</p> web3 ai security solidity I Built an AI Smart Contract Auditor in a Weekend — Here's How Pavel Espitia Tue, 14 Apr 2026 18:20:10 +0000 https://forem.com/pavelespitia/i-built-an-ai-smart-contract-auditor-in-a-weekend-heres-how-2kkn https://forem.com/pavelespitia/i-built-an-ai-smart-contract-auditor-in-a-weekend-heres-how-2kkn <p>Smart contract audits cost $5K-$50K and take weeks. I built a CLI tool that catches the same classes of vulnerabilities in seconds, using AI — and it works with free local models too.</p> <h2> What is spectr-ai? </h2> <p><a href="https://github.com/pavelEspitia/spectr-ai" rel="noopener noreferrer">spectr-ai</a> is a command-line tool that analyzes Solidity and Vyper smart contracts for security vulnerabilities, gas optimizations, and best practice violations. It uses Claude (Anthropic's API) or local models via Ollama.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>spectr-ai contracts/Vault.sol </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> CRITICAL — 2 issues ● Reentrancy vulnerability in withdraw() #1 withdraw() at contracts/Vault.sol:20 External call via msg.sender.call() before updating balances. → Apply checks-effects-interactions pattern. ┌─ suggested fix │ function withdraw() public { │ uint256 amount = balances[msg.sender]; │ balances[msg.sender] = 0; │ (bool success, ) = msg.sender.call{value: amount}(""); │ require(success, "Transfer failed"); │ } └─ ┌────────────────────────────────────────┐ │ Summary │ │ ● critical 2 ████████████████ │ │ ● high 1 ████████ │ │ ▲ medium 1 ████████ │ │ RISK: CRITICAL │ └────────────────────────────────────────┘ </code></pre> </div> <h2> Why I Built It </h2> <p>I'm a fullstack TypeScript developer getting deeper into blockchain and AI. The intersection of these two fields has a clear gap: <strong>security tooling that's accessible to individual developers</strong>.</p> <p>Static analyzers like Slither and Mythril are powerful but limited to pattern matching. They can't reason about business logic or explain <em>why</em> something is dangerous. LLMs can.</p> <p>The question was: can an LLM reliably audit smart contracts and produce structured, actionable output?</p> <h2> The Architecture </h2> <p>spectr-ai is intentionally simple — ~800 lines of TypeScript across 12 source files:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>src/ cli.ts → Arg parsing, orchestration analyzer.ts → Sends contract to provider, parses response provider.ts → Anthropic + Ollama abstraction schema.ts → Zod validation of model responses prompts.ts → Language-specific system prompts validator.ts → Input validation (Solidity + Vyper) formatter.ts → Color terminal output sarif.ts → SARIF format for GitHub Code Scanning html.ts → Self-contained HTML reports files.ts → Recursive file finder diff.ts → Git diff integration watcher.ts → File watch mode </code></pre> </div> <h3> Key Design Decisions </h3> <p><strong>1. Provider abstraction over SDK lock-in</strong></p> <p>Instead of coupling to the Anthropic SDK, I created a <code>Provider</code> interface:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kr">interface</span> <span class="nx">Provider</span> <span class="p">{</span> <span class="nf">complete</span><span class="p">(</span><span class="nx">system</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">userMessage</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">CompletionResult</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This let me add Ollama support in ~50 lines. The <code>OllamaProvider</code> uses the OpenAI-compatible endpoint at <code>localhost:11434</code> — zero additional dependencies.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Free, local, no API key</span> spectr-ai <span class="nt">--model</span> ollama:qwen2.5-coder:7b contracts/ </code></pre> </div> <p><strong>2. Structured output with Zod validation</strong></p> <p>LLMs sometimes return malformed JSON, especially smaller models. Instead of blindly <code>JSON.parse</code>-ing, every response is validated against a Zod schema:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">issueSchema</span> <span class="o">=</span> <span class="nx">z</span><span class="p">.</span><span class="nf">object</span><span class="p">({</span> <span class="na">severity</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">enum</span><span class="p">([</span><span class="dl">"</span><span class="s2">critical</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">high</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">medium</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">low</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">info</span><span class="dl">"</span><span class="p">]),</span> <span class="na">title</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">location</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">description</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">recommendation</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">(),</span> <span class="na">codefix</span><span class="p">:</span> <span class="nx">z</span><span class="p">.</span><span class="nf">string</span><span class="p">().</span><span class="nf">optional</span><span class="p">(),</span> <span class="p">});</span> </code></pre> </div> <p>When validation fails, the error message tells you exactly what the model got wrong — instead of a cryptic <code>undefined is not an object</code> deep in the formatter.</p> <p><strong>3. Multiple output formats for different workflows</strong></p> <ul> <li> <strong>Text</strong> (default): Color-coded terminal output grouped by severity</li> <li> <strong>JSON</strong>: Structured data for scripting</li> <li> <strong>SARIF</strong>: GitHub Code Scanning integration</li> <li> <strong>HTML</strong>: Self-contained audit report you can share</li> </ul> <p>This means spectr-ai fits into CI pipelines, PR reviews, and manual audits.</p> <p><strong>4. Language-specific prompts</strong></p> <p>Solidity and Vyper have different vulnerability profiles. The system prompt adapts:</p> <ul> <li> <strong>Solidity</strong>: reentrancy, tx.origin, delegatecall, selfdestruct</li> <li> <strong>Vyper</strong>: raw_call misuse, storage collisions, default visibility, @nonreentrant limitations</li> </ul> <h2> What I Learned </h2> <h3> LLMs are surprisingly good at security analysis </h3> <p>The model consistently catches the OWASP-equivalent vulnerabilities in smart contracts — reentrancy, access control, integer handling, input validation. For a contract like the classic "VulnerableVault", it finds every intentional vulnerability and suggests correct fixes.</p> <h3> Smaller models are usable but not great </h3> <p>I tested with <code>qwen2.5-coder:1.5b</code> (runs on CPU, free). It finds the right vulnerabilities but the code fixes are generic ("add access control" instead of actual code). The 7B model is better but needs a GPU or patience. Claude Sonnet produces the best output by far.</p> <h3> Structured output is the hard part </h3> <p>Getting the model to return valid JSON with the exact schema you want is the main engineering challenge. The combination of a strict system prompt + Zod validation + markdown fence stripping handles 99% of cases.</p> <h3> CI integration is the killer feature </h3> <p>The <code>--fail-on</code> flag with exit codes makes spectr-ai a CI gate:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Fail the pipeline if medium+ issues are found</span> spectr-ai <span class="nt">--fail-on</span> medium <span class="nt">--json</span> contracts/ <span class="o">||</span> <span class="nb">exit </span>1 </code></pre> </div> <p>Combined with <code>--diff HEAD~1</code>, you only analyze changed contracts per PR — saving tokens and time.</p> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># With Claude</span> <span class="nb">export </span><span class="nv">ANTHROPIC_API_KEY</span><span class="o">=</span>sk-ant-... npx spectr-ai examples/vulnerable.sol <span class="c"># With Ollama (free)</span> ollama pull qwen2.5-coder:1.5b npx spectr-ai <span class="nt">--model</span> ollama:qwen2.5-coder:1.5b examples/vulnerable.sol </code></pre> </div> <p>The full source is at <a href="https://github.com/pavelEspitia/spectr-ai" rel="noopener noreferrer">github.com/pavelEspitia/spectr-ai</a>. MIT licensed.</p> <h2> What's Next </h2> <ul> <li>Rate limit retry with exponential backoff for multi-file analysis</li> <li>Streaming output (see results as the model generates)</li> <li>Comparative mode (before/after analysis)</li> <li>Support for more chains (Cairo for StarkNet, Move for Aptos)</li> </ul> <p>If you're building with smart contracts and want to catch vulnerabilities before deployment, give spectr-ai a try. And if you have ideas or find bugs, <a href="https://github.com/pavelEspitia/spectr-ai/issues" rel="noopener noreferrer">open an issue</a>.</p> web3 ai security typescript