Proof: Live dashboard-triggered request settled at the relay without the expected EURe decrease and BTC increase, exposing self-matching between our taker preflight and our maker responder. This change suppresses maker quote responses while an own-request preflight is collecting solver quotes, refreshes relay status before outcome derivation, and records relay SETTLED without expected durable inventory delta as failed rather than completed or not_filled.
Assumptions: Suppressing maker responses during the short quote RPC window prevents our own quote from being selected for our own taker request. Relay SETTLED remains insufficient for success unless durable inventory shows the expected source decrease and destination increase.
Still fake: Venue-native fill id parsing and fee-complete realized PnL for request-created trades are still not modeled; completed still depends on durable inventory delta attribution.
Proof: Live request validation showed a not_filled own-request row still displayed the earlier relay-accepted text; the normalizer now prefers terminal outcome reason text and has a regression test for deadline_elapsed_without_settlement.
Assumptions: Terminal request outcome rows are more decisive than submission result text for operator-facing reason copy.
Still fake: Venue-native fill ids and fee-complete realized PnL remain unavailable; completed still depends on durable inventory delta attribution.
Proof: Adds repo-owned EURe-to-BTC request preflight, signing, gated live submission, durable request/result/outcome persistence, dashboard request lifecycle rows, and tests proving submitted/relay accepted are not completed without inventory movement.
Assumptions: The NEAR Intents solver relay quote, publish_intent, and get_status JSON-RPC methods accept signed raw_ed25519 token_diff payloads with quote_hashes; live validation remains bounded to 5 EUR per attempt, at most five attempts, and 200 bps slippage.
Still fake: Venue-native terminal fill linkage and fee-complete realized PnL are still unavailable; request completion is attributed from durable inventory deltas unless the venue later exposes a linked settlement id.
Proof: NEAR Intents quote ingest now schedules reconnect on websocket error even when the runtime does not emit close; regression test, dashboard build, and full npm test pass.
Assumptions: The observed live ingest outage after the 0.49 percent rollout was caused by the startup socket_error path leaving the websocket disconnected; reconnecting preserves the existing pair filter and topics without changing trading size or funds exposure.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Strategy gross edge threshold is lowered to the user-approved 0.49 percent in repo defaults and Kubernetes deploy config; targeted threshold tests, dashboard build, and full npm test pass.
Assumptions: User explicitly approved lowering below the previous 0.99 percent threshold for the active BTC/EURe NEAR Intents pair; max notional and funds exposure are unchanged.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Strategy gross edge threshold is lowered to the user-approved 0.99 percent in repo defaults and Kubernetes deploy config; targeted threshold tests, dashboard build, and full npm test pass.
Assumptions: User explicitly approved lowering below the previous 1.49 percent guard for the active BTC/EURe NEAR Intents pair; max notional and funds exposure are unchanged.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Live investigation found the executor could stay disconnected from the solver relay after websocket error without close; relay client now reconnects after error and request timeout covers connection wait. Added regression coverage and npm test passes.
Assumptions: Historical relay OK responses were technically accepted and mostly not filled because they were not selected or settled, while the current disconnected relay state was a repo-side runtime bug affecting new submissions.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Mobile dashboard status bar now uses static document flow below 720px; static UI regression test, dashboard build, and full npm test pass.
Assumptions: The viewport-covering mobile issue is caused by the sticky status bar occupying too much of the small screen while pinned.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Operator dashboard now renders one full-width quote lifecycle table and one successful-trades-only table from durable lifecycle evidence; targeted dashboard tests, dashboard build, and full npm test pass.
Assumptions: Gross edge estimate is edge percent times EUR notional and is labeled separately from realized PnL; realized per-trade PnL remains unavailable until fee and venue-terminal fill data are stored.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: ops-sentinel runtime evaluation no longer throws ReferenceError while checking disabled executor containment; covered by a regression test and full npm test.
Assumptions: Runtime containment remains intentionally disabled by shouldContainExecutorForAlerts returning false; this change only restores the symbol needed for evaluation to complete.
Still fake: Alert surfaces remain suppressed per the current safety/alert simplification; venue-native terminal fill events and realized per-trade PnL are still unavailable.
Proof: Fixes quote outcome expiry so no-settlement submissions age to not_filled using the latest durable inventory snapshot, even when the last actual inventory movement is older.
Assumptions: A later unchanged inventory snapshot after the quote deadline plus settlement grace is valid evidence that no matching settled inventory delta occurred in the repo-owned path.
Still fake: Not-filled remains inferred from deadline plus inventory evidence until venue-native terminal outcome events are persisted.
Proof: Adds a durable quote outcome attribution model, refreshes it from submitted execution results plus inventory snapshots, and updates dashboard lifecycle rows so submitted, blocked, rejected, not-filled, and completed states are separated by durable evidence. Lowers the approved live strategy edge threshold to 1.49%.
Assumptions: Exact asset-unit inventory deltas inside the attribution window are acceptable as heuristic settlement evidence for the active BTC/EURe NEAR Intents path when the uncertainty is stored and shown. Deadline-plus-inventory non-fill is inferred until venue terminal events are persisted.
Still fake: No venue-native terminal fill event or per-trade fee/cost ledger is stored yet; heuristic completed and not-filled records remain explicitly labeled as inferred where applicable, and realized net PnL is still not claimed.
Proof: Operator dashboard now starts from successful trades with linked outcome evidence, keeps submitted-only rows in awaiting/no-trade buckets, and explains why recent quotes are not proven asset-changing trades.
Assumptions: Until durable terminal outcome and settlement attribution are implemented, successful trade count must remain zero for submitted-only evidence.
Still fake: Per-quote terminal outcome and settled asset delta plumbing is still not implemented; the page now exposes that absence directly instead of hiding it behind submission counts.
Proof: Remove repo-owned automatic safety disarms and operator alert severity surfaces so arming state is no longer silently reverted by stale-quote alerts.
Assumptions: The operator now wants arming to remain explicit and durable even when quote-truth checks are stale or noisy, and simple reachability/state is a better surface than derived alert severity for now.
Still fake: The upstream quote-truth and health heuristics remain unreliable; this change removes their automatic containment effect instead of fixing their underlying accuracy.
Proof: Operator-facing dashboard payloads no longer expose the forbidden actionable decision vocabulary while preserving lifecycle truth and executor-versus-strategy separation.
Assumptions: Existing stored decision records may still use actionable internally, so the dashboard layer must normalize them before exposure.
Still fake: Downstream venue completion evidence is still unavailable for submission-only rows, so submitted remains a non-terminal evidence state.
Proof: Quote lifecycle truth and execution explanation is rendered from durable quote, decision, command, and execution evidence without treating submission as completion or realized asset movement.
Assumptions: Pushes to main trigger the repo-owned deployment workflow, and current durable records do not yet contain authoritative downstream venue outcomes for recent submissions.
Still fake: Completed and not-filled terminal trade outcomes remain unavailable unless explicit durable outcome evidence is stored; submitted rows therefore remain submission-only evidence.
Proof: Dashboard copy now describes durable submitted quote responses as submissions rather than successful trades or asset deltas, and regression coverage locks the new wording in place.
Assumptions: The current durable execution result still means quote-response submission, not settled execution or realized inventory change.
Still fake: The backend still stores and aggregates these rows under trade-oriented names, and the full quote lifecycle model is still the active follow-up turn.
Proof: Sentinel no longer raises publish-stale before any matching quote exists, preventing false executor auto-disarm during quiet or pre-match periods; regression tests cover both the false case and the real stalled-after-match case.
Assumptions: A publish-path failure is only meaningful after at least one matching quote has been observed for the active pair.
Still fake: The dashboard still lacks deep ingest diagnostics for why quotes are filtered, so pair-filter mismatch analysis is not yet visible at a glance.
Proof: Sentinel auto-containment now ignores quote-stale-only conditions, executor arming is exposed in the dashboard safe controls, and regression tests cover both containment gating and control routing.
Assumptions: Quote silence alone is not sufficient evidence of a broken execution truth path, while ingest disconnect, publish stall, and history-writer stall remain containment-grade failures.
Still fake: Live deployment still depends on the repo pipeline completing for this commit; executor disarm provenance is still not durably explained in the dashboard.
Proof: Automatic rollout now reconciles a repo-owned deployment list that explicitly includes operator-dashboard, instead of depending on mutable Forgejo variables or deployment metadata labels.
Assumptions: Repo-owned application deployments are the set enumerated in scripts/deploy/repo_deployments.py and each deployment still uses container name app for image updates.
Still fake: Forgejo still shows older workflow behavior on prior runs, so this commit must be validated by one more push-driven deployment cycle.
Proof: Push-driven repo workflow now renders and applies the built image across all repo-owned deployments instead of resetting services to placeholder images or relying on a manual rollout list.
Assumptions: All repo-owned workloads that should roll on push carry app.kubernetes.io/part-of= in the manifests, and namespace bootstrap can happen before the image build without applying placeholder deployments.
Still fake: This turn fixes the repo deployment path in code, but I have not yet exercised the new Forgejo workflow end-to-end from a fresh push on the cluster.
Proof: Dashboard system controls and alert history stay operator-legible under runtime health flapping without implying nonexistent arm behavior.
Assumptions: Manual executor arming remains intentionally absent from the dashboard for this turn, so resume should mean intake resume only.
Still fake: Ops-sentinel still emits raw runtime transition churn underneath; this change collapses it in the dashboard instead of changing runtime alert hysteresis.
Proof: Connected ingest without recent quotes now renders as a warning-level no-recent-quotes state instead of a generic critical service failure, while disconnected and publish-stalled cases remain critical.
Assumptions: Operators need transport failure and quote-quiet conditions separated on the service card; stale quote truth should still block trust without pretending the websocket is broken.
Still fake: External alert delivery remains unconfigured; live alert routing is still through the generic webhook path only when configured.
Proof: Runtime health sentinel, alert routing, and anomaly detection for stale/disconnected quote truth, truthful dashboard severity, webhook notifications, and safe executor containment.
Assumptions: Existing control APIs remain the service-local truth surface; external notification stays as a generic webhook sink; executor disarm is an allowed non-fund-moving containment action; current dashboard/operator files in the worktree belong to this turn and are intended to ship together.
Still fake: No live external receiver is configured; webhook delivery is implemented but unverified end-to-end in production; cluster rollout still depends on deploying the new image; no automatic deployment restart path was added.
Proof: Strategy and executor arm state now survives pod restarts through durable control-state files mounted in their service state directories.
Assumptions: The strategy-state PVC can be seeded before the first rollout restart, and both service state directories remain writable on the cluster.
Still fake: Armed-state durability is local to the cluster volumes; there is no cross-cluster or database-backed operator control-state replication.
Proof: Implement the active turn for pre-credit funding visibility and durable operator alerts while keeping spendable inventory truth limited to bridge/verifier credit.
Assumptions: The BTC deposit handle can be observed through a mempool.space-compatible API, bridge recent_deposits remains the credit truth for correlation, and pausing market-reference-ingest or inventory-sync briefly for alert validation is safe without disarming strategy or executor.
Still fake: Gnosis pre-credit observation is not implemented, executor failure alert validation may still depend on an existing real failure unless a separate live failure is explicitly approved, and a new live deposit is still required to prove a fresh pre-credit-to-credit path if no suitable recent funding exists.
Proof: Persist portfolio value and PnL snapshots from the live inventory and reference-price path so operators can inspect trading performance from repo-controlled data.
Assumptions: The last credited inventory snapshot before the first live command is the correct baseline for trade-driven PnL, and EURe remains explicit 1:1 with EUR.
Still fake: The new portfolio metrics and watch output are implemented and tested locally but are not live until the updated app image is deployed to k3s.
Proof: The funded NEAR Intents operator path should have a stable configured withdrawal destination for the active assets so exits do not depend on retyping recipient addresses.
Assumptions: Active asset withdrawal destinations are long-lived operator settings and can safely live in runtime config; actual withdrawals still require explicit unfreeze and operator action.
Still fake: Strategy and executor remain disarmed, no live trade quote has been submitted, and the live withdrawal transaction itself has not been exercised yet.
Proof: The active NEAR Intents funded market-maker loop needs a first-class operator withdrawal action so funded inventory can be exited through repo-controlled code rather than manual follow-up.
Assumptions: The configured signer key is also a full-access key on the named NEAR account, and external-chain exits for active OMFT assets are triggered by intents.near::ft_withdraw with the token contract as receiver_id plus memo=WITHDRAW_TO:<destination>.
Still fake: Strategy and executor remain disarmed, no live inventory is credited yet, and no live mainnet trade quote has been submitted.
Proof: Liquidity manager must persist live deposit handles and funding observations so the active NEAR Intents proof can reach credited inventory and real execution.
Assumptions: Services commonly mutate store.getState() in place before calling setState, so the state store must preserve same-reference updates instead of clearing them.
Still fake: Strategy and executor remain disarmed, no live inventory is credited yet, and no live mainnet quote response has been sent.
Proof: active BTC/EURe tradeable loop on k3s must expose funding state cleanly, preserve durable history, and avoid inheriting dummy executor state.
Assumptions: retained Kafka topics may contain legacy dummy records; those should be tolerated in history ingestion without weakening the current live command shape.
Still fake: internal inventory is still unfunded, strategy and executor remain disarmed, and no live quote response has been submitted yet.
Proof: first non-mocked tradeable loop for one pair using funded NEAR Intents inventory, Kafka, and PostgreSQL.
Assumptions: solver-side execution is performed by signed token_diff quote responses over the Solver Relay; EURe is treated as 1:1 with EUR; k3s runtime uses unrip-dev.near as the named signer account.
Still fake: signer key is not yet registered on intents.near, strategy and executor remain disarmed by default, and no live mainnet quote response has been submitted from this repo yet.
