Proof: npm test passed 166/166; npm run operator-dashboard:build passed; focused dashboard static tests cover removing the 20-row asset registry cap and requesting 250 catalog rows.
Assumptions: Current 1Click import has 163 supported tokens, so a 250-row dashboard catalog cap exposes the full current catalog while keeping the bootstrap bounded.
Still fake: no live funds movement; imported assets remain catalog-visible only unless explicitly inventory/trading enabled.
Proof: npm test passed 159/159; npm run operator-dashboard:build passed; repo-local Postgres importer smoke test imported 163 live 1Click tokens with only 3 inventory-enabled seed assets and nBTC/EURe pairs at 49 bps.
Assumptions: Forgejo main push is the repo deployment path; production has existing repo-managed POSTGRES_URL/POSTGRES_PASSWORD/NEAR_INTENTS_API_KEY secrets; startup seed may create initial current nBTC/EURe config but must preserve DB runtime pair flags after creation.
Still fake: no live funds movement was attempted; imported supported assets remain catalog-only unless explicitly enabled in DB; production rollout evidence still depends on the Forgejo deploy job completing after this push.
Proof: npm test; npm run operator-dashboard:build; live NEAR Intents status API normalized the current HOT destination-chain incident as operational for btc:mainnet and eth:100 tracked assets.
Assumptions: BSC, MONAD, XLAYER, PLASMA, POL, TON, OP, AVAX, STELLAR, and ADI incidents do not block our configured BTC/Gnosis NEAR Intents quote or executor paths unless the official incident also names core 1Click, solver, message bus, protocol-wide swaps, BTC, or Gnosis scope.
Still fake: Status relevance is text/service scoped to configured assets; it is not backed by a venue-provided per-asset machine-readable impact matrix.
Proof: npm test (147 passing); npm run operator-dashboard:build; git diff --cached --check.
Assumptions: Bridge recent_deposits created_at is the authoritative source time for deposit activity; rows without created_at must be deduped to their earliest observed status instead of the latest replay ingestion.
Still fake: No fund movement or bridge migration was performed; ntfy messages already sent before this fix cannot be unsent.
Proof: npm test (140 passing); npm run operator-dashboard:build; git diff --cached --check.
Assumptions: Events older than HISTORY_WRITER_DERIVED_REFRESH_MAX_EVENT_AGE_MS are replay/backfill work; writing them remains required, but expensive derived portfolio/outcome refreshes can wait until the writer reaches fresh events.
Still fake: This does not move or migrate BTC assets; it only improves durable catch-up so fresh inventory can reach request preflight.
Proof: npm test (138 passing); npm run operator-dashboard:build; git diff --cached --check.
Assumptions: Bridge deposits expose near_token_id/intents_token_id for credited asset attribution; nBTC is the solver trading reserve while btc.omft.near remains a tracked legacy BTC wrapper.
Still fake: No live asset migration was submitted; existing btc.omft.near balance is only tracked and withdrawable until a separately approved conversion or withdrawal is executed.
Proof: npm test; node --test test/history-writer-static.test.mjs test/kafka-topics.test.mjs test/environment-status-history.test.mjs; node --check src/apps/history-writer.mjs.
Assumptions: Durable history consumers are idempotent by event_id, so from-beginning subscription is safe when a topic has no committed group offset.
Still fake: This protects durable event capture for repo-owned Kafka topics; it does not backfill events that were never published to Kafka.
Proof: npm test; npm run operator-dashboard:build; node --test test/near-intents-status.test.mjs test/environment-status-history.test.mjs test/operator-dashboard.test.mjs test/operator-dashboard-ui-static.test.mjs test/ops-sentinel-static.test.mjs; PYTHONPATH=. python3 test/repo_deployments_test.py; kubectl kustomize deploy/k8s/base.
Assumptions: NEAR Intents public status page API remains the official upstream environmental-status source; status fingerprint changes are the durable boundary for saving environmental history.
Still fake: This stores and displays official upstream status changes, but it does not create an alternate quote source or make NEAR quoting operational during an upstream pause.
Proof: npm test; npm run operator-dashboard:build; node --test test/near-intents-status.test.mjs test/operator-dashboard.test.mjs test/operator-dashboard-ui-static.test.mjs; PYTHONPATH=. python3 test/repo_deployments_test.py; kubectl kustomize deploy/k8s/base; live normalization against https://status.near-intents.org returned disrupted/upstream paused for the current 1Click quoting pause.
Assumptions: NEAR Intents public status page API is the official upstream disruption source for operator display; relay websocket reachability remains separately observed by ingest and executor state.
Still fake: This does not add an alternate quote source or recover trading while NEAR Intents quoting is paused; it only makes the upstream disruption explicit and separates it from local service freshness.
Proof: npm test; npm run operator-dashboard:build; PYTHONPATH=. python3 test/render_release_manifest_test.py; PYTHONPATH=. python3 test/repo_deployments_test.py; PYTHONPATH=. python3 test/ntfy_manifest_test.py; kubectl kustomize deploy/k8s/base.
Assumptions: notifications should be emitted by history-writer after durable writes and outcome refreshes, and only for credited deposits, completed withdrawals, and completed trades with linked inventory movement evidence.
Still fake: Generic alert notification policy is not re-enabled; withdrawal submitted notifications are not emitted; old historical outcomes are not backfilled as notifications; fee-complete realized PnL is still unavailable.
Proof: npm test; npm run operator-dashboard:build; PYTHONPATH=. python3 test/render_release_manifest_test.py; PYTHONPATH=. python3 test/repo_deployments_test.py
Assumptions: Kafka live topics carry normalized quote, decision, command, and execution result envelopes; durable quote outcomes still refresh through history/bootstrap when inventory attribution is recomputed.
Still fake: Venue-native terminal fill events and fee-complete realized PnL remain unavailable; submitted and relay-accepted evidence still cannot prove settlement without durable inventory movement.
Proof: Live dashboard preflight waited through the generic 3s proxy timeout while trade-executor later recorded solver_quote_unanswered after the 10s relay quote wait. Request controls now use action-aware timeouts and unanswered requests render with plain reason text.
Assumptions: Own-request preflight needs at least quote_timeout plus small overhead; submit needs publish plus relay-status wait. Generic service refresh controls should keep the shorter dashboard upstream timeout.
Still fake: This does not create external solver liquidity; it only lets the dashboard observe whether the request was answered, submitted, or blocked without timing out first.
Proof: Live dashboard preflight returned an empty client response because an upstream control timeout rejected outside the server catch path and restarted operator-dashboard. The server now awaits API handlers, wraps control proxy failures, and returns structured JSON errors instead of crashing.
Assumptions: A timed-out control proxy should be observable as a dashboard control failure, not as process death. Returning 504/502 JSON is safer than treating the action as successful or hiding the upstream state.
Still fake: This does not make unanswered solver quote requests fill; it only makes the dashboard control surface truthful and non-crashing for failed or timed-out controls.
Proof: Live dashboard-triggered request settled at the relay without the expected EURe decrease and BTC increase, exposing self-matching between our taker preflight and our maker responder. This change suppresses maker quote responses while an own-request preflight is collecting solver quotes, refreshes relay status before outcome derivation, and records relay SETTLED without expected durable inventory delta as failed rather than completed or not_filled.
Assumptions: Suppressing maker responses during the short quote RPC window prevents our own quote from being selected for our own taker request. Relay SETTLED remains insufficient for success unless durable inventory shows the expected source decrease and destination increase.
Still fake: Venue-native fill id parsing and fee-complete realized PnL for request-created trades are still not modeled; completed still depends on durable inventory delta attribution.
Proof: Adds repo-owned EURe-to-BTC request preflight, signing, gated live submission, durable request/result/outcome persistence, dashboard request lifecycle rows, and tests proving submitted/relay accepted are not completed without inventory movement.
Assumptions: The NEAR Intents solver relay quote, publish_intent, and get_status JSON-RPC methods accept signed raw_ed25519 token_diff payloads with quote_hashes; live validation remains bounded to 5 EUR per attempt, at most five attempts, and 200 bps slippage.
Still fake: Venue-native terminal fill linkage and fee-complete realized PnL are still unavailable; request completion is attributed from durable inventory deltas unless the venue later exposes a linked settlement id.
Proof: ops-sentinel runtime evaluation no longer throws ReferenceError while checking disabled executor containment; covered by a regression test and full npm test.
Assumptions: Runtime containment remains intentionally disabled by shouldContainExecutorForAlerts returning false; this change only restores the symbol needed for evaluation to complete.
Still fake: Alert surfaces remain suppressed per the current safety/alert simplification; venue-native terminal fill events and realized per-trade PnL are still unavailable.
Proof: Adds a durable quote outcome attribution model, refreshes it from submitted execution results plus inventory snapshots, and updates dashboard lifecycle rows so submitted, blocked, rejected, not-filled, and completed states are separated by durable evidence. Lowers the approved live strategy edge threshold to 1.49%.
Assumptions: Exact asset-unit inventory deltas inside the attribution window are acceptable as heuristic settlement evidence for the active BTC/EURe NEAR Intents path when the uncertainty is stored and shown. Deadline-plus-inventory non-fill is inferred until venue terminal events are persisted.
Still fake: No venue-native terminal fill event or per-trade fee/cost ledger is stored yet; heuristic completed and not-filled records remain explicitly labeled as inferred where applicable, and realized net PnL is still not claimed.
Proof: Remove repo-owned automatic safety disarms and operator alert severity surfaces so arming state is no longer silently reverted by stale-quote alerts.
Assumptions: The operator now wants arming to remain explicit and durable even when quote-truth checks are stale or noisy, and simple reachability/state is a better surface than derived alert severity for now.
Still fake: The upstream quote-truth and health heuristics remain unreliable; this change removes their automatic containment effect instead of fixing their underlying accuracy.
Proof: Quote lifecycle truth and execution explanation is rendered from durable quote, decision, command, and execution evidence without treating submission as completion or realized asset movement.
Assumptions: Pushes to main trigger the repo-owned deployment workflow, and current durable records do not yet contain authoritative downstream venue outcomes for recent submissions.
Still fake: Completed and not-filled terminal trade outcomes remain unavailable unless explicit durable outcome evidence is stored; submitted rows therefore remain submission-only evidence.
Proof: Sentinel no longer raises publish-stale before any matching quote exists, preventing false executor auto-disarm during quiet or pre-match periods; regression tests cover both the false case and the real stalled-after-match case.
Assumptions: A publish-path failure is only meaningful after at least one matching quote has been observed for the active pair.
Still fake: The dashboard still lacks deep ingest diagnostics for why quotes are filtered, so pair-filter mismatch analysis is not yet visible at a glance.
Proof: Sentinel auto-containment now ignores quote-stale-only conditions, executor arming is exposed in the dashboard safe controls, and regression tests cover both containment gating and control routing.
Assumptions: Quote silence alone is not sufficient evidence of a broken execution truth path, while ingest disconnect, publish stall, and history-writer stall remain containment-grade failures.
Still fake: Live deployment still depends on the repo pipeline completing for this commit; executor disarm provenance is still not durably explained in the dashboard.
Proof: Runtime health sentinel, alert routing, and anomaly detection for stale/disconnected quote truth, truthful dashboard severity, webhook notifications, and safe executor containment.
Assumptions: Existing control APIs remain the service-local truth surface; external notification stays as a generic webhook sink; executor disarm is an allowed non-fund-moving containment action; current dashboard/operator files in the worktree belong to this turn and are intended to ship together.
Still fake: No live external receiver is configured; webhook delivery is implemented but unverified end-to-end in production; cluster rollout still depends on deploying the new image; no automatic deployment restart path was added.
Proof: Strategy and executor arm state now survives pod restarts through durable control-state files mounted in their service state directories.
Assumptions: The strategy-state PVC can be seeded before the first rollout restart, and both service state directories remain writable on the cluster.
Still fake: Armed-state durability is local to the cluster volumes; there is no cross-cluster or database-backed operator control-state replication.
Proof: Implement the active turn for pre-credit funding visibility and durable operator alerts while keeping spendable inventory truth limited to bridge/verifier credit.
Assumptions: The BTC deposit handle can be observed through a mempool.space-compatible API, bridge recent_deposits remains the credit truth for correlation, and pausing market-reference-ingest or inventory-sync briefly for alert validation is safe without disarming strategy or executor.
Still fake: Gnosis pre-credit observation is not implemented, executor failure alert validation may still depend on an existing real failure unless a separate live failure is explicitly approved, and a new live deposit is still required to prove a fresh pre-credit-to-credit path if no suitable recent funding exists.
Proof: Persist portfolio value and PnL snapshots from the live inventory and reference-price path so operators can inspect trading performance from repo-controlled data.
Assumptions: The last credited inventory snapshot before the first live command is the correct baseline for trade-driven PnL, and EURe remains explicit 1:1 with EUR.
Still fake: The new portfolio metrics and watch output are implemented and tested locally but are not live until the updated app image is deployed to k3s.
Proof: The funded NEAR Intents operator path should have a stable configured withdrawal destination for the active assets so exits do not depend on retyping recipient addresses.
Assumptions: Active asset withdrawal destinations are long-lived operator settings and can safely live in runtime config; actual withdrawals still require explicit unfreeze and operator action.
Still fake: Strategy and executor remain disarmed, no live trade quote has been submitted, and the live withdrawal transaction itself has not been exercised yet.
Proof: The active NEAR Intents funded market-maker loop needs a first-class operator withdrawal action so funded inventory can be exited through repo-controlled code rather than manual follow-up.
Assumptions: The configured signer key is also a full-access key on the named NEAR account, and external-chain exits for active OMFT assets are triggered by intents.near::ft_withdraw with the token contract as receiver_id plus memo=WITHDRAW_TO:<destination>.
Still fake: Strategy and executor remain disarmed, no live inventory is credited yet, and no live mainnet trade quote has been submitted.
Proof: active BTC/EURe tradeable loop on k3s must expose funding state cleanly, preserve durable history, and avoid inheriting dummy executor state.
Assumptions: retained Kafka topics may contain legacy dummy records; those should be tolerated in history ingestion without weakening the current live command shape.
Still fake: internal inventory is still unfunded, strategy and executor remain disarmed, and no live quote response has been submitted yet.
Proof: first non-mocked tradeable loop for one pair using funded NEAR Intents inventory, Kafka, and PostgreSQL.
Assumptions: solver-side execution is performed by signed token_diff quote responses over the Solver Relay; EURe is treated as 1:1 with EUR; k3s runtime uses unrip-dev.near as the named signer account.
Still fake: signer key is not yet registered on intents.near, strategy and executor remain disarmed by default, and no live mainnet quote response has been submitted from this repo yet.
