Proof: Preserve the completed implementation turn and record its outcome in the tracked archive.
Assumptions: The archived files capture the relevant planning state for the completed turn.
Still fake: Archiving does not validate the work by itself; external evidence still governs whether the result is trustworthy.
Proof: Adds a durable quote outcome attribution model, refreshes it from submitted execution results plus inventory snapshots, and updates dashboard lifecycle rows so submitted, blocked, rejected, not-filled, and completed states are separated by durable evidence. Lowers the approved live strategy edge threshold to 1.49%.
Assumptions: Exact asset-unit inventory deltas inside the attribution window are acceptable as heuristic settlement evidence for the active BTC/EURe NEAR Intents path when the uncertainty is stored and shown. Deadline-plus-inventory non-fill is inferred until venue terminal events are persisted.
Still fake: No venue-native terminal fill event or per-trade fee/cost ledger is stored yet; heuristic completed and not-filled records remain explicitly labeled as inferred where applicable, and realized net PnL is still not claimed.
Proof: Operator dashboard now starts from successful trades with linked outcome evidence, keeps submitted-only rows in awaiting/no-trade buckets, and explains why recent quotes are not proven asset-changing trades.
Assumptions: Until durable terminal outcome and settlement attribution are implemented, successful trade count must remain zero for submitted-only evidence.
Still fake: Per-quote terminal outcome and settled asset delta plumbing is still not implemented; the page now exposes that absence directly instead of hiding it behind submission counts.
Proof: Remove repo-owned automatic safety disarms and operator alert severity surfaces so arming state is no longer silently reverted by stale-quote alerts.
Assumptions: The operator now wants arming to remain explicit and durable even when quote-truth checks are stale or noisy, and simple reachability/state is a better surface than derived alert severity for now.
Still fake: The upstream quote-truth and health heuristics remain unreliable; this change removes their automatic containment effect instead of fixing their underlying accuracy.
Proof: Open the next implementation turn focused on durable downstream outcome linkage and settled inventory attribution for executed quotes.
Assumptions: I017 and I018 belong to one coherent proof topic for the active NEAR Intents BTC/EURe path.
Still fake: Planning defines the next truth gap and validation target, but no downstream outcome or settlement attribution implementation exists yet.
Proof: Preserve the completed implementation turn and record its outcome in the tracked archive.
Assumptions: The archived files capture the relevant planning state for the completed turn.
Still fake: Archiving does not validate the work by itself; external evidence still governs whether the result is trustworthy.
Proof: Operator-facing dashboard payloads no longer expose the forbidden actionable decision vocabulary while preserving lifecycle truth and executor-versus-strategy separation.
Assumptions: Existing stored decision records may still use actionable internally, so the dashboard layer must normalize them before exposure.
Still fake: Downstream venue completion evidence is still unavailable for submission-only rows, so submitted remains a non-terminal evidence state.
Proof: Quote lifecycle truth and execution explanation is rendered from durable quote, decision, command, and execution evidence without treating submission as completion or realized asset movement.
Assumptions: Pushes to main trigger the repo-owned deployment workflow, and current durable records do not yet contain authoritative downstream venue outcomes for recent submissions.
Still fake: Completed and not-filled terminal trade outcomes remain unavailable unless explicit durable outcome evidence is stored; submitted rows therefore remain submission-only evidence.
Proof: The active quote-lifecycle turn now explicitly requires semantic truth, forbidden overclaim labels, negative invariant tests, and naming cleanup so submission evidence cannot be presented as trade completion.
Assumptions: The repo can derive truthful first-pass quote lifecycle states from existing decision and execution records, and prevention should be enforced by code and tests rather than reviewer memory.
Still fake: This commit only tightens the live planning docs; the implementation work to rename legacy fields and derive lifecycle-backed summaries is still outstanding.
Proof: Dashboard copy now describes durable submitted quote responses as submissions rather than successful trades or asset deltas, and regression coverage locks the new wording in place.
Assumptions: The current durable execution result still means quote-response submission, not settled execution or realized inventory change.
Still fake: The backend still stores and aggregates these rows under trade-oriented names, and the full quote lifecycle model is still the active follow-up turn.
Proof: Archive the completed runtime-health turn and open a new implementation turn that replaces ambiguous quote verdicts with explicit lifecycle truth and durable execution explanation.
Assumptions: Recent decision and execution records already contain enough repo-owned evidence to derive a truthful first-pass quote lifecycle for the active pair.
Still fake: The new turn is planning state only; the dashboard still contains the existing lifecycle ambiguity until this proof is implemented.
Proof: Sentinel no longer raises publish-stale before any matching quote exists, preventing false executor auto-disarm during quiet or pre-match periods; regression tests cover both the false case and the real stalled-after-match case.
Assumptions: A publish-path failure is only meaningful after at least one matching quote has been observed for the active pair.
Still fake: The dashboard still lacks deep ingest diagnostics for why quotes are filtered, so pair-filter mismatch analysis is not yet visible at a glance.
Proof: Sentinel auto-containment now ignores quote-stale-only conditions, executor arming is exposed in the dashboard safe controls, and regression tests cover both containment gating and control routing.
Assumptions: Quote silence alone is not sufficient evidence of a broken execution truth path, while ingest disconnect, publish stall, and history-writer stall remain containment-grade failures.
Still fake: Live deployment still depends on the repo pipeline completing for this commit; executor disarm provenance is still not durably explained in the dashboard.
Proof: Automatic rollout now reconciles a repo-owned deployment list that explicitly includes operator-dashboard, instead of depending on mutable Forgejo variables or deployment metadata labels.
Assumptions: Repo-owned application deployments are the set enumerated in scripts/deploy/repo_deployments.py and each deployment still uses container name app for image updates.
Still fake: Forgejo still shows older workflow behavior on prior runs, so this commit must be validated by one more push-driven deployment cycle.
Proof: This follow-up push verifies that the corrected Forgejo deployment variable now includes operator-dashboard in the automatic rollout path without any manual kubectl step.
Assumptions: The previous run may have started before the updated repo action variables were visible to the workflow runner.
Still fake: If this run still skips operator-dashboard, the remaining issue is in Forgejo workflow resolution rather than repo variable state.
Proof: Deployment repair may use kubectl only when the same fix is backported into repo workflow or scripts in the same turn, keeping push-driven automation as the steady-state path.
Assumptions: Emergency break-glass incidents remain rare exceptions and should not redefine the normal deployment workflow.
Still fake: Repo automation should prevent routine kubectl repair, but that guarantee depends on continued verification of the push-driven deploy path.
Proof: Follow-up push exercises the new label-driven release apply path so operator-dashboard no longer depends on the old PROJECT_DEPLOYMENTS rollout list.
Assumptions: Forgejo Actions picks up workflow-definition changes on the next push if the current push was still handled by the prior workflow definition.
Still fake: This commit exists only to force one more workflow run and should be unnecessary once the new deploy workflow has been proven live.
Proof: Push-driven repo workflow now renders and applies the built image across all repo-owned deployments instead of resetting services to placeholder images or relying on a manual rollout list.
Assumptions: All repo-owned workloads that should roll on push carry app.kubernetes.io/part-of= in the manifests, and namespace bootstrap can happen before the image build without applying placeholder deployments.
Still fake: This turn fixes the repo deployment path in code, but I have not yet exercised the new Forgejo workflow end-to-end from a fresh push on the cluster.
Proof: Dashboard system controls and alert history stay operator-legible under runtime health flapping without implying nonexistent arm behavior.
Assumptions: Manual executor arming remains intentionally absent from the dashboard for this turn, so resume should mean intake resume only.
Still fake: Ops-sentinel still emits raw runtime transition churn underneath; this change collapses it in the dashboard instead of changing runtime alert hysteresis.
Proof: Connected ingest without recent quotes now renders as a warning-level no-recent-quotes state instead of a generic critical service failure, while disconnected and publish-stalled cases remain critical.
Assumptions: Operators need transport failure and quote-quiet conditions separated on the service card; stale quote truth should still block trust without pretending the websocket is broken.
Still fake: External alert delivery remains unconfigured; live alert routing is still through the generic webhook path only when configured.
Proof: Include the full operator-dashboard frontend source tree so the deployment image can build and serve the dashboard UI that consumes runtime health severity.
Assumptions: The current static dashboard source tree in the worktree is the intended frontend for this turn and belongs with the deployed operator-dashboard backend.
Still fake: External alert receiver remains unconfigured; this commit only resolves the dashboard asset source gap in the deploy.
Proof: Include the Vite config required for the dashboard-builder image stage to build operator-dashboard static assets during deployment.
Assumptions: The current Vite config in the worktree is the intended build config for the deployed operator-dashboard frontend.
Still fake: External alert receiver remains unconfigured; this commit only resolves the image-build blocker for the dashboard deploy.
Proof: Include the multistage Dockerfile needed to build operator-dashboard static assets and copy them into the production image so the deployed dashboard backend can serve the new UI.
Assumptions: The dashboard frontend should be built during image creation rather than committed as generated dist artifacts.
Still fake: External alert receiver remains unconfigured; this commit only resolves the live dashboard asset packaging blocker.
Proof: Include the postgres loader exports required by the deployed operator-dashboard backend bootstrap path.
Assumptions: The current postgres loader additions in the worktree are part of the operator-dashboard runtime surface and intended to ship with the dashboard backend.
Still fake: External alert delivery remains unconfigured; this commit only resolves the live operator-dashboard startup blocker.
Proof: Include operator dashboard auth module and runtime package manifest updates required for the deployed operator-dashboard and ops-sentinel processes to start successfully.
Assumptions: React and ws belong in production dependencies because operator-dashboard now ships in the runtime image; operator-dashboard-auth is part of the deployed backend surface.
Still fake: External alert receiver remains unconfigured; this commit only fixes rollout blockers for the runtime-health/dashboard deploy.
Proof: Runtime health sentinel, alert routing, and anomaly detection for stale/disconnected quote truth, truthful dashboard severity, webhook notifications, and safe executor containment.
Assumptions: Existing control APIs remain the service-local truth surface; external notification stays as a generic webhook sink; executor disarm is an allowed non-fund-moving containment action; current dashboard/operator files in the worktree belong to this turn and are intended to ship together.
Still fake: No live external receiver is configured; webhook delivery is implemented but unverified end-to-end in production; cluster rollout still depends on deploying the new image; no automatic deployment restart path was added.
Proof: Strategy and executor arm state now survives pod restarts through durable control-state files mounted in their service state directories.
Assumptions: The strategy-state PVC can be seeded before the first rollout restart, and both service state directories remain writable on the cluster.
Still fake: Armed-state durability is local to the cluster volumes; there is no cross-cluster or database-backed operator control-state replication.
Proof: Implement the active turn for pre-credit funding visibility and durable operator alerts while keeping spendable inventory truth limited to bridge/verifier credit.
Assumptions: The BTC deposit handle can be observed through a mempool.space-compatible API, bridge recent_deposits remains the credit truth for correlation, and pausing market-reference-ingest or inventory-sync briefly for alert validation is safe without disarming strategy or executor.
Still fake: Gnosis pre-credit observation is not implemented, executor failure alert validation may still depend on an existing real failure unless a separate live failure is explicitly approved, and a new live deposit is still required to prove a fresh pre-credit-to-credit path if no suitable recent funding exists.
Proof: Preserve the completed first live BTC/EURe trade loop and establish the next approved implementation proof around pre-credit funding visibility and operator alerts.
Assumptions: The live-trade loop is sufficiently proven by the recorded deposits, withdrawals, durable command/result chain, and successful mainnet quote responses; the next highest-value slice is operational visibility rather than new execution breadth.
Still fake: The newly opened funding-visibility and alert turn is planning only; no pre-credit watcher or durable alert evaluator is implemented yet.
Proof: Persist portfolio value and PnL snapshots from the live inventory and reference-price path so operators can inspect trading performance from repo-controlled data.
Assumptions: The last credited inventory snapshot before the first live command is the correct baseline for trade-driven PnL, and EURe remains explicit 1:1 with EUR.
Still fake: The new portfolio metrics and watch output are implemented and tested locally but are not live until the updated app image is deployed to k3s.
Proof: The funded NEAR Intents operator path should have a stable configured withdrawal destination for the active assets so exits do not depend on retyping recipient addresses.
Assumptions: Active asset withdrawal destinations are long-lived operator settings and can safely live in runtime config; actual withdrawals still require explicit unfreeze and operator action.
Still fake: Strategy and executor remain disarmed, no live trade quote has been submitted, and the live withdrawal transaction itself has not been exercised yet.
Proof: The active NEAR Intents funded market-maker loop needs a first-class operator withdrawal action so funded inventory can be exited through repo-controlled code rather than manual follow-up.
Assumptions: The configured signer key is also a full-access key on the named NEAR account, and external-chain exits for active OMFT assets are triggered by intents.near::ft_withdraw with the token contract as receiver_id plus memo=WITHDRAW_TO:<destination>.
Still fake: Strategy and executor remain disarmed, no live inventory is credited yet, and no live mainnet trade quote has been submitted.
Proof: Liquidity manager must persist live deposit handles and funding observations so the active NEAR Intents proof can reach credited inventory and real execution.
Assumptions: Services commonly mutate store.getState() in place before calling setState, so the state store must preserve same-reference updates instead of clearing them.
Still fake: Strategy and executor remain disarmed, no live inventory is credited yet, and no live mainnet quote response has been sent.
Proof: active BTC/EURe tradeable loop on k3s must expose funding state cleanly, preserve durable history, and avoid inheriting dummy executor state.
Assumptions: retained Kafka topics may contain legacy dummy records; those should be tolerated in history ingestion without weakening the current live command shape.
Still fake: internal inventory is still unfunded, strategy and executor remain disarmed, and no live quote response has been submitted yet.
Proof: first non-mocked tradeable loop for one pair using funded NEAR Intents inventory, Kafka, and PostgreSQL.
Assumptions: solver-side execution is performed by signed token_diff quote responses over the Solver Relay; EURe is treated as 1:1 with EUR; k3s runtime uses unrip-dev.near as the named signer account.
Still fake: signer key is not yet registered on intents.near, strategy and executor remain disarmed by default, and no live mainnet quote response has been submitted from this repo yet.
