Proof: npm test; npm run operator-dashboard:build; PYTHONPATH=. python3 test/render_release_manifest_test.py; PYTHONPATH=. python3 test/repo_deployments_test.py; PYTHONPATH=. python3 test/ntfy_manifest_test.py; kubectl kustomize deploy/k8s/base.
Assumptions: notifications should be emitted by history-writer after durable writes and outcome refreshes, and only for credited deposits, completed withdrawals, and completed trades with linked inventory movement evidence.
Still fake: Generic alert notification policy is not re-enabled; withdrawal submitted notifications are not emitted; old historical outcomes are not backfilled as notifications; fee-complete realized PnL is still unavailable.
Proof: npm test; PYTHONPATH=. python3 test/render_release_manifest_test.py; PYTHONPATH=. python3 test/repo_deployments_test.py; PYTHONPATH=. python3 test/ntfy_manifest_test.py; kubectl kustomize deploy/k8s/base.
Assumptions: ntfy is a shared cluster utility owned by ../unrip3, while this app repo only consumes the internal ntfy endpoint and keeps publisher-side client/config.
Still fake: No public ntfy ingress, auth token, iOS subscription, or runtime notification emission path is wired yet.
Proof: npm test; PYTHONPATH=. python3 test/render_release_manifest_test.py; PYTHONPATH=. python3 test/repo_deployments_test.py; PYTHONPATH=. python3 test/ntfy_manifest_test.py; kubectl kustomize deploy/k8s/base.
Assumptions: ntfy should start as an internal ClusterIP utility so repo-owned services can publish without exposing an unauthenticated public notification endpoint; mobile delivery needs a separate authenticated ingress or external endpoint decision.
Still fake: No public ntfy ingress or operator mobile subscription exists yet; no existing runtime path emits ntfy notifications by default; ntfy cache storage is ephemeral emptyDir.
Proof: npm test; npm run operator-dashboard:build; PYTHONPATH=. python3 test/render_release_manifest_test.py; PYTHONPATH=. python3 test/repo_deployments_test.py
Assumptions: Service freshness timestamps remain snapshot evidence from service state; the UI should show their advancing age rather than imply a refreshed service poll happened.
Still fake: Service health snapshots are not a venue event stream; exact quote settlement still requires durable inventory movement and no submitted-only evidence is treated as a completed trade.
Proof: npm test; npm run operator-dashboard:build; PYTHONPATH=. python3 test/render_release_manifest_test.py; PYTHONPATH=. python3 test/repo_deployments_test.py
Assumptions: Kafka live topics carry normalized quote, decision, command, and execution result envelopes; durable quote outcomes still refresh through history/bootstrap when inventory attribution is recomputed.
Still fake: Venue-native terminal fill events and fee-complete realized PnL remain unavailable; submitted and relay-accepted evidence still cannot prove settlement without durable inventory movement.
Proof: successful trade summary now aggregates gross edge estimates only from completed lifecycle rows with linked settlement evidence; tests prove completed-without-delta rows are excluded.
Assumptions: gross edge estimate is useful operator evidence but remains pre-fee and not venue-native realized PnL.
Still fake: fee-complete realized trade PnL and venue-native terminal fill events remain unavailable.
Proof: quote lifecycle rows now anchor row time and sorting to quote/submission activity instead of later outcome recomputation; regression covers an old 2% not-filled outcome recomputed after a current 0.49% quote.
Assumptions: outcome-only historical rows still belong in lifecycle evidence, but their dashboard recency must come from original command/submission time when quote evidence is not loaded.
Still fake: venue-native terminal fill events and fee-complete realized PnL remain unavailable.
Proof: Live dashboard preflight waited through the generic 3s proxy timeout while trade-executor later recorded solver_quote_unanswered after the 10s relay quote wait. Request controls now use action-aware timeouts and unanswered requests render with plain reason text.
Assumptions: Own-request preflight needs at least quote_timeout plus small overhead; submit needs publish plus relay-status wait. Generic service refresh controls should keep the shorter dashboard upstream timeout.
Still fake: This does not create external solver liquidity; it only lets the dashboard observe whether the request was answered, submitted, or blocked without timing out first.
Proof: Live dashboard preflight returned an empty client response because an upstream control timeout rejected outside the server catch path and restarted operator-dashboard. The server now awaits API handlers, wraps control proxy failures, and returns structured JSON errors instead of crashing.
Assumptions: A timed-out control proxy should be observable as a dashboard control failure, not as process death. Returning 504/502 JSON is safer than treating the action as successful or hiding the upstream state.
Still fake: This does not make unanswered solver quote requests fill; it only makes the dashboard control surface truthful and non-crashing for failed or timed-out controls.
Proof: Live dashboard-triggered request settled at the relay without the expected EURe decrease and BTC increase, exposing self-matching between our taker preflight and our maker responder. This change suppresses maker quote responses while an own-request preflight is collecting solver quotes, refreshes relay status before outcome derivation, and records relay SETTLED without expected durable inventory delta as failed rather than completed or not_filled.
Assumptions: Suppressing maker responses during the short quote RPC window prevents our own quote from being selected for our own taker request. Relay SETTLED remains insufficient for success unless durable inventory shows the expected source decrease and destination increase.
Still fake: Venue-native fill id parsing and fee-complete realized PnL for request-created trades are still not modeled; completed still depends on durable inventory delta attribution.
Proof: Live request validation showed a not_filled own-request row still displayed the earlier relay-accepted text; the normalizer now prefers terminal outcome reason text and has a regression test for deadline_elapsed_without_settlement.
Assumptions: Terminal request outcome rows are more decisive than submission result text for operator-facing reason copy.
Still fake: Venue-native fill ids and fee-complete realized PnL remain unavailable; completed still depends on durable inventory delta attribution.
Proof: Adds repo-owned EURe-to-BTC request preflight, signing, gated live submission, durable request/result/outcome persistence, dashboard request lifecycle rows, and tests proving submitted/relay accepted are not completed without inventory movement.
Assumptions: The NEAR Intents solver relay quote, publish_intent, and get_status JSON-RPC methods accept signed raw_ed25519 token_diff payloads with quote_hashes; live validation remains bounded to 5 EUR per attempt, at most five attempts, and 200 bps slippage.
Still fake: Venue-native terminal fill linkage and fee-complete realized PnL are still unavailable; request completion is attributed from durable inventory deltas unless the venue later exposes a linked settlement id.
Proof: Archive index, implementation proof, and implementation plan now define the approved NEAR Intents EURe-to-BTC request-creation turn with explicit lifecycle, settlement, and safety invariants.
Assumptions: The next turn is approved by the operator and will verify the NEAR Intents request API before any live fund movement; all live submission remains behind repo-owned preflight and explicit operator action.
Still fake: Request API shape is not yet verified, repo-owned request submission is not implemented, and no EURe-to-BTC live request has been created by this planning commit.
Proof: Preserve the completed implementation turn and record its outcome in the tracked archive.
Assumptions: The archived files capture the relevant planning state for the completed turn.
Still fake: Archiving does not validate the work by itself; external evidence still governs whether the result is trustworthy.
Proof: NEAR Intents quote ingest now schedules reconnect on websocket error even when the runtime does not emit close; regression test, dashboard build, and full npm test pass.
Assumptions: The observed live ingest outage after the 0.49 percent rollout was caused by the startup socket_error path leaving the websocket disconnected; reconnecting preserves the existing pair filter and topics without changing trading size or funds exposure.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Strategy gross edge threshold is lowered to the user-approved 0.49 percent in repo defaults and Kubernetes deploy config; targeted threshold tests, dashboard build, and full npm test pass.
Assumptions: User explicitly approved lowering below the previous 0.99 percent threshold for the active BTC/EURe NEAR Intents pair; max notional and funds exposure are unchanged.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Strategy gross edge threshold is lowered to the user-approved 0.99 percent in repo defaults and Kubernetes deploy config; targeted threshold tests, dashboard build, and full npm test pass.
Assumptions: User explicitly approved lowering below the previous 1.49 percent guard for the active BTC/EURe NEAR Intents pair; max notional and funds exposure are unchanged.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Live investigation found the executor could stay disconnected from the solver relay after websocket error without close; relay client now reconnects after error and request timeout covers connection wait. Added regression coverage and npm test passes.
Assumptions: Historical relay OK responses were technically accepted and mostly not filled because they were not selected or settled, while the current disconnected relay state was a repo-side runtime bug affecting new submissions.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Mobile dashboard status bar now uses static document flow below 720px; static UI regression test, dashboard build, and full npm test pass.
Assumptions: The viewport-covering mobile issue is caused by the sticky status bar occupying too much of the small screen while pinned.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: Operator dashboard now renders one full-width quote lifecycle table and one successful-trades-only table from durable lifecycle evidence; targeted dashboard tests, dashboard build, and full npm test pass.
Assumptions: Gross edge estimate is edge percent times EUR notional and is labeled separately from realized PnL; realized per-trade PnL remains unavailable until fee and venue-terminal fill data are stored.
Still fake: Venue-native terminal fill events, fee attribution, realized per-trade PnL, and full inventory-skew strategy controls remain incomplete.
Proof: ops-sentinel runtime evaluation no longer throws ReferenceError while checking disabled executor containment; covered by a regression test and full npm test.
Assumptions: Runtime containment remains intentionally disabled by shouldContainExecutorForAlerts returning false; this change only restores the symbol needed for evaluation to complete.
Still fake: Alert surfaces remain suppressed per the current safety/alert simplification; venue-native terminal fill events and realized per-trade PnL are still unavailable.
Proof: Fixes quote outcome expiry so no-settlement submissions age to not_filled using the latest durable inventory snapshot, even when the last actual inventory movement is older.
Assumptions: A later unchanged inventory snapshot after the quote deadline plus settlement grace is valid evidence that no matching settled inventory delta occurred in the repo-owned path.
Still fake: Not-filled remains inferred from deadline plus inventory evidence until venue-native terminal outcome events are persisted.
Proof: Establishes the approved next implementation turn around inventory-aware strategy decisions, threshold truth, and outcome-confidence semantics.
Assumptions: Backlog item I015 is the right next scope after quote outcome attribution because the current live gap is strategy side selection and inventory policy, not another dashboard-only surface.
Still fake: Planning does not implement inventory-skew strategy controls, venue-native fills, fee/cost attribution, or realized net PnL.
Proof: Preserve the completed implementation turn and record its outcome in the tracked archive.
Assumptions: The archived files capture the relevant planning state for the completed turn.
Still fake: Archiving does not validate the work by itself; external evidence still governs whether the result is trustworthy.
Proof: Adds a durable quote outcome attribution model, refreshes it from submitted execution results plus inventory snapshots, and updates dashboard lifecycle rows so submitted, blocked, rejected, not-filled, and completed states are separated by durable evidence. Lowers the approved live strategy edge threshold to 1.49%.
Assumptions: Exact asset-unit inventory deltas inside the attribution window are acceptable as heuristic settlement evidence for the active BTC/EURe NEAR Intents path when the uncertainty is stored and shown. Deadline-plus-inventory non-fill is inferred until venue terminal events are persisted.
Still fake: No venue-native terminal fill event or per-trade fee/cost ledger is stored yet; heuristic completed and not-filled records remain explicitly labeled as inferred where applicable, and realized net PnL is still not claimed.
Proof: Operator dashboard now starts from successful trades with linked outcome evidence, keeps submitted-only rows in awaiting/no-trade buckets, and explains why recent quotes are not proven asset-changing trades.
Assumptions: Until durable terminal outcome and settlement attribution are implemented, successful trade count must remain zero for submitted-only evidence.
Still fake: Per-quote terminal outcome and settled asset delta plumbing is still not implemented; the page now exposes that absence directly instead of hiding it behind submission counts.
Proof: Remove repo-owned automatic safety disarms and operator alert severity surfaces so arming state is no longer silently reverted by stale-quote alerts.
Assumptions: The operator now wants arming to remain explicit and durable even when quote-truth checks are stale or noisy, and simple reachability/state is a better surface than derived alert severity for now.
Still fake: The upstream quote-truth and health heuristics remain unreliable; this change removes their automatic containment effect instead of fixing their underlying accuracy.
Proof: Open the next implementation turn focused on durable downstream outcome linkage and settled inventory attribution for executed quotes.
Assumptions: I017 and I018 belong to one coherent proof topic for the active NEAR Intents BTC/EURe path.
Still fake: Planning defines the next truth gap and validation target, but no downstream outcome or settlement attribution implementation exists yet.
Proof: Preserve the completed implementation turn and record its outcome in the tracked archive.
Assumptions: The archived files capture the relevant planning state for the completed turn.
Still fake: Archiving does not validate the work by itself; external evidence still governs whether the result is trustworthy.
Proof: Operator-facing dashboard payloads no longer expose the forbidden actionable decision vocabulary while preserving lifecycle truth and executor-versus-strategy separation.
Assumptions: Existing stored decision records may still use actionable internally, so the dashboard layer must normalize them before exposure.
Still fake: Downstream venue completion evidence is still unavailable for submission-only rows, so submitted remains a non-terminal evidence state.
Proof: Quote lifecycle truth and execution explanation is rendered from durable quote, decision, command, and execution evidence without treating submission as completion or realized asset movement.
Assumptions: Pushes to main trigger the repo-owned deployment workflow, and current durable records do not yet contain authoritative downstream venue outcomes for recent submissions.
Still fake: Completed and not-filled terminal trade outcomes remain unavailable unless explicit durable outcome evidence is stored; submitted rows therefore remain submission-only evidence.
Proof: The active quote-lifecycle turn now explicitly requires semantic truth, forbidden overclaim labels, negative invariant tests, and naming cleanup so submission evidence cannot be presented as trade completion.
Assumptions: The repo can derive truthful first-pass quote lifecycle states from existing decision and execution records, and prevention should be enforced by code and tests rather than reviewer memory.
Still fake: This commit only tightens the live planning docs; the implementation work to rename legacy fields and derive lifecycle-backed summaries is still outstanding.
Proof: Dashboard copy now describes durable submitted quote responses as submissions rather than successful trades or asset deltas, and regression coverage locks the new wording in place.
Assumptions: The current durable execution result still means quote-response submission, not settled execution or realized inventory change.
Still fake: The backend still stores and aggregates these rows under trade-oriented names, and the full quote lifecycle model is still the active follow-up turn.
Proof: Archive the completed runtime-health turn and open a new implementation turn that replaces ambiguous quote verdicts with explicit lifecycle truth and durable execution explanation.
Assumptions: Recent decision and execution records already contain enough repo-owned evidence to derive a truthful first-pass quote lifecycle for the active pair.
Still fake: The new turn is planning state only; the dashboard still contains the existing lifecycle ambiguity until this proof is implemented.
Proof: Sentinel no longer raises publish-stale before any matching quote exists, preventing false executor auto-disarm during quiet or pre-match periods; regression tests cover both the false case and the real stalled-after-match case.
Assumptions: A publish-path failure is only meaningful after at least one matching quote has been observed for the active pair.
Still fake: The dashboard still lacks deep ingest diagnostics for why quotes are filtered, so pair-filter mismatch analysis is not yet visible at a glance.
Proof: Sentinel auto-containment now ignores quote-stale-only conditions, executor arming is exposed in the dashboard safe controls, and regression tests cover both containment gating and control routing.
Assumptions: Quote silence alone is not sufficient evidence of a broken execution truth path, while ingest disconnect, publish stall, and history-writer stall remain containment-grade failures.
Still fake: Live deployment still depends on the repo pipeline completing for this commit; executor disarm provenance is still not durably explained in the dashboard.
Proof: Automatic rollout now reconciles a repo-owned deployment list that explicitly includes operator-dashboard, instead of depending on mutable Forgejo variables or deployment metadata labels.
Assumptions: Repo-owned application deployments are the set enumerated in scripts/deploy/repo_deployments.py and each deployment still uses container name app for image updates.
Still fake: Forgejo still shows older workflow behavior on prior runs, so this commit must be validated by one more push-driven deployment cycle.
Proof: This follow-up push verifies that the corrected Forgejo deployment variable now includes operator-dashboard in the automatic rollout path without any manual kubectl step.
Assumptions: The previous run may have started before the updated repo action variables were visible to the workflow runner.
Still fake: If this run still skips operator-dashboard, the remaining issue is in Forgejo workflow resolution rather than repo variable state.
Proof: Deployment repair may use kubectl only when the same fix is backported into repo workflow or scripts in the same turn, keeping push-driven automation as the steady-state path.
Assumptions: Emergency break-glass incidents remain rare exceptions and should not redefine the normal deployment workflow.
Still fake: Repo automation should prevent routine kubectl repair, but that guarantee depends on continued verification of the push-driven deploy path.
Proof: Follow-up push exercises the new label-driven release apply path so operator-dashboard no longer depends on the old PROJECT_DEPLOYMENTS rollout list.
Assumptions: Forgejo Actions picks up workflow-definition changes on the next push if the current push was still handled by the prior workflow definition.
Still fake: This commit exists only to force one more workflow run and should be unnecessary once the new deploy workflow has been proven live.
Proof: Push-driven repo workflow now renders and applies the built image across all repo-owned deployments instead of resetting services to placeholder images or relying on a manual rollout list.
Assumptions: All repo-owned workloads that should roll on push carry app.kubernetes.io/part-of= in the manifests, and namespace bootstrap can happen before the image build without applying placeholder deployments.
Still fake: This turn fixes the repo deployment path in code, but I have not yet exercised the new Forgejo workflow end-to-end from a fresh push on the cluster.
Proof: Dashboard system controls and alert history stay operator-legible under runtime health flapping without implying nonexistent arm behavior.
Assumptions: Manual executor arming remains intentionally absent from the dashboard for this turn, so resume should mean intake resume only.
Still fake: Ops-sentinel still emits raw runtime transition churn underneath; this change collapses it in the dashboard instead of changing runtime alert hysteresis.
Proof: Connected ingest without recent quotes now renders as a warning-level no-recent-quotes state instead of a generic critical service failure, while disconnected and publish-stalled cases remain critical.
Assumptions: Operators need transport failure and quote-quiet conditions separated on the service card; stale quote truth should still block trust without pretending the websocket is broken.
Still fake: External alert delivery remains unconfigured; live alert routing is still through the generic webhook path only when configured.
Proof: Include the full operator-dashboard frontend source tree so the deployment image can build and serve the dashboard UI that consumes runtime health severity.
Assumptions: The current static dashboard source tree in the worktree is the intended frontend for this turn and belongs with the deployed operator-dashboard backend.
Still fake: External alert receiver remains unconfigured; this commit only resolves the dashboard asset source gap in the deploy.
Proof: Include the Vite config required for the dashboard-builder image stage to build operator-dashboard static assets during deployment.
Assumptions: The current Vite config in the worktree is the intended build config for the deployed operator-dashboard frontend.
Still fake: External alert receiver remains unconfigured; this commit only resolves the image-build blocker for the dashboard deploy.
Proof: Include the multistage Dockerfile needed to build operator-dashboard static assets and copy them into the production image so the deployed dashboard backend can serve the new UI.
Assumptions: The dashboard frontend should be built during image creation rather than committed as generated dist artifacts.
Still fake: External alert receiver remains unconfigured; this commit only resolves the live dashboard asset packaging blocker.
Proof: Include the postgres loader exports required by the deployed operator-dashboard backend bootstrap path.
Assumptions: The current postgres loader additions in the worktree are part of the operator-dashboard runtime surface and intended to ship with the dashboard backend.
Still fake: External alert delivery remains unconfigured; this commit only resolves the live operator-dashboard startup blocker.
Proof: Include operator dashboard auth module and runtime package manifest updates required for the deployed operator-dashboard and ops-sentinel processes to start successfully.
Assumptions: React and ws belong in production dependencies because operator-dashboard now ships in the runtime image; operator-dashboard-auth is part of the deployed backend surface.
Still fake: External alert receiver remains unconfigured; this commit only fixes rollout blockers for the runtime-health/dashboard deploy.
Proof: Runtime health sentinel, alert routing, and anomaly detection for stale/disconnected quote truth, truthful dashboard severity, webhook notifications, and safe executor containment.
Assumptions: Existing control APIs remain the service-local truth surface; external notification stays as a generic webhook sink; executor disarm is an allowed non-fund-moving containment action; current dashboard/operator files in the worktree belong to this turn and are intended to ship together.
Still fake: No live external receiver is configured; webhook delivery is implemented but unverified end-to-end in production; cluster rollout still depends on deploying the new image; no automatic deployment restart path was added.
Proof: Strategy and executor arm state now survives pod restarts through durable control-state files mounted in their service state directories.
Assumptions: The strategy-state PVC can be seeded before the first rollout restart, and both service state directories remain writable on the cluster.
Still fake: Armed-state durability is local to the cluster volumes; there is no cross-cluster or database-backed operator control-state replication.
