Antilles identity-trust · Stable · all-models converged roadmap

Deployment roadmap — identity first, then trust, then scale

The best-path, least-over-engineered sequence to ship the whole identity-trust stack to Stable. Synthesized from an independent cross-model panel. The ordering principle is unanimous: governance recovery first, then identity correctness → reputation correctness → deployability → institutional/mainnet.

Grok 4.3 · CEO
4-phase, risk-first. Identity base → tier enforcement → oracle+deploy → institutional hardening.
Gemini 3.1-pro · CTO
4-phase, identity-first. Governance baseline (unquarantine + slither) → identity → reputation core → mainnet.
Codex GPT-5.5 · CTO
5-phase, risk-first. Quarantine recovery → identity substrate → agent identity → tier-safe reputation → deployability → mainnet.
CONVERGED: governance recovery first · do NOT ship oracle intelligence or x402/market until the L1 identity + tier-provenance path is non-attacker-controlled.

The phased roadmap (synthesized 0→5)

0
Quarantine Recovery · governance only
Ship TIER_1_SIGNED_DISPATCH_EVIDENCE_v1 (A0); re-converge STABLE_DEPLOY_v1 with signed receipts; resume from PLAN. Fix the slither || true fail-open now.
Entry
Track remains quarantined; no FSM ceremony permitted
Exit
Signed receipts recorded; re-based on non-reverted SHA; PLAN re-validated
governance · Unblocks all downstream FSM work.
1
Identity Substrate · L1 · S1 + EAS
Restore Shyft core from git 710536b; self-deploy canonical MIT EAS + SchemaRegistry; read schemaUID back; validate ShyftGatedResolver against real EAS (not mocks).
Entry
Phase 0 complete
Exit
Shyft + real EAS live on Stable testnet; resolver tested against real EAS; dual-pragma compile
missing EAS · Shyft not restored
2
Agent Identity · ERC-8004
Build Erc8004Registry.sol (registerAgent/ownerOf/agentCard/transferAgent); integrate the existing ERC8004Bridge.
Entry
Phase 1 complete (registry deploys before bridge)
Exit
Agents have owner/card identity; bridge reads stable identity refs
ERC-8004 not integrated
3
Tier-Safe Reputation · the critical fix
On-chain tier derivation (never the attacker-controlled byte); resolver-gated recordCitationWithTier; uniform cap clamp across every read path; bounded setTierCap (0<cap≤10000); unknown/T1 → most-restrictive cap.
Entry
Phase 2 complete; cross-tier-sybil documented as known-issue
Exit
All read paths enforce derived caps; attacker-controlled tier bytes removed; negative tests pass
CRIT tier spoof
4
Deployability · S4 deploy script
Real wiring PageRankOracle ↔ ReputationEngine (not the fictional RE↔CitationCounters); multisig=deployer on testnet; idempotent/resumable; USDT0 0-tip + per-tx dry-run; output .deployments/stable-testnet.json.
Entry
Phase 3 complete; S33 oracle validated
Exit
One-command dry-run + testnet deploy succeeds repeatedly from clean state
fictional wiring · non-resumable deploy
5
Mainnet Readiness · institutional
Gnosis Safe owner; frozen upgradeability policy; monitoring/alerting; slither fail-closed; external audit; stablecoin fee refactor (UR-2/S31); resolve or formally accept the sybil funnel.
Entry
Phase 4 complete (testnet proven)
Exit
Audit-ready package; mainnet launch checklist signed
institutional blockers

Critical path (dependency order)

  1. Recover governance — signed evidence + re-convergence before any implementation
  2. Restore Shyft core from 710536b
  3. Self-deploy canonical MIT EAS + SchemaRegistry on Stable
  4. Read back schemaUID; validate resolver vs real EAS
  5. Build / integrate Erc8004Registry
  6. Wire ERC8004Bridge to registry + Shyft identity
  7. On-chain tier derivation + resolver-gated citation recording
  8. Clamp reputation uniformly across every read path
  9. Wire real cycle PageRankOracle ↔ ReputationEngine
  10. Idempotent, resumable, dry-runnable, USDT0-gas deploy script

Institutional gates — testnet vs mainnet

TESTNET
  • Slither fail-closed before Phase 4 exit
  • Monitoring before prolonged operation
  • Deployer-EOA multisig substitute — explicitly temporary
MAINNET
  • Gnosis Safe required before any mainnet deploy
  • External audit after Phase 4, before Phase 5 exit
  • Upgradeability policy frozen before audit
  • Fee refactor decided before launch
  • Sybil funnel fixed (citerTierWeight) or formally accepted

Get these right, or it fails

1

On-chain, non-spoofable tier provenance

If citation tier bytes stay caller-controlled, the system fails at the trust boundary. Derive tier from authoritative on-chain state.
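
A minimal Solidity sketch of this rule, added here as an illustration and not the project's ReputationEngine: the tier is looked up from an on-chain source at read time, the record function takes no tier argument, and one clamp serves every read path. ITierSource, TierSafeReputationSketch, scoreOf, scoresOf, the recordCitationWithTier signature shown and the choice of T1 = 1 are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added sketch: all names and signatures are assumptions, not the project's code.
interface ITierSource { // hypothetical authoritative on-chain tier lookup
    function tierOf(address subject) external view returns (uint8);
}

contract TierSafeReputationSketch {
    uint256 public constant MAX_CAP = 10_000;
    uint8 public constant T1 = 1; // assumed most-restrictive tier
    ITierSource public immutable tierSource;
    address public immutable resolver; // only the gated resolver may record
    address public immutable owner;
    mapping(uint8 => uint256) public tierCap; // 0 = tier not configured
    mapping(address => uint256) private rawScore;
    constructor(ITierSource source, address resolver_, uint256 t1Cap) {
        require(t1Cap > 0 && t1Cap <= MAX_CAP, "cap out of range");
        tierSource = source;
        resolver = resolver_;
        owner = msg.sender;
        tierCap[T1] = t1Cap;
    }

    function setTierCap(uint8 tier, uint256 cap) external {
        require(msg.sender == owner, "not owner");
        require(cap > 0 && cap <= MAX_CAP, "cap out of range"); // 0 < cap <= 10000
        tierCap[tier] = cap;
    }

    // No tier argument: a caller-supplied tier byte is the spoofable input.
    function recordCitationWithTier(address subject, uint256 weight) external {
        require(msg.sender == resolver, "resolver only");
        rawScore[subject] += weight;
    }

    // The one clamp that every read path goes through.
    function _clamped(address subject) internal view returns (uint256) {
        uint256 cap = tierCap[tierSource.tierOf(subject)];
        if (cap == 0) cap = tierCap[T1]; // unknown tier -> most-restrictive cap
        uint256 raw = rawScore[subject];
        return raw > cap ? cap : raw;
    }

    function scoreOf(address subject) external view returns (uint256) { return _clamped(subject); }
    function scoresOf(address[] calldata subjects) external view returns (uint256[] memory out) {
        out = new uint256[](subjects.length);
        for (uint256 i = 0; i < subjects.length; i++) out[i] = _clamped(subjects[i]);
    }
}
```

A negative test for this shape asserts that a subject whose tier is unconfigured never reads above the T1 cap through either read function, and that setTierCap rejects 0 and 10001.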

2

Real canonical EAS, read back

Mock EAS is tests-only. Stable has no predeploy → self-deploy canonical MIT EAS + verify schemaUID from the event.
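
One way to do the read-back on-chain, as an added example rather than the project's deploy script: recompute the UID the way canonical EAS derives it (keccak256 of the packed schema string, resolver and revocable flag), register only if it is absent so a re-run does not revert, then compare against what the registry stored. SchemaReadBack and ISchemaRegistryView are hypothetical names, and the resolver is typed as address for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal view of the canonical EAS SchemaRegistry surface used below.
// ISchemaResolver is ABI-encoded as an address, so address is used directly.
struct SchemaRecord {
    bytes32 uid;
    address resolver;
    bool revocable;
    string schema;
}

interface ISchemaRegistryView {
    function register(string calldata schema, address resolver, bool revocable) external returns (bytes32);
    function getSchema(bytes32 uid) external view returns (SchemaRecord memory);
}

contract SchemaReadBack { // hypothetical helper, not part of EAS or the project
    function registerAndVerify(
        ISchemaRegistryView registry, string calldata schema, address resolver, bool revocable
    ) external returns (bytes32 uid) {
        // Canonical EAS UID: hash of the packed (schema, resolver, revocable).
        bytes32 expected = keccak256(abi.encodePacked(schema, resolver, revocable));
        // Idempotent: an unknown UID reads back as an empty record (uid == 0).
        if (registry.getSchema(expected).uid != expected) {
            require(registry.register(schema, resolver, revocable) == expected, "uid mismatch");
        }
        // Read back from storage and check every field, not just the UID.
        SchemaRecord memory rec = registry.getSchema(expected);
        require(rec.uid == expected, "schema not stored");
        require(rec.resolver == resolver && rec.revocable == revocable, "record mismatch");
        require(keccak256(bytes(rec.schema)) == keccak256(bytes(schema)), "schema text mismatch");
        uid = expected;
    }
}
```

An off-chain deploy script would compare the same value with the UID emitted in the registration event before writing it to the deployments file.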

3

Deploy reflects the real graph

The real cycle is PageRankOracle ↔ ReputationEngine. A script assuming RE ↔ CitationCounters produces a misleading, broken deploy.

Cut / deferred from the launch critical path (anti-over-engineering): HITS promotion, citerTierWeight, compliance-DeFi module, Stable Market USDT0, x402 trust channels, contract upgradeability proxies, full V1 calibration (9 of 11 params). Document the cross-tier sybil funnel as a known issue until S34 / Sprint 2.