Shyft core + RMT + ERC‑8004 → Stable testnet
Cross‑model convergence + red‑team audit of the deployment plan, verified diff‑by‑diff against the live antilles‑v2 codebase and the canonical roadmap. Ground‑truth only; every claim is source‑cited.
Executive Verdict / 01
The plan and design are sound enough to build against, but the system is not ready to broadcast. Build is greenfield (S1/S3/S4/S5 unwritten); the FSM track is quarantined; and a convergent set of critical/high tier‑enforcement and deploy‑sequencing defects must be closed first.
- Consensus across 11 independent reviews — Grok, Gemini, Codex (live cross‑model) + 6 Claude verification lenses + the 2026‑05‑19 codex‑deep‑audit (7 BLOCKERs) + the 7/10 steelman — all land on the same core defects.
- Division of labor (your directive): engineering prep + CI = agent; audits, convergence, and the live deploy = operator.
- This audit recorded zero FSM ceremony — analysis only, honoring the quarantine.
Cross‑Model Convergence Matrix / 02
Eleven reviewers, one verdict surface
| Reviewer | Role | Verdict | Headline finding |
|---|---|---|---|
| Grok 4.3 | CEO / CTO | request_changes conditional‑go | Tier classifier bypassable by direct calls to recordCitationWithTier / ReputationEngine — no on‑contract tier source‑of‑truth. MNEMONIC from env = key‑exposure (no KMS/HW). Must pass a 7‑model panel under a non‑quarantined sprint. |
| Gemini 3.1‑pro | CTO | request_changes NO‑GO | EAS self‑deploy must be explicit in S4 (Stable has no canonical EAS); deploy script must be idempotent; any unknown/T1 tier must default to the most restrictive T0 cap. |
| Codex GPT‑5.5 | CTO | approve conditional‑go | Tier must not be derived from weak ERC‑8004 registration alone; recordCitationWithTier is a trust boundary — gate to resolver only; clamp by stored tier across every read path. |
| Claude — verify S1 | lens | verified | S1 sound: all named Shyft core present at 710536b, absent now, dual‑pragma compilers configured. |
| Claude — verify prep | lens | verified | S2 prep correct. Gaps: .deployments/ not gitignored (med); legacy testnets not dropped (low). |
| Claude — verify S3a/b/c | lens | 2 plan claims false | S3a "T0 hard‑block at lines 167‑170" false (no tier logic exists); S3c "Administrable‑gated" wrong (RMT uses OZ Ownable). S3b accurate. |
| Claude — red‑team tier | lens | HIGH risk | Citation tier byte is attacker‑controlled and discarded; no on‑chain tier identity; batch path lacks trust‑channel + attester binding. |
| Claude — red‑team deploy | lens | 3 HIGH | Seed‑brief's "RE↔CitationCounters circular dep" is fictional (real cycle = PageRankOracle↔RE); setReputationEngine is onlyMultisig; no partial‑deploy resume. |
| Claude — institutional | lens | HIGH gap | slither.config.json missing yet CI runs it with `\|\| true` (fail‑open); stablecoin fee refactor unresolved; target drift vs locked multichain doc. |
| codex‑deep‑audit 2026‑05‑19 | historical | BLOCK until re‑audited | 7 BLOCKERs — attester semantics conflict, tier misclassification, caps bypass on batch/composite, missing PageRankOracle.setReputationEngine wiring, missing Erc8004Registry, Stable config absent. |
| steelman | adversarial | 7/10 approve +4 augmentations | Cross‑tier sybil funnel: N cheap T0 bots inflate a T2 bot's PageRank; cap clamps the readout, not the manipulation. Simulator stuck 892 iters — unsuppressed until citerTierWeight (Sprint 2). |
Live dispatch IDs — grok e1ae673a · gemini 72f83466 · codex 88c82240. Reviews are analysis input only; none were recorded as FSM attestations (quarantine).
Verified Diffs vs Existing Infrastructure / 03
Every plan claim, checked against the live tree
| Plan claim | Ground truth | Evidence |
|---|---|---|
| Shyft core exists at 710536b, absent now | TRUE | git ls‑tree 710536b: 104 non‑RMT .sol present; 0 in HEAD tree |
| Dual‑pragma (0.7.x + 0.8.x) configured | TRUE | hardhat.config.ts solc 0.5.12–0.8.26 |
| stable_testnet net, chainId 2201, MetaMask path | TRUE | hardhat.config.ts:202‑211, path m/44'/60'/0'/0/ |
| S3a: "T0 hard‑blocked in attest() at lines 167‑170" | FALSE | 167‑170 = both‑bots Shyft‑attestation gate; no tier logic anywhere; attest() @139, recordCitation @184 |
| S3c: setTierCap "gated by Administrable" | FALSE | RMT contracts use OZ Ownable/onlyOwner; Administrable not in tree (it's an S1 restore) |
| getReputation clamps scores today | FALSE | ReputationEngine.sol:196‑200 — raw pageRankOracle.getScore passthrough |
| "ReputationEngine↔CitationCounters circular dep" | FALSE | setCitationCounters doesn't exist; real cycle = PageRankOracle↔ReputationEngine |
| recordCitationWithTier / tier event field exist | FALSE (to add) | CitationCounters.sol:36 event has no tier field; no overload |
| Erc8004Registry / deploy / smoke scripts exist | FALSE (greenfield, as planned) | all three absent — correct per S3/S4/S5 |
| deploy-rmt-unified.js deploys mocks + writes test key | TRUE (R4) | :51‑69 mocks; :304/:323 hardcoded Hardhat test key |
| Canonical EAS source vendored | FALSE | only mocks/MockEAS, MockSchemaRegistry — must vendor or self‑deploy + read schemaUID back |
| .deployments/ gitignored | FALSE | only /deployments ignored; deploy artifact would be committable |
| CI baseline 524 pass / 1 pending | TRUE | ran hardhat test test/rmt/test_*.js, 29s, exit 0 |
| Canonical multichain doc names Stable | FALSE — drift | MULTICHAIN_DEPLOYMENT_ARCHITECTURE = Base/OP‑Stack only; Stable only in RMT_PROTOCOL_DESIGN §6 |
| slither.config.json exists | FALSE | CI references it with `\|\| true` → fail‑open |
| R7: "Hardhat 2.22+ rejects 0n tip" | REFUTED | ethers 5.8 / hardhat 2.28 accept 0n; real risk is sequencer‑side (untested) |
| L0 scenario evidence file present | FALSE | QUARANTINE cites it, but file never committed to any branch |
Requirement Scorecard / 04
S‑prep through S6
| ID | Requirement | Status | Note / what must change |
|---|---|---|---|
| PREP | S2 network + env template + operator runbook + CI baseline | DONE | On uncommitted branch stable-testnet-deploy-prep. Add .deployments/ to .gitignore; optionally drop legacy testnets. |
| S1 | Restore real Shyft core from 710536b | NOT STARTED (feasible) | Watch OZ import collision (R11 — route via OZ4 backport); scope the checkout to the S1 set, not all 104 files. |
| S3 | Erc8004Registry.sol (top‑level) + interface + tests | NOT STARTED | Design has full body. Bridge needs only ownerOf; deploy registry before ERC8004Bridge. |
| S3a | ShyftGatedResolver tier classifier | NOT STARTED | Derive tier on‑chain from verifiedBots + Shyft attestation — never from the attestation data byte. Re‑anchor the stale "167‑170" reference. |
| S3b | CitationCounters tier‑tagged events | NOT STARTED | Gate recordCitationWithTier to the resolver; default the legacy 2‑arg / batch path to lowest tier (T0). |
| S3c | ReputationEngine per‑tier caps + setter | NOT STARTED | Clamp in all read paths (getReputation/getScore/batch/composite); bound 0<cap≤10000; reconcile Ownable‑vs‑Administrable; unknown/T1 → T0 cap. |
| S4 | deploy-stable-testnet.js (22‑step, real Shyft) | NOT STARTED | Fix wiring (PageRankOracle.setReputationEngine, multisig=deployer); make idempotent/resumable; explicit EAS self‑deploy + schemaUID read‑back; USDT0 overrides + dry‑run. |
| S5 | Smoke test register-test-agent.js | BLOCKED (faucet) | Operator funds deployer EOA via faucet (USDT0 ERC‑20 balance, not native ETH). |
| S6 | Docs (3 paths) | PARTIAL | Operator runbook done; EXECUTIVE_SUMMARY.md stale; add post‑deploy + Known‑Issues sections. |
Red‑Team Findings by Severity / 05
Confirmed, source‑verified, deduped across all reviewers
| Sev | Finding | Converged sources | Mitigation |
|---|---|---|---|
| CRIT | Tier spoof / no on‑chain tier identity. The citation tier byte is attacker‑supplied and currently discarded; tier today is only the verifiedBots bool. | Claude F1 · Codex · Grok · deep‑audit #1/#2 | Derive tier on‑chain from authoritative state; never trust the attestation payload byte; cross‑check if kept for hints. |
| HIGH | recordCitationWithTier trust boundary. If callable by arbitrary accounts or tier is caller‑supplied, attackers mint T2 citations directly. | Codex · Grok · deep‑audit | Gate to resolver/authorized engine only; negative test proving direct unauthorized T2 reverts. |
| HIGH | Cap‑clamp bypass. getReputation/getScore/batch/composite return unclamped scores; a cap applied only in one path leaks. | deep‑audit #4 · Claude F5 · Codex | Clamp uniformly across every read path; clamp by the tier stored at record time; re‑clamp on setTierCap. |
| HIGH | Deploy wiring + sequencing. Seed‑brief names a fictional circular dep; real wiring is onlyMultisig; no partial‑deploy resume → stranded funds + inconsistent state. | Claude SD‑01/02/03 · Gemini · Grok | Correct wiring (PageRankOracle.setReputationEngine, multisig=deployer); idempotent JSON ledger; pre‑flight asserts. |
| HIGH | setTierCap unbounded + wrong admin axis. Out‑of‑range cap (0 or >10000) silently wipes/disables a tier; Ownable vs Administrable vs Multisig split. | Claude F3/F4 · Grok | Bound 0<cap≤10000; validate tier enum; single documented admin authority. |
| HIGH | Cross‑tier sybil funnel. ~100 T0 bots × ~100 RMT cite a T2 target → PageRank inflates linearly; cap clamps readout, not manipulation. Simulator stuck 892 iters. | steelman · deep‑audit §F | Known‑issue in runbook; real fix = citerTierWeight (Sprint 2, ≤2‑week timebox); add pauseCitations switch. |
| MED | EAS‑on‑Stable. No canonical EAS; risk of silently deploying MockEAS to a public testnet (no access control) → false E2E confidence. | Gemini blocker · Claude SD‑06/07 · Codex | Vendor canonical MIT EAS+SchemaRegistry; record addresses; read schemaUID from the event, don't recompute. |
| MED | Unknown/T1 tier handling. Deferred T1 or an unhandled tier could yield no cap (infinite) or a revert. | Gemini | Default‑deny: any tier other than T2 → T0 cap (3500 BP). |
| MED | USDT0 gas. R7 over‑stated (ethers accepts 0n), but the Stable sequencer's 0‑tip acceptance is untested. | Claude SD‑04 · all 3 models | Re‑fetch baseFee per tx; dry‑run step 1 before the full chain; clean legacy type:0 fallback (no mixed fields). |
| MED | Secrets hygiene. Hardcoded test key in unified script; .deployments/ committable; MNEMONIC from env (no KMS). | Claude SD‑08/09 · Grok · Codex | Dedicated testnet‑only key; gitignore .deployments/; never carry the hardcoded key into S4; fail‑closed on missing mnemonic. |
| LOW | MockEAS access‑control gap if used on a public testnet (msg.sender==eas bypassable). | steelman · design §9.3 | Operator allowlist; or use the vendored canonical EAS. |
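The CRIT/HIGH findings above and the S3a/b/c scorecard rows all reduce to four checkable invariants: tier derived from authoritative state (not the attestation byte), recordCitationWithTier callable only by the resolver, one clamp shared by every read path, and a bounded setter with default‑deny for any tier other than T2. The block below is an added reference model written for this audit, not code from the antilles‑v2 tree, that encodes those invariants so the Hardhat negative tests (direct unauthorized T2 call reverts, T0 clamps at 3500 BP on every path) have an executable spec to mirror. The class and method names, the classifier rule, the per‑citation weight and the address labels are assumptions; the 3500 BP T0 cap, the 0<cap≤10000 bound and the "any non‑T2 tier gets the T0 cap" rule come from the findings.

```javascript
// Added reference model, not code from the antilles-v2 tree: an executable spec of the
// S3a/S3b/S3c invariants that the Hardhat negative tests can mirror against the real
// ShyftGatedResolver / CitationCounters / ReputationEngine. Assumed here: the classifier
// rule, the per-citation weight, and all class/method names. From the audit: the T0 cap
// of 3500 BP, the 0 < cap <= 10000 bound, and "any tier other than T2 gets the T0 cap".

const BP_DENOM = 10000n;                        // a full score is 10000 basis points
const TIER = Object.freeze({ T0: 0, T1: 1, T2: 2 });
const T0_CAP_BP = 3500n;
const CITATION_WEIGHT_BP = 1000n;               // assumed raw credit per citation

class TierCapModel {
  constructor({ owner, resolver }) {
    this.owner = owner;                          // the single documented admin authority
    this.resolver = resolver;                    // sole account allowed to record tiered citations
    this.verifiedBots = new Set();               // authoritative on-chain state the classifier reads
    this.shyftAttested = new Set();
    this.caps = new Map([[TIER.T0, T0_CAP_BP], [TIER.T2, BP_DENOM]]); // no T1 entry: deferred
    this.rawScore = new Map();                   // stands in for the PageRankOracle.getScore passthrough
    this.storedTier = new Map();                 // tier fixed at record time; every read path clamps by it
  }

  // S3c: owner-gated, bounded setter. A cap of 0 or >10000 would silently disable or wipe a tier.
  setTierCap(caller, tier, capBp) {
    if (caller !== this.owner) throw new Error('NotOwner');
    if (!Object.values(TIER).includes(tier)) throw new Error('InvalidTier');
    if (capBp <= 0n || capBp > BP_DENOM) throw new Error('CapOutOfRange');
    this.caps.set(tier, capBp);
  }

  // S3a: tier derived from verifiedBots + Shyft attestation state. The tier byte carried in
  // the attestation payload is never consulted.
  classify(bot) {
    return this.verifiedBots.has(bot) && this.shyftAttested.has(bot) ? TIER.T2 : TIER.T0;
  }

  // Default-deny: any tier without a configured cap (unknown, or the deferred T1) gets the T0 cap.
  capFor(tier) {
    return this.caps.get(tier) ?? T0_CAP_BP;
  }

  // BEFORE (the CRIT/HIGH defects): anyone can call, and the tier is whatever the caller claims.
  legacyRecordCitationWithTier(caller, citer, target, claimedTier) {
    this.storedTier.set(citer, claimedTier);
    this.rawScore.set(target, (this.rawScore.get(target) ?? 0n) + CITATION_WEIGHT_BP);
  }

  // AFTER (S3b): resolver-only trust boundary; the stored tier is the classifier's output for
  // the citer, so the claimed tier argument is deliberately ignored.
  recordCitation(caller, citer, target, _claimedTier) {
    if (caller !== this.resolver) throw new Error('NotResolver');
    this.storedTier.set(citer, this.classify(citer));
    this.rawScore.set(target, (this.rawScore.get(target) ?? 0n) + CITATION_WEIGHT_BP);
  }

  // One clamp shared by every read path, so a cap cannot leak through batch or composite reads.
  clamp(bot) {
    const raw = this.rawScore.get(bot) ?? 0n;
    const cap = this.capFor(this.storedTier.get(bot) ?? TIER.T0);
    return raw < cap ? raw : cap;
  }
  getReputation(bot) { return this.clamp(bot); }
  getReputationBatch(bots) { return bots.map((b) => this.clamp(b)); }
}

// Worked scenario with constructed labels standing in for addresses.
function runScenario() {
  const m = new TierCapModel({ owner: 'owner', resolver: 'resolver' });
  m.verifiedBots.add('t2bot'); m.shyftAttested.add('t2bot');
  const out = {};

  // 1. Legacy path: the attacker self-tags as T2 with no resolver involved.
  m.legacyRecordCitationWithTier('attacker', 'attacker', 'attacker', TIER.T2);
  out.legacySpoofedTier = m.storedTier.get('attacker');                   // 2

  // 2. Hardened path rejects the same direct call.
  try { m.recordCitation('attacker', 'attacker', 'attacker', TIER.T2); out.directCall = 'allowed'; }
  catch (e) { out.directCall = e.message; }                                // NotResolver

  // 3. Through the resolver the claimed T2 byte is discarded; stored tier is the derived T0.
  m.recordCitation('resolver', 'attacker', 'attacker', TIER.T2);
  out.derivedTier = m.storedTier.get('attacker');                          // 0

  // 4. Three more citations lift the raw score to 5000 BP; both read paths clamp at 3500.
  for (let i = 0; i < 3; i++) m.recordCitation('resolver', 't2bot', 'attacker', TIER.T0);
  out.rawAttacker = m.rawScore.get('attacker');                            // 5000n
  out.clampedAttacker = m.getReputation('attacker');                       // 3500n
  out.batchAttacker = m.getReputationBatch(['attacker'])[0];               // 3500n

  // 5. Setter bounds and default-deny for the deferred tier.
  try { m.setTierCap('owner', TIER.T2, 0n); out.zeroCap = 'accepted'; } catch (e) { out.zeroCap = e.message; }
  try { m.setTierCap('owner', 7, 5000n); out.badTier = 'accepted'; } catch (e) { out.badTier = e.message; }
  out.t1Cap = m.capFor(TIER.T1);                                           // 3500n
  return out;
}
```

Note what step 4 does not show: the raw score still reached 5000 BP, so the clamp bounds the readout only. That is the cross‑tier sybil funnel from the HIGH row above, and the model has no citerTierWeight because the plan defers it to Sprint 2.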
Institutional Gaps & Mainnet Pre‑Reqs / 06
Testnet‑grade today — what stands between here and institution‑grade
| Gap | Status | Gate |
|---|---|---|
| Multisig / Gnosis Safe owner (currently deployer EOA) | testnet OK | MAINNET BLOCKER — RMT_PROTOCOL_DESIGN §9‑11: "single‑key multisig is security theater" |
| Upgradeability / immutability policy (no proxy) | undocumented | Document redeploy‑and‑rewire blast radius before mainnet |
| Monitoring / alerting (oracle SLO, 2‑missed‑epoch alert) | deferred | Hard mainnet pre‑req (oracle/src untouched this sprint) |
| Slither config + remove `\|\| true` + external audit | fail‑open | Concrete institutional defect — fix the CI gate now; external audit before mainnet |
| Stablecoin fee refactor (UR‑2 / S31) | unresolved | ReputationEngine still uses rmtToken.safeTransferFrom; testnet fee=0 so no live conflict; mainnet pre‑req |
| Reputation calibration | provisional | tierAccuracy 0.30 vs 0.70, composite 0.512 vs 0.80; only T0/T2 caps enforced — testnet IS the calibration corpus |
| Roadmap reconciliation (target drift) | drift | Locked multichain doc = Base/OP‑Stack; Stable only in design doc — reconcile the two source‑of‑truth docs |
| L0 end‑to‑end scenario evidence | missing | File cited by QUARANTINE but never committed — author before PLAN re‑validation |
Corrected Deploy Sequence / 07
22‑step chain — with the audit's wiring fix
1. Restored real Shyft core (S1): Administrable · TrustAnchorStorage/Manager · ShyftCacheGraph · ShyftConduit · Antilles/* · libs — from 710536b. Not mocks.
2. EAS + SchemaRegistry (self‑deploy): canonical MIT contracts (vendored). Read schemaUID back from the event — don't recompute off‑chain.
3. RMT core + tier contracts: RMTToken · ReputationEngine (caps) · PageRankOracle · ShyftGatedResolver (on‑chain tier classifier) · CitationCounters (resolver‑gated tier events).
4. Erc8004Registry → ERC8004Bridge: registry first (S3); bridge consumes its ownerOf via constructor. Then Domain registry/factory.
5. Wiring — corrected: the real cycle is PageRankOracle↔ReputationEngine, not RE↔CitationCounters. Call PageRankOracle.setReputationEngine (gated onlyMultisig → set multisig=deployer on testnet) + resolver set*.
6. Idempotent JSON ledger: append each address to .deployments/stable-testnet.json as deployed; resume by skipping addresses with code. Gitignore the dir.
7. Smoke (S5, faucet‑gated): register test agent → Erc8004Registry.ownerOf(1) → tier‑aware citation E2E → assert T0 clamps at 3500 BP.
Locked decisions
- Q4 — Erc8004Registry at top‑level: contracts/contracts/, not under RMT/.
- Q5 — Two PRs: PR‑INFRA (S1+S2+S3+S6) and PR‑TIER (S3a/b/c+S4+S5); tier work gets a dedicated audit panel.
- Q6 — USDT0 gas via per‑tx maxPriorityFeePerGas:0, baseFee re‑fetched per tx (0.7s blocks; 22 txs span 15+ blocks).
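The two deploy‑sequencing fixes in this section, the idempotent ledger that resumes by checking for code and the per‑tx fee overrides from Q6, are small enough to show together. The block below is an added example written for this audit, not the project's deploy-stable-testnet.js or deploy-rmt-unified.js. It keeps the provider and the persistence injected so it runs offline against a constructed in‑memory store and a fake provider whose baseFee rises every block; in the real script `load`/`save` become reads and writes of .deployments/stable-testnet.json and `provider` is the Hardhat ethers provider (`getBlock('latest')` and `getCode(addr)` exist on ethers v5 providers; `BigInt(block.baseFeePerGas)` accepts a bigint or an ethers BigNumber via its decimal toString). The ledger shape, the helper names, the 2× baseFee headroom and the contract order in the scenario are assumptions; chainId 2201 and the skip‑if‑code rule come from the plan.

```javascript
// Added example, not the project's deploy script: resume-safe ledger + per-tx USDT0 fee
// overrides from section 07 / Q6. Provider and persistence are injected so this runs offline.
// Assumed: ledger shape, helper names, 2x baseFee headroom. From the plan: chainId 2201,
// maxPriorityFeePerGas 0, baseFee re-fetched per tx, skip a step only if its address has code.

const STABLE_CHAIN_ID = 2201;                   // stable_testnet per hardhat.config.ts

// Fee overrides fetched from the latest block for every tx. With 0.7 s blocks a baseFee
// read once at the start of a 22-tx chain is stale long before the chain finishes.
async function feeOverrides(provider, headroom = 2n) {
  const block = await provider.getBlock('latest');
  if (block.baseFeePerGas == null) {
    // A chain without EIP-1559 needs a clean type-0 path, never gasPrice mixed into these fields.
    throw new Error('no baseFeePerGas in latest block');
  }
  const baseFee = BigInt(block.baseFeePerGas);
  return { maxPriorityFeePerGas: 0n, maxFeePerGas: baseFee * headroom };
}

// Resume-safe step. A ledger entry counts only if its address has code; an entry whose tx
// never landed (partial deploy, dropped tx) is redeployed and overwritten.
async function deployStep(ctx, name, deployFn) {
  const known = ctx.ledger.contracts[name];
  if (known && (await ctx.provider.getCode(known)) !== '0x') {
    return { name, address: known, skipped: true };
  }
  const overrides = await feeOverrides(ctx.provider);
  const address = await deployFn(overrides);
  ctx.ledger.contracts[name] = address;
  await ctx.save(ctx.ledger);                   // persist after every step, not at the end of the run
  return { name, address, skipped: false, overrides };
}

// The ledger is bound to the chain so a Hardhat or Base ledger cannot be resumed against Stable.
async function loadOrInitLedger(ctx) {
  const existing = await ctx.load();
  if (existing && existing.chainId !== STABLE_CHAIN_ID) {
    throw new Error(`ledger belongs to chainId ${existing.chainId}`);
  }
  return existing ?? { chainId: STABLE_CHAIN_ID, contracts: {} };
}

// Constructed offline stand-ins: an in-memory store (the real script reads and writes
// .deployments/stable-testnet.json here) and a provider whose baseFee rises each block.
function memoryStore() {
  let data = null;
  return { load: async () => data, save: async (l) => { data = JSON.parse(JSON.stringify(l)); } };
}
function fakeProvider() {
  const withCode = new Set();
  let baseFee = 1_000_000_000n;
  return {
    withCode,
    getCode: async (addr) => (withCode.has(addr) ? '0x6080' : '0x'),
    getBlock: async () => { baseFee += 100_000_000n; return { baseFeePerGas: baseFee }; },
  };
}

async function runScenario() {
  const provider = fakeProvider();
  const store = memoryStore();
  let n = 0;
  // Constructed deployer: each call "lands" a contract at a fresh address with code.
  const deploy = async () => { const a = '0x' + String(++n).padStart(40, '0'); provider.withCode.add(a); return a; };

  // Run 1: fresh ledger, two steps land.
  const run1 = { provider, ...store };
  run1.ledger = await loadOrInitLedger(run1);
  const token = await deployStep(run1, 'RMTToken', deploy);
  const engine = await deployStep(run1, 'ReputationEngine', deploy);

  // Run 2: the operator re-runs after a crash. RMTToken is skipped because its code exists.
  const run2 = { provider, ...store };
  run2.ledger = await loadOrInitLedger(run2);
  const tokenAgain = await deployStep(run2, 'RMTToken', deploy);
  // A third entry was written but its tx never landed: no code at that address, so redeploy.
  const dead = '0x' + 'de'.repeat(20);
  run2.ledger.contracts.PageRankOracle = dead;
  const oracle = await deployStep(run2, 'PageRankOracle', deploy);

  return {
    tokenSkippedOnRerun: tokenAgain.skipped && tokenAgain.address === token.address,
    oracleRedeployed: !oracle.skipped && oracle.address !== dead,
    tipIsZero: token.overrides.maxPriorityFeePerGas === 0n && oracle.overrides.maxPriorityFeePerGas === 0n,
    baseFeeRefetched: oracle.overrides.maxFeePerGas > engine.overrides.maxFeePerGas,
    ledgerChainId: run2.ledger.chainId,
  };
}

runScenario().then((r) => console.log(JSON.stringify(r, (_, v) => (typeof v === 'bigint' ? v.toString() : v), 2)));
```

The pre‑flight asserts the audit asks for slot in before run 1 (deployer balance in USDT0, chainId from the provider equal to 2201, ledger chainId match); the dry‑run of step 1 is the same `deployStep` call with a `deployFn` that estimates gas and returns without sending.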
Scope discipline (don't over‑engineer)
- Only 2 of 11 calibrated params reach this deploy (T0/T2 caps). The other 9 + citerTierWeight defer to Sprint 2 — by design.
- Testnet uses a deployer EOA, fee=0, self‑deployed EAS. Multisig/upgradeability/fee‑refactor are explicit mainnet pre‑reqs, not testnet scope.
- Zero changes to oracle/src/. Mainnet, bridges, x402 marketplace all out of scope.
Quarantine & Gated Path / 08
The FSM track is frozen — ceremony, not content
SEED→PLAN and PLAN→DESIGN were attested under the synthetic‑review failure mode (operator‑authored summaries, no Tier‑1 signed dispatch evidence). The recorded SHA 1110d45 was fabricated‑provenance and reverted by 5c6e1cf.
Valid: seed‑brief, plan, design, steelman, this audit. Invalid: the reviews/attestations at 6c6e8753 & 1110d45.
Do NOT run forge review/attest/transition on this track, push commits referencing its sprint state, or drop a design-doc artifact that silently satisfies the FSM guard — until TIER_1_SIGNED_DISPATCH_EVIDENCE_v1 (A0) ships.
Path back to a real, audited deploy
1. Ship A0 (Tier‑1 signed dispatch evidence).
2. Re‑base STABLE_DEPLOY_v1 on a non‑reverted SHA.
3. Re‑run the 7‑model convergence panel with signed receipts (this audit is the dry‑run).
4. Re‑record reviews + attestations via the overwatch‑signed path.
5. Resume from PLAN, then BUILD the named hardening, VALIDATE, CODE_REVIEW, AUDIT.
Then, and only then: operator funds the faucet, runs the idempotent deploy, and verifies on testnet.stablescan.xyz. No on‑chain action is irreversible until you broadcast.