[real-value/contracts] add pilot proof command

contracts/ACCESS_CONTROL_REVIEW.md

@@ -10,6 +10,83 @@ They also do not enforce cross-contract dependency existence. For example, a wor
 
 No current contract exposes bridge finality or a challenge lifecycle. `REORGED` is an allowed verifier-report status for local/test reconciliation, not a Solidity finality proof, production bridge state, or challenge-resolution mechanism.
 
+## BaseBridgeLockbox
+
+Owner model: one constructor `initialOwner` controls the lockbox configuration.
+
+Owner-gated functions:
+
+- `transferOwnership`
+- `setReleaseAuthority`
+- `setPaused`
+- `configureToken`
+
+Release-authority-gated functions:
+
+- `releaseNative`
+- `releaseERC20`
+
+Current protections:
+
+- zero owner and zero release authority rejected
+- only allowlisted tokens can be deposited
+- allowed tokens require a nonzero per-deposit cap
+- optional per-asset total cap prevents total locked accounting from exceeding
+  the configured pilot cap
+- total cap cannot be lowered below currently locked amount
+- pause blocks new deposits
+- releases require explicit release authority, a recorded deposit, matching
+  token, available amount, and nonzero evidence hash
+- release replay is blocked for identical deposit, recipient, token, amount, and
+  evidence hash
+- direct native transfers outside `lockNative` are rejected
+
+Launch risk to watch:
+
+- pause intentionally does not block releases, so pilot operators can unwind
+  deposits while deposits are stopped.
+- release authority is a trusted pilot role, not a decentralized validator set
+  or finality proof.
+- nonstandard ERC-20 behavior such as transfer fees, rebasing, or callbacks is
+  outside the pilot safety claim.
+- native releases use Solidity `transfer`; gas-heavy smart-contract recipients
+  can fail and should not be used for pilot recovery without separate review.
+- a compromised owner or release authority can misuse the POC; emergency
+  response is limited to pause, cap changes, allowlist disablement, authority
+  rotation, and explicit release/recovery calls.
+
+## FlowChainSettlementSpine
+
+Owner model: one constructor `initialOwner` controls submitter authorization.
+
+Owner-gated functions:
+
+- `transferOwnership`
+- `setSubmitterAuthorization`
+
+Submitter-gated functions:
+
+- `commitObject` requires an authorized submitter.
+
+Current protections:
+
+- zero owner rejected
+- zero submitter rejected for authorization changes
+- owner is authorized as the first submitter
+- unauthorized submitters cannot commit objects
+- zero object type, object id, rootfield id, and commitment rejected
+- duplicate object ids rejected
+- committed object records can be read by object id
+
+Launch risk to watch:
+
+- submitter authorization is a coordination control, not proof of object
+  correctness.
+- unknown object types are allowed so local experiments can proceed, but
+  downstream agents should treat unknown types as unsupported until documented.
+- events omit `txHash`, `logIndex`, receipt status, and finality status;
+  indexers derive locator fields after receipts and logs exist.
+
 ## RootfieldRegistry
 
 Owner model: each `rootfieldId` has one owner.

contracts/DEPLOYMENT_BOUNDARY.md

@@ -1,6 +1,6 @@
 # Contracts Deployment Boundary
 
-Status: V0 local and Base Sepolia readiness boundary.
+Status: V0 local, Base Sepolia, and capped Base public-network pilot boundary.
 
 The current contracts are a compact event and commitment spine. They store intentional roots, receipt/report commitments, registry metadata hashes, counters, and status fields only. Heavy artifacts, AI memory, media, model data, verifier evidence, and receipt reconstruction data remain off-chain.
 
@@ -15,6 +15,10 @@ For the private/local FlowChain testnet package, these Solidity contracts are op
   including CREATE2 salt mining for the exact hook flag target.
 - Base Sepolia reads from explicit RPC URLs.
 - Guarded Base mainnet canary reads and source-verification dry runs for the documented V0 canary addresses only.
+- Capped Base chain id `8453` bridge-pilot dry runs and explicit broadcasts for
+  `BaseBridgeLockbox` and `FlowChainSettlementSpine` only, with local env
+  acknowledgement, explicit owner/release authority, allowlisted assets, and
+  nonzero configured total caps.
 - Public docs that describe emitted events, roots, receipts, and off-chain verification paths.
 
 ## Not Allowed Yet
@@ -28,7 +32,7 @@ For the private/local FlowChain testnet package, these Solidity contracts are op
 - Broad Base mainnet scans outside the documented canary reader guardrails.
 - Token launch, rewards, slashing, or fee-market mechanics.
 - Dynamic Uniswap v4 fee hooks.
-- Custody of user tokens.
+- Uncapped or unreviewed custody of user tokens.
 - Claims that contracts can know `txHash` or `logIndex` during execution.
 - Claims that on-chain storage is free or that arbitrary AI data is stored on-chain.
 
@@ -140,6 +144,13 @@ outside Git.
 The detailed public testnet rehearsal runbook is
 `docs/DEPLOYMENTS/BASE_SEPOLIA_REHEARSAL.md`.
 
+`script/DeployBridgeSpine.s.sol` is a separate dry-run-by-default bridge-spine
+script for local Anvil `31337`, Base Sepolia `84532`, and the capped Base
+`8453` pilot. The `8453` path requires `FLOWCHAIN_BASE8453_PILOT_ACK=true` and
+nonzero total caps for every configured asset. The script deploys the existing
+lockbox and settlement spine only; it does not create a new bridge architecture
+or broad public bridge approval.
+
 `verify:base-canary:sources` reads `fixtures/deployments/base-canary-v0.json`
 and prints a dry-run verification plan by default. It also writes the same
 non-secret plan to
@@ -164,6 +175,11 @@ submission uses `npm run verify:base-canary:sources:submit` and requires
 - `ArtifactRegistry`: artifact commitment metadata.
 - `CursorRegistry`: off-chain cursor commitment metadata.
 - `WorkDebtScheduler`: work-state commitments without token debt.
+- `BaseBridgeLockbox`: capped bridge-pilot lockbox with owner configuration,
+  explicit release authority, pause, allowlisted assets, per-deposit caps,
+  per-asset total caps, deposit replay guards, and release replay guards.
+- `FlowChainSettlementSpine`: object commitment event spine for bridge,
+  control-plane, memory, and finality object references.
 
 ## Post-Deploy Checks
 

contracts/FlowChainSettlementSpine.sol

@@ -18,6 +18,9 @@ contract FlowChainSettlementSpine {
     }
 
     bytes32 public constant BRIDGE_DEPOSIT_OBJECT = keccak256("flowchain.object.bridge-deposit.v0");
+    bytes32 public constant BRIDGE_CREDIT_OBJECT = keccak256("flowchain.object.bridge-credit.v0");
+    bytes32 public constant BRIDGE_WITHDRAWAL_INTENT_OBJECT =
+        keccak256("flowchain.object.bridge-withdrawal-intent.v0");
     bytes32 public constant MEMORY_OBJECT = keccak256("flowchain.object.memory.v0");
     bytes32 public constant FINALITY_OBJECT = keccak256("flowchain.object.finality.v0");
 

contracts/bridge/BaseBridgeLockbox.sol

@@ -204,11 +204,11 @@ contract BaseBridgeLockbox {
         nonReentrant
         returns (bytes32 releaseId)
     {
-        releaseId = _recordRelease(depositId, recipient, NATIVE_TOKEN, amount, evidenceHash);
-        (bool ok,) = recipient.call{value: amount}("");
-        if (!ok) {
-            revert TransferFailed();
+        if (recipient == address(0)) {
+            revert ZeroRecipient();
         }
+        releaseId = _recordRelease(depositId, recipient, NATIVE_TOKEN, amount, evidenceHash);
+        recipient.transfer(amount);
     }
 
     function releaseERC20(bytes32 depositId, address recipient, address token, uint256 amount, bytes32 evidenceHash)

docs/FLOWCHAIN_REAL_VALUE_PILOT.md

@@ -19,8 +19,8 @@ approval.
 
 ## Current Baseline
 
-Current `main` after PR #144 merged at
-`6272bf1f41761ddd5cb80a0b780fd000d74b5026`:
+Current `main` after PR #145 merged at
+`91b4d5d033857f1d10526912d852d13ff2e86a23`:
 
 - `npm run flowchain:product-e2e` exists as the local product testnet gate.
 - `npm run flowchain:full-smoke` exists as the private/local L1 baseline gate.
@@ -35,6 +35,8 @@ Current `main` after PR #144 merged at
   #143 merged.
 - `npm run flowchain:real-value-pilot:ops` exists on `main` after PR #144
   merged.
+- `npm run flowchain:real-value-pilot:bridge` exists on `main` after PR #145
+  merged.
 
 GitHub source-of-truth state checked for this pass:
 
@@ -48,8 +50,9 @@ GitHub source-of-truth state checked for this pass:
 - Issue #136 is closed; PR #143 merged the wallet/operator pilot proof
   command.
 - Issue #135 is closed; PR #144 merged the ops/installer pilot proof command.
-- Issues #133, #138, and #134 remain the open subsystem proof blockers for
-  strict pilot-gate pass.
+- Issue #138 is closed; PR #145 merged the bridge relayer pilot proof command.
+- Issues #133 and #134 remain the open subsystem proof blockers for strict
+  pilot-gate pass.
 
 ## Final Gate
 
@@ -139,11 +142,11 @@ the proof is branch-local or verified from `main`.
 | --- | --- | --- | --- |
 | Existing product testnet gate remains green. | HQ/Ops | `npm run flowchain:product-e2e` | Existing command; run before PR when practical. |
 | L1 baseline gate remains green. | HQ/Ops | `npm run flowchain:l1-e2e` | Exists on `main` as current alias to `flowchain:full-smoke`; latest local main-equivalent run passed. |
-| Base chain ID `8453` is verified before any live observer or deployment action. | Contracts + Bridge + Ops | `npm run flowchain:real-value-pilot:contracts`; `npm run flowchain:real-value-pilot:bridge`; `npm run flowchain:real-value-pilot:ops` | Contracts command is still missing; bridge branch command added here pending PR merge; ops is merged. |
-| Lockbox address is loaded from ignored local config or env, not hardcoded as a blanket endorsement. | Contracts + Ops | `npm run flowchain:real-value-pilot:contracts`; `npm run flowchain:real-value-pilot:ops` | Contracts command is still missing; ops is merged. |
-| Per-deposit cap, total pilot cap, supported-asset allowlist, pause, release, recovery, and replay protection are covered by tests and dry-run deployment evidence. | Contracts | `npm run flowchain:real-value-pilot:contracts` | Missing dedicated pilot command. |
-| Deposit observation writes deterministic observation, credit, and evidence files. | Bridge relayer | `npm run flowchain:real-value-pilot:bridge` | Branch command added here; local proof passes, pending PR merge. |
-| Duplicate Base event replay is rejected or idempotent with explicit evidence. | Bridge relayer + Chain runtime | `npm run flowchain:real-value-pilot:bridge`; `npm run flowchain:real-value-pilot:runtime` | Bridge branch command added here; runtime command still missing. |
+| Base chain ID `8453` is verified before any live observer or deployment action. | Contracts + Bridge + Ops | `npm run flowchain:real-value-pilot:contracts`; `npm run flowchain:real-value-pilot:bridge`; `npm run flowchain:real-value-pilot:ops` | Contracts branch command added here; bridge and ops are merged. |
+| Lockbox address is loaded from ignored local config or env, not hardcoded as a blanket endorsement. | Contracts + Ops | `npm run flowchain:real-value-pilot:contracts`; `npm run flowchain:real-value-pilot:ops` | Contracts branch command added here; ops is merged. |
+| Per-deposit cap, total pilot cap, supported-asset allowlist, pause, release, recovery, and replay protection are covered by tests and dry-run deployment evidence. | Contracts | `npm run flowchain:real-value-pilot:contracts` | Branch command added here; local proof passes, pending PR merge. |
+| Deposit observation writes deterministic observation, credit, and evidence files. | Bridge relayer | `npm run flowchain:real-value-pilot:bridge` | Merged on `main` by PR #145; latest local main-equivalent proof passed. |
+| Duplicate Base event replay is rejected or idempotent with explicit evidence. | Bridge relayer + Chain runtime | `npm run flowchain:real-value-pilot:bridge`; `npm run flowchain:real-value-pilot:runtime` | Bridge proof is merged; runtime command still missing. |
 | Local runtime applies each pilot bridge credit exactly once and preserves state across restart/export/import. | Chain runtime | `npm run flowchain:real-value-pilot:runtime` | Missing dedicated pilot command. |
 | Operator wallet can sign pilot acknowledgements, withdrawal intents, release evidence, and emergency messages without committing secrets. | Wallet/operator | `npm run flowchain:real-value-pilot:wallet` | Merged on `main` by PR #143; latest local main-equivalent proof passed. |
 | Wallet verification rejects wrong chain ID, wrong contract, wrong operator, mutated payload, replay nonce, expired message, and missing cap fields. | Wallet/operator | `npm run flowchain:real-value-pilot:wallet` | Merged on `main` by PR #143; latest local main-equivalent proof passed. |
@@ -162,9 +165,9 @@ from `main`.
 
 | Area | In-flight branch state | Required next step |
 | --- | --- | --- |
-| Contracts | `agent/real-value-pilot-contracts` checklist reports the contracts proof complete, including hardening, deploy dry-run, and product E2E. | Rebase onto `6272bf1`, expose `flowchain:real-value-pilot:contracts`, rerun evidence, and open a PR. |
-| Bridge relayer | This branch adapts `agent/real-value-pilot-bridge` work onto `6272bf1` and exposes branch-local `flowchain:real-value-pilot:bridge`. | Open a PR for issue #138 so the proof command lands on `main`. |
-| Chain runtime | `agent/real-value-pilot-chain` checklist reports runtime credit/replay/restart/export proof complete through the direct wrapper; root package command is missing. | Rebase onto `6272bf1`, expose `flowchain:real-value-pilot:runtime`, rerun evidence, and open a PR. |
+| Contracts | This branch adapts `agent/real-value-pilot-contracts` work onto `91b4d5d` and exposes branch-local `flowchain:real-value-pilot:contracts`. | Open a PR for issue #133 so the proof command lands on `main`. |
+| Bridge relayer | `flowchain:real-value-pilot:bridge` merged on `main` through PR #145 and closed issue #138. | No bridge relayer blocker remains for the final pilot gate. |
+| Chain runtime | `agent/real-value-pilot-chain` checklist reports runtime credit/replay/restart/export proof complete through the direct wrapper; root package command is missing. | Rebase onto `91b4d5d`, expose `flowchain:real-value-pilot:runtime`, rerun evidence, and open a PR. |
 | Wallet/operator | `flowchain:real-value-pilot:wallet` merged on `main` through PR #143 and closed issue #136. | No wallet/operator blocker remains for the final pilot gate. |
 | Control plane/dashboard | `flowchain:real-value-pilot:control-dashboard` merged on `main` through PR #142 and closed issue #137. | No control-dashboard blocker remains for the final pilot gate. |
 | Ops/installer | `flowchain:real-value-pilot:ops` merged on `main` through PR #144 and closed issue #135. | No ops/installer blocker remains for the final pilot gate. |
@@ -194,8 +197,8 @@ in committed files, or if any document presents the pilot as public readiness.
 
 ## Current Blockers
 
-- Dedicated real-value contracts gate does not exist; tracked by issue #133.
-- Dedicated real-value bridge relayer gate exists branch-locally and passes; tracked by issue #138 until merged.
+- Dedicated real-value contracts gate exists branch-locally and passes; tracked by issue #133 until merged.
+- Dedicated real-value bridge relayer gate is merged on `main`; issue #138 is closed by PR #145.
 - Dedicated real-value runtime gate does not exist; tracked by issue #134.
 - Dedicated real-value wallet/operator gate is merged on `main`; issue #136 is closed by PR #143.
 - Dedicated real-value control-plane/dashboard gate is merged on `main`; issue #137 is closed by PR #142.
@@ -211,7 +214,7 @@ in committed files, or if any document presents the pilot as public readiness.
 | Area | Issue | Required command |
 | --- | --- | --- |
 | Contracts | #133 | `npm run flowchain:real-value-pilot:contracts` |
-| Bridge relayer | #138 | `npm run flowchain:real-value-pilot:bridge` |
+| Bridge relayer | #138, closed by PR #145 | `npm run flowchain:real-value-pilot:bridge` |
 | Chain runtime | #134 | `npm run flowchain:real-value-pilot:runtime` |
 | Wallet/operator | #136, closed by PR #143 | `npm run flowchain:real-value-pilot:wallet` |
 | Control plane/dashboard | #137, closed by PR #142 | `npm run flowchain:real-value-pilot:control-dashboard` |

docs/agent-runs/real-value-pilot-contracts/CHECKLIST.md

@@ -0,0 +1,32 @@
+# Real-Value Pilot Contracts Checklist
+
+## Acceptance
+
+- [x] `forge test` passes.
+- [x] `npm run contracts:hardening` passes.
+- [x] Lockbox supports chain ID `8453` deployment configuration.
+- [x] Contract enforces per-deposit cap and total pilot cap.
+- [x] Contract supports allowlisted asset(s) only.
+- [x] Pause blocks deposits.
+- [x] Authorized release/recovery path remains possible while paused.
+- [x] Replay protection prevents duplicate release/deposit accounting.
+- [x] Events contain deterministic relayer inputs without contract-side
+  `txHash`/`logIndex` assumptions.
+- [x] Dry-run deployment script exists.
+- [x] Broadcast deployment script requires explicit local env ack and never
+  commits keys.
+- [x] Verification/source command or instructions exist.
+- [x] Contract docs explain owner, release authority, cap, pause, replay, and
+  emergency assumptions.
+- [x] `npm run flowchain:product-e2e` still passes or breakage is assigned.
+
+## Work Items
+
+- [x] Read required repo docs.
+- [x] Inspect current main contracts and tests.
+- [x] Inspect `E:\FlowMemory\flowmemory-contracts` active long-loop work.
+- [x] Inspect `E:\FlowMemory\flowmemory-bridge-full` event expectations.
+- [x] Update settlement object vocabulary and tests.
+- [x] Update deployment gating for Base `8453` pilot.
+- [x] Update bridge and deployment docs.
+- [x] Run verification commands and record exact results.

docs/agent-runs/real-value-pilot-contracts/EXPERIMENTS.md

@@ -0,0 +1,35 @@
+# Real-Value Pilot Contracts Experiments
+
+## Commands
+
+Commands will be recorded here with pass/fail status and concise evidence.
+
+| Command | Status | Notes |
+| --- | --- | --- |
+| `forge test --match-path tests/bridge/BaseBridgeLockbox.t.sol` | pass | 17 passed, 0 failed. |
+| `forge test --match-path tests/FlowChainSettlementSpine.t.sol` | pass | 8 passed, 0 failed. |
+| `npm run flowchain:real-value-pilot:contracts` | pass | Focused tests passed, `contracts:hardening` passed with 87 tests, local Anvil dry run passed, Base `8453` missing ack rejected, Base `8453` acknowledged dry run passed, and report written under `devnet/local/real-value-pilot/contracts-e2e/`. |
+| Local Anvil `forge script` dry run | pass | `DeployBridgeSpine` simulated on chain `31337` from the root proof wrapper. |
+| Base `8453` missing-ack dry run | pass | Rejected with `Base8453PilotAckRequired`. |
+| Base `8453` acknowledged dry run | pass | Simulated on chain `8453` with `FLOWCHAIN_BASE8453_PILOT_ACK=true` and nonzero native total cap. |
+| `npm run flowchain:product-e2e` | pass | Product Testnet V1 E2E passed. Generated outputs were restored afterward. |
+| `npm run flowchain:l1-e2e` | pass | Private/local L1 full-smoke alias passed. Generated outputs were restored afterward. |
+| `git diff --check` | pass | Exit 0; Git printed CRLF normalization warnings only. |
+| `node infra/scripts/check-unsafe-claims.mjs` | pass | Unsafe-claim scan passed. |
+| `npm run flowchain:real-value-pilot:e2e -- -AllowIncomplete` | pass | Incomplete coordination report now lists only runtime #134 missing. |
+| `npm run flowchain:real-value-pilot:e2e` | expected fail | Strict final gate fails clearly with only runtime #134 missing. |
+
+## Additional Commands
+
+- `forge fmt --check contracts/FlowChainSettlementSpine.sol script/DeployBridgeSpine.s.sol tests/FlowChainSettlementSpine.t.sol tests/bridge/BaseBridgeLockbox.t.sol`: the source branch recorded existing line-ending/format normalization noise; no broad formatter pass is included in this integration branch.
+- `contracts:hardening` keeps Slither optional by default after the HQ policy merge. Explicit Slither audit remains `npm run contracts:hardening:slither` and is outside this contracts proof PR.
+
+## Findings
+
+- The relayer already supports Base `8453` observations in its schema and code,
+  but Base mainnet canary mode is read-only on the bridge-full side.
+- Contract-side work should preserve the existing `BridgeDeposit` ABI so the
+  relayer's parser remains compatible.
+- `DeployBridgeSpine` now gates local Anvil `31337`, Base Sepolia `84532`, and
+  Base `8453`; the `8453` path requires `FLOWCHAIN_BASE8453_PILOT_ACK=true` and
+  nonzero total caps for configured assets.