Harden FlowChain completion audit gating

Author: FlowmemoryAI

docs/agent-runs/live-product-infra-rpc/ARCHITECTURE_AUDIT.md

@@ -1,6 +1,6 @@
 # FlowChain Architecture Audit
 
-Generated: 2026-05-16T05:40:03.6154266Z
+Generated: 2026-05-16T08:07:28.3494382Z
 Status: blocked
 Blocked only on known external owner inputs: True
 
@@ -21,7 +21,7 @@ Blocked only on known external owner inputs: True
 
 | Layer | Requirement | Status | Evidence |
 | --- | --- | --- | --- |
-| L1 runtime | The block-producing node and service lifecycle are separated from RPC, run in live profile, and expose fresh state evidence. | passed | serviceStatus=passed, liveProfile=True, maxBlocks=0, nodeRunning=True, controlPlaneRunning=True, latestHeight=31145, finalizedHeight=31145 |
+| L1 runtime | The block-producing node and service lifecycle are separated from RPC, run in live profile, and expose fresh state evidence. | passed | serviceStatus=passed, liveProfile=True, maxBlocks=0, nodeRunning=True, controlPlaneRunning=True, latestHeight=32963, finalizedHeight=32963 |
 | Operations | Operations has explicit status, monitor, ops snapshot, and emergency controls that classify incidents separately from owner-input blockers. | passed | monitorStatus=passed, samples=2, heightAdvanced=True, opsSnapshot=blocked, criticalCount=0 |
 | RPC/API | The control-plane API has explicit health/discovery/readiness/CORS/rate-limit validation before it can be exposed publicly. | passed | validationStatus=passed, corsAllowed=True, corsRejected=True, endpointChecks=True, rateLimitProbe=True, rateLimitRejected=True, rateLimitRetryAfter=True, responseHygiene=True |
 | Public edge | External RPC exposure is a distinct owner-operated edge with TLS, allowed origins, rate limits, endpoint checks, and response hygiene. | blocked | publicRpcStatus=blocked, publicRpcReady=False |

docs/agent-runs/live-product-infra-rpc/COMPLETION_AUDIT.md

@@ -1,21 +1,21 @@
 # FlowChain Completion Audit
 
-Generated: 2026-05-16T00:43:28.0428635Z
+Generated: 2026-05-16T08:07:29.2981212Z
 Status: blocked
 Completion ready: False
-Latest observed height: 25272
+Latest observed height: 32963
 
 ## Prompt-To-Artifact Checklist
 
 | Requirement | Status | Evidence | Commands |
 | --- | --- | --- | --- |
 | Chain service is running in live profile and command lines match this worktree. | passed | service-status status=passed, node=running, controlPlane=running, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\service-status-report.json | npm run flowchain:service:status |
-| Chain is producing/finalizing blocks and state is fresh. | passed | latestHeight=25272, stateFileLastWriteAgeSeconds=3, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\service-status-report.json | npm run flowchain:service:status |
-| Live service monitor observes running services and advancing block height over a sampling window. | passed | monitorStatus=passed, samples=2, heightAdvanced=True, heights=25167->25174, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\service-monitor-report.json | npm run flowchain:service:monitor -- -DurationSeconds 20 -PollSeconds 5 -MaxStateAgeSeconds 90 |
+| Chain is producing/finalizing blocks and state is fresh. | passed | latestHeight=32963, stateFileLastWriteAgeSeconds=3, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\service-status-report.json | npm run flowchain:service:status |
+| Live service monitor observes running services and advancing block height over a sampling window. | passed | monitorStatus=passed, samples=2, heightAdvanced=True, heights=32817->32824, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\service-monitor-report.json | npm run flowchain:service:monitor -- -DurationSeconds 20 -PollSeconds 5 -MaxStateAgeSeconds 90 |
 | People can create wallets through the RPC service without receiving secret material. | passed | testerWalletCreates=4, secretMaterialReturned=false, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\live-service-tester-network-e2e-report.json | npm run flowchain:wallet:live-tester:e2e |
-| Wallet-to-wallet transfers sent through the running service settle on produced blocks. | passed | single-transfer blocks 25061->25081, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\live-service-wallet-e2e-report.json | npm run flowchain:wallet:live-service:e2e |
-| A small tester group can create wallets, receive funds, and send funds to each other through the running service. | passed | testerCount=4, transfers=4, blocks=25088->25111, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\live-service-tester-network-e2e-report.json | npm run flowchain:wallet:live-tester:e2e |
-| Clients can connect to the private RPC service for health, discovery, readiness, chain, and wallet methods. | passed | localTesterRehearsalReady=True, latestHeight=25272, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\external-tester-readiness-report.json | npm run flowchain:tester:readiness -- -AllowBlocked |
+| Wallet-to-wallet transfers sent through the running service settle on produced blocks. | passed | single-transfer blocks 32681->32698, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\live-service-wallet-e2e-report.json | npm run flowchain:wallet:live-service:e2e |
+| A small tester group can create wallets, receive funds, and send funds to each other through the running service. | passed | testerCount=4, transfers=4, blocks=32705->32726, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\live-service-tester-network-e2e-report.json | npm run flowchain:wallet:live-tester:e2e |
+| Clients can connect to the private RPC service for health, discovery, readiness, chain, and wallet methods. | passed | localTesterRehearsalReady=True, latestHeight=32963, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\external-tester-readiness-report.json | npm run flowchain:tester:readiness -- -AllowBlocked |
 | System architecture for runtime, RPC, wallets, bridge, backup, operations, verification, and fail-closed owner boundaries is explicit and evidence-backed. | passed | architectureStatus=blocked, blockedOnlyOnKnownExternalOwnerInputs=True, blockedItems=5, failedItems=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\flowchain-architecture-audit-report.json | npm run flowchain:architecture:audit -- -AllowBlocked |
 | Owner-operated public deployment contract is machine-checkable, has rollback commands, and fails closed until public RPC, backup, bridge, and tester sharing gates pass. | passed | deploymentStatus=blocked, deploymentReady=False, packetShareable=False, blockedOnlyKnown=True, blockedItems=5, failedItems=0, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-deployment-contract-report.json | npm run flowchain:public-deployment:contract -- -AllowBlocked |
 | Owner input validator blocks missing env, fails invalid env, passes structurally valid dummy owner inputs from direct env and the local owner env-file loader, and writes failed reports for missing or malformed owner env files without printing values. | passed | validationStatus=passed, missingBlocks=True, invalidFails=True, validPasses=True, ownerEnvFilePasses=True, missingOwnerEnvFileFails=True, malformedOwnerEnvFileFails=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-inputs-validation-report.json | npm run flowchain:owner-inputs:validate |
@@ -26,10 +26,13 @@ Latest observed height: 25272
 | Owner env readiness validator fails closed before child gates for missing owner env files and repo-local env files that are not git-ignored. | passed | validationStatus=passed, missingFails=True, unignoredFails=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-env-readiness-validation-report.json | npm run flowchain:owner-env:readiness:validate |
 | The ignored owner env file can drive owner-input, live-infra, and public deployment gates through one redacted command. | blocked | readinessStatus=blocked, pathGitIgnored=True, ownerInputsReady=False, liveInfraReady=False, publicDeploymentContractReady=False, blockedOnlyKnown=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\owner-env-readiness-report.json | npm run flowchain:owner-env:readiness -- -AllowBlocked |
 | Public RPC exposure has a no-values owner edge template for HTTPS reverse proxying, rate limiting, and CORS-origin forwarding. | passed | edgeTemplateStatus=passed, repoOwned=True, requiresTls=True, requiresRateLimit=True, forwardsOrigin=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-edge-template-report.json | npm run flowchain:public-rpc:edge-template |
+| Public RPC deployment bundle has no-secret Nginx, owner env, verification, and rollback artifacts for exposing FlowChain's own RPC. | passed | bundleStatus=passed, repoOwned=True, nginxTemplate=True, verifyRunbook=True, rollbackRunbook=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-deployment-bundle-report.json | npm run flowchain:public-rpc:deployment-bundle |
 | Public RPC readiness validator proves endpoint checks, CORS allowed-origin acceptance, disallowed-origin rejection, bounded rate-limit rejection, retry-after evidence, and response hygiene against a temporary local control plane. | passed | validationStatus=passed, allowedOriginAccepted=True, disallowedProbe=True, disallowedRejected=True, endpointChecks=True, rateLimitProbe=True, rateLimitRejected=True, rateLimitRetryAfter=True, responseHygiene=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-validation-report.json | npm run flowchain:public-rpc:validate |
+| Backup tooling creates a manifest-backed live-state snapshot, verifies a restore rehearsal without mutating live state, and rejects corrupted snapshots. | passed | validationStatus=passed, backupPassed=True, restorePassed=True, hashRoundTrip=True, corruptionDetected=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\backup-restore-validation-report.json | npm run flowchain:backup:restore:validate |
 | External tester handoff packet is generated and fails closed until sharing gates pass. | passed | packetStatus=blocked, shareable=False, packet=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\EXTERNAL_TESTER_PACKET.md | npm run flowchain:external-tester:packet |
+| Ops snapshot separates critical incidents from expected owner-input blockers and records incident commands. | passed | opsStatus=blocked, criticalCount=0, blockedCount=5, latestHeight=32963, finalizedHeight=32963, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\ops-snapshot-report.json | npm run flowchain:ops:snapshot -- -AllowBlocked |
 | External/public RPC is configured behind owner TLS, CORS, rate limit, endpoint checks, and response hygiene. | blocked | publicRpcStatus=blocked, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\public-rpc-readiness-report.json | npm run flowchain:public-rpc:check |
-| State backup path is configured, writable, and readable for live RPC operations. | blocked | backupStatus=blocked, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\backup-readiness-report.json | npm run flowchain:backup:check |
+| State backup path is configured and can create a manifest-backed snapshot that is verified through a restore rehearsal for live RPC operations. | blocked | backupStatus=blocked, snapshotProof=not-run, restoreProof=not-run, restoreVerified=False, validationStatus=passed, report=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\backup-readiness-report.json | npm run flowchain:backup:create; npm run flowchain:backup:restore:verify; npm run flowchain:backup:check |
 | Bridge readiness for owner-operated Base 8453 funds is verified fail-closed without live broadcasts. | blocked | bridgeLive=blocked, bridgeInfra=blocked, reports=E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\bridge-live-readiness-report.json, E:\FlowMemory\flowmemory-live-infra-rpc\docs\agent-runs\live-product-infra-rpc\bridge-infra-readiness-report.json | npm run flowchain:bridge:live:check; npm run flowchain:bridge:infra:check |
 | Local/mock bridge pilot proof preserves exact value, rejects replay/wrong-chain/unapproved-lockbox cases, and performs no broadcast. | passed | broadcast=False, allAmountsEqual=True, wrongChainRejected=True, unapprovedContractRejected=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\services\bridge-relayer\out\real-value-pilot-e2e\bridge-real-value-pilot-e2e-report.json | npm run flowchain:real-value-pilot:bridge |
 | Owner-supplied Base 8453 transaction diagnostic is read-only, no-secret, and fails closed when tx/env inputs are absent. | passed | diagnosticStatus=blocked, safeReason=missing-env, broadcasts=False, printsEnvValues=False, noSecrets=True, report=E:\FlowMemory\flowmemory-live-infra-rpc\devnet\local\live-l1-bridge-e2e\base-tx-diagnostic.json | npm run flowchain:bridge:diagnose:tx |

docs/agent-runs/live-product-infra-rpc/EXTERNAL_TESTER_PACKET.md

@@ -1,9 +1,9 @@
 # FlowChain External Tester Packet
 
-Generated: 2026-05-16T05:03:07.9302059Z
+Generated: 2026-05-16T08:07:23.0486450Z
 Status: blocked
 Shareable externally: False
-Latest observed height: 30727
+Latest observed height: 32963
 
 Do not share this network externally yet. Local wallet rehearsal is available, but external sharing remains blocked until the listed owner input names and live infrastructure gates pass.
 
@@ -42,7 +42,7 @@ Invoke-RestMethod -Method Get -Uri '<OWNER_PUBLIC_ENDPOINT>/wallets/transfers'
 
 - External tester readiness: blocked
 - Owner inputs: blocked
-- Completion audit: blocked
+- Completion audit: failed
 - Local tester rehearsal ready: True
 - External sharing ready: False
 

docs/agent-runs/live-product-infra-rpc/OPS_SNAPSHOT.md

@@ -1,9 +1,9 @@
 # FlowChain Ops Snapshot
 
-Generated: 2026-05-16T05:36:14.4745825Z
+Generated: 2026-05-16T08:07:24.3953958Z
 Status: blocked
-Latest height: 31145
-Finalized height: 31145
+Latest height: 32963
+Finalized height: 32963
 
 ## Findings
 

docs/agent-runs/live-product-infra-rpc/OWNER_ENV_READINESS.md

@@ -1,6 +1,6 @@
 # FlowChain Owner Env Readiness
 
-Generated: 2026-05-16T00:41:08.4561533Z
+Generated: 2026-05-16T08:05:00.2819287Z
 Status: blocked
 
 This gate points the live checks at the ignored local owner env file and records only env names, statuses, and redacted child output.

docs/agent-runs/live-product-infra-rpc/OWNER_ENV_TEMPLATE.md

@@ -1,6 +1,6 @@
 # FlowChain Owner Env Template
 
-Generated: 2026-05-16T04:56:24.8237627Z
+Generated: 2026-05-16T08:00:10.0145632Z
 Status: passed
 
 This command creates or preserves a local ignored owner env file. It writes only empty assignments and never records owner-provided values.

docs/agent-runs/live-product-infra-rpc/OWNER_INPUTS.md

@@ -1,6 +1,6 @@
 # FlowChain Owner Inputs
 
-Generated: 2026-05-16T05:21:42.9934310Z
+Generated: 2026-05-16T08:07:22.5511019Z
 Status: blocked
 Owner input ready: False
 

docs/agent-runs/live-product-infra-rpc/OWNER_ONBOARDING.md

@@ -1,6 +1,6 @@
 # FlowChain Owner Onboarding
 
-Generated: 2026-05-16T04:56:21.9891941Z
+Generated: 2026-05-16T08:00:07.7672567Z
 Status: passed
 
 FlowChain RPC is implemented by this repository. The owner does not need a third-party FlowChain RPC provider. Public RPC readiness means exposing the private local RPC origin through an owner-operated HTTPS edge with DNS, TLS, CORS, rate limits, and monitoring.

docs/agent-runs/live-product-infra-rpc/OWNER_SIGNUP_CHECKLIST.md

@@ -1,6 +1,6 @@
 # FlowChain Owner Signup Checklist
 
-Generated: 2026-05-16T04:56:23.4939647Z
+Generated: 2026-05-16T08:00:08.9510385Z
 Status: passed
 
 FlowChain RPC is implemented by this repository. Do not sign up for a third-party FlowChain RPC provider. Public RPC means putting an owner-operated HTTPS edge in front of the private origin `127.0.0.1:8787`.