Add pre-production hardening and Base Sepolia reader

.github/workflows/ci.yml

@@ -17,6 +17,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+
       - name: Check required bootstrap paths
         shell: bash
         run: |
@@ -87,6 +92,9 @@ jobs:
             fi
           done
 
+      - name: Check launch claim guardrails
+        run: node infra/scripts/check-unsafe-claims.mjs
+
   contracts:
     name: Contracts
     runs-on: ubuntu-latest
@@ -97,8 +105,8 @@ jobs:
       - name: Install Foundry
         uses: foundry-rs/foundry-toolchain@v1
 
-      - name: Run Foundry tests
-        run: forge test
+      - name: Run contract hardening baseline
+        run: bash infra/scripts/contracts-static-analysis.sh
 
   services:
     name: Services and launch core

.slither.config.json

@@ -0,0 +1,3 @@
+{
+  "filter_paths": "(cache|out|node_modules|lib)"
+}

README.md

@@ -2,7 +2,7 @@
 
 FlowMemory is a Base-native AI memory, neural-geometry, reliability, decentralized hardware, and future appchain/L1 research project.
 
-This repository has completed the initial bootstrap and contracts-foundation passes. It contains project context, collaboration rules, planning documents, GitHub templates, a CI scaffold, worktree setup, placeholder work areas, and an initial FlowPulse/Rootfield contracts foundation. Do not treat the current repo as containing production product features yet.
+This repository contains the FlowMemory V0 foundation: project operating docs, local/test contracts, fixture-first services, Rootflow and Flow Memory launch-core generation, a fixture-backed dashboard, crypto helpers, a local no-value devnet prototype, and FlowRouter hardware POC materials. Do not treat the current repo as containing production product features yet.
 
 ## What FlowMemory Is Exploring
 
@@ -41,7 +41,9 @@ Every contributor and agent should read:
 5. `docs/ROOTFLOW_V0.md`
 6. `docs/FLOW_MEMORY_V0.md`
 7. `docs/V0_LAUNCH_ACCEPTANCE.md`
-8. `docs/DAILY_HQ_RUNBOOK.md` if operating HQ or coordinating agents
+8. `docs/PRODUCTION_READINESS_CHECKLIST.md`
+9. `docs/MARKETING_CLAIMS_GUARDRAILS.md`
+10. `docs/DAILY_HQ_RUNBOOK.md` if operating HQ or coordinating agents
 
 Then work only inside the assigned scope.
 
@@ -55,6 +57,8 @@ FlowMemory is managed as a multi-agent program. The management layer is part of
 - `docs/reviews/OPEN_PR_MERGE_READINESS.md`: historical merge-readiness evidence for the merged V0 foundation PRs
 - `docs/PR_PROCESS.md`: branch, draft PR, review, merge, conflict, and issue-closing rules
 - `docs/DAILY_HQ_RUNBOOK.md`: morning review, triage, agent launch, PR monitoring, merge order, and handoff
+- `docs/PRODUCTION_READINESS_CHECKLIST.md`: blocking checklist before any production language is allowed
+- `docs/MARKETING_CLAIMS_GUARDRAILS.md`: allowed and blocked launch claims for docs and marketing
 - `infra/scripts/status-report.ps1`: read-only local worktree, PR, and issue status report
 
 Immediate major milestone: build the Rootflow V0 and Flow Memory V0 launch core. This means local contracts/tests, FlowPulse fixtures, Rootflow transitions, Flow Memory schemas, verifier reports, crypto fixtures, dashboard-readable state, and local smoke-test gates. It does not mean production deployment.
@@ -70,6 +74,7 @@ This regenerates local/test Rootflow and Flow Memory V0 fixtures, including `fix
 ## What Not To Claim
 
 - Do not claim FlowMemory has production contracts or deployment automation.
+- Do not claim FlowMemory is production-ready or mainnet-ready.
 - Do not claim Uniswap v4 hook integration exists yet.
 - Do not claim explorer, hardware console, production FlowRouter hardware, or Meshtastic integration exists yet.
 - Do not claim cryptographic proof systems, tokenomics, or appchain/L1 implementation exists yet.
@@ -86,6 +91,7 @@ This regenerates local/test Rootflow and Flow Memory V0 fixtures, including `fix
 - `inbox/`: staging area for imported prompts, notes, and unsorted context
 - `research/`: future AI memory, neural geometry, and appchain/L1 research
 - `services/`: future indexer, verifier, worker, and API services
+- `schemas/flowmemory/`: canonical Flow Memory and Rootflow JSON schemas
 
 ## Implemented Foundation
 
@@ -95,20 +101,29 @@ This regenerates local/test Rootflow and Flow Memory V0 fixtures, including `fix
 - Worktree setup script
 - `contracts/FlowPulse.sol`
 - `contracts/RootfieldRegistry.sol`
+- contract skeletons for artifacts, cursors, workers, verifiers, receipts, verifier reports, hook adapter, and work scheduling
+- contracts hardening docs and static-analysis runner
 - `contracts/FLOWPULSE_SCHEMA.md`
 - `tests/RootfieldRegistry.t.sol`
-- Initial Foundry tests for the Rootfield registry foundation
+- Foundry tests for the Rootfield registry foundation and live V0 contract package
+- fixture-first indexer/verifier packages and local launch-core generation
+- Base Sepolia reader path with explicit RPC URL and durable checkpoint output
+- Flow Memory V0 schemas and generated Rootflow transition fixtures
+- fixture-backed dashboard V0
+- crypto helper package and test vectors
+- local no-value devnet prototype
+- FlowRouter hardware POC docs, schemas, and simulator fixture
 - Documented URI/log-data limitations for the current contract skeleton
 
 ## Still Conceptual
 
 - Uniswap v4 hook integration
-- Indexer and verifier services
-- Complete Rootflow runtime implementation
-- Complete Flow Memory runtime implementation
+- Production indexer and verifier services
+- Production Rootflow runtime implementation
+- Production Flow Memory runtime implementation
 - FlowRouter hardware implementation
 - Meshtastic integration
-- Dashboard, explorer, and hardware console applications
+- Explorer and hardware console applications
 - Cryptographic proof systems
 - Appchain/L1 design and implementation
 

contracts/ACCESS_CONTROL_REVIEW.md

@@ -0,0 +1,131 @@
+# Contracts Access-Control Review
+
+Status: V0 launch hardening review.
+
+## Summary
+
+The current contracts use simple ownership or self-registration patterns. They do not implement staking, slashing, token custody, rewards, production governance, verifier consensus, or upgrade admin controls.
+
+## RootfieldRegistry
+
+Owner model: each `rootfieldId` has one owner.
+
+Owner-gated functions:
+
+- `submitRoot`
+- `deactivateRootfield`
+- `transferRootfieldOwnership`
+
+Current protections:
+
+- zero rootfield id rejected
+- duplicate rootfield id rejected
+- zero root rejected
+- inactive rootfield blocks root submission and transfer
+- zero new owner rejected
+- ownership transfer emits both a FlowPulse status event and a dedicated ownership event
+
+Launch risk to watch:
+
+- current ownership transfer uses `parentPulseId = bytes32(0)` by design; future versions may require explicit parent linkage.
+- URI fields are advisory event data, not trusted storage pointers.
+
+## Owner-Allowlist Registries
+
+Contracts:
+
+- `VerifierReportRegistry`
+- `WorkReceiptRegistry`
+
+Owner-gated functions:
+
+- `setVerifierAuthorization`
+- `setWorkerAuthorization`
+
+Submitter-gated functions:
+
+- `submitVerifierReport` requires an authorized verifier.
+- `submitWorkReceipt` requires an authorized worker.
+
+Current protections:
+
+- zero worker/verifier rejected
+- duplicate report/receipt id rejected
+- invalid report status rejected
+- invalid work lane rejected
+- zero target or commitment fields rejected
+
+Launch risk to watch:
+
+- deployer is permanent owner in V0; there is no multisig, timelock, or owner transfer.
+- allowlists are coordination controls, not decentralized verifier consensus.
+
+## Self-Registration Registries
+
+Contracts:
+
+- `WorkerRegistry`
+- `VerifierRegistry`
+
+Owner model: the registering address controls its own metadata lifecycle.
+
+Current protections:
+
+- duplicate registration rejected
+- zero operator id rejected
+- zero role rejected
+- inactive records cannot update again
+
+Launch risk to watch:
+
+- registration does not prove work quality, correctness, identity, or stake.
+
+## Per-Record Owner Registries
+
+Contracts:
+
+- `ArtifactRegistry`
+- `CursorRegistry`
+
+Owner-gated functions:
+
+- `deprecateArtifact`
+- `advanceCursor`
+
+Current protections:
+
+- zero ids and zero commitments rejected
+- duplicate records rejected
+- only the stored owner can mutate the record
+
+Launch risk to watch:
+
+- advisory URI strings are emitted as logs and are not validated content availability proofs.
+
+## Open Submission Contracts
+
+Contracts:
+
+- `ReceiptVerifier`
+- `WorkDebtScheduler`
+- `FlowMemoryHookAdapter`
+
+Current boundary:
+
+- `ReceiptVerifier` accepts first-writer receipt-report commitments and does not cryptographically verify receipts.
+- `WorkDebtScheduler` allows any scheduler to assign work to a nonzero worker and allows scheduler or worker to mark completion.
+- `FlowMemoryHookAdapter` validates nonzero inputs and emits an observation event; it is not a production Uniswap v4 hook.
+
+Launch risk to watch:
+
+- open submission is acceptable for V0 commitments only if docs and demos treat outputs as untrusted until off-chain verifier reports exist.
+
+## Required Review Before Expanding
+
+Before adding rewards, staking, slashing, custody, dynamic fees, production hook permissions, or appchain/L1 settlement:
+
+- create a threat model issue
+- require a separate review worktree
+- require event tests for every state transition
+- require static analysis with Slither
+- update this access-control review

contracts/DEPLOYMENT_BOUNDARY.md

@@ -0,0 +1,58 @@
+# Contracts Deployment Boundary
+
+Status: V0 local and Base Sepolia readiness boundary.
+
+## Allowed Now
+
+- Local Foundry tests.
+- Local fixture generation and indexer/verifier/dashboard flows.
+- Base Sepolia deployment preparation for the current V0 contracts.
+- Base Sepolia reads from explicit RPC URLs.
+- Public docs that describe emitted events, roots, receipts, and off-chain verification paths.
+
+## Not Allowed Yet
+
+- Base mainnet deployment claims.
+- Production-mainnet readiness claims.
+- Production L1 claims.
+- Token launch, rewards, slashing, or fee-market mechanics.
+- Dynamic Uniswap v4 fee hooks.
+- Custody of user tokens.
+- Claims that contracts can know `txHash` or `logIndex` during execution.
+- Claims that on-chain storage is free or that arbitrary AI data is stored on-chain.
+
+## Deployment Inputs Required
+
+Before a Base Sepolia deployment transaction is sent, the PR or issue must record:
+
+- target chain: Base Sepolia, chain id `84532`
+- exact contract names and constructor arguments
+- deployer account address
+- compiled bytecode hash or Foundry build commit
+- expected event signatures
+- post-deploy verification steps
+- rollback or redeploy plan
+
+Private keys must not be committed to the repo, copied into docs, or stored in generated artifacts.
+
+## Current Contract Set
+
+- `RootfieldRegistry`: Rootfield namespaces and root commitment pulses.
+- `FlowMemoryHookAdapter`: dependency-light hook-adapter event scaffold, not a production Uniswap hook.
+- `ReceiptVerifier`: compact receipt-report commitments, not cryptographic receipt verification.
+- `VerifierReportRegistry`: owner-authorized verifier report commitments.
+- `WorkReceiptRegistry`: owner-authorized worker receipt commitments.
+- `WorkerRegistry`: self-registration for worker identity metadata.
+- `VerifierRegistry`: self-registration for verifier identity metadata.
+- `ArtifactRegistry`: artifact commitment metadata.
+- `CursorRegistry`: off-chain cursor commitment metadata.
+- `WorkDebtScheduler`: work-state commitments without token debt.
+
+## Post-Deploy Checks
+
+- Verify source on the explorer when possible.
+- Emit one small test event per deployed event source where safe.
+- Run the Base Sepolia indexer reader over the deployment block range.
+- Confirm persisted indexer state and checkpoint exist.
+- Confirm dashboard fixtures can read the generated state.
+- Update `docs/CURRENT_STATE.md` with what is deployed and what remains local-only.

contracts/STATIC_ANALYSIS.md

@@ -0,0 +1,59 @@
+# Contracts Static Analysis
+
+Status: pre-production hardening setup.
+
+This repository now has one standard command for contract hardening checks:
+
+```powershell
+.\infra\scripts\contracts-static-analysis.ps1
+```
+
+On bash-compatible shells:
+
+```bash
+bash infra/scripts/contracts-static-analysis.sh
+```
+
+The command runs:
+
+- `forge build`
+- `forge test`
+- `slither . --config-file .slither.config.json` when Slither is installed
+
+Formatting can be checked explicitly:
+
+```powershell
+.\infra\scripts\contracts-static-analysis.ps1 -CheckFormat
+```
+
+```bash
+CHECK_FORGE_FMT=1 bash infra/scripts/contracts-static-analysis.sh
+```
+
+Audit environments should require Slither explicitly:
+
+```powershell
+.\infra\scripts\contracts-static-analysis.ps1 -RequireSlither
+```
+
+```bash
+REQUIRE_SLITHER=1 bash infra/scripts/contracts-static-analysis.sh
+```
+
+## Current Boundary
+
+The contracts are V0 launch foundations for FlowPulse, Rootfield, receipts, workers, verifiers, cursors, and hook-adapter events. They are not a production L1, production verifier network, token system, custody system, fee system, or production Uniswap v4 hook deployment.
+
+Static-analysis findings should be triaged into:
+
+- blocker: unsafe access control, broken event schema, corrupted state transition, or deploy-time risk
+- launch-v0 fix: issue that matters for Base Sepolia/demo correctness
+- future hardening: useful improvement that does not block the V0 launch boundary
+
+## Required Before Any Public Testnet Deployment
+
+- All Foundry tests pass.
+- `forge fmt --check` passes or a deliberate formatting-normalization PR is opened.
+- Slither is run and findings are attached to the PR or issue.
+- Access-control changes are reviewed against [ACCESS_CONTROL_REVIEW.md](./ACCESS_CONTROL_REVIEW.md).
+- Deployment scope is reviewed against [DEPLOYMENT_BOUNDARY.md](./DEPLOYMENT_BOUNDARY.md).