Signalite’s partner sandbox docs are not an external audit. This page defines the evidence package that should be prepared before broader partner distribution or a public TVL raise.

Scope

The audit package should include:
| Area | Included artifacts |
| --- | --- |
| Contracts | Vault, strategy, NAV source, deployment scripts, role configuration, tests |
| Keeper | State machine, dry-run/live guards, heartbeat, action selection, failure handling |
| API | Readiness gates, quote builders, OpenAPI schema, activity/indexer correctness |
| SDK | Transaction builders, typed clients, React Native compatibility, error handling |
| Operations | Railway services, cron jobs, env-var matrix, monitoring, runbooks |
| Docs | Flow of funds, accounting/proof, user lifecycle, partner integration examples |

Reviewer questions

External reviewers should be able to answer these without asking for private operational context:
  • Can strategy-controlled funds move only through intended paths?
  • Are vault share-price calculations complete across buffer, strategy, Core, HLP, and in-flight states?
  • Can queued redeem accounting be double-counted, skipped, or claimed by the wrong receiver?
  • Can stale API/indexer state cause partners to show unsafe write actions?
  • Can a keeper crash, stale state file, or duplicate keeper create inconsistent routing?
  • Do access-gated docs and product UI avoid claiming unsupported revenue or audit status?

Required evidence

Run and attach results from:
npm run lint
npm run build
API_BASE=https://shlp-web-production.up.railway.app npm run smoke:api
PARTNER_READY_REQUIRED=1 API_BASE=https://shlp-web-production.up.railway.app npm run readiness:partner
pnpm --filter @arc/shlp-sdk test
pnpm --filter @arc/shlp-sdk build
pnpm --filter @arc/shlp-sdk typecheck:react-native
cd packages/contracts && forge test
pnpm --filter @arc/keeper typecheck && pnpm --filter @arc/keeper test
Also attach:
  • Current deployed contract addresses
  • Role table
  • Keeper environment matrix with secrets redacted
  • Live /api/v1/health response
  • Live /api/v1/vault proof response
  • A queued redeem lifecycle trace from requested to claimed
  • Known limitations and unresolved issues

Non-goals

Do not present these as complete before they exist:
  • Formal audit report
  • Public bug bounty
  • SLA-backed API uptime
  • Live partner revenue sharing
  • Permissionless public launch

Output

The final audit handoff should be a versioned folder containing:
audit-package/
  README.md
  addresses.md
  roles.md
  architecture.md
  flow-of-funds.md
  accounting-proof.md
  keeper-runbook.md
  api-openapi.json
  sdk-version.md
  test-results.md
  known-issues.md
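
A preflight check for the handoff folder listed above, as an added example rather than Signalite's own tooling: it confirms every listed file is present and non-empty, and flags secret-looking assignments that still carry a value. The NAME=VALUE layout, the secret name patterns and the redaction markers are assumptions, not something this page specifies.

```sh
#!/bin/sh
# Added example: preflight check for the audit-package/ folder before handoff.
# File names are from the listing above. Assumptions: env-matrix entries are
# NAME=VALUE lines, secret names contain KEY/SECRET/TOKEN/PASSWORD/MNEMONIC,
# and a redacted value is empty, REDACTED, <redacted> or asterisks.

REQUIRED_FILES="README.md addresses.md roles.md architecture.md
flow-of-funds.md accounting-proof.md keeper-runbook.md api-openapi.json
sdk-version.md test-results.md known-issues.md"

# Print each required file that is missing or empty; return 1 if any is.
missing_files() {
  dir=$1
  rc=0
  for f in $REQUIRED_FILES; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $f"
      rc=1
    fi
  done
  return $rc
}

# Print file:line:text for secret-looking assignments that still carry a
# value. Exit status follows grep: 0 when something was found.
unredacted_secrets() {
  grep -rnEi '^[[:space:]]*(export[[:space:]]+)?[A-Z0-9_]*(KEY|SECRET|TOKEN|PASSWORD|MNEMONIC)[A-Z0-9_]*=' "$1" |
    grep -vEi '^[^=]*=[[:space:]]*(<redacted>|redacted|\*+)?[[:space:]]*$'
}

# Return 0 only when the folder is complete and no unredacted secret is found.
check_audit_package() {
  ok=0
  missing_files "$1" || ok=1
  if unredacted_secrets "$1"; then
    echo "unredacted secret-like values found (listed above)"
    ok=1
  fi
  return $ok
}

# Usage: sh check-audit-package.sh audit-package/
if [ $# -gt 0 ]; then
  check_audit_package "$1"
fi
```

The secret scan is a name-based heuristic: it will not catch a secret pasted into prose or a table cell, so it supplements a manual read of the keeper environment matrix rather than replacing it.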