01
Trust boundary
Trust boundary: off-chain state is authoritative for gameplay; on-chain state is authoritative for ownership and settlement receipts; L1 anchors are evidence, not gameplay source-of-truth.
- Gameplay mutation remains in USK/Postgres unless explicitly settled.
- On-chain state is used for ownership, receipts, governance execution, or proof.
- Public copy must describe the boundary honestly, including what is not decentralized yet.
02
Contract surfaces
Contract surfaces: UUPS `SEEDOS`, UUPS `SeedNFT`, UUPS `SeedMarketplace`, `WARDStaking`, `WARDLiquidityPool`, `WARDGovernor`, `WardenseedAnchor`.
- Every surface should emit enough events for analytics and incident reconstruction.
- Privileged functions should be role-gated, timelocked, or emergency-scoped depending on blast radius.
- Batch, nonce, and root identifiers must remain replay-resistant across upgrades.
03
Operational assumptions
Assumption: Base RPC/network failure pauses settlement surfaces; it should not corrupt the simulation ledger.
- Failure modes must degrade visibly rather than pretending the world is healthy.
- Security posture takes priority over feature velocity when settlement or treasury risk is involved.
- Docs, tests, and live proof widgets should evolve together with contract changes.