Lithosphere Makalu (Testnet) — Phase Completion Tracker

Last updated: 2026-03-06 Context: Assessed against "L1 Developer Infrastructure Engineer Work Scope" PDF Scope: Makalu testnet (EC2 + Docker Compose deployment, NOT K8s)

Summary Scorecard

Phase 0 — Discovery & Architecture (100%)

• Languages/toolchains inventoried (Node/TS, Solidity/Hardhat, pnpm, Turbo)

• Environments defined (.env.local, .env.testnet, .env.mainnet)

• Core stack picked (GitHub Actions, Docker Compose, Prometheus/Grafana)

• Architecture diagrams (14 in docs/diagrams/)

• RACI matrix — Makulu/docs/governance/security-baselines.md section 3

• Security baselines (aspirational) — Makulu/docs/governance/security-baselines.md sections 1-2

• Security baselines (Makalu-enforced) — Makulu/docs/architecture/004-security-baselines-makalu.md

• Promotion gates — Makulu/docs/architecture/003-promotion-gates.md

• Phase 0 sign-off checklist — docs/phase-0/SIGNOFF.md

Phase 1 — Source Control & Repo Strategy (100%)

• Monorepo with pnpm workspaces + Turbo

• contracts-template — real (compiled artifacts, tests)

• service-template — Fastify, health/ready/metrics, OTel tracing, Dockerfile, README (entry: src/server.ts)

• sdk-template — dual ESM/CJS via tsup, retry/backoff, publishConfig, README

• create-litho-app CLI — fully functional

• CODEOWNERS + ESLint + Prettier

• PR template — .github/PULL_REQUEST_TEMPLATE.md

• Automated semantic-release — .releaserc.json + semantic-release job in release.yaml

Phase 2 — CI Foundations (100%)

• ci.yaml with pnpm/node_modules/Turbo caching — parallel jobs (build, lint, test, typecheck, gitleaks)

• Turbo pipeline (build/test/lint with --filter)

• Gitleaks secret scanning in CI

• Contract pipeline — ci-contracts.yaml (compile, test, lint, gas report, slither, ABI export)

• Services pipeline — SBOM in release.yaml; vitest + smoke tests added to api and indexer

• SDK pipeline — ci-sdk.yaml (test on Node 18/20/22 LTS matrix, build, lint, typecheck, size check)

• Parallelization — ci.yaml split into parallel jobs; contract CI has 6 parallel jobs; SDK uses matrix strategy

• Test summaries posted to PR — $GITHUB_STEP_SUMMARY in all CI workflows

• Flaky-test quarantine strategy documented in docs/guides/ci-cache-strategy.md

• Cache strategy doc — docs/guides/ci-cache-strategy.md

• API + Indexer test scripts — vitest with health smoke tests (turbo run test no longer a no-op)

Phase 3 — Artifact & Package Management (100%)

• Docker image build & push (publish-images.yaml — 3 images, semver + sha tags)

• Cosign image signing (in release.yaml + publish-images.yaml)

• SBOM generation SPDX (release.yaml + per-image in publish-images.yaml)

• NPM scope publish — @lithosphere/sdk + create-litho-app with version sync from semantic-release

• Contract versioned artifacts — ABI/bytecode/metadata tarball + SHA256 checksums uploaded to GitHub Releases

• OCI registry — GHCR with semver tags (1.2.3, 1.2), sha-based immutable tags, retention policy

• Immutable artifact conventions + retention policy — docs/guides/consuming-releases.md

• "How to consume releases" guide with cosign verification commands

Phase 4 — GitOps CD & Environment Promotion (100%)

• deploy-simple.yaml — SSH via bastion to EC2, docker compose up (WORKING)

• deploy.yaml — full pipeline with SLSA + image tagging (WORKING)

• Health monitoring — health-monitoring.yaml cron every 5 min

• K8s/ArgoCD — N/A, out of scope for Makalu (production is EC2 + Docker Compose)

• Kustomize overlays — N/A, out of scope for Makalu

• Blue/green deploy — Makulu/scripts/blue-green-deploy.sh (Docker Compose based)

• Automated rollback — rollback jobs in both deploy workflows + rollback snapshots saved pre-deploy

• Formal staging->mainnet approval flow — promote.yaml with GitHub Environment protection rules

• Rollback script — Makulu/scripts/rollback.sh for manual rollback

• Promotion & rollback playbook — docs/guides/promotion-playbook.md

Phase 5 — Developer Local Environment (100%)

• make up one-command stack with health checks

• docker-compose.dev.yml with LithoVM/Anvil (7 services incl. faucet)

• seed-local.ts (27KB) — funds wallets, deploys LEP100, generates transfers

• .env profiles (local, testnet, staging, mainnet)

• VS Code devcontainers (root + Makulu)

• VS Code workspace config — .vscode/settings.json, launch.json (debugger attach), extensions.json

• Onboarding doc (docs/quickstart/dev-setup.md — thorough)

• Makefile targets (up, down, clean, logs, seed, status, restart, dev, test, faucet-fund, help)

• Faucet service — Makulu/faucet/ (Fastify + viem, Redis rate limiting, HTML frontend)

• Faucet in production compose — docker-compose.yaml with Traefik routing

• make dev — one-command full setup (up + seed + endpoints)

Phase 6 — Test Strategy & Ephemeral Environments (~5%) — CRITICAL GAP

• Unit tests — ZERO test files in API, indexer, explorer

• Integration tests — none

• E2E tests — none

• Contract template tests — LithoBase.test.ts + LithoBase.t.sol in template

• PR-based preview environments — not implemented

• Data fixtures / chain state replayers — not implemented

• Test coverage dashboard — not implemented

• Flake tracker / quarantine — not implemented

Phase 7 — Contract Tooling & Safety Rails (~30%)

• Hardhat config in contracts/ and contracts-template/

• Solidity contracts (LEP100, WLITHO, LITHONative) in Makulu/contracts/src/

• Foundry config (foundry.toml in contracts-template)

• Slither config (.slither.config.json) — NOT wired to CI

• Gas reporter configured in hardhat — REPORT_GAS=false, not in CI

• Deployment framework (multi-sig, Ledger, EIP-712) — basic deploy.ts only

• ABI -> SDK auto-publish — not implemented

• solidity-coverage — installed but not in CI

Phase 8 — SDKs & DX Portal (~35%)

• @lithosphere/blockchain-core — 100% STUBS (every module is export {} with TODOs)

• SDK typed ABIs, retry/backoff — not implemented

• Auto-publish on release (npm) — not implemented

• Developer docs portal — Docsify site, 48 markdown files, docs-deploy.yml

• Code samples — docs/developers/examples/ (hardhat, foundry)

• wagmi/ethers frontend samples — not implemented

• OpenAPI/GraphQL schema auto-gen — not implemented

Phase 9 — Observability, Quality & Cost (~70%)

• Prometheus config + lithosphere-alerts.yml

• 7 Grafana dashboards (JSON, provisioned)

• Loki + Promtail configs

• AlertManager config with routing

• Node exporter (deploy script + compose service)

• health-monitoring.yaml (cron every 5 min)

• monitoring-diagnostics.yaml workflow

• SLO dashboard — not implemented

• Cost dashboard — not implemented

• Correlation IDs (commit->build->deploy->trace) — not implemented

Phase 10 — Security, Compliance & Supply Chain (~25%)

• AWS OIDC federation (no long-lived keys in CI)

• Gitleaks secret scanning in CI

• Cosign image signing (release + publish-images)

• SBOM SPDX generation (release workflow)

• Image/dependency scanning (Trivy/Snyk) — not implemented

• License allow/deny policy — not implemented

• Policy as code (OPA/Conftest) — not implemented

• Key rotation playbook — not documented

• Audit trail -> SIEM — not implemented

Phase 11 — Governance & Change Management (~0%)

• Release trains (weekly dev, bi-weekly staging, on-demand hotfix)

• RFC process / template

• CAB approvals for mainnet

• PIR template

• Release calendar

Out of Scope (for Makalu testnet)

Priority Actions (Next Steps)

1. Phase 6 — Write deeper tests for API, indexer, explorer (smoke tests added; need integration/E2E)

2. Phase 8 — Implement blockchain-core SDK or remove stubs

3. Phase 10 — Add Trivy/Snyk to CI for dependency scanning