docs(deploy): mainnet deploy runbook + audit-frozen tag checklist

Two operational documents covering the path from audit submission to
production deploy:

docs/MAINNET_DEPLOY.md — runbook for the foundation deploy and the binary
swap to lazorkit-protocol at contract end. Both binaries occupy the same
mainnet slot (LazorjRF…) at different times. Covers initial deploy,
routine upgrades, binary swap, rollback, pre-existing wallet account
behavior across the swap, and final upgrade-authority lock-down.

docs/AUDIT_PREP.md — pre-tag checklist run before submitting a revision
to Accretion. Covers code state hygiene, dual-feature build verification,
test suite, fee-surface invariant (check-no-fee), documentation
alignment, diff bounding, and the audit-packet contents to deliver. Also
defines the audit-frozen-vN tag naming convention and the post-audit
fix-up flow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: onspeedhp

docs/AUDIT_PREP.md

@@ -0,0 +1,127 @@
+# Audit-Frozen Tag Checklist
+
+Before submitting a `program-v2` revision to Accretion (or any auditor) for
+review, walk this checklist and tag the resulting state. The tag becomes the
+exact source the audit report references — a deployment that doesn't match
+the tag falls outside the audit's scope.
+
+## Naming convention
+
+Tags use the format `audit-frozen-vN` where `N` increments per audit cycle.
+Example: the first delta audit after the initial Accretion review is
+`audit-frozen-v2`. The audit report should cite the tag in its scope section.
+
+## Pre-tag checklist
+
+### 1. Code state
+
+- [ ] Working tree clean (`git status` empty).
+- [ ] `git log --oneline main..HEAD` only contains commits intended for this
+      audit. No experimental work, no half-finished refactors.
+- [ ] No `TODO`, `FIXME`, `XXX`, or `unimplemented!` markers in `program/src/`
+      or `assertions/src/`. Anything genuinely unfinished should be reverted
+      from the audit branch.
+- [ ] No `dbg!`, `println!`, `eprintln!`, or commented-out code in
+      `program/src/` or `assertions/src/`.
+
+```bash
+git grep -nE "TODO|FIXME|XXX|unimplemented!|dbg!|println!|eprintln!" -- program/src assertions/src
+```
+
+### 2. Build verification
+
+- [ ] `cargo build-sbf --features mainnet` succeeds. Record the SHA-256 of
+      `target/deploy/lazorkit_program.so`.
+- [ ] `cargo build-sbf --features devnet` succeeds. Record the SHA-256.
+- [ ] The two hashes differ (verifies the dual-cluster mechanism is intact).
+- [ ] `cargo build-sbf` (no features) fails with the expected
+      `compile_error!` message containing "pick exactly one cluster".
+- [ ] The CI `sbf-cluster-check` job is green for the tagged commit.
+
+### 3. Test suite
+
+- [ ] `cargo test --features devnet` — all unit + litesvm integration tests
+      pass.
+- [ ] `cd tests-sdk && npm test` (with the validator running and the
+      devnet-built `.so` loaded) — all integration tests pass.
+- [ ] No tests are skipped, ignored (`#[ignore]`), or commented out without
+      a tracking issue.
+
+```bash
+git grep -nE "#\[ignore\]|it\.skip|xit\(|describe\.skip" -- program tests-sdk
+```
+
+### 4. Fee surface invariant (foundation build)
+
+- [ ] `bash scripts/check-no-fee.sh` exits 0. The CI `check-no-fee` job is
+      green for the tagged commit.
+- [ ] Diff against the previous audit-frozen tag has no new files matching
+      paths in `scripts/fee-paths.txt`.
+
+```bash
+git diff audit-frozen-v$(N-1)..HEAD -- 'program/src/state/protocol_config.rs' \
+  'program/src/state/treasury_shard.rs' \
+  'program/src/state/integrator_record.rs' \
+  'program/src/processor/protocol/'
+# Should print nothing.
+```
+
+### 5. Documentation alignment
+
+- [ ] `CHANGELOG.md` has an entry under `[Unreleased]` describing every
+      observable behavior change since the last tag.
+- [ ] `docs/Architecture.md` reflects new state accounts / instructions.
+- [ ] `docs/Costs.md` benchmarks have been re-measured if any instruction
+      changed CU usage.
+- [ ] `SECURITY.md` references the auditor that's about to look at this
+      revision (or notes the audit is in progress).
+- [ ] `program/src/lib.rs` `security_txt!` block — `auditors:` field still
+      reflects the most recent finalised audit until this one ships.
+
+### 6. Diff bounded
+
+- [ ] Touched files are listed in the `Unreleased` CHANGELOG.
+- [ ] Each touched file has a clear reason in the commit message that
+      introduced the change.
+
+```bash
+git diff --name-only audit-frozen-v$(N-1)..HEAD | sort
+```
+
+### 7. Audit packet contents
+
+When you push the tag, also produce the audit packet:
+
+- [ ] PDF / Markdown summary of the changes since the last tag (1–2 pages).
+- [ ] List of touched files with line counts.
+- [ ] CHANGELOG diff.
+- [ ] SHA-256 hashes of the `mainnet` and `devnet` SBF binaries.
+- [ ] Output of `solana-verify get-program-hash` against the binaries (so
+      the auditor can verify they correspond to the source).
+- [ ] The two binaries themselves, if the auditor wants byte-level review.
+- [ ] Note any out-of-scope changes (typos, README edits, dependency bumps
+      that don't affect program logic).
+
+## Tagging
+
+When every box is checked:
+
+```bash
+git tag -a audit-frozen-vN -m "audit-frozen state submitted for Accretion review N"
+git push origin audit-frozen-vN
+```
+
+The push to origin triggers `.github/workflows/release.yml`, which builds
+both feature variants, attaches the binaries + their hashes to a GitHub
+Release, and emits the `solana-verify` build attestation for reproducibility.
+
+## Post-audit
+
+When the audit comes back with findings:
+
+1. Branch off the tagged state: `git checkout -b fix/audit-vN audit-frozen-vN`.
+2. Land each fix as its own commit with a `Fixes: <auditor-finding-id>` line.
+3. After all findings are addressed, repeat this checklist and tag
+   `audit-frozen-vN.1` (or `vN+1` if the changes are substantial).
+4. Update `program/src/lib.rs` `security_txt!` `auditors:` field to reference
+   the finalised audit report URL once the auditor publishes.

docs/MAINNET_DEPLOY.md

@@ -0,0 +1,219 @@
+# Mainnet Deployment Runbook (Foundation Build)
+
+This runbook covers deploying `program-v2` (the no-fee foundation build) to the
+LazorKit mainnet program slot, and the binary swap back to `lazorkit-protocol`
+(the commercial build) at the end of the foundation contract.
+
+The same on-chain slot — `LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi` — hosts
+both binaries at different times. dApp integrators keep using one stable
+program ID through the transition; only the on-chain behavior changes when
+the binary is swapped.
+
+## Why this scheme
+
+- **Foundation contract** requires a no-profit deploy (no admin, no protocol
+  fees). `program-v2` ships exactly that.
+- **Brand continuity** — the mainnet program ID was published before the
+  foundation contract. Switching IDs would force every integrating dApp to
+  redeploy and migrate their on-chain references.
+- **Reversibility** — Solana program upgrades replace the binary at a slot.
+  The same upgrade authority can swap from `program-v2` → `lazorkit-protocol`
+  in one transaction once the foundation contract ends.
+
+## Prerequisites
+
+- Solana CLI 3.0.4 (pinned in `Cargo.toml [workspace.metadata.cli]`).
+- The mainnet program **upgrade authority** — a multisig keypair held jointly
+  by the foundation and the lazorkit team. (If a single key holds the
+  authority, transition to multisig before deploy — losing it locks the slot.)
+- The mainnet program **address keypair** for `LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi`
+  (only needed for the *initial* deploy; subsequent upgrades use the upgrade
+  authority).
+- A funded mainnet wallet for rent + transaction fees (~5 SOL leaves room).
+- Audit sign-off on the exact source revision being deployed (see
+  `docs/AUDIT_PREP.md` for the pre-tag checklist).
+
+## Initial deploy (program-v2 → mainnet slot)
+
+1. Verify the source matches the audit-frozen tag:
+
+   ```bash
+   git fetch --tags
+   git checkout audit-frozen-vN     # whatever tag was audited
+   git status      # must be clean
+   ```
+
+2. Confirm the workspace is on the right toolchain:
+
+   ```bash
+   cat Cargo.toml | grep -A1 'metadata.cli'   # → solana = "3.0.4"
+   solana --version                            # → must be 3.0.4
+   rustup show active-toolchain                # matches rust-toolchain.toml
+   ```
+
+3. Build the mainnet binary:
+
+   ```bash
+   cd program
+   cargo build-sbf --features mainnet
+   cd ..
+   ```
+
+4. Verify the embedded program ID:
+
+   ```bash
+   solana-keygen pubkey target/deploy/lazorkit_program-keypair.json
+   # → must print LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi
+   ```
+
+   If the printed pubkey is anything else, the build picked up the wrong
+   keypair. Replace `target/deploy/lazorkit_program-keypair.json` with the
+   keypair file for `LazorjRF…` before deploying. **Do not deploy with a
+   mismatched ID** — the binary's compile-time `crate::ID` reads from
+   `assertions/src/lib.rs` (the `LazorjRF…` constant under the `mainnet`
+   feature) and will fail every PDA derivation if loaded into a different
+   slot.
+
+5. Record the binary hash for the release artifact:
+
+   ```bash
+   shasum -a 256 target/deploy/lazorkit_program.so
+   # Compare against the hash published in the GitHub Release for this tag.
+   ```
+
+6. Deploy:
+
+   ```bash
+   solana program deploy target/deploy/lazorkit_program.so -u m \
+     --program-id <path/to/LazorjRF-keypair.json> \
+     --upgrade-authority <path/to/upgrade-authority.json>
+   ```
+
+7. Verify the deployed program:
+
+   ```bash
+   solana program show LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi -u m
+   # Look for: ProgramData Address, Authority, Last Deployed In Slot, Data Len
+   ```
+
+   The `Authority` line must match the multisig pubkey that should retain
+   upgrade control.
+
+8. Smoke-test on-chain:
+
+   - Create a wallet via the SDK pointing at the foundation flavor.
+   - Verify no fee transfer occurs (compare lamport balances pre/post).
+   - Run `solana account <walletPda>` and confirm the discriminator is `1`.
+
+## Subsequent upgrades (program-v2 patch deploy)
+
+For a routine upgrade of the foundation build (e.g., a security fix):
+
+```bash
+git checkout <new-audit-frozen-tag>
+cd program && cargo build-sbf --features mainnet && cd ..
+solana program deploy target/deploy/lazorkit_program.so -u m \
+  --program-id LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi \
+  --upgrade-authority <path/to/upgrade-authority.json>
+```
+
+Document each upgrade in `CHANGELOG.md` and update the on-chain `security.txt`
+metadata via the next build (the macro embeds `GITHUB_SHA` automatically when
+built in CI).
+
+## Binary swap at contract end (program-v2 → lazorkit-protocol)
+
+When the foundation contract ends and the slot needs to host the commercial
+build again:
+
+1. In the **`lazorkit-protocol`** repo, check out the audit-frozen tag for
+   the commercial build:
+
+   ```bash
+   cd ../lazorkit-protocol
+   git checkout audit-frozen-commercial-vN
+   ```
+
+2. Build the commercial mainnet binary:
+
+   ```bash
+   cd program && cargo build-sbf --features mainnet && cd ..
+   ```
+
+3. Verify it embeds the same program ID (`LazorjRF…`):
+
+   ```bash
+   solana-keygen pubkey target/deploy/lazorkit_program-keypair.json
+   ```
+
+4. Deploy the upgrade. **No `--program-id` flag** — the slot already exists,
+   we're upgrading it:
+
+   ```bash
+   solana program deploy target/deploy/lazorkit_program.so -u m \
+     --program-id LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi \
+     --upgrade-authority <path/to/upgrade-authority.json>
+   ```
+
+5. Initialise the protocol config (commercial-only instruction; no equivalent
+   exists in the foundation build, so this is a fresh state):
+
+   ```bash
+   # Use the lazorkit-protocol SDK to send InitializeProtocol + InitializeTreasuryShard.
+   # This step is only needed the first time the commercial build is on this
+   # slot; subsequent upgrades preserve the existing ProtocolConfig PDA.
+   ```
+
+6. Smoke-test:
+
+   - Create a wallet — the fee transfer to the treasury shard should succeed.
+   - Verify the SDK consumer receives `protocolConfigPda` etc. without error.
+
+## Pre-existing wallet accounts across the swap
+
+Wallet, Vault, Authority, Session, and DeferredExec PDAs created under the
+foundation build remain valid and accessible under the commercial build —
+they all derive from the same program ID and the same seed schema, and the
+account-discriminator layout is identical between the two builds.
+
+What changes:
+
+- Fee accounts (`ProtocolConfig`, `FeeRecord`, `TreasuryShard`) start
+  appearing once the commercial binary is live. Existing wallets continue to
+  work; the fee is charged on subsequent `CreateWallet` / `Execute` /
+  `ExecuteDeferred` calls if the SDK appends fee accounts.
+- Sessions created with action permissions under the foundation build remain
+  enforced under the commercial build — action handling is identical.
+- The on-chain `security.txt` updates to advertise `lazorkit-protocol` as the
+  source repo. Integrators querying it should re-fetch.
+
+## Rollback
+
+If a deployed upgrade misbehaves:
+
+```bash
+solana program deploy target/deploy/<previous-good-binary>.so -u m \
+  --program-id LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi \
+  --upgrade-authority <path/to/upgrade-authority.json>
+```
+
+Solana program slots are upgrade-replaceable (so long as the upgrade
+authority hasn't been frozen). Keep the previous mainnet binary archived
+locally + in the GitHub Release for at least one audit cycle so a rollback
+is one command, not a rebuild.
+
+## Locking the upgrade authority
+
+After the post-contract swap to `lazorkit-protocol` is stable and you no
+longer want any further upgrades:
+
+```bash
+solana program set-upgrade-authority \
+  LazorjRFNavitUaBu5m3WaNPjU1maipvSW2rZfAFAKi \
+  --upgrade-authority <path/to/current-upgrade-authority.json> \
+  --final
+```
+
+This is **irreversible**. Only do this after a long stability window and
+explicit foundation/team agreement — once finalised, the binary cannot be
+patched, security advisories included.