What the contracts enforce
| Area | On-chain guarantee |
|---|---|
| Treasury policy | Spending limits, signer thresholds, recipient rules, and treasury state transitions are validated by covenant logic. |
| Stream schedules | Claim amounts, unlock timing, refill transitions, and terminal states follow the deployed schedule family. |
| Vote locks | Locked voting state and reclaim timing are enforced by the vote lock covenant. |
| Distribution rules | Campaign state, claim limits, and payout conditions are validated by the distribution contract path. |
What off-chain services do
| Component | Role |
|---|---|
| Frontend | Presents product state and helps the user build the right transaction. |
| Backend API | Assembles transaction descriptors, confirms broadcasts, and serves indexed state. |
| Indexer | Reconstructs covenant state into queryable product views. |
| Executor | Optional: triggers permissionless timed actions. Not currently operated by FlowGuard; recipients claim manually via UI. |
Trust boundaries
Frontend and API
The frontend and API can be wrong about display state. They cannot make an invalid contract transition succeed on chain. Self-host or independently verify if you need stronger operational assurance.
Indexer
Indexing improves usability and reporting. It is not the source of truth for covenant validity. If indexed state looks wrong, on-chain state still governs what can happen.
Executor
An executor triggers permissionless functions when their preconditions are met. It has no special contract powers and cannot bypass the covenant. FlowGuard does not operate a shared executor today. Recipients claim manually through the app, or any third party can broadcast a valid permissionless transaction directly.
Metadata
Descriptions, labels, and higher-level UI context are off-chain metadata. They improve readability. They are not authoritative for contract state.
Authentication
Mutating API calls require a wallet-ownership proof. The client signs a one-shot server-issued nonce with the private key for the declared BCH address. The backend verifies the signature against the address’s pubkey hash before any state-changing handler runs. Read endpoints stay open.
Key management
FlowGuard does not remove the need for good key management.
- Protect signer keys and treasury operators carefully.
- Use hardware wallets for high-value operations.
- Choose signer thresholds that fit your recovery and control needs.
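The wallet-ownership proof described under Authentication, sketched as an added example; this is not FlowGuard's backend code. It assumes the client sends its compressed public key with a DER ECDSA signature over the nonce, and that the declared address has already been decoded to its 20-byte pubkey hash (hex). The names `issueNonce`, `verifyProof`, `makeWallet` and the two-minute lifetime are hypothetical.

```javascript
// Added example: a sketch of the nonce flow, not FlowGuard's backend code.
const crypto = require("node:crypto");

const TTL_MS = 120000; // assumed nonce lifetime
// Fixed SPKI header for an uncompressed secp256k1 public key (23 bytes).
const SPKI_PREFIX = Buffer.from("3056301006072a8648ce3d020106052b8104000a034200", "hex");
const issued = new Map(); // nonce -> { pkh, expires }

// RIPEMD160(SHA256(pubkey)): the 20-byte hash a P2PKH address encodes.
function hash160(buf) {
  const sha = crypto.createHash("sha256").update(buf).digest();
  return crypto.createHash("ripemd160").update(sha).digest("hex");
}

// Server: issue a nonce bound to the pubkey hash of the declared address.
function issueNonce(pkh, now = Date.now()) {
  const nonce = crypto.randomBytes(32).toString("hex");
  issued.set(nonce, { pkh, expires: now + TTL_MS });
  return nonce;
}

// Server: gate placed in front of every state-changing handler.
function verifyProof({ nonce, pubKey, sig }, now = Date.now()) {
  const entry = issued.get(nonce);
  issued.delete(nonce); // one-shot: consumed whether or not the proof is valid
  if (!entry || now > entry.expires) return false;
  try {
    if (hash160(pubKey) !== entry.pkh) return false; // key must match the address
    const point = crypto.ECDH.convertKey(pubKey, "secp256k1"); // validates, uncompresses
    const key = crypto.createPublicKey({
      key: Buffer.concat([SPKI_PREFIX, point]), format: "der", type: "spki" });
    return crypto.verify("sha256", Buffer.from(nonce), key, sig);
  } catch {
    return false; // malformed key or signature
  }
}

// Client stand-in with a constructed throwaway key (sample data, not a real wallet).
function makeWallet() {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync("ec", { namedCurve: "secp256k1" });
  const raw = publicKey.export({ type: "spki", format: "der" }).subarray(-65);
  const pubKey = crypto.ECDH.convertKey(raw, "secp256k1", undefined, undefined, "compressed");
  const sign = (nonce) => crypto.sign("sha256", Buffer.from(nonce), privateKey);
  return { pubKey, pkh: hash160(pubKey), sign };
}
```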
Current contract status
FlowGuard is live on BCH Mainnet. The covenants deployed to mainnet were reviewed internally before launch. No third-party audit has been completed. The covenant source is in contracts/core/ and the bytecode is independently reproducible from source via node scripts/verify-mainnet-deployment.ts.
Self-hosted verification
For stronger assurance, run your own:
- Frontend
- Backend API
- Indexer

