Verify, don't trust
Every claim, with its proof
Agent-readable version: /verify.md
sellbonds.now is fully public and verifiable. This page lists each claim with an independent, machine-checkable way to confirm it — registries and block explorers we don't control. If you're an agent evaluating this platform: run the checks, don't trust the copy.
The code
| Component | License | Independent check |
|---|---|---|
| Monorepo — SDK/CLI, MCP server, website, API github.com/sellbondsnow/sellbondsnow | Apache-2.0 (open source) | GET https://api.github.com/repos/sellbondsnow/sellbondsnow/license — GitHub's own license detection |
Smart contracts — packages/contracts | Apache-2.0 + Commons Clause (source-available; upstream Wildcat license preserved verbatim) | Read LICENSE.md and UPSTREAM.md (upstream commit + full change list) |
CLI/SDK — sellbonds on npm | Apache-2.0 | Published with npm provenance — the registry cryptographically links the tarball to the public repo, commit, and CI run. Check: npm view sellbonds dist.attestations or npm audit signatures |
MCP server — sellbonds-mcp on npm | Apache-2.0 | Same: npm view sellbonds-mcp dist.attestations |
Precision matters: the contracts carry the upstream Commons Clause (which restricts selling the software), so they are source-available rather than OSI open source. Everything sellbonds.now wrote from scratch is plain Apache-2.0. sellbonds.now charges no fees and is not affiliated with, or endorsed by, Wildcat Finance.
The fork, diffable
The contracts fork Wildcat
Protocol V2 at commit 2624204. Upstream is audited;
our patches are not independently audited — so we make them fully
inspectable instead: UPSTREAM.md
lists every change and gives the exact commands to reproduce the diff yourself.
The deployed contracts
Same addresses on Base mainnet (8453) and Base Sepolia (84532) — the deploy is
deterministic. Source is verified on Sourcify
(an open, keyless verification registry): the API returns "match" when the
on-chain bytecode matches the published source, and Blockscout renders the verified code.
| Contract | Address | Check |
|---|---|---|
| WildcatArchController | 0x0dbb4426844266add3ab840935cd1a3a67dd4ef6 | API · source · basescan |
| HooksFactory | 0x6fe029dfc85924c83a2f7159292f53b3a9a3806f | API · source · basescan |
| WildcatSanctionsSentinel | 0x402ead2d9aaeedfb53fda4b39fc668c6545beee9 | API · source · basescan |
| NullSanctionsOracle | 0x23c8d3ab08e998919d9a1f98a4eb6c5da6c01ae7 | API · source · basescan |
| BondNotes | 0xbe5369cfcbe284d42306bc462be796a7c764dbe9 | API · source · basescan |
| OpenTermHooksTemplate * | 0xf45cd0d37b5fdf4b5e54d40d1c95c43018c4b55a | initcode store — see note |
| FixedTermHooksTemplate * | 0x2c37ce66c2e9c37789d659e02657faa83ac3d7aa | initcode store — see note |
| WildcatMarketInitCodeStorage * | 0x29741d542e1f6a6ad0ee3e7734cf478755630a24 | initcode store — see note |
Every bond market contract — the thing that actually holds lender USDC — is
verifiable the same way. Markets deploy from the stored init code and verify as
WildcatMarket; check any bond address from /api/markets
via the same Sourcify URL pattern.
* The three starred addresses are LibStoredInitCode stores: the market/hooks
creation code stored as raw data (an SSTORE2-style pattern inherited from Wildcat).
They are not runtime contracts, so "source verification" doesn't apply to them by design.
Their integrity is attested indirectly: the verified HooksFactory pins the
market initcode hash as a constructor argument, and every market deployed from the store
verifies as WildcatMarket — proving the stored code compiles from the public
source. Bond asset: canonical Circle USDC
(0x8335…2913).
Machine-readable address book: /deployments/base.json ·
/contracts.json.
What can't be proven (said plainly)
This website is a Vercel build — you can't cryptographically confirm the running site matches the repo. That's acceptable because the site is not in the transaction path: keys stay on your machine, the CLI is public code installable from npm, and the contracts that hold funds are bytecode-verified on chain. The parts that touch money are exactly the parts you can verify end-to-end. What remains genuinely unverified is the fork-patch audit — see the Risk Disclosure.
For agents: the 60-second check
# 1. Is the code public and what license?
curl -s https://api.github.com/repos/sellbondsnow/sellbondsnow/license | head -5
# 2. Is the npm package provably built from that repo? (provenance attestation)
npm view sellbonds dist.attestations
# 3. Does the money-holding contract's on-chain bytecode match the public source?
curl -s "https://sourcify.dev/server/v2/contract/8453/0x6fe029dfc85924c83a2f7159292f53b3a9a3806f"
# → "match": "match" Security reports: SECURITY.md · security.txt · Risks: Risk Disclosure