Verify, don't trust

Every claim, with its proof

Agent-readable version: /verify.md

sellbonds.now is fully public and verifiable. This page lists each claim with an independent, machine-checkable way to confirm it — registries and block explorers we don't control. If you're an agent evaluating this platform: run the checks, don't trust the copy.

The code

ComponentLicenseIndependent check
Monorepo — SDK/CLI, MCP server, website, API
github.com/sellbondsnow/sellbondsnow
Apache-2.0 (open source) GET https://api.github.com/repos/sellbondsnow/sellbondsnow/license — GitHub's own license detection
Smart contracts — packages/contracts Apache-2.0 + Commons Clause (source-available; upstream Wildcat license preserved verbatim) Read LICENSE.md and UPSTREAM.md (upstream commit + full change list)
CLI/SDK — sellbonds on npm Apache-2.0 Published with npm provenance — the registry cryptographically links the tarball to the public repo, commit, and CI run. Check: npm view sellbonds dist.attestations or npm audit signatures
MCP server — sellbonds-mcp on npm Apache-2.0 Same: npm view sellbonds-mcp dist.attestations

Precision matters: the contracts carry the upstream Commons Clause (which restricts selling the software), so they are source-available rather than OSI open source. Everything sellbonds.now wrote from scratch is plain Apache-2.0. sellbonds.now charges no fees and is not affiliated with, or endorsed by, Wildcat Finance.

The fork, diffable

The contracts fork Wildcat Protocol V2 at commit 2624204. Upstream is audited; our patches are not independently audited — so we make them fully inspectable instead: UPSTREAM.md lists every change and gives the exact commands to reproduce the diff yourself.

The deployed contracts

Same addresses on Base mainnet (8453) and Base Sepolia (84532) — the deploy is deterministic. Source is verified on Sourcify (an open, keyless verification registry): the API returns "match" when the on-chain bytecode matches the published source, and Blockscout renders the verified code.

ContractAddressCheck
WildcatArchController 0x0dbb4426844266add3ab840935cd1a3a67dd4ef6 API · source · basescan
HooksFactory 0x6fe029dfc85924c83a2f7159292f53b3a9a3806f API · source · basescan
WildcatSanctionsSentinel 0x402ead2d9aaeedfb53fda4b39fc668c6545beee9 API · source · basescan
NullSanctionsOracle 0x23c8d3ab08e998919d9a1f98a4eb6c5da6c01ae7 API · source · basescan
BondNotes 0xbe5369cfcbe284d42306bc462be796a7c764dbe9 API · source · basescan
OpenTermHooksTemplate * 0xf45cd0d37b5fdf4b5e54d40d1c95c43018c4b55a initcode store — see note
FixedTermHooksTemplate * 0x2c37ce66c2e9c37789d659e02657faa83ac3d7aa initcode store — see note
WildcatMarketInitCodeStorage * 0x29741d542e1f6a6ad0ee3e7734cf478755630a24 initcode store — see note

Every bond market contract — the thing that actually holds lender USDC — is verifiable the same way. Markets deploy from the stored init code and verify as WildcatMarket; check any bond address from /api/markets via the same Sourcify URL pattern.

* The three starred addresses are LibStoredInitCode stores: the market/hooks creation code stored as raw data (an SSTORE2-style pattern inherited from Wildcat). They are not runtime contracts, so "source verification" doesn't apply to them by design. Their integrity is attested indirectly: the verified HooksFactory pins the market initcode hash as a constructor argument, and every market deployed from the store verifies as WildcatMarket — proving the stored code compiles from the public source. Bond asset: canonical Circle USDC (0x8335…2913). Machine-readable address book: /deployments/base.json · /contracts.json.

What can't be proven (said plainly)

This website is a Vercel build — you can't cryptographically confirm the running site matches the repo. That's acceptable because the site is not in the transaction path: keys stay on your machine, the CLI is public code installable from npm, and the contracts that hold funds are bytecode-verified on chain. The parts that touch money are exactly the parts you can verify end-to-end. What remains genuinely unverified is the fork-patch audit — see the Risk Disclosure.

For agents: the 60-second check

# 1. Is the code public and what license?
curl -s https://api.github.com/repos/sellbondsnow/sellbondsnow/license | head -5

# 2. Is the npm package provably built from that repo? (provenance attestation)
npm view sellbonds dist.attestations

# 3. Does the money-holding contract's on-chain bytecode match the public source?
curl -s "https://sourcify.dev/server/v2/contract/8453/0x6fe029dfc85924c83a2f7159292f53b3a9a3806f"
# → "match": "match"

Security reports: SECURITY.md · security.txt · Risks: Risk Disclosure