AgroNet Labs LLC

External Audit Checklist

A practical, auditor-facing checklist for institutional readiness. This is not a pitch deck. It is an evidence map: what exists, where it lives, and how it is verified.

Controls Evidence Version: v1.0

How to Use This

  • Keep this page public-safe; store sensitive evidence in a private data room.
  • Every checkbox should link to an artifact: commit hash, document, log, or ticket.
  • Auditors trust consistency: one source of truth, versioned, reproducible.

1) Entity & Legal Readiness

Corporate
Entity docs: formation, operating agreement, ownership summary (NDA-only).
IP assignment: code and marks assigned to AgroNet Labs LLC.
Privacy policy + terms (public).
Compliance posture
Risk statement: what is and is not offered (no misleading claims).
Data retention rules + access policy.

2) Treasury, Limits & Controls

Liquidity constraints
Global caps configured: SAFE_PULL_LIMIT, MAX_PULL_RATIO.
Per-channel rules in DB: ledger_rules (min/max/daily).
Approval matrix exists and is enforced (see Governance page).
Audit trail
Every action produces validation_status + validation_reason.
Tamper-evident references: audit_hash over each validated record, on-chain tx hashes, receipts.
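Added example, not AgroNet Labs' own code: a pre-broadcast validator that enforces the global caps (SAFE_PULL_LIMIT, MAX_PULL_RATIO) and per-channel ledger_rules (min/max/daily), and emits the validation_status, validation_reason and audit_hash an auditor would sample. The cap semantics (SAFE_PULL_LIMIT as an absolute per-pull ceiling, MAX_PULL_RATIO as a fraction of the channel balance), the ledger_rules rows and the sample pulls are all constructed assumptions for illustration.

```python
"""Added example (not AgroNet Labs code): cap + ledger_rules enforcement
that produces an audit record for every request, approved or rejected."""
import hashlib
import json
from dataclasses import dataclass
from decimal import Decimal

# Assumed semantics: SAFE_PULL_LIMIT is the absolute ceiling for one pull;
# MAX_PULL_RATIO caps one pull as a fraction of the channel's current balance.
SAFE_PULL_LIMIT = Decimal("10000")
MAX_PULL_RATIO = Decimal("0.25")

# Constructed stand-in for the ledger_rules table, keyed by channel.
LEDGER_RULES = {
    "payouts": {"min": Decimal("1"), "max": Decimal("5000"), "daily": Decimal("20000")},
    "refunds": {"min": Decimal("1"), "max": Decimal("500"), "daily": Decimal("2000")},
}


@dataclass(frozen=True)
class PullRequest:
    request_id: str
    channel: str
    amount: Decimal
    channel_balance: Decimal  # channel balance at validation time
    spent_today: Decimal      # amount already validated for this channel today


def audit_hash(record: dict) -> str:
    """SHA-256 over canonical JSON, so an auditor can recompute it from the
    stored fields and detect any later edit to the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def validate_pull(req: PullRequest) -> dict:
    """Check caps in a fixed order; every path yields a status and a reason."""
    rules = LEDGER_RULES.get(req.channel)
    reason = None
    if req.amount <= 0:
        reason = "amount must be positive"
    elif rules is None:
        reason = f"no ledger_rules row for channel {req.channel!r}"
    elif req.amount > SAFE_PULL_LIMIT:
        reason = f"exceeds SAFE_PULL_LIMIT {SAFE_PULL_LIMIT}"
    elif req.amount > req.channel_balance * MAX_PULL_RATIO:
        reason = f"exceeds MAX_PULL_RATIO {MAX_PULL_RATIO} of balance {req.channel_balance}"
    elif req.amount < rules["min"]:
        reason = f"below channel min {rules['min']}"
    elif req.amount > rules["max"]:
        reason = f"exceeds channel max {rules['max']}"
    elif req.spent_today + req.amount > rules["daily"]:
        reason = f"would exceed daily cap {rules['daily']}"
    record = {
        "request_id": req.request_id,
        "channel": req.channel,
        "amount": str(req.amount),
        "validation_status": "approved" if reason is None else "rejected",
        "validation_reason": reason or "all caps and ledger_rules satisfied",
    }
    # Hash covers everything above; the hash itself is stored alongside.
    record["audit_hash"] = audit_hash(record)
    return record


# Constructed sample pulls: clean, over the ratio cap, over the daily cap,
# and a channel with no ledger_rules row.
SAMPLE_PULLS = [
    PullRequest("req-001", "payouts", Decimal("1000"), Decimal("10000"), Decimal("0")),
    PullRequest("req-002", "payouts", Decimal("3000"), Decimal("10000"), Decimal("0")),
    PullRequest("req-003", "payouts", Decimal("1000"), Decimal("10000"), Decimal("19500")),
    PullRequest("req-004", "grants", Decimal("10"), Decimal("1000"), Decimal("0")),
]


def validate_samples() -> list:
    return [validate_pull(p) for p in SAMPLE_PULLS]


if __name__ == "__main__":
    for rec in validate_samples():
        print(json.dumps(rec, indent=2))
```

The point for an auditor is that a rejected request produces the same shape of record as an approved one, and that the hash is recomputable from the stored fields alone; a log sample that cannot be re-hashed is not evidence.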

3) Codebase, SDLC & Reproducibility

Build integrity
CI runs: lint/format/test/build on every change.
Reproducible builds: pinned dependencies with lockfiles and integrity hashes; artifact checksums recorded per release.
Release notes + rollback plan for production deploys.
Database
Migrations are versioned and reversible (up/down).
Seeds for ledger_rules and policies are controlled and logged.

4) Security Controls

Keys & custody
Key management policy: storage, rotation, access, incident response.
No plaintext private keys or other secrets committed; secret scanning in CI (including git history) enabled.
Application security
AuthN/AuthZ: least privilege, role-based access to sensitive endpoints.
Rate limiting + request validation for critical endpoints.
Dependency scanning + vulnerability response process.

5) On-chain & Settlement Evidence

Network operations
Network config documented (RPC providers, failover, monitoring).
Pre-transaction validation (caps, ledger_rules, approval matrix) enforced before broadcast; no code path to the signer bypasses it.
Receipts
Tx hashes stored with timestamps and deterministic request IDs, so retries are idempotent and every receipt joins back to one ledger row.
Reconciliation procedure exists (ledger vs chain receipts).
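Added example, not AgroNet Labs' own code, covering the two receipt items above: a deterministic request ID derived from the transaction intent, and a reconciliation pass that joins ledger rows to chain receipts on that ID and classifies every entry. The ID field set, the ledger rows, receipts and tx hashes are constructed assumptions; the classification buckets are mine.

```python
"""Added example (not AgroNet Labs code): deterministic request IDs plus a
ledger-vs-chain reconciliation that never silently drops an entry."""
import hashlib
import json
from decimal import Decimal


def request_id(channel: str, destination: str, amount: str, nonce: int) -> str:
    """Same intent always yields the same ID: a retried broadcast reuses the
    row instead of creating a second spend, and a receipt can be joined back.
    The field set here is an assumption, not the project's schema."""
    intent = {"channel": channel, "dest": destination, "amount": amount, "nonce": nonce}
    canonical = json.dumps(intent, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:32]


# Constructed request IDs for the sample data below.
RID_A = request_id("payouts", "0xabc", "100.00", 1)
RID_B = request_id("payouts", "0xdef", "250.00", 2)
RID_C = request_id("refunds", "0x123", "40.00", 3)
RID_D = request_id("payouts", "0x999", "75.00", 4)

# Constructed ledger rows (what we believe we broadcast).
LEDGER = [
    {"request_id": RID_A, "tx_hash": "0xaaa1", "amount": "100.00"},
    {"request_id": RID_B, "tx_hash": "0xbbb2", "amount": "250.00"},
    {"request_id": RID_C, "tx_hash": "0xccc3", "amount": "40.00"},
]

# Constructed chain receipts (what actually landed), tagged with the
# request ID carried in the transaction metadata.
RECEIPTS = [
    {"request_id": RID_A, "tx_hash": "0xaaa1", "amount": "100.00"},  # clean match
    {"request_id": RID_B, "tx_hash": "0xbbb2", "amount": "260.00"},  # amount drift
    {"request_id": RID_D, "tx_hash": "0xddd4", "amount": "75.00"},   # no ledger row
]


def reconcile(ledger: list, receipts: list) -> dict:
    """Bucket every request ID on either side; nothing is left unclassified."""
    by_ledger = {row["request_id"]: row for row in ledger}
    by_chain = {rcpt["request_id"]: rcpt for rcpt in receipts}
    if len(by_ledger) != len(ledger) or len(by_chain) != len(receipts):
        # A duplicate request ID means the idempotency guarantee failed.
        raise ValueError("duplicate request_id in ledger or receipts")
    out = {
        "matched": [],             # ledger and chain agree
        "tx_hash_mismatch": [],    # same request, different transaction
        "amount_mismatch": [],     # same transaction, different value moved
        "missing_receipt": [],     # broadcast recorded, nothing on chain yet
        "unexpected_receipt": [],  # funds moved with no validated ledger row
    }
    for rid, row in by_ledger.items():
        rcpt = by_chain.get(rid)
        if rcpt is None:
            out["missing_receipt"].append(rid)
        elif rcpt["tx_hash"] != row["tx_hash"]:
            out["tx_hash_mismatch"].append(rid)
        elif Decimal(rcpt["amount"]) != Decimal(row["amount"]):
            out["amount_mismatch"].append(rid)
        else:
            out["matched"].append(rid)
    for rid in by_chain:
        if rid not in by_ledger:
            out["unexpected_receipt"].append(rid)
    return {bucket: sorted(ids) for bucket, ids in out.items()}


if __name__ == "__main__":
    print(json.dumps(reconcile(LEDGER, RECEIPTS), indent=2))
```

Of the buckets, unexpected_receipt is the one that should page someone: value left custody without passing validation, which is exactly the condition the kill-switch in section 6 exists for. missing_receipt is usually latency, but it must be resolved before any retry, since a retry with a fresh nonce is a second spend.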

6) Monitoring, Incident Response & Continuity

Operational readiness
Centralized logs + alerts for failed validations and abnormal volumes.
Kill-switch implemented: immediate freeze, documented trigger criteria, and named operators authorized to invoke it.
Incident response runbook: detect → contain → recover → postmortem.
BCP
Backups, restore tests, and minimal downtime plan.
Provider risk: DNS/CDN/RPC escalation and fallbacks.

7) Evidence Pack (what auditors ask for first)

  • Governance page: roles + approval matrix + treasury controls.
  • System diagram: components, data flows, where logs are produced.
  • Config proof: current caps (SAFE_PULL_LIMIT, MAX_PULL_RATIO) + history of changes.
  • Ledger rules: DB exports for ledger_rules + change history.
  • Audit logs: samples showing validation_status, reasons, and audit_hash.
  • Release evidence: CI logs + deploy tags + rollback docs.

Link this page from your hub (e.g., agronet.bio) and keep sensitive artifacts behind NDA.