fix(flows): route OBOL QA through explicit LLM endpoint

[bussyjd]

Summary

What changed:

• Require OBOL_LLM_ENDPOINT for the full seller/buyer QA flows and default OBOL_LLM_MODEL to qwen36-fast.
• Route Alice and Bob through the canonical obol model setup custom / model sync path instead of relying on local Ollama for full QA.
• Make flow 13 derive, preseed, and assert Bob's canonical buyer wallet before stack up.
• Keep the DNS tunnel override advisory; the real gate remains the in-pod 402 probe.
• Harden Hermes bootstrap against partially cloned shared state with a lock and atomic clone.
• Update the obol-stack-dev skill docs with the no-shortcut Hermes/LLM QA rules.

Why it matters:

• The OBOL seller/buyer flow now validates the actual Hermes agent buy path with the QA LLM endpoint, then proves success structurally through PurchaseRequest Ready=True, paid inference, settlement, and exact balance deltas.
• It removes the confusing two-Bob setup by making the deterministic derived buyer the remote-signer wallet used in the flow.

Risk level: medium

Commit under test: 19e4890 locally; remote flow run used origin/main@2bcc1d1 plus this branch diff before commit creation, with identical flow code.

Base branch: main@2bcc1d1

Scope

• Code
• Charts / manifests
• Flows / QA scripts
• Docs / skills
• Images / dependencies
• Other:

Validation

CI checks:

Check	Status	Link
GitHub Actions	PASS	CodeQL + lint-test passed

Unit tests:

bash -n flows/*.sh && git diff --check && go test ./...
PASS on 2026-05-01 for commit 19e4890

Integration tests:

go test ./internal/hermes -count=1
PASS on 2026-05-01

Flow tests:

Flow	Network	QA machine label	Worktree	Result	Artifacts
flows/flow-13-dual-stack-obol.sh	Anvil fork of Base Sepolia chain 84532	remote QA host 1	fresh detached worktree from origin/main@2bcc1d1 plus this branch diff	PASS, __FLOW13_DONE_RC__=0, steps_failed=0, steps_passed=59, total_steps=55	receipt summary copied below

Release smoke:

Not run in this pass.

Live Chain Evidence

Do not include private keys, seed phrases, passwords, hostnames, personal paths, or raw bearer tokens.

Network: Anvil fork of Base Sepolia, chain ID 84532

RPC/provider: public Base Sepolia RPC used as fork source

Facilitator: local x402-rs facilitator container pointed at the fork

Contracts and tokens:

Name	Address	Version / notes
Fork OBOL token	0xDED00F1C77314EE850d96363b21330FcEaD9effc	name() == Obol Network, Permit2 flow

Wallet roles:

Role	Address	Source
Alice / seller / register	0xC0De030F6C37f490594F93fB99e2756703c4297E	.env signer key address
Bob / buyer / payer	0x57b0eF875DeB5A37301F1640E469a2129Da9490E	deterministic second derived key
Bob remote-signer	0x57b0eF875DeB5A37301F1640E469a2129Da9490E	asserted equal to canonical Bob

Balances:

Token	Address	Before	After	Expected delta	Actual delta
OBOL	Alice seller	10000000000000000000	10001000000000000000	+1000000000000000	+1000000000000000
OBOL	Bob signer	10000000000000000000	9999000000000000000	-1000000000000000	-1000000000000000

Transaction receipts:

Purpose	Tx hash	From	To	Amount / event	Status
ERC-8004 registration	n/a	n/a	n/a	intentionally skipped by flow 13	n/a
Metadata / service offer	n/a	n/a	n/a	Kubernetes ServiceOffer Ready=True	PASS
Approval / permit	n/a	Bob signer	facilitator	Permit2 authorization created by x402 buyer	PASS via PurchaseRequest Ready=True
Purchase request	n/a	Bob agent	Alice service	count=5, price=1000000000000000, model qwen36-fast	Ready=True
Funding	0xb89ca4516d34809d88f97e02cf008e0d6044b2a67d482b6144d363e89e012678	fork deployer	Bob signer	10 OBOL mint/fund	PASS
Settlement transfer	0x4233dbaca1a6783702cf35767fd259d8da76a191a11b9c59622ae0ee8190a06e	Bob signer	Alice seller	Transfer(..., 1000000000000000)	PASS

Runtime Evidence

QA environment:

Item	Value
OS / arch	Linux aarch64
Backend	k3d stack lifecycle, two isolated stack workspaces
Tool versions	Foundry tools preflight passed; Docker image preflights passed
QA agent/model	Hermes agent via qwen36-fast OpenAI-compatible QA endpoint

Images:

Component	Image	Tag / digest	Source
x402 facilitator	ghcr.io/x402-rs/x402-facilitator	1.4.7, sha256:4567d35cd65f2f4e19a1d1fa257f8e95d3d6b6909c33fa589044c1cfb5b76ffd	flow preflight
cloudflared	cloudflare/cloudflared	2026.3.0	embedded chart default

Kubernetes / stack:

Item	Value
Stack IDs	isolated Alice/Bob stack IDs created in the QA worktree
Namespaces	x402, llm, traefik, Hermes agent namespace exercised
Pod readiness	x402 pods running, Hermes API ready, LiteLLM rollout settled
Cleanup result	Alice stack down, Bob stack down, Anvil/facilitator stopped, QA worktree removed

Model and routing:

Item	Value
Agent/model used	qwen36-fast
LiteLLM route	custom external-llm route synced into both Alice and Bob
Paid endpoint status	HTTP 200 via paid/qwen36-fast
Auth token source	Hermes API server token from obol agent auth

Artifacts and logs:

Artifact	Location / link	Notes
receipt-summary.json	copied into this PR body	raw remote path omitted intentionally
flow log	remote QA log reviewed, path omitted	contains __FLOW13_DONE_RC__=0

Demo readiness:

Item	Status	Notes
Seller visible / registered	Partial	ServiceOffer ready; ERC-8004 intentionally skipped by flow 13
Buyer discovery works	PASS	Hermes discovery prompt completed before buy
Paid route works	PASS	paid/qwen36-fast returned HTTP 200
Settlement visible on-chain	PASS	settlement tx and balance deltas verified on fork

Review Notes

Known gaps:

• This pass did not run live Base Sepolia flow 14 to avoid another live-token spend in this PR cycle.
• Release smoke was not run after the focused flow 13 rerun.

Follow-ups:

• Run flow 14 against live Base Sepolia when we intentionally want live OBOL spend coverage.
• Add CI wiring for explicit fork-vs-live release-smoke jobs so the release gate names which OBOL path ran.

Reviewer focus:

• Confirm requiring OBOL_LLM_ENDPOINT for full QA is the intended default.
• Confirm flow 13's derived Bob wallet invariant matches the canonical buyer-wallet plan.
• Check the Hermes bootstrap lock/init change for shared persistent-volume behavior.