audits: settle path landed — full 6/6 escrow builders proven on chain

Settle path (4 txs):
- open       a878900c09022381f332ca2cea1b4624202ebdbd6f3a83fd9de07475bb98bd6b
- bob deposit ef8910101e88b63abb28ec9b511616e3465075b8d34d5eeb9703efe1876a62bf
- agree      bbfd57c3acb68ddb76d6b92c0dbe8ba9cb21ca88ad6370d19f00822c3b69d655
- settle     4b52312ce264dba74a6fde6c2ccb597696022c8919470f23670e2746db10d1ff

agreed_at_ms=1778381375000 + lock_period_ms=1_800_000 = 1778383175000
earliest_settle. Tip at settle submit: 1778383733000 (558s past).
recipient (bob) receives 10 ADA at enterprise address. Settle requires
no party signer — preprod drove as fee-payer only.

Validator's Settle branch executed cleanly: state==Agreed check,
strict-> time gate, recipient payout via value_geq_value(paid, in_value).
MED-2/3 fix (slot-derived validity_lower_ms) held a second time under
different timing. Total escrow value cycled through validator across all
three E2E paths: 5+10+10 = 25 tADA, 9 successful txs across 6 distinct
validator branches (open as no-script, deposit, agree, veto, settle,
refund). Zero failed txs, zero collateral burns.

Code surface complete. Next: drop escrow_wip flag (task #48) per Cobb's
2026-05-09 directive — replace compile-time gate with runtime
"use at own risk" note when an agent calls escrow_open.

audits/2026-05-09-escrow-e2e.md

@@ -31,17 +31,17 @@ Total tADA cycled through validator: 10 ADA (5 from each party). Refunded to ent
 | (wait) | — | tip elapsed past open_deadline (~165s past) before next step |
 | Refund-timeout | `41590ac6ed069586e650da58858436cfe6be51a865069a7a4b40f795dfcdbff9` | escrow_refund_timeout builder; `lower > open_deadline_ms` strict-`>` time gate proven; HIGH-2 deposits-sum invariant proven on a single-deposit escrow; single-output refund (2 ADA back to party_a's enterprise address). |
 
-## Settle path (6th builder, NOT YET TESTED)
+## Settle path (6th builder)
 
-Deferred — requires a 30-minute `lock_period_ms` to elapse between Agree
-and Settle. Setup: open + 2 deposits + Agree + wait 30 min + Settle.
-Run as a separate session when the window is convenient.
+| Step | tx hash | What it proves |
+|------|---------|----------------|
+| Open | `a878900c09022381f332ca2cea1b4624202ebdbd6f3a83fd9de07475bb98bd6b` | escrow_open with deadline=tip+1h, lock=30min, recipient=bob |
+| Deposit (bob) | `ef8910101e88b63abb28ec9b511616e3465075b8d34d5eeb9703efe1876a62bf` | bob adds 5 ADA, deposits=[(preprod,5),(bob,5)], second time the V3 validator's Deposit branch ran on chain |
+| Agree | `bbfd57c3acb68ddb76d6b92c0dbe8ba9cb21ca88ad6370d19f00822c3b69d655` | both-party multi-sig (driver=preprod, co-signer=bob); state Open→Agreed{at=1778381375000} |
+| (wait) | — | tip elapsed past `agreed_at + lock_period_ms` (~1778383175000) — actual tip at settle: 1778383733 = 558s past |
+| Settle | `4b52312ce264dba74a6fde6c2ccb597696022c8919470f23670e2746db10d1ff` | escrow_settle builder; `lower > agreed_at + lock_period` strict-`>` time gate proven; **MED-2/3 fix held a second time** under different timing; recipient (bob) gets 10 ADA at his enterprise address; no party signer required (preprod drove as fee-payer only) |
 
-The Settle builder + validator branch are unit-tested in
-`crates/aldabra-dao/src/builder/escrow_settle.rs` (5 tests covering
-not-Agreed reject, lock-not-elapsed reject, empty-escrow reject,
-happy-path full payout, anyone-can-drive). On-chain validation is the
-final gap.
+**All 6 builders proven on chain.**
 
 ## What this E2E proved on chain