Three normative amendments identified during the gap-analysis and now
captured as a standalone doc. Each amendment cites the implementation
impact on PRs A-G and lists follow-up tickets that extend (not regress)
the already-landed code.
§5.1 Transaction Coordinator trust model:
- names the operator the Workflow Authority
- requires SoD between Coordinator operator, Identity service, and
Ledger Anchor
- requires signed state transitions verifiable by participants
- CurrenciCombo ref topology: issuing bank runs it (single-party
hosted); federated and neutral-utility topologies are future work
and can swap in without changing the API.
§9.2 Commit rule (accepted != settled):
- enumerates the exact SWIFT/ISO-20022 messages that count as
settlement: pacs.002 ACSC, camt.025 ACSC, camt.054 CRDT,
MT910/MT900
- ACCP/ACSP/PDNG do NOT satisfy COMMIT; stay in VALIDATING until
settlement evidence or timer expiry -> ABORTED
- wires explicitly to PR E's camt parsers + PR B's exception taxonomy.
§4.1 Instrument irrevocability matrix:
- UNWIND_PENDING is a Coordinator state, not a guarantee the
underlying banking artefacts reverse
- separate instrument-leg and payment-leg matrices based on
observable progress (dispatched / acknowledged / accepted /
settled)
- irrevocable once instrument.acknowledged; only remaining control
plane actions are accelerated expiry, counter-guarantee, or
legal discharge
- refines the reason payload on ABORTED -> UNWIND_PENDING; no
transition-table change.
Lands docs-only; no code change. Implementation follow-ups enumerated
in "Summary of downstream tickets".
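
The commit rule (accepted != settled) summarised above, sketched as an added example that is not part of this commit or the project's code. The `Evidence` record, the `next_state` function, the use of `None` as the code for MT910/MT900, the `COMMIT` outcome label and the choice that evidence must arrive strictly before the timer fires are all assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# (message type, status/indicator) pairs the commit rule lists as settlement.
# MT910/MT900 are confirmations with no status code; None stands in (assumption).
SETTLEMENT_EVIDENCE = {
    ("pacs.002", "ACSC"),
    ("camt.025", "ACSC"),
    ("camt.054", "CRDT"),
    ("MT910", None),
    ("MT900", None),
}


@dataclass(frozen=True)
class Evidence:  # hypothetical record shape for a parsed bank message
    msg_type: str
    code: Optional[str]
    received_at: int  # seconds since the transaction entered VALIDATING


def next_state(evidence, timer_s, now_s):
    """Return (state, reason) for a transaction currently in VALIDATING.

    Only messages already received (<= now_s) and received before the timer
    fired (< timer_s, an assumption) are considered. Acceptance-type statuses
    such as ACCP/ACSP/PDNG never match the allow-list, so they cannot commit.
    """
    seen = [e for e in evidence
            if e.received_at <= now_s and e.received_at < timer_s]
    for ev in sorted(seen, key=lambda e: e.received_at):
        if (ev.msg_type, ev.code) in SETTLEMENT_EVIDENCE:
            return "COMMIT", " ".join(p for p in (ev.msg_type, ev.code) if p)
    if now_s >= timer_s:
        return "ABORTED", "timer expiry without settlement evidence"
    return "VALIDATING", "awaiting settlement evidence"


# Constructed sample: two acceptance statuses, then a settlement status.
SAMPLE = [
    Evidence("pacs.002", "ACCP", 10),
    Evidence("pacs.002", "ACSP", 20),
    Evidence("pacs.002", "ACSC", 40),
]
```

The allow-list is keyed on the message type and code together, so a settlement code on the wrong message type is not treated as settlement.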