
Proof Boundary

This page defines what is enforced by proof, what is checked by host/runtime integration, and what remains artifact-described in the current publication.

Published Bounded Statement

The active lane is Trustless Relation Query 1 (TRQ1), bounded to two source notes for direct-spend transitions.

Boundary Breakdown

| Layer | Current status | Scope in this milestone |
| --- | --- | --- |
| Proof-enforced semantics | Enforced in bounded lane | Hidden conservation and bounded sink-side role semantics (recipient/change/reserve/fee) |
| Host/runtime checks | Enforced on integration path | Carrier integrity, binding checks, and fail-closed acceptance path checks |
| Artifact-described behavior | Descriptive, not proof-defining | Reporting fields, evidence summaries, and operational metadata |
| Public observables | Public on Layer 1 | Graph linkage, shell economics, fees, topology, timing/cadence |
| Future optional aggregation | Deferred | Later observability reduction layer, outside current proof boundary |

Public Verifier Export Surface

Allowed public boundary material includes:

  • Public Inputs version 1 (PIv1) bytes (wire magic "PIV1")
  • Proof Blob version 1 (PBv1) envelope bytes (wire magic "PBV1")
  • output-binding commitments and transcript commitments
  • intended ciphertext/recovery transport fields

The public boundary must not expose amount-opening windows, residual transparent-trace hints, or identity-revealing plaintext.
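
One way a host-side exporter could enforce this surface, shown as an added example that is not the project's own code: a fail-closed allowlist gate over an export bundle. Only the wire magics "PIV1" and "PBV1" come from this page; the field names, the dictionary bundle shape, and the placement of the magic in the first four bytes are assumptions made for the example.

```python
# Added illustration: fail-closed allowlist gate for public verifier exports.
# Only the magics "PIV1"/"PBV1" come from the page; field names and the
# magic-at-offset-0 layout are assumptions made for this example.
MAGIC = {"public_inputs": b"PIV1", "proof_blob": b"PBV1"}
ALLOWED_FIELDS = frozenset({
    "public_inputs",               # PIv1 bytes
    "proof_blob",                  # PBv1 envelope bytes
    "output_binding_commitments",
    "transcript_commitments",
    "ciphertext_transport",        # intended ciphertext/recovery transport
})


class ExportRejected(Exception):
    """Raised when a bundle must not cross the public boundary."""


def check_export(bundle):
    """Return the sorted field names cleared for export, or raise."""
    # Allowlist, not denylist: anything unnamed (amount openings, trace
    # hints, plaintext) is rejected without having to enumerate it.
    unknown = sorted(set(bundle) - ALLOWED_FIELDS)
    if unknown:
        raise ExportRejected(f"outside public boundary: {unknown}")
    for name, value in bundle.items():
        # Opaque bytes only; structured or textual values are refused.
        if not isinstance(value, bytes) or not value:
            raise ExportRejected(f"{name}: expected non-empty bytes")
        magic = MAGIC.get(name)
        if magic is not None and value[:4] != magic:
            raise ExportRejected(f"{name}: wire magic is not {magic!r}")
    return sorted(bundle)


def is_exportable(bundle):
    """Boolean wrapper around check_export for callers that only need yes/no."""
    try:
        check_export(bundle)
        return True
    except ExportRejected:
        return False


if __name__ == "__main__":
    # Constructed sample bundles (payload bytes are placeholders).
    good = {"public_inputs": b"PIV1" + bytes(8), "proof_blob": b"PBV1" + bytes(8)}
    leaky = dict(good, amount_opening_window=b"\x00\x01")
    swapped = {"public_inputs": b"PBV1" + bytes(8)}
    for label, b in (("good", good), ("leaky", leaky), ("swapped", swapped)):
        print(label, is_exportable(b))
```

Because the gate is an allowlist, a new internal field added to the bundle later is rejected by default until it is explicitly cleared for the public boundary.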

Non-Claims

This proof boundary does not claim:

  • arbitrary-N confidential accounting enforcement
  • hidden BCH graph or settlement topology
  • hidden shell economics or fee burn
  • whole-system full zero-knowledge deployment guarantees

Code Mapping