CommitmentGate, Permits, and Receipts

Production Track

Every value movement must pass through the same guarded state machine and emit signed evidence.

Objective

Prevent unauthorized or partial execution by making commitment, policy enforcement, and evidence generation non-optional.

5-phase Commitment Pipeline

Intent validates request semantics, Prepare locks funds, Commit marks the point of no return, Execute mutates core state, and Receipt finalizes signed evidence.

Failures before commit are cleanly reversible. Failures after commit trigger deterministic recovery semantics and explicit incident visibility.

SpendPermit Enforcement

Permits apply budget ceilings, recipient scope, time windows, and usage boundaries. They are evaluated as first-class constraints in the transfer pipeline.

Agent and delegated execution paths are required to present permit context for spend-capable operations.

Receipt + WorldLine Evidence

Receipts are signed with Ed25519 over canonical payloads and anchored into WorldLine hash-chain events.

Verification can be performed independently, making audit and dispute workflows portable outside the runtime.
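
The independent verification described above, as an added example (not the engine's own code): a verifier that holds only the public key checks each receipt's Ed25519 signature over its canonical payload and the hash link to the previous event. The `Event` layout, the sorted-key JSON canonical form, the SHA-256 link and the sample receipts are assumptions; the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Event struct { // hypothetical WorldLine entry; field names are assumptions
	Payload map[string]string
	Sig     []byte
	Prev    [32]byte
}

func canonical(p map[string]string) []byte {
	b, _ := json.Marshal(p) // sorted map keys: stand-in canonical form (assumption)
	return b
}

// link hashes prev || canonical payload || signature into the next chain value.
func link(e Event) [32]byte {
	return sha256.Sum256(append(append(e.Prev[:], canonical(e.Payload)...), e.Sig...))
}

// Verify needs only the public key; it returns the first bad index, or -1.
func Verify(chain []Event, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, e := range chain {
		if e.Prev != prev || !ed25519.Verify(pub, canonical(e.Payload), e.Sig) {
			return i
		}
		prev = link(e)
	}
	return -1
}

// Demo signs a constructed three-receipt chain with a fixed all-zero test seed.
func Demo() (chain []Event, pub ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	var tip [32]byte
	for i, to := range []string{"alice", "bob", "carol"} {
		p := map[string]string{"id": fmt.Sprint(i), "to": to, "amount": "100"}
		e := Event{p, ed25519.Sign(priv, canonical(p)), tip}
		chain, tip = append(chain, e), link(e)
	}
	return chain, priv.Public().(ed25519.PublicKey)
}

func main() { fmt.Println(Verify(Demo())) } // prints -1: chain intact
```

Dropping events from the end of the chain still passes this check; catching that requires comparing the final link value against a head hash pinned outside the chain.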

Interfaces

Permit API

Issue permit, update limits, revoke permit, inspect usage

Receipt API

Fetch receipt by ID, verify signature, export audit card

Production Checkpoints

  • No spend path bypasses permit checks
  • Receipt signatures verify against canonical payload
  • WorldLine integrity check detects tampering
  • Transfer rollback behavior is deterministic pre-commit
