{ "schema_version": "2026-06-02.redaction-boundary.v1", "surface": "main_website", "owner": "main_website_release_desk", "purpose": "Machine-readable public/private/redaction boundary for QUAD public datasets, receipts, payloads, provider labels, host-chain labels, financial posture, route proof, and doctrine-sensitive material.", "updated": "2026-06-02", "redaction_rule": "Public data may explain owner, route, state, receipt, proof class, freshness, and boundary. It must not expose payloads, secrets, credentials, private operator procedure, private payment mechanics, sensitive provider detail, or claims the owning chain has not admitted.", "must_not_infer": [ "current_chain_state", "current_block_height", "current_balance", "payload_truth", "provider_identity", "private_operator_procedure", "custody_proof", "admission_proof", "settlement_proof", "liquidity_proof", "sale_access", "reward_eligibility", "allocation", "production_value_movement", "economic_activation", "external_validation" ], "redaction_classes": [ { "class_id": "public_route_metadata", "public_label": "public route metadata", "public_allowed": [ "owner surface", "public route", "state label", "freshness signal", "proof class", "non-inference boundary" ], "keep_private": [ "private endpoint", "credential", "operator procedure", "secret route", "protected topology" ], "redaction_behavior": "Publish the route label and state boundary; omit private endpoint details and operational steps.", "consumer_behavior": "Use the public route as a reading target only. Do not treat it as authority beyond its owner and state label.", "must_not_infer": [ "route_open", "private_access", "chain_authority", "economic_activation" ] }, { "class_id": "receipt_metadata", "public_label": "receipt metadata", "public_allowed": [ "receipt id", "owner surface", "event class", "public timestamp or height where published", "status label", "proof boundary" ], "keep_private": [ "private payload body", "private contract terms", "private account material", "sensitive verifier detail", "private support path" ], "redaction_behavior": "Publish enough metadata to find and interpret the receipt; keep payload and private contract material out unless the product class explicitly makes it public.", "consumer_behavior": "Quote what the receipt proves and what it does not prove. Preserve owner and event boundary.", "must_not_infer": [ "payload_truth", "endorsement", "Core_admission", "Bridge_finality", "Liquid_settlement", "economic_activation" ] }, { "class_id": "payload_private_by_default", "public_label": "payload private by default", "public_allowed": [ "payload access class", "redacted size class where published", "object state", "receipt pointer", "retention or expiry label where published" ], "keep_private": [ "payload body", "private metadata", "private contract contents", "private user material", "sensitive reconstruction detail" ], "redaction_behavior": "Treat payload body and private metadata as absent from public pages unless the owning product class explicitly publishes them.", "consumer_behavior": "Do not infer payload contents, correctness, lawful status, or endorsement from the existence of a receipt.", "must_not_infer": [ "payload_contents", "payload_truth", "lawful_status", "endorsement", "canonical_status" ] }, { "class_id": "public_rented_visibility", "public_label": "public rented visibility", "public_allowed": [ "public visibility flag", "public record handle", "public receipt metadata", "published display route", "expiry or retention label where published" ], "keep_private": [ "private owner identity unless published by product class", "private payload fields", "private verifier mechanics", "private operator procedure" ], "redaction_behavior": "Make public-browse visibility explicit and keep non-public receipt, handle-only, contract, security, or system-evidence classes separate.", "consumer_behavior": "Read public-browse records as intentionally visible records only, not as endorsement or universal truth.", "must_not_infer": [ "endorsement", "payload_truth", "Core_value", "allocation", "economic_activation" ] }, { "class_id": "provider_identity", "public_label": "provider label", "public_allowed": [ "provider class", "public status label", "service role", "capacity label where published", "receipt or proof route where published" ], "keep_private": [ "personal identity", "private account detail", "credentials", "private endpoint inventory", "sensitive operating pattern" ], "redaction_behavior": "Use role and service labels unless the provider identity is deliberately published by the owner surface.", "consumer_behavior": "Do not treat provider visibility or absence as proof of decentralization, endorsement, reliability, or reward status.", "must_not_infer": [ "operator_identity", "endorsement", "validator_advantage", "reward_eligibility", "network_decentralization" ] }, { "class_id": "host_chain_vault", "public_label": "host-chain or vault label", "public_allowed": [ "host-chain label", "vault class", "owner-surface label", "receipt or proof pointer", "public state label" ], "keep_private": [ "private signing material", "private account setup", "private custody procedure", "private payment route", "sensitive route mechanics" ], "redaction_behavior": "Publish class, owner, state, and proof pointer; keep account-control material and private custody procedure out.", "consumer_behavior": "Do not infer reserve backing, redemption, spend authority, or destination admission from a host-chain or vault label.", "must_not_infer": [ "reserve_backing", "redemption", "spend_authority", "destination_admission", "custody_proof" ] }, { "class_id": "financial_posture_label", "public_label": "financial posture label", "public_allowed": [ "account class", "payable or receivable label", "quote class", "refund label", "reserve class", "public boundary" ], "keep_private": [ "internal ledger detail", "private invoice detail", "private payment account", "private treasury procedure", "private counterparty detail" ], "redaction_behavior": "Publish posture and class labels separately from private ledgers and payment accounts.", "consumer_behavior": "Use labels to understand what kind of obligation or state exists; do not treat them as spendable balance or solvency proof.", "must_not_infer": [ "spendable_money", "solvency", "yield", "redemption", "market_value", "economic_activation" ] }, { "class_id": "route_proof_boundary", "public_label": "route proof boundary", "public_allowed": [ "route owner", "route class", "public proof pointer", "status label", "failure or refusal label", "next public check" ], "keep_private": [ "sensitive route mechanics", "private recovery sequence", "private failover procedure", "private endpoint detail", "exploit-sensitive timing" ], "redaction_behavior": "Publish proof and refusal labels without publishing the private mechanics that produce or repair them.", "consumer_behavior": "Read route proof as bounded proof for that route only.", "must_not_infer": [ "destination_acceptance", "route_repaired", "settlement_success", "private_recovery_available", "economic_activation" ] }, { "class_id": "doctrine_sensitive_material", "public_label": "doctrine-sensitive material", "public_allowed": [ "public purpose", "surface role", "boundary rule", "reader-safe doctrine summary", "must-not-infer boundary" ], "keep_private": [ "private doctrine mechanics", "sensitive design rationale", "private evaluation criteria", "private operator controls", "protected implementation detail" ], "redaction_behavior": "Publish the public-facing rule and boundary, not the private mechanism or sensitive rationale.", "consumer_behavior": "Use public doctrine summaries to interpret pages, not to reconstruct private operating design.", "must_not_infer": [ "private_mechanics", "operator_controls", "security_model_detail", "issuer_identity", "endorsement" ] }, { "class_id": "support_evidence_packet", "public_label": "support evidence packet", "public_allowed": [ "surface", "public id", "receipt id", "visible state", "expected next step", "safe timestamp" ], "keep_private": [ "seed phrase", "private key", "recovery phrase", "private account login", "private payload", "payment credential" ], "redaction_behavior": "Ask for public ids and visible labels only; never ask for secrets or private access material.", "consumer_behavior": "Use the evidence packet to route a public support question without expanding receipt meaning.", "must_not_infer": [ "private_support_access", "allocation", "reward_eligibility", "governance_right", "economic_activation" ] } ], "consumer_rules": [ "Publish owner, route, state, receipt, proof class, freshness, and boundary only when the owner surface makes them public.", "Payload body, secrets, credentials, private payment routes, private operator procedure, and sensitive mechanics stay out of public datasets.", "Receipt metadata may be public where product law allows it; receipt metadata does not prove payload truth or cross-surface admission.", "Provider and vault labels should use roles and classes unless the owning surface deliberately publishes stronger identity or custody data.", "Financial posture labels must stay separate from private ledgers and spendable-money claims.", "Public doctrine should explain surface roles and boundaries without revealing private mechanics." ] }