{ "schema_version": "2026-06-02.retention-policy.v1", "surface": "main_website", "owner": "main_website_release_desk", "purpose": "Machine-readable public retention, prune, tombstone, restore, and reissue policy for QUAD public datasets, receipts, payload-access labels, support evidence, and release artifacts.", "updated": "2026-06-02", "retention_rule": "Retention is part of public meaning. A removed payload, expired access right, pruned dataset, tombstoned object, or reissued receipt must still preserve the right public state without pretending payload access or stronger proof still exists.", "must_not_infer": [ "current_chain_state", "current_block_height", "current_balance", "payload_access", "payload_truth", "custody_proof", "admission_proof", "settlement_proof", "liquidity_proof", "sale_access", "reward_eligibility", "allocation", "production_value_movement", "economic_activation", "external_validation" ], "retention_classes": [ { "class_id": "receipt_metadata_retained", "public_label": "receipt metadata retained", "retained_public_fields": [ "receipt id", "owner surface", "event class", "status label", "proof class", "public timestamp or height where published", "non-inference boundary" ], "may_be_pruned": [ "private payload body", "private contract terms", "sensitive verifier detail", "private account material" ], "tombstone_behavior": "If the underlying payload or private record is no longer publicly accessible, keep the receipt metadata and show payload access as ended, expired, private, or not part of the public product.", "restore_or_reissue_behavior": "A reissued receipt may reproduce the original public metadata and proof boundary; it must not expand what the original receipt proved.", "consumer_behavior": "Use retained receipt metadata to locate and interpret a bounded event, not to infer payload contents or stronger authority.", "must_not_infer": [ "payload_truth", "payload_access", "Core_admission", "Bridge_finality", "Liquid_settlement", "economic_activation" ] }, { "class_id": "payload_access_lifecycle", "public_label": "payload access lifecycle", "retained_public_fields": [ "payload access class", "object state", "receipt pointer", "expiry label where published", "retention label where published" ], "may_be_pruned": [ "payload body", "private metadata", "private reconstruction detail", "private user material" ], "tombstone_behavior": "When payload access ends, publish the state as ended, expired, tombstoned, private, or never-public where the owner surface allows it.", "restore_or_reissue_behavior": "Restore may re-open access only through an owner-published product lane; public restore labels do not expose private payload content.", "consumer_behavior": "Read access state separately from receipt existence.", "must_not_infer": [ "payload_contents", "payload_truth", "continued_access", "endorsement", "canonical_status" ] }, { "class_id": "tombstone_record", "public_label": "tombstone record", "retained_public_fields": [ "object or receipt handle", "owner surface", "terminal state", "reason class where public", "replacement or reissue route where public" ], "may_be_pruned": [ "deleted payload", "private cause detail", "private abuse report", "private review material" ], "tombstone_behavior": "A tombstone should prove that a public handle ended, moved, expired, or became unavailable without publishing protected payload or private review material.", "restore_or_reissue_behavior": "If a tombstoned record is restored or reissued, the new record needs its own public id, owner, state, and boundary.", "consumer_behavior": "Treat tombstone as terminal or changed-state evidence, not as failure proof unless the owner labels it that way.", "must_not_infer": [ "payload_truth", "wrongdoing", "custody_failure", "route_failure", "economic_activation" ] }, { "class_id": "pruned_dataset", "public_label": "pruned dataset", "retained_public_fields": [ "dataset id", "owner surface", "schema version", "last public state", "prune label", "replacement route where public" ], "may_be_pruned": [ "old rows", "superseded snapshots", "private payload fields", "non-current fallback values" ], "tombstone_behavior": "If a dataset is pruned, publish the prune label or replacement route where useful; do not silently present old rows as current.", "restore_or_reissue_behavior": "Restored or replacement datasets must carry their own schema version, freshness, lineage, redaction, and boundary labels.", "consumer_behavior": "Use pruned datasets as historical context only unless the owner publishes a current replacement.", "must_not_infer": [ "current_state", "dataset_complete", "owner_acceptance", "external_validation", "economic_activation" ] }, { "class_id": "owner_touch_refresh", "public_label": "owner-touch refresh", "retained_public_fields": [ "owner surface", "refresh label", "last public update", "next public check", "stale behavior" ], "may_be_pruned": [ "old refresh attempts", "private operator notes", "private endpoint tests", "unpublished diagnostics" ], "tombstone_behavior": "If the owner route stops refreshing, public claims should downgrade to stale, unavailable, or cannot verify.", "restore_or_reissue_behavior": "Refresh recovery needs a public owner route, timestamp, version, or receipt before current-state claims reopen.", "consumer_behavior": "Do not quote current state from a route that lacks owner-touch freshness.", "must_not_infer": [ "current_state", "route_repaired", "live_telemetry", "settlement_truth", "economic_activation" ] }, { "class_id": "cold_retention_transfer", "public_label": "cold retention transfer", "retained_public_fields": [ "retention class", "owner surface", "public handle", "access state", "reissue route where public" ], "may_be_pruned": [ "hot-cache payload", "private storage location", "provider detail", "private recovery path" ], "tombstone_behavior": "If hot access ends but retained evidence remains, publish the access state as cold, reissue-only, proof-only, or unavailable where owner law allows.", "restore_or_reissue_behavior": "Cold restore or certified reissue should show quote, owner, receipt id, and unchanged proof boundary where public.", "consumer_behavior": "Read cold-retention labels as access posture only, not as proof of payload contents or economic value.", "must_not_infer": [ "payload_truth", "instant_access", "provider_identity", "reserve_backing", "economic_activation" ] }, { "class_id": "terminal_receipt", "public_label": "terminal receipt", "retained_public_fields": [ "receipt id", "terminal state", "owner surface", "event class", "closure label", "non-inference boundary" ], "may_be_pruned": [ "private closure detail", "payload body", "private support notes", "private operator path" ], "tombstone_behavior": "A terminal receipt should remain readable enough to show that no further public action is available from that record.", "restore_or_reissue_behavior": "A new public action after terminal state needs a new owner-published route, quote, receipt, or appeal path.", "consumer_behavior": "Do not treat terminal state as hidden pending action.", "must_not_infer": [ "future_action_available", "private_override", "reward_eligibility", "allocation", "economic_activation" ] }, { "class_id": "restore_or_reissue", "public_label": "restore or reissue", "retained_public_fields": [ "original receipt id", "new receipt id where applicable", "owner surface", "quote id where applicable", "service class", "unchanged proof boundary" ], "may_be_pruned": [ "private payload reconstruction", "private support notes", "private payment route", "sensitive verifier detail" ], "tombstone_behavior": "If restore is refused, publish the refusal class and next public check where available.", "restore_or_reissue_behavior": "Restore or reissue can reproduce access, metadata, or evidence only within the product lane the owner publishes.", "consumer_behavior": "A reissue is not a new truth claim; it is a new public access or certification event for a bounded old record.", "must_not_infer": [ "payload_truth", "expanded_receipt_scope", "Core_admission", "settlement_truth", "economic_activation" ] }, { "class_id": "refusal_or_abuse_note", "public_label": "refusal or abuse note", "retained_public_fields": [ "refusal class", "owner surface", "public handle", "status label", "next public check where available" ], "may_be_pruned": [ "private report detail", "private moderation material", "private account detail", "payload body" ], "tombstone_behavior": "A refusal or abuse-related tombstone may name the refusal class without publishing protected reports, private payloads, or sensitive review detail.", "restore_or_reissue_behavior": "Appeal, restore, or reissue requires an owner-published route and does not reopen the original claim by default.", "consumer_behavior": "Do not infer legal status, wrongdoing, or endorsement from a refusal label unless the owner explicitly publishes that narrower claim.", "must_not_infer": [ "wrongdoing", "legal_status", "endorsement", "payload_truth", "private_review_result" ] } ], "consumer_rules": [ "A receipt can survive after payload access ends.", "A tombstone should show ended, moved, expired, unavailable, or terminal state without exposing protected payload or private review detail.", "Pruned or superseded data must not be displayed as current state.", "Restore or reissue needs its own public owner, state, and boundary.", "Payload access state is separate from receipt existence.", "Private payloads, provider details, payment routes, support notes, and recovery mechanics remain outside public retention records.", "When retention state is missing, downgrade to cannot verify rather than inventing access, deletion, or restore status." ] }