[AVAILABLE] — every artifact below is a real TypeScript interface in
packages/shared/src/domain/*.ts.Why the chain matters
BusinessTransactionValidator enforces structural consistency across the chain before
anything is evaluated — for example, authorization.authorityId must match
authority.authorityId, and intent.authorizationId must match
authorization.authorizationId (packages/runtime/src/validators/ BusinessTransactionValidator.ts:21-37). A Business Transaction that doesn’t hang together
structurally never reaches policy evaluation.
The Execution Trust Record is append-only
Once created, a Trust Record’soverrides, executions, verifications, and receipts
arrays may only grow — existing entries are never modified or removed. The core fields
(businessTransactionId, the transaction itself, policy, signals, decision) never
change after creation. This is what makes deterministic replay and independent
verification meaningful: there is exactly one record, and its history is the complete
history.
What’s cryptographically bound, and what’s merely attached
The Trust Record’strustRecordHash is computed over its canonical serialized form and
then signed (Signature — algorithm, key ID, base64 value, timestamp). Fields that
participate in that hash — including authorizationId inside execution metadata — cannot
be altered without changing the recomputed hash and failing verification (CLAIMS.md 2.11).
Fields that are just JSON alongside the record are not similarly protected. This
distinction is the entire subject of Content Binding & TOCTOU
— read that page before assuming “signed” means “every field is tamper-evident against every
kind of modification.”