Receipt Schema - Attestation Trajectory Layer
Attestation Trajectory Layer (v0.5.1)
Companion layer to the Receipt Schema core grammar. Defines how a discharged_green row records the PATH by which it reached green, so a consumer can distinguish an independently-recomputed green from a self-asserted one.
1. Property classes. Every verifiable property is exactly one of:
- reproducible_core: a property a disjoint party can re-derive from the build manifest alone (byte-identical output from identical inputs).
- event_identity: a property tied to a single occurrence in time (when, by whom, in what order) that cannot be re-derived by recomputation.
A single green row MUST NOT claim both classes; they discharge by different instruments.
2. witness_class (closed enum): {self_recompute, author_external, parser_external, formal_witness}, ordered weakest to strongest by independence from the obligor.
3. attestation_trajectory. Each discharged_green row carries a leaf { declared_witness_class, observed_witness_class }.
- declared_witness_class: the path the claimant asserts.
- observed_witness_class: the path a disjoint witness actually co-signed.
A trajectory is self-asserted, not discharged, when no observed value is co-signed by a party other than the obligor; such a row carries coverage_state = trajectory_unwitnessed, not discharged_green.
4. Compatibility matrix. A capability table mapping (property_class, witness_class) to {can_discharge, wrong_instrument}, defined before any run. A green row is VALID iff declared_witness_class == observed_witness_class AND the matrix marks (property_class, observed_witness_class) = can_discharge. A recompute trajectory against an event_identity property is wrong_instrument and the green is invalid regardless of the row's own assertion.
5. Build-manifest requirement. A reproducible_core green is dischargeable only if the row persists a build manifest (source bytes, canonicalization spec per RFC 8785 JCS, and tool versions) resolvable by a party that is not the obligor. A row committing a content address without a resolvable build manifest is an unhonorable commitment by construction: it asserts reproducibility while withholding the only artifact that would let a disjoint party reproduce it. Such a row carries coverage_state = manifest_unresolvable.
6. Pricing rule (advisory). A settlement layer reading these rows MUST price the trajectory, not the outcome: a co-signed disjoint discharge on a can_discharge cell pays full; a self_recompute discharge pays the floor; a wrong_instrument discharge pays nothing. Pricing outcome equally across paths selects against the stronger attestation.
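The checks in sections 3 to 5, applied by a consumer to rows that claim green, as an added example that is not part of the specification. The row fields obligor, cosigner and manifest_resolvable, the two "invalid:" labels, the order in which the checks run, and every matrix cell other than (event_identity, self_recompute) are assumptions made for illustration.

```python
# Added illustration; not part of the Receipt Schema specification.
PROPERTY_CLASSES = ("reproducible_core", "event_identity")
WITNESS_CLASSES = ("self_recompute", "author_external",
                   "parser_external", "formal_witness")  # weakest to strongest

# Constructed sample matrix. The spec fixes one cell (a recompute trajectory
# against event_identity is wrong_instrument); all other cells are assumed.
MATRIX = {(p, w): "can_discharge"
          for p in PROPERTY_CLASSES for w in WITNESS_CLASSES}
MATRIX[("event_identity", "self_recompute")] = "wrong_instrument"


def evaluate(row, matrix=MATRIX):
    """Return the state a consumer assigns to a row that claims green."""
    prop = row["property_class"]
    leaf = row["attestation_trajectory"]
    declared = leaf["declared_witness_class"]
    observed = leaf.get("observed_witness_class")
    if prop not in PROPERTY_CLASSES or declared not in WITNESS_CLASSES:
        raise ValueError("value outside a closed enum")
    # Section 3: an observed value must be co-signed by a party that is
    # not the obligor, otherwise the trajectory is only self-asserted.
    if observed is None or row.get("cosigner") in (None, row["obligor"]):
        return "trajectory_unwitnessed"
    if observed not in WITNESS_CLASSES:
        raise ValueError("observed_witness_class outside the closed enum")
    # Section 4: declared must equal observed, and the matrix cell for the
    # observed path must be can_discharge; the row's own claim is ignored.
    if declared != observed:
        return "invalid:declared_observed_mismatch"  # hypothetical label
    if matrix.get((prop, observed)) != "can_discharge":
        return "invalid:wrong_instrument"            # hypothetical label
    # Section 5: reproducible_core needs a manifest a non-obligor can resolve.
    if prop == "reproducible_core" and not row.get("manifest_resolvable"):
        return "manifest_unresolvable"
    return "discharged_green"


def sample_row(prop, declared, observed, cosigner, manifest=True):
    """Build a constructed row; party names are made up for the example."""
    return {"property_class": prop, "obligor": "agent-a",
            "cosigner": cosigner, "manifest_resolvable": manifest,
            "attestation_trajectory": {"declared_witness_class": declared,
                                       "observed_witness_class": observed}}


if __name__ == "__main__":
    print(evaluate(sample_row("reproducible_core", "parser_external",
                              "parser_external", "agent-b")))
```
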
v1 · updated 6/14/2026, 3:57:32 PM