Transaction Lifecycle

From Intent to Proof

A transaction inside StratX is not processed — it is governed. Every step is policy-bound, auditable, and fail-closed. What follows is the complete path of a single instruction through the supervisory control plane.

SCADA Supervisory Envelope

System Status: Operational

Active Monitor —Verifying intent structure and source integrity. Anomalous patterns are flagged before the orchestration engine processes.

01Intent Intake

The Intent

Bob makes a purchase. Somewhere, a structured instruction is formed — a description of what should happen, who authorized it, and under what conditions. Before anything else occurs, the orchestration engine validates that instruction completely: schema conformance, source authentication, duplication check.

A malformed or unauthenticated instruction never reaches the decision layer. The intent is either well-formed or it does not exist.

Manual ReviewInstitution profile is unrecognized or newly onboarded. Intent is held — an authorized reviewer must clear it before the orchestration engine proceeds.

HaltAuthentication fails, schema is malformed, or a duplicate intent hash is detected. Rejected immediately. Reason code logged. No further processing occurs.

02Policy Gate

The Rules

StratX does not decide what is permissible. That decision was made before this transaction — by the institution's compliance team and the applicable jurisdictional authority — and encoded into a versioned, signed policy file.

At this gate, the instruction is evaluated against those rules. Three checks run: jurisdiction, sanctions screening, authorization tier. StratX enforces the outcome. It does not interpret, override, or negotiate it.

Manual ReviewEntity jurisdiction is ambiguous — the instruction involves a party whose regulatory classification spans conflicting rule sets. System holds and escalates to compliance officer. No execution proceeds during review.

HaltSanctions match detected. Deterministic deny — no human review overrides a sanctions hit. Policy file hash mismatch also triggers immediate halt.

03Route Evaluation

The Options

The orchestration engine identifies available corridors. It does not pick the fastest or cheapest route first — it eliminates non-compliant corridors first. What remains is a set of corridors that all satisfy the policy constraints.

From those, the institution's own directive determines the selection: a deterministic, policy-bound function that produces the same output for the same inputs every time. There is no hidden preference. There is no optimization that operates outside policy bounds.

Manual ReviewAll available corridors are compliant but none meet the institution's performance thresholds. System holds and presents options to an authorized operator rather than selecting autonomously outside defined parameters.

HaltNo compliant corridor exists. The instruction cannot be routed within policy bounds. System denies and logs. A non-compliant route is never attempted.

04Rail Health Check

The Confirmation

Route selection and rail health are evaluated separately by design. A corridor that was healthy at selection time may have degraded by dispatch time. SCADA confirms the selected corridor's current state — latency, availability, anomaly signals — immediately before handoff.

If the corridor has degraded, the transaction halts. Not reroutes. Halts. A partial execution on a compromised corridor is a worse outcome than no execution.

Manual ReviewCorridor available but telemetry shows elevated latency below hard threshold. System flags the condition, logs it, and holds for operator confirmation. This is not an automatic halt — it is a precautionary hold.

HaltCorridor health breaches threshold. SCADA initiates automatic halt. Transaction does not proceed. The instruction is preserved for replay once corridor health is restored.

05Execution Handoff

The Boundary

The authorized instruction reaches the execution boundary. This is where StratX's role ends. The system dispatches the instruction to the selected rail — it does not execute it. Execution requires the institution's own signing authority: hardware-backed, institution-controlled, outside StratX's administrative domain.

StratX holds no keys. It signs nothing. It cannot move value unilaterally. The boundary is structural, not contractual.

Manual ReviewHandoff acknowledgment delayed beyond expected window. System holds the instruction in pending state and alerts the operator. Re-dispatch requires explicit operator confirmation — the system will not re-dispatch autonomously to prevent duplicate execution.

HaltHandoff fails cryptographic integrity check at the boundary. Instruction is not dispatched. Failure logged. StratX does not retry without a new authorized instruction.

06Proof Generation

The Record

Every decision produces a proof. Approved or denied, executed or halted — the outcome is immutably recorded. The proof carries the policy hash that governed the decision, the decision outcome, and a timestamp. It is anchored to an independent target.

A transaction without a proof is not considered complete. The audit record is not a feature — it is a system invariant.

Manual ReviewProof generation completes but external anchoring is delayed or unconfirmed. Proof exists internally — it is not lost. Operator is alerted to confirm anchoring before the transaction record is closed.

HaltProof generation fails entirely. This is a critical system fault — not a transaction failure. The transaction is suspended and the audit integrity incident is escalated immediately.

07RIM Availability

The Oversight

The proof is immediately accessible to authorized regulatory observers through the Regulatory Interface Module. The RIM is a read-only surface — it has no mutation endpoints by design. A regulator with RIM access can verify the policy that governed the decision, retrieve the proof artifact, and confirm the outcome.

They cannot modify any of these things. They cannot access the execution layer. Oversight without control is not a limitation — it is the correct architecture for a non-controlling regulatory surface.

Manual ReviewRIM access request from unrecognized credential. Request held and flagged for authorization review. Existing authorized observers are unaffected.

HaltAttempted mutation request detected on the RIM surface. Treated as a security event. Logged and escalated immediately. The RIM surface does not process mutation requests under any circumstance.