Revocation SLA
What this covers—and what it cannot change
A revocation is a signed statement that evidence previously counted by PoV is no longer valid as submitted. The SLA defines how fast we detect, freeze only what’s affected, assemble the record, apply a fix, and resume. It never rewrites history or moves money early. Paid slices stay paid (set-off only in proven fraud); future slices wait. Settlement law remains: PoV PASS → EMT → Locked EDSD flips to Unlocked → fee → 50% burn. No EMT, no funds.
1. Risk surface
Attestor corrections: INSPECTOR/TERMINAL/CARRIER/DC/3PL withdraw or amend a counted attestation
Registry/brand changes: external serial status flips; mirror needs replacement
Key/role events: key compromise, role suspension
Late data: delayed logs change a pass outcome
Abuse patterns: “revocation spam” to renegotiate economics, not fix facts
2. Guardrails already in place
Narrow freezes: only downstream unreleased slices pause; unrelated orders continue
Append-only lineage: corrective EMTs/tokens carry a replaces: old_claim_id link to the record they supersede; nothing is erased
One-Claim holds: uniqueness remains; replacements consume a new claim id and link lineage
Paid burns are immutable: prior burn entries and receipts stand; new releases burn per normal rules
Role-gated revocation: only registry/brand keys or attestor keys registered in the Attestor Registry can revoke
3. The Revocation SLA
Step | Target | What happens
Detect & verify | ≤ 15 min | Validate signer, role, key, and reason; dedupe/verify the PoV hash & attestation id
Freeze scope | ≤ 15 min (from accept) | Mark affected stage/sub-lots FROZEN; banner + webhooks; paid slices unaffected
Dispute Pack ready | ≤ 4 h | Assemble checklist, canonical bytes, file digests, revocation notice, lineage, proposed fix
Corrective submission window | ≤ 24 h | Seller/attestor submits corrected doc, re-inspection booking, variance or replacement plan
Re-inspection | 24–72 h | Slot with neutral (SGS/Intertek/BV) or designated role
Decision & resume | ≤ 24 h (after re-inspection/files) | Mint corrective EMT / replacement mirror; unfreeze downstream slices
Mirror replacement SLA (registries) | ≤ 48 h | Registry posts replacement serial/mirror; EDMA links and unfreezes
S1 (critical): On-Board/Customs/Arrival facts; large value slice frozen or public listing risk → fastest clocks; ops paging
S2 (material): Pre-Ship or listing metadata that affects next gate → normal clocks
S3 (informational): Non-blocking corrections → batched handling; no freeze
4. Detection → response → recovery
Detection: Signed pov.attestation.revoked from a registered role, or registry.mirror.frozen; key/role verified in the Attestor Registry. System flags: revocation_rate spike, conflicting BL/seal/container data, temperature-log Merkle mismatch
Response: Freeze only dependent futures; banner with reason code. Build Dispute Pack; suggest fix paths: corrected file, re-inspection, variance schedule, or replacement EMT/mirror
Recovery: Accept corrective dossier; Gate PASS; corrective EMT mints (or mirror replacement posts); downstream releases resume. Append lineage on proof page (original + correction). Attestor SLA penalties (or bond slashing) apply per policy if thresholds hit; abuse → suspension/ban
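The Detect & verify and Freeze scope steps above, as an added example that is not EDMA's own code. It assumes an Attestor Registry held as a dict keyed by key id, notices signed with HMAC-SHA256 as a stand-in for role-key signatures, a fixed gate order PRE_SHIP, ON_BOARD, CUSTOMS, ARRIVAL, and slices that carry a stage and a paid/unreleased status; the registry entries, slices and notice are constructed sample data.

```python
# Added example, not EDMA's code: the "Detect & verify" and "Freeze scope"
# steps of section 4 as a small intake routine. Assumed: the Attestor
# Registry is a dict keyed by key id, notices are signed with HMAC-SHA256 as
# a stand-in for role-key signatures, and slices carry a stage and a status.
import hashlib
import hmac
import json
import re

# Gate names from the page; their order is an assumption of this example.
STAGES = ["PRE_SHIP", "ON_BOARD", "CUSTOMS", "ARRIVAL"]
S1_STAGES = {"ON_BOARD", "CUSTOMS", "ARRIVAL"}  # On-Board/Customs/Arrival facts
REVOKING_ROLES = {"INSPECTOR", "TERMINAL", "CARRIER", "DC", "3PL", "REGISTRY", "BRAND"}

# Constructed Attestor Registry; "secret" stands in for the registered key.
REGISTRY = {
    "key-insp-01": {"role": "INSPECTOR", "status": "active", "secret": b"insp-01-secret"},
    "key-carr-07": {"role": "CARRIER", "status": "suspended", "secret": b"carr-07-secret"},
}
# Constructed slice schedule for one order: one paid, three unreleased.
SLICES = [
    {"id": "sl-1", "stage": "PRE_SHIP", "status": "paid"},
    {"id": "sl-2", "stage": "ON_BOARD", "status": "unreleased"},
    {"id": "sl-3", "stage": "CUSTOMS", "status": "unreleased"},
    {"id": "sl-4", "stage": "ARRIVAL", "status": "unreleased"},
]
SAMPLE_POV_HASH = hashlib.sha256(b"constructed PoV bundle").hexdigest()


def canonical_bytes(body):
    """Deterministic serialisation so signer and verifier hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_notice(body, secret):
    return hmac.new(secret, canonical_bytes(body), hashlib.sha256).hexdigest()


def make_notice(key_id, role, secret, stage, attestation_id, pov_hash, reason, blocking=True):
    body = {"key_id": key_id, "role": role, "stage": stage, "attestation_id": attestation_id,
            "pov_hash": pov_hash, "reason": reason, "blocking": blocking}
    return {"body": body, "sig": sign_notice(body, secret)}


def classify(body):
    """Severity tiers from section 3: S1 for post-shipment facts, S3 if non-blocking."""
    if not body.get("blocking", True):
        return "S3"
    return "S1" if body["stage"] in S1_STAGES else "S2"


def verify_revocation(notice, registry, seen):
    """Detect & verify: signer, key status, role, signature, reason, hash shape, dedupe.
    Returns (True, severity) on accept or (False, rejection reason)."""
    body, sig = notice["body"], notice["sig"]
    entry = registry.get(body.get("key_id"))
    if entry is None:
        return False, "unknown key"
    if entry["status"] != "active":
        return False, "key/role suspended"
    if body.get("role") != entry["role"] or entry["role"] not in REVOKING_ROLES:
        return False, "role not permitted to revoke"
    if not hmac.compare_digest(sign_notice(body, entry["secret"]), sig):
        return False, "bad signature"
    if not body.get("reason"):
        return False, "missing reason"
    if not re.fullmatch(r"[0-9a-f]{64}", body.get("pov_hash", "")):
        return False, "malformed PoV hash"
    key = (body["pov_hash"], body["attestation_id"])
    if key in seen:  # replayed notice: same PoV hash and attestation id
        return False, "duplicate revocation"
    seen.add(key)
    return True, classify(body)


def freeze_scope(slices, stage, severity):
    """Freeze scope: only unreleased slices at or after the revoked stage.
    Paid slices are never touched; S3 (informational) freezes nothing."""
    if severity == "S3":
        return []
    idx = STAGES.index(stage)
    return [s["id"] for s in slices
            if s["status"] == "unreleased" and STAGES.index(s["stage"]) >= idx]


def run_demo():
    seen = set()
    notice = make_notice("key-insp-01", "INSPECTOR", b"insp-01-secret", "ON_BOARD",
                         "att-0001", SAMPLE_POV_HASH, "seal number on BL corrected")
    accepted, severity = verify_revocation(notice, REGISTRY, seen)
    frozen = freeze_scope(SLICES, "ON_BOARD", severity) if accepted else []
    replay = verify_revocation(notice, REGISTRY, seen)  # same notice a second time
    return {"accepted": accepted, "severity": severity, "frozen": frozen, "replay": replay}


if __name__ == "__main__":
    print(run_demo())
```

The order of checks matters: key lookup and key status come before the signature check so a suspended key is rejected even with a valid signature, and the dedupe key is the (PoV hash, attestation id) pair, which is what stops a replayed notice from re-freezing slices or inflating the revocation rate.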
5. Business impact matrix
Scenario | What you feel | What doesn't change | Do now
PSI withdrawn (S1/S2) | Banner + FROZEN future slices | Paid slices, burns, receipts stand | Upload corrected PSI or book re-inspection; resume within SLA
BL/Seal corrected (S1) | On-Board FROZEN | Funds stay Locked | Upload amended BL + matching seal photo; PASS → corrective EMT → release
Registry serial re-issued (S2) | Token listing FROZEN | Retired/settled units stand | Registry posts replacement mirror ≤ 48 h; EDMA links & unfreezes
Temp out of range (S1) | Cold-chain gate fails / FROZEN | Same guardrails: paid slices, burns, receipts stand | Provide Merkle inclusion proofs; apply variance or replace sub-lot
Revocation spam (S2/S3) | Repeated non-substantive revokes | Settlement law intact | Governance rate-limits or penalizes; cases merged & closed
6. KPIs & SLOs
T_detect→freeze p95: ≤ 15 min
T_freeze→DisputePack p95: ≤ 4 h
T_corrective_submit p95: ≤ 24 h
T_reinspect p95: ≤ 72 h
T_decide→unfreeze p95: ≤ 24 h
Revocation rate / counted attestations: < 1% per quarter per role/lane
Abuse flags: revocations with “no change” corrective outcome < 0.2%
Compensating mirror SLA (registries): ≤ 48 h p95
Status page shows live SLA deltas per lane and per attestor/registry.
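How the KPIs and SLOs above can be computed from a revocation event log, as an added example rather than EDMA's own status-page code. The revocation records, their timestamps, and the counted-attestation totals per role/lane are constructed sample data; p95 uses the nearest-rank method, and the SLA targets are the ones listed in this section (detect→freeze 15 min, freeze→Dispute Pack 4 h, decide→unfreeze 24 h, revocation rate 1%, abuse flags 0.2%).

```python
# Added example, not EDMA's code: SLA/KPI computation over a constructed
# revocation log. Assumed record shape: one dict per accepted revocation with
# ISO-8601 timestamps for each clock, the attestor role, the lane, and the
# corrective outcome ("corrected" or "no_change").
from datetime import datetime
from math import ceil

# Step name, start clock, end clock, target in minutes (targets from section 6).
SLA_STEPS = [
    ("T_detect→freeze", "accepted", "frozen", 15),
    ("T_freeze→DisputePack", "frozen", "pack_ready", 4 * 60),
    ("T_decide→unfreeze", "decided", "unfrozen", 24 * 60),
]
MAX_REVOCATION_RATE = 0.01   # < 1% of counted attestations per role/lane
MAX_ABUSE_RATIO = 0.002      # "no change" corrective outcomes < 0.2%

# Constructed revocation log (one quarter, four accepted revocations).
REVOCATIONS = [
    {"id": "rev-1", "role": "INSPECTOR", "lane": "CN-NL", "outcome": "corrected",
     "accepted": "2025-01-10T08:00:00+00:00", "frozen": "2025-01-10T08:07:00+00:00",
     "pack_ready": "2025-01-10T11:07:00+00:00",
     "decided": "2025-01-12T09:00:00+00:00", "unfrozen": "2025-01-12T15:00:00+00:00"},
    {"id": "rev-2", "role": "CARRIER", "lane": "CN-NL", "outcome": "corrected",
     "accepted": "2025-01-10T09:00:00+00:00", "frozen": "2025-01-10T09:12:00+00:00",
     "pack_ready": "2025-01-10T12:42:00+00:00",
     "decided": "2025-01-12T10:00:00+00:00", "unfrozen": "2025-01-12T11:30:00+00:00"},
    {"id": "rev-3", "role": "INSPECTOR", "lane": "CN-NL", "outcome": "no_change",
     "accepted": "2025-01-10T10:00:00+00:00", "frozen": "2025-01-10T10:20:00+00:00",
     "pack_ready": "2025-01-10T14:50:00+00:00",
     "decided": "2025-01-13T08:00:00+00:00", "unfrozen": "2025-01-14T10:00:00+00:00"},
    {"id": "rev-4", "role": "INSPECTOR", "lane": "VN-DE", "outcome": "corrected",
     "accepted": "2025-01-10T11:00:00+00:00", "frozen": "2025-01-10T11:05:00+00:00",
     "pack_ready": "2025-01-10T13:05:00+00:00",
     "decided": "2025-01-12T12:00:00+00:00", "unfrozen": "2025-01-12T12:45:00+00:00"},
]
# Constructed counted-attestation totals per (role, lane) for the same quarter.
COUNTED_ATTESTATIONS = {
    ("INSPECTOR", "CN-NL"): 400,
    ("CARRIER", "CN-NL"): 150,
    ("INSPECTOR", "VN-DE"): 50,
}


def minutes_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def p95(values):
    """Nearest-rank 95th percentile: small samples round up to the worst case."""
    ordered = sorted(values)
    return ordered[ceil(0.95 * len(ordered)) - 1]


def sla_report(revocations, counted):
    """Per-step p95 clocks, per-revocation breaches (feeds sla.revocation.breached),
    revocation rate per role/lane, and the abuse ratio."""
    report = {"p95": {}, "breaches": [], "rate": {}, "rate_breaches": []}
    for name, start, end, _target in SLA_STEPS:
        report["p95"][name] = p95([minutes_between(r[start], r[end]) for r in revocations])
    for r in revocations:
        for name, start, end, target in SLA_STEPS:
            if minutes_between(r[start], r[end]) > target:
                report["breaches"].append((r["id"], name))
    by_key = {}
    for r in revocations:
        key = (r["role"], r["lane"])
        by_key[key] = by_key.get(key, 0) + 1
    for key, total in counted.items():
        rate = by_key.get(key, 0) / total
        report["rate"][key] = rate
        if rate > MAX_REVOCATION_RATE:
            report["rate_breaches"].append(key)
    no_change = sum(1 for r in revocations if r["outcome"] == "no_change")
    report["abuse_ratio"] = no_change / len(revocations)
    report["abuse_flag"] = report["abuse_ratio"] > MAX_ABUSE_RATIO
    return report


if __name__ == "__main__":
    for k, v in sla_report(REVOCATIONS, COUNTED_ATTESTATIONS).items():
        print(k, v)
```

With this sample log, rev-3 misses all three clocks, the VN-DE inspector lane exceeds the 1% revocation rate on a small denominator, and a single "no change" outcome pushes the abuse ratio far above 0.2%, which is the kind of signal the status page would surface per lane and per attestor.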
7. Governance knobs
Set SLA windows per severity/lane: define fallback quorum during long S1s
Designate neutrals: SGS/Intertek/BV, ICC expedited and re-inspection priorities
Set penalty bands: SLA penalties, bond sizes/slashing for bonded roles, and rate-limits on revocations per attestor
Define registry mirror SLA expectations: freeze→replace and publish non-compliance reports
Governance knobs cannot release funds without PASS/EMT, reuse evidence, skip must-fund before shipping, or discount the 50% burn.
8. API & webhooks
API:
POST /v1/pov/revoke — submit revocation (signed by role key)
GET /v1/pov/revocations/{id} — scope, severity, SLA clocks, status
POST /v1/trade/replace · POST /v1/tokens/replace — corrective EMT/token with lineage
Webhooks:
pov.attestation.revoked (accepted, severity, scope)
trade.slice.frozen / trade.slice.unfrozen
registry.mirror.frozen / registry.mirror.replaced
sla.revocation.breached (who missed what)
9. Operator checklist
Treat a revocation banner as a ticket with a clock: open the Dispute Pack, choose correct / re-inspect / variance / replace
Keep device keys and Merkle proofs handy for cold-chain lanes: a temperature revocation is answered with Merkle inclusion proofs
Coordinate with the registry early: mirror replacements have a 48 h target
Plan cash: Unlocked EDSD from earlier gates can still pay in-platform; off-platform cash-out remains at schedule completion
Escalate abuse: governance has rate-limits and penalties for spam
Plain recap