Revocation
What “revocation” means here
A revocation is an attested change to the record after a gate has been evaluated. It says, “the evidence you relied on is no longer valid as submitted.” Revocations can come from the original attestor (e.g., PSI withdrawn), a registry/brand/regulator feed (status changed), or the platform (key revoked, role suspended). Revocation does not rewrite history; it freezes only what depends on the bad fact, shows the fix path, and resumes when the record is clean. Paid slices stay paid unless there is proven fraud and a contractual set-off applies. Rule: you still never move money early—No EMT, no funds.
Where it applies
Trade: a passed gate later turns out to rely on a revoked attestation (e.g., PSI retracted, BL/seal mismatch discovered, temp logs corrected). Revocation freezes downstream stages for the affected sub-lots.
Tokens: a listing or already-settled unit gets a registry/status change (e.g., serial invalidated, project vintage reclassified). The listing is frozen; downstream actions (re-sell, post-listing operations) are blocked. Purchased/retired units are handled by the program’s corrective path (replacement/compensation), recorded on-chain.
The revocation flow
Detect: The platform picks up an attestor or registry revocation, a key suspension, or a signed correction. It can also be raised during exception handling or by governance policy (e.g., mass key rotation).
Flag & scope: The order/listing timeline gets a red banner with a plain reason (“PSI withdrawn,” “BL container list changed,” “Temperature out of range on segment 2”). EDMA freezes only the dependent future slices for the impacted sub-lots. Already-paid slices remain paid.
Dispute Pack: We build (or extend) the Dispute Pack: the gate checklist, original files and hashes, the revocation notice, timestamps, and the proposed fix (re-inspection, corrected doc, variance).
Fix paths:
Correction: upload the corrected document (e.g., amended BL; replacement PSI).
Replacement: bind the same Locked EDSD slice to a replacement sub-lot and pass the gate again. The new submission carries replaces: old_claim_id; One-Claim preserves lineage.
Variance/partial pay: apply the contract’s math (short-shipment, damage, shelf-life) and release the adjusted slice.
Cancel & refund: if no fix exists, the frozen Locked EDSD returns to the buyer; downstream slices re-balance.
Resume & record: When the record is clean, the gate passes, the EMT mints, and the slice releases. The proof page shows both the original event and the corrective entry (append-only).
What does not happen
We don’t “roll back” or delete a finalized claim. We append a corrective claim and link it.
We don’t claw back a paid slice by default. Contractual set-off can apply on future releases only in cases of proven fraud.
We don’t freeze unrelated suppliers or lots; pauses are narrow by design.
Money and burns during revocation
Locked EDSD stays locked until the corrective gate passes.
Unlocked EDSD from earlier, unaffected stages can still pay other EDMA invoices; off-platform cash-out stays available only when the seller’s schedule completes (as usual).
Protocol-fee burns are tied to releases; no burn posts until a slice actually releases. Prior burns on already-paid slices remain on-chain; we do not reverse burns.
Tokens: retirements after a revocation
If a settled/retired unit is later affected by a registry change, the corrective action follows program rules (replacement unit, compensating retirement, or cancellation). EDMA records the linkage on the proof page and, where required, performs a compensating action (e.g., retire an equivalent unit from a replacement batch). Buyers get an exportable correction receipt.
Who may revoke
Original attestor (PSI, temperature OEM, terminal/carrier, DC/3PL) using active keys registered in the Attestor Registry.
Registry / program / brand feeds for tokens/branded goods.
Platform controls for key compromise or policy violations (key revocation, role suspension).
Each revocation carries a signature, key id, reason code, and time. The Gate ignores revoked keys; the Registry publishes revocation lists.
Fraud vs. honest error
Honest error: we apply the corrective path—fix, replace, or variance—and resume. Attestor SLA penalties may apply; repeated misses can suspend roles.
Fraud: falsified docs, tampered photos, reused seals, or collusion leads to immediate suspension, set-off against current/future Unlocked EDSD, bond slashing for bonded roles, and—where applicable—regulatory notification.
Governance knobs
Maximum propagation time from revocation to freeze (SLA).
Who may revoke for a given schema (role/registry list).
Auto-reinspection windows and approved neutrals (SGS/Intertek/BV, ICC expedited).
Penalty bands (SLA penalties, bond sizes for bonded roles) and rotation cadence.
Public templates for corrective checklists per lane (e.g., cold-chain).
Governance cannot allow releases without a clean pass, weaken One-Claim, skip must-fund before shipping, or discount the 50% burn.
API & webhooks
POST /v1/pov/revoke — attestor/registry revokes an attestation (signed; includes reason code and references to PoV hash).
GET /v1/pov/revocations/{id} — status and scope (what freezes, affected lots).
pov.attestation.revoked — revocation accepted; dependent slices frozen.
trade.slice.frozen / trade.slice.unfrozen — pause/resume with reasons.
oneclaim.replaced — replacement claim finalized; lineage updated.
Operator checklist
Treat revocation banners as action items, not alarms: read the reason, open the Dispute Pack, pick fix / replace / variance, and submit.
If you split cargo, let EDMA generate child claims; only the impacted sub-lots pause.
Expect no releases while a gate shows Pending Funds—top up first, then pass.
Reconcile corrections in ERP with the proof page, which shows both the original event and the corrective action, plus any compensating retirements (Tokens).
Plain recap
Last updated