docs: Multi-asset purity ADR, integration tests, and service README updates (#1499)

* docs: Add multi-asset purity ADR, integration tests, and README updates

- Add ADR-0035 documenting the multi-asset purity enforcement architecture:
  API-boundary validation via Reference Data with trust-the-caller domains
- Add integration tests verifying multi-asset support across all dimensions
  (CURRENCY, ENERGY, CARBON, COMPUTE, DATA, COUNT) with arithmetic and
  precision handling
- Update service READMEs with instrument resolution patterns for
  current-account, position-keeping, financial-accounting, and
  internal-account

* fix: Address review feedback on multi-asset documentation and tests

- Move tests from tests/integration/ to shared/pkg/amount/ (they test
  domain constructors, not service boundaries)
- Add cross-dimension Compare assertion for complete coverage
- ADR: Document NewFromInstrument backward-compatible CURRENCY path
- READMEs: Scope instrument resolution claims to API boundary and
  account creation, clarify persistence reconstruction path

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

docs/adr/0035-multi-asset-purity.md

@@ -0,0 +1,139 @@
+---
+name: adr-0035-multi-asset-purity
+description: Enforce Reference Data as the sole source of instrument properties across all services
+triggers:
+  - Adding a new instrument type or asset class to the platform
+  - Creating or modifying account/position constructors that accept instrument codes
+  - Reviewing CI failures from the multi-asset purity lint check
+  - Migrating a service from hardcoded currency logic to Reference Data resolution
+instructions: |
+  All instrument properties (code, dimension, precision) must be resolved from Reference Data
+  at the API boundary (gRPC layer). Domain constructors trust caller-provided instrument
+  properties and must not consult local currency registries. Use quantity.NewInstrument() and
+  amount.Zero()/amount.New() for domain-level amount construction. The CI lint rule
+  (scripts/lint-multi-asset-purity.sh) enforces this at merge time.
+---
+
+# 35. Multi-Asset Purity Enforcement
+
+Date: 2026-03-07
+
+## Status
+
+Accepted
+
+## Context
+
+Meridian's architecture supports multiple asset dimensions (CURRENCY, ENERGY, CARBON, COMPUTE,
+DATA, COUNT, etc.) through the `quantity.Instrument` type system. However, early service
+implementations hardcoded assumptions about currency-only instruments:
+
+- Domain constructors called `currency.ByCode()` to validate instrument codes against a local
+  ISO 4217 registry, rejecting non-currency instruments like KWH or GPU_HOUR
+- Precision was hardcoded to 2 decimal places (appropriate for GBP/USD but not for energy
+  meters at 6dp or carbon credits at 0dp)
+- Switch statements on instrument codes created implicit registries that required code changes
+  to support new asset classes
+
+These hardcoded paths prevented the platform from fulfilling its multi-asset mission. A
+systematic migration was needed to centralize instrument knowledge in Reference Data and
+make all services instrument-agnostic.
+
+## Decision Drivers
+
+* **Multi-asset support**: Services must handle any valid instrument without code changes
+* **Single source of truth**: Reference Data service owns instrument definitions (code, dimension, precision)
+* **Fail-closed safety**: Missing Reference Data must prevent account creation, not fall back to defaults
+* **Backward compatibility**: Existing CURRENCY accounts must continue working during migration
+* **CI enforcement**: New violations must be caught before merge, not discovered in production
+
+## Considered Options
+
+1. **Runtime validation via middleware** - Inject instrument validation at the gRPC interceptor level
+2. **Domain-level validation with extensible registry** - Keep validation in domain, make registry pluggable
+3. **API-boundary validation with trust-the-caller domains** - Validate at gRPC layer, domain trusts caller
+
+## Decision Outcome
+
+Chosen option: "API-boundary validation with trust-the-caller domains", because it
+cleanly separates concerns (validation at boundaries, pure logic in domains) and
+eliminates the need for domain packages to know about external registries.
+
+### Architecture
+
+```
+gRPC Layer (API Boundary)
+  |
+  +-- instrumentGetter.GetInstrument(ctx, code, version)
+  |     Returns: dimension, precision, metadata
+  |     Fails: codes.InvalidArgument (unknown), codes.FailedPrecondition (unavailable)
+  |
+  v
+Domain Layer (Pure Logic)
+  |
+  +-- quantity.NewInstrument(code, version, dimension, precision)
+  +-- amount.Zero(inst) / amount.New(inst, minorUnits)
+  |     No external lookups. No registry calls. Trusts caller.
+  |
+  v
+Persistence Layer
+  |
+  +-- Stores instrument_code (VARCHAR 32) + dimension + precision
+  +-- Reconstructs Amount via quantity.NewInstrument on read
+```
+
+### Migrated Services
+
+| Service | Migration | Key Change |
+|---------|-----------|------------|
+| current-account | Task 6 | Removed `currency.ByCode()` from domain, fail-closed gRPC |
+| position-keeping | Task 7 | `InstrumentResolver` replaces hardcoded precision lookup |
+| internal-account | Task 8 | Widened instrument columns, Reference Data resolution |
+| financial-accounting | Task 9 | `InstrumentResolver` for journal entry validation |
+| payment-order | Task 10 | Documented as intentionally currency-only (business constraint) |
+
+### Positive Consequences
+
+* New asset classes (e.g., water rights, bandwidth credits) work without code changes
+* Instrument precision is always correct (resolved from Reference Data, not assumed)
+* CI lint prevents regression to hardcoded patterns
+* Domain code is simpler (no external dependencies for instrument validation)
+
+### Negative Consequences
+
+* Account creation requires Reference Data availability (fail-closed)
+* Persistence layer reconstruction uses `quantity.NewInstrument` directly (bypasses registry)
+* `amount.NewFromInstrument` retains a CURRENCY-specific path that consults the legacy currency
+  registry for backward compatibility during persistence reconstruction. Non-CURRENCY dimensions
+  use caller-provided precision directly. This compatibility path will be removed when the
+  legacy currency packages are deleted.
+* Legacy `shared/domain/money` and `shared/platform/quantity/currency` packages are deprecated
+  but not yet removed (backward compatibility for tests and seed data)
+
+## CI Enforcement
+
+The multi-asset purity lint (`scripts/lint-multi-asset-purity.sh`) runs on every PR and checks for:
+
+1. **Hardcoded instrument codes** in string comparisons (`== "GBP"`)
+2. **Switch statements** on instrument codes (`case "KWH"`)
+3. **Deprecated imports** (`shared/domain/money`)
+4. **Hardcoded precision** (`defaultPrecision = 2`)
+5. **Legacy registry calls** (`currency.ByCode()`)
+
+Allowlisted paths: test files, seed commands, the currency package itself, and
+payment-order (intentionally currency-only). Known violations are tracked in
+`is_known_violation()` and must be documented.
+
+## Links
+
+* [Multi-Asset Purity Lint Script](../../scripts/lint-multi-asset-purity.sh)
+* [Shared Amount Package](../../shared/pkg/amount/)
+* [Quantity Instrument Type](../../shared/platform/quantity/instrument.go)
+* [Reference Data Instrument Registry](../../services/reference-data/registry/)
+
+## Notes
+
+The deprecated `shared/domain/money` and `shared/platform/quantity/currency` packages should
+be removed once all test fixtures and seed data are migrated to use `shared/pkg/amount`
+directly. The `--strict` mode of the lint script will fail on known violations and can be
+used to track progress toward full removal.

services/current-account/README.md

@@ -621,6 +621,32 @@ All webhook delivery attempts are recorded in the `webhook_deliveries` table for
 - `Content-Type: application/json` header is set
 - Tenants should validate the `tenant_id` matches their expected value
 
+## Instrument Resolution (Account Creation)
+
+Account creation resolves instrument properties (dimension, precision) from Reference Data
+at the gRPC layer. The domain trusts caller-provided instrument properties. Downstream
+operations (deposits, withdrawals, balance queries) use the instrument properties stored
+at account creation time.
+
+**Resolution flow:**
+
+1. `InitiateCurrentAccount` receives `instrument_code` (e.g., `"GBP"`, `"KWH"`)
+2. gRPC layer calls `instrumentGetter.GetInstrument(ctx, code, version)` to resolve dimension and precision
+3. Domain constructor `NewCurrentAccountWithDimension()` uses `quantity.NewInstrument()` directly (no local registry lookup)
+4. If Reference Data is unavailable, account creation fails closed (`codes.FailedPrecondition`)
+
+**Error handling for instrument lookup:**
+
+| Error | gRPC Code | Behavior |
+|-------|-----------|----------|
+| Instrument not found | `InvalidArgument` | Unknown instrument code |
+| Context canceled | `Canceled` | Client canceled the request |
+| Context deadline exceeded | `DeadlineExceeded` | Lookup timed out |
+| Reference Data unavailable | `FailedPrecondition` | Service not configured |
+| Other errors | `Unavailable` | Transient failure, client should retry |
+
+See [ADR-0035: Multi-Asset Purity](../../docs/adr/0035-multi-asset-purity.md) for the architectural decision.
+
 ## References
 
 - [BIAN Current Account Specification](https://github.com/bian-official/public/blob/main/release14.0.0/semantic-apis/oas3%20/yamls/CurrentAccount.yaml)

services/financial-accounting/README.md

@@ -210,6 +210,17 @@ erDiagram
 | `financial_accounting_double_entry_validations_total` | Counter | Balance checks |
 | `financial_accounting_errors_total` | Counter | Errors by category |
 
+## Instrument Resolution
+
+Ledger posting validation uses `InstrumentResolver` from Reference Data to verify instrument
+properties at the API boundary. The domain layer trusts caller-provided instrument properties.
+
+The service validates that debit and credit entries within a booking log use matching
+instruments (cross-instrument postings are rejected). The database schema stores
+`instrument_code` as `VARCHAR(32)` to accommodate non-currency instrument codes.
+
+See [ADR-0035: Multi-Asset Purity](../../docs/adr/0035-multi-asset-purity.md) for the architectural decision.
+
 ## References
 
 - [BIAN Financial Accounting Specification](https://github.com/bian-official/public/blob/main/release14.0.0/semantic-apis/oas3%20/yamls/FinancialAccounting.yaml)

services/internal-account/README.md

@@ -434,6 +434,8 @@ req := &iba.InitiateInternalAccountRequest{
 }
 ```
 
+See [ADR-0035: Multi-Asset Purity](../../docs/adr/0035-multi-asset-purity.md) for the architectural decision.
+
 ## Balance Delegation to Position Keeping
 
 **Critical Design Decision**: Internal Account does NOT store balance locally.

services/position-keeping/README.md

@@ -281,14 +281,20 @@ erDiagram
 | Max Transaction Entries | 10,000 | `ErrTooManyEntries` |
 | Max Audit Entries | 10,000 | `ErrTooManyEntries` |
 
-## Currency Support
+## Instrument Resolution
 
-7 currencies with proper decimal handling:
+Position-keeping supports all instrument dimensions (CURRENCY, ENERGY, CARBON, COMPUTE, etc.).
+Instrument properties are resolved via `InstrumentResolver` from Reference Data.
 
-| Currency | Decimals |
-|----------|----------|
-| GBP, USD, EUR, CHF, CAD, AUD | 2 |
-| JPY | 0 |
+**Resolution flow:**
+
+1. Transaction recording receives `instrument_code` and resolves properties via `InstrumentResolver`
+2. Balance computation uses the resolved precision for decimal arithmetic
+3. Persistence reconstruction uses stored `instrument_code`, `dimension`, and `precision` columns
+   with `quantity.NewInstrument()` directly (no Reference Data call on read path)
+
+All instrument dimensions and precision values are defined in Reference Data. See
+[ADR-0035: Multi-Asset Purity](../../docs/adr/0035-multi-asset-purity.md) for the architectural decision.
 
 ## Configuration