docs: define finality fork proof contract

• [MSN] 1 mission to be verified
• [EXC] Board idle, no stories queued or active
• [HLT] 2 warnings, no structural errors detected

Author: rupurt

.keel/README.md

@@ -237,11 +237,11 @@
 |--------|--------|
 | [Publish Typed AI And Communication Event Builders](epics/VI1mbSnsy/voyages/VI1mf8o0n/) | done |
 
-### [Hosted Authority Hardening For Durable External Systems](epics/VI1mcFKum/) (active)
+### [Hosted Authority Hardening For Durable External Systems](epics/VI1mcFKum/) (done)
 
 | Voyage | Status |
 |--------|--------|
-| [Harden Hosted Protocol Auth And Lease Fencing](epics/VI1mcFKum/voyages/VI1mfwr25/) | in-progress |
+| [Harden Hosted Protocol Auth And Lease Fencing](epics/VI1mcFKum/voyages/VI1mfwr25/) | done |
 
 ### [Research Branch-Aware Materialization And Processing](epics/VDd0u3PFg/) (done)
 

.keel/epics/VI1mcFKum/README.md

@@ -22,8 +22,8 @@ mission: VI1mZnbqW
 ## Voyages
 
 <!-- BEGIN GENERATED -->
-**Progress:** 0/1 voyages complete, 2/3 stories done
+**Progress:** 1/1 voyages complete, 3/3 stories done
 | Voyage | Status | Stories |
 |--------|--------|---------|
-| [Harden Hosted Protocol Auth And Lease Fencing](voyages/VI1mfwr25/) | in-progress | 2/3 |
+| [Harden Hosted Protocol Auth And Lease Fencing](voyages/VI1mfwr25/) | done | 3/3 |
 <!-- END GENERATED -->

.keel/epics/VI1mcFKum/voyages/VI1mfwr25/COMPLIANCE_REPORT.md

@@ -0,0 +1,11 @@
+# COMPLIANCE REPORT: Harden Hosted Protocol Auth And Lease Fencing
+
+## Requirement Traceability Matrix
+
+| Req ID | Status | Implemented By | Proof Artifacts |
+|--------|--------|----------------|-----------------|
+| SRS-01 | ✓ VERIFIED | [VI1mjhoAK](../../../../stories/VI1mjhoAK/README.md), [VI1mjhoAK](../../../../stories/VI1mjhoAK/README.md) | [ac-1.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-3.log)<br>[ac-1.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-3.log) |
+| SRS-02 | ✓ VERIFIED | [VI1mjhoAK](../../../../stories/VI1mjhoAK/README.md), [VI1mjhoAK](../../../../stories/VI1mjhoAK/README.md) | [ac-1.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-3.log)<br>[ac-1.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-3.log) |
+| SRS-03 | ✓ VERIFIED | [VI1mjiCB8](../../../../stories/VI1mjiCB8/README.md), [VI1mjiCB8](../../../../stories/VI1mjiCB8/README.md) | [ac-1.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-3.log)<br>[ac-1.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-3.log) |
+| SRS-04 | ✓ VERIFIED | [VI1mjiCB8](../../../../stories/VI1mjiCB8/README.md), [VI1mjiCB8](../../../../stories/VI1mjiCB8/README.md) | [ac-1.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-3.log)<br>[ac-1.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-3.log) |
+| SRS-05 | ✓ VERIFIED | [VI1mjiIBI](../../../../stories/VI1mjiIBI/README.md), [VI1mjiIBI](../../../../stories/VI1mjiIBI/README.md), [VI1mjiIBI](../../../../stories/VI1mjiIBI/README.md), [VI1mjiIBI](../../../../stories/VI1mjiIBI/README.md) | [ac-1.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-3.log)<br>[ac-1.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-3.log)<br>[ac-1.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-3.log)<br>[ac-1.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-1.log)<br>[ac-2.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-2.log)<br>[ac-3.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-3.log) |

.keel/epics/VI1mcFKum/voyages/VI1mfwr25/README.md

@@ -1,14 +1,15 @@
 ---
 # system-managed
 id: VI1mfwr25
-status: in-progress
+status: done
 epic: VI1mcFKum
 created_at: 2026-04-27T14:07:51
 # authored
 title: Harden Hosted Protocol Auth And Lease Fencing
 index: 1
 updated_at: 2026-04-27T14:11:45
 started_at: 2026-04-27T14:56:52
+completed_at: 2026-04-27T15:19:38
 ---
 
 # Harden Hosted Protocol Auth And Lease Fencing
@@ -22,16 +23,18 @@ started_at: 2026-04-27T14:56:52
 |----------|-------------|
 | [SRS.md](SRS.md) | Requirements and verification criteria |
 | [SDD.md](SDD.md) | Architecture and implementation details |
+| [VOYAGE_REPORT.md](VOYAGE_REPORT.md) | Narrative summary of implementation and evidence |
+| [COMPLIANCE_REPORT.md](COMPLIANCE_REPORT.md) | Traceability matrix and verification proof |
 <!-- END DOCUMENTS -->
 
 ## Stories
 
 <!-- BEGIN GENERATED -->
-**Progress:** 2/3 stories complete
+**Progress:** 3/3 stories complete
 
 | Title | Type | Status |
 |-------|------|--------|
 | [Enforce Hosted Auth Posture In Server Protocol](../../../../stories/VI1mjhoAK/README.md) | feat | done |
 | [Replace Object Store Lease Writes With Conditional Fencing](../../../../stories/VI1mjiCB8/README.md) | feat | done |
-| [Define Blockchain-Style Finality And Fork Proof Contract](../../../../stories/VI1mjiIBI/README.md) | docs | backlog |
+| [Define Blockchain-Style Finality And Fork Proof Contract](../../../../stories/VI1mjiIBI/README.md) | docs | done |
 <!-- END GENERATED -->

.keel/epics/VI1mcFKum/voyages/VI1mfwr25/VOYAGE_REPORT.md

@@ -0,0 +1,64 @@
+# VOYAGE REPORT: Harden Hosted Protocol Auth And Lease Fencing
+
+## Voyage Metadata
+- **ID:** VI1mfwr25
+- **Epic:** VI1mcFKum
+- **Status:** done
+- **Goal:** -
+
+## Execution Summary
+**Progress:** 3/3 stories complete
+
+## Implementation Narrative
+### Enforce Hosted Auth Posture In Server Protocol
+- **ID:** VI1mjhoAK
+- **Status:** done
+
+#### Summary
+Enforce hosted token auth at the framed protocol boundary while preserving explicit local `none` mode and remote error envelopes.
+
+#### Acceptance Criteria
+- [x] [SRS-01/AC-01] A server configured for token auth rejects unauthenticated framed requests before shared-engine mutation, while `none` mode remains available for local development. <!-- [SRS-01/AC-01] verify: cargo test -p transit-core auth, SRS-01:start, SRS-01:end, proof: ac-1.log-->
+- [x] [SRS-02/AC-01] Auth failures return remote error envelopes with request id, topology, stable error code, and actionable message. <!-- [SRS-02/AC-01] verify: cargo test -p transit-core token_auth_rejects_unauthenticated_requests_before_shared_engine_mutation, SRS-02:start, SRS-02:end, proof: ac-2.log-->
+- [x] [SRS-NFR-01/AC-01] Auth enforcement is a server boundary concern and does not introduce server-only storage or lineage semantics. <!-- [SRS-NFR-01/AC-01] verify: manual, SRS-NFR-01:start, SRS-NFR-01:end, proof: ac-3.log-->
+
+#### Verified Evidence
+- [ac-1.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-1.log)
+- [ac-2.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-2.log)
+- [ac-3.log](../../../../stories/VI1mjhoAK/EVIDENCE/ac-3.log)
+
+### Replace Object Store Lease Writes With Conditional Fencing
+- **ID:** VI1mjiCB8
+- **Status:** done
+
+#### Summary
+Replace plain object-store lease overwrites with conditional fencing or an explicit weaker-backend contract for acquire, heartbeat, handoff, and manifest publication.
+
+#### Acceptance Criteria
+- [x] [SRS-03/AC-01] Object-store consensus uses conditional writes or equivalent generation checks for acquire, heartbeat, and handoff where the backend supports it. <!-- [SRS-03/AC-01] verify: cargo test -p transit-core consensus::tests::object_store_consensus, SRS-03:start, SRS-03:end, proof: ac-1.log-->
+- [x] [SRS-04/AC-01] Manifest publication fails closed when the current remote lease proof cannot be verified against the object-store authority. <!-- [SRS-04/AC-01] verify: cargo test -p transit-core manifest_publication_enforces_distributed_fencing, SRS-04:start, SRS-04:end, proof: ac-2.log-->
+- [x] [SRS-NFR-02/AC-01] Tests cover stale owner overwrite attempts and prove Transit rejects overstated ownership or durability claims. <!-- [SRS-NFR-02/AC-01] verify: just test, SRS-NFR-02:start, SRS-NFR-02:end, proof: ac-3.log-->
+
+#### Verified Evidence
+- [ac-1.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-1.log)
+- [ac-2.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-2.log)
+- [ac-3.log](../../../../stories/VI1mjiCB8/EVIDENCE/ac-3.log)
+
+### Define Blockchain-Style Finality And Fork Proof Contract
+- **ID:** VI1mjiIBI
+- **Status:** done
+
+#### Summary
+Define the blockchain-style finality and fork proof contract that maps records, branches, checkpoints, and explicit merge or selection artifacts onto Transit lineage without claiming a full chain runtime.
+
+#### Acceptance Criteria
+- [x] [SRS-05/AC-01] A public contract documents blocks as records, forks as branches, finality as checkpoints, and reorg handling as explicit merge or canonical-selection artifacts. <!-- [SRS-05/AC-01] verify: root=$(git rev-parse --show-toplevel) && rg -n "Block|Fork|Finality marker|Reorg decision|canonical-selection" "$root/FINALITY.md" "$root/website/docs/reference/contracts/finality.md", SRS-05:start, SRS-05:end, proof: ac-1.log-->
+- [x] [SRS-05/AC-02] Proof envelope examples bind stream id, head offset, manifest root, parent heads, checkpoint kind, and optional application block metadata. <!-- [SRS-05/AC-02] verify: root=$(git rev-parse --show-toplevel) && rg -n "stream_id|head_offset|manifest_root|parent_heads|checkpoint_kind|application_block" "$root/FINALITY.md" "$root/website/docs/reference/contracts/finality.md", SRS-05:start, SRS-05:end, proof: ac-2.log-->
+- [x] [SRS-NFR-03/AC-01] Documentation clearly states that Transit supplies lineage and finality primitives, not a complete blockchain consensus runtime. <!-- [SRS-NFR-03/AC-01] verify: root=$(git rev-parse --show-toplevel) && rg -n "not a complete blockchain consensus runtime|does not provide|applications still own consensus" "$root/FINALITY.md" "$root/website/docs/reference/contracts/finality.md", SRS-NFR-03:start, SRS-NFR-03:end, proof: ac-3.log-->
+
+#### Verified Evidence
+- [ac-1.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-1.log)
+- [ac-2.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-2.log)
+- [ac-3.log](../../../../stories/VI1mjiIBI/EVIDENCE/ac-3.log)
+
+

.keel/missions/VI1mZnbqW/LOG.md

@@ -6,3 +6,7 @@
 ## 2026-04-27T14:12:08
 
 Created active mission decomposition from senior engineering review: three epics, three planned voyages, and nine ready stories covering bounded replay/materialization, typed AI and communication workload SDKs, and hosted authority hardening.
+
+## 2026-04-27T15:19:47
+
+Mission achieved by local system user 'alex'

.keel/missions/VI1mZnbqW/README.md

@@ -1,13 +1,14 @@
 ---
 # system-managed
 id: VI1mZnbqW
-status: active
+status: achieved
 created_at: 2026-04-27T14:07:27
-updated_at: 2026-04-27T14:11:51
+updated_at: 2026-04-27T15:19:47
 # authored
 title: Productionize Transit Downstream Application Surfaces
 watch: ~
 activated_at: 2026-04-27T14:11:51
+achieved_at: 2026-04-27T15:19:47
 ---
 
 # Productionize Transit Downstream Application Surfaces

.keel/stories/VI1mjhoAK/README.md

@@ -24,5 +24,5 @@ Enforce hosted token auth at the framed protocol boundary while preserving expli
 ## Acceptance Criteria
 
 - [x] [SRS-01/AC-01] A server configured for token auth rejects unauthenticated framed requests before shared-engine mutation, while `none` mode remains available for local development. <!-- [SRS-01/AC-01] verify: cargo test -p transit-core auth, SRS-01:start, SRS-01:end, proof: ac-1.log-->
-- [x] [SRS-01/AC-02] Auth failures return remote error envelopes with request id, topology, stable error code, and actionable message. <!-- [SRS-01/AC-02] verify: cargo test -p transit-core token_auth_rejects_unauthenticated_requests_before_shared_engine_mutation, SRS-01:start, SRS-01:end, proof: ac-2.log-->
+- [x] [SRS-02/AC-01] Auth failures return remote error envelopes with request id, topology, stable error code, and actionable message. <!-- [SRS-02/AC-01] verify: cargo test -p transit-core token_auth_rejects_unauthenticated_requests_before_shared_engine_mutation, SRS-02:start, SRS-02:end, proof: ac-2.log-->
 - [x] [SRS-NFR-01/AC-01] Auth enforcement is a server boundary concern and does not introduce server-only storage or lineage semantics. <!-- [SRS-NFR-01/AC-01] verify: manual, SRS-NFR-01:start, SRS-NFR-01:end, proof: ac-3.log-->

.keel/stories/VI1mjiIBI/EVIDENCE/ac-1.log

@@ -0,0 +1,30 @@
+---
+recorded_at: 2026-04-27T15:17:46.736693676-07:00
+command: root=$(git rev-parse --show-toplevel) && rg -n "Block|Fork|Finality marker|Reorg decision|canonical-selection" "$root/FINALITY.md" "$root/website/docs/reference/contracts/finality.md"
+---
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:2:title: "Finality And Fork Proofs"
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:3:sidebar_label: "Finality And Fork Proofs"
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:4:description: "Blockchain-style finality and fork proof contract over Transit lineage."
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:7:# Finality And Fork Proof Contract
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:16:| Blockchain-style concept | Transit primitive | Contract rule |
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:18:| Block | Record or append batch | Store the block body, block reference, or application envelope as immutable payload bytes. |
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:20:| Block height | Offset plus application metadata | Transit offset is the storage position; application block height remains payload metadata when it differs. |
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:22:| Fork | Branch | A fork is a child stream created from the parent stream at the divergence offset. |
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:24:| Reorg decision | Merge artifact or canonical-selection artifact | Reorg handling must be explicit data that names selected and superseded heads. |
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:25:| Finality marker | Lineage checkpoint | A checkpoint binds a chosen stream head to a manifest root and checkpoint kind. |
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:78:  "stream_id": "chain.main.canonical-selection",
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:94:  "checkpoint_ref": "checkpoints/chain.main.canonical-selection/88.json",
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:97:      "stream_id": "chain.main.canonical-selection",
+/home/alex/workspace/spoke-sh/transit/website/docs/reference/contracts/finality.md:115:canonical-selection artifact when an application chooses one path. Use a
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:1:# Finality And Fork Proof Contract
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:25:| Blockchain-style concept | Transit primitive | Contract rule |
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:27:| Block | Record or append batch | Store the block body, block reference, or application envelope as immutable payload bytes. |
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:29:| Block height | Offset plus application metadata | Transit offset is the storage position; application block height remains payload metadata when it differs. |
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:31:| Fork | Branch | A fork is a child stream created from the parent stream at the divergence offset. |
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:33:| Reorg decision | Merge artifact or canonical-selection artifact | Reorg handling must be explicit data that names selected and superseded heads. |
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:34:| Finality marker | Lineage checkpoint | A checkpoint binds a chosen stream head to a manifest root and checkpoint kind. |
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:94:  "stream_id": "chain.main.canonical-selection",
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:110:  "checkpoint_ref": "checkpoints/chain.main.canonical-selection/88.json",
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:113:      "stream_id": "chain.main.canonical-selection",
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:126:## Fork And Reorg Handling
+/home/alex/workspace/spoke-sh/transit/FINALITY.md:134:- append a canonical-selection artifact that names the selected head,