Architecture

The pipeline is: collect submission (deterministic) → compliance policy #22 (deterministic) → document & identity checks (the one metered stage); the per-case checks are seeded and immutable. The app owns kyc_case in demo_eco_c3_listing_kyc with the checks in demo_eco_c3_kyc_check, and reads the shared host #01 partner / listing / property catalog. On a pass/reject it reconciles the listing status (live / blocked) — the hydrate path derives the gate from the loaded KYC outcomes. The data invariant holds: owner canonical (credential_id NULL); viewer credential-scoped, ephemeral, reset-clearing; the DO-UPDATE scope guard blocks a viewer write from clobbering canonical.

The one metered stage (runKyc) runs dual-mode: Cloud claude-haiku-4-5, cost-capped at $0.05 per session and fail-closed — over the cap it falls back to recorded OSS (qwen2.5-7b-instruct) at $0, recorded on local hardware and never fabricated. Each run writes a cost_ledger row and a demo_cache replay key; the immutable checks are inserted once and never clobbered. Decisions emit kyc.decided and listing.unlocked to the durable event log. Out of scope and clearly labelled: the checks are a deterministic simulation; all submissions are synthetic, document types are labels only, no real documents or PII. Honesty is inspector-only.