Architecture

The pipeline is: decode & downscale (deterministic) → policy gate (deterministic) → visual check (the one metered VISION stage). The app owns media_asset verification in its demo_eco_c3_photo_verification table and reads the shared host #01 property catalog. The data invariant holds: owner writes canonical (credential_id NULL); viewer writes credential-scoped, ephemeral, reset-clearing; the DO-UPDATE scope guard blocks a viewer write from clobbering canonical.

The one metered stage (verifyPhoto) is a vision stage, dual-mode: Cloud claude-haiku-4-5, cost-capped at $0.05 per session and fail-closed — over the cap it falls back to recorded OSS (qwen2.5-vl-7b) at $0, recorded on local hardware and never fabricated. Each run writes a cost_ledger row and a demo_cache replay key. It emits photo.verified to the durable event log. Out of scope and clearly labelled: the visual check is a deterministic simulation; tiles are illustrated placeholders, never real imagery; no PII. Honesty is inspector-only.