Fraud Value Containment V1 Spec

1. The V1 Two-Phase Runtime

The Core Requirement: Once fraud containment opens on a source, source-linked suspicious value must not remain requestable or withdrawable anywhere on-platform.

V1 explicitly splits operations into a Discovery Phase (building the exposure map without mutating behavior) and an Action Phase (suspending core entities and locking exposed holders).

flowchart TD A["Fraud-Coded Source\nPosture Tightens"] --> B["Open/Reuse\nContainment Case"] subgraph Phase1 ["Phase 1: Discovery"] B --> C["Walk V1 Money Edges\n(Transfers & Revshare)"] C --> D["Attribute Traced Exposure\nTo Holders"] D --> E{"Did Holder Forward\nExposure Onward?"} E -- Yes --> F["Expand Frontier"] F --> C E -- No --> G["Stop Expansion"] end subgraph Phase2 ["Phase 2: Action"] G --> H["Suspend Same-Owner Core\n(Identity-Linked)"] H --> I["Lock Every Holder with\nPositive Traced Exposure\n(Money-Linked)"] end style A fill:#3f1414,stroke:#ef4444,stroke-width:2px,color:#fff style Phase1 fill:#0f172a,stroke:#334155,stroke-width:2px,color:#fff style Phase2 fill:#020617,stroke:#1e3a8a,stroke-width:2px,color:#fff style I fill:#064e3b,stroke:#22c55e,stroke-width:2px,color:#fff

2. The Trigger & Rollout Hook

Containment opens on fraud-coded source posture changes (e.g., suspended, reserves_imposed, requested_more_information). It does not wait for a final "hard stop".

V1 Hook: LedgerAccountAuditManager::Companies::Processor (chosen because it matches the burst-fraud corpus that motivated this design).
Guard: Must carry a typed fraud reason/provenance.

3. Actions: The Policy Split

V1 uses two separate policies based on how an entity is linked to the fraud source. Weak signals (shared IP, device, KYC) are explicitly rejected from the critical path to maintain a deterministic runtime.

flowchart TD Case["Containment Actions"] --> Identity["Identity-Linked Core\n(Strict Same-Control)"] Case --> Money["Money-Linked Holders\n(Positive Traced Exposure)"] Identity --> S_Action["Auto-Suspend:\n- Source Bot\n- Source Owner User\n- Other Bots by Same Owner\n- Payout-only Child Bots"] Money --> D_Action["Apply Universal Ledger Lock:\n1. Reserve Percentage = 100%\n2. Rebalance reserves to current balance\n3. Withdrawal Status = Inactive\n4. Deny requested withdrawals\n5. Block new withdrawal requests"] Money -.-x D_Reject["Rejected Default Action:\n- User Suspension (too broad)"] style S_Action fill:#422006,stroke:#f59e0b,color:#fff style D_Action fill:#064e3b,stroke:#22c55e,color:#fff style D_Reject fill:#3f1414,stroke:#ef4444,stroke-dasharray: 5 5,color:#fff

4. Discovery & Traced Exposure

Containment is based on traced exposure, not a generic current balance. The worker traverses only allowed real money edges: inner_platform_transfer and membership_revshare.

                Traced Exposure = (Source-linked Inbound)

                                  - (Proved Reversals/Refunds)

                                  - (Source-linked Outbound already attributed onward)

Conservative Revshare Rule: If a holder received positive source-linked revshare that has not been fully reversed in proved evidence, treat that holder as exposed and lock it. Exact co-mingled allocation is out of scope for V1.

flowchart LR Source(("Source Bot")) -- "inner_platform_transfer" --> H1(("Holder 1\n(Exposed)")) Source -- "membership_revshare" --> H2(("Holder 2\n(Exposed)")) H1 -- "No Onward Movement" --> Stop1["Lock H1\nDo Not Expand"] H2 -- "Forwarded Funds" --> H3(("Holder 3\n(Exposed)")) H2 -. "Lock H2, Expand Frontier" .- H2 H3 -- "Refunded/Reversed" --> Clear["Exposure = 0\n(Do Not Lock)"] style Source fill:#3f1414,stroke:#ef4444,color:#fff style H1 fill:#422006,stroke:#f59e0b,color:#fff style H2 fill:#422006,stroke:#f59e0b,color:#fff style H3 fill:#422006,stroke:#f59e0b,color:#fff style Stop1 fill:#064e3b,stroke:#22c55e,color:#fff style Clear fill:#1e293b,stroke:#64748b,color:#fff