When I jump between Bitcoin/Cardano and Cosmos/Ethereum, the biggest mental shift isn’t consensus or scripting. It’s the ledger model.
- UTXO / eUTXO: “coins” that move around and are consumed once.
- Account model: one big map of addresses and balances (plus contract storage).
This shapes how you build transactions, how you store state, and how you design indexers.
1. Two Different Ledgers in Your Head
I keep two simple pictures in mind.
UTXO (Bitcoin / Cardano)
Ledger = set of unspent outputs
UTXO:
(txid, index) -> {
value = amount [+ tokens]
lock = script or key hash
[datum] = extra state (Cardano)
}
Transaction:
inputs = list of UTXO references
outputs = list of new UTXOs
- UTXO is like cash: each output is a bill, spent once.
- Balances are client‑side: add up all UTXOs you can spend.(Horizen)
Account (Cosmos / Ethereum)
Ledger = map of addresses -> account state
Account:
balance(s)
nonce / sequence
[code + storage] (contracts)
Transaction:
from, to, value, gas, nonce
(plus module / contract calls)
- Account model is like a bank ledger: balances live in the chain’s state.(Alchemy)
Cosmos SDK literally has x/auth and x/bank modules that define account types, sequences, and balance records keyed by address and denom.(Cosmos Documentation)
2. Building Transactions: UTXO vs Account
UTXO: pick coins, make change
On Bitcoin or Cardano, a payment looks like this in your head:
1. Discover spendable UTXOs for my key(s).
2. Select a set of UTXOs whose total value >= amount + fee.
3. Build outputs:
- payment output(s)
- change output(s) back to me
4. Sign each input (and possibly scripts).
5. Broadcast the transaction.
Node validation is local: it checks that each referenced UTXO exists, is unspent, and that scripts/signatures are satisfied. The ledger rules only care about conservation:
sum(inputs) >= sum(outputs) + fee
In Cardano’s eUTXO, the same pattern holds, but outputs can carry datums and script hashes, and transactions are designed to be fully checkable off‑chain before they hit the chain.(Cardano Docs)
Production note. On Cardano systems I treat transaction building as an off‑chain compiler: gather UTXOs, compute datums, run Plutus locally, estimate fees, then send something the chain should just accept.
Account model: mutate a row in the global map
On Ethereum or a Cosmos chain you don’t choose inputs; you say “debit this account, credit that account”.
In rough steps:
1. Fetch my account:
- balance
- nonce (sequence)
2. Construct tx:
- from = my address
- to = recipient or contract
- value / msgs / data
- gasLimit, gasPrice/fee, nonce
3. Sign the tx.
4. Broadcast it.
The node checks the signature, ensures the nonce matches, and applies in‑place updates to balances and any touched contract or module state. Ethereum does this against the world state trie, a Merkle‑Patricia tree mapping addresses to account objects; Cosmos SDK stores per‑module KV state where x/bank keeps balances.(Medium)
3. State Management: UTXO Set vs Global State
UTXO state: “what’s still unspent”
Nodes maintain a UTXO set:
UTXO set:
key = (txid, index)
value = { value, lock, [datum] }
Each new block:
- Removes UTXOs referenced by tx inputs.
- Adds all tx outputs as new UTXOs.
Ledger state is literally “which outputs are unspent right now”. Clients reconstruct balances by summing over UTXOs they control.(Horizen)
Cardano’s eUTXO extends the stored payload (datums, script hashes) and uses two‑phase validation: basic structure first, scripts second. But it’s still “set of live outputs” as the core state.(Cardano Docs)
This has a nice property: validity of a transaction depends only on the transaction and the UTXOs it touches, not on any hidden global variable. Cardano’s docs stress that transactions can be validated off‑chain against the current UTXO snapshot.(Cardano Docs)
Account state: one giant map (+ tries)
Ethereum and Cosmos embed state directly:
Ethereum:
World state trie:
address -> { balance, nonce, codeHash, storageRoot }
Contract storage trie:
key -> value (per contract)
Each block points to a new world state root after all txs are applied.(Medium)
Cosmos SDK:
x/auth store:
address -> base account (pubkey, sequence)
x/bank store:
(address, denom) -> amount
meta total supply
plus per‑module stores for staking, governance, custom modules.(Cosmos Documentation)
Here state is always “live”: any read hits the latest version; history is reconstructed from blocks/events, not from an explicit UTXO graph.
4. Indexing Strategies
UTXO chains: index the graph
For Bitcoin/Cardano, an indexer usually looks like this mentally:
Tables:
tx (id, hash, block_id, ...)
tx_in (tx_id, index, prev_tx_hash, prev_index, address, ...)
tx_out (tx_id, index, value, address, [datum], [script_hash], ...)
address_balance (address, current_balance, updated_at) [optional view]
Patterns:
- To get “UTXOs for address A”, you find all
tx_outto A that are not referenced by anytx_in. - To get history, you join
tx_outandtx_inon addresses or script hashes. - For Cardano, you index datums and script hashes to provide contract‑level views.
Articles comparing the models point out that UTXO’s fragmented nature makes indexers heavier: balances aren’t explicit, so you either constantly fold over outputs or maintain materialized views.(Cheesecake Labs)
Production note. On a multi‑chain indexer we used almost the same schema for Bitcoin and Cardano, just with extra columns for Cardano datums and policies. The heavy part isn’t consensus, it’s the joins.
Account chains: index state deltas and events
For Ethereum / Cosmos, the node already has balances and contract storage keyed by address. Indexers typically:
- Subscribe to new blocks and tx receipts.
- Ingest events / logs (EVM) or ABCI events (Cosmos).
- Maintain their own read models:
* token balances per address
* contract-specific views
* time-series of state changes
If you need current balances, you can always fall back to the node’s native APIs (e.g. eth_getBalance, cosmos.bank.v1beta1/AllBalances).(buf.build)
For historical views you consume logs:
- Ethereum: event topics and data emitted by contracts.
- Cosmos: module‑emitted events on each transaction.
The indexer doesn’t reconstruct ownership from first principles; it watches how the live map changes over time.
5. Concurrency and Throughput in Practice
UTXO: independent coins, better parallelism
Because UTXOs are independent units, two transactions that spend different UTXOs can be validated and applied in parallel, as multiple comparisons and surveys point out.(Cheesecake Labs)
You still have conflicts:
- Double spends: two txs try to consume the same UTXO.
- “Hot UTXO”: one contract UTXO becomes the single bottleneck.
Cardano’s eUTXO documentation leans into this: you can deliberately split state across multiple UTXOs to allow more concurrent interactions.(Cardano Docs)
Production note. On a Cardano DEX we eventually sharded pools across multiple UTXOs per asset pair. Before that, one pool UTXO was effectively a global lock; after sharding, throughput increased because independent orders could hit different pool states.
Account model: global nonce and shared state
Account chains optimise for simplicity but pay for it with contention.
- Every account has a nonce/sequence; txs from the same account must use strictly increasing nonces. If you fire two txs with the same nonce, one eventually loses.(BitGo Developer Portal)
- Contracts share global storage: if two txs touch the same hot contract or balance, they must be ordered consistently.
Tooling docs for custodians and SDKs explicitly warn about this: you either serialize transactions per account or have very careful nonce management and failure handling.(BitGo Developer Portal)
On the upside, you don’t have UTXO fragmentation. Balances are neat rows; you’re limited by block gas and contract complexity, not by “how many small coins does this wallet have”.
6. Smart Contracts and State Machines
Here the difference is mostly about how you encode logic.
eUTXO smart contracts (Cardano)
Cardano’s eUTXO model lets each output carry:
- value (multi-asset)
- script hash (validator)
- datum (typed state)
A transaction provides a redeemer and full context; the validator decides if the UTXO can be spent. Smart contract tutorials summarise it as “deciding when a particular UTXO can be spent”.(book.opshin.dev)
You model contracts as explicit state machines over UTXOs:
State UTXO --[tx + redeemer]--> New state UTXO
No hidden global variables; concurrency issues are visible in which UTXOs are shared.
Account‑based contracts (EVM / CosmWasm / SDK modules)
In Ethereum and Cosmos you think in terms of:
contract storage:
mapping, structs, counters ...
function calls:
read/modify storage in-place
World state tries and module stores keep a single canonical storage root; contracts call each other and mutate shared state in one go.(Medium)
Most “UTXO vs account” comparisons end up here: UTXO gives you better parallelisation and local reasoning, account model gives you easier composability and DevEx for traditional smart‑contract patterns.(Kaleido)
7. How It Feels Day‑to‑Day
Personal snapshot of how it feels to ship against each model.
On UTXO / eUTXO chains I spend time on:
- UTXO hygiene: coin selection, avoiding dust, defragmenting wallets.
- Explicit state modelling: which UTXOs represent which contract states, how to prevent one UTXO from becoming a hotspot.
- Indexers that understand the transaction graph and can reconstruct per‑user and per‑contract views.
On Cosmos/Ethereum I spend time on:
- Nonce and gas management for hot accounts.
- Contract storage schemas and migrations.
- Indexers that track events and state deltas, not individual “coins”.
Production note. Any time we built cross‑chain tools (BTC + EVM, Cardano + Cosmos) the hardest bugs were almost always mismatched mental models: “why did this BTC wallet suddenly break after a batch spend?” vs “why did this Cosmos account suddenly throw sequence errors after we parallelized submissions?”
8. Choosing Between Them (as a Developer)
If I strip away ideology and look at practical trade‑offs:
UTXO / eUTXO
- Great when you want:
* local, analyzable validation
* explicit state machines
* potential for parallel tx processing
* privacy knobs via UTXO structure
Account model
- Great when you want:
* simple balances and UX
* very composable contract calls
* familiar mental model (accounts, storage)
* tight integration with existing EVM/Cosmos ecosystems
Analysis pieces say it in similar terms: UTXO buys you scalability potential and certain privacy advantages; account‑based ledgers buy you smart‑contract ergonomics and simplicity.(Cheesecake Labs)
For multi‑chain systems, the answer is usually “both”:
- UTXO/eUTXO chains as robust settlement or specialized execution layers.
- Account‑based chains as composable application layers.
- Bridges and indexers that intentionally translate between “coins and change” on one side and “accounts and storage” on the other, instead of pretending they’re the same thing.
Once you accept the models are different on purpose, your code, schemas, and mental models start matching reality instead of fighting it.
Completion scope and production contract
This completion review turns the earlier conceptual treatment into a release-oriented engineering contract. It treats UTXO vs Account Model: A Practical Developer’s Perspective as a consensus-aware Bitcoin component, follows a block, transaction, script, or UTXO mutation through validation and durable state, and separates normative requirements from implementation policy. The normative baseline is the activated Bitcoin consensus rules and applicable BIPs; deployment defaults, caching, retry limits, and operator thresholds are explicitly local policy. 11
The intended audience is experienced developers and architects. Readers should understand the surrounding chain or application model, typed data structures, persistence, and basic security engineering. The scope includes correctness, implementation boundaries, deterministic tests, failure recovery, security, performance, and observability. It does not claim that the educational companion is a drop-in replacement for a maintained protocol or cryptographic library. Production adoption requires an independent threat model, compatibility testing against the authoritative implementation, and operational ownership. 12
The mental model used throughout is deliberately strict: untrusted input crosses peer, mempool, chain, persistence, and query boundaries; a validator derives facts under the activated Bitcoin consensus rules and applicable BIPs; accepted transitions update validated chain and UTXO state; and observers consume committed facts, never optimistic intermediate mutations. A guarantee is stated only when it follows from those rules and assumptions. Heuristics such as fee selection, caching, peer scoring, timeouts, user messaging, or alert thresholds remain policy and may be tuned without redefining validity. 13
Reader contract and scope
For UTXO vs Account Model: A Practical Developer’s Perspective, this review makes the exact user decision and the prerequisites needed to make it safely explicit. Start from one block, transaction, script, or UTXO mutation and write down its origin, canonical representation, validation context, authority, and durable outcome. The consensus-aware Bitcoin component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is validated chain and UTXO state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 11
The principal failure to design against is an attractive example being mistaken for a complete production design. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record a scope statement, excluded concerns, and a reviewable acceptance criterion. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Precise vocabulary and authority
Treat precise vocabulary and authority as part of the executable design of UTXO vs Account Model: A Practical Developer’s Perspective, not as documentation added after coding. The relevant operating envelope includes historical synchronization, steady-state blocks, reorganizations, and adversarial transactions. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across peer, mempool, chain, persistence, and query boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 12
A useful review asks how the design behaves under invalid encodings, policy rejection, reorganization, duplicate delivery, resource exhaustion, and partial persistence. The unsafe outcome is teams using the same word for incompatible states or guarantees. Prevent it with explicit preconditions and postconditions, and retain a glossary tied to the normative authority for every overloaded term as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An node or indexer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Trust assumptions
The implementation of UTXO vs Account Model: A Practical Developer’s Perspective should expose which actors, clocks, stores, libraries, and upstream systems may fail or act maliciously through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of validated chain and UTXO state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 13
Assume that an implicit trusted component invalidating the claimed guarantee will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is a trust-boundary diagram and an assumption register with owners. Keep private keys, signatures, peer metadata, and untrusted serialized bytes out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Architecture and ownership
Verification for UTXO vs Account Model: A Practical Developer’s Perspective must demonstrate component responsibilities and the direction in which facts and commands move at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 11
Make two components both believing they own the same transition a named negative test. The release packet should retain a context diagram, ownership table, and dependency rule, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave validated chain and UTXO state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Canonical representation
For UTXO vs Account Model: A Practical Developer’s Perspective, this review makes the byte-level or schema-level representation used for hashing, comparison, storage, and transport explicit. Start from one block, transaction, script, or UTXO mutation and write down its origin, canonical representation, validation context, authority, and durable outcome. The consensus-aware Bitcoin component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is validated chain and UTXO state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 12
The principal failure to design against is semantically equal values producing different identifiers or verification outcomes. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record golden encodings, round-trip tests, and rejection of non-canonical forms. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
State-machine model
Treat state-machine model as part of the executable design of UTXO vs Account Model: A Practical Developer’s Perspective, not as documentation added after coding. The relevant operating envelope includes historical synchronization, steady-state blocks, reorganizations, and adversarial transactions. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across peer, mempool, chain, persistence, and query boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 13
A useful review asks how the design behaves under invalid encodings, policy rejection, reorganization, duplicate delivery, resource exhaustion, and partial persistence. The unsafe outcome is an impossible intermediate state becoming durable after interruption. Prevent it with explicit preconditions and postconditions, and retain a transition table exercised by positive, negative, and replay tests as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An node or indexer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Invariants
The implementation of UTXO vs Account Model: A Practical Developer’s Perspective should expose properties that must hold before and after every accepted operation through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of validated chain and UTXO state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 11
Assume that local success concealing corruption in a related aggregate or index will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is executable assertions at the narrowest authoritative boundary. Keep private keys, signatures, peer metadata, and untrusted serialized bytes out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Validation pipeline
Verification for UTXO vs Account Model: A Practical Developer’s Perspective must demonstrate cheap structural checks, contextual checks, authoritative verification, and commit order at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 12
Make expensive or stateful work running before malformed input is rejected a named negative test. The release packet should retain ordered validation stages with stable machine-readable rejection codes, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave validated chain and UTXO state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Error semantics
For UTXO vs Account Model: A Practical Developer’s Perspective, this review makes the distinction between invalid input, conflict, unavailable dependency, retryable interruption, and internal defect explicit. Start from one block, transaction, script, or UTXO mutation and write down its origin, canonical representation, validation context, authority, and durable outcome. The consensus-aware Bitcoin component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is validated chain and UTXO state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 13
The principal failure to design against is blind retries amplifying a permanent failure or changing user intent. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record typed errors mapped consistently across logs, metrics, APIs, and queues. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Concurrency control
Treat concurrency control as part of the executable design of UTXO vs Account Model: A Practical Developer’s Perspective, not as documentation added after coding. The relevant operating envelope includes historical synchronization, steady-state blocks, reorganizations, and adversarial transactions. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across peer, mempool, chain, persistence, and query boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 11
A useful review asks how the design behaves under invalid encodings, policy rejection, reorganization, duplicate delivery, resource exhaustion, and partial persistence. The unsafe outcome is a check-then-act race accepting two individually plausible operations. Prevent it with explicit preconditions and postconditions, and retain a linearization argument plus stress tests at the chosen contention boundary as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An node or indexer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Idempotency and replay
The implementation of UTXO vs Account Model: A Practical Developer’s Perspective should expose how duplicate delivery, process restart, and historical backfill preserve the same result through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of validated chain and UTXO state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 12
Assume that at-least-once delivery creating a second side effect will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is stable operation identities, deduplication state, and deterministic replay fixtures. Keep private keys, signatures, peer metadata, and untrusted serialized bytes out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Persistence and atomicity
Verification for UTXO vs Account Model: A Practical Developer’s Perspective must demonstrate which facts commit together and how derived views catch up at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 13
Make a crash exposing a cursor that claims work whose state was not committed a named negative test. The release packet should retain transaction boundaries, durable checkpoints, and reconciliation queries, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave validated chain and UTXO state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
API and schema contracts
For UTXO vs Account Model: A Practical Developer’s Perspective, this review makes input limits, optionality, pagination, versioning, and compatibility behavior explicit. Start from one block, transaction, script, or UTXO mutation and write down its origin, canonical representation, validation context, authority, and durable outcome. The consensus-aware Bitcoin component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is validated chain and UTXO state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 11
The principal failure to design against is a technically valid deployment silently changing a consumer-visible meaning. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record consumer fixtures, schema-diff checks, and explicit deprecation windows. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.