# Membership Flow Failure-State Matrix (v1)

This matrix defines deterministic fail-closed behavior and user-facing outcomes.

| Stage | Failure | Detection Source | System Action | User Surface |
|---|---|---|---|---|
| Intent | Rate limit | API guard | Block intent issuance | "Too many requests. Try again later." |
| Intent | Invalid origin | API allowlist | Reject request | "Request origin not allowed." |
| Verify | Intent expired | TTL check | Reject verify | "Intent expired. Start again." |
| Verify | Signature mismatch | Signature recovery | Reject verify + audit entry | "Signature could not be verified." |
| Quote | Signature not verified | State check | Deny quote | "Verify wallet signature first." |
| Quote | Distinct payer without ownership proof | Proof validator | Deny quote | "Ownership authorization is required." |
| Quote | Quote expired | TTL check | Deny confirm | "Quote expired. Request a new quote." |
| Mint | Wallet reject tx | Wallet provider | No state change | "Membership mint was not approved." |
| Confirm | Wrong chain | Chain check | Reject confirm | "Transaction is on an unsupported chain." |
| Confirm | Amount mismatch | Quote/tx comparator | Reject confirm | "Transaction does not match quote." |
| Confirm | Recipient mismatch | Quote/tx comparator | Reject confirm | "Destination contract mismatch." |
| Confirm | Node unavailable | RPC health | Fail closed | "Unable to confirm transaction. Purchase stays blocked." |
| Checkout | No membership | Gate check | Block purchase | "Membership required." |
| Checkout | Membership suspended/revoked | Gate check | Block purchase | "Membership inactive. Contact support." |
| Checkout | Workspace/org boundary mismatch | Boundary claim check | Block purchase | "Workspace boundary mismatch. Target org license required." |
| Entitlement Availability | Heartbeat/capsule renewal missed (within grace) | Lease policy engine | Enter `GRACE`, keep paid execution | "Connection delayed. System running in grace mode." |
| Entitlement Availability | Renewal still missing past grace | Lease policy engine | Enter `CONTINUITY`, block growth actions | "Continuity mode: existing operations continue, expansion paused." |
| Entitlement Availability | Renewal unresolved past continuity | Lease policy engine | Enter `PARKED`, pause paid execution | "Execution parked until entitlement is renewed." |
| Governance Install | Install token expired | TTL check | Block install | "Install token expired. Request a new install token." |
| Governance Install | Package hash mismatch | Package verifier | Block activation | "Package verification failed." |
| Governance Install | Policy hash mismatch | Runtime verifier | Block activation | "Policy mismatch. Install blocked." |
| Activation | Entitlement not active | Gate check | Block runtime | "License inactive. Activation blocked." |

## Invariants

1. Unknown state defaults to blocked.
2. No failed transition may promote membership or entitlement state.
3. Every reject path produces structured audit evidence.
4. `PARKED` must preserve read/search/export pathways.