A Bitcoin node does not “trust” miners. It trusts rules. Every block that arrives from the network is run through a deterministic checklist: header structure, proof‑of‑work, difficulty, size/weight, coinbase reward, and transaction validity against the current UTXO set. If any check fails, the block is rejected, even if all miners love it.(Bitcoin Wiki)
This article walks through that checklist from a developer’s perspective. We will look at block header validation, proof‑of‑work (PoW) verification, difficulty rules, and transaction validation. The goal is to give you a clear blueprint for a full block validator, ready to be turned into a Kotlin implementation later.
Prerequisites
You should already be comfortable with the UTXO model and basic transaction validation (scripts, signatures, balances). It also helps if you’ve seen a block in hex or JSON and know that it has a header plus a list of transactions.
On the conceptual side, you should be familiar with proof‑of‑work and the idea of “longest chain / most work” as a fork‑choice rule. On the engineering side, it’s enough to think in terms of a service that reads blocks in height order and maintains a UTXO set.
1. Consensus Rules vs Policies
Consensus rules are the rules that decide whether a block is valid. All fully validating nodes are expected to enforce them identically. Examples include “block subsidy must follow the halving schedule” and “block hash must be below target.”(Bitcoin Wiki)
Mempool policies are local choices about which transactions to relay or keep in memory (min feerate, standardness, etc.). They shape propagation but do not decide final validity. A block can be valid under consensus even if it contains transactions your mempool would never have relayed.(BitBox Blog)
For this article we stay on the consensus side: when we say “block validation,” we mean the checks that define whether a block is acceptable on the main chain.
2. A High‑Level Validation Pipeline
You can visualize block validation as a simple pipeline:
+-------------------+
| Raw Block Bytes |
+---------+---------+
|
v
+---------------------+
| Header Parsing |
| Sanity Checks |
+---------+-----------+
|
v
+---------------------+
| Proof-of-Work |
| Difficulty |
+---------+-----------+
|
v
+---------------------+
| Transaction |
| UTXO Validation |
+---------+-----------+
|
v
+---------------------+
| Chain Selection |
| (most work) |
+---------------------+
Each layer has its own invariants. Header checks are cheap and come first. Expensive script and UTXO work happens only after PoW and difficulty have passed.(Bitcoin Developer Documentation)
3. Block Header Anatomy
The Bitcoin block header is 80 bytes with six fields in a fixed order. This structure is part of consensus and cannot change without a fork.(Bitcoin Developer Documentation)
+----------+-----------------------------+
| Bytes | Field |
+----------+-----------------------------+
| 4 | version |
| 32 | previous block header hash |
| 32 | merkle root (txids) |
| 4 | timestamp (Unix epoch) |
| 4 | nBits (compressed target) |
| 4 | nonce |
+----------+-----------------------------+
The version indicates which set of validation rules may apply (for example BIP34, BIP9 deployments). The previous hash links this header into the chain. The merkle root commits to the transactions in the block. Time and nBits together define the expected difficulty adjustment behaviour. The nonce is the miner’s scratch space during proof‑of‑work.(Bitcoin Developer Documentation)
A validator’s first step is to parse these fields correctly and reject any malformed headers.
4. Proof‑of‑Work Verification
Proof‑of‑work turns that 80‑byte header into an expensive lottery. The validation rule is simple:
double_sha256(header_bytes) <= target
The target is a 256‑bit number derived from the compact nBits field in the header. The smaller the target, the harder it is to find a nonce that makes the hash low enough.(Learn Me A Bitcoin)
Conceptually:
header -> SHA256 -> SHA256 -> hash
hash <= target valid proof-of-work : invalid
Verification is cheap: one double‑hash and a comparison. Mining is expensive: trillions of hashes until a satisfactory nonce is found. That asymmetry is what gives proof‑of‑work its security properties.
5. Difficulty and Target Adjustment
The network aims for a 10‑minute average time between blocks. To keep that target despite changing hash power, nodes periodically adjust the difficulty. Every 2016 blocks (roughly two weeks), each node compares the actual time spent mining those blocks to the expected two weeks and adjusts the target accordingly.(Learn Me A Bitcoin)
The consensus rule is:
- Every block’s nBits must match the expected difficulty for its height.
- Expected difficulty changes only at boundaries of 2016-block periods.
Validators do not recompute history constantly; they derive the current expected difficulty from the previous blocks they have already accepted. If a block comes in with an nBits that does not match the difficulty rules for its position, it is rejected even if its hash is numerically low enough.
6. Header‑Level Sanity Rules
Beyond PoW and difficulty, headers must satisfy a handful of structural and temporal constraints. These include:
- The
previous block header hashmust reference a block the node already knows (or be all zeros for genesis). - The timestamp must be greater than or equal to the median of the previous 11 blocks’ timestamps (median‑time‑past) and not more than about two hours in the future relative to the node’s clock.(Bitcoin Developer Documentation)
- The block’s weight/size must be under the protocol limit (currently 4 million weight units, introduced with SegWit).(River)
If any of these checks fail, the node does not proceed to transaction validation.
7. Coinbase and Block Reward Rules
Every block must include at least one transaction, and the first transaction must be the coinbase transaction. This special transaction has no real inputs and is where the miner claims the block reward.(Bitcoin Developer Documentation)
Consensus rules around coinbase include:
- It must be the first transaction in the block.
- It has one “fake” input (all-zero txid, special index).
- Its outputs must not sum to more than:
block subsidy (height-dependent)
+ total fees of all other transactions in the block.
- The subsidy halves every 210,000 blocks.
The halving schedule starts at 50 BTC per block and halves every 210,000 blocks, yielding the familiar series 50 → 25 → 12.5 → 6.25 → 3.125 BTC, and so on, aiming at a 21‑million maximum supply.(Bitcoin Wiki)
Since BIP34, the coinbase must also encode the block height as the first item in its scriptSig once the network has passed specific activation thresholds. This is itself a consensus rule and contributes to uniqueness of blocks.(bips.dev)
If the miner claims more than “subsidy + fees”, the entire block is invalid, even if all transactions inside are otherwise fine.(Learn Me A Bitcoin)
8. Transaction and UTXO Validation Inside a Block
Once the header is good and PoW is correct, the node checks the transactions. At a high level:
1. Recompute the merkle root from the list of txids and
compare with the header’s merkle root.
2. Verify the coinbase structure and reward.
3. For each non-coinbase transaction:
- Check basic format and invariants.
- Check that total input value >= total output value.
- Check scripts and signatures.
- Check for double-spends inside this block.
4. Apply all transactions to the UTXO set in order.
Modern Bitcoin Core uses the UTXO set, not historical block lookups, as its state for validation: for each input, it looks up the referenced UTXO, checks it exists, validates scripts, then marks it as spent and creates new UTXOs for the outputs.(Bitcoin Core Onboarding)
A few important invariants:
- No transaction (except coinbase) may create value: sum(outputs) ≤ sum(inputs).
- Within a single block, each UTXO may be spent at most once.
- Transactions must be correctly signed and scripts must evaluate to true under the applicable rules (legacy Script, SegWit, Taproot).
Any violation makes the entire block invalid.
9. Chain Selection and Reorg Safety
Validation happens per block, but nodes also have to decide which chain of blocks to follow. Bitcoin’s default rule is “most accumulated proof‑of‑work”, often approximated as “longest chain” when difficulty is constant.(Wikipedia)
In practice:
- For each competing tip, compute its total chain work
(sum of difficulty from genesis to this block).
- Choose the valid chain with the greatest total work.
- If a new block arrives that makes an alternate branch
have more work than the current one, perform a reorg:
- disconnect blocks from the old tip back to the fork point
- connect blocks from the new branch
When disconnecting a block, the node reverses its UTXO changes; when connecting, it reapplies them. This is why validators maintain both the UTXO set and enough history or logs to roll back state safely.(Bitcoin Core Onboarding)
From a Kotlin validator’s point of view, you want a clear abstraction:
applyBlock(block) // forward state transition
undoBlock(block) // inverse state transition
Chaining these gives you safe reorg handling.
10. Sketching a Block Validator Architecture (Kotlin‑Ready)
Without writing code yet, you can already draw the core components you’d implement in Kotlin:
+-----------------------------+
| BlockSource |
| - reads raw blocks |
| - gives (header, txs) |
+--------------+--------------+
|
v
+-----------------------------+
| BlockHeaderValidator |
| - parse header |
| - sanity + PoW + diff |
+--------------+--------------+
|
v
+-----------------------------+
| BlockBodyValidator |
| - merkle root check |
| - coinbase / reward rules |
| - per-tx checks |
+--------------+--------------+
|
v
+-----------------------------+
| UtxoState |
| - apply / undo blocks |
| - per-tx UTXO updates |
+--------------+--------------+
|
v
+-----------------------------+
| ChainIndex / ForkChoice |
| - track tips, total work |
| - handle reorgs |
+-----------------------------+
Each component is pure logic plus access to some storage (blocks, headers, UTXO set). Your Kotlin implementation will likely map these to services or modules, with clear boundaries between “pure consensus logic” and “infrastructure” (database, disk, network).
11. Testing a Consensus‑Compatible Validator
Consensus code needs heavy testing because any divergence from the reference implementation can isolate your node.
There are three useful layers of tests:
-
Unit tests for individual rules. For example, a test that feeds headers with various timestamps into the median‑time‑past check, or tests that verify coinbase rewards against a known halving schedule.
-
Integration tests on synthetic chains. Construct short chains with known forks: blocks that overspend in coinbase, blocks with invalid PoW, blocks that violate script rules. Your validator should reject the right ones and pick the correct fork.
-
Cross‑verification against Bitcoin Core. Run your validator alongside a Bitcoin Core node through an initial block download and periodically assert that:
- You agree on the tip hash at each height.
- When Core marks a block invalid, you do too.
- Your computed UTXO set (for a sampled subset) matches the node’s view.(密碼龐克 Cypherpunks Taiwan)
Old blocks do not need to be revalidated constantly; once a block is buried under enough work, a single validation pass is sufficient in practice. But during development and initial sync, you want the option to reindex and compare behaviour block by block.
Conclusion
Bitcoin block validation is the process by which nodes enforce the protocol’s social contract: no extra inflation, no broken signatures, no shortcuts on proof‑of‑work. At a high level, a validator parses the header, verifies PoW and difficulty, checks structural constraints, enforces coinbase and reward limits, validates all transactions against the UTXO set, and then decides how the block fits into the best‑work chain.
With the model in this article, you should be able to design a block validator as a set of clean components, ready to be implemented in Kotlin: a header validator, a PoW and difficulty engine, transaction and UTXO logic, and a chain index with reorg handling. The actual code is “just” an encoding of these rules, but the rules themselves are what every node must agree on.
In later work you can go one step further: wire this validator into a P2P node, integrate it with your indexer, or compare Bitcoin’s approach to consensus with Cardano’s Ouroboros or Cosmos’s Tendermint.
Source notes
- Bitcoin.org Developer Guide – Block chain, headers, difficulty, and coinbase rules.(Bitcoin Developer Documentation)
- Bitcoin Wiki – Consensus rules and controlled supply.(Bitcoin Wiki)
- BIP34 – Block v2, height in coinbase, and activation mechanism.(bips.dev)
- LearnMeABitcoin – Block headers, PoW target, and coinbase transaction details.(Learn Me A Bitcoin)
- SegWit and block weight – 4M weight unit limit and implications for block validation.(River)
- Bitcoin Core / Mastering Bitcoin – Block validation engine and UTXO‑based state.(Bitcoin Core Onboarding)
Completion scope and production contract
This completion review turns the earlier conceptual treatment into a release-oriented engineering contract. It treats Bitcoin Block Validation: Implementing Consensus Rules as a consensus-aware Bitcoin component, follows a block, transaction, script, or UTXO mutation through validation and durable state, and separates normative requirements from implementation policy. The normative baseline is the activated Bitcoin consensus rules and applicable BIPs; deployment defaults, caching, retry limits, and operator thresholds are explicitly local policy. 13
The intended audience is experienced developers and architects. Readers should understand the surrounding chain or application model, typed data structures, persistence, and basic security engineering. The scope includes correctness, implementation boundaries, deterministic tests, failure recovery, security, performance, and observability. It does not claim that the educational companion is a drop-in replacement for a maintained protocol or cryptographic library. Production adoption requires an independent threat model, compatibility testing against the authoritative implementation, and operational ownership. 14
The mental model used throughout is deliberately strict: untrusted input crosses peer, mempool, chain, persistence, and query boundaries; a validator derives facts under the activated Bitcoin consensus rules and applicable BIPs; accepted transitions update validated chain and UTXO state; and observers consume committed facts, never optimistic intermediate mutations. A guarantee is stated only when it follows from those rules and assumptions. Heuristics such as fee selection, caching, peer scoring, timeouts, user messaging, or alert thresholds remain policy and may be tuned without redefining validity. 15
Reader contract and scope
For Bitcoin Block Validation: Implementing Consensus Rules, this review makes the exact user decision and the prerequisites needed to make it safely explicit. Start from one block, transaction, script, or UTXO mutation and write down its origin, canonical representation, validation context, authority, and durable outcome. The consensus-aware Bitcoin component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is validated chain and UTXO state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 13
The principal failure to design against is an attractive example being mistaken for a complete production design. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record a scope statement, excluded concerns, and a reviewable acceptance criterion. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Precise vocabulary and authority
Treat precise vocabulary and authority as part of the executable design of Bitcoin Block Validation: Implementing Consensus Rules, not as documentation added after coding. The relevant operating envelope includes historical synchronization, steady-state blocks, reorganizations, and adversarial transactions. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across peer, mempool, chain, persistence, and query boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 14
A useful review asks how the design behaves under invalid encodings, policy rejection, reorganization, duplicate delivery, resource exhaustion, and partial persistence. The unsafe outcome is teams using the same word for incompatible states or guarantees. Prevent it with explicit preconditions and postconditions, and retain a glossary tied to the normative authority for every overloaded term as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An node or indexer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Trust assumptions
The implementation of Bitcoin Block Validation: Implementing Consensus Rules should expose which actors, clocks, stores, libraries, and upstream systems may fail or act maliciously through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of validated chain and UTXO state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 15
Assume that an implicit trusted component invalidating the claimed guarantee will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is a trust-boundary diagram and an assumption register with owners. Keep private keys, signatures, peer metadata, and untrusted serialized bytes out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Architecture and ownership
Verification for Bitcoin Block Validation: Implementing Consensus Rules must demonstrate component responsibilities and the direction in which facts and commands move at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 13
Make two components both believing they own the same transition a named negative test. The release packet should retain a context diagram, ownership table, and dependency rule, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave validated chain and UTXO state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Canonical representation
For Bitcoin Block Validation: Implementing Consensus Rules, this review makes the byte-level or schema-level representation used for hashing, comparison, storage, and transport explicit. Start from one block, transaction, script, or UTXO mutation and write down its origin, canonical representation, validation context, authority, and durable outcome. The consensus-aware Bitcoin component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is validated chain and UTXO state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 14
The principal failure to design against is semantically equal values producing different identifiers or verification outcomes. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record golden encodings, round-trip tests, and rejection of non-canonical forms. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
State-machine model
Treat state-machine model as part of the executable design of Bitcoin Block Validation: Implementing Consensus Rules, not as documentation added after coding. The relevant operating envelope includes historical synchronization, steady-state blocks, reorganizations, and adversarial transactions. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across peer, mempool, chain, persistence, and query boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 15
A useful review asks how the design behaves under invalid encodings, policy rejection, reorganization, duplicate delivery, resource exhaustion, and partial persistence. The unsafe outcome is an impossible intermediate state becoming durable after interruption. Prevent it with explicit preconditions and postconditions, and retain a transition table exercised by positive, negative, and replay tests as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An node or indexer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Invariants
The implementation of Bitcoin Block Validation: Implementing Consensus Rules should expose properties that must hold before and after every accepted operation through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of validated chain and UTXO state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 13
Assume that local success concealing corruption in a related aggregate or index will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is executable assertions at the narrowest authoritative boundary. Keep private keys, signatures, peer metadata, and untrusted serialized bytes out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Validation pipeline
Verification for Bitcoin Block Validation: Implementing Consensus Rules must demonstrate cheap structural checks, contextual checks, authoritative verification, and commit order at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 14
Make expensive or stateful work running before malformed input is rejected a named negative test. The release packet should retain ordered validation stages with stable machine-readable rejection codes, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave validated chain and UTXO state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Error semantics
For Bitcoin Block Validation: Implementing Consensus Rules, this review makes the distinction between invalid input, conflict, unavailable dependency, retryable interruption, and internal defect explicit. Start from one block, transaction, script, or UTXO mutation and write down its origin, canonical representation, validation context, authority, and durable outcome. The consensus-aware Bitcoin component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is validated chain and UTXO state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 15
The principal failure to design against is blind retries amplifying a permanent failure or changing user intent. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record typed errors mapped consistently across logs, metrics, APIs, and queues. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Concurrency control
Treat concurrency control as part of the executable design of Bitcoin Block Validation: Implementing Consensus Rules, not as documentation added after coding. The relevant operating envelope includes historical synchronization, steady-state blocks, reorganizations, and adversarial transactions. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across peer, mempool, chain, persistence, and query boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 13
A useful review asks how the design behaves under invalid encodings, policy rejection, reorganization, duplicate delivery, resource exhaustion, and partial persistence. The unsafe outcome is a check-then-act race accepting two individually plausible operations. Prevent it with explicit preconditions and postconditions, and retain a linearization argument plus stress tests at the chosen contention boundary as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An node or indexer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Idempotency and replay
The implementation of Bitcoin Block Validation: Implementing Consensus Rules should expose how duplicate delivery, process restart, and historical backfill preserve the same result through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of validated chain and UTXO state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 14
Assume that at-least-once delivery creating a second side effect will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is stable operation identities, deduplication state, and deterministic replay fixtures. Keep private keys, signatures, peer metadata, and untrusted serialized bytes out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Persistence and atomicity
Verification for Bitcoin Block Validation: Implementing Consensus Rules must demonstrate which facts commit together and how derived views catch up at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 15
Make a crash exposing a cursor that claims work whose state was not committed a named negative test. The release packet should retain transaction boundaries, durable checkpoints, and reconciliation queries, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave validated chain and UTXO state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.