# Architecture Review

## Findings

### Medium: scope discipline is good, but the draft risks under-specifying the portable core

The draft correctly avoids becoming a universal reputation system. The remaining risk is that so much is left to local policy that the portable assertion core becomes too thin. The architecture should define a firmer minimum portable envelope.

### Medium: the trust-event object may be more than the first revision needs

The draft has both trust events and trust assertions. That layering is sensible, but the architecture should say more directly whether trust-event interoperability is a primary goal or merely a feeder model for assertions. Otherwise readers may assume both layers are equally mature.

### Medium: revocation and supersession deserve a cleaner conceptual split

The draft treats revocation as withdrawal or supersession, but those are not always the same. One invalidates a prior assertion; the other replaces it with a newer one. This distinction should be sharper.

## Open questions

- Is the first implementable milestone portable assertions only, with trust events described as optional supporting input?
- Should revocation be kept as a general umbrella term or split explicitly into revoke and supersede actions?

## Residual risk

The document has good boundaries. The main architectural risk is not scope creep but insufficient commitment to a concrete portable core.