v2.3.0

Released by @jesuspirate on 06 Jun 02:37 (tag v2.3.0, commit 83d510b)
v2.3.0 — Close the arbiter door

Compatibility: SOFT — no wire breakage, no lockstep. Provenance is a
client-side display check (no protocol change). The committed substitution
grace is an additive, optional LOCK field, consensus-safe exactly like the
trade expiry: old clients ignore it and keep working, and a trade without it
behaves byte-identically to v2.1/v2.2. Every flow works across v2.0.x / v2.1 /
v2.2 / v2.3 in any mix.

The door we just closed

  • A trade's community arbiters ride in on the listing, set by the creator's own
    app. Until now Chama only checked that the chosen arbiter belonged to THAT
    pool — never that the pool was the community's real one. A hostile creator
    could stuff the pool with sock-puppet keys they control; in a dispute "the
    neutral arbiter" would be theirs, and a creator who is also a party could
    effectively seat two of the three escrow shares. (Healing was never exposed —
    it's refund-only to the rightful locker. The hole was normal dispute
    arbitration.)
  • This is the direct answer to "what stops someone adding an arbiter to cheat
    everyone?"

Arbiter provenance (informed consent, not a blunt block)

  • Every trade now classifies its arbiter pool against the set your device
    recognizes for that community. The trade room shows a quiet green
    "Community-verified arbiters" tick when every name checks out — and an amber
    "⚠ Unrecognized arbiter(s)" card, naming the exact keys, the instant the pool
    contains arbiters Chama doesn't know for that community.
  • It's visible to everyone, including the person about to lock sats — the
    moment money goes at risk. Deliberately a warning, not a hard reject:
    rejecting at the protocol level would turn a stale registry into a
    funds-stranding bug. The threat here is trust, so the close is consent.
  • The official community pool is the shared baseline, so two honest sides on it
    always agree (green); a stuffed pool outs its foreign keys the instant the
    counterparty looks.

Substitution grace, now consensus-safe and tunable

  • The window an absent arbiter keeps a dispute to itself before a backup may
    step in is now committed into the LOCK (like the trade expiry), so every
    client computes the identical step-in moment. Absent ⇒ the same 4h default as
    before.
  • It can only ever make backups eligible SOONER, never later (a longer window
    would just delay rescue of the locker's own funds, and a trade refunds at
    expiry regardless). Still adaptively floored by half the trade's remaining
    life, so short trades stay sane.
  • Me › Advanced (power-user): TEST SUBSTITUTION GRACE — set a short floor (e.g.
    60s) to exercise backup step-in on demand instead of waiting hours. Sits next
    to TEST TRADE EXPIRY; clear it after testing.
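The two client-side checks described above, the provenance classification of a listing's arbiter pool and the committed substitution grace clamp, as an added illustration in Python. This is not Chama's own code: the key format (compared case-insensitively as hex-style strings), the function names, and the reading of "floored by half the remaining life" as an upper clamp are all assumptions.

```python
from dataclasses import dataclass, field

DEFAULT_GRACE_S = 4 * 3600  # the 4h default the notes mention


@dataclass
class Provenance:
    status: str                  # "verified", "unrecognized", "case-dupe" or "empty"
    unrecognized: list = field(default_factory=list)   # keys to name on the amber card
    case_dupes: list = field(default_factory=list)


def classify_pool(pool, recognized):
    """Compare a listing's arbiter pool against the keys this device recognizes
    for the community. Assumed: keys are hex-style strings, so spelling differs
    only by case; the same key in two spellings is reported as a case-dupe."""
    if not pool:
        return Provenance("empty")
    seen, dupes = {}, []
    for key in pool:
        low = key.lower()
        if low in seen and seen[low] != key:
            dupes.append(key)
        seen.setdefault(low, key)
    known = {k.lower() for k in recognized}
    foreign = sorted({k for k in pool if k.lower() not in known})
    if foreign:
        return Provenance("unrecognized", foreign, dupes)   # amber card, names the keys
    if dupes:
        return Provenance("case-dupe", [], dupes)
    return Provenance("verified")                            # green tick


def step_in_delay(committed_grace_s, remaining_life_s):
    """Seconds an absent arbiter keeps a dispute before a backup may step in.
    Assumed rule: a missing LOCK field means the 4h default; a committed value
    can only shorten it, never lengthen it; and the result is clamped to half
    the trade's remaining life so short trades still get a rescue window."""
    grace = DEFAULT_GRACE_S if committed_grace_s is None else committed_grace_s
    grace = min(grace, DEFAULT_GRACE_S)          # sooner only, never later
    return max(0, min(grace, remaining_life_s // 2))
```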

Design groundwork

  • docs/DESIGN-arbiter-economy.md captures the longer arc this opens: signed
    community rosters, consensus admission (you can't add yourself — the
    community admits you), duty-pays-not-power arbiter fees, response-window
    rotation, bonds, and reputation as the real collateral. Four invariants are
    written down and load-bearing — chief among them, still: no vote-flip
    backdoor, ever; high-stakes change goes to community consensus, not a
    maintainer.

Numbers

  • 2,211 tests green (+24), including the provenance classifier (verified /
    stuffed / hostile / empty / case-dupe / operator-trusted) and the committed
    grace (clamp bounds, half-life interplay, and a full LOCK→dispute round-trip).