v3.5.0

No stacking the deck

v3.5.0 · arbiter integrity — soft, additive, client-side.

Two guardrails around the one role that could quietly tilt a trade: the arbiter. You'll almost never see either — they only surface when something's off. No change to how an honest trade works.

What's protected

• The judge has to be the assigned one. A trade's arbiter is meant to be assigned fairly, not hand-picked. The app now checks that on every trade — and if the seated arbiter isn't the one the trade should have drawn, it shows a loud warning (naming who's seated vs who should be) before you pay or deliver, and asks you to acknowledge the risk before you act. Backing out is never blocked, and an honest trade never trips it.

• A community can't rubber-stamp itself. The green "verified" badge now refuses to appear when the people vouching for a trade's arbiters are themselves parties to the trade. Vouching has to come from someone who isn't in the deal.

Honest about the edge

Same-key self-vouching is closed. A determined two-identity setup (one key vouches, another trades) can still earn the badge — closing that fully needs the federation-owner credential, which is on the roadmap. We log it as a known item in our public threat model (INVARIANTS.md) rather than overclaim.

Compatibility

Client-side only — the escrow reducer and wire format are untouched (verified). No consensus change, nothing to coordinate, existing trades unaffected. By construction this release cannot strand a sat: its only failure modes are a mis-fired warning or a badge call.

Numbers

2,453 tests green; typecheck clean; classifiers verified live in the served bundle; hardened by an adversarial review that confirmed the consent layer is sufficient, caught a three-era assignment-history subtlety, and surfaced the residual above.