1. The receipt corpus
Every operation an asset goes through — origination, transfer, anchor, re-anchor, revocation — emits a 74-byte canonical receipt: 32 bytes of on-chain commitment plus 42 bytes of off-chain post-quantum proof bundle. The receipts are content-addressable and hash-linked. The corpus of receipts is the operational history.
The corpus is replicable. Customers can hold their own copies. Auditors can hold archival copies. Sovereign archives can hold compliance copies. If H33's servers go dark, the corpus that was already distributed continues to work — every receipt remains verifiable against the same primitives, by the same publicly-specified verifier.
2. The ownership lineage
Each transfer emits a continuation receipt whose commitment includes the prior receipt's hash. The chain of custody is therefore an immutable hash-linked DAG specific to the asset. Replay any subset of receipts and the ownership state at that point reconstructs deterministically.
This means even after the issuer is gone, an auditor can ask "who owned this asset at 2042-03-15?" and get a cryptographically-defended answer. Not from a database; from the receipt chain itself.
3. The authority delegation chain
Authority is governed by Q-Key objects — time-bound, state-scoped, computation-bound authority that's hash-linked from parent to child. A wallet, a transfer agent, an AI compliance bot, a regulator with revocation authority — each acts under an authority object whose lineage is part of the receipt corpus.
Preserved: the full delegation tree at any point in time, including who could do what, under whose grant, with what scope, until when. Even after H33 stops issuing new authority objects, the historical ones remain replayable.
4. The policy state at any moment
The commitment input includes policy_state — the jurisdiction rules, sanctions list state, eligibility constraints, and regulatory framework that were in force when the operation happened. This is part of the hash, so it's part of the canonical identity.
A 2040 auditor asking "was this transfer compliant under the rules in force in 2026?" can answer it from the receipt alone. The policy state didn't have to be stored in an external system that might no longer exist.
What's not preserved (and why that's fine)
Operational metadata that's not bound into the commitment — UI preferences, internal logs, vendor-side analytics, support tickets — is not in the corpus. That's correct: those aren't institutional facts. The line is drawn at "things that need to be verifiable in a courtroom, by a regulator, or by an auditor, without trusting the operator." Everything that meets that bar is preserved structurally. Everything else is operational convenience.