Dusk is where the close can be correct and still not signable.
Nothing is off. Balances line up. Positions are where they should be. If you’re inside the execution context, everything already happened.
The problem shows up one layer later.
We had positions settle under a Dusk disclosure posture that was doing exactly what it was designed to do: reveal the event to the right parties, no more. The state moved. The proof existed. The people allowed to see it could see it.
Then 5:00 hit.
The reporting job ran like it always does — pull exposures, bucket them, stamp the time, send it out before someone asks why it’s late. The file generated. It just didn’t populate the way everyone expected.
At first it looked like a bug. Rows with headers, numbers missing underneath. Too clean to be a failure.
It took a minute to say the quiet part out loud:
those columns assume ambient visibility.
I remember someone asking why half the desk was staring at blanks. Another person answered, then stopped mid-sentence and tried again.
“It’s not missing data. It’s data we’re not allowed to show to this audience.”
That’s not a reporting problem. That’s a Dusk problem you only hit if you design disclosure like an afterthought.
The Dusk's disclosure policy was right. Painfully right. It allowed the regulator view. It allowed the counterparty view. It did not allow the entire internal distro list to ingest the same evidence, because that would have widened the viewer set at execution. You don’t get to do that retroactively and still call it disciplined.
So the close landed in a dead zone.
Risk wanted aggregation before the sweep. Ops wanted something... anything, they could paste into a ticket. Compliance wanted the exact view preserved. Nobody wanted to be the one to say, “we need to redefine who is allowed to see what,” because that’s not a fix you ship at 5:12.
We tried the usual moves anyway.
Could we redact and still score it?
No... the scoring logic depends on the protected fields.
Could we output a simple risk tag?
Not unless that tag was designed as an explicit disclosure product, bound to a viewer set, under the same DuskVM execution rules as the original state change. Otherwise it’s just a softer leak.
So we did the thing nobody likes.
A smaller authorized group pulled the real view. They summarized it manually. Everyone else got a watered-down close note with enough context to survive the night and nothing more. Accurate. Defensive. Ugly.
The ledger was right the whole time. That wasn’t the issue.
The issue was that our internal machinery assumed disclosure equals usability. On Dusk, disclosure equals permission... and permission is scoped, timed, and enforced where execution happens, not where reporting wishes it had happened.
The file still had a timestamp.
The signature line stayed empty, because the audience wasn’t entitled to see what would have justified filling it.
And there’s no way to rush that without breaking the rules you said you cared about.
