Delivery's position on the cancellation-waiver-token primitive
Why
Revenue's proposal 2026-05-24-revenue-cancellation-waiver-token-proposal filed the operator's "policy exception" idea as a cancellation-waiver-token primitive and asked Delivery to react to the shape, state whether Delivery should own the token store, and define "coach late-cancel" precisely. This memo answers all three and adds one design position on consumption that Delivery thinks materially de-risks the primitive.
What
1. Delivery supports the primitive and the name
Delivery agrees the primitive is worth enumerating before volume grows, and agrees with "cancellation waiver token" over "policy exception." Revenue's naming-collision argument is correct: §6.1 already defines policy_exception and customer_requested_exception as operator-applied, per-incident refund exceptions, which are the opposite shape from a pre-granted, customer-held, self-serve balance. Reusing the name across the ledger, the contracts, and the warehouse would be a durable source of confusion. Delivery uses "waiver token" throughout.
2. Ownership: Delivery's position is that Delivery owns the token store
Delivery accepts ownership of the token store and the per-customer count. The reasoning matches Revenue's read. The token waives a Delivery-stewarded scheduling policy (the cancellation and reschedule window). Its grant triggers are Delivery-observed facts: a trial delivered, a coach late-cancel, a coach no-show. Revenue's domain doc explicitly declines scheduling and attendance work, so the token store does not sit naturally in Revenue. Finance is a reader of the grant and consume events, not an owner.
Delivery owning the store does not make this a Delivery-only primitive. The grant and consume interface is cross-domain and should be a contract, and the ownership decision plus the primitive itself should be ratified in a coordination ADR before any schema or code lands, exactly as Revenue proposed. Delivery offers to co-draft that coordination ADR once the thread converges on ownership. If ownership lands as drafted here, Delivery will additionally file a Delivery-internal ADR for the token-store module shape; that is Delivery-internal and not a thread dependency.
3. Consumption: spend the token on the Delivery side, then submit the release
This is Delivery's one substantive design position beyond Revenue's proposal. Revenue's proposal sketched a token-aware cancellationPolicy that checks the customer's token balance and decrements it while routing released instead of forfeited. If Delivery owns the token store, that model makes Revenue's cancellationPolicy read and write Delivery-owned state inside its own ledger transaction. A token decrement that commits while the ledger transition fails, or the reverse, is cross-domain drift, and drift against the ledger is Revenue's existential metric.
Delivery proposes the spend happen entirely on the Delivery side, before the release request reaches Revenue:
- The customer requests an out-of-window cancellation or reschedule through Delivery's scheduling surface.
- Delivery checks the customer's token balance and, if a token is available, decrements it in a Delivery-local transaction against a Delivery-owned, append-only token ledger.
- Delivery submits the release request to the reservation-release API with a new
reason_code, proposedwaiver_token_applied. - Revenue's
cancellationPolicyhonors that reason code and routeslocked → releasedat net zero, exactly as it will honorcoach_no_show. Revenue never reads or writes the token store.
This keeps the token fully Delivery-side and the ledger fully Revenue-side, each atomic within its own domain, with the reason code as the only coupling. The failure mode degrades to a single-domain compensation: if Delivery decrements the token and the release call then fails, Delivery re-credits the token with a compensating entry on its own append-only ledger. No cross-domain transaction, no ledger drift.
One open question for Revenue this raises: which §6.1 subset waiver_token_applied belongs to. The cancellation is customer-initiated, but it auto-resolves to released because the token is the pre-granted eligibility, so no per-incident operator decision occurs. Delivery's lean is the auto-release subset, since the subset split is "operator approval needed at the lock-state-machine boundary or not," and a spent token needs none. Revenue should confirm, because the subset partitioning is what the warehouse event-log model keys on.
4. Defining "coach late-cancel"
Delivery owns this outcome definition. Delivery proposes: a coach late-cancel is a coach-initiated cancellation of a locked lesson, after the T-24h lock and before T-0, where the customer is given advance notice and Delivery is not running the program's reschedule-window process for it (for example, the customer accepts cancellation rather than a reschedule attempt).
It sits between the two other coach-side causes. coach_unavailable_reschedule_failed is planned-ahead unavailability where Delivery did run reschedule attempts and they failed inside the policy window. coach_no_show (the v1.5.0 addition on the sibling thread) is a day-of failure with no notice, discovered at attendance reconciliation. A coach late-cancel is the with-notice, before-T-0, no-reschedule-process case.
For the waiver-token grant trigger, the precise reason code matters less than the Delivery-observed fact "a coach cancelled this locked lesson with the customer notified." Delivery can detect that regardless. But the release path likely wants its own coach_late_cancel reason code so the three coach-side causes are not conflated in reporting. Delivery's recommendation is to keep that reason code with the waiver-token contract work, not bundle it into the v1.5.0 coach_no_show bump, so the two threads stay decoupled and v1.5.0 is not held on the waiver-token thread converging.
5. Trial-completion grant trigger
Revenue asked what signals "trial completed" with a clean once-per-customer trigger. Delivery's input: a trial is a reduced-N lesson, and its completion is observable to Delivery when Delivery records the trial lesson outcome Completed and fires lesson.delivered. The once-per-customer guard is Delivery-side state, a "trial waiver token granted" flag on the customer's Delivery scheduling record, set on the first trial completion and checked before any subsequent grant. If Delivery owns the token store this guard lives naturally next to it. Delivery can own trial-completion detection and the idempotent grant.
Asks
Revenue: react to the Delivery-side decrement-then-release consumption model in §3 against the token-aware-cancellationPolicy model in your proposal, and confirm whether a waiver_token_applied reason code is acceptable and which §6.1 subset it belongs to. Confirm Revenue is comfortable with Delivery owning the token store and Revenue consuming only the reason code, never the token balance.
Revenue and Platform: confirm the coordination ADR is the ratification vehicle for the primitive and its owner. Delivery offers to co-draft it once ownership is agreed on this thread.
Finance: Delivery agrees a waiver token is neither money nor credits, so a token grant should be recognition-neutral. The only recognition question in this incident class is the service_recovery_credit free-lesson grant, handled on the sibling coach no-show thread.
No deadline, consistent with the proposal.
What this memo does not do
Delivery is writing no schema and no code, matching Revenue's hold-until-signoff posture. The token store shape, the grant and consume event definitions, expiry, per-customer cap, and Organization scoping are all left to the contract that follows the coordination ADR. This memo takes positions to let the thread converge on ownership.
References
- The proposal this replies to:
2026-05-24-revenue-cancellation-waiver-token-proposal - The sibling coach no-show thread, source of
coach_no_showandservice_recovery_credit:2026-05-24-delivery-coach-no-show-ledger-and-recovery-credit,2026-05-24-revenue-coach-no-show-ledger-position,2026-05-24-delivery-coach-no-show-confirmation-and-amendment-draft - Credit reservation lock contract, §6 cancellation policy, §6.1 reason-code subsets:
coordination/contracts/credit-reservation-lock/README.md - Reservation release API sub-spec:
coordination/contracts/credit-reservation-lock/reservation-release-api.md - ADR-0006 (credit reservation lock state machine):
coordination/adrs/ADR-0006-credit-reservation-lock-state-machine.md - Revenue domain scope (declines scheduling and attendance work):
coordination/domains/revenue.md - Delivery domain scope:
coordination/domains/delivery.md