Instead of a per-transfer approval, the record references the pre-granted cloud permissions under which the transfer was executed.

• Source Identity: The specific AWS IAM Role, GCP Service Account, or Azure identity used.
• KMS Access: The specific encryption keys accessible to TG for that operation.
• Verification: A timestamp of when these permissions were last verified to be valid.

TG identifies the "ingest" state by capturing the precise instance of the object, not just its name.

• Instance Identifiers: Capture CSP-specific version markers (e.g., AWS versionId, GCP generation, or Azure ETag).
• Source Checksum: The plaintext hash of the object before any transit encryption is applied.

This connects the static object identity to the active transfer process.

• CSP Operation IDs: Captures internal chunk or batch operation IDs from the cloud provider.
• Resiliency Events: Logs retry or resume events, including attempt counts and byte offsets.

Upon completion, TG records the "landed" state of the object.

• New Instance Identifier: Captures the generation or version ID created by the write operation at the destination.
• Reassembly Verification: The destination plaintext checksum is calculated after decryption and chunk reassembly.

A definitive record of the "Triple-Lock" hash comparison:

• Algorithm: Explicitly records the hash algorithm used (e.g., SHA-256).
• Comparison: Lists the source vs. destination checksums and the explicit "Match" or "Fail" result.

This addresses your "Semantic Versioning" policy for same-named objects.

• Collision Handling: If an overwrite occurred at the operational path, the record must include a reference to the prior destination object instance and a timestamp of the supersession.

The final terminal state of the chain-of-custody is the Signed Transfer Manifest.

• Cryptographic Binding: The signature covers all the data points above, asserting the completeness and finality of the entire record.