CR, May 2

Write-Domain Separation and Non-Custodial Enforcement: A Structural Impossibility in Account-Based Ledgers, with a Commitment-Based Construction

arXiv:2605.01210
AI Analysis

For blockchain protocol designers, this work identifies a fundamental limitation of current account models and provides a practical construction for trust-minimized asset encumbrance.

The paper proves that account-based ledgers (EOAs, ERC-4337, EIP-7702) cannot support non-custodial enforced encumbrance (NCEE) due to the Key Sovereignty Axiom, and proposes a commitment-based envelope primitive that achieves NCEE with concrete deployment templates and empirical benchmarks.

Account-based ledgers -- standard externally-owned accounts (EOAs), ERC-4337 smart accounts, post-Pectra EIP-7702 delegated EOAs -- place the holder of the controlling key at the apex of asset authorization. We ask a structural question about ledger access control: under this authorization model, can a protocol enforce the future disposition of an asset without taking custody and without requiring the owner's cooperation at enforcement time? We formalize the target as Non-Custodial Enforced Encumbrance (NCEE), a four-property specification covering self-custody, transition restriction, irrevocability, and permissionless enforcement. We define the Key Sovereignty Axiom (KS) and prove that any ledger satisfying KS cannot realize NCEE; standard EOAs, ERC-4337 smart accounts, and EIP-7702 delegated EOAs satisfy KS for their standard asset paths. We define Asset-Authorization Coupling (AAC) and prove it necessary for NCEE in the transfer-dichotomous asset setting. To witness the positive side, we introduce the envelope, a primitive for commitment-based private-state ledgers that binds a note, a condition tree, and a redistribution intent to protocol-maintained marker sets, separating ordinary spend nullifiers from a new encumbrance-namespace nullifier derived from note randomness rather than the owner key. We prove the envelope realizes NCEE under stated cryptographic assumptions and a deployment assumption that the marker-set registry is immutable; three concrete deployment templates are given. We define games for encumbrance integrity, settlement security, key-compromise resilience, and encumbrance indistinguishability. A reference implementation in Noir and UltraHonk supports the empirical claims, with gas measurements, recursive aggregation benchmarks, and a practical-economics analysis.
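As an added illustration, not code from the paper or its Noir/UltraHonk reference implementation, the toy Python model below contrasts the two authorization models the abstract names: an account ledger in which the controlling key sits at the apex of authorization (KS), and a commitment-based ledger in which the encumbrance-namespace nullifier is derived from note randomness rather than the owner key. It checks the four NCEE properties mechanically: the owner keeps the note (self-custody), cannot spend while the condition says hold (transition restriction), cannot remove the envelope once set (irrevocability), and a third party holding only the note opening can redistribute without the owner key (permissionless enforcement). The SHA-256 commitments, the `Opening`/`EnvelopeLedger`/`AccountLedger` names, the dictionary-valued condition function standing in for the condition tree, and the plaintext ledger state are all constructed assumptions; the toy ignores privacy and zero-knowledge proofs entirely.

```python
import hashlib
from dataclasses import dataclass


def H(*parts) -> bytes:
    """Domain-separated hash standing in for the commitment/nullifier PRF (toy, not the paper's)."""
    data = b"|".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hashlib.sha256(data).digest()


# --- Account-based ledger satisfying the Key Sovereignty Axiom (KS) -------------------
class AccountLedger:
    def __init__(self):
        self.balances = {}      # controlling key -> balance
        self.encumbrances = {}  # key -> (dest, amount): recorded, but not binding on the key path

    def fund(self, key, amount):
        self.balances[key] = self.balances.get(key, 0) + amount

    def encumber(self, key, dest, amount):
        self.encumbrances[key] = (dest, amount)

    def transfer(self, signer, dest, amount):
        # KS: a key-signed transition is valid regardless of any encumbrance on record,
        # so "transition restriction" cannot hold.
        if self.balances.get(signer, 0) < amount:
            return False
        self.balances[signer] -= amount
        self.balances[dest] = self.balances.get(dest, 0) + amount
        return True

    def enforce(self, key, caller):
        # Only the controlling key can move the asset, so enforcement needs the owner's
        # cooperation: "permissionless enforcement" cannot hold.
        if caller != key or key not in self.encumbrances:
            return False
        dest, amount = self.encumbrances.pop(key)
        return self.transfer(key, dest, amount)


# --- Commitment-based ledger with the envelope primitive (toy model) -------------------
@dataclass(frozen=True)
class Opening:
    value: int
    owner_pk: bytes
    rho: bytes  # note randomness; the encumbrance nullifier derives from this, not from the key

    def cm(self):
        return H("note", self.value, self.owner_pk, self.rho)


class EnvelopeLedger:
    def __init__(self):
        self.commitments = set()
        self.spend_nullifiers = set()  # ordinary spend namespace: needs the owner secret key
        self.enc_nullifiers = set()    # encumbrance namespace: needs only rho
        self.envelopes = {}            # cm -> (nf_enc, condition, intent_pk); no removal path exists
        self.consumed = set()          # commitments spent by either path (toy: not private)

    def mint(self, opening):
        self.commitments.add(opening.cm())

    def create_envelope(self, opening, condition, intent_pk):
        cm = opening.cm()
        if cm not in self.commitments or cm in self.envelopes:
            return False  # irrevocable: an existing envelope cannot be replaced or removed
        self.envelopes[cm] = (H("enc", opening.rho), condition, intent_pk)
        return True

    def spend(self, opening, owner_sk, dest_pk, state):
        cm = opening.cm()
        if cm not in self.commitments or cm in self.consumed or H("pk", owner_sk) != opening.owner_pk:
            return None
        nf = H("spend", owner_sk, opening.rho)
        env = self.envelopes.get(cm)
        if nf in self.spend_nullifiers or (env is not None and env[1](state) != "release"):
            return None  # transition restriction: the condition tree does not permit this spend
        self.spend_nullifiers.add(nf)
        self.consumed.add(cm)
        out = Opening(opening.value, dest_pk, H("rho", opening.rho, dest_pk))
        self.commitments.add(out.cm())
        return out

    def enforce(self, opening, state):
        # Permissionless: any party holding the opening (e.g. the enforcer handed it at
        # envelope creation) can redistribute; the owner secret key is never used here.
        cm = opening.cm()
        env = self.envelopes.get(cm)
        if env is None or cm in self.consumed:
            return None
        nf_enc, condition, intent_pk = env
        if H("enc", opening.rho) != nf_enc or nf_enc in self.enc_nullifiers or condition(state) != "enforce":
            return None
        self.enc_nullifiers.add(nf_enc)
        self.consumed.add(cm)
        out = Opening(opening.value, intent_pk, H("rho", opening.rho, intent_pk))
        self.commitments.add(out.cm())
        return out


def demo():
    """Returns five booleans, all expected True: KS owner bypass, KS enforcement failure,
    envelope spend blocked, envelope enforced without owner key, owner spend blocked after."""
    acct = AccountLedger()
    acct.fund("owner-key", 100)
    acct.encumber("owner-key", "creditor", 100)
    ks_owner_bypasses = acct.transfer("owner-key", "elsewhere", 100)
    ks_enforce_fails = not acct.enforce("owner-key", "creditor")

    led = EnvelopeLedger()
    owner_sk, enforcer_pk = b"owner-secret (constructed)", H("pk", b"creditor-secret")
    note = Opening(100, H("pk", owner_sk), b"rho (constructed)")
    led.mint(note)
    # Condition-tree stand-in: "defaulted" triggers redistribution, "matured" releases the note.
    cond = lambda s: "enforce" if s.get("defaulted") else ("release" if s.get("matured") else "hold")
    led.create_envelope(note, cond, enforcer_pk)
    blocked = led.spend(note, owner_sk, H("pk", b"x"), {}) is None
    enforced = led.enforce(note, {"defaulted": True}) is not None
    after = led.spend(note, owner_sk, H("pk", b"x"), {"matured": True}) is None
    return ks_owner_bypasses, ks_enforce_fails, blocked, enforced, after


if __name__ == "__main__":
    print(demo())
```

The two ledgers differ in exactly the place the abstract points at: `AccountLedger.transfer` accepts any key-signed transition, so the recorded encumbrance is advisory, whereas `EnvelopeLedger.enforce` is keyed on `H("enc", rho)`, a value the enforcer can hold without the owner's spending key. The toy also makes the marker set immutable by construction (there is no method that deletes from `envelopes`), mirroring the deployment assumption the abstract states for the registry.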
