System Architecture
A formal responsibility boundary model for PVERSE, specified as a transition system: M = (S, E, V, δ, I).
Purpose
This page defines the architecture of PVERSE as an auditable protocol rather than a simple UI surface. It is written as a verification target: responsibilities, boundaries, and authoritative truth sources are defined so that outcomes remain explainable under retries, partial failures, and controlled evolution.
The system is designed so canonical outcomes never depend on narrative, interface rendering, or mutable operator intent. Authority comes from validated evidence, append-only records, and controlled transition rules.
Audit Model
PVERSE is specified as the state-machine formalism M = (S, E, V, δ, I). The system is not defined by cached views, temporary UI state, or informal expectations. It is defined by validated events, controlled transitions, and non-negotiable invariants.
I — Invariants (Non-Negotiable)
Invariants define what must hold across all versions and operating conditions. Any change that violates the invariants below is outside the architecture contract.
I1 — Truth Hierarchy
UI is informational. Canonical truth is derived from authoritative anchors and append-only records produced by controlled execution.
- Authoritative: finalized chain anchors, accepted events, append-only ledger and entitlement records.
- Non-authoritative: UI, caches, client session state, estimates, projections, and convenience displays.
I2 — Append-Only History
Past canonical records are never rewritten. Corrections are represented as new events that reference prior anchors.
- Deletion and mutation are not permitted for canonical records.
- Corrections must be forward-only and preserve historical explainability.
I3 — Idempotency & Replay Safety
Reprocessing the same evidence must not produce duplicate credit, duplicate writes, or inconsistent derived state.
- Duplicate events are no-ops under idempotency keys.
- Partial failures must not create double application or divergent truth.
I4 — Monotonic Finality
Finality moves forward. Any reorg-sensitive or exceptional handling must be explicitly recorded rather than silently edited.
I5 — Forward-Only Updates
Ruleset changes apply to future outcomes only. Past outcomes remain bound to the ruleset version that produced them.
S — Derived State Views (Non-Authority)
S denotes derived views reconstructed from the event stream and append-only records. State is a projection: useful, reproducible, and explainable, but not authoritative by itself unless anchored.
| View | Meaning | Authority |
|---|---|---|
| S_commit | Lifecycle state for a participation or deposit commit, such as CREATED → CONFIRMING → CONFIRMED → SETTLED. | Derived only |
| S_entitlement | Allocation, eligibility, and vesting views bound to a declared ruleset_version. | Derived; authoritative only through records and anchors |
| S_ledger | Append-only ledger application status keyed for idempotency and replay safety. | Authoritative as append-only record |
| S_evidence | Evidence completeness and validation status for a subject such as tx, log, or oracle snapshot. | Derived audit helper |
E — Event Model (Append-Only)
E is the canonical evidence stream. Events are the only allowable inputs that can produce or change derived state. Every outcome-affecting action must correspond to an append-only event with verifiable anchors.
Event Families
- E_OBSERVED — Evidence observed from tx, log, or receipt anchors.
- E_CONFIRMED — Confirmation threshold reached under chain-aware rules.
- E_PRICE_SNAPSHOT — USD valuation snapshot when USD affects outcomes.
- E_ENTITLEMENT_RECORDED — Allocation or eligibility recorded under a ruleset version.
- E_LEDGER_APPLIED — Idempotent append-only ledger application.
- E_CORRECTION — Forward-only correction referencing prior anchors.
{
"event_uid": "unique under idempotency key (deterministic or content-addressed)",
"event_type": "E_OBSERVED | E_CONFIRMED | E_PRICE_SNAPSHOT | E_ENTITLEMENT_RECORDED | E_LEDGER_APPLIED | E_CORRECTION",
"subject": "account_id / wallet / allocation_id / asset_id",
"chain": { "chain_type": "EVM|TRON|...", "chain_id": "..." },
"ruleset_version": "vX.Y",
"observed_at_utc": "YYYY-MM-DDTHH:MM:SSZ",
"anchors": { "tx_hash": "...", "log_index": "...", "block_number": "...", "block_hash": "...", "finality": "..." },
"inputs": { "evidence": "...", "params": {}, "refs": ["..."] },
"validation": { "passed": true, "checks": ["..."] },
"effects": { "state_delta": "...", "records_written": ["..."] }
}
V — Validation Predicates (Acceptance Gates)
V defines the acceptance gate for events. If validation fails, the event must not influence derived state. Validation exists for deterministic replay, consistency, and audit reconstruction.
Base Evidence Requirements
| Field | Requirement | Purpose |
|---|---|---|
| chain_type / chain_id | Required | Disambiguates chain semantics and confirmation rules. |
| event_uid | Required and unique under idempotency key | Prevents double application. |
| anchor | Required | Provides a verifiable reference to an authoritative source. |
| ruleset_version | Required | Binds interpretation to a declared forward-only ruleset. |
| observed_at | Required | Supports ordering and audit timeline reconstruction. |
USD Valuation Evidence Clause
If USD valuation influences eligibility, tier selection, allocation, vesting, or any canonical outcome, then USD becomes an audit input and must be reconstructable from oracle evidence under deterministic rules.
| Field | Requirement | Notes |
|---|---|---|
| oracle_type | Required | For example CHAINLINK. Defines the reconstruction method. |
| feed_address | Required | Canonical price feed contract address. |
| round_id | Required | Pointer used to reconstruct the exact answer at snapshot time. |
| answer / decimals | Required | Exact numeric value used for computation. |
| updated_at | Required if oracle provides it | Oracle-provided update timestamp. |
| block_number and/or block_hash | Required, prefer both | Binds the snapshot to chain context for replay. |
| anchor | Required | Verifiable evidence reference used during reconstruction. |
δ — Controlled Transition Function
δ defines controlled execution: δ(S, E) → S′. No transition is permitted without a validated event, and the system must remain explainable under retries, partial failures, restarts, and replay.
Transition Pipeline
observe : accept evidence into E only after V passes
confirm : apply chain-aware confirmation gates
valuate : if USD affects outcomes, require E_PRICE_SNAPSHOT with full oracle evidence
entitle : record entitlement/allocation as append-only output bound to ruleset_version
apply : apply to ledger idempotently
correct : represent corrections as new events referencing prior anchors
Layer Mapping
Layers act as operational boundaries. Each layer either constrains transitions, executes them, or renders them. No layer may silently override another.
World Layer
Role: expresses world constraints such as scarcity, resource flows, and ownership semantics.
- Controls: world rules vocabulary and constraint boundaries.
- Cannot: establish truth or authorize outcomes through presentation alone.
Protocol Layer
Role: defines the state machine and ruleset governing allowed transitions.
- Controls: S, E, V, δ specification and acceptance gates.
- Cannot: rewrite past state; corrections must be new events.
Token Layer
Role: represents entitlements such as allocations, vesting, and lockups in enforceable form.
- Controls: vesting schedules, lockups, and transfer constraints.
- Cannot: imply market availability or rewrite entitlement history.
Market Layer
Role: governs exposure, DEX activation policy, and liquidity constraints.
- Controls: market activation gates and exposure constraints.
- Cannot: weaken protocol invariants or retroactively affect records.
Infrastructure Layer
Role: handles controlled execution through watchers, signers, settlement loops, and idempotent writers.
- Controls: reliable and secure execution of δ.
- Cannot: redefine rules; it enforces the protocol layer.
UI / Read Models
Role: renders derived views, projections, search surfaces, and operator-readable summaries.
- Controls: presentation and UX clarity.
- Cannot: become a truth source; may lag or fail without altering outcomes.
Truth Sources
The architecture distinguishes authoritative sources from informational surfaces so truth does not shift accidentally during outages, retries, cache drift, or rendering errors.
Authoritative
- Chain anchors: finalized blocks, receipts, and logs that are independently verifiable.
- Accepted events: append-only E stream produced under V and δ.
- Append-only records: ledger and entitlement records written idempotently.
Non-Authoritative
- UI displays: cached, delayed, or misrendered views.
- Client session state: non-binding convenience context.
- Estimates: projections that must never gate canonical transitions.
Versioning & Forward-Only Policy
PVERSE evolves through forward-only updates. Parameter changes may be required to improve balance, mitigate abuse, or address technical constraints. Such changes apply to future outcomes only and do not rewrite history.
Failure Boundaries
The architecture defines what may degrade safely and what must not fail. Non-critical degradation is permitted. Integrity-critical boundaries must remain intact.
May Degrade Safely
- UI delays, stale read models, and non-critical cache issues.
- Indexing lag and temporary read-only limitations.
- Non-critical service restarts that do not rewrite state.
Must Not Fail
- Key boundaries: signing keys and sensitive credentials remain protected.
- State atomicity: no double allocation, no duplicate entitlement application, no divergent commit state.
- Audit integrity: history remains preserved and explainable via recorded events and anchors.
Summary
- PVERSE architecture is specified as M = (S, E, V, δ, I) for audit-grade explainability.
- I defines truth hierarchy, append-only history, idempotency, monotonic finality, and forward-only evolution.
- S represents derived views that are useful but not authoritative by themselves.
- E is the append-only evidence stream backing all outcome-affecting actions.
- V gates acceptance and requires oracle/feed/round evidence when USD affects outcomes.
- δ is controlled execution: no transition without validated events, replay safety, and reconstruction integrity.