PVERSE
WHITEPAPER

System Architecture

A formal responsibility boundary model for PVERSE, specified as a transition system: M = (S, E, V, δ, I).

Published: February 22, 2026
Updated: March 24, 2026
Section: Whitepaper
Authoritative truth: anchors + append-only events Derived state: projections, not authority Transitions: validated, controlled, replay-safe Forward-only updates: version-bound USD evidence required if outcome-affecting
Architecture Contract
This page defines what each layer can do, what it cannot do, and what must remain invariant across retries, failures, upgrades, and forward-only evolution. When convenience conflicts with integrity, integrity wins.

Purpose

This page defines the architecture of PVERSE as an auditable protocol rather than a simple UI surface. It is written as a verification target: responsibilities, boundaries, and authoritative truth sources are defined so that outcomes remain explainable under retries, partial failures, and controlled evolution.

The system is designed so canonical outcomes never depend on narrative, interface rendering, or mutable operator intent. Authority comes from validated evidence, append-only records, and controlled transition rules.

Audit Model

PVERSE is specified as the state-machine formalism M = (S, E, V, δ, I). The system is not defined by cached views, temporary UI state, or informal expectations. It is defined by validated events, controlled transitions, and non-negotiable invariants.

Interpretation Rule
If ambiguity exists, the interpretation that best preserves determinism, scarcity enforcement, replay safety, and record integrity takes precedence. Silent inference is disallowed.

I — Invariants (Non-Negotiable)

Invariants define what must hold across all versions and operating conditions. Any change that violates the invariants below is outside the architecture contract.

I1 — Truth Hierarchy

UI is informational. Canonical truth is derived from authoritative anchors and append-only records produced by controlled execution.

  • Authoritative: finalized chain anchors, accepted events, append-only ledger and entitlement records.
  • Non-authoritative: UI, caches, client session state, estimates, projections, and convenience displays.

I2 — Append-Only History

Past canonical records are never rewritten. Corrections are represented as new events that reference prior anchors.

  • Deletion and mutation are not permitted for canonical records.
  • Corrections must be forward-only and preserve historical explainability.

I3 — Idempotency & Replay Safety

Reprocessing the same evidence must not produce duplicate credit, duplicate writes, or inconsistent derived state.

  • Duplicate events are no-ops under idempotency keys.
  • Partial failures must not create double application or divergent truth.

I4 — Monotonic Finality

Finality moves forward. Any reorg-sensitive or exceptional handling must be explicitly recorded rather than silently edited.

I5 — Forward-Only Updates

Ruleset changes apply to future outcomes only. Past outcomes remain bound to the ruleset version that produced them.

S — Derived State Views (Non-Authority)

S denotes derived views reconstructed from the event stream and append-only records. State is a projection: useful, reproducible, and explainable, but not authoritative by itself unless anchored.

View Meaning Authority
S_commit Lifecycle state for a participation or deposit commit, such as CREATED → CONFIRMING → CONFIRMED → SETTLED. Derived only
S_entitlement Allocation, eligibility, and vesting views bound to a declared ruleset_version. Derived; authoritative only through records and anchors
S_ledger Append-only ledger application status keyed for idempotency and replay safety. Authoritative as append-only record
S_evidence Evidence completeness and validation status for a subject such as tx, log, or oracle snapshot. Derived audit helper
State Is Not Truth
A rendered state view may lag, fail, or misrender without changing canonical outcomes. Canonical truth is anchored in validated events and append-only records.

E — Event Model (Append-Only)

E is the canonical evidence stream. Events are the only allowable inputs that can produce or change derived state. Every outcome-affecting action must correspond to an append-only event with verifiable anchors.

Event Families

  • E_OBSERVED — Evidence observed from tx, log, or receipt anchors.
  • E_CONFIRMED — Confirmation threshold reached under chain-aware rules.
  • E_PRICE_SNAPSHOT — USD valuation snapshot when USD affects outcomes.
  • E_ENTITLEMENT_RECORDED — Allocation or eligibility recorded under a ruleset version.
  • E_LEDGER_APPLIED — Idempotent append-only ledger application.
  • E_CORRECTION — Forward-only correction referencing prior anchors.
Correction Policy
Corrections must be recorded as new events referencing prior anchors. Canonical history is never rewritten.
Event Envelope (Schema Contract)
{
  "event_uid": "unique under idempotency key (deterministic or content-addressed)",
  "event_type": "E_OBSERVED | E_CONFIRMED | E_PRICE_SNAPSHOT | E_ENTITLEMENT_RECORDED | E_LEDGER_APPLIED | E_CORRECTION",
  "subject": "account_id / wallet / allocation_id / asset_id",
  "chain": { "chain_type": "EVM|TRON|...", "chain_id": "..." },
  "ruleset_version": "vX.Y",
  "observed_at_utc": "YYYY-MM-DDTHH:MM:SSZ",
  "anchors": { "tx_hash": "...", "log_index": "...", "block_number": "...", "block_hash": "...", "finality": "..." },
  "inputs": { "evidence": "...", "params": {}, "refs": ["..."] },
  "validation": { "passed": true, "checks": ["..."] },
  "effects": { "state_delta": "...", "records_written": ["..."] }
}

V — Validation Predicates (Acceptance Gates)

V defines the acceptance gate for events. If validation fails, the event must not influence derived state. Validation exists for deterministic replay, consistency, and audit reconstruction.

Base Evidence Requirements

Field Requirement Purpose
chain_type / chain_id Required Disambiguates chain semantics and confirmation rules.
event_uid Required and unique under idempotency key Prevents double application.
anchor Required Provides a verifiable reference to an authoritative source.
ruleset_version Required Binds interpretation to a declared forward-only ruleset.
observed_at Required Supports ordering and audit timeline reconstruction.

USD Valuation Evidence Clause

If USD valuation influences eligibility, tier selection, allocation, vesting, or any canonical outcome, then USD becomes an audit input and must be reconstructable from oracle evidence under deterministic rules.

Hard Rule
If USD valuation affects outcomes, a valid E_PRICE_SNAPSHOT must exist and must include oracle type, feed address, round id or equivalent oracle pointer, and a chain anchor that allows independent reconstruction.
Field Requirement Notes
oracle_type Required For example CHAINLINK. Defines the reconstruction method.
feed_address Required Canonical price feed contract address.
round_id Required Pointer used to reconstruct the exact answer at snapshot time.
answer / decimals Required Exact numeric value used for computation.
updated_at Required if oracle provides it Oracle-provided update timestamp.
block_number and/or block_hash Required, prefer both Binds the snapshot to chain context for replay.
anchor Required Verifiable evidence reference used during reconstruction.
UI-Only USD
If USD is displayed for convenience only and does not affect outcomes, it must be labeled non-authoritative and must not be used in canonical transition logic.

δ — Controlled Transition Function

δ defines controlled execution: δ(S, E) → S′. No transition is permitted without a validated event, and the system must remain explainable under retries, partial failures, restarts, and replay.

Transition Pipeline

observe   : accept evidence into E only after V passes
confirm   : apply chain-aware confirmation gates
valuate   : if USD affects outcomes, require E_PRICE_SNAPSHOT with full oracle evidence
entitle   : record entitlement/allocation as append-only output bound to ruleset_version
apply     : apply to ledger idempotently
correct   : represent corrections as new events referencing prior anchors
Authority Boundary
Operator actions may initiate workflows, but they cannot create canonical outcomes without validated events and controlled transitions. Authority exists to enforce rules, not to override them.

Layer Mapping

Layers act as operational boundaries. Each layer either constrains transitions, executes them, or renders them. No layer may silently override another.

World Layer

Role: expresses world constraints such as scarcity, resource flows, and ownership semantics.

  • Controls: world rules vocabulary and constraint boundaries.
  • Cannot: establish truth or authorize outcomes through presentation alone.

Protocol Layer

Role: defines the state machine and ruleset governing allowed transitions.

  • Controls: S, E, V, δ specification and acceptance gates.
  • Cannot: rewrite past state; corrections must be new events.

Token Layer

Role: represents entitlements such as allocations, vesting, and lockups in enforceable form.

  • Controls: vesting schedules, lockups, and transfer constraints.
  • Cannot: imply market availability or rewrite entitlement history.

Market Layer

Role: governs exposure, DEX activation policy, and liquidity constraints.

  • Controls: market activation gates and exposure constraints.
  • Cannot: weaken protocol invariants or retroactively affect records.

Infrastructure Layer

Role: handles controlled execution through watchers, signers, settlement loops, and idempotent writers.

  • Controls: reliable and secure execution of δ.
  • Cannot: redefine rules; it enforces the protocol layer.

UI / Read Models

Role: renders derived views, projections, search surfaces, and operator-readable summaries.

  • Controls: presentation and UX clarity.
  • Cannot: become a truth source; may lag or fail without altering outcomes.

Truth Sources

The architecture distinguishes authoritative sources from informational surfaces so truth does not shift accidentally during outages, retries, cache drift, or rendering errors.

Authoritative

  • Chain anchors: finalized blocks, receipts, and logs that are independently verifiable.
  • Accepted events: append-only E stream produced under V and δ.
  • Append-only records: ledger and entitlement records written idempotently.

Non-Authoritative

  • UI displays: cached, delayed, or misrendered views.
  • Client session state: non-binding convenience context.
  • Estimates: projections that must never gate canonical transitions.

Versioning & Forward-Only Policy

PVERSE evolves through forward-only updates. Parameter changes may be required to improve balance, mitigate abuse, or address technical constraints. Such changes apply to future outcomes only and do not rewrite history.

Ruleset Binding
Every canonical outcome must bind to a declared ruleset_version. Past allocations, eligibility decisions, and vesting records remain valid under the ruleset that produced them.

Failure Boundaries

The architecture defines what may degrade safely and what must not fail. Non-critical degradation is permitted. Integrity-critical boundaries must remain intact.

May Degrade Safely

  • UI delays, stale read models, and non-critical cache issues.
  • Indexing lag and temporary read-only limitations.
  • Non-critical service restarts that do not rewrite state.

Must Not Fail

  • Key boundaries: signing keys and sensitive credentials remain protected.
  • State atomicity: no double allocation, no duplicate entitlement application, no divergent commit state.
  • Audit integrity: history remains preserved and explainable via recorded events and anchors.
Audit Stance
If a component cannot guarantee invariants, it must fail closed for canonical outcomes. Degraded operation is acceptable only when it cannot alter authoritative truth.

Summary

  • PVERSE architecture is specified as M = (S, E, V, δ, I) for audit-grade explainability.
  • I defines truth hierarchy, append-only history, idempotency, monotonic finality, and forward-only evolution.
  • S represents derived views that are useful but not authoritative by themselves.
  • E is the append-only evidence stream backing all outcome-affecting actions.
  • V gates acceptance and requires oracle/feed/round evidence when USD affects outcomes.
  • δ is controlled execution: no transition without validated events, replay safety, and reconstruction integrity.