The five-layer kernel, the three canonical outputs, the determinism principle, and the Time Sovereignty Layer. Architectural depth, not implementation internals.
The kernel is described at the architectural level. It is composed of five layers — PAL, IML, CL, DCL, AGL — each with a single responsibility and an explicit boundary with its neighbours. Implementation details are out of scope for the public site; the intent here is to give regulators, auditors, and federation officials a clean conceptual model they can reason about.
PAL (Perception & Acquisition Layer). Receives authorized inputs from connected systems through governed API connections. Inputs are stamped with their provenance: source, time, signature, and policy version under which they were accepted.
IML. Maps raw inputs to typed, policy-relevant facts. Untyped, malformed, or out-of-scope inputs are rejected here — they do not reach the deterministic kernel.
CL. Evaluates policy preconditions against the typed facts. Encodes the institution's rules, the regulator's requirements, and the operational constraints of the vertical. Versioned and auditable.
DCL. Emits the canonical output: ALLOW, DEFER, or SYSTEM_UNVERIFIED. Same typed facts, same policy version, same output. No probabilistic component participates in this step.
AGL. Routes DEFER and SYSTEM_UNVERIFIED to identified humans within scope, manages authorization for irreversible actions, and writes the final outcome to the forensic chain.
Each layer has a defined input contract and a defined output contract. A regulator can audit any one layer in isolation; an insurer can scope coverage to layer-level guarantees; a federation can scope a pilot to specific verticals' policy and constraint sets.
The DCL emits exactly one of three states. The set is closed: there is no fourth state, no probabilistic blend, no "maybe." This closure is what makes the platform reviewable.
ALLOW
Meaning. All policy preconditions are satisfied. The action is permitted under the policy version that produced the decision.
Worked example. A scheduled VAR review request arrives from an authorized federation API, the policy preconditions for review are satisfied, the inputs are signed and within their freshness window — ALLOW. The decision and inputs are written to the chain.
DEFER
Meaning. The system declines to authorize without human input. DEFER is not a refusal — it is a pause state with a defined escalation path to a named human within scope.
Worked example. A clinical trial workflow requests a protocol amendment that touches a category requiring sponsor sign-off. DEFER is emitted, routed to the named principal investigator. On their authorization, the chain records both the deferral and the resolution.
SYSTEM_UNVERIFIED
Meaning. A precondition for verification cannot be evaluated. The system refuses to guess. Human authority resolves the gap before any action proceeds.
Worked example. A stadium safety request arrives but the upstream sensor stream is partially missing or its signature is stale. SYSTEM_UNVERIFIED is emitted, routed to operations. The action does not proceed under any reading of "best effort."
Probabilistic systems return a number. Numerical outputs invite thresholds, thresholds invite tuning, and tuning invites the slow drift of governance into operations. Three discrete states with explicit semantics keep governance auditable as the operational team changes over years and decades.
The defining property of the platform: same input, same output, always. Given the same typed facts and the same policy version, the DCL produces the same canonical output. Decisions are reconstructible from the chain. Reviewers receive the same answer when they review.
Determinism does not mean the platform ignores probabilistic evidence. Model outputs, sensor confidences, and other probabilistic signals can flow in through the PAL, be typed by the IML, and evaluated by deterministic policy in the CL. The probabilistic input is treated as evidence; the institutional judgment is deterministic.
Every decision writes a record to the chain. A record carries the typed inputs, the policy version, the output, the provenance, and an ECDSA P-256 signature. Each record links to its predecessor by hash — the standard linked-record construction. Tampering with any record invalidates every downstream record's hash.
Two practical consequences follow. First, any past decision can be replayed: a reviewer reconstructs the typed inputs from the record, applies the named policy version, and verifies the output matches. Second, the chain is forensically timestamped via OpenTimestamps; the current sealed-core proof carries the public ID SOV-2026-02-26.
The forensic chain is treated in detail on the Determinism & forensic traceability page.
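The hash link and the replay check described above, as an added example that is not the platform's own code. The record field names, the rule inside `decide`, the `policy-v1` label and the sample facts are constructed assumptions; the ECDSA P-256 signature and the OpenTimestamps proof are left out so the sketch runs on the standard library alone.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed anchor for the first record


def decide(facts, policy_version):
    """Hypothetical rule set standing in for the CL and DCL."""
    if policy_version != "policy-v1":  # constructed version label
        raise ValueError("unknown policy version")
    if facts.get("inputs_fresh") is not True:  # missing or stale: never guess
        return "SYSTEM_UNVERIFIED"
    return "DEFER" if facts.get("requires_signoff") else "ALLOW"


def record_hash(body):
    # Canonical JSON so the same record always hashes to the same value.
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def append(chain, facts, policy_version, source):
    body = {"prev": chain[-1]["hash"] if chain else GENESIS,
            "facts": facts, "policy_version": policy_version,
            "output": decide(facts, policy_version), "provenance": source}
    chain.append({**body, "hash": record_hash(body)})


def audit(chain):
    """Index of the first record failing hash link or replay, else None."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or record_hash(body) != rec["hash"]:
            return i  # broken link or altered content
        if decide(rec["facts"], rec["policy_version"]) != rec["output"]:
            return i  # stored output does not match the replayed decision
        prev = rec["hash"]
    return None


def demo():
    chain = []
    for facts in ({"inputs_fresh": True, "requires_signoff": False},
                  {"inputs_fresh": True, "requires_signoff": True},
                  {"inputs_fresh": None, "requires_signoff": False}):
        append(chain, facts, "policy-v1", "constructed-source")
    return chain
```

Editing a stored record is caught at that record by the hash check; recomputing its hash to hide the edit moves the failure to the next record, whose `prev` no longer matches.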
An irreversible action — a decision that cannot be cleanly reversed by a subsequent decision — requires a human authorization step. The Time Sovereignty Layer is the architectural surface that makes that requirement load-bearing.
For any action classified by policy as irreversible, the AGL routes the request to a named human within scope, captures their authorization with their signature and time, and writes the authorization to the chain alongside the underlying decision. The action does not proceed in the absence of a valid authorization. The human's authority is preserved by architecture, not by procedure.
The set of reversible vs. irreversible actions is defined by the vertical's policy. In football governance, a referee designation change before kick-off may be reversible; a medical clearance for return-to-play that triggers selection is treated as irreversible by policy. The classification lives in the CL, is versioned, and is auditable.