Docs / Architecture

Layered architecture with explicit trust and control boundaries.

Architecture is separated on purpose so trust admission, execution control, and proof handling remain explicit and auditable.

Start Building API Reference

System Map

Architecture map: boundaries linked directly to layers.

Authoring Boundary

Layers: L1-L2

Trust Boundary

Layers: L3

Execution Boundary

Layers: L4-L6

Authoring Boundary

Compiler / DSL Layer

Bundle and Signing Layer

Trust Boundary

Citadel / Verifier Layer

Execution Boundary

Runtime Kernel Layer

API / Integration Layer

Hardware Mapping Layer

System control path

Input -> Admission -> Runtime -> Commit -> Proof

Layer Stack

L1-L6 as one vertical architecture stack.

Compiler / DSL Layer

Responsibility: Transform domain logic into canonical runtime representation.

Boundary: Authoring boundary

Output: Canonical workload bundle

Bundle and Signing Layer

Responsibility: Canonicalize payloads and attach verification metadata.

Boundary: Authoring boundary

Output: Signed bundle and identity context

Citadel / Verifier Layer

Responsibility: Apply admission policy and trust checks before execution.

Boundary: Trust boundary

Output: Verified workload admission

Runtime Kernel Layer

Responsibility: Execute topology-constrained workloads with bounded runtime.

Boundary: Execution boundary

Output: Deterministic runtime state

API / Integration Layer

Responsibility: Expose stable contract surfaces for integrators and operators.

Boundary: Execution boundary

Output: Controlled API response

Hardware Mapping Layer

Responsibility: Align runtime model with hardware-oriented deployment paths.

Boundary: Execution boundary

Output: Hardware-compatible execution model

Boundary View

Security and correctness stay explicit because layers stay separated.

Authoring Boundary

L1-L2 define how logic is authored, canonicalized, and signed before admission.

Layer scope: L1-L2

Trust Boundary

L3 controls identity, policy, and trust admission before workload can execute.

Layer scope: L3

Execution Boundary

L4-L6 govern runtime behavior, proof path, API contract, and hardware alignment.

Layer scope: L4-L6

Control Sequence

Input -> Admission -> Runtime -> Commit -> Proof.

Input->

Admission->

Runtime->

Commit->

Proof

Step 01

Input

Workload enters as canonical bundle.

Step 02

Admission

Policy and trust checks decide if runtime can proceed.

Step 03

Runtime

Topology-constrained execution begins with bounded budget.

Step 04

Commit

Accepted result crosses controlled finalization boundary.

Step 05

Proof

Signed metadata enables verification and replay consistency.

Why Separation Matters

Layer separation keeps trust, execution, and proof independently reviewable.

Trust stays explicit

Admission policy and trust context are isolated before runtime starts.

Execution stays constrained

Runtime cannot bypass topology, budget, or control boundaries.

Proof stays auditable

Commit and proof outputs remain verifiable through a controlled path.

Preparing deterministic execution surface.

Restoring policy context, topology constraints, and proof pipeline metadata.

Validate

Route

Seal

Architecture map: boundaries linked directly to layers.

Authoring Boundary

Layers: L1-L2

Trust Boundary

Layers: L3

Execution Boundary

Layers: L4-L6

Authoring Boundary

Compiler / DSL Layer

Bundle and Signing Layer

Trust Boundary

Citadel / Verifier Layer

Execution Boundary

Runtime Kernel Layer

API / Integration Layer

Hardware Mapping Layer

System control path

Input -> Admission -> Runtime -> Commit -> Proof

L1-L6 as one vertical architecture stack.

Compiler / DSL Layer

Responsibility: Transform domain logic into canonical runtime representation.

Boundary: Authoring boundary

Output: Canonical workload bundle

Bundle and Signing Layer

Responsibility: Canonicalize payloads and attach verification metadata.

Boundary: Authoring boundary

Output: Signed bundle and identity context

Citadel / Verifier Layer

Responsibility: Apply admission policy and trust checks before execution.

Boundary: Trust boundary

Output: Verified workload admission

Runtime Kernel Layer

Responsibility: Execute topology-constrained workloads with bounded runtime.

Boundary: Execution boundary

Output: Deterministic runtime state

API / Integration Layer

Responsibility: Expose stable contract surfaces for integrators and operators.

Boundary: Execution boundary

Output: Controlled API response

Hardware Mapping Layer

Responsibility: Align runtime model with hardware-oriented deployment paths.

Boundary: Execution boundary

Output: Hardware-compatible execution model

Security and correctness stay explicit because layers stay separated.

Authoring Boundary

L1-L2 define how logic is authored, canonicalized, and signed before admission.

Layer scope: L1-L2

Trust Boundary

L3 controls identity, policy, and trust admission before workload can execute.

Layer scope: L3

Execution Boundary

L4-L6 govern runtime behavior, proof path, API contract, and hardware alignment.

Layer scope: L4-L6

Input -> Admission -> Runtime -> Commit -> Proof.

Input->

Admission->

Runtime->

Commit->

Proof

Step 01

Input

Workload enters as canonical bundle.

Step 02

Admission

Policy and trust checks decide if runtime can proceed.

Step 03

Runtime

Topology-constrained execution begins with bounded budget.

Step 04

Commit

Accepted result crosses controlled finalization boundary.

Step 05

Proof

Signed metadata enables verification and replay consistency.