Commit-Gated
Execution

A narrow execution-authority invariant

Side effects may be admitted only when the execution request is authorized relative to the current committed canonical state. Conformant implementations enforce this at the Execution Gate. Under explicit model assumptions, the authorization decision is recomputable from canonical history.

Polaris uses familiar mechanisms such as CAS and versioned state. It does not provide consensus, idempotency, workflow orchestration, external settlement, or reconciliation.

Core Invariant No side effect may be admitted unless the execution request is authorized relative to the current committed canonical state at gate-evaluation time. Under explicit model assumptions, that authorization decision is recomputable from canonical history.
I1

Canonical Progression Uniqueness

At most one committed successor exists per canonical state. Enforced via atomic compare-and-swap at the linearization point.

∀ Sₙ : |successor(Sₙ)| ≤ 1
I2

Mandatory Validation Precondition

No state advancement without validation-pass. The commit authority independently verifies conditions before advancing the pointer.

∀T : commit(T) ⇒ V(T) = PASS
I3

Execution Causality Binding

Side effects require a state identifier equal to the canonical pointer at evaluation time. The gate enforces I3 in any conformant implementation.

execute(E, Sᵣ) ⟹ Sᵣ = Sₙ
01

Proposed Transition

A Proposed State Transition Object (PSTO) carries a canonical pointer reference, class identifier, payload, state reference and application-level payload. All PSTOs are normalized into a deterministic canonical encoding before validation.

02

Canonical Layer

The Commit Authority atomically advances the canonical pointer via CAS — the linearization point of the system. Canonical History is append-only and tamper-evident. Under the model assumptions, conformant verifiers can recompute canonical progression and authorization decisions from that history.

03

Execution Layer

The Execution Gate permits side effects only when the execution request's state pointer equals the current canonical pointer. Mismatch produces structural rejection with no side effect. Each subsystem is bound to exactly one verb. No component may both propose and commit, or validate and execute.