Commit-Gated Execution

Polaris enforces a single invariant:

Side effects cannot occur except as a consequence of a validated, committed canonical state transition.

Execution authority is structurally bound to committed canonical state — enforced as a direct consequence of the model definitions, not policy.

Core Invariant

No side effect may occur unless it is authorized from the current committed canonical state — and that authorization decision is recomputable from canonical history under explicit model assumptions.

I1: Canonical Progression Uniqueness

At most one committed successor exists per canonical state. Enforced via atomic compare-and-swap at the linearization point.

∀ Sₙ : |successor(Sₙ)| ≤ 1
I2: Mandatory Validation Precondition

No state advancement without validation-pass. The commit authority independently verifies conditions before advancing the pointer.

∀T : commit(T) ⇒ V(T) = PASS
I3: Execution Causality Binding

Side effects require a state identifier equal to the canonical pointer at evaluation time. The gate enforces I3 in any conformant implementation.

execute(E, Sᵣ) ⟹ h(Sᵣ) = h(Sₙ)
01. Proposed Transition

A Proposed State Transition Object (PSTO) carries a canonical pointer reference, class identifier, payload, state reference and application-level payload. All PSTOs are normalized into a deterministic canonical encoding before validation.

02. Canonical Layer

The Commit Authority atomically advances the canonical pointer via CAS — the linearization point of the system. Canonical History is append-only, tamper-detectable via replay verification, and deterministically replayable.

03. Execution Layer

The Execution Gate permits side effects only when the execution request's state pointer equals the current canonical pointer. Mismatch produces structural rejection with no side effect. Each subsystem is bound to exactly one verb. No component may both propose and commit, or validate and execute.
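
A minimal model of I1 to I3 and of replay verification, added here as an illustration; it is not Polaris code. The class names, the "parent" field standing in for the PSTO's canonical pointer reference, the JSON/SHA-256 canonical encoding, and the validation rule are all assumptions. A lock stands in for the atomic compare-and-swap.

```python
import hashlib, json, threading

def h(obj):
    # Deterministic canonical encoding (sorted keys, fixed separators), then SHA-256.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def validate(psto):
    return psto["payload"].get("amount", 0) > 0  # constructed rule standing in for V(T)

class CommitAuthority:
    def __init__(self, validate):
        self._lock = threading.Lock()        # models the atomic CAS
        self._validate = validate
        self.genesis = self.pointer = h({"genesis": True})
        self.history = []                    # append-only canonical history

    def commit(self, psto):
        # I2: the authority re-validates on its own; it does not trust the proposer.
        if not self._validate(psto):
            return False
        with self._lock:
            # I1: only a PSTO naming the current pointer can advance it,
            # so each state gets at most one committed successor.
            if psto["parent"] != self.pointer:
                return False
            self.history.append(psto)
            self.pointer = h(psto)
            return True

def replay(genesis, history, validate):
    # Recompute the pointer from history alone; a tampered entry changes the result.
    ptr = genesis
    for psto in history:
        if psto["parent"] != ptr or not validate(psto):
            raise ValueError("history does not replay")
        ptr = h(psto)
    return ptr

class ExecutionGate:
    def __init__(self, authority):
        self._authority = authority
        self.effects = []                    # stands in for real side effects

    def execute(self, effect, state_ref):
        # I3: the request's state reference must equal the canonical pointer now.
        if state_ref != self._authority.pointer:
            return False                     # structural rejection, no side effect
        self.effects.append(effect)
        return True
```

In a concurrent deployment the gate's pointer check and the side effect would also have to be atomic with respect to commits; this single-threaded model does not show that.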