Polaris enforces a single invariant:
Side effects cannot occur except as a consequence of a validated, committed canonical state transition.
Execution authority is structurally bound to canonical state — enforced by construction, not policy.
Every observable side effect must originate from a committed transition. If origin cannot be established, the effect is excluded.
At most one committed successor exists per canonical state. Enforced via atomic compare-and-swap at the linearization point.
∀ Sₙ : |successor(Sₙ)| ≤ 1
No state advancement without validation-pass. The commit authority independently verifies conditions before advancing the pointer.
∀T : commit(T) ⇒ V(T) = PASS
Side effects require a state identifier equal to the canonical pointer at evaluation time. The gate is non-bypassable by structural design.
execute(E, S_r) ⟹ S_r = canonical_pointer
A Proposed State Transition Object (PSTO) carries a canonical pointer reference, class identifier, payload, credentials, and proof bundle. All PSTOs are normalized into a deterministic canonical encoding before validation.
The Commit Authority atomically advances the canonical pointer via CAS — the linearization point of the system. The resulting state chain is append-only, tamper-evident, and deterministically replayable.
The Execution Gate permits side effects only when the execution request's state pointer equals the current canonical pointer. Mismatch produces structural rejection with no side effect.
Each subsystem is bound to exactly one verb. No component may both propose and commit, or validate and execute.
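A minimal single-process model of the commit authority, state chain and execution gate described above, added here as an illustration and not Polaris code. The class names, the PSTO field name `parent`, the JSON encoding, the SHA-256 chaining and the lock standing in for CAS are all assumptions.

```python
import hashlib, json, threading
GENESIS = "0" * 64  # constructed genesis state identifier (assumption)

def canonical_encode(psto):  # deterministic: sorted keys, fixed separators
    return json.dumps(psto, sort_keys=True, separators=(",", ":")).encode()

def state_id(parent, encoded):
    return hashlib.sha256(parent.encode() + encoded).hexdigest()

class CommitAuthority:  # hypothetical model: sole writer of the pointer
    def __init__(self, validator):
        self._lock = threading.Lock()  # stands in for an atomic CAS
        self._pointer = GENESIS
        self._validator = validator
        self.chain = []                # append-only: (parent, id, encoded)

    def pointer(self):
        with self._lock:
            return self._pointer

    def commit(self, psto):
        if self._validator(psto) is not True:   # commit(T) => V(T) = PASS
            return None
        parent, encoded = psto["parent"], canonical_encode(psto)
        new_id = state_id(parent, encoded)
        with self._lock:                        # linearization point
            if self._pointer != parent:         # CAS fails: stale proposal
                return None
            self._pointer = new_id
            self.chain.append((parent, new_id, encoded))
        return new_id

class ExecutionGate:
    def __init__(self, authority):
        self._authority, self.effects = authority, []

    def execute(self, effect, state_ref):
        if state_ref != self._authority.pointer():
            return False                        # rejected, no side effect
        self.effects.append((state_ref, effect))
        return True

def replay(chain):  # recompute every link from genesis; raise if altered
    ptr = GENESIS
    for parent, sid, encoded in chain:
        if parent != ptr or state_id(parent, encoded) != sid:
            raise ValueError("chain is not a valid extension of genesis")
        ptr = sid
    return ptr
```

Two proposals that name the same parent race for one slot: whichever reaches the lock first wins, and the other is returned `None` because its parent no longer equals the pointer.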