Core concepts
The dual-law commit
Every commit enforces two conservation laws at once. The money must balance, and the authority must balance. A transaction posts only if both hold, in a single atomic step, with no window between them.
Two laws, one commit
Double-entry bookkeeping has survived five hundred years because it makes a class of error impossible rather than merely detectable. If debits do not equal credits, the entry is not a bad entry; it is not an entry. The constraint is structural.
Axorum adds a second constraint of the same kind, and enforces it in the same step.
The conservative law
Debits equal credits, per currency, across every leg of the transaction. The classical invariant, with one deliberate widening: two to thirty-two journal legs rather than exactly two, because real accounting entries split.
Amounts are integer minor units in checked 128-bit arithmetic. There is no floating point anywhere in the commit path.
The money balances, or nothing posts.
The normative law
The action was permitted, obligated, or forbidden under the policy in force at commit time, and every obligation the transaction touches is accounted for. Duties it discharges are closed. Duties it incurs are opened. Duties that fell due are breached, and any contrary-to-duty reparation they carry is instantiated at the breach tick.
The authority balances, or nothing posts.
Why it must be one commit
The obvious alternative is to run an authorization check, and then, if it passes, write the entry. Almost every system in production does this. It is wrong in a specific and expensive way.
Between the check and the write there is a window. In that window the policy can change, the delegation can expire, the counterparty can fall off the approved list, or a concurrent transaction can consume the budget the check just verified. The system will then post an entry that its own policy forbids, and the log will say it was authorized, because at the moment it was checked, it was.
For a human-initiated transaction this is usually survivable, because a human is still around to notice. For an agent that has already exited, it is not. Nobody notices, and the books say it was fine.
Axorum closes the window by removing it. The verdict and the entry are computed in the same state transition against the same state. There is no interval in which the two can disagree, because there is no interval.
The pin is not optional
Every proposal carries the id of the policy the agent believes is in force. If that pin is stale, the transaction is rejected deterministically, before anything is evaluated. The agent is never told one verdict while the books record another.
Determinism is what makes it hold
The commit is a pure function of its op sequence. Policy evaluation reads no wall clock, uses no floating point, performs no external calls, iterates in no unspecified order, and has a bounded cost. Time enters as an explicit tick supplied by the substrate, never read from the machine.
This is not stylistic. It is what lets the same verdict be reached bit-for-bit on every replica in a consensus group, which is what lets the ledger be replicated at all. A ledger whose control decisions depend on which machine evaluated them is not a ledger; it is a set of opinions.
It also means an auditor holding the transaction and the policy bundle it names — by content hash — can replay the evaluation and must obtain the identical provenance record. The provenance is self-contained. Replay is meaningful because determinism makes it meaningful.
The shape of a commit
An intent arrives at the gateway carrying five things: who the agent is and what it is attested to do, the journal legs it proposes, the deontic action it claims to be performing, the evidence it references, and the policy it believes is in force.
The gateway is the one place where non-determinism lives. It resolves the agent:// identity, verifies the PASETO capability attestation, and joins the delegation — checking not only that the agent is who it says, but that the action it proposes falls inside the scope and window it was delegated. Authentication failures never reach the ledger, and never produce a verdict.
What reaches the ledger is a proposal, and the ledger does exactly one thing with it: it commits, atomically, under both laws, or it does not.
{
"verdict": "ObligatedPending",
"posted": true,
"policy": "b2f4e1c0a7d3...c19d",
"obligations_pending": [
{
"rule": "receipt_within_48h",
"state": "Active",
"deadline": 1447
}
]
}
The transaction posted. It also opened a commitment, and that commitment is now first-class, queryable state — the trial balance for obligations, sitting alongside the trial balance for money.
What follows
The commit resolves to exactly one of five verdicts. The rules it is judged against are written in the policy language. The commitments it opens and closes move through the obligation lifecycle.