Core architecture
Scope
koto7 is split into four core planes:
| Plane | Responsibility |
|---|---|
| API plane | GraphQL schema, auth, tenant scoping, command mapping |
| Orchestration plane | Durable workflow coordination and retries |
| Domain plane | Business state transitions and validation rules |
| Ledger adapter plane | Policy-based routing to private/public chains |
Invariants
- API plane must validate tenant scope before domain access.
- Domain plane must enforce business rules independent of transport layer.
- Ledger adapter must never accept person-identifying job payloads.
Failure Modes
- Resolver-level bypass of tenant context.
- Cross-plane coupling that creates implicit state transitions.
- Ledger routing drift due to unversioned policy changes.
Out of Scope
- Vendor-specific infrastructure implementation details.
- Internal performance tuning playbooks and thresholds.
- Environment-specific deployment topology diagrams.