|
| 1 | +Technical Note — Execution-Boundary Admissibility for Composite Transactions |
| 2 | +Ricky Jones / AlvianTech / TrinityOS — 14 May 2026 |
| 3 | + |
| 4 | +Distributed transaction protocols already handle important parts of the commit problem. |
| 5 | + |
| 6 | +Two-phase commit asks whether participants can agree to commit or abort. Its prepare phase asks each node whether it can promise to carry out the update, and its commit phase carries the update out. |
| 7 | + |
| 8 | +Paxos Commit improves the fault-tolerance of the commit decision. Gray and Lamport describe classic two-phase commit as the special case of Paxos Commit with zero coordinator faults tolerated; Paxos Commit generalises transaction commit by running consensus over commit or abort decisions. |
| 9 | + |
| 10 | +Saga patterns solve a different problem: coordinating work across distributed services and compensating when one step fails. Microsoft describes Saga as a pattern for maintaining data consistency across services, with compensating transactions used to undo work when an eventually consistent operation fails. |
| 11 | + |
| 12 | +Those mechanisms are useful. |
| 13 | + |
| 14 | +But they do not, by themselves, produce an execution-boundary admissibility proof. |
| 15 | + |
| 16 | +They can record that a transaction committed, aborted, retried, compensated, or reached agreement. |
| 17 | + |
| 18 | +They do not necessarily prove that, at the moment of binding: |
| 19 | + |
| 20 | +authority was fresh |
| 21 | +canonical state was current |
| 22 | +the proposed transition remained admissible |
| 23 | +dependent sub-transitions still preserved the required invariant |
| 24 | +refusal occurred before mutation where admissibility failed |
| 25 | + |
| 26 | +That is the missing governance layer. |
| 27 | + |
| 28 | +A composite proposal may decompose into several governed sub-transitions. Each sub-transition may appear locally valid. But the proposal as a whole may become inadmissible if the dependency structure no longer holds at bind time. |
| 29 | + |
| 30 | +For example: |
| 31 | + |
| 32 | +proposal: |
| 33 | + deploy billing update |
| 34 | + |
| 35 | +sub-transitions: |
| 36 | + schema migration |
| 37 | + authorization model update |
| 38 | + reconciliation logic update |
| 39 | + API contract update |
| 40 | + |
| 41 | +If the schema migration binds while the authorization update fails and the API contract partially changes, the system may reach a state that is transactionally recorded but governance-invalid. |
| 42 | + |
| 43 | +The commit record says what happened. |
| 44 | +The admissibility receipt must say why it was allowed to happen — or why it was refused before mutation. |
| 45 | + |
| 46 | +This is the execution-boundary claim: |
| 47 | + |
| 48 | +Governance for composite transactions requires a proof object generated at bind time, not merely a commit outcome, compensation path, or post-hoc audit record. |
| 49 | + |
| 50 | +In TrinityOS terms, the control surface is not only: |
| 51 | + |
| 52 | +prepare → commit / abort |
| 53 | + |
| 54 | +It is: |
| 55 | + |
| 56 | +proposal set |
| 57 | +→ decomposition |
| 58 | +→ authority check |
| 59 | +→ canonical state check |
| 60 | +→ dependency admissibility check |
| 61 | +→ commit gate |
| 62 | +→ allow / refuse / hold |
| 63 | +→ receipt |
| 64 | +→ audit trail |
| 65 | + |
| 66 | +The receipt is the important object. |
| 67 | + |
| 68 | +For weakly coupled proposals, the receipt may show that a subset was allowed to bind while another sub-transition was refused. |
| 69 | + |
| 70 | +For strongly coupled proposals, the receipt may show that no partial bind was admissible because the dependency set failed as a whole. |
| 71 | + |
| 72 | +Either way, governance is not satisfied by saying the transaction completed. |
| 73 | + |
| 74 | +It must be able to show that the consequence-producing transition was authorised, admissible, and bounded at the moment it crossed into mutation. |
| 75 | + |
| 76 | +Claim boundary |
| 77 | + |
| 78 | +This note does not claim production deployment, standards authority, certification, external audit, or field ownership. |
| 79 | + |
| 80 | +It defines a narrow architectural distinction: |
| 81 | + |
| 82 | +Existing distributed commit and recovery patterns address agreement, consistency, and compensation. |
| 83 | + |
| 84 | +Execution-boundary governance requires an additional admissibility proof layer: a receipt-bearing control surface that proves whether a transition or transition-set was allowed, refused, or held before mutation. |
| 85 | + |
| 86 | +References |
| 87 | + |
| 88 | +Martin Fowler, Two-Phase Commit: https://martinfowler.com/articles/patterns-of-distributed-systems/two-phase-commit.html |
| 89 | + |
| 90 | +Jim Gray and Leslie Lamport, Consensus on Transaction Commit: https://arxiv.org/abs/cs/0408036 |
| 91 | + |
| 92 | +Microsoft Azure Architecture Center, Saga design pattern: https://learn.microsoft.com/en-us/azure/architecture/patterns/saga |
| 93 | + |
| 94 | +Microsoft Azure Architecture Center, Compensating Transaction pattern: https://learn.microsoft.com/en-us/azure/architecture/patterns/compensating-transaction |
0 commit comments