08 Concepts

Alex Flom edited this page May 23, 2026 · 37 revisions

Cross-cutting Concepts

This chapter specifies concepts that span multiple components and constrain Prism’s behavior across boundaries. Each concept is normative; an implementation that does not satisfy a concept’s specification does not conform to Prism.

The concepts below are organized by the architectural concern they address. Concepts referenced from constraints (section 2) or from architecture decisions (section 9) are cross-referenced explicitly.

Trace Wire Format

The trace wire format is the byte representation of a Trace value as it crosses the boundary between the application author’s executable and the application user. The format is normative: cross-implementation interoperability for replay verification depends on the format being fixed.

Trace Structure

A Trace is a tuple of:

| Field | Type | Constraint |
|---|---|---|
| format_version | u32 | MUST equal TRACE_REPLAY_FORMAT_VERSION. The verifier rejects traces whose format version it does not recognize. |
| events | Sequence of TraceEvent | Length MUST NOT exceed the trace event-count ceiling carried by the application’s selected HostBounds. The events appear in the order in which the principal data path produced them. |
| fingerprint | ContentFingerprint | The content fingerprint of the Grounded<T> value the trace corresponds to. Computed once at mint time by the application author’s selected Hasher. The fingerprint is data carried by the trace; the verifier passes it through unchanged (constraint TC-05). |
| hasher_identifier | u32 | The identifier of the Hasher selection the author used. The verifier MUST be configured with a Hasher whose identifier matches; otherwise the verifier returns ReplayError::HasherMismatch. The hasher implementation itself is not embedded in the trace; only its identifier. |

TraceEvent Variants

Each TraceEvent is one of a fixed set of discriminated variants. The variants correspond one-to-one with the staged transitions of the principal data path (section 5, Level 3 Whitebox: pipeline). Each variant carries the data necessary for the verifier to confirm the corresponding transition was well-typed.

| Variant | Carries | Verifier check |
|---|---|---|
| DatumAdmitted | ContentFingerprint of the admitted Datum | Confirm the fingerprint width is in the byte-width range carried by the application’s selected HostBounds. |
| CompileUnitConstructed | ConstrainedTypeShape identifier; partial validation phase index | Confirm the shape identifier is in the foundation’s known catalog of shapes. |
| Validated | Phase discriminant; ConstraintRef references that were checked | Confirm the phase is valid; confirm each ConstraintRef is in the foundation’s known catalog. |
| PipelineRun | PrimitiveOp discriminants of the operations performed | Confirm each discriminant is in the foundation’s known PrimitiveOp catalog. |
| CertificateEmitted | CertificateKind discriminant; ContentAddress references | Confirm the kind is GroundingCertificate (or another known kind for certificate-of-certificate composition); confirm each ContentAddress references a fingerprint that appeared earlier in the event sequence. |
| CommitmentEvaluated (ADR-048) | List of observable:Observable IRIs the typed commitment evaluated, in left-associative AndCommitment order; the boolean conjunction result. | Confirm each Observable IRI is in the foundation’s closed observable:Observable catalog per ADR-038 + ADR-049’s amendment. Confirm the result byte is 0 or 1. Emitted by pipeline::run_route after the post-resolver C::evaluate consultation per ADR-048; models declaring C = EmptyCommitment (the default) emit this event with an empty IRI list and result = true. |

The verifier’s structural validation walks the event sequence in order, applying each variant’s check. A trace is well-formed if all checks pass. A trace is invalid if any check fails; the verifier returns ReplayError with the variant indicating which check failed.

Wire Encoding

The wire encoding of a Trace is a length-prefixed binary format:

| Offset | Length | Field |
|---|---|---|
| 0 | 4 bytes | format_version as little-endian u32 |
| 4 | 4 bytes | events.len() as little-endian u32 |
| 8 | Variable | Each TraceEvent, encoded as: 1 byte variant discriminant, 4-byte little-endian length prefix, payload bytes |
| After events | 4 bytes | fingerprint.len() as little-endian u32 |
| Then | Variable | fingerprint bytes |
| Then | 4 bytes | hasher_identifier as little-endian u32 |

The length prefix on each event allows the verifier to skip past unrecognized payload extensions in future format versions, while still rejecting events with unrecognized variant discriminants. This provides forward compatibility for trace producers without sacrificing strict validation in trace consumers.

The wire encoding is little-endian throughout. The encoding is specified at the byte level here so that a non-Rust implementation of the verifier (in any language) can produce a verifier that interoperates with traces produced by uor-foundation.
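
The layout above as a bounds-checked structural parser, given as an added example that is not code from uor-foundation or prism. The value of TRACE_REPLAY_FORMAT_VERSION, the discriminant byte values, the Bounds struct and every ReplayError variant other than HasherMismatch are assumptions; std's Vec is used for brevity although the crates themselves are #![no_std].

```rust
// Added example, not Prism's code. Assumed (not given on the page): the value of
// TRACE_REPLAY_FORMAT_VERSION, discriminant bytes 0..=5 for the six variants, the
// Bounds struct, and every ReplayError variant except HasherMismatch.
const TRACE_REPLAY_FORMAT_VERSION: u32 = 1; // placeholder value
const VARIANT_COUNT: u8 = 6; // placeholder: discriminants 0..=5 count as known

#[derive(Debug, PartialEq, Eq)]
pub enum ReplayError {
    Truncated,
    UnknownFormatVersion(u32),
    TooManyEvents(u32),
    FingerprintWidth(u32),
    TrailingBytes,
    HasherMismatch,
    UnknownVariant(u8),
}

/// Stand-in for the limits the page says the selected HostBounds carries.
pub struct Bounds {
    pub trace_max_events: u32,
    pub fingerprint_min_bytes: u32,
    pub fingerprint_max_bytes: u32,
}

#[derive(Debug, PartialEq, Eq)]
pub struct RawTrace<'a> {
    pub events: Vec<(u8, &'a [u8])>, // (variant discriminant, payload bytes)
    pub fingerprint: &'a [u8],
    pub hasher_identifier: u32,
}

struct Cursor<'a>(&'a [u8]);

impl<'a> Cursor<'a> {
    // Every read is bounds-checked: a hostile length yields Truncated, never a panic.
    fn take(&mut self, n: usize) -> Result<&'a [u8], ReplayError> {
        if n > self.0.len() {
            return Err(ReplayError::Truncated);
        }
        let (head, tail) = self.0.split_at(n);
        self.0 = tail;
        Ok(head)
    }
    fn u32_le(&mut self) -> Result<u32, ReplayError> {
        let b = self.take(4)?;
        Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
    }
}

pub fn parse_trace<'a>(wire: &'a [u8], bounds: &Bounds, verifier_hasher: u32) -> Result<RawTrace<'a>, ReplayError> {
    let mut cur = Cursor(wire);
    let version = cur.u32_le()?;
    if version != TRACE_REPLAY_FORMAT_VERSION {
        return Err(ReplayError::UnknownFormatVersion(version));
    }
    // The count is attacker-controlled: enforce the ceiling, and the bytes actually
    // present (each event needs 1 + 4 header bytes), before allocating.
    let count = cur.u32_le()?;
    if count > bounds.trace_max_events {
        return Err(ReplayError::TooManyEvents(count));
    }
    if count as usize > cur.0.len() / 5 {
        return Err(ReplayError::Truncated);
    }
    let mut events = Vec::with_capacity(count as usize);
    for _ in 0..count {
        let discriminant = cur.take(1)?[0];
        let len = cur.u32_le()? as usize;
        events.push((discriminant, cur.take(len)?));
    }
    let fp_len = cur.u32_le()?;
    let fingerprint = cur.take(fp_len as usize)?;
    let hasher_identifier = cur.u32_le()?;
    if !cur.0.is_empty() {
        return Err(ReplayError::TrailingBytes);
    }
    // hasher_identifier is the last field, so the framing has to be walked to reach
    // it; it is compared before discriminants or fingerprint width are validated.
    if hasher_identifier != verifier_hasher {
        return Err(ReplayError::HasherMismatch);
    }
    if fp_len < bounds.fingerprint_min_bytes || fp_len > bounds.fingerprint_max_bytes {
        return Err(ReplayError::FingerprintWidth(fp_len));
    }
    // Payloads were framed by length only; discriminants are still checked strictly.
    if let Some(&(d, _)) = events.iter().find(|(d, _)| *d >= VARIANT_COUNT) {
        return Err(ReplayError::UnknownVariant(d));
    }
    Ok(RawTrace { events, fingerprint, hasher_identifier })
}

fn main() {
    // Constructed sample: version 1, one event (discriminant 0, 2-byte payload),
    // 4-byte fingerprint, hasher identifier 7.
    let wire: &[u8] = &[1, 0, 0, 0, 1, 0, 0, 0, 0, 2, 0, 0, 0, 0xAA, 0xBB, 4, 0, 0, 0, 1, 2, 3, 4, 7, 0, 0, 0];
    let bounds = Bounds { trace_max_events: 16, fingerprint_min_bytes: 4, fingerprint_max_bytes: 32 };
    println!("{:?}", parse_trace(wire, &bounds, 7));
    println!("{:?}", parse_trace(wire, &bounds, 8));
}
```

Per-variant payload checks (the "Verifier check" column) would run on the returned events; this block covers framing, the event-count ceiling, the hasher match and discriminant strictness only.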

Certificate Format

The certificate format is the byte representation of a Certificate value as it appears inside Certified<C>. The format is normative for the same reason as the trace format.

Certificate Structure

A Certificate is a tuple of:

| Field | Type | Constraint |
|---|---|---|
| kind | CertificateKind | One of the discriminated variants in the foundation’s catalog (GroundingCertificate, plus variants for certificate-of-certificate composition). |
| addresses | Sequence of ContentAddress | The content addresses the certificate vouches for. For GroundingCertificate, this is the singleton sequence containing the address of the Grounded<T> value the certificate certifies. |

Each ContentAddress is a tuple of (ContentFingerprint, hasher_identifier: u32). Combining the fingerprint with the hasher identifier disambiguates content addresses across hasher selections: two Grounded<T> values produced by the same author with different hasher selections produce different ContentAddress values, even if the values' fingerprints (in different bit-widths) might collide as raw bytes.

Wire Encoding

The certificate’s wire encoding mirrors the trace’s: little-endian, length-prefixed, variant-discriminator-prefixed. The encoding is fully determined by the structure above; no additional cross-implementation interpretation is needed.

Sealing Discipline

The seven sealed types are sealed by Rust’s visibility rules alone (section 5, Level 3 Whiteboxes: uor-foundation enforcement and prism seal regime and replay). The seven types split between two crates:

  • The four UOR-domain types — Datum, Triad, Derivation, FreeRank — are sealed in uor-foundation. Each is a pub struct in enforcement whose fields are pub(crate) and whose constructors are pub(crate) fn. Within uor-foundation, the constructors are callable; from outside, they are not.

  • The three Prism-mechanism types — Validated, Grounded, Certified — are sealed in prism. Each is a pub struct in seal regime whose fields are pub(crate) and whose constructors are pub(crate) fn. Within prism, the constructors are callable (specifically by pipeline and replay); from outside, they are not.

The discipline:

  • For the four UOR-domain types: uor-foundation exposes a mint primitives component (a separate cross-crate-public surface) that internally calls enforcement's pub(crate) constructors. prism's pipeline calls these mint primitives at the Datum/Triad/Derivation/FreeRank admission stages. The architectural commitment of ADR-016 reserves prism's pipeline as the only sanctioned caller of the mint primitives; the commitment is normative but not Rust-enforced.

  • For the three Prism-mechanism types: prism's pipeline (for Validated, Grounded, Certified along the principal data path) and prism's replay (for Certified<GroundingCertificate> during verification) are the only callers of the seal regime’s pub(crate) constructors. There is no external path.

  • The only sanctioned paths through which an external consumer obtains a sealed value are pipeline::run (in prism, for the application author) and certify_from_trace (in prism, re-exported by prism-verify, for the application user). Both return sealed values that the seal regime has constructed internally.

This discipline is enforced exclusively at the Rust visibility level for both groups, with the cross-crate construction of the four UOR-domain types mediated by uor-foundation's mint primitives under the architectural commitment in ADR-016. It is what constraint TC-02 specifies and what ADR-006, ADR-011, and ADR-016 commit to. There is no other mechanism — no runtime check, no token type, no checksum.
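
The visibility rule described above, as an added example (not Prism's or uor-foundation's code) in which two modules stand in for the two crates and pub(super) stands in for pub(crate). pipeline::run is simplified to take bytes and return Grounded<usize>; foundation_like, prism_like, mint_datum and third_party are hypothetical names.

```rust
// Added example: modules model crates, pub(super) models pub(crate).
mod foundation_like {
    pub mod enforcement {
        pub struct Datum {
            pub(super) bytes: Vec<u8>, // field is invisible outside foundation_like
        }
        impl Datum {
            pub(super) fn new(bytes: Vec<u8>) -> Self {
                Datum { bytes }
            }
            pub fn len(&self) -> usize {
                self.bytes.len()
            }
        }
    }
    pub mod mint {
        // Cross-"crate" surface: it has to be pub so prism_like can reach it,
        // so visibility alone cannot restrict which caller uses it.
        pub fn mint_datum(bytes: Vec<u8>) -> super::enforcement::Datum {
            super::enforcement::Datum::new(bytes)
        }
    }
}

mod prism_like {
    pub mod seal {
        pub struct Grounded<T> {
            pub(super) value: T,
        }
        impl<T> Grounded<T> {
            pub(super) fn new(value: T) -> Self {
                Grounded { value }
            }
            pub fn get(&self) -> &T {
                &self.value
            }
        }
    }
    pub mod pipeline {
        use super::seal::Grounded;
        // Sanctioned path: the only public function that returns a Grounded.
        pub fn run(input: Vec<u8>) -> Grounded<usize> {
            let datum = super::super::foundation_like::mint::mint_datum(input);
            Grounded::new(datum.len())
        }
    }
}

mod third_party {
    // Compiles: the mint primitive is public, which is why the page calls the
    // "only prism's pipeline calls it" commitment normative but not Rust-enforced.
    pub fn mint_directly() -> usize {
        super::foundation_like::mint::mint_datum(vec![1, 2, 3]).len()
    }
    // Rejected by rustc if uncommented (private constructor, private field):
    // pub fn forge() { let _ = super::prism_like::seal::Grounded::new(42usize); }
    // pub fn forge_literal() { let _ = super::prism_like::seal::Grounded { value: 42usize }; }
}

fn main() {
    let grounded = prism_like::pipeline::run(vec![9, 9]);
    println!("grounded = {}, minted outside the pipeline = {}", grounded.get(), third_party::mint_directly());
}
```

When reviewing a dependency tree against this discipline, the seal-regime types need no audit beyond the compiler, while calls to the mint surface from crates other than prism have to be found by inspection.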

Hashing Substrate Contract

Hasher is the trait foundation declares for the canonical hash axis. Per ADR-030 it is consumed through the AxisTuple substitution-axis structure (the third substitution-axis position generalizes from a single Hasher trait to a tuple of axis trait selections); per ADR-031 the prism-crypto standard-library sub-crate declares HashAxis (the axis whose trait bound on AxisExtension subsumes the prior Hasher trait, with concrete impls Sha256Hasher / Blake3Hasher / etc.); per ADR-036 the third-position substrate parameter carries the + Hasher bound (A: AxisTuple + Hasher) so resolver-bound substrate operations (the eight resolver-bound ψ-Term variants per ADR-035) can consume the canonical hash axis type-associatedly via <A as Hasher>::initial(). The contract any conforming Hasher impl MUST satisfy:

| Aspect | Specification |
|---|---|
| Output width | The hasher’s output MUST be a fixed number of bytes within the byte-width range carried by the application’s selected HostBounds. The width is a constant of the hasher’s implementation; one hasher implementation always produces fingerprints of one fixed width. The HostBounds selection determines the architectural range; foundation does not fix the range globally. |
| Determinism | Repeated invocation on the same input MUST produce the same output bytes. The hasher MUST NOT depend on hidden state, time, randomness, or any input not explicitly provided. |
| Identifier | The hasher MUST have a u32 identifier, distinct from every other Hasher impl the wider ecosystem might recognize. This identifier appears in traces and content addresses; cross-implementation interoperability requires that two Hasher impls with the same identifier produce identical output bytes for identical inputs. |
| Idempotence under truncation | The hasher’s full-width output MUST be such that truncation to any prefix of the output preserves a useful collision-resistance property at that width. (This permits the foundation to specify content fingerprints at the substituted width without requiring the hasher to know the width in advance.) |

The foundation does not prescribe a hash function. The application author selects an implementation suited to the domain. BLAKE3 is recommended for production; SHA-256, BLAKE2b, FNV-1a, and other implementations conform if they satisfy the contract above.

The verifier’s Hasher selection MUST match the author’s. The match is established by the hasher_identifier carried in the trace; if the verifier is configured with a Hasher whose identifier differs, the verifier returns ReplayError::HasherMismatch without inspecting the trace’s contents further.

Error Model

Prism’s error model has two principles: typed errors over panics, and structured impossibility witnesses over silent failures.

Typed Errors

Every fallible operation in the public API of any of Prism’s three crates returns a Result<T, E> where E is a typed error variant specific to that operation. There are no panic! calls in any public path. The clippy lints clippy::unwrap_used, clippy::expect_used, clippy::panic, and clippy::missing_errors_doc are denied at crate level in all three crates.

A typed error variant carries enough information for the caller to identify the failure mode without inspecting the error message text. Error message text is supplemental, not load-bearing.

Impossibility Witnesses

When the principal data path cannot produce a Grounded<T> because the input does not satisfy the constraints of the application author’s ConstrainedTypeShape, the path returns a typed impossibility witness: a structured value that identifies which constraint was violated and at what position in the input. The impossibility witness is sealed (constraint TC-02); it is not a free-form error type.

The impossibility witness is not a panic, not a Result::Err from a generic error type, and not an exception. It is a sealed type whose construction signals "the principal data path executed correctly and determined that no Grounded<T> exists for this input under these constraints." This is architecturally distinct from "an error occurred during execution."

#![no_std] Posture

All three crates — uor-foundation, prism, prism-verify — are #![no_std] by default. The internal proc-macro sub-crate inside uor-foundation (which hosts the shape macros) is compile-time only and is not subject to #![no_std] (proc-macros run at compile time in the toolchain’s host environment).

The #![no_std] posture is normative and supports constraint TC-01 (zero-cost runtime). It implies:

  • No allocation in default-feature builds. Allocation is gated behind the alloc feature, which the application author opts into when their target supports it.

  • No standard library dependencies. The crates depend only on core and, when the alloc feature is enabled, alloc. They do not depend on std.

  • No floating-point operations except those core itself provides. The foundation’s mathematical operations are integer-domain unless the host explicitly substitutes a floating-point representation through HostTypes.

  • No platform-specific syscalls. Targets like thumbv7em-none-eabihf (bare-metal embedded) MUST be buildable by the application author without modification of any of the three crates.

The #![no_std] posture does not constrain the application author. An author who needs std in their crate enables it freely; the crates' #![no_std] posture does not propagate to the author’s crate.

Feature Flags

All three crates — uor-foundation, prism, and prism-verify — MUST expose feature flags that are additive (enabling a feature does not change the behavior of code that does not depend on the feature) and MUST follow Cargo’s feature-unification rules. prism's feature flags MUST be consistent with uor-foundation's flags (additive across the dependency graph): if the author enables alloc on prism, the underlying uor-foundation features required to support that selection MUST also be enabled.

| Feature | Effect |
|---|---|
| alloc | Enables allocation. Code paths that produce dynamically-sized values (variable-length traces, dynamic certificate composition) become available. Without alloc, only fixed-capacity paths are available. |
| std | Implies alloc. Enables standard library use, including formatted error output and OS interaction. Authors targeting hosted environments enable this. |
| serde | Enables serde derive macros for the public types. Authors who serialize/deserialize traces or certificates with serde-compatible formats enable this. |
| observability | Enables additional observable trait surfaces beyond the core set. Authors who need extended introspection enable this. |

No feature MAY change the behavior of code paths used by other features in ways that violate constraint TC-01 (zero-cost runtime) or TC-02 (sealing). A feature flag that introduces runtime dispatch, alters the seal discipline, or changes the principal data path’s stages is not a conforming feature flag.

Observability

The foundation provides an observable trait surface in the bridge::observable component (section 5, Level 2). Observables are read-only views into the foundation’s internal state, exposed for application authors and verification authors to introspect when their domain requires it.

The observable surface is normatively read-only: an observable trait method MUST NOT mutate any foundation state. Observable trait methods are pure with respect to the foundation; their invocation does not affect the principal data path, the sealed values, the trace, or the certificate.

The observable surface is not a substitute for the principal data path. An author who reaches for observables to construct values that the principal data path would have constructed is bypassing UORassembly’s compile-time enforcement, and the author’s code will fail to compile because the observables do not return sealed-value-constructable references.

UORassembly Contract Definition

UORassembly is the set of type-level constraints any Rust source compiling to a Prism executable MUST satisfy. The contract is enforced by prism through the Rust type system (constraint TC-04, ADR-006).

The contract has the following clauses, each enforced as a Rust trait bound or sealed-type constraint:

| Clause | Bound / constraint |
|---|---|
| Every input to the principal data path MUST be a Datum. | pipeline::run accepts only Validated<CompileUnit, _>. Validated is sealed; the only way to obtain one is by passing a Datum through CompileUnitBuilder. Datum is sealed; the only way to obtain one is through a Grounding impl. |
| Every output of the principal data path MUST be a Grounded<T> plus a Trace. | pipeline::run's return type is (Grounded<T>, Trace). Both are sealed. |
| Every certificate emission MUST go through the principal data path. | Certified<C> is sealed in prism. Its constructor is pub(crate) to prism; the only paths to obtain one are pipeline::run (returning a Grounded<T> from which a Certified<GroundingCertificate> can be derived) and certify_from_trace (returning a Certified<GroundingCertificate> from a trace; re-exported by prism-verify). |
| Substitution-axis selections MUST satisfy prism's bounds. | pipeline::run is generic over H: HostTypes + HostBounds + Hasher; the application author’s selection must satisfy these bounds, which are declared by prism. |
| ConstrainedTypeShape impls MUST be const-evaluable. | The shape proc-macros (which live in uor-foundation's internal proc-macro sub-crate, reached through prism's vocabulary re-exports) emit const fn validate_const() for each ConstrainedTypeShape impl; failure of the const-evaluation is a compile error. prism declares the bound that the const-fn satisfies. |

A Rust source file that violates any of these clauses fails to compile. Compilation succeeds if and only if all clauses hold.

Operation Declaration

Operations in Prism are declarative, not imperative. The application author specifies what operation a given type or value satisfies; prism ships the vocabulary in which the specification is written. prism does NOT ship operations themselves. This separation is normative.

The vocabulary prism provides for operation declaration includes:

  • Combinators that compose uor-foundation::PrimitiveOp discriminants into operation expressions. Every operation declaration ultimately reduces to a composition of PrimitiveOp discriminants; the combinators are how the composition is built.

  • Type-level constraints that the Rust toolchain enforces against operation declarations at compile time. An operation declaration that does not type-check at the bound prism declares is rejected by rustc.

  • Witnessing scaffolds that emit type-witness values for operation declarations to compose with the principal data path’s seal regime.

The architectural commitment is that every operation reachable inside a Prism executable is the composition of PrimitiveOp discriminants from uor-foundation's primitives component. There is no path through which an author can introduce a primitive operation into Prism’s vocabulary; the primitive set is closed at the uor-foundation layer (constraint TC-01, ADR-013). The author can declare arbitrarily complex operations by composing primitives, but cannot extend the primitive set itself.

Specific declaration syntax is left to prism's implementation, as long as the semantic commitment holds. Two implementations of prism may differ in their declaration syntax while both satisfying the architectural commitment that all declared operations are compositions of uor-foundation::PrimitiveOp discriminants.

Closure Under uor-foundation

prism is closed under uor-foundation's vocabulary. This is a normative architectural property:

  • Every type prism exposes is derived from uor-foundation's type-declaration vocabulary. prism introduces no primitive types of its own.

  • Every operation declaration prism's vocabulary admits composes uor-foundation::PrimitiveOp discriminants. prism introduces no primitive operations of its own.

  • The three Prism-mechanism sealed types (Validated, Grounded, Certified) are seals over uor-foundation's types and the trace/certificate wire-format types, not new primitive types — they wrap and add invariants but do not introduce new domain content.

Closure has four consequences.

First, a uor-foundation amendment that adds a new primitive type or PrimitiveOp discriminant cascades through prism (which may need to expose new vocabulary for the addition to be reachable from authors). This is the primary maintenance coupling between the two crates and is captured as TR-08 (section 11).

Second, no Prism implementation can extend the primitive set or the type-declaration vocabulary except by amending uor-foundation first; this is the architectural property that makes UORassembly’s clauses checkable by examining uor-foundation alone.

Third, closure makes UOR addresses determinate. The IRI of every type prism ships is content-deterministic in its constraint declaration — derived from uor-foundation's vocabulary, not from the Rust type name. Two applications using the same prism standard type produce values with the same UOR IRI. This is what makes prism's standard library a canonical UOR-address surface (ADR-017): the standard types are not just ergonomic Rust names, they are the canonical declarations applications and schema-import tools target so that traces and certificates address consistently across the ecosystem.

Fourth, closure makes the standard library convenience rather than constraint. Authors are not limited to the types prism ships in its standard library; through prism's re-exports of uor-foundation's type-declaration vocabulary, authors declare their own types using the same ConstrainedTypeShape, Grounding, and shape-macro surface the standard library is built from. Author-declared types are first-class Prism types: they receive content-deterministic IRIs, traverse the same principal data path, are subject to the same UORassembly enforcement, and are sealed with the same discipline as standard library types. The standard library is convenience for common shapes; the vocabulary is what gives authors capability.

Closure is enforced by the structure of prism's components: the vocabulary re-exports component is the only path through which prism's other components reach uor-foundation's types; any new type prism adds to its standard library must compose existing re-exported vocabulary. The closure property is normatively asserted (ADR-013) and a Prism implementation in which prism introduces a primitive type or PrimitiveOp discriminant of its own is not a Prism implementation.

Closure Across Layers

The architecture commits to three layers of algebraic closure (ADR-024). Each layer has its own carrier, its own operator set, and its own closure check. The three layers compose: each layer’s operators take operands from the layer below.

Layer 1 — substrate closure. Carrier: uor-foundation's primitive vocabulary (the Term enum’s variants, the PrimitiveOp discriminants, the ConstraintRef variants, the WittLevel ceiling). Operators: the substrate operator set (ADR-025) — composer operators × (partition_product) and + (partition_coproduct), endomorphism operators after_op for op ∈ Γ = {+, −, ×, ÷, ^} with the Categorical X regime split. The catalog and transition tables at any committed snapshot are conformance test vectors for substrate closure’s predictions.

Layer 2 — prism closure. Carrier: routes over substrate-closed shapes — ConstrainedTypeShape impls bounded by prism's declared bounds, composed into forward bodies via the prism operator set. Operators: the prism operator set (ADR-026) — compose, parallel_compose, fold_n, tree_fold, first_admit, partition_product, partition_coproduct. The closure-body grammar G1–G29 (ADR-022 D3 plus ADR-026’s G12-G19 extension plus ADR-033’s G20 field-access projection plus ADR-035’s G21-G29 ψ-chain forms) is the syntactic surface of prism closure; the macro’s FoundationClosed impl emission is its type-level expression for whole-route declarations.

Layer 3 — implementation closure. Carrier: each implementation’s verb set — named, reusable compositions of prism operators applied to substrate primitives, declared via the verb! SDK macro per ADR-024. Operators: composition under prism operators only; no implementation introduces new operators. Closure check: every verb is a composition of prism operators applied to substrate primitives ∪ other verbs of the same implementation ∪ verbs of explicitly imported implementations; the verb-reference graph through non-recurse operators is acyclic. Cross-implementation verb imports proceed through the use_verbs! macro at the importing crate’s root (ADR-024).

The three closures are independent — an implementation can extend its verb set without touching prism; prism can extend its operator set without touching substrate, subject to ADR-013’s substrate-amendment requirement — and compatible: operators at one layer compose objects from the layer below. The three-layer structure is parametric in the substitution axes (ADR-007); each closure’s enumeration at any committed substitution-axis selection is derivable, none is fixed at a specific axis selection. The closure procedures are theorems whose conformance is checked at each layer’s level: substrate closure at the catalog/transition-table snapshot level; prism closure at the macro’s FoundationClosed impl emission; implementation closure at each implementation’s verb-graph acyclicity check.

Substrate closure (prism is closed under uor-foundation's vocabulary, ADR-013) is the type-and-operation half of Layer 1; ADR-025’s operator-set commitment is the operator half. The two together fully specify Layer 1.

Per ADR-030, the substrate-extension lane (Layer 1’s interface to vocabularies whose body lives outside PrimitiveOp) is universal: domain crates declare axes through the axis! SDK macro; foundation provides the meta-mechanism (AxisExtension, AxisTuple, Term::AxisInvocation, the per-variant fold-rule). Per ADR-031, prism is the standard library — a façade re-exporting the architecture from uor-foundation plus the standard-library Layer-3 sub-crates (prism-numerics, prism-crypto, prism-tensor, prism-fhe), all published from the Prism repository, that contribute application-neutral vocabularies. The architecture itself in uor-foundation and the wiki live in the UOR-Framework repository; the standard library in the Prism repository. Third-party Layer-3 crates carry application-specific, format-specific, and architecture-specific extensions that consume the standard-library vocabularies. The closure discipline applies the same way to both — standard-library inclusion is operational. Cross-axis composition happens at the term-tree level: each axis impl operates on byte slices and emits byte slices; the term tree carries the composition through the catamorphism’s evaluation order.

Per ADR-032, the SDK proc-macro reads <DomainTy as ConstrainedTypeShape>::CYCLE_SIZE at proc-macro expansion time and emits it as the measure literal for first_admit lowerings (per ADR-026 G16). Per ADR-033, the closure-body grammar admits field-access projections (G20) on product-of-shapes inputs, lowering to the eleventh Term variant Term::ProjectField per ADR-029’s extended per-variant fold-rules. The PrimitiveOp catalog and the reserved-identifier set are referenced as snapshot-specific in ADR-022 D3 G3, ADR-026 G12, and ADR-029’s Term::Application fold-rule, so the wiki’s normative text stays accurate as foundation extends the catalog through ADR-013’s substrate-amendment-via-foundation rule. Together, the commitments complete the typed-iso surface’s coverage of structured-input destructuring, proc-macro-time cardinality introspection, and substrate-amendment evolution — all preserve the closure discipline at every layer (foundation provides the trait extension, the Term variant, and the PrimitiveOp discriminants; the SDK macros emit consumers; the closure check at the macro invocation validates the grammar form against the receiver’s shape and the snapshot’s catalog).

Per ADR-034, the closure-body grammar’s first_admit (G16) lowering shifts from Term::Recurse to Term::FirstAdmit (the twelfth Term variant), and Term::Recurse's fold-rule extends with the iteration-counter binding via the foundation-fixed RECURSE_IDX_NAME_INDEX. Together these let foundation’s catamorphism evaluate bounded search (with structural short-circuit on first admission) and bounded fold (with iteration-counter access in step bodies above <B as HostBounds>::FOLD_UNROLL_THRESHOLD per ADR-037) end-to-end. The implementation-runtime override per ADR-026 G16’s three-way responsibility split remains available for strategy selection — sequential vs parallel coset traversal, cancellation policy, cost-budget enforcement — but is no longer load-bearing for structural correctness; the typed-iso surface carries the architectural commitments through pipeline::run_route's catamorphism.

Per ADR-035 + ADR-036, the closure-body grammar’s lowering substrate extends with nine ψ-chain Term variants — Term::Nerve, Term::ChainComplex, Term::HomologyGroups, Term::Betti, Term::CochainComplex, Term::CohomologyGroups, Term::PostnikovTower, Term::HomotopyGroups, Term::KInvariants — bringing the Term enum from twelve to twenty-one variants. Each ψ-Term variant lowers from a closure-body grammar form (G21-G29) and parallels an ontology-defined ψ-map. The framework’s op:InferenceOperation is ι = P ∘ Π ∘ G — the ψ-pipeline composed; ADR-035 makes the ψ-chain (the structural-witness arm of op:InferenceOperation) reachable from verb bodies, completing the framework’s verifiability commitment per ADR-001 + ADR-019 at the closure-body grammar layer. ADR-035 commits the canonical k-invariants branch (ψ_1 → ψ_7 → ψ_8 → ψ_9) as the architectural composition for the verifiability commitment: the k-invariants κ_k classify the Postnikov-tower extensions per homology:KInvariant, giving the maximum-discriminating structural witness in the ψ-chain; narrower compositions extract strictly weaker invariants and serve narrower applications. ADR-035 also commits the ψ-residuals discipline (scope refined by ADR-056, summarized below): the route body’s syntactic surface (the prism_model!-declared route closure body) admits no Term::FirstAdmit, no Term::AxisInvocation, no byte-comparison or byte-concat PrimitiveOp emissions; compound verbs declared via verb! per ADR-024, axis impl bodies per ADR-055, and resolver bodies per ADR-046 may compose the full substrate vocabulary because fold-fusion per ADR-054 inlines them through the catamorphism without exposing residual forms at the route surface. The canonical hash axis is consumed by resolvers; admission at the route surface is structural, not search-based. 
ADR-036 commits the fourth substrate parameter R: ResolverTuple (defaulting to NullResolverTuple) carrying application-provided resolver instances for the eight resolver-bound ψ-Term variants. ADR-048 adds a fifth substrate parameter C: TypedCommitment (defaulting to EmptyCommitment) carrying the application’s typed-bandwidth admission commitment consulted post-resolver on the κ-label. Foundation’s pipeline::run_route reaches its current five-substrate-parameter shape <H, B, A, R, C> (per ADR-030 + ADR-036 + ADR-048) with the ResolverTuple threaded as a value reference alongside the three type-level parameters (HostTypes, HostBounds, AxisTuple-with-Hasher-bound) and the TypedCommitment threaded as a value reference after the resolver tuple; the eight resolver traits share a uniform surface that returns a TermValue directly (fn resolve(&self, input: TermValue<'a, {carrier_inline_bytes::<B>()}>) -> Result<TermValue<'a, {carrier_inline_bytes::<B>()}>, ShapeViolation> per ADR-060, superseding ADR-036’s writer-style &mut [u8]-output form); the catamorphism dispatches each resolver-bound ψ-Term fold-rule through the marker-trait accessor on R and consults C::evaluate(kappa_label) after ψ_9 emits the κ-label. The compiled binary is the canonical circuit; the data representation is minimal (input bytes + κ-label); the client is conceptually larger than the data it operates on; a complete model fuses into a single reference.

Per ADR-037 (byte-width subset superseded by ADR-060), the substrate’s data-shape capacity surface is HostBounds-parametric end-to-end. <B as HostBounds> carries 14 associated constants: the structural-element counts (BETTI_DIMENSION_MAX, NERVE_CONSTRAINTS_MAX, NERVE_SITES_MAX, JACOBIAN_SITES_MAX, AFFINE_COEFFS_MAX, CONJUNCTION_TERMS_MAX), the catamorphism/trace bounds (FOLD_UNROLL_THRESHOLD, RECURSION_TRACE_DEPTH_MAX, OP_CHAIN_DEPTH_MAX, UNFOLD_ITERATIONS_MAX), and the four pre-ADR-018 constants (FINGERPRINT_MIN_BYTES, FINGERPRINT_MAX_BYTES, TRACE_MAX_EVENTS, WITT_LEVEL_MAX_BITS). Per ADR-060, the 12 byte-width capacity caps that ADR-037 had migrated (TERM_VALUE_MAX_BYTES, AXIS_OUTPUT_BYTES_MAX, ROUTE_INPUT_BUFFER_BYTES, ROUTE_OUTPUT_BUFFER_BYTES, and the eight ψ-stage *_OUTPUT_BYTES_MAX ceilings) are removed: carrier byte widths are foundation-derived from the structural and Witt/crypto primitives (the source-polymorphic TermValue carrier’s inline width via carrier_inline_bytes::<B>(); the per-ψ-stage carrier widths via foundation const fn), and DefaultHostBounds is removed — every application declares its own impl HostBounds, so every capacity bound the foundation honors traces to an explicit application declaration. The two type-system tuple-impl-table caps (MAX_AXIS_TUPLE_ARITY, MAX_RESOLVER_TUPLE_ARITY) stay foundation-vetted with explicit Rust-language carve-out from ADR-018’s discipline (per-arity impl emission cannot be parametric on downstream HostBounds impls); MAX_RESOLVER_TUPLE_ARITY is structurally bounded below by card(ResolverCategory) = 8, growing with future ADR-013/TR-08 substrate amendments. ADR-018’s commitment — "the architecture admits no capacity bound outside HostBounds" — is honored across the substrate’s API surface: structural counts live on HostBounds, byte widths derive from them per ADR-060, and the impl-table carve-out is explicit and bounded.

Per ADR-038, the substrate’s closed Observable taxonomy includes observable:AxisProjectionObservable — a top-level Observable subclass parallel to the seven internally-derived categories (Stratum, Metric, Path, Reduction, Catastrophe, Curvature, Holonomy). Per ADR-040, the closed BoundShape catalogue carries 7 individuals; type:LessEqBound is for integer-valued observables; type:LexicographicLessEqBound is the byte-sequence-comparison primitive under canonical big-endian unsigned ordering. The ConstraintRef::Bound.args_repr: &'static str wire commitment carries normative canonical-string-form encoding rules for AxisProjectionObservable arguments (axis_address=<hex>;kernel=<symbolic>;sites=<site-list>[;target=<target-spec>]); axis identification is by content-address (AXIS_ADDRESS per ADR-030), not by tuple position. Typed feature hierarchies whose admission relations express as "the axis-realized projection of typed sites is bounded by a target" declare their admission relation through ConstraintRef::Bound with AxisProjectionObservable plus the appropriate BoundShape (LexicographicLessEqBound for byte-sequence targets; another existing BoundShape per the predicate); the application’s ψ_1 NerveResolver consumes the constraint declaration and constructs the simplicial complex accordingly. The closed-catalog discipline holds — foundation owns the catalog; applications consume catalog variants through canonical-string-form args_repr.

Per ADR-039, the canonical k-invariants branch realizes the ontology’s three-primitive inhabitance verdict structure. A successful Grounded<Output> IS a cert:InhabitanceCertificate envelope: the κ-label (the Term::KInvariants emission at ψ_9 per ADR-035) is the homotopy-classification structural witness; the concrete cert:witness ValueTuple is derivable from Term::Nerve's 0-simplices at ψ_1; cert:searchTrace is realized as Grounded::derivation().replay(). An Err(PipelineFailure) whose structural cause is "the constraint nerve has empty Kan completion" realizes a cert:InhabitanceImpossibilityCertificate envelope, carrying proof:InhabitanceImpossibilityWitness as proof payload with proof:contradictionProof as the canonical-form encoding of the failure trace. The κ-label and cert:witness are different witness granularities (homotopy classification vs. concrete ValueTuple); the canonical k-invariants branch produces both, at the ψ_9 and ψ_1 stages respectively. The framework’s four resolver-trait families — pipeline ψ-stage resolvers (8 traits per ADR-036, sealed), bridge Observable-category resolvers, user-surface morphism resolvers, ontology resolver:Resolver hierarchy (20+ class declarations) — coexist as parallel resolution categories at different layers, not in a subclass relationship. The ontology’s predicate:InhabitanceDispatchTable is a resolution-strategy specification that application-supplied NerveResolver impls MAY consult internally for decider routing.

The three commitments compose: ADR-037 ensures the substrate’s data-shape capacity surface is parametric in the application’s selected HostBounds (with explicit impl-table carve-out); ADR-038 + ADR-040 ensure the closed catalog can express the application’s admission relations (with observable:AxisProjectionObservable as a new Observable subclass and a closed BoundShape catalogue of 7 individuals); ADR-039 ensures the framework names the three-primitive verdict structure the canonical k-invariants branch produces (with explicit four-family resolver landscape disambiguation). The full path from typed-feature-hierarchy declaration through κ-label and concrete witness to verdict envelope is realized through closed-catalog vocabulary, HostBounds-parametric data-shape capacity, and the canonical k-invariants branch’s dual-granularity structural witness — no ψ-residual escape, no foundation-fixed data-shape cap collapse, no application-layer verdict re-derivation.

Per ADR-040, the closed BoundShape catalogue carries 7 individuals: EqualBound, LessEqBound, GreaterEqBound, RangeContainBound, ResidueClassBound, AffineEqualBound, LexicographicLessEqBound. type:LessEqBound is for integer-valued observables (HammingMetric, DerivationDepthObservable, etc.); type:LexicographicLessEqBound is the byte-sequence-comparison primitive for observable:AxisProjectionObservable and other byte-sequence-valued Observables, under canonical big-endian unsigned ordering. The catalog declaration alone determines the comparison semantics; the application’s ψ_1 NerveResolver receives the constraint declaration and constructs the simplicial complex over the byte-sequence comparison directly — no observable-type dispatch in the resolver. Each totally-ordered value type whose comparison semantics differ from those the closed catalog already realizes gets its own catalog primitive at the ADR-013/TR-08 amendment boundary.
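The args_repr field layout quoted under ADR-038 and the two ordering primitives distinguished under ADR-040 can be exercised together. The following is an added example, not foundation code: it parses the quoted layout strictly (fixed field order, no extra fields) and contrasts lexicographic byte comparison with an integer reading of the same bytes. Assumptions: lowercase hex for axis_address, opaque kernel, sites and target values, and a strict prefix sorting first when lengths differ.

```rust
// Added illustration, not uor-foundation code. Key names and field order follow
// the layout quoted in the text; the value grammars are assumptions.

#[derive(Debug, PartialEq, Eq)]
pub enum ArgsError {
    MissingOrMisordered(&'static str), // expected key absent or out of position
    EmptyValue(&'static str),
    BadHex,
    TrailingField,
}

#[derive(Debug, PartialEq, Eq)]
pub struct AxisProjectionArgs<'s> {
    pub axis_address: Vec<u8>,   // content address of the axis, decoded from hex
    pub kernel: &'s str,         // kept opaque: its grammar is not given on the page
    pub sites: &'s str,          // kept opaque
    pub target: Option<&'s str>, // optional trailing field, kept opaque
}

fn nibble(c: u8) -> Result<u8, ArgsError> {
    match c {
        b'0'..=b'9' => Ok(c - b'0'),
        b'a'..=b'f' => Ok(c - b'a' + 10),
        _ => Err(ArgsError::BadHex),
    }
}

/// Assumption: the canonical hex form is lowercase, non-empty and of even length.
fn decode_hex(s: &str) -> Result<Vec<u8>, ArgsError> {
    let b = s.as_bytes();
    if b.is_empty() || b.len() % 2 != 0 {
        return Err(ArgsError::BadHex);
    }
    let mut out = Vec::with_capacity(b.len() / 2);
    for pair in b.chunks(2) {
        out.push(nibble(pair[0])? << 4 | nibble(pair[1])?);
    }
    Ok(out)
}

/// Requires the next `;`-separated part to be exactly `key=<non-empty value>`.
fn field<'s>(part: Option<&'s str>, key: &'static str) -> Result<&'s str, ArgsError> {
    let value = part
        .and_then(|p| p.strip_prefix(key))
        .and_then(|rest| rest.strip_prefix('='))
        .ok_or(ArgsError::MissingOrMisordered(key))?;
    if value.is_empty() { Err(ArgsError::EmptyValue(key)) } else { Ok(value) }
}

/// Strict parse: one accepted spelling per value, so equal strings mean equal arguments.
pub fn parse_args_repr(s: &str) -> Result<AxisProjectionArgs<'_>, ArgsError> {
    let mut parts = s.split(';');
    let axis_address = decode_hex(field(parts.next(), "axis_address")?)?;
    let kernel = field(parts.next(), "kernel")?;
    let sites = field(parts.next(), "sites")?;
    let target = match parts.next() {
        None => None,
        part => Some(field(part, "target")?),
    };
    if parts.next().is_some() {
        return Err(ArgsError::TrailingField);
    }
    Ok(AxisProjectionArgs { axis_address, kernel, sites, target })
}

/// Byte-sequence reading: the first differing byte decides, bytes are unsigned.
pub fn lexicographic_less_eq(observed: &[u8], target: &[u8]) -> bool {
    observed <= target
}

/// Integer reading of the same bytes (big-endian, any length), for contrast.
pub fn integer_less_eq(observed: &[u8], target: &[u8]) -> bool {
    fn trim(b: &[u8]) -> &[u8] {
        let zeros = b.iter().take_while(|&&x| x == 0).count();
        &b[zeros..]
    }
    let (o, t) = (trim(observed), trim(target));
    (o.len(), o) <= (t.len(), t)
}

fn main() {
    // Constructed sample value, not taken from any real model.
    let sample = "axis_address=00ff10;kernel=k0;sites=s0,s1;target=0100";
    println!("{:?}", parse_args_repr(sample));
    // Same operands, different verdicts: [01 00] vs [02].
    println!("lexicographic: {}", lexicographic_less_eq(&[0x01, 0x00], &[0x02]));
    println!("integer:       {}", integer_less_eq(&[0x01, 0x00], &[0x02]));
}
```

The two comparisons disagree on the same operands, which is why the bound shape has to be fixed by the catalog declaration rather than chosen inside a resolver.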

Per ADR-041, the eight ψ-stage resolver traits per ADR-036 thread typed-coordinate carriers between ψ-stages. Foundation declares nine # newtype wrappers around byte slices — SimplicialComplexBytes<'a>, ChainComplexBytes<'a>, HomologyGroupsBytes<'a>, BettiNumbersBytes<'a>, CochainComplexBytes<'a>, CohomologyGroupsBytes<'a>, PostnikovTowerBytes<'a>, HomotopyGroupsBytes<'a>, KInvariantsBytes<'a> (the κ-label carrier) — one per ψ-stage output shape. Each resolver trait's resolve method takes the prior ψ-stage’s typed carrier as input (and the per-value byte sequence for NerveResolver at ψ_1, since its source is not a prior ψ-stage’s output) and writes the current stage’s bytes into a &mut [u8] output buffer (zero allocation). Cross-stage composition mismatches surface as type errors at resolver-impl compile time rather than runtime ShapeViolations.

Per ADR-042, foundation provides the typed Rust surface for the inhabitance verdict envelope per ADR-039. Two #-style typed views — InhabitanceCertificate<'a, T>(pub &'a Grounded<T>) and InhabitanceImpossibilityCertificate<'a> over &PipelineFailure — expose the verdict-envelope coordinates the catamorphism’s Result envelope already carries. Grounded::as_inhabitance_certificate(&self) and PipelineFailure::as_inhabitance_impossibility_certificate(&self) are the accessor methods; the typed surface exposes kappa_label() (returning KInvariantsBytes<'_> per ADR-041), witness() (returning WitnessValueTuple<'_> derived from Term::Nerve's 0-simplices at ψ_1), search_trace() (returning the recoverable Trace), certified_type() (returning the ConstrainedTypeShape::IRI), contradiction_proof() (returning the canonical-form encoding of the failure trace for the negative-verdict path). The optional inhabitance::dispatch_through_table helper abstracts predicate:InhabitanceDispatchTable consultation for application NerveResolver impls whose constraint-set shapes fit the three rule arms. The typed surface is universal (any successful Grounded is viewable as InhabitanceCertificate<T>; any PipelineFailure with the appropriate structural cause is viewable as InhabitanceImpossibilityCertificate) and zero-cost at runtime.

ADR-040 + ADR-041 + ADR-042 together close the implementer-facing surface: closed-catalog disambiguation of comparison semantics, type-system discrimination of ψ-stage outputs, and a typed Rust verdict-envelope surface. Applications can declare admission relations through the closed catalog without observable-type dispatch in resolvers, compose ψ-stage resolvers with compile-time type checking, and consume the catamorphism’s Result envelope as the ontology’s three-primitive verdict structure with no per-application accessor reimplementation. The framework’s verifiability commitment per ADR-001 + ADR-019 is realized end-to-end through typed surfaces, from typed-feature-hierarchy declaration to verdict envelope.

The Fold-Fusion Principle (ADR-054) unifies all three layers and their subsequent extensions as folding operations. The three-layer closure (substrate, prism, implementation per ADR-024) plus the substrate-amendment series (ψ-chain Term variants per ADR-035, ResolverTuple per ADR-036, HostBounds-parametric capacity caps per ADR-037, the implementer-facing surfaces per ADR-040..042, the typed-bandwidth admission surface per ADR-048, the UOR observable surface per ADR-049, the width-parametric arithmetic per ADR-050..053, bounded recursive structural typing per ADR-057) all reduce to fold compositions the catamorphism fuses universally. Every prism transformation — verb-body composition, prism_model! route body, resolver body, every axis-impl body — is a folding operation; the catamorphism’s initial-algebra universal property per ADR-019 fuses composed fold-rules into one Rust routine per substitution-axis selection. The three fusion layers (macro-expansion, catamorphism, monomorphization) and their detailed mechanics are specified in ADR-054’s decision section.

Per ADR-055’s universal substrate-Term verb body discipline, the principle’s reach extends through every axis surface: every AxisExtension impl (standard-library AND application-author custom) MUST carry a substrate-Term verb body via the foundation-declared SubstrateTermBody sealed supertrait bound, enforced at compile time. The catamorphism’s Term::AxisInvocation fold-rule per ADR-029 recursively folds the axis impl’s body_arena() static Term slice rather than calling an opaque kernel function. ADR-054 RA2’s standard-library-only scope is superseded; ADR-010’s arbitrary-Rust Hasher carve-out is amended; there is no carve-out remaining. Fold-fusion’s structural reach extends to the leaf level across every axis surface for every axis impl. Operations that genuinely cannot be expressed in substrate Terms are not prism operations per ADR-019’s initial-algebra commitment — they must be hosted at the host boundary outside the catamorphism’s reach. Fold-fusion is the structural mechanism upholding the Conceptual Model’s C2 (zero runtime movement) commitment — the "one Rust function per forward invocation" claim is structurally guaranteed by the type system, not aspirational.

Per ADR-056’s ψ-residuals discipline scope refinement, the ψ-residuals discipline applies to the route body’s syntactic surface (the prism_model!-declared route closure body), not to compound verbs declared via verb! per ADR-024 or axis impl bodies per ADR-055 or resolver bodies per ADR-046. Canonical compound operations — SHA padding (uses Concat), HMAC (uses Concat), Merkle tree construction (uses Concat), tensor saturation (uses Le / Ge) — have substrate-Term decompositions composing the full substrate vocabulary in their verb / axis-impl bodies. The catamorphism’s fold-fusion mechanism per ADR-054 inlines these bodies into the route’s evaluation; the route’s typed-iso surface stays structurally shaped (no ψ-residual syntactic forms emitted directly in the route closure body) while the structural-fold realization uses the full substrate primitives internally. The discipline’s purpose — keeping admission structurally determined at the typed-iso surface — is preserved at the route-body layer where it matters; the vocabulary restriction at the substrate layer is lifted per ADR-056.

Per ADR-057’s bounded recursive structural typing substrate primitive, the closed ConstraintRef catalog gains a Recurse { shape_iri, descent_bound } variant (with a parallel LeafConstraintRef::Recurse) for shape-IRI references that bound their unrolling at a per-reference descent budget. Foundation publishes a shape_iri_registry module collecting ConstrainedTypeShape impls at link time via the register_shape! SDK macro; ψ_1 NerveResolver resolves ConstraintRef::Recurse.shape_iri against the registry at evaluation time, unrolling the referenced shape’s CONSTRAINTS array up to the descent budget. The const-time admission path (per validate_constrained_type_const) defers ConstraintRef::Recurse to runtime admission analogous to ADR-049’s Bound deferral. The partition_coproduct! / partition_product! SDK macros extend their operand grammar to admit recurse(<bound>):<T> markers emitting Recurse references at the operand’s position rather than inlining T’s CONSTRAINTS — breaking the const-eval cycle that direct self-reference cannot resolve. Shapes carrying Recurse constraints saturate CYCLE_SIZE at u64::MAX per ADR-032’s discrete-clock saturation semantics. The shape-IRI registry is the substrate’s second registry surface — parallel in mechanism to the observable-IRI registry per ADR-038/049 and the substitution-axis content-address catalog per ADR-007/030, all three using link-time registration with runtime resolution under the closure discipline (content-addressing, registry-driven dispatch, ADR-013/TR-08-bounded amendment). Bounded recursive structural typing serves application domains whose typed inputs admit self-reference — JSON values, XML documents, syntax trees, S-expressions, ASN.1 / Protocol-Buffer message families, filesystem-like hierarchies, and inductively-defined categorical constructions like rose trees and bounded forests — at the framework’s natural level of structural commitment, without per-application invention of cycle-break mechanisms.

Per ADR-058’s compression-operator reading, κ-derivation — the eight-resolver ψ-pipeline composed with the ψ_9 σ-projection — is the framework’s compression-to-canonical-form operator. The κ-label is the minimum-information byte sequence distinguishing the input within its constraint geometry’s typed-distinction surface (the pre-σ-projection ψ-stages monotonically reduce the unresolved-site count per ADR-043; the σ-projection emits the residual structural identity), and it is unique under the fixed pipeline order per ADR-035 (two inputs emit byte-identical κ-labels iff they are computationally equivalent under closure under the identity catalogue per ADR-019 + ADR-024, with the converse under ADR-047’s U1–U6). This is an identity claim over existing constructs, not a new feature: minimum-information emission plus uniqueness-under-fixed-order are the defining properties of compression-to-canonical-form. The reading commits a three-tier closure-lossless taxonomy — T1 byte-identical, T2 κ-label-identical (the framework’s natural equivalence under κ-derivation, equivalent to TC-05 trace-replay equivalence), T3 outcome-coarse-equivalent (admitting through the same C: TypedCommitment per ADR-048) — forming a strict chain T1 ⇒ T2 ⇒ T3 that supplies a typed equivalence vocabulary for application-level interoperability protocols. Cross-substrate compression universality is a closure property per TC-05, not a statistical regularity: a conforming substrate emits the byte-identical certificate, a non-conforming substrate fails closed at certify_from_trace.

Per ADR-059’s operator-geometry codomain commitment, the codomain of κ-derivation in operator-geometry coordinates is the Atlas image inside E₈, with the Hopf convergence tower per kernel::convergence (R / C / H / O at algebra dimensions {1, 2, 4, 8}; see section 12, Hopf convergence tower) as the coarse stratification: a canonical form’s tower level is the algebra dimension at which its operator-geometry coordinates carry a normed-division-algebra structure, and descent O → H → C → R under compression pressure surrenders the characteristic identities (self-reference → choice → feedback → existence) in reverse order of acquisition. The exceptional algebraic structures (G₂ via product, F₄ via quotient, E₆ via filtration, E₇ via augmentation, E₈ via direct embedding) — derived from the Atlas of Resonance Classes as the initial object in ResGraph — provide finer-grained codomain typing. Together ADR-058 + ADR-059 yield a categorical theorem: any two conforming substrates compressing the same input land at the same Atlas-image position modulo Weyl-orbit equivalence (the operator is universal per ADR-058; its codomain is universal per ADR-059). Application-level typed-commitment surfaces per ADR-048 gain a codomain-typed admission vocabulary — Atlas-image proximity, exceptional-group orbit membership, convergence-tower level-and-residual signature — realized through SingletonCommitment<P> / AndCommitment<A, B> compositions. Both ADRs are conceptual-reading commitments over existing constructs (the ψ-pipeline and σ-projection for ADR-058; the foundation’s kernel::convergence substrate vocabulary for ADR-059); neither introduces new substrate trait declarations or wire-format change.

Per ADR-061’s operational composition surface (prism-runtime-level), the five categorical operations on the Atlas — product (G₂), quotient (F₄), filtration (E₆), augmentation (E₇), direct embedding (E₈) per ADR-059 — become invocable as five ConstrainedTypeShapes in prism’s standard type library (G2ProductShape<N> binary; the other four unary). A composition of N component κ-labels under an operation is a typed-input value the existing ψ-pipeline consumes through the existing σ-projection: the realization’s canonicalize verb emits a canonical form whose κ-label is the composed κ-label, itself landing at an Atlas-image position and so recursively composable (the content-addressable surface is closed under composition). Composition is bounded by the Categorical X regime split’s T = 3 / O = 8 (ADR-025) — arity ≤ 3 (the H-level’s triple associativity) and depth ≤ 8 (the O-level’s algebra dimension), with wider compositions decomposing into a ConstraintRef::Recurse tree per ADR-057; σ-axis substitutability (ADR-047) lifts to compositions (with σ-axis homogeneity required within each composition — all operand κ-labels share the composition’s σ-axis), and cross-substrate universality (ADR-058 + ADR-059) lifts to compositions. ADR-061 is a prism-standard-type-library addition only — no foundation or SDK change, the TypedCommitment (ADR-048) and ObservablePredicate (ADR-049) closed sets retained — and is consistent with this section’s compression/codomain reading: byte-concatenation or tree-hash composition is rejected precisely because it would collapse ADR-059’s algebraic codomain to the byte-pigeonhole framing the framework does not take.

Per ADR-060’s source-polymorphic value carrier, the catamorphism’s value carrier TermValue is no longer a fixed byte buffer but a source-polymorphic enum TermValue<'a, const INLINE_BYTES: usize> with three variants: Inline { bytes: [u8; INLINE_BYTES], len } (a stack buffer whose width derives from carrier_inline_bytes::<B>() — the foundation-computed maximum over the application’s Witt-literal width, fingerprint width, and κ-label ASCII width, so every integer literal, digest, and κ-label flows inline), Borrowed(&'a [u8]) (a slice descriptor into an upstream byte source — input bytes, sibling-ψ-stage scratch, axis-kernel output — with no copy and no byte-width ceiling), and Stream(&'a dyn ChunkSource) (a chunk-emitting source for unbounded payloads, folded chunk-by-chunk at the σ-projection via Hasher::fold_bytes, with no byte-width ceiling). Term::Literal and the catamorphism’s evaluate carry the 'a and INLINE_BYTES parameters, instantiated at the application boundary via the prism_model! macro’s emission. ADR-060 supersedes ADR-037’s byte-width-cap family: the 12 byte-width capacity constants and DefaultHostBounds are removed; per-ψ-stage carrier widths and the inline width are foundation-derived from the application’s HostBounds structural and Witt/crypto primitives, so no contrived byte-width literal survives in the foundation surface and every capacity the foundation honors traces to an explicit application declaration. The contrived 4096-byte ceiling of the pre-0.5.0 surface — a stable-Rust workaround whose application-overridability was fictional — is removed, not relaxed; unbounded payloads (multi-GB model-weight containers, large attestation envelopes, production canonical-JSON) become first-class through Stream with peak resident memory of the derived inline width plus the chunk source’s state. 
The framework’s mathematical content is invariant under carrier byte width; the κ-label, trace, and certificate wire formats are byte-identical to the pre-0.5.0 surface.
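The three carriers described for ADR-060 can be modelled briefly to show that a fold sees the same bytes whichever variant carries them, and that only Inline has a width ceiling. This is an added example, not uor-foundation code: the ChunkSource method signature, ToyHasher (FNV-1a standing in for a Hasher), SliceChunks and the 32-byte inline width are assumptions.

```rust
// Added illustration: a simplified model of the three-variant carrier described
// above. Not uor-foundation code; ChunkSource's method and ToyHasher are assumptions.

/// Hypothetical chunk-emitting source, read by index so it works behind `&dyn`.
pub trait ChunkSource {
    fn chunk(&self, index: usize) -> Option<&[u8]>;
}

pub enum TermValue<'a, const INLINE_BYTES: usize> {
    Inline { bytes: [u8; INLINE_BYTES], len: usize },
    Borrowed(&'a [u8]),
    Stream(&'a dyn ChunkSource),
}

/// Stand-in for a Hasher's running state: FNV-1a 64, chosen for brevity and
/// NOT cryptographic. Only the incremental `fold_bytes` shape matters here.
#[derive(Clone, Copy)]
pub struct ToyHasher(pub u64);
impl ToyHasher {
    pub fn new() -> Self { ToyHasher(0xcbf2_9ce4_8422_2325) }
    pub fn fold_bytes(mut self, bytes: &[u8]) -> Self {
        for &b in bytes {
            self.0 = (self.0 ^ u64::from(b)).wrapping_mul(0x0000_0100_0000_01b3);
        }
        self
    }
}

impl<'a, const N: usize> TermValue<'a, N> {
    /// Copies `src` into the stack buffer; None when it exceeds the inline width.
    pub fn inline(src: &[u8]) -> Option<Self> {
        if src.len() > N { return None; }
        let mut bytes = [0u8; N];
        bytes[..src.len()].copy_from_slice(src);
        Some(TermValue::Inline { bytes, len: src.len() })
    }

    /// Feeds the carried bytes to the hasher; a Stream is never concatenated first.
    pub fn fold_into(&self, mut h: ToyHasher) -> ToyHasher {
        match self {
            TermValue::Inline { bytes, len } => h.fold_bytes(&bytes[..(*len).min(N)]),
            TermValue::Borrowed(slice) => h.fold_bytes(slice),
            TermValue::Stream(source) => {
                let mut index = 0;
                while let Some(chunk) = source.chunk(index) {
                    h = h.fold_bytes(chunk);
                    index += 1;
                }
                h
            }
        }
    }
}

/// Constructed chunk source: fixed-size windows over a slice.
pub struct SliceChunks<'a> {
    data: &'a [u8],
    chunk_len: usize,
}
impl<'a> SliceChunks<'a> {
    /// Rejects a zero chunk length, which would never advance.
    pub fn new(data: &'a [u8], chunk_len: usize) -> Option<Self> {
        (chunk_len > 0).then(|| SliceChunks { data, chunk_len })
    }
}

impl ChunkSource for SliceChunks<'_> {
    fn chunk(&self, index: usize) -> Option<&[u8]> {
        let start = index.checked_mul(self.chunk_len)?;
        let rest = self.data.get(start..)?;
        if rest.is_empty() { return None; }
        Some(&rest[..rest.len().min(self.chunk_len)])
    }
}

pub struct Folds {
    pub inline: Option<u64>, // None when the payload is wider than the inline buffer
    pub borrowed: u64,
    pub stream: u64,
}

fn digest(v: TermValue<'_, 32>) -> u64 {
    v.fold_into(ToyHasher::new()).0
}

/// Folds one payload through all three carriers; 32 is a constructed inline width.
pub fn fold_all_carriers(payload: &[u8], chunk_len: usize) -> Option<Folds> {
    let source = SliceChunks::new(payload, chunk_len)?;
    Some(Folds {
        inline: TermValue::inline(payload).map(digest),
        borrowed: digest(TermValue::Borrowed(payload)),
        stream: digest(TermValue::Stream(&source)),
    })
}

fn main() {
    let f = fold_all_carriers(b"constructed kappa-label bytes", 5).expect("chunk_len > 0");
    println!("inline={:?} borrowed={:x} stream={:x}", f.inline, f.borrowed, f.stream);
}
```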

Cross-Crate Construction Surface

uor-foundation exposes a set of pub mint primitives — mint_datum, mint_triad, mint_derivation, mint_freerank, mint_product_witness, mint_coproduct_witness, mint_cartesian_witness — that are the cross-crate construction surface for the four UOR-domain sealed types. Each mint primitive takes type-level-validated inputs and internally calls a pub(crate) constructor of the corresponding sealed type within uor-foundation's enforcement component.

The architectural commitment is that prism's pipeline is the only sanctioned caller of these mint primitives (ADR-016). The commitment is normative; it is not a Rust-language access restriction. Any code with uor-foundation in its dependency graph can syntactically call the mint primitives. The commitment is what makes the call-site enforcement of TC-02 cross-crate-meaningful: a Prism implementation in which any code other than prism's pipeline calls a mint primitive is not a Prism implementation.

Why a pub mint primitive rather than pub(crate) plus a friend-module re-export? Rust has no friend-module mechanism that could grant prism privileged access to uor-foundation's pub(crate) constructors. The two crates are separate compilation units; prism cannot reach uor-foundation's pub(crate) items by language construct. The mint primitives are the language-level workaround: pub to satisfy Rust’s visibility rules for cross-crate access; architecturally restricted by the commitment.

This contrasts with the three Prism-mechanism sealed types (Validated, Grounded, Certified), which are sealed in prism itself. For those, the constructors are pub(crate) to prism and there is no cross-crate construction surface — prism's pipeline and replay are the only callers because they are the only code in prism that needs to construct these types. No architectural commitment beyond Rust’s visibility is required for that group; the cross-crate commitment is needed only for the UOR-domain four.
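Because the restriction on mint callers is normative rather than compiler-enforced, a build can check it lexically. The following is an added example, not part of Prism or uor-foundation: it flags any mention of the seven mint primitives in dependent-crate source files outside a sanctioned directory. The directory prefix and the sample sources are constructed placeholders.

```rust
// Added illustration, not Prism tooling. Run over crates that depend on
// uor-foundation, not over uor-foundation itself (which defines these names).

pub const MINT_PRIMITIVES: [&str; 7] = [
    "mint_datum",
    "mint_triad",
    "mint_derivation",
    "mint_freerank",
    "mint_product_witness",
    "mint_coproduct_witness",
    "mint_cartesian_witness",
];

/// Hypothetical location of prism's pipeline sources; adjust to the real tree.
pub const SANCTIONED_PREFIX: &str = "prism/src/pipeline/";

#[derive(Debug, PartialEq, Eq)]
pub struct Finding<'a> {
    pub path: &'a str,
    pub line: usize, // 1-based
    pub primitive: &'static str,
}

/// A path is sanctioned only if it sits under the prefix and has no `..`
/// component that could walk back out of it.
fn is_sanctioned(path: &str) -> bool {
    path.starts_with(SANCTIONED_PREFIX) && !path.split('/').any(|part| part == "..")
}

/// Flags every whole-identifier mention, not only calls, so an aliasing
/// `use ... as` is caught at the import. Whole-line `//` comments are skipped;
/// trailing and block comments are still scanned, so the check fails closed.
pub fn audit<'a>(files: &[(&'a str, &str)]) -> Vec<Finding<'a>> {
    let mut findings = Vec::new();
    for &(path, source) in files {
        if is_sanctioned(path) {
            continue;
        }
        for (idx, line) in source.lines().enumerate() {
            if line.trim_start().starts_with("//") {
                continue;
            }
            for token in line.split(|c: char| !(c.is_alphanumeric() || c == '_')) {
                if let Some(&primitive) = MINT_PRIMITIVES.iter().find(|&&p| p == token) {
                    findings.push(Finding { path, line: idx + 1, primitive });
                }
            }
        }
    }
    findings
}

/// Constructed sample tree: (path, source text). The sources are never compiled.
pub fn sample_tree() -> Vec<(&'static str, &'static str)> {
    vec![
        ("prism/src/pipeline/run.rs", "let d = uor_foundation::mint_datum(input)?;\n"),
        (
            "app/src/main.rs",
            "use uor_foundation::mint_triad as make;\n// mint_datum is reserved for prism\nlet t = make(x);\nlet n = my_mint_datum_helper();\n",
        ),
        (
            "prism/src/pipeline/../../tools/gen.rs",
            "let w = uor_foundation::mint_product_witness(a, b);\n",
        ),
    ]
}

fn main() {
    let tree = sample_tree();
    for f in audit(&tree) {
        println!("{}:{}: {} used outside the sanctioned pipeline", f.path, f.line, f.primitive);
    }
}
```

A lexical scan does not see macro-generated calls or function pointers passed through other crates, so it complements code review of the dependency graph rather than replacing it.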

Foundation as a Signature Category

The architectural commitments stated separately as Closure Under uor-foundation (ADR-013), Operation Declaration as composition of PrimitiveOp discriminants, and the principal data path’s stage transitions admit a single, more compact reading: uor-foundation is the signature category of Prism’s vocabulary. This subsection states the categorical structure explicitly. The reading is normative because the user-facing surface (PrismModel, the next subsection) takes the structure as its precondition.

Signature Endofunctor

Take the category whose objects are foundation-typed shapes — ConstrainedTypeShape impls under the substitution-axis selections — and whose morphisms are typed routes: compositions of PrimitiveOp discriminants and Term::Application constructions that map one shape’s site structure into another’s. Algebraic closure (ADR-013) is the categorical statement that this category is closed under composition: every morphism factors entirely within the category, with no escape to opaque imports. The signature endofunctor F is the self-map this category supports: it takes a shape to a shape and a route to a route, preserving identities and composition.

F’s signature is read off the foundation primitives. F is an enriched signature: it admits algebraic constructors, a binding operator, an explicit fixed-point operator, an unfold operator, an exception-handling operator, a substitution-axis-invocation operator, a field-access projection, a bounded-search operator with structural short-circuit, and the nine ψ-chain operators paralleling the ontology-defined ψ_1..ψ_9 maps. Each PrimitiveOp discriminant — the canonical catalog at any committed snapshot (post-ADR-053: Neg, Bnot, Succ, Pred, Add, Sub, Mul, Div, Mod, Pow, Xor, And, Or, Le, Lt, Ge, Gt, Concat; 18 variants — the six ring-axis primitives Γ = {Add, Sub, Mul, Div, Mod, Pow} per ADR-053, the four hypercube-axis operations {Xor, And, Or, Bnot}, the four unary {Neg, Succ, Pred} augmented with hypercube Bnot, the four byte-level comparisons {Le, Lt, Ge, Gt}, and byte-sequence Concat) — contributes a first-order algebraic constructor. The Term variants Literal, Application, Lift, Project are first-order algebraic node shapes. 
The remaining variants are non-first-order and require corresponding structure on any carrier: Variable requires an environment-indexed carrier (so binding occurrences can be resolved); Match requires a carrier with sum decomposition (so case analysis is interpretable); Recurse requires a carrier that supports well-founded recursion guarded by an explicit descent measure (the variant carries measure_index, base_index, step_index); Unfold requires a coalgebraic carrier (the dual unfold operation Term's anamorphism walks at the term level); Try requires a carrier with a distinguished failure value and propagation rule; AxisInvocation requires an axis-dispatch carrier consulting the model’s A: AxisTuple + Hasher substrate parameter per ADR-030 + ADR-036; ProjectField requires byte-slicing over product-shape carriers per ADR-033; FirstAdmit requires a bounded-search-with-short-circuit carrier per ADR-034; and the nine ψ-chain variants — Nerve, ChainComplex, HomologyGroups, Betti, CochainComplex, CohomologyGroups, PostnikovTower, HomotopyGroups, KInvariants per ADR-035 — require a resolver-bound byte-buffer-threaded carrier consulting the model’s R: ResolverTuple per ADR-036 (eight of nine are resolver-bound; Betti extracts directly from already-resolved homology). F’s signature is closed exactly when this enriched set is closed under composition (TC-01, ADR-013); the closure property and the zero-cost runtime are not two properties but one (ADR-019). The ψ-residuals discipline per ADR-035 + ADR-056 scopes the route-body-syntactic-surface sub-signature: AxisInvocation, FirstAdmit, and byte-comparison/concat PrimitiveOps remain in F but are forbidden from direct emission in the route body’s syntactic surface (the prism_model!-declared route closure body). 
Compound verbs per ADR-024, axis impl bodies per ADR-055, and resolver bodies per ADR-046 may use the full F-vocabulary internally because fold-fusion per ADR-054 inlines them through the catamorphism — the route’s syntactic surface stays pure-structural while the structural-fold realization uses the full vocabulary at depth, forcing the compiled binary’s route surface into the pure-structural shape that the canonical k-invariants branch witnesses.

Initial Algebra

Term is the initial algebra of F in the enriched sense above: any well-typed Term tree (well-typed under foundation’s Witt-level and arity discipline) is an element of F’s free term language, generated by the signature’s first-order, binding, fixed-point, unfold, try, substitution-axis-invocation, and field-projection operators. Initiality means: for any carrier supporting the same enriched structure, there is a unique structure-preserving map from Term into that carrier. Pure-F-algebra carriers admit only the first-order operators; enriched carriers admit all twenty-one variants (the original nine plus AxisInvocation per ADR-029 + ADR-030 for substitution-axis-realized verbs plus ProjectField per ADR-033 for product-shape field-access projection plus FirstAdmit per ADR-034 for bounded search with structural short-circuit plus the nine ψ-chain variants per ADR-035 — Nerve, ChainComplex, HomologyGroups, Betti, CochainComplex, CohomologyGroups, PostnikovTower, HomotopyGroups, KInvariants — for the structural-witness arm of op:InferenceOperation). pipeline::run's carrier is enriched: each non-first-order variant is given operational meaning by a corresponding carrier-side mechanism the implementation supplies per ADR-029’s per-variant fold-rules. Uniqueness of the catamorphism follows from the enriched initiality of Term. The tree is independent of any interpretation; the interpretations are the algebras.

Catamorphism (pipeline::run)

pipeline::run is the catamorphism into the runtime carrier: the unique structure-preserving map (in the enriched-initiality sense of the previous subsection) from a Validated<CompileUnit, FinalPhase> (whose root_term is an element of Term) to a Grounded<T>, with the failure case carried by PipelineFailure (the carrier is therefore the Result type Result<Grounded<T>, PipelineFailure>, with PipelineFailure ranging over preflight failures, shape mismatches, shape violations, and the failure-promote case from Term::Try). The Trace is not part of the catamorphism’s codomain; it is the recoverable structure the anamorphism operates on, reached from Grounded<T> via derivation().replay(). The catamorphism produces Result<Grounded<T>, PipelineFailure>; the anamorphism walks Grounded → Trace → Certified. Initiality discharges existence and uniqueness simultaneously: existence because every Term admits exactly one homomorphism to any given carrier supporting the enriched signature; uniqueness because that homomorphism is determined entirely by the term’s structure and the carrier’s operations. There is no extra-algebraic content in the pipeline’s behavior, which is the categorical statement of TC-03 (the principal data path is exercised exactly once, with no alternate path producing a Grounded<T>). The carrier is parameterized by the three substitution axes plus the fourth substrate parameter — HostTypes, HostBounds, AxisTuple + Hasher (the substitution-axis tuple with the canonical hash axis bound per ADR-030 + ADR-036), and ResolverTuple (defaulting to NullResolverTuple per ADR-036) — and the catamorphism is unique within each fixed choice (ADR-018, ADR-019). The application’s compile-time selection of axes and the model declaration’s selection of resolvers determine the carrier; the catamorphism into that carrier is the application’s compiled forward.

The catamorphism’s per-variant evaluation semantics — the fold-rules that turn input bindings into output bytes by induction on Term structure — are specified in ADR-029. The Output shape declared in PrismModel::Output is constructed through the output_shape! SDK macro per ADR-027 (with ConstrainedTypeInput retained as the foundation-sanctioned identity). The returned Grounded<Output> carries the catamorphism’s evaluation result as a value payload (per ADR-028); the metadata fingerprint and unit_address remain as typed-iso path attestation. The catamorphism is therefore a real catamorphism in fact: input bindings flow in, the Term tree’s structural fold produces output bytes, the bytes populate the Grounded’s value payload alongside the path-attestation fingerprint.

Anamorphism (Replay)

The replay surface — prism's replay component re-exported through prism-verify — is the anamorphism dual to the catamorphism: the unique morphism from the runtime carrier back into the term language, walking the trace’s typed derivation. The trace is the witness of the anamorphism: it records the structural steps the catamorphism took, and the anamorphism walks them in reverse to construct a Certified<GroundingCertificate> without re-evaluating the deciders (TC-05). The catamorphism + anamorphism pair makes a prism application a hylomorphism with verifiable round-trip: a forward map Input → Result<Grounded<Output>, PipelineFailure> (catamorphism) and a recoverable backward map Grounded<Output> → Trace → Certified<GroundingCertificate> (anamorphism via derivation().replay() and prism-verify::certify_from_trace). The Trace is the residue object linking the two directions: it witnesses that a given Grounded<Output> was produced by the catamorphism on a specific term tree, and the anamorphism’s output is a Certified<GroundingCertificate> rather than a return to Input. The structure is therefore not strictly an iso between Input and Output (the backward direction certifies provenance rather than inverting the forward map); the wiki’s use of "iso" in this section is informal shorthand for "deterministic, replay-verifiable round-trip with the trace as witness." This structure does not fit any single standard categorical-optic shape (Lens, Iso, Prism, or Adapter); it is closer to a coalgebra-of-an-algebra (hylomorphism) than to any optic. The implementation crate’s name prism and the trait name PrismModel derive from the architecture’s "compiled prism application" usage and from the prism crate name; they do not denote the categorical Prism optic, and the trait does not realize one.

Fixed Points

The four UOR-domain sealed types (Datum, Triad, Derivation, FreeRank) and the three Prism-mechanism sealed types (Validated, Grounded, Certified) are fixed points of the typed pipeline endofunctor — distinct from the signature endofunctor F above. The pipeline endofunctor is the stage-transition map of the principal data path’s forward direction (Datum → Triad → Derivation → FreeRank → Grounded), with Validated as the input wrapper for pipeline::run and Certified as the round-trip output reachable from Grounded via the anamorphism. The seven sealed types are the endofunctor’s least fixed points (denoted μ for the constructive stages) and greatest fixed points (denoted ν where co-induction over the trace structure applies). The two endofunctors coexist: F structures the term language pipeline::run consumes; the pipeline endofunctor structures the typed sequence pipeline::run produces. The catamorphism from F’s initial algebra (Term) into the pipeline carrier is exactly pipeline::run. (The wiki’s prior μF/νF notation was ambiguous between the two endofunctors; the precise identification is that the seven sealed types are fixed points of the pipeline endofunctor, not of F.) Sealing (TC-02, ADR-011) is the type-system enforcement that no path other than the catamorphism reaches these fixed points: their constructors are pub(crate); only the unique homomorphism produces them. The architectural commitment "sealed values arise only along the principal data path" is the categorical statement that the sealed types' fixed-point inhabitants are exactly the catamorphism’s images.
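The sealing discipline described above, reduced to a single file as an added example (not Prism's code). A module boundary stands in for the crate boundary that `pub(crate)` provides; the signature of `run`, the `ShapeViolation` variant, the `mint` and `downstream` helpers and the FNV-1a fingerprint are hypothetical stand-ins.

```rust
// Added illustration, not Prism's code: a module boundary stands in for the crate
// boundary that `pub(crate)` constructors give the sealed types.
mod sealed_path {
    /// Sealed value: the fields are private, so code outside this module cannot
    /// write a `Grounded { .. }` literal or alter a value it has been handed.
    #[derive(Debug)]
    pub struct Grounded<T> {
        value: T,
        content_fingerprint: u64,
    }

    #[derive(Debug, PartialEq)]
    pub enum PipelineFailure { ShapeViolation } // hypothetical variant name

    impl<T> Grounded<T> {
        // Private constructor: `run` below is the only mint site.
        fn mint(value: T, content_fingerprint: u64) -> Self {
            Grounded { value, content_fingerprint }
        }
        pub fn value(&self) -> &T { &self.value }
        pub fn content_fingerprint(&self) -> u64 { self.content_fingerprint }
    }

    /// The single path that yields a sealed value. The length check and the
    /// FNV-1a fingerprint (not a cryptographic hash) are constructed stand-ins.
    pub fn run(input: &[u8], max_len: usize) -> Result<Grounded<Vec<u8>>, PipelineFailure> {
        if input.is_empty() || input.len() > max_len {
            return Err(PipelineFailure::ShapeViolation);
        }
        let fp = input.iter().fold(0xcbf29ce484222325u64, |h, b| {
            (h ^ *b as u64).wrapping_mul(0x100000001b3)
        });
        Ok(Grounded::mint(input.to_vec(), fp))
    }
}

use sealed_path::{run, Grounded, PipelineFailure};

/// Downstream code can hold and read a sealed value but cannot forge one: both
/// `Grounded { value: vec![], content_fingerprint: 0 }` and `Grounded::mint(..)`
/// fail to compile here because the fields and the constructor are private.
fn downstream(input: &[u8]) -> Result<Grounded<Vec<u8>>, PipelineFailure> {
    run(input, 16)
}

fn main() {
    let g = downstream(b"abc").expect("non-empty input within the bound");
    println!("{:?} fp={:#x}", g.value(), g.content_fingerprint());
}
```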

Why This Reading Matters

The categorical reading is not decorative. It is the structure that lets the compiler discharge a Prism application into hardware-speed code without a runtime layer. Specifically: closure under foundation vocabulary (ADR-013) is the precondition that makes F’s signature complete; completeness lets the compiler generate the catamorphism’s image entirely at the application’s compile time (TC-04, UORassembly), with no runtime indirection through opaque imports. TC-01 (zero-cost runtime) is then the consequence of the categorical structure, not an independent property. The wiki has historically stated TC-01 and ADR-013 as separate commitments; the signature-category reading shows they are two halves of the same theorem (ADR-019).

PrismModel

PrismModel is prism's user-facing surface for declaring an application as a typed route through the foundation hylomorphism — input features compiled into output labels by the catamorphism, with the trace as residue object enabling the recoverable backward direction through the anamorphism. It is the developer’s contract for the structure described by the signature-category reading above; it surfaces the categorical content in vocabulary a developer can act on without learning the underlying mathematics.

Contract

A PrismModel declaration is a parameterized trait impl carrying three associated types and one method. The trait is parameterized by the three substitution axes plus a fourth substrate parameter R: ResolverTuple per ADR-036 (defaulting to NullResolverTuple so models that emit no resolver-bound ψ-Term variants per ADR-035 can omit R at the impl site); the A parameter carries the canonical hash axis bound (A: AxisTuple + Hasher) so <A as Hasher>::initial() is reachable type-associatedly per ADR-022 D5:

```rust
pub trait PrismModel<H: HostTypes, B: HostBounds, A: AxisTuple + Hasher, R: ResolverTuple = NullResolverTuple>
where Self: __sdk_seal::Sealed {
    type Input:  ConstrainedTypeShape + IntoBindingValue;
    type Output: ConstrainedTypeShape + GroundedShape + IntoBindingValue;
    type Route:  FoundationClosed;
    fn forward(input: Self::Input) -> Result<Grounded<Self::Output>, PipelineFailure>;
}
```

| Member | Role |
| --- | --- |
| Input | The shape of the application’s input features. A ConstrainedTypeShape impl declared in foundation vocabulary that also implements IntoBindingValue (so the input value can flow into the CompileUnit's binding-table for Term::Variable { name_index: 0 }; ADR-023). The application author authors this shape (or chooses one from prism's standard library); the SDK shape-construction macros emit the IntoBindingValue impl alongside the ConstrainedTypeShape impl. Site structure is finite. |
| Output | The shape of the application’s output labels. A ConstrainedTypeShape impl declared in foundation vocabulary that also implements GroundedShape. Site structure is finite. |
| Route | A type-level witness of the value-level term tree that maps Input to Output. The witness is emitted by a prism-side proc-macro (prism_model!) from the application author’s syntactic Route declaration (a closure-bodied route function inside the prism_model! invocation; ADR-022, D3); the macro emits both the type-level witness (which Route aliases) and the value-level &'static [Term] slice the route witness’s FoundationClosed::arena_slice() returns (ADR-022, D2, D6). The witness’s nodes range over the full Term enum (twenty-one variants: Literal, Variable, Application, Lift, Project, Match, Recurse, Unfold, Try, AxisInvocation, ProjectField, FirstAdmit, Nerve, ChainComplex, HomologyGroups, Betti, CochainComplex, CohomologyGroups, PostnikovTower, HomotopyGroups, KInvariants); the original nine come from ADR-022 D3, AxisInvocation is the tenth variant added in ADR-029 (originally HasherProjection, generalized per ADR-030 for the universal substrate-extension axis), ProjectField is the eleventh per ADR-033 for product-shape field-access projection, FirstAdmit is the twelfth per ADR-034 for bounded search with structural short-circuit, and the nine ψ-chain variants are the thirteenth through twenty-first per ADR-035 for the structural-witness arm of op:InferenceOperation. The bound that any Route satisfies is closure under foundation vocabulary: every node in the witnessed tree is a foundation-vocabulary item, checked at the application’s compile time by UORassembly via the FoundationClosed trait the macro emits (sealed via the #[doc(hidden)] pub mod __sdk_seal { pub trait Sealed {} } ecosystem idiom; ADR-022, D1, D6). No opaque imports. |
| forward(input: Input) → Result<Grounded<Output>, PipelineFailure> | The inference: the unique homomorphism from Input to Result<Grounded<Output>, PipelineFailure> induced by Route. Implemented as a single call to prism::pipeline::run_route::<H, B, A, Self, R>(input, &resolvers) (the higher-level catamorphism entry point that constructs the CompileUnit from the model’s Route and dispatches into pipeline::run internally; ADR-022, D5; ADR-036). The signature takes no axes value parameter — axis methods are type-associated and invoked through <A as Hasher>::initial() per the A: AxisTuple + Hasher substrate parameter. The author does not write forward's body; it is emitted by the macro. |

The trait’s four-position parameterization (H, B, A, R) makes the H-indexed family of carriers (Foundation as a Signature Category, above; ADR-019 Consequences) a literal feature of the type signature: every impl PrismModel<…> for … block is one member of the family, and an application that uses two distinct axis selections (or two distinct resolver selections) has two impl blocks. The macro processes each impl independently and emits a distinct monomorphized forward per impl.

Compilation as Monomorphism

When the application author selects concrete types for Input, Output, and Route, the Rust toolchain monomorphizes forward into a single concrete machine-code form for the triple. The monomorphization is complete — no late-binding, no trait-object dispatch, no runtime indirection — because Route's closure bound is checked at the application’s compile time (TC-04, UORassembly): a Route that imports a function outside foundation vocabulary fails to compile with an unsatisfied bound. This is the precise sense in which "a compiled prism application is a monomorphism": it is the unique map induced by the initial F-algebra into the target machine-code carrier, and unique-induced maps are mono in any category where the carrier is an embedding. The carrier-is-an-embedding side-condition holds by two mechanisms acting together: the seal regime ensures that only the catamorphism constructs sealed values (TC-02, ADR-011), and content-addressing ensures that the catamorphism is injective: Grounded<T> carries unit_address: ContentAddress and content_fingerprint: ContentFingerprint, both derived from the originating CompileUnit (whose root_term is an element of Term), so distinct Term trees produce Grounded<T> values that differ at one of those two identity fields. Injectivity holds modulo content-addressing collisions, which is the standard cryptographic-strength assumption on the selected Hasher (ADR-007, ADR-018). The two mechanisms together — seal-regime gating of construction plus content-addressing-based injectivity — establish the faithful-inclusion property the embedding requires. The category is therefore one in which the unique-induced map from the initial algebra is monic, and "compiled prism application is a monomorphism" follows.

Real-Time Inference

The framing the developer reads is: "input features come in; types route them to output labels; the pipeline is the route’s compiled form; runtime cost is the cost of executing the route." The framing the architecture supports is: "every step is a foundation-vocabulary morphism; the route is an F-algebra homomorphism; the compilation is the unique map induced by initiality; the runtime form is monomorphized native code." The two framings are the same statement at two levels of abstraction. Real-time inference names the operational behavior — features arrive at runtime, the route runs at hardware speed, output labels are sealed Grounded values — without requiring the developer to learn the categorical vocabulary; the categorical vocabulary is the foundation chapter’s content.

Replay Side

A PrismModel produces a Grounded<Output> from which a Trace is recoverable via derivation().replay(). The trace is the witness of the catamorphism — the typed derivation steps that produced the output. The application user (or any third party) takes the trace through prism-verify's certify_from_trace to obtain a Certified<GroundingCertificate> (TC-05, Scenario 2). This is the anamorphism direction of the hylomorphism: the trace lets a verifier reconstruct the certificate without invoking the application author’s deciders or any cryptographic hasher beyond identifier matching. The model + trace pair is what makes the application a verifiable hylomorphism rather than just a function: both directions are witnessed by the trace as residue object linking the catamorphism’s image (Grounded<Output>) to the anamorphism’s image (Certified<GroundingCertificate>).
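A simplified model of the verifier-side checks, added here as an example and not prism-verify's implementation. Field names come from the Trace Structure table; the `Stage` enum, the one-transition-per-event `TraceEvent`, the flat `Certified` struct, the `certify_from_trace` signature, every error variant except `HasherMismatch`, and all values are assumptions.

```rust
// Added illustration of verifier-side checks; not prism-verify's code. Field names
// follow the Trace table; all other names, widths and values are hypothetical.
const TRACE_REPLAY_FORMAT_VERSION: u32 = 1; // constructed value

#[derive(Clone, Copy, Debug, PartialEq)]
enum Stage { Datum, Triad, Derivation, FreeRank, Grounded }
#[derive(Debug)]
struct TraceEvent { from: Stage, to: Stage } // simplified: one transition per event
#[derive(Debug)]
struct Trace {
    format_version: u32,
    events: Vec<TraceEvent>,
    fingerprint: [u8; 8], // stand-in width for ContentFingerprint
    hasher_identifier: u32,
}
#[derive(Debug, PartialEq)]
enum ReplayError { UnknownFormatVersion, TooManyEvents, HasherMismatch, BadTransition(usize) }
#[derive(Debug, PartialEq)]
struct Certified { fingerprint: [u8; 8] }

/// Walks the trace structurally. No decider is re-run and no hash is computed:
/// the hasher is matched by identifier only and the fingerprint is copied through.
fn certify_from_trace(t: &Trace, verifier_hasher: u32, max_events: usize) -> Result<Certified, ReplayError> {
    if t.format_version != TRACE_REPLAY_FORMAT_VERSION { return Err(ReplayError::UnknownFormatVersion); }
    if t.events.len() > max_events { return Err(ReplayError::TooManyEvents); }
    if t.hasher_identifier != verifier_hasher { return Err(ReplayError::HasherMismatch); }
    let mut at = Stage::Datum;
    for (i, ev) in t.events.iter().enumerate() {
        // Each event must start where the previous one ended and advance one stage.
        if ev.from != at || ev.to as u8 != ev.from as u8 + 1 { return Err(ReplayError::BadTransition(i)); }
        at = ev.to;
    }
    if at != Stage::Grounded { return Err(ReplayError::BadTransition(t.events.len())); }
    Ok(Certified { fingerprint: t.fingerprint })
}

/// Constructed sample: the four forward transitions, in order.
fn sample_trace() -> Trace {
    use Stage::*;
    let path = [Datum, Triad, Derivation, FreeRank, Grounded];
    let events = path.windows(2).map(|w| TraceEvent { from: w[0], to: w[1] }).collect();
    Trace { format_version: TRACE_REPLAY_FORMAT_VERSION, events, fingerprint: [0xA5; 8], hasher_identifier: 7 }
}

fn main() {
    println!("{:?}", certify_from_trace(&sample_trace(), 7, 16));
}
```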

<Concept 1>

Resolved by the substantive concepts above: Trace Wire Format, Certificate Format, Sealing Discipline, Hashing Substrate Contract.

<Concept 2>

Resolved by the substantive concepts above: Error Model, #![no_std] Posture, Feature Flags, Observability.

<Concept n>

Resolved by the substantive concepts above: UORassembly Contract Definition, Operation Declaration, Closure Under uor-foundation, Closure Across Layers, Cross-Crate Construction Surface, Foundation as a Signature Category, PrismModel. The concepts above are exhaustive; the chapter specifies no further cross-cutting concepts beyond those.
