Architecture

Immutable Core

Kernel code is frozen. No proxy admin. No upgrade hooks. Security comes from constraints, not promises.

What it means
Deployment is final: the kernel’s core logic cannot be swapped or patched by an owner.
Why it matters
Removes “trust us” risk: no hidden upgrades, no admin backdoors, a smaller attack surface.
How you extend
By modules (validators) and policies, not by changing the kernel.
Immutable Core — in practice
Security contract
  • No proxy pattern in the kernel deployment path.
  • No privileged upgrade role (no “admin” who can replace logic later).
  • All evolution happens outside the kernel: validators, policies, off-chain tooling.
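One way to check the "no proxy pattern" claim against deployed runtime bytecode, as an added example that is not the project's own code: a linear opcode sweep that reports DELEGATECALL, CALLCODE and SELFDESTRUCT while skipping PUSH immediates. Both sample bytecodes are constructed (the first is the EIP-1167 minimal-proxy runtime with a placeholder address), and because a linear sweep also walks trailing compiler metadata, hits are review items rather than proof.

```python
# Added example: static sweep of EVM runtime bytecode for opcodes that let
# foreign logic run in, or remove, the contract at this address.
# Opcode values are from the EVM instruction set.
RISKY = {0xF2: "CALLCODE", 0xF4: "DELEGATECALL", 0xFF: "SELFDESTRUCT"}
PUSH1, PUSH32 = 0x60, 0x7F

# Constructed sample 1: EIP-1167 minimal proxy runtime. The 20-byte target
# address is a placeholder made of 0xf4 bytes to exercise push-data skipping.
MINIMAL_PROXY = "363d3d373d3d3d363d73" + "f4" * 20 + "5af43d82803e903d91602b57fd5bf3"

# Constructed sample 2: PUSH1 0xf4, PUSH1 0, MSTORE, PUSH1 0x20, PUSH1 0, RETURN.
# The 0xf4 here is an immediate operand, not an instruction.
PLAIN = "60f460005260206000f3"


def risky_opcodes(runtime_hex):
    """Return [(offset, name)] for each risky opcode found as an instruction."""
    if runtime_hex.startswith("0x"):
        runtime_hex = runtime_hex[2:]
    code = bytes.fromhex(runtime_hex)
    hits, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op in RISKY:
            hits.append((pc, RISKY[op]))
        # PUSH1..PUSH32 carry 1..32 immediate bytes that are data, not code.
        pc += 1 + (op - PUSH1 + 1 if PUSH1 <= op <= PUSH32 else 0)
    return hits


if __name__ == "__main__":
    for label, sample in (("minimal proxy", MINIMAL_PROXY), ("plain", PLAIN)):
        print(label, risky_opcodes(sample))
```
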
Recommended usage
  • Keep kernel minimal.
  • Put business logic into validators (spend limits, allowlists, TTL, risk rules).
  • Use panic/revocation for instant shutdown.