The Eight Components (C1–C8)
Overview
Section titled “Overview”mempill is structured around eight components. Together they cover the full lifecycle of a claim: ingestion, reconciliation, commitment, projection, and audit. Each component has a single, bounded responsibility; no component performs the work of another. Each component maps to one or more of the Key Invariants (I1–I11).
C1 — Gateway
Section titled “C1 — Gateway”The Gateway is the ingestion entry point for every claim. It validates the incoming claim’s shape, checks that all required provenance fields are present, and verifies temporal coherence (the valid-time range is internally consistent and non-degenerate). Claims that fail any check are rejected before they reach the write path. The Gateway also assigns the immutable ProvenanceLabel at write time — once assigned, provenance cannot be changed by any downstream component.
C2 — Truth Engine
Section titled “C2 — Truth Engine”The Truth Engine is the read-time canonical valid-time fold that derives the current belief from the full claim history. Belief is computed on every read — it is never stored as a materialized row. The fold is a pure function of the committed claim store, making it arrival-order-independent: a claim ingested late is ranked by its valid-time position, not by when it arrived. The Truth Engine is the primary enforcement point for Bi-Temporal Claim Store semantics.
C3 — Reconciler
Section titled “C3 — Reconciler”The Reconciler classifies how an incoming claim relates to the existing subject-line before any commit decision is made. It distinguishes three cases: no conflict (the new claim occupies a disjoint valid-time range), clean temporal succession (the new claim immediately follows the incumbent, with no overlap), and a genuine same-line conflict (the ranges overlap and the values differ). Only the third case escalates to C7. See Valid-Time Succession for how clean succession is resolved without oracle involvement.
C4 — Supersession
Section titled “C4 — Supersession”Supersession records that one claim supersedes another by writing a bounding validity assertion that closes the incumbent’s valid-time range. The original claim is never deleted or modified — it is retained in full in the append-only store (I1). Supersession is the mechanism by which belief moves forward in time without destroying history: the old belief is bounded, the new belief is committed, and both remain auditable.
C5 — Projection
Section titled “C5 — Projection”Projection turns the folded belief produced by C2 into the user-facing view. It computes currency and staleness signals (including AgingUnconfirmed decay), surfaces Contested status where conflicts are unresolved, and maps the belief state to one of the 12 disposition outcomes. Projection does not write anything — it is a pure read-time transformation. See Contested & Dispositions for the full disposition model.
C6 — Amplification Guard (provenance firewall)
Section titled “C6 — Amplification Guard (provenance firewall)”The Amplification Guard is the safety boundary that prevents belief-amplification loops on the write path. It detects RecallReEntry — engine output re-entering the write path — and corroborates the existing claim by identity rather than creating a duplicate. It enforces provenance-independence for corroboration (the same extractor cannot accumulate independent corroboration weight for its own output), applies burst quarantine when ingest rate is anomalous, and caps derivation depth. Without this guard, an agent that recalls its own memory, extracts claims from it, and re-ingests them would amplify every belief unboundedly. See Provenance Firewall.
C7 — Adjudication Gate
Section titled “C7 — Adjudication Gate”The Adjudication Gate is the deterministic commit router. It sends new, non-conflicting first-hand external facts down the cheap path (direct commit). It sends belief overturns — where an incoming claim contradicts a committed one — down the heavy path (oracle escalation). When no oracle is configured and a conflict arrives, the Gate marks the belief Contested rather than picking a silent winner. The Gate enforces I5 (stochastic proposes, never commits) and I7 (Contested is first-class). See The Adjudication Gate and Oracle Resolution Loop.
C8 — Audit Ledger
Section titled “C8 — Audit Ledger”The Audit Ledger is the append-only event log that records every committed claim, every validity assertion (supersession or invalidation bound), and every adjudication outcome. It is the basis for full auditability and bi-temporal replay: given the Ledger, the complete belief history for any subject-line can be reconstructed at any past instant. The Ledger is written atomically with its associated claim and bounding assertion (I9 — no torn state).
Component-to-invariant mapping
Section titled “Component-to-invariant mapping”Each component enforces one or more of the Key Invariants (I1–I11). The full mapping is on the invariants page.