CONCEPTS

Conceptual model

Verdaca's architecture is built around two independent axes of extensibility: the horizontal persona layer, where you compose who deliberates, and the vertical adapter layer, where you configure what infrastructure those personas use. Understanding how the kernel mediates between them is the key to extending the platform without breaking existing workflows.

Two-axis pluggability

The horizontal axis controls deliberation composition — which personas are in the room and in what sequence they reason. The vertical axis controls substrate — which memory backend, model provider, and compaction engine the kernel routes through. A change on one axis has no effect on the other, because both axes talk only to the port contracts in between.

Two-axis pluggability — layered architecture A five-layer stack: Workflows, Agents (five plug-in persona packs forming the horizontal axis), the Kernel, Ports, and Adapters. The kernel, ports and adapters form the vertical substrate axis. TWO-AXIS PLUGGABILITY WORKFLOWS AGENTS KERNEL PORTS ADAPTERS Strategy review · Code review · Hiring · M&A diligence · Architecture review HORIZONTAL AXIS — SWAP ANY PACK, NO KERNEL CHANGE Strategy UX / Design Software Eng Data Science Your custom Orchestration · Routing · Provenance Domain-blind — protocol only, no editorial judgment Memory · LLM Proxy · Compaction · QA · Gateway · Channel Mem0 / Letta · Anthropic / OpenAI · Teams / Slack · Forge / Caveman / … VERTICAL AXIS — KERNEL, PORTS & ADAPTERS SWAP FREELY, NO AGENT CHANGE

The front door — auth-first ingress

Before any agent reasons, a request has to get in. A message from Microsoft Teams or Slack arrives at one channel-neutral gateway and clears four sequential checks — signature verification, per-user OIDC identity (RS256 / JWKS), replay/nonce rejection, and a budget ceiling. Only an authenticated, in-budget request reaches the deliberation loop below; anything that fails a check is rejected at the door.

Design-partner preview. The spine is verified against a local OIDC validator; connectors for commercial identity providers (Entra, Okta, Auth0) are configuration-level and not yet exercised — shown dashed below.

The front door — auth-first ingress Inbound messages from Microsoft Teams and Slack converge on one gateway. Each request passes four sequential checks — signature verification, OIDC identity, replay/nonce rejection, and a budget ceiling — before the deliberation loop runs. Commercial identity-provider connectors are configuration-level and not yet exercised. AUTH-FIRST INGRESS · THE FRONT DOOR INBOUND CHANNELS Microsoft Teams Slack AUTH-FIRST SPINE ① Signature verify ② Identity — OIDC RS256 / JWKS ③ Replay / nonce reject ④ Budget — spend ceiling Gateway DELIBERATION LOOP ↓ ENTRA · OKTA · AUTH0 — CONFIG-LEVEL, NOT YET EXERCISED EVERY INBOUND MESSAGE CLEARS ALL FOUR CHECKS BEFORE ANY AGENT REASONS

Deliberation loop

Each persona in a session passes through a fixed five-phase loop: receive the current context, reason against its role constraints, propose an output, pass through the quality gate, and emit to the synthesis layer. Proposals that fail the gate re-enter the reason phase rather than propagating downstream. The kernel coordinates sequencing and provenance; it does not interpret domain content.

Deliberation loop — five-phase pipeline An authenticated, in-budget request handed off by the gateway enters the Receive phase, then flows through Reason, Propose, Gate and Emit to the synthesis layer. Proposals rejected at the Gate return to the Reason phase. DELIBERATION LOOP FROM GATEWAY RECEIVE REASON PROPOSE GATE EMIT SYNTHESIS LAYER REJECT — RE-REASON The five-phase loop runs once per persona, each round.

Kernel responsibilities

The kernel handles three things and nothing else:

ADVISORY

The kernel has no domain knowledge and applies no editorial judgment. If two personas reach contradictory conclusions, both are preserved in the output; resolution is the human practitioner's call, not the kernel's.

Adapter contract

Every adapter in Verdaca implements the same typed protocol for its port category. The memory adapter contract, for example, requires three methods. Any class that satisfies the protocol — including custom implementations — is a valid drop-in.

class MemoryAdapter(Protocol):
    def store(self, key: str, value: Any) -> None: ...
    def retrieve(self, key: str) -> Optional[Any]: ...
    def search(self, query: str, top_k: int) -> list[Any]: ...

Vendored components

These are the pinned components Verdaca vendors and validates at the adapter layer. Each pin is a specific version or commit SHA chosen for behavioral reproducibility — both Apache-2.0 and MIT entries are license-clean for commercial distribution, and "validates" means Verdaca's contract tests run against the pinned artifact on every build, not against the upstream tip.

Component Purpose Pinned version
mem0 Memory adapter — hybrid vector + graph store v1.0.11 (Apache-2.0)
letta Memory adapter — stateful memory management v1.10.3 (Apache-2.0)
tonl Serialization — structured agent message format pinned SHA (Apache-2.0)
beads Versioned-state — conversation state versioning pinned SHA (MIT)
forge Compaction — context window compaction pinned SHA (MIT)
pi-mono Cost-meter — per-session token cost tracking pinned SHA (MIT)
rtk LLM-proxy — model-provider routing adapter pinned SHA (MIT)

Pinned versions are locked in pyproject.toml and verified against the no-waiver conformance suite on every release; a version bump requires a passing test run before the pin advances.