CVN-N001-EK-S02 — Architecture: the D2 derivation control plane

Story artifact required by ADR-0101. S02 is an analysis-only Story, so "architecture" here is the data / derivation pipeline + decision-gate architecture (Invariant 3), not runtime code. Companions: the plan dossier, ADR-0102, the charter draft S02 fills.

1. What this architecture is

S02 turns the charter's placeholders into signed values (or a typed INFEASIBLE) using only existing data, read-only. The architecture is a derivation pipeline gated by decision points: each charter value is derived → graded → gated → (accepted | typed INFEASIBLE), and no value reaches the charter without passing the provenance gate. It runs no training, no Airflow launcher, no Phase-2 predictive test — that boundary is structural, not advisory.

2. Components & control flow

flowchart TB
    subgraph IN["Inputs (read-only, existing)"]
        OHLCV["OHLCV cache"]
        LAB["Labels (ATR-H4 triple-barrier)"]
        COST["Trade / cost logs"]
        EXP["Exploratory results<br/>(context only — §8.1)"]
    end
    subgraph DERIV["Derivation engine (notebooks/scripts, read-only)"]
        CAP["Reference-capacity rule (§9.1)"]
        P90["P90 cost (§9.2)"]
        MAP["E_econ_min → E_pred_min (§10)"]
        PWR["Power sim → MDE / N_min (§11)"]
        NULL["Null-gate → primary (§12)"]
        BUD["Budgets proposal<br/>(non-locking)"]
        SOR["Sortino R1 note<br/>(not a gate)"]
    end
    subgraph GATE["Decision gates"]
        TIER{"Cost tier?"}
        FEAS{"MDE ≤ E_pred_min?"}
        VALID{"valid conservative null?"}
        PROV{"signed derivation? (§4)"}
    end
    INF["Typed INFEASIBLE record (§7)"]:::inf
    BLOCK["Blocked — cannot feed charter"]:::block
    PCOST["Provisional non-lockable cost bound"]:::prov
    VAL["Unlocked charter values<br/>+ proposals + notes"]:::ok
    OHLCV & LAB & COST --> CAP
    EXP -. "failure-modes / data-quality only" .-> DERIV
    CAP --> P90 --> TIER
    TIER -- "A/B lockable" --> MAP
    TIER -- "C provisional" --> PCOST --> S02C["S02 complete · S03 blocked"]
    TIER -- "D unsupported" --> INF
    MAP --> PWR --> FEAS
    FEAS -- "yes" --> NULL --> VALID
    FEAS -- "no & N_min infeasible" --> INF
    VALID -- "yes" --> PROV
    VALID -- "no" --> INF
    BUD --> PROV
    SOR --> PROV
    PROV -- "yes" --> VAL
    PROV -- "no (unsigned)" --> BLOCK
    VAL --> S03["→ S03 charter lock (Tier A/B only)"]
    INF --> REM["→ remediation (typed next action §7)"]
    classDef inf fill:#6b7280,color:#fff;
    classDef block fill:#dc2626,color:#fff;
    classDef prov fill:#d97706,color:#fff;
    classDef ok fill:#16a34a,color:#fff;

| Component | Role | Plan ref |
| --- | --- | --- |
| Inputs (read-only) | existing cache / labels / cost logs; exploratory = context only | §8 |
| Reference-capacity rule | pre-specified order size before cost; conservative tie-breaker | §9.1 |
| P90 cost + tiers | evidence-graded cost; only Tier A/B lockable | §9.2 |
| Mapping | distinct E_econ_min / E_pred_min + monotonicity check | §10 |
| Power sim | MDE_available vs E_pred_min; N_min; reproducible contract | §11 |
| Null-gate | conservative primary + invalidity criteria | §12 |
| Budgets (non-locking) · Sortino (not a gate) | proposals · R1 definition note | §14 · §13 |
| Decision gates | cost-tier · feasibility · null-validity · provenance | §9.2 · §11 · §12 · §4 |
| Output | unlocked signed values + proposals + notes or typed INFEASIBLE | §15 · §16 |

The pipeline is fail-honest: a value that cannot be defensibly derived gets no placeholder — it routes to the matching INFEASIBLE reason (§7). The first blocker is cost/capacity (§9.x).

3. Output schemas (interfaces)

Signed value record MUST contain: value_name · value · units · derivation_artifact (signed, §4) · evidence_tier (if cost-related) · lockability (lockable | non-lockable) · source_data_hashes · reviewer_status.

Typed INFEASIBLE record MUST contain: reason · trigger · failed_derivation · evidence_attempted · allowed_next_action · blocked_downstream · required_remediation_artifact.

4. Provenance — a gate, not a log

Provenance is a gate: a value reaches the charter only if it carries a signed derivation. A signed derivation = immutable artifact path or MLflow run id · git commit SHA · input dataset versions / hashes · code version · parameters · author · reviewer · generated timestamp · reproducible command / notebook execution record. MLflow is provenance-only — it never denotes a training or predictive run, and an MLflow run id may never be cited as predictive evidence.

5. Control invariants & violation handling

| Invariant | Enforced by | Violation consequence |
| --- | --- | --- |
| S02 is analysis-only: no training, no Airflow launcher, no Phase-2 predictive run | Decision boundary (§9 below) + operator STOP rule | S02 derivation invalidated + escalated to operator; no value may feed S03 |
| Exploratory results are context-only | Input boundary (§8.1) | the affected tuple coordinate must be registered + budgeted, or the derivation is invalidated |
| Tier C cost is non-lockable | Cost-tier gate (§6) | S02 may produce a provisional non-lockable artifact; S03 lock blocked until Tier A/B |
| Tier D cost is unsupported | Cost-tier gate (§6) | typed INFEASIBLE-cost-data |
| Every charter value requires a signed derivation | Provenance gate (§4) | unsigned value cannot be written into the charter |
| E_econ_min and E_pred_min stay distinct | Mapping contract (§10) | mapping derivation rejected if predictive lift is treated as economic edge |
| Diagnostic nulls cannot promote a tuple | Null-gate contract (§12) | null derivation non-lockable; S03/S04 cannot proceed on diagnostic-only evidence |
| MLflow is provenance-only | Provenance contract (§4) | MLflow run id cannot be cited as training / predictive-run evidence |

6. Cost-tier routing

  • Tier A/B evidence may produce a lockable P90 cost candidate for S03.
  • Tier C evidence may produce a provisional, non-lockable cost bound. It may complete S02 only as a labelled non-lockable artifact; it cannot feed an S03 charter lock. Risk-owner approval may allow a Tier-C bound to be carried forward as explicit context, but cannot convert Tier C into lockable Tier A/B evidence (the risk owner approves an exploratory state, never ratifies a cost).
  • Tier D evidence is unsupported → typed INFEASIBLE-cost-data. Unlike Tier C, Tier D cannot be carried even as non-lockable context — there is no defensible bound to carry.
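
A sketch of the §4 provenance gate combined with the §6 tier rules, added here as an example and not the project's own code. The top-level fields are the ones §3 lists; the `DERIVATION_KEYS` names, the decision strings and the sample values are assumptions made for illustration.

```python
# Added illustration, not project code. Top-level field names come from §3.
SIGNED_VALUE_FIELDS = {
    "value_name", "value", "units", "derivation_artifact",
    "lockability", "source_data_hashes", "reviewer_status",
}
# Assumed key names for the §4 elements of a signed derivation.
DERIVATION_KEYS = {
    "artifact_ref", "git_commit_sha", "input_hashes", "code_version",
    "parameters", "author", "reviewer", "generated_at", "repro_command",
}

def provenance_gate(record):
    """Return (decision, reasons); decision is ACCEPT, BLOCK or INFEASIBLE."""
    tier = record.get("evidence_tier")  # present only on cost-related values
    if tier == "D":  # §6: no defensible bound, not even as context
        return "INFEASIBLE", ["cost-data: Tier D evidence is unsupported"]
    reasons = []
    missing = sorted(SIGNED_VALUE_FIELDS - set(record))
    if missing:
        reasons.append(f"missing fields: {missing}")
    deriv = record.get("derivation_artifact")
    if not isinstance(deriv, dict):
        deriv = {}
    unsigned = sorted(k for k in DERIVATION_KEYS if deriv.get(k) in (None, ""))
    if unsigned:
        reasons.append(f"unsigned derivation, missing: {unsigned}")
    lockability = record.get("lockability")
    if lockability not in ("lockable", "non-lockable"):
        reasons.append("lockability must be lockable or non-lockable")
    elif tier == "C" and lockability != "non-lockable":
        reasons.append("Tier C evidence must be labelled non-lockable")
    return ("BLOCK", reasons) if reasons else ("ACCEPT", [])

def sample_record(tier, lockability, signed=True):
    """Constructed record; every value here is a placeholder."""
    keys = DERIVATION_KEYS if signed else {"artifact_ref"}
    return {
        "value_name": "p90_cost", "value": 1.0, "units": "constructed",
        "derivation_artifact": {k: "constructed" for k in keys},
        "evidence_tier": tier, "lockability": lockability,
        "source_data_hashes": ["constructed"], "reviewer_status": "constructed",
    }

if __name__ == "__main__":
    for tier, lock in [("A", "lockable"), ("C", "lockable"), ("D", "lockable")]:
        print(tier, lock, provenance_gate(sample_record(tier, lock)))
```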

Committee review (doc set) — PASSED, strong consensus, 5/5 (8.5–9.5), OP Meeting #274. Doc-level recommendations applied (Tier-D-not-even-context · reproducibility tolerance · exploratory post-hoc clause). Routed to S03/S04 (non-doc): automated CI enforcement of the test-strategy §5/§11 tests · concrete artifact-path / MLflow naming + pre-commit hooks · regime-aware power (pre/post-halving, vol regimes) · slippage/VWAP + stress-case cost modelling · deployment-capacity decoupling (S04) · input-drift checksums · operator dry-run on STOP-and-ask.

7. Typed INFEASIBLE (states this architecture routes)

Single ADR-0102 verdict, typed reason (full table: plan §15):

| reason | trigger | downstream |
| --- | --- | --- |
| cost-data | no Tier A/B cost (Tier D) | instrument costs; S03 blocked |
| capacity | no defensible reference capacity | define/justify capacity; S03 blocked |
| power | MDE_available > E_pred_min & N_min infeasible | widen universe / folds |
| mapping | no monotonic predictive→economic mapping | change metric / mapping basis |
| null | no defensible null (split/label) | fix split / labels |

A typed INFEASIBLE is a successful S02 outcome; it blocks S03 until the cause is remediated.

8. Roles

| Role | In S02 |
| --- | --- |
| Analyst / operator | runs read-only derivations; launches nothing |
| Methodology reviewer | validates power / null / mapping method |
| Risk owner | reviews cost tier + non-deployment framing; the only authority that may carry a Tier-C bound forward as context — cannot make it lockable (§6) |

9. Boundaries & non-goals

No training · no Airflow launcher · no Phase-2 run · no model/threshold selection · no charter lock · no trading authority. The reference capacity is non-deployment (research only) and must never be used for AUM sizing. If the analysis requires any run, STOP and ask the operator — S02 does not launch autonomously.

10. Contract traceability

| Architecture contract | Source plan section | Downstream artifact |
| --- | --- | --- |
| Reference capacity | plan §9.1 | capacity derivation note |
| P90 evidence tiers | plan §9.2 | cost evidence note |
| E_econ/E_pred mapping | plan §10 | mapping note |
| Power rule + contract | plan §11 | power report (+ N_min) |
| Null-gate selection | plan §12 | null-candidate comparison |
| Budgets proposal | plan §14 | budget proposal |
| Sortino R1 | plan §13 | Sortino definition note |
| Signed derivation | plan §16 | provenance record |
| Typed INFEASIBLE | plan §15 | typed INFEASIBLE record |

11. Story → downstream

| Output | Consumes / feeds |
| --- | --- |
| Charter values (Tier A/B lockable, signed) | S03 charter lock (joint sign-off + risk-owner veto) |
| Tier-C provisional | analysis artifact only — S03 blocked until Tier A/B or explicit risk-owner context approval |
| Typed INFEASIBLE | remediation per §7 (instrument cost · widen universe · change metric · fix split) |
| Budgets proposal | S03 lock |
| First Phase-2 run using these values | S04 (not S02) |

12. Reader / audit checklist

A reviewer can validate this architecture by checking:

  1. No output path bypasses provenance (§4 gate — every VAL edge passes PROV).
  2. No Tier-C path reaches an S03 lock (§6).
  3. No exploratory input reaches derivation except as failure-mode / data-quality context (§5, §8.1).
  4. No Phase-2 run / training / launcher is reachable from S02 (§9).
  5. Every INFEASIBLE reason has a remediation path (§7).
  6. Risk-owner approval cannot convert Tier C into lockable evidence (§6, §8).
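
Checklist items 1, 2 and 5 are structural properties of the §2 flowchart, so they can be checked mechanically by reachability. The following is an added example, not part of the original document: the edge list is transcribed from the diagram, while the function names and result keys are assumptions.

```python
from collections import defaultdict

# Edges transcribed from the §2 flowchart (node ids as in the diagram).
EDGES = [
    ("OHLCV", "CAP"), ("LAB", "CAP"), ("COST", "CAP"), ("EXP", "DERIV"),
    ("CAP", "P90"), ("P90", "TIER"),
    ("TIER", "MAP"), ("TIER", "PCOST"), ("TIER", "INF"), ("PCOST", "S02C"),
    ("MAP", "PWR"), ("PWR", "FEAS"), ("FEAS", "NULL"), ("FEAS", "INF"),
    ("NULL", "VALID"), ("VALID", "PROV"), ("VALID", "INF"),
    ("BUD", "PROV"), ("SOR", "PROV"), ("PROV", "VAL"), ("PROV", "BLOCK"),
    ("VAL", "S03"), ("INF", "REM"),
]

def reachable(edges, starts, removed=()):
    """Nodes reachable from `starts` once the `removed` nodes are deleted."""
    graph = defaultdict(list)
    for src, dst in edges:
        if src not in removed and dst not in removed:
            graph[src].append(dst)
    seen, stack = set(), [s for s in starts if s not in removed]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph[node])
    return seen

def audit(edges):
    """Checklist items 1, 2 and 5 plus a BLOCK check; True means it holds."""
    # Entry points are the nodes that have no incoming edge.
    sources = {s for s, _ in edges} - {d for _, d in edges}
    return {
        # With PROV deleted, VAL must be unreachable from every entry point.
        "1_val_only_via_prov": "VAL" not in reachable(edges, sources, {"PROV"}),
        "2_tier_c_never_locks": "S03" not in reachable(edges, {"PCOST"}),
        "5_infeasible_remediates": "REM" in reachable(edges, {"INF"}),
        "blocked_is_terminal": reachable(edges, {"BLOCK"}) == {"BLOCK"},
    }

if __name__ == "__main__":
    print(audit(EDGES))
```

Re-running `audit` on the edge list whenever the diagram changes turns these checklist items into a regression check; a shortcut edge such as a direct PCOST to VAL link makes items 1 and 2 fail.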