Understanding the Cosmos SDK is mostly about understanding how it glues your state machine on top of CometBFT/Tendermint through ABCI, and how it forces you into a sane modular architecture with modules and keepers.
Once you see that picture, “Cosmos app‑chains” stop being magic and start looking like a well‑structured Go monolith that just happens to be replicated by a consensus engine.
1. Big Picture: CometBFT + ABCI + Cosmos SDK
Cosmos chains are split into two halves:
+----------------------------+
| CometBFT / Tendermint |
| - Consensus + networking |
| - Mempool |
+--------------+-------------+
| ABCI
v
+----------------------------+
| Cosmos SDK Application |
| - BaseApp |
| - Modules + Keepers |
| - Multistore (state) |
+----------------------------+
CometBFT (formerly Tendermint Core) is a generic BFT state‑machine replication engine. It orders transactions and drives block production.(Tendermint Core Documentation)
The Application Blockchain Interface (ABCI) is the boundary between consensus and your app. CometBFT calls ABCI methods like CheckTx, DeliverTx, BeginBlock, EndBlock, and Commit; the app implements them and mutates its own state.(Cosmos Documentation)
The Cosmos SDK is everything below that line: a framework for writing the ABCI app as a set of modules, not a giant switch statement.(Cosmos Documentation)
2. Cosmos SDK Core: BaseApp and Multistore
At the centre of every SDK chain is BaseApp:
+-----------------------------+
| BaseApp |
+-----------------------------+
| - ABCI handlers |
| - Router (Msg / Query) |
| - Multistore (KV stores) |
| - AnteHandler (auth / gas) |
+-----------------------------+
BaseApp gives you a ready‑made ABCI implementation wired to a multistore: a collection of key‑value stores keyed by module. It implements the main ABCI methods (CheckTx, DeliverTx, InitChain, BeginBlock, EndBlock, Commit, Info, Query) and routes messages to modules.(Cosmos Tutorials)
You extend BaseApp to build your chain:
- Wire in modules and their keepers.
- Configure which module runs in
BeginBlocker,EndBlocker,InitGenesis. - Register message and query routers.
The result is an app‑specific blockchain: you own the state machine and business logic, CometBFT handles consensus and P2P.(Cosmos Documentation)
3. Modules: Building Blocks of the State Machine
Cosmos SDK applications are composed of modules:
App
├─ x/auth (accounts)
├─ x/bank (balances)
├─ x/staking (validators, delegations)
├─ x/gov (governance)
└─ yourmodule (domain-specific logic)
Each module owns:
- A slice of the state (its KV store).
- A Msg service (state‑transition entrypoints).
- A Query service (read‑only RPCs).
- A keeper (the Go struct that actually manipulates state).(Cosmos Documentation)
The SDK’s module manager wires these together and controls the order in which modules run during InitGenesis, BeginBlock, EndBlock, and export/import operations.(Cosmos Documentation)
This modularity is why Cosmos talks about “application‑specific blockchains”: you pick a set of modules, configure them, add a few of your own, and now you have a chain that behaves exactly like your application domain requires.(Cosmos Documentation)
4. Keepers: The Service Layer for On‑Chain State
The keeper pattern is the heart of SDK design.
A keeper is a Go struct that:
- Holds typed access to the module’s KV store(s).
- Encapsulates all state‑mutation logic.
- Optionally holds references to other modules’ keepers.(Interchain Developer Academy)
In rough terms:
+---------------------------+
| Keeper (x/bank) |
+---------------------------+
| - storeKey (bank store) |
| - cdc (codec) |
| - hooks / params |
| - other keepers (staking) |
+---------------------------+
^ ^
| |
Msg server Query server
Message handlers and gRPC query servers call into keepers instead of touching the store directly. Other modules also call exported keeper methods rather than reaching across into each other’s KV stores.
This gives you:
- Encapsulation: only keepers know the key layout and invariants.
- Testability: you can unit‑test keepers without ABCI plumbing.
- Composability: modules depend on each other via clearly defined APIs, not shared global state.(Interchain Developer Academy)
Production note: Almost every messy Cosmos bug report I’ve seen starts with “we bypassed the keeper and wrote straight to the store.” The framework really wants you to keep state mutations in keepers and nowhere else.
5. Msg Services: State Transitions
In modern Cosmos SDK, state transitions happen through protobuf Msg services.
Each module defines a Msg service in protobuf. For example, x/bank defines messages like “Send” and “MultiSend”, and a MsgServer implementation runs on chain.(Cosmos Documentation)
Flow per transaction:
Tx (set of protobuf Msgs)
|
v
BaseApp Msg router
|
v
Module MsgServer
|
v
Keeper methods (write KV stores)
The pattern is simple:
Msgtypes are just data (who, what, how much).- MsgServer methods validate and do minimal orchestration.
- Keepers perform the real business logic and invariants.(Cosmos Documentation)
This separation keeps state transitions explicit and keeps the ABCI layer very thin: DeliverTx decodes tx bytes into Msgs, routes them, and lets modules handle the rest.
6. Queries: Read‑Only State Access
Queries are the read side of the coin.
Modules expose Query services (protobuf gRPC services) that BaseApp wires into its query router. Clients call these via gRPC or REST to read account balances, staking info, governance proposals, custom module state, and so on.(Cosmos Documentation)
Internally, query handlers:
- Use the same keeper APIs, but in read‑only mode.
- Walk the module’s KV store(s) using prefixes and iterators.
- Return protobuf responses.
This separation between Msg and Query services is one of the core design patterns: write through Msgs, read through Queries, never mutate state in a query.
7. ABCI Lifecycle: Blocks and Transactions
ABCI is just a list of methods, but together they define the application lifecycle. A typical block looks like:
BeginBlock (block header)
|
| DeliverTx(tx1)
| -> ante handler (auth, fees, gas)
| -> Msg routing + keepers
|
| DeliverTx(tx2)
| ...
|
EndBlock
|
Commit (write new app hash)
CometBFT calls CheckTx before gossiping txs to peers and putting them in the mempool. Your app uses this to do lightweight checks (sig, fees, basic validity). DeliverTx is called later, once consensus decides to include the tx in a block, and is allowed to mutate state.(Cosmos Documentation)
Modules hook into BeginBlock and EndBlock to implement periodic logic: slash misbehaving validators, run interest accrual, open/close epochs, process IBC timeouts, and so on.(Interchain Developer Academy)
The beauty is that ABCI doesn’t care what your state machine is. Tendermint docs emphasise that you can write the app in any language and framework; the Cosmos SDK just happens to be the canonical Go implementation for multi‑asset PoS chains.(Tendermint Core Documentation)
8. State Management: Multistore, Keys, and Invariants
The SDK’s multistore gives each module isolated KV stores under the hood:
IAVL/KV DB
├─ storeKey "auth"
├─ storeKey "bank"
├─ storeKey "staking"
├─ storeKey "gov"
└─ storeKey "yourmodule"
Each keeper gets one or more storeKeys and is responsible for defining the key layout inside its stores. The multistore composes these into a single Merkle root (the app hash CometBFT commits).(Cosmos Documentation)
The SDK also encourages each module to define invariants: conditions that must always hold (sum of balances equals total supply, no negative shares, etc.). A dedicated crisis module can run these invariants periodically or on demand to detect bugs or mis‑wiring.(Cosmos Documentation)
Production note: In Cosmos security incident write‑ups you often see “invariant violation crashed the chain during BeginBlock.” That’s usually a module exposing an invariant that became invalid when someone changed a keeper interaction without updating both sides.
9. Design Patterns: How Cosmos SDK Wants You to Build
A few patterns repeat across well‑designed SDK chains.
App = BaseApp + module registry.
You define an App type that embeds BaseApp, then:
- Create keepers for each module.
- Register Msg and Query services.
- Register
BeginBlocker,EndBlocker,InitGenesishooks.(Cosmos Tutorials)
Thin MsgServer, fat keeper. Msg handlers decode, validate, and immediately call keepers. They don’t do complex logic themselves. This keeps state transition logic in one place and makes it reusable by other modules and simulations.(Cosmos Documentation)
Cross‑module calls via exported keeper methods.
If your x/yourmodule needs to move tokens, it calls bankKeeper.SendCoins. If it needs staking info, it calls stakingKeeper.GetDelegation. Directly changing bank or staking stores from your module is considered a design smell and a security risk.(Interchain Developer Academy)
Upgradable modules. Newer SDK versions add explicit patterns and helpers for module migrations: you write migration functions in the keeper, register them with the upgrade module, and let the app orchestrate state transitions at upgrade height.(Cosmos Documentation)
Together these patterns give you a clear mental model:
ABCI methods (BaseApp)
|
v
Msg / Query routers
|
v
Module MsgServers / QueryServers
|
v
Keepers (business logic + state)
|
v
KV stores in Multistore
10. Why This Enables App‑Specific Blockchains
If you strip it down, Cosmos SDK provides:
- A standard architecture for state machines: modules, keepers, Msg/Query services, multistore.(Cosmos Documentation)
- A clean interface to a battle‑tested BFT engine via ABCI.(Cosmos Documentation)
You decide:
- Which modules to include (bank, staking, gov, IBC, EVM, your custom domain).(evm.cosmos.network)
- How they interact via keepers.
- What invariants matter.
- What messages and queries define your app’s API.
From there, CometBFT will just keep calling your ABCI app on every validator, in the same order, forever.
Once you’ve internalised modules, keepers and ABCI, designing a Cosmos chain stops being “how do I fork an L1?” and becomes “how do I design a clean Go service with strong invariants, then let a BFT engine replicate it for me.”
Completion scope and production contract
This completion review turns the earlier conceptual treatment into a release-oriented engineering contract. It treats Understanding Cosmos SDK: Architecture and Design Patterns as a Cosmos SDK, CometBFT, or IBC component, follows a consensus round, ABCI request, SDK message, state-store write, or IBC packet through validation and durable state, and separates normative requirements from implementation policy. The normative baseline is the CometBFT consensus specification, Cosmos SDK interfaces, and applicable IBC standards; deployment defaults, caching, retry limits, and operator thresholds are explicitly local policy. 16
The intended audience is experienced developers and architects. Readers should understand the surrounding chain or application model, typed data structures, persistence, and basic security engineering. The scope includes correctness, implementation boundaries, deterministic tests, failure recovery, security, performance, and observability. It does not claim that the educational companion is a drop-in replacement for a maintained protocol or cryptographic library. Production adoption requires an independent threat model, compatibility testing against the authoritative implementation, and operational ownership. 17
The mental model used throughout is deliberately strict: untrusted input crosses consensus, ABCI, module keeper, store, gRPC, and relayer boundaries; a validator derives facts under the CometBFT consensus specification, Cosmos SDK interfaces, and applicable IBC standards; accepted transitions update versioned application state, validator state, consensus round, and light-client state; and observers consume committed facts, never optimistic intermediate mutations. A guarantee is stated only when it follows from those rules and assumptions. Heuristics such as fee selection, caching, peer scoring, timeouts, user messaging, or alert thresholds remain policy and may be tuned without redefining validity. 18
Reader contract and scope
For Understanding Cosmos SDK: Architecture and Design Patterns, this review makes the exact user decision and the prerequisites needed to make it safely explicit. Start from one consensus round, ABCI request, SDK message, state-store write, or IBC packet and write down its origin, canonical representation, validation context, authority, and durable outcome. The Cosmos SDK, CometBFT, or IBC component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is versioned application state, validator state, consensus round, and light-client state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 16
The principal failure to design against is an attractive example being mistaken for a complete production design. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record a scope statement, excluded concerns, and a reviewable acceptance criterion. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Precise vocabulary and authority
Treat precise vocabulary and authority as part of the executable design of Understanding Cosmos SDK: Architecture and Design Patterns, not as documentation added after coding. The relevant operating envelope includes proposal rounds, block execution, validator changes, packet relaying, upgrades, and state synchronization. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across consensus, ABCI, module keeper, store, gRPC, and relayer boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 17
A useful review asks how the design behaves under invalid vote, non-deterministic execution, timeout, client expiry, packet replay, store corruption, and version skew. The unsafe outcome is teams using the same word for incompatible states or guarantees. Prevent it with explicit preconditions and postconditions, and retain a glossary tied to the normative authority for every overloaded term as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An chain, validator, or relayer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Trust assumptions
The implementation of Understanding Cosmos SDK: Architecture and Design Patterns should expose which actors, clocks, stores, libraries, and upstream systems may fail or act maliciously through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of versioned application state, validator state, consensus round, and light-client state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 18
Assume that an implicit trusted component invalidating the claimed guarantee will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is a trust-boundary diagram and an assumption register with owners. Keep validator keys, consensus evidence, capabilities, packet commitments, and untrusted protobuf messages out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Architecture and ownership
Verification for Understanding Cosmos SDK: Architecture and Design Patterns must demonstrate component responsibilities and the direction in which facts and commands move at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 16
Make two components both believing they own the same transition a named negative test. The release packet should retain a context diagram, ownership table, and dependency rule, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave versioned application state, validator state, consensus round, and light-client state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Canonical representation
For Understanding Cosmos SDK: Architecture and Design Patterns, this review makes the byte-level or schema-level representation used for hashing, comparison, storage, and transport explicit. Start from one consensus round, ABCI request, SDK message, state-store write, or IBC packet and write down its origin, canonical representation, validation context, authority, and durable outcome. The Cosmos SDK, CometBFT, or IBC component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is versioned application state, validator state, consensus round, and light-client state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 17
The principal failure to design against is semantically equal values producing different identifiers or verification outcomes. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record golden encodings, round-trip tests, and rejection of non-canonical forms. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
State-machine model
Treat state-machine model as part of the executable design of Understanding Cosmos SDK: Architecture and Design Patterns, not as documentation added after coding. The relevant operating envelope includes proposal rounds, block execution, validator changes, packet relaying, upgrades, and state synchronization. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across consensus, ABCI, module keeper, store, gRPC, and relayer boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 18
A useful review asks how the design behaves under invalid vote, non-deterministic execution, timeout, client expiry, packet replay, store corruption, and version skew. The unsafe outcome is an impossible intermediate state becoming durable after interruption. Prevent it with explicit preconditions and postconditions, and retain a transition table exercised by positive, negative, and replay tests as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An chain, validator, or relayer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Invariants
The implementation of Understanding Cosmos SDK: Architecture and Design Patterns should expose properties that must hold before and after every accepted operation through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of versioned application state, validator state, consensus round, and light-client state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 16
Assume that local success concealing corruption in a related aggregate or index will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is executable assertions at the narrowest authoritative boundary. Keep validator keys, consensus evidence, capabilities, packet commitments, and untrusted protobuf messages out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Validation pipeline
Verification for Understanding Cosmos SDK: Architecture and Design Patterns must demonstrate cheap structural checks, contextual checks, authoritative verification, and commit order at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 17
Make expensive or stateful work running before malformed input is rejected a named negative test. The release packet should retain ordered validation stages with stable machine-readable rejection codes, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave versioned application state, validator state, consensus round, and light-client state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
Error semantics
For Understanding Cosmos SDK: Architecture and Design Patterns, this review makes the distinction between invalid input, conflict, unavailable dependency, retryable interruption, and internal defect explicit. Start from one consensus round, ABCI request, SDK message, state-store write, or IBC packet and write down its origin, canonical representation, validation context, authority, and durable outcome. The Cosmos SDK, CometBFT, or IBC component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is versioned application state, validator state, consensus round, and light-client state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 18
The principal failure to design against is blind retries amplifying a permanent failure or changing user intent. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record typed errors mapped consistently across logs, metrics, APIs, and queues. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.
Concurrency control
Treat concurrency control as part of the executable design of Understanding Cosmos SDK: Architecture and Design Patterns, not as documentation added after coding. The relevant operating envelope includes proposal rounds, block execution, validator changes, packet relaying, upgrades, and state synchronization. For each mode, identify which state is authoritative, which work may be retried, what is bounded, and which observation proves progress. This is especially important across consensus, ABCI, module keeper, store, gRPC, and relayer boundaries, where delivery and processing are different events and where local time or arrival order may not reflect authoritative order. 16
A useful review asks how the design behaves under invalid vote, non-deterministic execution, timeout, client expiry, packet replay, store corruption, and version skew. The unsafe outcome is a check-then-act race accepting two individually plausible operations. Prevent it with explicit preconditions and postconditions, and retain a linearization argument plus stress tests at the chosen contention boundary as release evidence. Use stable codes rather than exception text, keep policy configuration versioned, and attach the accepted policy or rule version to durable results. An chain, validator, or relayer operator must be able to stop intake, drain or quarantine work, compare local state with authority, and resume without inventing a second side effect.
Idempotency and replay
The implementation of Understanding Cosmos SDK: Architecture and Design Patterns should expose how duplicate delivery, process restart, and historical backfill preserve the same result through types and module boundaries. Parse external representations once, preserve the original identity when audit or replay needs it, and pass validated domain values inward. Mutations of versioned application state, validator state, consensus round, and light-client state belong behind one authoritative transition function or transaction boundary. Network clients, storage adapters, user interfaces, and telemetry exporters must not duplicate consensus or business rules. That separation keeps deterministic logic testable and prevents a library upgrade from silently redefining validity. 17
Assume that at-least-once delivery creating a second side effect will eventually occur in a staging fault test or production incident. The control is not a catch-all retry: classify the outcome, decide whether the identical operation is safe to repeat, bound attempts and elapsed time, and surface terminal work for reconciliation. The minimum evidence is stable operation identities, deduplication state, and deterministic replay fixtures. Keep validator keys, consensus evidence, capabilities, packet commitments, and untrusted protobuf messages out of ordinary logs, and prefer hashes, version identifiers, counts, and sanitized reason codes. Any emergency bypass must be narrow, time-limited, approved, and observable.
Persistence and atomicity
Verification for Understanding Cosmos SDK: Architecture and Design Patterns must demonstrate which facts commit together and how derived views catch up at several layers. Small tests cover deterministic transforms and boundary values; contract tests pin serialized forms; integration tests exercise real adapters; replay tests compare state roots or projections; and fault tests interrupt work at every commit boundary. The dataset must include normal history, malformed input, duplicates, reordering, maximum-size values, and changes of rule or schema version. A passing example is evidence about that environment and dataset, not a universal performance claim. 18
Make a crash exposing a cursor that claims work whose state was not committed a named negative test. The release packet should retain transaction boundaries, durable checkpoints, and reconciliation queries, exact dependency and tool versions, the deterministic command, and its result. For performance work, report warm-up, repetitions, concurrency, percentiles, resource limits, and the point where backpressure begins. For security work, include abuse cases and independent review. A change is ready only when failures leave versioned application state, validator state, consensus round, and light-client state safe, recovery is rehearsed, and telemetry explains both user-visible outcome and operator action.
API and schema contracts
For Understanding Cosmos SDK: Architecture and Design Patterns, this review makes input limits, optionality, pagination, versioning, and compatibility behavior explicit. Start from one consensus round, ABCI request, SDK message, state-store write, or IBC packet and write down its origin, canonical representation, validation context, authority, and durable outcome. The Cosmos SDK, CometBFT, or IBC component must not infer a stronger fact from transport success, cache presence, or an upstream acknowledgement. Its authoritative state is versioned application state, validator state, consensus round, and light-client state, and every projection must remain rebuildable or reconcilable from committed facts. This framing distinguishes a protocol guarantee from an operational convenience and gives reviewers a concrete place to challenge an assumption. 16
The principal failure to design against is a technically valid deployment silently changing a consumer-visible meaning. Address it before optimizing by defining a narrow ownership boundary, stable identities, bounded resource use, and a machine-readable outcome for every rejected transition. Record consumer fixtures, schema-diff checks, and explicit deprecation windows. A reviewer should be able to trace each accepted result to input bytes, rule or policy version, prior state, and commit identity without relying on prose logs. When the authority cannot be reached or context is incomplete, return an explicit unavailable or pending state; do not convert uncertainty into acceptance.