Documentation

Hybrid Architecture

The CrossConversion Engine — bridging on-chain tokens to bankable securities with mathematical certainty.

The Hybrid Model

CrossSecurities are not purely on-chain. They are not purely traditional. They exist in both worlds simultaneously — and the CrossConversion Engine is the mechanism that makes this possible.

The premise is absolute: an investor holding Sails security tokens on Solana can convert them to bankable, ISIN-identified securities held at Clearstream — and back again. At any time. With full regulatory compliance. Without losing a single unit of value.

Two directions, one invariant:

  • Cross to Bankable: Lock Solana tokens in the on-chain lockbox → Issue ISIN-identified securities via Clearstream.
  • Cross to On-Chain: Cancel the Clearstream position → Unlock Solana tokens from the lockbox.

The 1:1 invariant must always hold:

tokens_locked == isin_outstanding

This is not a guideline. This is a mathematical constraint enforced by smart contract logic, validated by nightly reconciliation, and audited by an appointed Trustee. If it ever breaks, the system halts and alerts fire.

CrossConversion Lockbox

The lockbox is an on-chain PDA (Program Derived Address) that holds tokens in escrow during their bankable life. It is the heart of the hybrid model — the cryptographic proof that on-chain supply and off-chain positions are always in balance.

Program: sails_crossconversion
├── init_lockbox(offering_id, isin_code, clearstream_account)
│   → Creates the lockbox PDA, links to Clearstream account
├── lock_tokens(offering_id, amount)
│   → Transfers tokens to lockbox PDA
│   → Emits CrossConversionRequested event
│   → Increments locked counter
├── unlock_tokens(offering_id, amount, trustee_signature, clearstream_proof)
│   → Verifies Clearstream cancellation proof
│   → Validates Trustee NFT signature
│   → Releases tokens back to investor wallet
│   → Decrements locked counter
├── get_lockbox_state(offering_id)
│   → Returns { locked, isin_outstanding }
└── reconcile(offering_id, clearstream_snapshot_hash)
    → Trustee-signed reconciliation (periodic, e.g., daily)
    → Compares on-chain state with Clearstream snapshot hash
    → Emits ReconciliationCompleted or ReconciliationFailed event

Every lock_tokens call requires a valid KYC credential NFT on the requesting wallet. Every unlock_tokens call requires both a Trustee NFT signature and cryptographic proof of Clearstream position cancellation. There are no shortcuts. There are no overrides. The invariant is sacred.

Operator Service

The CrossConversion Operator Service is a Sandstorm grain (Go+HTMX) that orchestrates the off-chain side of every conversion. It is the bridge between the Solana event stream and the Clearstream API:

  1. Event Listening: Subscribes to CrossConversionRequested events from the Solana program via WebSocket RPC.
  2. KYC Validation: Verifies the requesting investor's KYC credential NFT is valid, unexpired, and carries the correct accreditation tier and jurisdiction clearance.
  3. ISIN Issuance: Initiates the ISIN issuance workflow with Clearstream's API — submitting the security details, investor allocation, and settlement instructions.
  4. Proof Storage: Once Clearstream confirms issuance, stores the proof-of-issuance on-chain in the lockbox PDA metadata.
  5. Reverse Conversion: For Cross-to-On-Chain requests, verifies the Clearstream position cancellation and triggers unlock_tokens on the smart contract.
  6. Audit Trail: Maintains a complete, append-only log of every conversion action, every API call, every Trustee authentication — stored in the grain's journal with 7-year retention.
  7. Trustee Authentication: Every conversion — forward or reverse — requires authentication by an appointed Trustee holding a valid Trustee NFT. No exceptions.

The Operator Service runs as a Station-type grain. It is long-lived, managing all CrossConversion workflows for the platform. Its Powerbox capabilities connect it to Offering Grains (for token state), KYC Grains (for credential verification), and the Trustee Dashboard (for authentication signing).

Reconciliation

Trust but verify — every night, automatically, without fail.

The Reconciliation Engine is a scheduled process that compares two sources of truth:

Source Data Authority
On-Chain Lockbox Total tokens locked per offering, per investor position Solana program state (immutable, auditable)
Clearstream Holdings ISIN positions, settlement status, corporate actions Clearstream daily position report

The nightly reconciliation process:

  1. Pulls the daily Clearstream position report for all active ISINs.
  2. Reads the on-chain lockbox state for every offering with CrossConversion enabled.
  3. Compares totals: tokens_locked must equal isin_outstanding for every offering.
  4. Generates a reconciliation report — signed by the Trustee and stored on-chain as a hash.
  5. On match: emits ReconciliationCompleted event with the snapshot hash.
  6. On mismatch: emits ReconciliationFailed — triggers P0 alert (immediate response required), freezes affected offering's CrossConversion capability until manual resolution.

A supply mismatch should never happen. The smart contract enforces the invariant on every lock and unlock. But the reconciliation engine exists because defense in depth is not optional when you're holding other people's securities.

Message Formats

Communication with Clearstream follows established financial messaging standards. The Sails.to platform generates and consumes these message types as part of the CrossConversion workflow:

Message Type Standard Purpose
MT540 SWIFT Receive Free — settlement instruction for incoming securities (Cross to Bankable). Instructs Clearstream to credit the investor's account with the ISIN-identified securities.
MT542 SWIFT Deliver Free — settlement instruction for outgoing securities (Cross to On-Chain). Instructs Clearstream to cancel the position and provide proof of cancellation.
ISO 20022 ISO Corporate Actions — distribution notifications, voting instructions, and other corporate events that affect ISIN-identified positions.

The TradFi bridge adapter service (Go, running as a grain or sidecar) handles all message generation, submission, and response parsing. It translates between the Sails.to Cap'n Proto schema and the SWIFT/ISO messaging formats — ensuring that every CrossConversion is expressed in the language that traditional financial infrastructure expects and trusts.