Platform Overview

The three-pillar architecture that brings regulated securities on-chain — without compromise.

Architecture Overview

Sails.to is not a monolith. It is not a microservices cluster. It is a capability-secured grain architecture — every component isolated at the OS level, every interaction mediated by cryptographic authority, every byte of investor data sovereign to its owner. This is what regulated infrastructure demands, and this is what we built.

The platform rests on three pillars, each independently auditable, each doing exactly one job with absolute fidelity:

┌──────────────────────────────────────────────┐
│  Sandstorm/Melusina OS                       │
│  ┌─────────────────┐  ┌─────────────────┐    │
│  │ Station Grain   │  │ Instance Grain  │    │
│  │ (Orchestrator)  │  │ (Worker)        │    │
│  │                 │  │                 │    │
│  │ Go binary       │  │ Go binary       │    │
│  │ FD3 → Cap'n     │  │ FD3 → Cap'n     │    │
│  │ Proto RPC       │  │ Proto RPC       │    │
│  │                 │  │                 │    │
│  │ UiView Server   │  │ UiView Server   │    │
│  │ WebSession      │  │ WebSession      │    │
│  │ (HTMX+Templ)    │  │ (HTMX+Templ)    │    │
│  │                 │  │                 │    │
│  │ Journal Store   │  │ Journal Store   │    │
│  │ Workflow Engine │  │ Process Engine  │    │
│  │ WebSocket Hub   │  │ WebSocket Hub   │    │
│  └────────┬────────┘  └────────┬────────┘    │
│           │ Powerbox           │ Powerbox    │
│           └────────────────────┘             │
│          Cap'n Proto capabilities            │
└──────────────────────────────────────────────┘

The Three Pillars

Pillar 1: sailsto_website — The Business Layer

The marketing site, legal templates, and product definition. This is the Wyoming DAO Series LLC structure made real — audience-specific landing pages for issuers, investors, brokers, and institutions. A comprehensive knowledge base. Legal templates in the Legal/Client_Series/ directory. The pricing calculator. Every piece of content that makes Sails.to legible to the world lives here.

Pillar 2: Melusina — The On-Chain Authority Layer

The Melusina program is the on-chain truth. Solana NFT-based licensing, KYC credentialing, hierarchical access control from Master NFT down through Reseller, License, and Share layers. Threshold crypto operations for critical governance actions. Every role, every permission, every compliance credential — cryptographically attested on-chain.

Pillar 3: BLOOM_FINAL — The Application Engine

The grain runtime. Sandstorm/Melusina OS grains, Cap'n Proto RPC, Go+HTMX native stack. KYC workflow orchestration. Powerbox-based capability sharing between grains. No SPA, no JavaScript framework churn — server-rendered HTML fragments over WebSession, every interaction authenticated at the capability level.

Grain Types

Seven grain types compose the entire application surface. Each grain is an isolated process with its own journal store, its own capability set, its own security boundary:

| Grain Type | Purpose |
| --- | --- |
| DAO Manager Station | Central governance hub for a DAO Series LLC — creates Series, appoints trustees, configures governance rules, monitors compliance across all offerings. |
| Offering Instance | Lifecycle management for a single securities offering — configure parameters, manage investor whitelist, execute token minting, track cap table, process CrossConversions, execute distributions. |
| KYC/Onboarding Instance | Complete KYC verification workflow for a single investor — 10-step process from terms acceptance through document verification to on-chain credential minting. |
| Broker Portal Station | Dashboard for broker-dealers — view available offerings, submit investor subscriptions, track commissions, manage secondary trading, generate regulatory reports. |
| Trustee Dashboard Station | Authenticated oversight for appointed trustees — authenticate CrossConversions, sign reconciliation reports, execute emergency freezes, maintain audit trail. |
| Investor Self-Service Instance | Personal dashboard for each investor — view portfolio, track distributions and yields, request CrossConversions, download tax documents, participate in governance votes. |
| Introducer Tracking Instance | Referral pipeline management — generate unique referral links, track introductions through to funded offerings, calculate 25% commission share, generate payout reports. |

Station grains are orchestrators — long-lived, managing multiple workflows and participants. Instance grains are workers — one per entity (one per offering, one per investor, one per KYC verification), isolated and disposable.

Data Sovereignty Model

Data lives where it belongs. This is not a design preference — it is a regulatory requirement, and we enforce it architecturally:

| Data Layer | What Lives Here | What Never Lives Here |
| --- | --- | --- |
| On-Chain (Solana) | Token balances, NFT authority, compliance flags, distribution records | Names, addresses, document images, phone numbers, emails — zero PII, ever |
| In-Grain Journal | Encrypted PII, KYC documents, audit trails, business logic state | Token balances, on-chain state (that belongs to the ledger) |
| Clearstream | ISIN positions, bankable custody records | On-chain token state (the lockbox maintains the bridge) |

Every grain journal is encrypted at rest with AES-256. GDPR right-to-erasure is handled via cryptographic shredding — delete the encryption key, and the data is gone. Append-only journals enable deterministic replay for audit and disaster recovery. Seven-year retention for regulatory compliance, with automated purge after expiration.
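
Crypto-shredding and ordered replay as described above, sketched in Go as an added example; it is not Sails.to code. The `KeyStore` type, the grain IDs and the entry layout (nonce, then AES-256-GCM ciphertext, with the entry index as associated data) are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore maps a grain ID to its AES-256 key and is kept apart from the
// journals (hypothetical layout for this example, not Sails.to code).
type KeyStore map[string][]byte

// Shred deletes one grain's key; its ciphertext remains but cannot be decrypted.
func (ks KeyStore) Shred(grain string) { delete(ks, grain) }

// AEAD builds AES-256-GCM for a grain; a shredded (missing) key fails here.
func (ks KeyStore) AEAD(grain string) (cipher.AEAD, error) {
	key := ks[grain]
	if len(key) != 32 {
		return nil, fmt.Errorf("grain %q: no usable key", grain)
	}
	b, _ := aes.NewCipher(key) // cannot fail: key length checked above
	return cipher.NewGCM(b)
}

// Append seals plain as the next entry (nonce || ciphertext || tag). The entry
// index is authenticated as AAD, so entries cannot be reordered unnoticed.
func Append(a cipher.AEAD, journal [][]byte, plain []byte) ([][]byte, error) {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return journal, err
	}
	return append(journal, a.Seal(nonce, nonce, plain, fmt.Append(nil, len(journal)))), nil
}

// Replay decrypts the journal in order and fails on the first bad entry.
func Replay(a cipher.AEAD, journal [][]byte) (out [][]byte, err error) {
	for i, e := range journal {
		if len(e) < a.NonceSize() {
			return nil, fmt.Errorf("entry %d: truncated", i)
		}
		p, err := a.Open(nil, e[:a.NonceSize()], e[a.NonceSize():], fmt.Append(nil, i))
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w", i, err)
		}
		out = append(out, p)
	}
	return out, nil
}
```

An AEAD value already built from a key keeps working after `Shred`, so erasure is only complete once live cipher objects and every backup copy of the key are gone as well.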

Authentication Layers

Four layers of authentication, each building on the last. No single layer is sufficient — all four must agree before any operation proceeds:

  1. Solana Wallet Signature — proves wallet ownership. The cryptographic foundation.
  2. NFT Verification — proves role authorization. You don't just have a wallet; you hold the right NFT for the action you're requesting.
  3. Sandstorm Session — proves grain access. The OS-level isolation ensures you can only reach grains you've been granted access to.
  4. Powerbox Capability — proves inter-grain authority. A claim token becomes a sturdyRef, granting persistent, cross-session access to specific capabilities.

This is defense in depth — not as a buzzword, but as architecture. Compromise one layer and three remain. See the Authentication documentation for the complete model.
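
A minimal model of the four checks above, added here as an example and not taken from the Sails.to code base: every layer must pass and the first failure denies the request. The `Request` and `State` types, the signed message layout and the in-memory maps standing in for on-chain, session and Powerbox lookups are all assumptions.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Request is a hypothetical operation request (added example, not Sails.to code).
type Request struct {
	Wallet        ed25519.PublicKey // Solana wallet keys are Ed25519
	Challenge     []byte            // server-issued, single-use
	Sig           []byte            // wallet signature over Message(r)
	Action, Grain string
}

// State is constructed data standing in for chain, session and Powerbox lookups.
type State struct {
	Pending  map[string]bool   // outstanding challenges
	RoleNFT  map[string]string // wallet -> role NFT held
	Required map[string]string // action -> role NFT required
	Session  map[string]bool   // wallet|grain -> session granted
	Cap      map[string]bool   // grain|action -> capability held
}

// Message is what the wallet signs; it binds the challenge to one action on one grain.
func Message(r Request) []byte {
	return []byte(fmt.Sprintf("%x|%q|%q", r.Challenge, r.Action, r.Grain))
}

// Authorize returns nil only when all four layers agree.
func Authorize(s *State, r Request) error {
	if !s.Pending[string(r.Challenge)] {
		return errors.New("layer 1: unknown or replayed challenge")
	}
	delete(s.Pending, string(r.Challenge)) // burn it even if a later layer denies
	if len(r.Wallet) != ed25519.PublicKeySize || !ed25519.Verify(r.Wallet, Message(r), r.Sig) {
		return errors.New("layer 1: bad wallet signature")
	}
	if role := s.RoleNFT[string(r.Wallet)]; role == "" || role != s.Required[r.Action] {
		return errors.New("layer 2: wallet lacks the role NFT for this action")
	}
	if !s.Session[string(r.Wallet)+"|"+r.Grain] {
		return errors.New("layer 3: no session on this grain")
	}
	if !s.Cap[r.Grain+"|"+r.Action] {
		return errors.New("layer 4: no capability for this action on this grain")
	}
	return nil
}
```

The length check before `ed25519.Verify` matters because Go's `Verify` panics on a public key of the wrong size, which would turn a malformed request into a crash instead of a denial.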

The Native Stack

Every grain runs Go compiled to a native binary. No HTTP bridge — Cap'n Proto on file descriptor 3 (FD3) directly. The Go binary implements UiView and WebSession natively. HTMX delivers server-rendered HTML fragments — no SPA, no client-side routing, no JavaScript framework. Journal-based storage gives every grain an append-only log with deterministic replay. WebSocket connections flow through Cap'n Proto's WebSession_WebSocketStream for real-time updates.

This is the stack. It is simple. It is fast. It is correct. And it will outlast every framework that ships between now and when you read this.