DSA v0.16 — Epoch 0 — Endowment Phase
Architecture Analysis, Zone Decomposition, and Runspace + Listener Integration Design
Michael Herman — Web 7.0 Foundation — Bindloss, Alberta, Canada
April 2026 — SVRN7 v0.7.1
© 2026 Michael Herman (Alberta, Canada) — Creative Commons Attribution-ShareAlike 4.0
1. Executive Summary
This document analyses the Web 7.0™ Decentralized System Architecture (DSA) v0.16 diagram and derives a complete design specification for the Citizen/Society Trusted Digital Assistant (TDA) — the sovereign, DID-native, DIDComm-native runtime at the centre of the Web 7.0 ecosystem.
The DSA diagram, captioned “Safe, Secure, Trusted, DID-native, DIDComm-native Web 7.0 DIDLibOS” and scoped to Epoch 0 (Endowment Phase), shows seven structural zones. This document reads each zone precisely, maps every component to the existing SVRN7 v0.7.1 C# library, and then specifies the four-layer TDA design: the DIDComm/HTTP Listener, the PowerShell Runspace Pool, the SVRN7 LOBE layer, and the LiteDB-backed storage tier.
| Document Scope |
| Scope: This document is an architecture and design specification. It does not generate or modify any code. All design decisions recorded here are intended as the authoritative input to future implementation sprints. |
Key Findings:
- The TDA is a self-hosting, recursive unit: every Citizen TDA in the VTC7 mesh runs the same software at the same architectural level.
- The DIDComm/HTTP Listener and the PowerShell Runspace Pool are deliberately separated: the Listener is a write-ahead log gate; the Pool is an execution environment. They share no threads.
- The DIDComm Message Switchboard — named explicitly in the diagram inside Agent 1’s Runspace — is the single component that reads from the durable inbox (IInboxStore / svrn7-inbox.db) and dispatches to agent runspaces.
- SVRN7 is positioned as a LOBE (Loadable Object Brain Extension), not as an agent task and not as a storage system. This is an architectural statement: the Shared Reserve Currency (SRC) is a cognitive capability available to all runspaces.
- The SVRN7 XFER rail is a dedicated transfer channel independent of the DIDComm message bus, preventing monetary operations from competing with messaging I/O on the same file lock.
2. Diagram Reading: DSA v0.16

Figure 1. Web 7.0™ Decentralized System Architecture (DSA) 0.16 Epoch 0 — Citizen/Society Trusted Digital Assistant (TDA). © 2026 Michael Herman (Alberta, Canada) — TDW™ — CC BY-SA 4.0.
2.1 Diagram Identification
The diagram bears the following identifying information:
- Title: Web 7.0™ Decentralized System Architecture (DSA) 0.16
- Subtitle: Epoch 0 — Secure, Trusted, DID-native, DIDComm-native Web 7.0 DIDLibOS
- Copyright: © 2026 Michael Herman (Alberta, Canada) — TDW™ — Creative Commons Attribution-ShareAlike 4.0
The Epoch 0 designation constrains the permissible transfer matrix. In Epoch 0 (Endowment Phase), citizens may transfer only to their own Society wallet or to the Federation wallet. Cross-Society citizen-to-citizen transfers (Epoch 1) and open-market operations (Epoch 2) are not yet active. All agent routing logic must enforce these epoch rules.
2.2 Seven Structural Zones
Reading the diagram from left to right, seven distinct structural zones are visible. Each zone has a clear role boundary; no two zones share responsibility.
| Zone | Label | Description |
| 1 | Command-Line Interfaces (CLIs) | Human-facing surface: Windows/Linux, Android, iOS, and FireOS platform shells, plus a smartwatch UX. These are the entry points where human intent enters the system. No agent logic executes here. |
| 2 | Internet / LAN / P2P Transport Rail | A vertical transport bridge between the CLIs and the TDA interior. Explicitly transport-agnostic — Internet, LAN, and P2P are treated equivalently. DIDComm envelope security means the transport layer is untrusted and interchangeable. |
| 3 | Loadable Object Brain Extensions (LOBEs) | The cognitive/capability layer. Two LOBE blocks flank a central SVRN7 label. LOBEs are PowerShell Modules dynamically loaded into the Runspace Pool InitialSessionState. SVRN7 between the LOBEs signals that the Shared Reserve Currency is a first-class brain capability, not an external service. |
| 4 | Citizen/Society Trusted Digital Assistant (TDA) | The primary subject (green outer box). Contains the PowerShell Runspace Pool (red inner box) with Agent 1–N slots and the DIDComm Message Switchboard, plus the DIDComm/HTTP Listener (purple box) at the right edge. |
| 5 | Internet Cloud | Standard transport cloud bridging the TDA’s DIDComm/HTTP Listener to the VTC7 federation zone. Annotated arrows indicate Inbound Unpack and Outbound Pack operations at the Listener boundary. |
| 6 | Storage Layer | Four LiteDB databases (Fast Cache, Long-Term Message Memory, DID Doc Registry, VC Doc Registry), plus NEO4J (via CIPHER) and SQL Server (via SQL/TDS). A dedicated SVRN7 XFER channel connects the LOBE layer to the SOVRONA (SVRN7) SRC terminal. |
| 7 | Verifiable Trust Circles (VTC7) | Large blue arrow on the right encompassing five Citizen TDA nodes connected via purple DIDComm-secured connectors into a federated mesh. The architecture is recursive: each VTC7 peer is a full TDA instance running identical software. |
2.3 Zone 3 — LOBE Layer Detail
The LOBE layer is the most architecturally distinctive zone. Two LOBE blocks are shown with a SVRN7 label centred between them. This layout carries three architectural assertions:
- LOBEs are PowerShell Modules. In the v0.7.1 implementation they are Svrn7.Federation.psm1 (35 cmdlets) and Svrn7.Society.psm1 (15 Society-native cmdlets). They are loaded into the RunspacePool InitialSessionState once at startup, available to every runspace without per-invocation import cost.
- SVRN7 is a brain capability. Its placement between the LOBEs — not inside the Runspace Pool and not in the storage layer — asserts that ISvrn7SocietyDriver is a cognitive faculty available to all agents as a direct in-process call, not a message-passing request to an external service.
- A third LOBE slot is implied for domain-specific extensions (e.g., Society.Medicine.psm1, Society.Education.psm1). The architecture is open-ended: new capabilities are added as LOBEs, not as agent modifications.
2.4 Zone 4 — The TDA Detail
2.4.1 PowerShell Runspace Pool
The red inner box contains the Runspace Pool. Its named slots visible in the diagram are:
- Agent 1 Runspace — Coordinator. Contains four specialised sub-agents (Email, Calendar, Presence, Notifications) and the DIDComm Message Switchboard (Inbound/Outbound). The Switchboard is the internal routing hub: every DIDComm message — whether arriving from the internet or generated by a sub-agent — passes through it.
- Agent 2 — Onboard. Handles citizen registration flows.
- Agent 3 — Invoicing. Processes payment and transfer request messages.
- Agent N — Trading. Handles Epoch 1+ market operations. Inactive in Epoch 0.
Each of Agents 2–N has bidirectional arrows to the Switchboard, establishing it as the internal message bus. No agent communicates directly with another agent or with the DIDComm/HTTP Listener.
2.4.2 DIDComm/HTTP Listener
The purple box at the right edge of the TDA is the single inbound/outbound gate to the internet. Two annotations are explicit in the diagram:
- Inbound Processing (Unpack) — upper annotation: all messages arriving from the internet are unpacked (JWE decrypted, JWS signature verified) before entering the system. The Listener never passes ciphertext to agent logic.
- Outbound Processing (Pack) — lower annotation: all messages leaving the system are packed (JWS signed, then JWE encrypted via SignThenEncrypt). The Listener never sends plaintext over the internet.
A separate REST/HTTP rail runs alongside the DIDComm rail. This supports interactions (balance queries, transfer submissions from a mobile app) more naturally expressed as REST calls than as DIDComm messages.
2.4.3 DIDComm Message Switchboard
The Switchboard is the most significant architectural element named in the diagram that is not yet explicitly modelled in the v0.7.1 codebase. The diagram shows it as a named, first-class component inside Agent 1’s Runspace with bidirectional arrows to every other agent. Its architectural role:
- It is the sole reader of the durable inbox (IInboxStore / svrn7-inbox.db). No agent polls the inbox directly.
- It inspects each message’s DIDComm protocol URI (“type” field) and routes it to the correct agent runspace.
- It handles idempotency: if a TransferId has already been processed (via IProcessedOrderStore), it returns the cached packed receipt without invoking any agent.
- It enforces epoch rules: messages of types not permitted in the current epoch are rejected with a DIDComm error response, not silently dropped.
2.5 Zone 6 — Storage Layer Detail
The storage layer sits below the TDA and consists of six data stores:
| Store | Technology / v0.7.1 File | Role |
| Fast Cache (LiteDB) | LiteDB or IMemoryCache | Holds last-N unpacked message bodies keyed by TransferId for duplicate-delivery acceleration. Bidirectional arrow to Long-Term Memory = cache-miss read-through. |
| Long-Term Message Memory | svrn7-inbox.db (IInboxStore) | All InboxMessage records with full Pending→Processing→Processed/Failed lifecycle. Implemented in v0.7.1. |
| DID Doc Registry | svrn7-dids.db (DidRegistryLiteContext) | Stores DidDocument records. Resolved via IDidDocumentResolver / LocalDidDocumentResolver / FederationDidDocumentResolver. |
| VC Doc Registry | svrn7-vcs.db (VcRegistryLiteContext) | Stores VcRecord records. Resolved via IVcDocumentResolver / LiteVcDocumentResolver / FederationVcDocumentResolver. |
| NEO4J (via CIPHER) | Neo4j Graph DB | Not yet implemented. Intended for graph-structured VTC7 trust relationship queries and Society governance lineage. |
| SQL Server (via SQL/TDS) | SQL Server | Not yet implemented. Intended for high-volume relational reporting, UTXO ledger analytics, and regulatory export. |
The SVRN7 XFER dedicated channel connects the LOBE layer directly to the SOVRONA (SVRN7) SRC terminal at the bottom of the diagram. This is the UTXO transfer pipeline: Invoke-Svrn7Transfer → ISvrn7Driver.TransferAsync → 8-step validator → UTXO commit. The dedicated channel prevents monetary operations from competing with DIDComm message I/O on the same LiteDB file lock.
2.6 Zone 7 — VTC7 Mesh
The large blue VTC7 arrow on the right encompasses five Citizen TDA nodes. Each node connects to neighbours via purple DIDComm-secured connector nodes. Three observations:
- The architecture is recursive and peer-symmetric. Every Citizen TDA in the mesh runs the same software. There is no central broker. The purple connectors represent the DIDComm/HTTP Listener instances of each peer TDA.
- Cross-Society communication flows through Listener instances only, not through a shared database. FindVcsBySubjectAcrossSocietiesAsync and FederationDidDocumentResolver implement this fan-out pattern in v0.7.1.
- VTC7 governance is enforced by the LOBE layer, not by network topology. A TDA that presents a valid Society DID and a current Svrn7VtcCredential VC is a legitimate VTC7 member.
3. Correspondence to SVRN7 v0.7.1
3.1 Component-to-Code Mapping
| Diagram Component | v0.7.1 Implementation | Status |
| LOBE — Federation | Svrn7.Federation.psm1 / ISvrn7Driver | Implemented. 35 cmdlets. Loaded into Runspace Pool InitialSessionState. |
| LOBE — Society | Svrn7.Society.psm1 / ISvrn7SocietyDriver | Implemented. 15 Society-native cmdlets. |
| SVRN7 (between LOBEs) | $SVRN7 session variable / Svrn7RunspaceContext (design) | Partially implemented. ISvrn7SocietyDriver singleton exists in DI; named context class not yet formalised. |
| DIDComm/HTTP Listener — Unpack | IDIDCommService.UnpackAsync / DIDCommPackingService | Implemented. Missing: Kestrel HTTP server entry point calling IInboxStore.EnqueueAsync. |
| DIDComm/HTTP Listener — Pack | IDIDCommService.PackSignedAndEncryptedAsync | Implemented. SignThenEncrypt default throughout. |
| DIDComm Message Switchboard | DIDCommMessageProcessorService (partially) | Routing logic exists but not yet a named Switchboard with epoch enforcement and idempotency gating. |
| Agent 1 — Email sub-agent | Not yet implemented | Microsoft.Graph / EWS PowerShell commands in Agent 1 Runspace. |
| Agent 1 — Calendar sub-agent | Not yet implemented | Calendar events cross-referenced with Society membership DIDs. |
| Agent 1 — Presence sub-agent | Not yet implemented | Publishes presence/1.0/status DIDComm messages to VTC7 peers. |
| Agent 1 — Notifications sub-agent | Not yet implemented | Alerts on inbox threshold, balance change, VC expiry events. |
| Agent 2 — Onboard | Register-Svrn7CitizenInSociety | Implemented. Needs routing: onboard/1.0/request → Agent 2 Runspace. |
| Agent 3 — Invoicing | Invoke-Svrn7Transfer / Invoke-Svrn7ExternalTransfer | Implemented. Needs routing: invoice/1.0/request → Agent 3 Runspace. |
| Agent N — Trading | Not yet implemented | Epoch 1+ only. Switchboard rejects trading/1.0/* in Epoch 0 with a DIDComm error response. |
| Fast Cache (LiteDB) | Not yet implemented | Design: fifth LiteDB (svrn7-cache.db) or IMemoryCache. |
| Long-Term Message Memory | IInboxStore / InboxLiteContext / svrn7-inbox.db | Implemented in v0.7.1. |
| DID Doc Registry | IDidDocumentRegistry / DidRegistryLiteContext | Implemented. |
| VC Doc Registry | IVcRegistry / VcRegistryLiteContext | Implemented. |
| NEO4J / CIPHER | Not yet implemented | Future sprint. |
| SQL Server / SQL/TDS | Not yet implemented | Future sprint. |
| SVRN7 XFER rail | SvrN7TransferService (design) | 8-step validator exists; dedicated transfer queue (ITransferQueue) not yet separate from agent call paths. |
| SOVRONA SRC terminal | ISvrn7Driver.TransferAsync → UTXO commit | Implemented. svrn7.db UTXO store is the terminal. |
| VTC7 peer connectors | DIDComm/HTTP Listener per peer TDA | Implemented per-TDA. Cross-Society routing implemented. |
3.2 Epoch Alignment
The diagram’s Epoch 0 designation aligns precisely with Svrn7Constants.Epochs.Endowment (= 0) in the v0.7.1 codebase. The transfer epoch matrix enforced by TransferValidator Step 2 (ValidateEpochRulesAsync) covers all three epochs and requires no code changes. The Switchboard needs to read the current epoch via Get-Svrn7CurrentEpoch before routing trading messages.
| Epoch | Constant | Permitted Operations |
| Epoch 0 — Endowment | Svrn7Constants.Epochs.Endowment | Citizens may transfer only to their Society wallet or the Federation wallet. Switchboard rejects trading/1.0/* messages. |
| Epoch 1 — Ecosystem Utility | Svrn7Constants.Epochs.EcosystemUtility | Cross-Society citizen-to-citizen transfers permitted. Agent N (Trading) becomes active. |
| Epoch 2 — Market Issuance | Svrn7Constants.Epochs.MarketIssuance | Open-market operations. Full VTC7 mesh trading enabled. |
4. TDA Design Specification
The following layers specify the complete TDA design. No code is generated here; this is the design record from which implementation sprints are planned.
4.1 Layer 0 — DIDComm/HTTP Listener
Overview
A minimal Kestrel HTTP server (ASP.NET Core minimal API, no MVC) running on a configurable port. The Listener is the single inbound/outbound gate to the internet. It has exactly one responsibility: receive packed messages, unpack them at the cryptographic boundary, and enqueue them for processing.
| Layer Boundary Rule |
| Design Rule: The Listener never executes agent logic. It only enqueues. The Runspace Pool never binds to a port. It only processes. These two systems share no threads and no direct call paths. |
Routes
- POST /didcomm — Receives a packed DIDComm message (Content-Type: application/didcomm-encrypted+json). Calls IDIDCommService.UnpackAsync to verify and decrypt. Calls IInboxStore.EnqueueAsync(messageType, unpackedBody). Returns 202 Accepted immediately. If UnpackAsync fails, returns 400 Bad Request with a DIDComm problem-report — no message is enqueued.
- POST /rest/transfer — Convenience REST endpoint for synchronous UX-driven transfer submissions. Validates a signed TransferRequest JSON body and calls ISvrn7SocietyDriver.HandleIncomingTransferMessageAsync directly. Returns 200 OK with the packed receipt.
- GET /health — Returns JSON health status: inbox queue depth by status, Merkle tree head age, current epoch, Listener up/down. Used by the smartwatch UX and monitoring.
Pack/Unpack Boundary
- All inbound messages are unpacked before anything else. Unpack = JWE decrypt using the Society’s Ed25519 messaging private key (converted to X25519 for key agreement) + JWS signature verify using the sender’s Ed25519 public key, resolved from the sender’s DID Document. Both steps must succeed; a failure at either point results in 400 and no enqueue.
- All outbound messages are packed before leaving the Listener. Pack = JWS sign using the Society’s Ed25519 private key, then JWE encrypt to the recipient’s Ed25519 public key, converted to X25519 for key agreement (SignThenEncrypt default, matching DIDCommPackMode throughout v0.7.1).
- Agents work with plaintext only. This is the invariant enforced by the Pack/Unpack boundary. Runspaces never need access to cryptographic keys.
Inbound Processing Flow
    POST /didcomm
      → IDIDCommService.UnpackAsync(body, societyPrivateKey)
          → JWE decrypt (Society Ed25519 key → X25519 key agreement)
          → JWS verify (sender public key from DID Document)
          → Extract: messageType, from, body
      → IInboxStore.EnqueueAsync(messageType, body)
      → 202 Accepted
4.2 Layer 1 — LOBE: PowerShell Module Loader
LobeManager
A LobeManager singleton reads a lobes.config.json manifest at startup, listing module paths in load order. It creates a shared InitialSessionState with each LOBE pre-imported and a shared $SVRN7 session variable (a Svrn7RunspaceContext object) injected into every runspace.
The Svrn7RunspaceContext holds:
- A reference to the ISvrn7SocietyDriver singleton.
- A reference to the IInboxStore singleton (svrn7-inbox.db).
- A reference to the IProcessedOrderStore singleton.
- The current epoch value, refreshed periodically via Get-Svrn7CurrentEpoch.
LOBE Load Order
- Svrn7.Common.psm1 — shared helpers. Must be loaded first (dot-sourced by both modules).
- Svrn7.Federation.psm1 — ISvrn7Driver cmdlets (35 functions).
- Svrn7.Society.psm1 — ISvrn7SocietyDriver Society-native cmdlets (15 functions).
- Domain LOBEs (optional) — e.g., Svrn7.Medicine.psm1, Svrn7.Education.psm1. Loaded only if present in lobes.config.json.
4.3 Layer 2 — PowerShell Runspace Pool
Pool Configuration
A RunspacePool with configurable min/max (recommended: min=2, max=ProcessorCount×2). Each runspace shares the same InitialSessionState from the LobeManager. The pool is not shared with the HTTP Listener thread.
4.3.1 Agent 1 — Coordinator Runspace
Agent 1 is always open (min runspaces ≥ 1). It owns the DIDComm Message Switchboard and four specialised sub-agents.
DIDComm Message Switchboard
A continuous loop running inside Agent 1’s Runspace on a dedicated thread (not a PeriodicTimer — it runs with a short sleep on empty inbox). Its processing cycle:
    while ($true) {
        # Pull up to 20 pending messages from the durable inbox
        $batch = $SVRN7.InboxStore.DequeueBatchAsync(20).GetAwaiter().GetResult()
        if ($batch.Count -eq 0) { Start-Sleep -Milliseconds 100; continue }
        foreach ($msg in $batch) {
            $epoch = Get-Svrn7CurrentEpoch
            # Idempotency check via IProcessedOrderStore
            $cached = $SVRN7.ProcessedOrders.GetReceiptAsync($msg.Id).GetAwaiter().GetResult()
            if ($cached) {
                # Wait for the status update so it is not left as an unobserved task
                $SVRN7.InboxStore.MarkProcessedAsync($msg.Id).GetAwaiter().GetResult()
                continue
            }
            # Epoch-gated routing by DIDComm protocol URI
            switch -Wildcard ($msg.MessageType) {
                "*/transfer/*" { Invoke-AgentRunspace Invoicing $msg }
                "*/onboard/*"  { Invoke-AgentRunspace Onboard $msg }
                "*/trading/*"  {
                    # Rejected with an error in Epoch 0; routed to Agent N (Trading) from Epoch 1
                    if ($epoch -lt 1) { Send-EpochError $msg } else { Invoke-AgentRunspace Trading $msg }
                }
                "*/presence/*" { Invoke-PresenceAgent $msg }
                default { $SVRN7.InboxStore.MarkFailedAsync($msg.Id, "Unknown type").GetAwaiter().GetResult() }
            }
        }
    }
Email Sub-Agent
Wraps Microsoft.Graph or Exchange EWS PowerShell commands. Cross-references sender email addresses with Society member DIDs via Resolve-Svrn7CitizenPrimaryDid. Structured results are placed back into the Switchboard’s outbound queue.
Calendar Sub-Agent
Reads and writes calendar events via Microsoft.Graph. Calendar events can carry did: URI identity claims in their extended properties, linking appointments to Society membership records and VTC7 governance meetings.
Presence Sub-Agent
Publishes the TDA’s availability status as a https://svrn7.net/protocols/presence/1.0/status DIDComm message to subscribed VTC7 peers. Receives presence updates from peers and maintains a local presence cache.
Notifications Sub-Agent
Dispatches alerts to the UX layer (smartwatch, mobile) when: inbox depth exceeds a configurable threshold; a citizen’s SVRN7 balance changes by more than a configurable amount; a Verifiable Credential is within 7 days of expiry; or the Society wallet balance falls below CitizenEndowmentGrana (overdraft draw trigger).
4.3.2 Agents 2–N — Task Runspaces
| Agent | DIDComm Protocol URI | SVRN7 Cmdlets | Epoch |
| Agent 2 — Onboard | https://svrn7.net/protocols/onboard/1.0/request | Register-Svrn7CitizenInSociety Add-Svrn7CitizenDid | Epoch 0+ |
| Agent 3 — Invoicing | https://svrn7.net/protocols/invoice/1.0/request | Invoke-Svrn7Transfer Invoke-Svrn7ExternalTransfer Invoke-Svrn7FederationTransfer | Epoch 0+ |
| Agent 4 — VC Issuance | https://svrn7.net/protocols/vc/1.0/issue | Get-Svrn7VcById Get-Svrn7VcsBySubject Find-Svrn7VcsBySubject | Epoch 0+ |
| Agent N — Trading | https://svrn7.net/protocols/trading/1.0/* | Invoke-Svrn7BatchTransfer (custom market cmdlets) | Epoch 1+ only |
Each task runspace is opened from the pool on demand by Invoke-AgentRunspace and returns to the pool when the task completes. The pool thread is occupied only for the duration of the operation.
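The Switchboard's routing decision, written as a pure function: idempotency gate, exact protocol-URI prefix match, then epoch gate. This is an added example, not part of the original specification or the SVRN7 code base; the function name, route table shape, Action names, the VcIssuance agent label and the sample messages are assumptions, while the URIs and minimum epochs come from the table above. Matching on the full URI prefix means a type string that merely contains a segment such as /trading/ is treated as unknown instead of reaching an agent.

```powershell
# Added example: Switchboard routing decision over constructed data.
# Resolve-SwitchboardRoute, the route table shape and the Action names are
# assumptions for illustration; they are not part of SVRN7 v0.7.1.

# Protocol URI prefixes and minimum epochs, taken from the task-runspace table.
$Routes = @(
    [pscustomobject]@{ Prefix = 'https://svrn7.net/protocols/onboard/1.0/'; Agent = 'Onboard';    MinEpoch = 0 }
    [pscustomobject]@{ Prefix = 'https://svrn7.net/protocols/invoice/1.0/'; Agent = 'Invoicing';  MinEpoch = 0 }
    [pscustomobject]@{ Prefix = 'https://svrn7.net/protocols/vc/1.0/';      Agent = 'VcIssuance'; MinEpoch = 0 }
    [pscustomobject]@{ Prefix = 'https://svrn7.net/protocols/trading/1.0/'; Agent = 'Trading';    MinEpoch = 1 }
)

function Resolve-SwitchboardRoute {
    param(
        [string]    $MessageType,
        [string]    $TransferId,
        [int]       $Epoch,
        [hashtable] $ProcessedReceipts = @{},
        [object[]]  $RouteTable = $Routes
    )

    # 1. Idempotency gate: a TransferId that already has a receipt never reaches an agent.
    if ($ProcessedReceipts.ContainsKey($TransferId)) {
        return [pscustomobject]@{
            Action = 'ReplayReceipt'
            Agent  = $null
            Detail = $ProcessedReceipts[$TransferId]
        }
    }

    # 2. Exact, case-sensitive prefix match on the full protocol URI.
    $route = $null
    foreach ($candidate in $RouteTable) {
        if ($MessageType.StartsWith($candidate.Prefix, [System.StringComparison]::Ordinal)) {
            $route = $candidate
            break
        }
    }
    if ($null -eq $route) {
        # Default deny: an unknown type is marked failed, never guessed at.
        return [pscustomobject]@{ Action = 'MarkFailed'; Agent = $null; Detail = 'Unknown type' }
    }

    # 3. Epoch gate: answer with an error response instead of dropping silently.
    if ($Epoch -lt $route.MinEpoch) {
        return [pscustomobject]@{
            Action = 'RejectEpoch'
            Agent  = $route.Agent
            Detail = "Requires epoch $($route.MinEpoch), current epoch is $Epoch"
        }
    }

    return [pscustomobject]@{ Action = 'Dispatch'; Agent = $route.Agent; Detail = $null }
}

# Constructed inbox messages and one cached receipt (placeholders, not real traffic).
# The 'order' suffix on the trading URIs is a constructed value.
$receipts = @{ 'tx-0001' = '<cached packed receipt>' }
$inbox = @(
    [pscustomobject]@{ TransferId = 'tx-0001'; MessageType = 'https://svrn7.net/protocols/invoice/1.0/request' }
    [pscustomobject]@{ TransferId = 'tx-0002'; MessageType = 'https://svrn7.net/protocols/invoice/1.0/request' }
    [pscustomobject]@{ TransferId = 'tx-0003'; MessageType = 'https://svrn7.net/protocols/trading/1.0/order' }
    [pscustomobject]@{ TransferId = 'tx-0004'; MessageType = 'https://other.example/x/trading/1.0/order' }
)

# Evaluate every message under Epoch 0 and Epoch 1 to show the gate changing.
$results = foreach ($epoch in 0, 1) {
    foreach ($msg in $inbox) {
        $decision = Resolve-SwitchboardRoute -MessageType $msg.MessageType -TransferId $msg.TransferId -Epoch $epoch -ProcessedReceipts $receipts
        [pscustomobject]@{
            Epoch      = $epoch
            TransferId = $msg.TransferId
            Action     = $decision.Action
            Agent      = $decision.Agent
        }
    }
}
$results | Format-Table -AutoSize
```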
4.4 Layer 3 — Storage
LiteDB Database Topology
| Database | Context Class | Collections | Access Pattern |
| svrn7.db | Svrn7LiteContext | Wallets, UTXOs, Citizens, CitizenDids, Societies, Memberships, KeyBackups, Overdrafts, LogEntries, TreeNodes, TreeHeads, Nonces (ITransferNonceStore) | High-write on transfers |
| svrn7-dids.db | DidRegistryLiteContext | DID Documents and version history | Read-heavy; write on DID create/update/deactivate |
| svrn7-vcs.db | VcRegistryLiteContext | VcRecords, RevocationEvents | Write on VC issuance and expiry sweeps |
| svrn7-inbox.db | InboxLiteContext | InboxMessages (IInboxStore) and ProcessedOrders (IProcessedOrderStore) | High-write on message receipt |
| svrn7-cache.db (proposed) | CacheLiteContext (new) | Fast Cache: last-N TransferId → packed receipt pairs | Or IMemoryCache for pure in-process speed |
4.5 SVRN7 XFER Dedicated Channel
The SVRN7 XFER rail in the diagram is a dedicated channel from the LOBE layer to the SOVRONA SRC terminal. A SvrN7TransferService BackgroundService is designed to run alongside DIDCommMessageProcessorService:
- Agents post a TransferQueueRecord to a dedicated ITransferQueue collection in svrn7-inbox.db rather than calling ISvrn7Driver.TransferAsync directly.
- SvrN7TransferService drains ITransferQueue on its own loop, runs the 8-step TransferValidator, and commits the UTXO.
- Retry semantics: up to 3 attempts (mirroring IInboxStore). After maxAttempts, the record is dead-lettered with LastError populated.
- This decouples agent logic from the UTXO commit path and prevents monetary operations from competing with DIDComm inbox I/O on the same LiteDB file lock.
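The retry and dead-letter rules above, as an added in-memory example that is not SVRN7 code. The record fields other than LastError, the Status names, both function names and the stand-in commit scriptblock are assumptions; the real queue is a collection in svrn7-inbox.db and the real commit path is the 8-step TransferValidator.

```powershell
# Added example: retry and dead-letter accounting for the XFER queue, in memory.
# Record fields other than LastError, the Status names and both functions are
# assumptions for illustration; the real queue is a LiteDB collection.

function New-TransferQueueRecord {
    param([string] $TransferId, [long] $AmountGrana)
    [pscustomobject]@{
        TransferId  = $TransferId
        AmountGrana = $AmountGrana
        Status      = 'Pending'      # Pending -> Committed | DeadLetter
        Attempts    = 0
        LastError   = $null
    }
}

function Invoke-TransferQueueDrain {
    param(
        [object[]]    $Queue,
        [scriptblock] $ValidateAndCommit,   # stands in for the validator + UTXO commit
        [int]         $MaxAttempts = 3
    )
    foreach ($record in $Queue) {
        # Only pending work is touched: committed and dead-lettered records are final,
        # so a record can never be committed twice by a later pass.
        if ($record.Status -ne 'Pending') { continue }

        $record.Attempts++
        try {
            $null = & $ValidateAndCommit $record
            $record.Status    = 'Committed'
            $record.LastError = $null
        }
        catch {
            # Fail closed: nothing is committed and the reason is kept for the operator.
            $record.LastError = $_.Exception.Message
            if ($record.Attempts -ge $MaxAttempts) { $record.Status = 'DeadLetter' }
        }
    }
}

# Constructed stand-in for the commit path: rejects non-positive amounts, and
# fails twice for 'tx-busy' to imitate a transient storage error before succeeding.
$transientFailuresLeft = @{ 'tx-busy' = 2 }
$commit = {
    param($record)
    if ($record.AmountGrana -le 0) { throw 'Amount must be positive' }
    if ($transientFailuresLeft[$record.TransferId] -gt 0) {
        $transientFailuresLeft[$record.TransferId] = $transientFailuresLeft[$record.TransferId] - 1
        throw 'Store busy'
    }
}

# Constructed queue contents.
$queue = @(
    New-TransferQueueRecord -TransferId 'tx-ok'   -AmountGrana 1000
    New-TransferQueueRecord -TransferId 'tx-busy' -AmountGrana 250
    New-TransferQueueRecord -TransferId 'tx-bad'  -AmountGrana 0
)

# Each pass is one iteration of the service loop; the fourth pass changes nothing.
1..4 | ForEach-Object { Invoke-TransferQueueDrain -Queue $queue -ValidateAndCommit $commit }
$queue | Format-Table TransferId, Status, Attempts, LastError -AutoSize
```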
5. Key Design Principles
Five principles emerge from careful reading of the DSA diagram. These are structural rules that the diagram enforces by its construction, not interpretive opinions.
| # | Principle | Definition | Rationale |
| P1 | Listener and Pool are separate systems | The Listener never executes agent logic; it only enqueues. The Pool never binds to a port; it only processes. No shared threads. | Prevents a slow agent from blocking inbound receipt. Prevents a message burst from exhausting runspaces. |
| P2 | Switchboard is the sole inbox reader | No agent polls IInboxStore directly. Only the Switchboard does, then hands work to agent runspaces. | Single point for epoch enforcement, idempotency checking, and routing. Single LiteDB writer. |
| P3 | Pack/Unpack at Listener boundary only | Agents work with unpacked plaintext. Agents produce plaintext responses; the Listener packs them. | Security guarantee (no agent receives unverified data) and architectural simplification (runspaces need no crypto keys). |
| P4 | SVRN7 is a LOBE, not an agent | ISvrn7SocietyDriver is available to all agents via $SVRN7 session variable — direct in-process cmdlet invocation, not message-passing. | This is why SVRN7 sits between the LOBE blocks in the diagram, not inside a specific agent box. |
| P5 | VTC7 peers are structurally identical | Every Citizen TDA in the mesh runs the same software. No central broker. Cross-Society communication flows through DIDComm/HTTP Listener instances only. | Self-hosting, recursive design. FindVcsBySubjectAcrossSocietiesAsync and FederationDidDocumentResolver implement the fan-out pattern. |
6. Implementation Gaps
The following components are identified in the diagram but not yet implemented in SVRN7 v0.7.1. They represent the work backlog for future sprints.
| Gap | Priority | Design Decision |
| HTTP/Kestrel Listener Entry Point | Critical | ASP.NET Core minimal API with POST /didcomm (enqueue), POST /rest/transfer (synchronous), and GET /health routes. Calls IInboxStore.EnqueueAsync. This is the missing bridge between the internet and DIDCommMessageProcessorService. |
| DIDComm Message Switchboard (named) | Critical | Extract routing logic from DIDCommMessageProcessorService into a named SwitchboardService with explicit epoch gating, IProcessedOrderStore idempotency check, and per-protocol-URI routing to agent runspace slots. |
| Svrn7RunspaceContext + $SVRN7 | High | Formalise the $SVRN7 PSCustomObject as a named class holding ISvrn7SocietyDriver, IInboxStore, IProcessedOrderStore, and current epoch. Inject via RunspacePool InitialSessionState. |
| LobeManager + lobes.config.json | High | Singleton that reads the manifest, builds the InitialSessionState, and manages hot-reload of domain LOBEs without full TDA restart. |
| Agent 1 Sub-Agents (Email, Calendar, Presence, Notifications) | High | Four PowerShell pipeline scripts inside Agent 1 Runspace. Microsoft.Graph for Email and Calendar. Custom DIDComm presence/1.0/status protocol for Presence. Event-driven Notifications. |
| Fast Cache (svrn7-cache.db) | Medium | CacheLiteContext (fifth LiteDB) or IMemoryCache. Stores last-N TransferId → packed receipt pairs for Switchboard hit-before-dequeue. |
| SvrN7TransferService + ITransferQueue | Medium | Dedicated BackgroundService draining a TransferQueueRecord collection in svrn7-inbox.db, decoupling agent UTXO commit from agent message processing. |
| Agent N — Trading | Low (Epoch 1) | Implement when Get-Svrn7CurrentEpoch returns ≥ 1. Switchboard routing stub (reject trading/* in Epoch 0 with a DIDComm error response) should be added now. |
| NEO4J / CIPHER integration | Low (Future) | Graph store for VTC7 trust path queries. Out of scope for v0.7.x. |
| SQL Server / SQL/TDS integration | Low (Future) | Relational reporting. Out of scope for v0.7.x. |
7. Glossary
| Term | Definition |
| TDA | Trusted Digital Assistant. The sovereign, DID-native, DIDComm-native runtime at the centre of the Web 7.0 ecosystem. A citizen or Society operates one TDA. |
| DSA | Decentralized System Architecture. The architectural diagram describing the TDA and its surrounding ecosystem. Current version: DSA v0.16. |
| LOBE | Loadable Object Brain Extension. A PowerShell Module loaded into the Runspace Pool InitialSessionState, providing capabilities (SVRN7 cmdlets, domain functions) available to all runspaces. |
| VTC7 | Verifiable Trust Circle. A federated mesh of TDA nodes that mutually recognise each other’s DIDs and VCs, enabling cross-Society communication and cross-Society VC resolution. |
| SRC | Shared Reserve Currency. The SVRN7 / SOVRONA monetary unit. 1 SVRN7 = 1,000,000 grana. Citizen endowment in v0.7.1: 1,000 grana = 0.001 SVRN7. |
| DIDComm | Decentralized Identifier Communication. A message protocol providing transport-agnostic, end-to-end secure messaging between DID-identified parties. Version 2 used throughout Web 7.0. |
| SignThenEncrypt | The default DIDComm pack mode in SVRN7 v0.7.1. Payload is JWS-signed with the sender’s Ed25519 private key, then JWE-encrypted with the recipient’s Ed25519 public key (X25519 via RFC 7748 birational map). |
| Switchboard | The DIDComm Message Switchboard. Named component inside Agent 1’s Runspace. The sole reader of the durable inbox. Routes messages to agent runspaces by protocol URI. |
| Pack / Unpack | Pack = sign + encrypt an outbound DIDComm message. Unpack = decrypt + verify signature on an inbound message. Both operations occur exclusively at the Listener boundary. |
| Epoch | A governance phase of the SVRN7 ecosystem. Epoch 0 (Endowment): citizen→Society and citizen→Federation transfers only. Epoch 1 (Ecosystem Utility): cross-Society. Epoch 2 (Market Issuance): open-market trading. |
| UTXO | Unspent Transaction Output. Atomic unit of SVRN7 wallet balance. Every transfer creates new UTXOs and marks spent UTXOs. Conservation invariant: sum of all UTXOs = TotalSupplyGrana − unallocated Federation balance. |
| grana | Atomic monetary unit of SVRN7. 1 SVRN7 = 1,000,000 grana. All storage, arithmetic, and transfer amounts are in grana. SVRN7 is display-only. |
| IInboxStore | Durable inbox interface backed by svrn7-inbox.db. Implements EnqueueAsync, DequeueBatchAsync, MarkProcessedAsync, MarkFailedAsync, ResetStuckMessagesAsync, GetStatusCountsAsync. |
| ITransferNonceStore | Durable nonce replay protection backed by svrn7.db. Implements IsReplayAsync with sweep-then-insert LiteDB semantics. 24-hour replay window. |
| IProcessedOrderStore | Cross-Society TransferOrder idempotency store backed by svrn7-inbox.db. Caches packed DIDComm receipts keyed by TransferId. |
8. Document Control
| Field | Value |
| Document Title | Web 7.0 DSA-TDA Design |
| Document ID | WEB7-DSA-TDA-001 |
| Version | 1.0 — Initial release |
| Date | April 2026 |
| Author | Michael Herman, Web 7.0 Foundation, Bindloss, Alberta, Canada |
| Based on | DSA v0.16 Diagram — Epoch 0 (Endowment Phase) |
| SVRN7 Version | v0.7.1 (Svrn7.Federation + Svrn7.Society .NET 8) |
| License | Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) |
| Canonical URL | https://svrn7.net/docs/dsa-tda-design |
| Status | Design Specification — No code generated |