Volume 2 — The Trust Engine
"I did action X on date Y → which caused business Z to earn active income → therefore I am mathematically entitled to passive income $B, provably and undeniably."
This Volume translates the Transformation Operating Model (Volume 1) into the structure of the platform itself. It is written for engineers who will build, for the Product Owner who must understand what he is buying, and for any future architect who needs to extend the system without breaking it.
A globally-distributed, forensic-grade, multi-vertical commission ledger that proves causation between a referral action and a passive income entitlement with the same rigour a stock exchange proves trade settlement — and which extends to unlimited verticals by configuration, not by code.
Every design decision in Flip 360 must defer to these principles. Where they conflict with convenience, the principle wins.
| # | Principle | Implication |
|---|---|---|
| P1 | Immutable by default | Events are append-only. Corrections happen via offsetting entries, never overwrites. |
| P2 | Causation must be provable | Every dollar must trace through an unbroken, hash-chained evidence path back to the originating referral event. |
| P3 | Integer cents arithmetic only | No floats for money — ever. All values stored as integer cents to eliminate rounding drift. |
| P4 | Time-versioned commission rules | A referral made on date D is calculated using the rule active on date D, regardless of when the calculation runs. |
| P5 | Dual confirmation | Both the sender and receiver of a referral cryptographically attest to each lifecycle transition. |
| P6 | Vertical extensibility by configuration | Adding mortgage broking, then trades, then conveyancing requires zero ledger-engine code changes. |
| P7 | Edge-first, globally distributed | Runs on Cloudflare's edge network for sub-100ms member experience worldwide. |
| P8 | Evidence on demand | Any commission entitlement must be reconstructable into a court-admissible evidence pack in under 60 seconds. |
| P9 | Member self-service | Every data point a member can see, they can also export, dispute, and validate independently. |
| P10 | Deterministic outputs | Given the same inputs, the system always produces the same outputs. No hidden state. No randomness in commission math. |
The single sentence the Product Owner gave us — "I did action X on date Y, which caused business Z to earn active income, therefore I am entitled to passive income $B" — is the entire architecture in one line. This chapter formalises it.
Every transition is an event. Every event is immutable. Every event is cryptographically chained to the prior event in its lineage. There are no edits — only new events that supersede or reverse previous ones.
For any disputed cent, the system can assemble — on demand, in under 60 seconds — a self-contained Evidence Pack containing:
This is the artefact a member can take to a tribunal. This is the artefact that retires the dispute.
Every interaction with the system is performed by an Actor. The catalogue is deliberately small. Roles can be combined on a single human (a Flip 360 administrator can also be a referring member), but each role is distinct in its capabilities.
| Actor | Type | Description |
|---|---|---|
| Referring Member | Human | The business or individual sending the referral. Earns passive income. |
| Receiving Member | Human | The business receiving the referral. Earns active income; pays commission. |
| Client / Lead | Human (data subject) | The end customer being referred. Not a system user but a tracked data subject. |
| Flip 360 Administrator | Human | Mathew's team. Onboards members, configures verticals, resolves disputes. |
| Vertical Manager | Human | Owns commission rules for one vertical (e.g. "Mortgage Vertical Lead"). |
| Finance / Payout Officer | Human | Runs payout batches; reconciles bank movement against ledger. |
| Auditor | Human | Read-only access to the immutable chain; internal or external. |
| Performance Coach | Human | Supports ADKAR uplift for bottom-quintile members. |
| Product Owner (Mathew) | Human | Strategic visibility; backlog ownership; system-wide read. |
| System | Automated | Calculates entitlements; runs hash chain; emits notifications; assembles evidence packs. |
| External Payment Rail | External | Stripe Connect / PayID. Receives instructions, returns settlement events. |
| External CRM / Source System | External | A member's own CRM that may push referrals into Flip 360 via API. |
Three value streams traverse the platform end-to-end. Every story in the backlog will support one or more.
A referral is sent → acknowledged → qualified → converted → income earned → commission paid. The core loop.
A business signs up → completes KYC/ABN → joins a vertical → sends first referral → moves through ADKAR.
Targets set → actuals tracked → leaderboard ranked → coaching triggered → quintile movement realised.
The diagram below shows every actor and every primary use case in Flip 360. This is the single most important artefact for the Product Owner to internalise — it is the system, at a glance.
Below are full specifications for the three most architecturally significant use cases. The full catalogue (UC-1 through UC-20) is maintained as a living artefact in the Programme repository.
| Primary Actor | Referring Member |
| Goal | Create an immutable, hash-chained record that a referral was sent on a specific date to a specific receiver. |
| Preconditions | Both sender and receiver are registered, active members. Sender is enrolled in at least one vertical. |
| Trigger | Sender submits a referral via portal, mobile, or API. |
| Main Flow |
1. Sender selects receiver (business or via vertical-matched search). 2. Sender enters client/lead identifying data (name, contact, opportunity description). 3. System validates sender/receiver eligibility and vertical compatibility. 4. System generates referral event with: UUID, server-timestamp, sender_signature, content_hash, prior_event_hash. 5. System appends event to the immutable log. 6. System notifies receiver of pending acknowledgement. 7. Sender sees referral on their dashboard with status "Awaiting Receipt". |
| Postconditions | Referral event exists in the immutable log. Hash chain is intact. |
| Alternate Flows | 3a. Receiver inactive → sender warned; referral not created. 3b. Duplicate detected (same client to same receiver within N days) → confirmation prompt. |
| NFRs Engaged | P50 latency <200ms; immutability; hash integrity; audit logging. |
| Primary Actor | System (automated) |
| Goal | Compute the precise commission entitlement owed to the referring member for a converted referral. |
| Preconditions | Referral event exists. Income Event has been recorded and signed by receiver. Conversion event signed by both parties. |
| Trigger | Income Event recorded against the referral lineage. |
| Main Flow |
1. System retrieves referral event and its date. 2. System resolves vertical and looks up the CommissionRule version active on referral.date. 3. System applies formula: entitlement_cents = round_banker(income.amount_cents · rule.bps / 10000).4. System creates Entitlement Event with full inputs, applied rule version, and result. 5. System chains the event into the ledger. 6. System notifies referring member: "Entitlement of $X earned, pending payout in batch <PB-id>". |
| Postconditions | Entitlement is recorded immutably. Referring member's earned-but-unpaid balance increases by the calculated amount. |
| Determinism Test | Re-running the calculation against the same inputs must produce byte-identical output and identical hash. |
| Primary Actor | Auditor (or any member viewing their own entitlement) |
| Goal | Produce a self-contained, tamper-evident PDF + JSON artefact reconstructing the causation chain for any commission entitlement. |
| Trigger | "Generate Evidence Pack" action invoked on an Entitlement. |
| Main Flow |
1. System traverses the event lineage backward from Entitlement to originating Referral. 2. System retrieves every event in the chain, validates each hash, confirms unbroken linkage. 3. System retrieves the CommissionRule version applied, with its provenance. 4. System assembles the evidence pack (PDF for humans, JSON for systems). 5. System SHA-256-hashes the pack itself and stores the digest in the audit log. 6. System returns the pack to the requester within 60 seconds. |
| Acceptance Test | Any third party with no system access can independently verify the pack's internal hashes and arithmetic. |
| Event Type | Emitted When | Signed By |
|---|---|---|
| REFERRAL_SENT | Sender submits a referral | Sender |
| ACKED | Receiver acknowledges receipt (or auto-ack after N days) | Receiver |
| QUALIFIED | Receiver confirms lead is genuine | Receiver |
| CONVERTED | Receiver records deal closed | Receiver |
| INCOME | Receiver attests active income earned (amount_cents) | Receiver |
| ENTITLEMENT | System computes commission owed | System |
| ADJUSTMENT | Approved adjustment (e.g. clawback) | Administrator |
| REVERSAL | Compensating entry reversing a prior event | Administrator |
| PAYOUT | Funds released through payment rail | Payout Officer |
This chapter is the technical heart of the Trust Engine. Architects building Flip 360 must understand this chapter cold; everything else is plumbing.
Before hashing, every event payload is converted to a canonical JSON representation: keys sorted lexicographically, no whitespace, UTF-8 encoded. This guarantees that the same logical content always produces the same hash, regardless of how it was originally serialised.
Any attempt to alter the contents of an earlier event would invalidate its hash, which would invalidate every subsequent event's prior_hash — a tamper attempt is instantly detectable by walking the chain.
We considered, and rejected, anchoring to a public blockchain (Ethereum, Bitcoin). Reasons:
The system runs three integrity checks continuously:
The Commission Engine is the deterministic calculator that turns Income Events into Entitlement Events. It is the smallest, most tested, most stable module in the platform — by design.
calc(referral, income, rule) → entitlement.| Rule Type | Formula | Example |
|---|---|---|
| Flat percentage | income · bps ÷ 10000 | 30% of broker commission = 3000 bps |
| Flat amount per referral | flat_cents | $200 per qualified referral |
| Tiered percentage (by income amount) | Piecewise on income brackets | 20% to $5k, 25% above |
| Hybrid (flat + percentage) | flat_cents + income · bps ÷ 10000 | $100 + 20% |
| Multi-hop (future) | Recursive entitlements up the referral tree, capped at depth | Originator 25%, second-degree 5% |
Flip 360 uses banker's rounding (round half to even) on the final cent. This is the rounding scheme used by IEEE 754, by the Australian Tax Office for many calculations, and by financial systems globally. It removes the systematic bias that simple half-up rounding introduces over millions of transactions.
Where the receiving member is GST-registered (per their ABN status), commissions paid are typically subject to GST. The engine separates:
entitlement_ex_gst_cents — base entitlement.gst_cents — calculated as 10% of base where applicable.entitlement_inc_gst_cents — sum, paid to the member.Both values are stored on the Entitlement Event. The system can produce a Recipient Created Tax Invoice (RCTI) for each payout — standard practice in the Australian financial services industry.
| Layer | Choice | Rationale |
|---|---|---|
| Runtime | Cloudflare Workers (V8 isolates) | Edge execution; zero ops; sub-100ms global latency. |
| Web framework | Hono | Purpose-built for Workers; lightweight; great DX. |
| Language | TypeScript (strict) | Type safety across the trust engine. |
| Relational store | Cloudflare D1 (SQLite) | Native binding; horizontal read replicas; sufficient for ledger workload. |
| Key-value store | Cloudflare KV | Sessions, configuration, hot dashboards cache. |
| Object store | Cloudflare R2 | Evidence packs, exports, long-term cold ledger snapshots. |
| Authentication | JWT (signed at edge); OAuth (Google/MS) for SSO | Standards-based; member self-service. |
| Payments | Stripe Connect (Express accounts) | Australian-supported; KYC/AUSTRAC handled by Stripe. |
| Email / SMS | Resend (email), Twilio (SMS) | Reliable transactional delivery. |
| Observability | Cloudflare Analytics + Workers Logs; Sentry for errors | Out-of-the-box edge telemetry. |
| CI/CD | GitHub Actions → Wrangler deploy | Trunk-based, sprint-cadence releases. |
| Front-end | Hono JSX (server-rendered) + Tailwind CDN + lightweight Alpine.js where needed | No SPA bloat; member portal feels instant. |
Analytics in Flip 360 are deliberately narrow and deliberately deep. We do not compete with Tableau on breadth — we beat it on fit. Every metric the platform exposes is a metric that drives the active+passive walking thesis.
| Metric | What It Tells the Member |
|---|---|
| Passive Income — Actual vs Target | Are you on track this month to hit your right-leg target? |
| Referrals Sent — Actual vs Target | Are you taking enough right-leg steps? |
| Conversion Rate | Of the referrals you sent, what % became income? |
| Reciprocity Score | For every $1 you generated for others, how much active income returned to you? |
| ADKAR Stage | Where are you on the capability curve? |
Leaderboard is computed daily across three windows: rolling 30 days, current quarter, all-time. Members opt in to be visible by name; otherwise displayed as "Member #1247". The leaderboard surfaces:
The thesis predicts that active referrers attract reciprocal active income. We measure this directly:
Volume 1 established ADKAR as the change framework. Volume 2 makes it a first-class engine of the platform. Every member has a current ADKAR stage; transitions are event-driven; interventions are automated.
| Stage | Entry Trigger | Exit Criteria | System Action |
|---|---|---|---|
| A — Awareness | Sign-up | Member views walking-thesis content + first leaderboard | Welcome sequence; orientation |
| D — Desire | Awareness complete | Member explicitly opts in to a vertical | Surface peer case studies in their vertical |
| K — Knowledge | Vertical join | Member completes onboarding training | Push training; quiz checkpoints |
| A — Ability | Training complete | Member sends 3 referrals, 1 of which qualifies | Coaching nudges; "send your first" prompts |
| R — Reinforcement | First commission received | Sustained 90 days at or above quintile target | Leaderboard recognition; targets advance |
The 30 user stories below seed the Product Backlog. Each is in canonical "I am... I need... so I can..." form, with priority (Must/Should/Could) and the actor identified. The squad will refine these at the first Backlog Refinement session.
I am a prospective member, I need to register my business with legal name, ABN, GST status, primary contact and bank details, so I can begin sending and receiving referrals under a verifiable identity.
I am a registered member, I need to join one or more verticals (e.g. mortgage broking, conveyancing) relevant to my business, so I can receive vertical-appropriate referrals and have the right commission rules applied to my activity.
I am a newly joined member, I need to complete a short onboarding module on how Flip 360 works, so I can confidently send my first referral and understand my entitlement.
I am a registered member, I need to securely connect my Australian bank account via Stripe Connect, so I can receive commission payouts without sharing raw bank details with the platform.
I am a referring member, I need to create a referral by selecting a receiving member and providing client/lead details, so I can establish an immutable, time-stamped, hash-chained record of my action.
I am a receiving member, I need to acknowledge that I have received the referral, so the sender has cryptographic proof I am in possession of the lead.
I am a receiving member, I need to mark a lead as qualified or unqualified after contact, so the system understands which referrals are in the conversion pipeline.
I am a receiving member, I need to record that the referral converted into a deal and attest to the active income amount earned, so the system can deterministically calculate the commission owed.
I am the Commission Engine, I need to apply the time-versioned commission rule active at the referral's date to the income event amount, so I can produce an entitlement that is deterministic, replayable, and provable.
I am an auditor, I need to walk the full event chain and verify every hash linkage, so I can confirm the integrity of the ledger has not been compromised.
I am the Payout Officer, I need to assemble all earned-but-unpaid entitlements into a single payout batch for a given period, so I can release member commissions in a controlled, reconciliable cycle.
I am the Payout Officer, I need to reconcile actual bank transfers against the payout batch line-by-line, so I can confirm zero variance between ledger and money.
I am the system, I need to generate an RCTI for each GST-registered member's payout, so the member meets ATO documentation obligations without manual paperwork.
I am a member, I need to raise a dispute against any referral, entitlement or payout I believe to be incorrect, so I can have my concern formally examined with full ledger evidence.
I am an auditor or affected member, I need to generate a self-contained, tamper-evident evidence pack for any entitlement, so I can resolve disputes from system evidence alone in under 60 seconds.
I am an administrator, I need to issue a compensating adjustment or reversal event to correct an entitlement, so the ledger remains immutable while still allowing legitimate corrections.
I am an administrator, I need to add a new vertical (e.g. "Builders") with regulator metadata and default commission rule, so the network expands without code change.
I am a Vertical Manager, I need to author a new commission rule with an effective_from date, so future referrals in my vertical use the new rate while past referrals retain their original rate.
I am a member, I need to see my actual-vs-target passive income, referrals sent, conversion rate, reciprocity score and ADKAR stage on a single screen, so I can understand at a glance whether I am walking or hopping.
I am a member, I need to see how I rank in the top/bottom 20% across rolling 30-day, current-quarter and all-time windows, so I can compete and benchmark within my vertical and across the network.
I am the Product Owner (or a member setting personal targets), I need to set monthly referral and passive-income targets per member or per cohort, so the actual-vs-target measurement has a denominator.
I am the ADKAR engine, I need to flag members stuck at a stage >30 days or regressing into the bottom quintile, so a human Performance Coach is automatically routed to them with context.
I am a member, I need to export all my referrals, entitlements and payouts as CSV plus evidence packs, so I can maintain my own records and meet my own audit obligations.
I am an auditor, I need to walk the full hash chain and receive a signed integrity certificate, so I can attest to the integrity of the ledger for a given audit period.
I am the system, I need to publish a daily Merkle root of the event log to immutable R2 storage, so the chain has an additional tamper-evident anchor independent of the live database.
I am an external CRM (member-owned), I need to POST referral events into Flip 360 via authenticated API, so the member's existing workflow surfaces the referral without double-entry.
I am the system, I need to instruct Stripe Connect to transfer payout amounts to member accounts, so money movement is initiated automatically from the reconciled payout batch.
I am the Product Owner, I need to see every member, every referral, every entitlement and every payout in one read-only console, so I can understand the health of the entire network at a glance.
I am the Product Owner, I need to capture any new idea I have on-the-fly via a single-field web inbox, so no idea is ever lost and every idea enters the formal triage flow.
I am the Steering Committee, I need to see velocity, burndown, RAG status and top RAID items on a single page, so I can govern the programme with one page per month, not a deck.
NFRs are the qualities of the system: how fast, how safe, how recoverable, how trustworthy. In a financial-grade system, NFRs are first-class citizens, not afterthoughts.
| Category | Requirement | Target | How Measured |
|---|---|---|---|
| Performance | Member dashboard load | P95 < 800ms global | RUM (Real User Monitoring) via Cloudflare |
| Performance | Referral submission | P95 < 400ms | API metrics |
| Performance | Evidence Pack assembly | P95 < 60s | Server timing |
| Availability | Member portal uptime | 99.9% monthly (≤ 43 min downtime) | Synthetic monitoring |
| Durability | Event log retention | 100% of events retained for life of programme; daily R2 snapshot | Snapshot verification |
| Integrity | Hash chain unbroken | Zero broken links | Nightly chain walk |
| Integrity | Determinism | Re-calc produces byte-identical entitlement | Property-based tests |
| Security | Authentication | JWT with short-lived access tokens; refresh via secure cookie | Pen-test |
| Security | PII at rest | Encrypted via Cloudflare-managed keys | Cloudflare audit |
| Recoverability | RPO (data loss tolerance) | < 5 min | D1 + R2 backup cadence |
| Recoverability | RTO (time to restore) | < 4 hours | DR rehearsal quarterly |
| Auditability | Every state change logged | 100% | Coverage report |
| Accessibility | WCAG 2.1 AA | Conformance on all member-facing surfaces | Automated + manual audit |
| Privacy | Australian Privacy Principles (APP 1-13) | Full compliance | Privacy Impact Assessment |
| Regulator / Framework | Applicability | Posture |
|---|---|---|
| Australian Privacy Act 1988 / APPs | All personal information held about members and leads | Privacy Policy + Collection Statement; APP-compliant by design |
| ASIC — NCCP Act | Mortgage broking referrals | Member-level disclosure of referral fees; conflict-of-interest tooling |
| ASIC — Corporations Act / AFSL | Financial advice / insurance referrals | Referrals only, not advice; statement-of-referrer wording |
| ATO — GST & RCTI | Commission payments to GST-registered members | RCTI generation; GST split on Entitlements |
| AUSTRAC | Money movement | Handled by Stripe Connect (regulated entity) |
| TPB | Tax agent referrals | Member-level disclosure |
| Class | Examples | Storage / Treatment |
|---|---|---|
| Public | Vertical names, marketing copy | Cacheable at edge |
| Member-internal | Targets, dashboards, leaderboard rank | D1; member-scoped read |
| Sensitive | Client/lead contact details, ABN, deal value | D1 with field-level encryption for PII |
| Restricted | Bank account references (tokenised by Stripe) | Never stored raw; Stripe references only |
The first six sprints (12 weeks) take Flip 360 from empty repository to first commission paid through the platform with full evidence. Each sprint produces a working, demonstrable Increment.
| Sprint | Goal | Key Stories | Definition of Success |
|---|---|---|---|
| Sprint 1 | Trust foundations | US-009, US-010, US-024, US-025 | Append-only event log live; hash chain walks clean end-to-end; nightly Merkle root publishes. |
| Sprint 2 | Members & verticals | US-001, US-002, US-017, US-018 | First three pilot businesses registered; one vertical (mortgage) live with v1 commission rule. |
| Sprint 3 | The referral loop | US-005, US-006, US-007, US-008 | First end-to-end referral: sent → acked → qualified → converted → income recorded. |
| Sprint 4 | Entitlement & evidence | US-009 (deepen), US-015, US-016 | First entitlement calculated and an evidence pack assembled for it in <60s. |
| Sprint 5 | Payout & reconcile | US-004, US-011, US-012, US-013, US-027 | First payout batch settled via Stripe Connect; RCTI issued; bank reconciled to zero variance. |
| Sprint 6 | Member portal & leaderboard | US-019, US-020, US-021, US-029 | Members see their own dashboard, leaderboard rank, and targets; Mathew's Idea Inbox live. |
Every architecturally-significant decision is captured as a short ADR (Michael Nygard format). Below are the seven foundational ADRs adopted at programme inception. New ADRs accumulate in the repository as the system evolves.
Context: Global member base needs sub-100ms latency; zero-ops preferred. Decision: Cloudflare Workers + Pages with Hono. Consequences: No Node-specific APIs; embrace Web Platform.
Context: Forensic accuracy non-negotiable. Decision: All state derives from an immutable, hash-chained event log; relational tables are materialised projections. Consequences: Higher write discipline; massive audit benefit.
Decision: No floats anywhere in the money path. Consequences: All UI formats from integer cents at the boundary.
Decision: Use D1 (SQLite) at edge. Consequences: Constraints on transaction model; mitigated by event-sourcing pattern.
Decision: Stripe Connect Express accounts; KYC/AUSTRAC offloaded to Stripe. Consequences: Stripe fees in unit economics; faster compliance posture.
Decision: Use internal hash chain + daily Merkle root in R2; reconsider third-party timestamping post-MVP. Consequences: Privacy preserved; performance preserved.
Decision: Hono JSX rendering with progressive enhancement; no React SPA. Consequences: Faster TTI; simpler architecture; less front-end churn.
Volume 1 installed the operating model. Volume 2 has translated it into the structure of the platform. Volume 3 — the CoSai CFO Services Proposal — sets out the commercial terms under which this work is delivered. Volume 4 hands the brand and media strategy to Your Digital Team, and Volume 5 lays out the national PR and earned-media campaign to introduce Flip 360 to Australia.
Left foot. Right foot. Provably, undeniably, mathematically.
Flip 360 Transformation Programme · Volume 2 — Enterprise Architecture & Solution Design
Prepared for Mathew Punter, Product Owner · By the Solution Architect · Foundation Release v1.0 · May 2026