Implementation Manual

Verity is a sovereign, formally‑verified, AI‑agent‑native core banking platform. It compiles to a single Rust binary with no cloud dependency. This manual guides infrastructure teams through installation, configuration, and operation.

1. System Overview

Verity replaces traditional mutable‑balance databases with a Merkle‑proofed, TLA+‑verified double‑entry ledger and replaces role‑based access control with compile‑time capability security. The platform runs on bare‑metal Linux servers with hardware‑enforced Trusted Execution Environments (Intel TDX or AMD SEV‑SNP) for production. Evaluation deployments may use simulation mode with reduced security guarantees.

Key architectural properties:

2. Prerequisites

2.1 Hardware Requirements

| Environment | CPU | RAM | Storage | TEE |
| --- | --- | --- | --- | --- |
| Production | 16 cores (Intel Xeon Scalable or AMD EPYC 9005) | 64 GB ECC | 1 TB NVMe SSD (RAID‑1 recommended) | Intel TDX or AMD SEV‑SNP required |
| Evaluation / Pilot | 8 cores | 32 GB | 512 GB SSD | Optional (simulation mode) |
| Edge (branch / ATM) | 4 cores (Intel Atom or ARM Cortex‑A78AE) | 4 GB | 32 GB eMMC | Optional |

2.2 Software Requirements

| Component | Version / Notes |
| --- | --- |
| Operating System | Linux kernel 5.15 or later. Ubuntu 22.04/24.04 LTS, RHEL 9, or Debian 12 recommended. |
| Database | PostgreSQL 17+ (production) or SQLite 3 (single‑node evaluation only). |
| TLS Certificate | A valid X.509 certificate for the Mission Control dashboard. Self‑signed acceptable for initial setup. |
| NTP | Accurate time synchronisation mandatory. The platform refuses to start if the clock is wrong. |
| Network | Outbound access to payment rails (FedNow, SWIFT) as required. Inbound access on port 8080 (configurable) for dashboard and API. |

2.3 Licence Key

A licence key must be obtained from Intellectica AI LLC before installation. The key is a long string beginning with VERITY- and contains a cryptographically‑signed payload. It is bound to the first server it is installed on.

3. Installation

3.1 Obtain the Binary

  1. Navigate to the download URL provided with your licence key (e.g. https://aac62545.verity-core-banking.pages.dev/download).
  2. Enter your licence key. The download will begin automatically.
  3. Save the file verity-<version>.bin to your server.

3.2 Verify Integrity

A SHA‑256 checksum file is available alongside the download. Verify the binary before execution:

sha256sum -c verity-<version>.bin.sha256

Expected output: verity-<version>.bin: OK

3.3 Install the Binary

sudo cp verity-<version>.bin /usr/local/bin/verity
sudo chmod +x /usr/local/bin/verity
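
A checksum file served next to the binary (§3.2) catches a corrupted download but not a replaced one, because whoever can swap the binary can swap the checksum too. The added example below is not part of the vendor's tooling: it combines §3.2 and §3.3 by checking the file against a digest obtained through a separate channel and installing only the bytes that were checked. The function name `stage_verified` and the availability of such an out-of-band digest are assumptions.

```shell
#!/bin/sh
# Added example: install a download only if it matches a pinned SHA-256 digest.
# stage_verified SRC EXPECTED_SHA256 DEST
# Returns 0 when installed, 1 on digest mismatch, 2 on bad input.
stage_verified() {
    src=$1; expected=$2; dest=$3
    [ -f "$src" ] || { echo "error: $src not found" >&2; return 2; }

    # Normalise case and insist on exactly 64 hex characters, so an empty
    # or truncated pin can never be accepted.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case $expected in
        ''|*[!0-9a-f]*) echo "error: pinned digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "error: digest must be 64 hex characters" >&2; return 2; }

    # Copy first, then hash the copy: the bytes that were verified are the
    # bytes that get installed, even if SRC changes in between. Staging in
    # the destination directory keeps the final mv a same-filesystem rename.
    staged="$dest.staged.$$"
    cp -- "$src" "$staged" || return 2
    actual=$(sha256sum < "$staged" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f -- "$staged"
        echo "FAILED: $src has digest $actual" >&2
        return 1
    fi
    chmod 0755 "$staged" && mv -f -- "$staged" "$dest"
}
```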

3.4 Run the Installer

sudo verity install --license-key "VERITY-..."

The installer performs the following steps automatically:

Expected output:

✅ Verity installed successfully.
   Organisation: First Interstate Bank
   Licence expires: 2027-06-01T00:00:00Z

Start the platform with: verity serve

3.5 Create a systemd Service

The recommended way to run Verity in production is via systemd:

sudo tee /etc/systemd/system/verity.service << 'EOF'
[Unit]
Description=Verity Core Banking Platform
After=network.target postgresql.service

[Service]
Type=simple
ExecStart=/usr/local/bin/verity serve
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target
EOF

sudo systemctl daemon-reload
sudo systemctl enable verity
sudo systemctl start verity

3.6 Verify the Installation

# Check service status
sudo systemctl status verity

# Check licence status
verity license status

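# Check the dashboard is responding (-k skips certificate verification; use it only while the self-signed setup certificate is in place)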
curl -k https://localhost:8080/health

Expected licence status output:

Organisation: First Interstate Bank
Expiry:       2027-06-01T00:00:00Z
Hardware match: 100%
Signature:    ✅ valid

4. Configuration

4.1 Configuration File

The main configuration file is /etc/verity/config.toml. It is generated by the installer and may be edited manually.

[platform]
org = "First Interstate Bank"

[ledger]
path = "/var/verity/ledger"

[api]
bind = "0.0.0.0:8080"

4.2 Key Configuration Options

| Setting | Default | Description |
| --- | --- | --- |
| ledger.path | /var/verity/ledger | Path to the Merkle ledger event store. Must be on persistent, high‑performance storage. |
| api.bind | 0.0.0.0:8080 | IP address and port for the Mission Control dashboard and API. |
| api.tls_cert | (none) | Path to TLS certificate file. Required for production. |
| api.tls_key | (none) | Path to TLS private key file. Required for production. |
| tee.mode | auto | One of auto, production, simulation. In production mode the binary refuses to start without valid TEE attestation. |

4.3 Environment Variables

| Variable | Purpose | Default |
| --- | --- | --- |
| DATABASE_URL | PostgreSQL connection string | postgresql://verity:verity@localhost:5432/verity |
| VERITY_VENDOR_PUBKEY | Embedded at build time | (compiled in) |
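
The defaults in §4.2 and §4.3 suit evaluation rather than production: TLS paths unset, tee.mode left at auto, the API bound to every interface, and a DATABASE_URL with a published password. The script below is an added example, not part of Verity, that flags those settings before go-live. The function names are hypothetical, and reading tee.mode from a `[tee]` section is an assumption based on how ledger.path maps to `[ledger]` in the sample file.

```shell
#!/bin/sh
# Added example: flag the evaluation-grade defaults from sections 4.2 and 4.3.

# toml_get FILE SECTION KEY -> value of KEY in [SECTION], quotes stripped.
# Handles only flat key = "value" lines, as in the sample config.toml.
toml_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); section = $0; next }
        section == want {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t]/, "", k)
            sub(/^[ \t]*"?/, "", v); sub(/"?[ \t]*$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_verity_config FILE [DATABASE_URL]
# Prints one line per finding and returns the number of findings (0 = clean).
audit_verity_config() {
    cfg=$1; db_url=${2-}; findings=0
    [ -r "$cfg" ] || { echo "ERROR cannot read $cfg" >&2; return 255; }
    flag() { echo "FINDING $1"; findings=$((findings + 1)); }

    # [tee] mode is assumed from the table's dotted name tee.mode.
    mode=$(toml_get "$cfg" tee mode)
    [ "$mode" = "production" ] ||
        flag "tee.mode=${mode:-auto}: set production so start-up fails without attestation"

    for k in tls_cert tls_key; do
        [ -n "$(toml_get "$cfg" api "$k")" ] || flag "api.$k is unset: required for production"
    done

    case $(toml_get "$cfg" api bind) in
        ''|0.0.0.0:*) flag "api.bind listens on every interface: bind the operator-facing address" ;;
    esac

    # An unset DATABASE_URL falls back to the documented default, which
    # carries the published verity:verity credentials.
    case $db_url in
        ''|*://verity:verity@*) flag "DATABASE_URL uses the default verity:verity credentials" ;;
    esac
    return "$findings"
}
```

Run it as `audit_verity_config /etc/verity/config.toml "$DATABASE_URL"` in the environment the service will use; a non-zero exit status is the number of findings.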

5. Operations

5.1 Daily Operations

# Start the platform
sudo systemctl start verity

# Stop the platform
sudo systemctl stop verity

# Restart the platform
sudo systemctl restart verity

# View logs
sudo journalctl -u verity -f

5.2 Licence Management

# Check licence status
verity license status

# Check version
verity version

5.3 Backup and Recovery

The Merkle ledger is an append‑only event store. Backups must include:

| Data | Frequency | Retention |
| --- | --- | --- |
| Ledger | Continuous (PostgreSQL WAL archiving) | 7 years (regulatory minimum) |
| Configuration | After every change | Indefinite |
| Licence file | After initial install | Indefinite |

5.4 Monitoring

Verity emits OpenTelemetry traces, metrics, and structured logs. Point the OTLP exporter to your observability backend:

[observability]
otlp_endpoint = "http://otel-collector:4317"

Key metrics to monitor:

| Metric | Description | Alert Threshold |
| --- | --- | --- |
| ledger.append_latency_ms | P99 latency of ledger appends | > 50 ms |
| capability.validation_count | Capability token validations per second | Sudden drop may indicate attack |
| fraud.alerts_generated | Fraud alerts per hour | Spike warrants investigation |
| license.hardware_match | Hardware fingerprint match percentage | < 100% = possible tampering |

5.5 Log Levels

| Level | Purpose |
| --- | --- |
| error | Licence validation failures, ledger corruption, TEE attestation failures |
| warn | VM/container detection, clock anomalies, circuit breaker trips |
| info | Normal operations: transaction commits, agent actions, payment processing |
| debug | Detailed tracing for support investigations |
| trace | Full execution traces (high volume, not recommended for production) |

6. Troubleshooting

6.1 Common Issues

| Symptom | Likely Cause | Resolution |
| --- | --- | --- |
| “Licence signature invalid” | The licence key was generated with a different vendor key, or the key has been corrupted. | Obtain a new licence key from Intellectica AI LLC. |
| “Licence is bound to different hardware” | The binary was moved to a different server, or the server underwent major hardware changes. | Request a licence re‑issue from Intellectica AI LLC. |
| “System clock appears to have been rolled back” | NTP is not running or the system clock is incorrect. | Enable NTP (sudo timedatectl set-ntp true). Ensure the clock is synchronised before restarting Verity. |
| “Virtualised/container environment detected” | The platform is running inside a VM or container without TEE support. | This is a warning only. The platform will start in simulation mode. For production, deploy on bare‑metal with TEE. |
| Dashboard returns 502 | Verity is not running or the port is blocked by a firewall. | Check systemctl status verity. Verify the firewall allows port 8080. |
| Ledger append latency is high | Storage I/O is saturated, or the database connection pool is exhausted. | Check disk I/O (iostat). Increase the database connection pool size. |

6.2 Diagnostic Commands

# Check Verity service status
sudo systemctl status verity

# View the last 100 log lines
sudo journalctl -u verity -n 100 --no-pager

# Check licence validity
verity license status

# Test the health endpoint
curl -k https://localhost:8080/health

# Check disk space on the ledger volume
df -h /var/verity/ledger

# Check NTP synchronisation
timedatectl show-timesync

6.3 Emergency Shutdown

In the event of a security incident, Verity can be immediately halted:

sudo systemctl stop verity

For hardware‑grade termination, the platform supports a Non‑Maskable Interrupt (NMI) on TEE‑enabled hardware. This is triggered via the IPMI/BMC interface and is specific to your server hardware. Consult your server documentation for NMI invocation.

After an emergency shutdown, the ledger remains consistent because all writes are append‑only. No data corruption occurs from a hard stop.

7. Security

7.1 Licence Enforcement

The licence is cryptographically bound to the server’s hardware fingerprint. The binary will not start if:

7.2 TEE Attestation

In production mode, the binary performs remote attestation on every startup. The TEE (Intel TDX or AMD SEV‑SNP) proves to the binary that it is running on genuine, untampered hardware. If attestation fails, the binary refuses to start.

7.3 Capability‑Based Security

All operations—including those initiated by human operators—are governed by capability tokens. No ambient authority exists. The four‑eyes principle is enforced at the virtual‑machine level for high‑value operations (wire transfers above $10,000, loan approvals, general‑ledger postings).

7.4 Audit Trail

Every transaction, agent action, and configuration change produces a cryptographically‑signed provenance record. These records are Merkle‑chained and may be anchored to a public transparency service (SCITT). Regulators can verify the integrity of the audit trail independently without access to the bank’s systems.

8. Maintenance

8.1 Upgrading Verity

  1. Download the new binary as described in §3.1.
  2. Stop the running instance: sudo systemctl stop verity
  3. Replace the binary: sudo cp verity-<new-version>.bin /usr/local/bin/verity
  4. Restart: sudo systemctl start verity
  5. Verify: verity version and verity license status

The licence file and ledger are compatible across versions. No data migration is required.

8.2 Licence Renewal

When a licence approaches expiry, contact Intellectica AI LLC for a renewal key. The new key can be applied without reinstalling:

sudo verity install --license-key "VERITY-<new-key>"

This updates the licence file while preserving the existing ledger and configuration.

8.3 Database Maintenance

For PostgreSQL deployments, standard maintenance practices apply:

Verity uses SQLx for database access. The connection pool size defaults to 10 and may be tuned in the configuration file.

9. Network & Firewall Requirements

| Source | Destination | Port | Protocol | Purpose |
| --- | --- | --- | --- | --- |
| Operator workstations | Verity server | 8080 | HTTPS | Mission Control dashboard |
| Verity server | FedNow endpoint | 443 | HTTPS | Instant payment processing |
| Verity server | SWIFT endpoint | 443 | HTTPS | Cross‑border payment processing |
| Verity server | PostgreSQL server | 5432 | TCP | Ledger database |
| Verity server | NTP server | 123 | UDP | Time synchronisation |
| Verity server | OTLP collector | 4317 | gRPC | Observability telemetry |

10. Support

For technical support, contact Intellectica AI LLC:
Email: support@verity.io
Emergency: [phone number provided with licence]

When reporting an issue, please include:

Appendix A — Quick Reference

# Install
sudo cp verity-*.bin /usr/local/bin/verity && sudo chmod +x /usr/local/bin/verity
sudo verity install --license-key "VERITY-..."

# Service management
sudo systemctl start verity
sudo systemctl stop verity
sudo systemctl restart verity
sudo systemctl status verity

# Logs
sudo journalctl -u verity -f

# Licence
verity license status
verity version

# Health check
curl -k https://localhost:8080/health

Appendix B — Directory Layout

/etc/verity/
├── config.toml          # Platform configuration
└── license.lic          # Encrypted, hardware‑bound licence

/var/verity/
└── ledger/              # Merkle event store (append‑only)

/usr/local/bin/
└── verity               # Static binary