The Spec

Apache-2.0 reference
Five tiers. Twenty-six crates. One core, every platform.

The architecture is complete and tests cleanly across every supported target. No part has been certified by a card scheme, audited by a PCI QSA, or run in regulated production. Use it as a starting point, not as a certified, production-ready system.

Tiers

Each tier depends only on the tiers below.

TIER 1

Foundation

op-core, op-iso20022, op-emv, op-vault

Typed money. The typestate payment lifecycle. ISO 20022 message helpers (PACS / PAIN / CAMT). EMV TLV codec for tap blobs from iOS Secure Enclave / Android StrongBox. Token-only vault with AES-256-GCM-SIV reference.

TIER 2

Rails & risk

op-rails-card, op-rails-a2a, op-rails-crypto, op-fraud, op-webhook

Three acquirer traits: CardAcquirer, A2aAcquirer, CryptoGateway. Reference drivers for Hyperswitch (card), FedNow / PIX / SEPA Instant (A2A direct ISO 20022), and USDC on Base via EvmJsonRpcGateway. On-device fraud scorer with heuristic, ONNX, and pure-Rust Burn backends. Stripe-shaped outbound webhook delivery with signing and auto-disable.

TIER 3

Orchestration & ledger

op-orchestrator, op-ledger, op-reconciliation, op-graph

Routing across rails with idempotency, soft-failure fallback, and 3DS / SCA resume. Double-entry append-only ledger. Ledger ↔ bank-statement reconciliation with deterministic UUID v5 matching. Minigraf-backed implementations of every domain store with bi-temporal history and Datalog queries.

TIER 4

Deployment

op-server, op-refund, op-dispute, op-settlement, op-subscriptions, op-fx, op-driver-sdk

Axum HTTP server with env-driven main. Refund and dispute state machines. Batch settlement with holdback computation and NACHA payout-file generation. Recurring billing: plans, calendar-aware intervals, trials, dunning, proration. FX with banker's rounding and a cached quote provider. Driver-SDK conformance harness for third-party drivers.

TIER 5

FFI & CLI

op-ffi-swift, op-ffi-jni, op-wasm, op-cli

Swift bridge via swift-bridge + C ABI. Android bridge via JNI; opaque handles in Kotlin. Browser / Node.js bridge via wasm-bindgen. Operator CLI with 14 subcommands across health, refund, dispute, batch, subscription, FX, webhooks, audit. PAN never crosses any FFI boundary.

Principles

Enforced by the type system or by the build.

No f64 money
Money is integer minor units paired with Currency. Adding USD to EUR does not compile.
Typestate lifecycle
Payment<Created>, Payment<Authorized>, Payment<Captured>, Payment<Refunded> are distinct types. Refunding before capture is a compile error.
No PCI scope by default
PaymentMethod has no raw-PAN variant unless the pci-scope feature is enabled. Orchestrators and FFI bridges only see VaultRef or Emv(SecureBlob).
Append-only ledger
Entries are never updated or deleted. Corrections are themselves entries. Bi-temporal history is intrinsic, not bolted on.
One core, every platform
op-core, op-fraud, op-vault are no_std-friendly and compile to iOS, Android, WASM, and Linux from the same source.
Drivers are external and verifiable
Operators write their own CardAcquirer / A2aAcquirer; op_driver_sdk::conformance::run_card(&driver)? catches contract violations before deployment.

Status

v0.1.0 — reference, not certified.

Workspace
26 member crates plus 3 examples. Phases 0 through 31 implemented end-to-end.
Tests
cargo test --workspace  →  1124 passing, 0 failing. Feature-gated paths add 28 EVM and 111 reqwest-transport tests.
Lint
cargo clippy --workspace --all-targets  →  zero warnings.
Toolchain
Rust 1.95 (edition 2024). The MSRV is pinned in Cargo.toml and enforced by CI.
Licence
Apache-2.0. The wire format and the right to fork are public. The optional hosted services are the offer; the protocol is not.