In Earned Compression, we showed that a three-party payment cycle exhibits the same core-observer decomposition as tic-tac-toe — the core is a timed event graph with tropical eigenvalue λ = 1, and the observer (overdraft guards) reads state catalytically without feeding tokens back.
But we treated that network as a fixed object. Real settlement systems aren't fixed. Channels are added, split, merged. Parties join and leave. The interesting question isn't "what are the properties of this network?" — it's "how do properties compose when we build networks from parts?"
That question has a precise answer in the language of open Petri nets.
Settle isn't one payment network. It's the free symmetric monoidal category generated by payment Petri nets — the category of all settlement networks built from the same primitives.
send, settle) generated by incidence matricesThe three-party cycle from Earned Compression is one object in Settle. A two-party channel is another. A five-party mesh with multi-hop routing is another. They're all morphisms in the same category, composed from the same generators.
This makes Settle an object in OPetri — the category of open Petri nets (Baez & Master, 2020). The categorical perspective reveals composition structure that the incidence matrix alone doesn't make visible.
An open Petri net is a net with designated boundary places — exposed interfaces along which subnets compose. Each payment channel is an open subnet:
The channel ch_ab (Alice → Bob) is an open net with input boundary {a} and output boundary {b}. Internally it has two transitions (send_ab, settle_ab) and an internal place (pending_ab). The boundary places — alice_bal and bob_bal — are the wires that stick out, available for composition.
The full network is the composition of three open nets, glued by identifying shared boundary places:
Settle = (ch_ab ;_b ch_bc) ;_c ch_ca
where ;_b means "compose along shared boundary place b." The output boundary of ch_ab is {b}, and the input boundary of ch_bc is {b} — gluing them identifies Bob's balance as the shared wire. The cycle closes when ch_ca's output {a} feeds back to ch_ab's input {a}.
This is sequential composition in a symmetric monoidal category. Each channel is a morphism. Composition is wiring outputs to inputs. The monoidal product ⊗ would give us parallel, independent channels — two settlement cycles running side by side with no shared accounts.
The core of Settle is a timed event graph: every place has exactly one producer and one consumer. This gives us a precise definition of an event. A token passing through a place isn't "something happened" — it's a specific morphism in the category: one transition fired, one token moved, one marking transformed to another. The place is the channel. The token is the evidence.
An event is a morphism in Settle, witnessed by a token traversal, provable in zero knowledge.
The incidence matrix records the effect. The tropical eigenvalue gives the throughput. The ZK proof certifies the event was valid — in 128 bytes. What the proof hides depends on the application: in a game, which move was played; in a settlement network, the amounts and balances.
The string diagram isn't a visualization of the incidence matrix. It is the incidence matrix, rendered as topology. Every wire is a token type (account balance or pending amount). Every box is a transition. Reading the diagram left to right gives the sequential composition; reading it top to bottom gives the parallel structure. The incidence matrix C is what you get when you compile the diagram down to a table.
This means the diagram is simultaneously:
a + b + c + p_ab + p_bc + p_ca = const follows from the conservation law visible in the wiring: every wire consumed on the left is produced on the rightThe observer sits outside the composed open net. Categorically, it's a sieve — a subfunctor of the representable presheaf that selects which morphisms are admitted.
A candidate payment is any morphism that the incidence matrix structurally permits. The observer reads the core's state via guard arcs (catalytic: they test a place's marking without consuming tokens) and decides: should this morphism exist at all?
If the overdraft guard passes (balance ≥ amount), the morphism is admitted to Settle. If not, the morphism is deleted — it never becomes a valid composition, never appears in the event log, never exists in the category. This isn't rollback. It's existential: the morphism was a candidate in the ambient category of structurally valid transfers, and the observer's sieve excluded it.
The categorical distinction from tic-tac-toe is precise:
| TTT Observer | Payment Observer | |
|---|---|---|
| Reads | cell history places | account balance places |
| Mechanism | consuming (game ends) | catalytic / guard (system continues) |
| Timing | post-hoc (after move) | pre-hoc (before commit) |
| On failure | game continues | morphism deleted |
The TTT observer is a terminal functor — it maps the reachability graph to a finite set {win_x, win_o, draw} by consuming state. The payment observer is an existence gate — it determines which morphisms populate the category in the first place.
Both are functors F : OPetri → Set. Both preserve the core's reachability. Both are passive — they cannot create new core-reachable markings. The difference is that TTT's observer fires once and terminates the game, while the payment observer fires repeatedly, admitting or deleting each transaction as it arrives.
The observer's guard arcs — read arcs that test a place's marking without consuming tokens — are the precise mechanism that breaks the monoidal structure.
Meseguer & Montanari (1990) proved that ordinary Petri nets form a free symmetric monoidal category. But Montanari & Rossi (1995) showed that contextual nets — nets with read arcs — break this structure. Read arcs are contextual: they couple a transition to a place without modifying it, which means the transition's behavior depends on global state that isn't captured in the incidence matrix C.
The standard workaround is to simulate a read arc as a self-loop: consume the token, then produce it back. But this simulation is not equivalent — it introduces new interleavings (another transition can fire in the gap between consume and produce) and can break confluence and liveness properties (Vogler, Semenov & Yakovlev, 1998).
This is why the core-observer boundary matters categorically:
The overdraft guard in the payment network is a read arc on the balance place — it checks bal >= amt without modifying the balance. This is exactly a contextual arc. It's what makes the observer a sieve rather than a morphism: it filters which compositions are admitted without participating in the composition itself.
Inhibitor arcs (fire only if a place is empty) are the dual — they test for absence rather than presence. Both are contextual. Both break compositionality. The core-observer boundary is, precisely, the boundary between ordinary and contextual arcs.
The core-observer decomposition answers a practical design question: what goes inside a zero-knowledge proof and what stays outside?
The core — ordinary arcs, columns of C — compiles directly to R1CS constraints. A Groth16 proof of a send or settle transition says "a valid state transition occurred and tokens were conserved" in 128 bytes, without revealing which channel moved or what amount. The P-invariant a + b + c + p_ab + p_bc + p_ca = const is enforced by the circuit structure itself. Double-entry bookkeeping isn't a policy you audit — it's a theorem the proof system guarantees.
The observer — contextual arcs, read/inhibitor — sits naturally outside the circuit. The overdraft guard is a policy decision: "should this morphism be admitted?" It reads balance state but doesn't mutate it. A smart contract or network validator can enforce it without the cost of proving it in ZK. You can change the guard threshold, add new compliance rules, or swap the observer entirely — without recompiling the circuit.
This is earned compression applied to system design: prove exactly what the incidence matrix requires, defer the rest.
But we're not limited to this split. If privacy demands it — if you don't want to reveal that a payment was attempted and rejected — you can pull the observer into the circuit. The overdraft check is a range proof (bal >= amt), which is straightforward in R1CS. The contextual arc becomes an auxiliary witness: the prover supplies the current balance, the circuit checks it against the state commitment and verifies the range.
The core-observer boundary tells you the minimum that must be proved. Everything below the boundary is algebraically clean — it lives in C and compiles to uniform constraints. Everything above is policy, and you choose how much policy to prove based on your privacy requirements.
The key property of the OPetri framework: adding a fourth party is composing another open subnet along new boundary places. Splitting a channel into two hops is refining one morphism into a composite of two. The tropical eigenvalue is an invariant of the composed net computable from its components — if we know each channel's circuit weight, we know the composed system's throughput without re-analyzing from scratch.
This compositionality holds for the core — the part expressible with ordinary arcs. The observer sits outside the composed structure, reading it contextually. This is why the categorical framing matters practically: a payment network doesn't get designed all at once. Channels are added, modified, split, merged. Each modification is a compositional operation in Settle, and the structural invariants (conservation, throughput, ZK circuit) update compositionally. We don't re-prove properties from scratch after each change — the monoidal structure guarantees they compose.
The three-party cycle and the five-party mesh live in the same category, analyzed by the same tools, because they're built from the same generators. The observer — the contextual layer that decides which morphisms are admitted — is the part that requires discrete reasoning, case by case.
For the core-observer decomposition and the three-formalism convergence that motivates this: Earned Compression
For the categorical structure underneath: Symmetric Monoidal Categories
For the tropical algebra that gives us throughput from topology: Tropical Petri Nets