Skip to content
Gestalt

Concept: Advisor lenses

Status: staging-durable (fixture). The lens, advisor, and intervention surface is on the membrane today as staging-durable fixture operations: lens.scope, lens.disclose, advisor.openMatter, advisor.issueOpinion, advisor.requestEvidence, intervention.request, and intervention.issue. Production-grade professional-trust cryptography (real reviewer signing keys, real reliance contracts, real liability-bound opinions) remains closed; the fixture surface preserves the discipline without binding real advisor acts. See reference/capability-state.md.

Why lenses, not generic access

Section titled “Why lenses, not generic access”

External professionals — Steuerberater, lawyers, auditors, banks, insurers, regulators — are central to running a real company. The common approach is generic access: “give the Steuerberater a login to the system.” This fails Gestalt’s discipline in three ways:

  1. Scope. A Steuerberater needs to see specific facts to do their job, not all facts.
  2. Speech act. What a professional does matters. A click is not an opinion. An export is not an attestation. The professional’s contribution must enter Gestalt as a structured speech act, not as email sediment.
  3. Liability. A professional carries professional liability for what they sign. The system must record what they signed, under which scope, and during which validity window.

Gestalt models this with lenses and interventions.

What a lens is

Section titled “What a lens is”

A lens is a scoped view onto a company Geist for an external professional. It declares:

visible_facts            which atoms, surfaces, tensions, and projections are visible
permissible_operations   what the professional may propose or commit
issueable_opinions       which kinds of opinion atoms they may issue
reliance_terms           what relying parties may depend on
confidentiality_terms    what they may disclose, retain, forward
validity_windows         from when, until when
revocation_path          how either party may revoke
proof_export_rights      what proofs they may pull out

A Steuerberater lens onto company A is a different object from a Steuerberater lens onto company B. A Kanzlei lens for matter X is a different object from the same Kanzlei’s lens for matter Y. Lenses are scoped, bilateral edges.

What a Steuerberater can do through a lens

Section titled “What a Steuerberater can do through a lens”

The fixture surface implements the discipline today. Production-grade professional trust remains closed.

- inspect the lens-visible projections of the company Geist
    -> lens.scope, lens.disclose, read.* models within scope
- request additional evidence
    -> advisor.requestEvidence
- open a matter
    -> advisor.openMatter
- issue an opinion (posting, VAT, filing, correction, year-end)
    -> advisor.issueOpinion
- request or issue an intervention (escalation, attestation)
    -> intervention.request, intervention.issue
- mark a position as under review or close a matter
    -> recorded as scoped advisor evidence on the matter

Each of these is an intervention atom — a signed speech act with the Steuerberater’s identity, scope, reviewed facts, conclusion, conditions, validity window, reliance terms, and liability reference.

The Koerper presents these as buttons. The Geist records them as atoms.

What a Kanzlei can do through a lens

Section titled “What a Kanzlei can do through a lens”
- open a matter
- review cited facts
- request evidence
- approve
- approve with conditions
- reject
- issue formal opinion
- issue risk note
- propose an alternative act
- close the matter

A Lawfare-like lawyer app sits on top as a Koerper. The lawyer’s work flows through their lens into the company Geist.

What an auditor can do through a lens

Section titled “What an auditor can do through a lens”
- request a scoped proof bundle
- inspect cited atoms within scope
- attest a finding
- request remediation evidence
- close an audit period

Auditor lenses are typically tightly time-bounded.

What a bank or insurer can do through a lens

Section titled “What a bank or insurer can do through a lens”

Commercial Pendulums use lenses differently:

- publish a payment condition change
- publish a coverage condition change
- attach an attestation to a relevant atom
- inspect lens-scoped facts (e.g. settlement evidence)

A bank’s primary contribution is evidence (settlement, account status), not opinion. But a bank may also issue conditional reliance that affects future admissibility (e.g. account status changes).

The intervention as a speech act

Section titled “The intervention as a speech act”

The phrase “intervention is a speech act” is constitutional. It means:

  • A lawyer does not click a vague “approve” button. A lawyer issues a risk note, legal opinion, approval with conditions, rejection, formal attestation, representation act, or request for evidence. Each is a distinct atom kind under a distinct capability.
  • A Steuerberater does not merely receive exports. They issue posting proposals, VAT treatment opinions, filing approvals, correction requests, year-end closing attestations. Each is an atom.
  • A bank does not merely sync data. It issues settlement evidence, account status events. Each is admitted as evidence or as a Pendulum emission.

Each intervention has:

signer              the professional's identity
scope               what is being addressed
reviewed_facts      atoms cited as the basis
conclusion          the professional's finding
conditions          if applicable, what must remain true
validity_window     when this intervention is operative
reliance_terms      who can lean on this conclusion
liability_reference where the professional's responsibility lives

These fields are not narrative metadata. They are the structural shape of the atom.

Lens scoping in practice

Section titled “Lens scoping in practice”

A Steuerberater lens for company A might be scoped to:

visible_facts:
  - all atoms in capability families: invoice.*, payment.*, bookkeeping.*, period.*
  - all closure surfaces and tensions in those families
  - all projections forked for tax purposes
  - all relevant authority package versions
  - the company's effective context atoms
issueable_opinions:
  - bookkeeping.posting_proposal
  - bookkeeping.advisor_evidence
  - vat.treatment_opinion
  - period.close_attestation
  - period.correction_request
permissible_operations:
  - tension.query
  - reality.fork (for tax what-ifs)
  - reality.diff
  - proof.request (advisor_review scope)
reliance_terms:
  - the Steuerberater's opinions are relied on by the company within
    the engagement
  - reliance window: 12 months from issuance, unless revoked
confidentiality_terms:
  - the Steuerberater may not disclose company atoms outside the lens
    scope without explicit entitled disclosure
validity_window:
  - 2026-01-01 to 2026-12-31, renewable
revocation_path:
  - either party may revoke with 30 days notice
  - immediate revocation on professional standing change

The Koerper that the Steuerberater uses (“a Steuerberater console”) sees only what the lens allows.

Lenses vs proofs

Section titled “Lenses vs proofs”

A lens is a sustained, bilateral engagement. The professional keeps coming back. They issue interventions over time.

A proof bundle is a one-shot disclosure. A specific bundle is exported under a specific entitlement, for a specific purpose, with a specific validity window.

A lens can produce many proof bundles. A proof bundle can be delivered without a lens (e.g. to a regulator for a one-time filing). They are not the same object.

Lenses vs roles

Section titled “Lenses vs roles”

A “role” in conventional software is a permission grouping. A lens in Gestalt is a scoped engagement object with bilateral terms, liability, and reliance. Roles do not carry liability. Lenses do.

A user with a “Steuerberater” role in a SaaS app is the same kind of thing as a user with an “Admin” role: a permission set. A lens creates a structurally different object: an external accountable party with their own standing, their own opinions, their own revocation, and their own audit trail.

Mesh implications

Section titled “Mesh implications”

Lenses are bilateral edges. They are local to the relationship between the company Geist and the professional Geist (or the professional’s vessel). Lens activity is not visible to other counterparties of the company. There is no “all my advisors” view that an external party sees.

This is part of the anti-Palantir discipline: no totalizing surveillance ontology, no global view, only bilateral edges.

What this looks like today

Section titled “What this looks like today”

Today an integrator can model the lens shape client-side:

  • store the lens definition in the Koerper,
  • present the Steuerberater console accordingly,
  • record what the Steuerberater clicked.

What an integrator cannot do:

  • Have the Steuerberater’s click be admitted as a signed atom on the company Geist.
  • Have the lens scope enforced at the membrane.
  • Issue interventions that bind future atom admissibility.
  • Verify the Steuerberater’s professional standing through a Pendulum.

For the gap, see 022 gap report item 10.

What lenses are not

Section titled “What lenses are not”
  • Not roles. See above.
  • Not API tokens. A lens is an engagement object; the token attached to it authorizes API calls but is not itself the lens.
  • Not folders. Lenses don’t organize data; they scope visibility.
  • Not export pipelines. Lenses are sustained; exports are one-shot.
  • Not ACLs. ACLs are flat permissions. Lenses carry liability, reliance terms, scope, validity, and revocation as first-class fields.
Section titled “Where to read next”