A reusable method for constructing a team SSOT that aligns AI agents, product, operations, sales, support, and engineering across mission, strategy, promise, Flow, contract, implementation, and evidence.
How to Build an SSOT Nine-Layer Pyramid Model
Do not start by asking, "How many folders should our documentation have?"
Start with the sharper question:
When strategy, product, code, tests, logs, and release evidence disagree, what rule tells the team which statement is current truth?
If that rule is unclear, more folders only create more places for facts to split. More documentation can make humans and AI more confused, not less.
This article describes the reusable principles behind the SSOT Nine-Layer Pyramid. It does not depend on PostPlus.io or any specific product. It answers a general question:
How can a complex software team build its own SSOT Nine-Layer Pyramid?
If you want the motivation first, read the companion essay:
This article is about the method: root objective, layer definitions, top-down reading, bottom-up updating, document governance, evidence rules, and the adoption checklist.
Root Objective
The SSOT Nine-Layer Pyramid is not a new component diagram. It is a unified model for product purpose, current strategy, external promise, experience flow, domain model, system boundary, executable contract, implementation, and evidence.
It does not merely answer "what modules exist?"
It answers:
Why does the product exist?
What must the team win in the current stage?
What is promised to users and to the team?
How do real tasks get completed?
What are the stable concepts and invariants?
Where are the system boundaries?
What executable contracts exist?
How is the system implemented?
What evidence proves these facts are still true?
In one sentence:
The SSOT Nine-Layer Pyramid is an up-to-date snapshot of the team's business, product, and engineering decisions.
Its job is to force humans and AI to rank the priority of every concept that enters the system.
It also gives non-engineering teammates one shared map for current strategy, dependable promise, real workflow, and evidence, instead of forcing them to reconstruct truth from meetings, old plans, and engineer-by-engineer answers.
The Nine Layers
Layer
Core Question
Typical SSOT
L1 Mission
Why does the product exist? What should it become long term?
Mission document, company-level product narrative
L2 Strategy
What must the team win now? How are resources allocated?
How do code, scripts, migrations, components, automation, and config realize the system?
Code, scripts, migrations, automation, config
L9 Evidence
What proves the first eight layers?
Tests, logs, status checks, release evidence, production facts
The upper layers are closer to why the product exists and what the team promises. They change less often, and changes there require more care.
The lower layers are closer to how the system works and how it is proven. They change more often, and depend more heavily on automation and evidence.
One Top-Level Model
The SSOT Nine-Layer Pyramid must be the team's single top-level model for understanding and discussing any long-lived system fact.
Specialized document families can still exist: architecture, working plans, operations, UI, testing, security, support, and release. But they cannot become parallel top-level truth systems.
Every specialized document must state:
Layer owner: which pyramid layer primarily owns it.
Feeds / Affects: which layers it informs or changes.
Stability: whether it is stable fact, current work, evidence, or design reference.
Exit / Promotion: if temporary, where its stable conclusion moves when it is done.
Without this, a team quickly accumulates competing frameworks:
The architecture docs say one thing.
The product roadmap says another.
The testing docs say another.
Release notes say another.
Meeting notes add another.
Humans read these inconsistently. AI synthesizes the wrong answer.
Reading Must Be Top-Down
Anyone, human or AI, must understand a problem top-down:
Confirm the mission.
Confirm the current strategy.
Confirm the promise.
Confirm the real Flow.
Confirm the domain model.
Confirm the system boundary.
Confirm the contract.
Only then inspect implementation and evidence.
This prevents the team from using local code details to redefine the product. It also prevents AI from reading one nearby file and assuming it represents the global system.
For product, operations, sales, and customer support, the same rule prevents old proposals, stale release notes, or legacy troubleshooting paths from being mistaken for current strategy or current promise.
Useful rules of thumb:
If a page still exists, that does not mean it is still strategic.
If an API still exists, that does not mean it is still a user promise.
If a test still runs, that does not mean it protects the current mainline.
If a POC works, that does not mean it is a product capability.
Every local fact must first be positioned inside the pyramid.
Updating Must Be Bottom-Up
Every change must land bottom-up:
Update code, scripts, database, config, and automation.
Update tests, logs, status checks, and release evidence.
If implementation changes an executable contract, update the contract layer.
If a contract changes component ownership, state ownership, or cross-boundary calls, update boundary and domain model.
If domain or boundary changes affect what users, AI agents, operators, customer support, sales, or developers can rely on, update Flow and promise.
If promise changes affect resource allocation or long-term product identity, update strategy and mission.
Only update upper layers when lower-layer change truly changes upper-layer meaning.
This rule prevents a small script, one demo, or a temporary customer request from being prematurely promoted into strategy.
Anti-Patterns and Correct Moves
These are not rare accidents. They are the everyday ways complex teams split truth.
Scenario
Anti-Pattern
Pyramid Touchpoints
Correct Move
An AI agent reads an old README
Let the agent start from a nearby file and synthesize old strategy, new code, and old tests
L2 Strategy: current core capability; L4 Flow: agent reading order; L8/L9: whether the old README and tests still belong to current implementation/evidence
Update L2 and L4 first so the agent starts from the nine-layer entry; then mark old README files and tests in L8/L9 as legacy, turn them into links, or delete them
A POC appears in a pitch deck or website
If the demo runs once, describe the capability as "supported"
Only after L3 defines the support boundary, L7 has executable contract, and L9 has release evidence can the capability enter pitch decks, website copy, demos, or sales narrative
skill has become workflow, but names did not move
Keep old fields, logs, and test names, then explain the new meaning verbally
Move the domain center in L5 first, then synchronize names, contracts, logs, and tests across L7-L9; do not rely on verbal explanation for changed semantics
An internal API gains many callers
Keep changing fields as if it were still internal implementation
L6 System Boundary: owner and callers; L7 Contract: schema, caller inventory, change rule; L9 Evidence: contract tests or call evidence; optionally L4 Flow: agent/operator dependency
Promote the API from L8 implementation to L7 contract, add L6 boundary ownership and L9 evidence, and treat field changes as contract changes
Test entry points multiply
test, check, verify, and ci all exist, but nobody knows which one proves release readiness
L9 Evidence: what each entry proves; L8 Implementation: root commands and CICD config; L4 Flow: who runs what before release; L3 Promise: which checks support public promise
Converge test entry points, document evidence type in L9, keep only a small command set in L8, and put release-gate checks in L4/L3 only when they support promises
Logs and error copy preserve the old concept
The new mainline is workflow, but logs still say skill failed
L5 Domain Model: whether the failure belongs to workflow or skill; L8 Implementation: logs, error copy, event names; L9 Evidence: observability proof; L4 Flow: support and agent troubleshooting path
Define current failure semantics in L5, then update L8 logs/error copy, L9 query evidence, and L4 troubleshooting flows so every role inspects the same fact
A migration plan remains in current work after completion
Three months later, readers think the migration is still open
Current work: delete or compress the plan; L5/L7: stable domain and contract conclusion; L8: final implementation location; L9: closure evidence
Promote stable conclusions into L5/L7/L8/L9, then delete or compress current work so the plan stops acting as a truth entry
A temporary adapter or fallback becomes a truth source
Keep compatibility for speed, then let new features depend on it
L6 System Boundary: whether the adapter is a real boundary; L7 Contract: whether a compatibility contract exists; L8 Implementation: owner and exit condition; L9 Evidence: deletion or failure proof; optionally L3 Promise: promise impact
If a temporary layer is needed, write its owner, exit condition, deletion date, and verification path into L6-L9; when compatibility is not needed, fast fail so fallback cannot become the new truth source
The shared failure is that local facts were never positioned inside the pyramid. The solution is not simply "communicate more." Each change must answer three questions: which layer changes, what kind of fact changes in that layer, and what evidence proves the change is complete.
Figure: not every bottom-layer fact should be promoted. Only facts that change evidence, contract, boundary, domain, Flow, promise, strategy, or mission move upward.
Upper layers are not wish lists. Lower layers are not free-form implementation.
Mission constrains strategy. Strategy constrains promise. Promise constrains Flow. Flow constrains domain model. Domain model constrains system boundary. System boundary constrains contract. Contract constrains implementation. Implementation must be proven by evidence.
In the other direction, lower layers must not merely exist. They must prove the upper layers. Implementation details support contracts through tests, logs, status checks, and release evidence. Contracts and evidence support boundary, domain model, Flow, promise, and strategy.
If a public promise has no evidence, it is not a promise. It is a wish.
Every Layer Needs Its Own Entry
Each layer should have its own document or directory entry. Do not put all long-form content into one giant overview.
The overview explains the model and the reading path. It should not become a second source of truth for every layer.
The exact folder names do not matter. The ownership structure does.
Current Work and Stable Fact Must Be Separate
Stable facts belong in their layer, or in a specialized document owned by that layer.
Temporary plans, investigations, and unresolved tasks belong in a current-work area. They must state the current problem, owner, next closing action, and deletion condition.
When the plan is complete and evidence closes the loop, promote only the stable conclusion to the correct layer. Then delete or compress the plan.
Do not let completed plans, historical logs, and stale checklists remain in the main reading path.
If Documents Conflict, Find the SSOT First
If two documents conflict, first find the explicit SSOT.
If no explicit SSOT exists, a practical temporary rule is to prefer the newer document that sits closer to the fact source. But that is only a triage rule, not a governance model. The durable fix is to create the SSOT and turn conflicting documents into links, references, or deletions.
Be especially strict with words like:
current focus
current priority
core capability
supported
released
mainline
paused
candidate
legacy
If these words are copied across multiple documents, they naturally create split-brain for humans and AI.
Entries, Paths, and Concepts Should Converge
Modules, workflows, commands, documents, and governance entry points should converge by default. They should not naturally grow into many parallel paths.
Any new entry, path, or concept must answer:
Why can the existing SSOT not carry this?
Who triggers it?
What evidence proves it?
Can CICD or AI execute or verify it?
The same type of work should have only a small number of accurately named entry points. Old aliases, temporary paths, and stale concepts should be deleted or renamed instead of preserved "just in case."
Humans Should Handle Human Work
Humans should focus on goals, scope, business approval, permission authorization, real cost decisions, and final judgment.
Routine execution, verification selection, evidence collection, release progression, and governance checks should default to CICD or AI.
AI agents are not only executors. They should actively detect cognitive load, duplicate entry points, manual steps, and automation gaps, then propose how the system can require less explicit human instruction.
But workflow optimization changes default team behavior. It needs explicit approval first. After approval, contract, implementation, documentation, and evidence must be synchronized.
Every Fact Should Reduce Cognitive Load
A fact deserves long-term documentation only if it reduces future cognitive load for humans and AI.
Long-lived documents should describe current truth. They should not replay useless history. History belongs in explicit logs, release evidence, audit records, or current-work plans.
Good documentation lets a first-time reader understand the latest state quickly. It should not force the reader to reconstruct the entire evolution of the system.
Evidence Is Not Documentation
Documentation can describe a fact. Documentation is not evidence.
Evidence includes:
tests
logs
status commands
read-only production checks
release checklists
approvals
release evidence
real provider or real user-path acceptance
If a public promise has no evidence, it is not a promise. It is a wish.
Repository Coverage Starts From Bottom-Layer Facts
Building an SSOT Nine-Layer Pyramid does not mean copying every file into the nine-layer docs.
Start by inventorying bottom-layer facts:
What code, scripts, workflows, schemas, submodules, local config, vendor references, and temporary assets exist?
What evidence supports them: tests, smoke checks, release evidence, status commands, provider health, or only inventory?
Which facts change contracts?
Which contracts change boundaries or domain model?
Which domain or boundary changes affect Flow or promise?
Which promises change strategy or mission?
The pyramid does not seek "documentation coverage for every detail." It seeks ownership and promotion paths for every important surface.
Check Documentation at the End of Every Task
After every development, release, investigation, or documentation task, check:
Did any stable fact change?
Did any current plan close?
Did any promise expand or shrink?
Did Flow, domain, boundary, contract, implementation, or evidence change?
Should any old document be deleted, compressed, linked, or renamed?
Documentation must continuously reflect current truth. Otherwise it quickly stops being SSOT and becomes noise.
Minimal Adoption Checklist
If your team wants to adopt the SSOT Nine-Layer Pyramid, start here:
Create nine layer entries. They can be short at first, but every layer needs ownership.
Create one current-work SSOT for open work only.
Remove or link copied statements like "current priority," "current focus," and "core capability."
Add Layer owner, Feeds / Affects, Stability, and Exit / Promotion to specialized documents.
This article gives the reusable construction method for the pyramid itself.
The exact directory names are not the point. The point is that the team continuously maintains one current, unique, evidence-backed model of business, product, and engineering truth.
