15
How to Build an SSOT Nine-Layer Pyramid Model
A reusable method for constructing a team SSOT that aligns AI agents, product, operations, sales, support, and engineering across mission, strategy, promise, Flow, contract, implementation, and evidence.

Do not start by asking, "How many folders should our documentation have?"
Start with the sharper question:
When strategy, product, code, tests, logs, and release evidence disagree, what rule tells the team which statement is current truth?
If that rule is unclear, more folders only create more places for facts to split. More documentation can make humans and AI more confused, not less.
This article describes the reusable principles behind the SSOT Nine-Layer Pyramid. It does not depend on PostPlus.io or any specific product. It answers a general question:
How can a complex software team build its own SSOT Nine-Layer Pyramid?
If you want the motivation first, read the companion essay:
SSOT: Why Every Software Engineering Principle Is Really About One Thing
This article is about the method: root objective, layer definitions, top-down reading, bottom-up updating, document governance, evidence rules, and the adoption checklist.
Root Objective
The SSOT Nine-Layer Pyramid is not a new component diagram. It is a unified model for product purpose, current strategy, external promise, experience flow, domain model, system boundary, executable contract, implementation, and evidence.
It does not merely answer "what modules exist?"
It answers:
- Why does the product exist?
- What must the team win in the current stage?
- What is promised to users and to the team?
- How do real tasks get completed?
- What are the stable concepts and invariants?
- Where are the system boundaries?
- What executable contracts exist?
- How is the system implemented?
- What evidence proves these facts are still true?
In one sentence:
The SSOT Nine-Layer Pyramid is an up-to-date snapshot of the team's business, product, and engineering decisions.
Its job is to force humans and AI to rank the priority of every concept that enters the system.
It also gives non-engineering teammates one shared map for current strategy, dependable promise, real workflow, and evidence, instead of forcing them to reconstruct truth from meetings, old plans, and engineer-by-engineer answers.
The Nine Layers
| Layer | Core Question | Typical SSOT |
|---|---|---|
| L1 Mission | Why does the product exist? What should it become long term? | Mission document, company-level product narrative |
| L2 Strategy | What must the team win now? How are resources allocated? | Current priorities, resource contention, roadmap |
| L3 Promise | What is supported and dependable? | Public messaging, support boundary, release statement |
| L4 Flow | How do all stakeholders complete real tasks? | User flows, AI agent flows, product-operations-engineering flows, release flows, support flows |
| L5 Domain Model | What are the stable concepts, states, permissions, billing rules, and invariants? | Domain objects, state ownership, permission rules, billing rules |
| L6 System Boundary | How do entry points, capabilities, runtime, cloud product surface, and providers divide responsibility? | Boundary map, call direction, responsibility constraints |
| L7 Contract | What are the executable contracts? | API, database, environment variables, permissions, release contracts |
| L8 Implementation | How do code, scripts, migrations, components, automation, and config realize the system? | Code, scripts, migrations, automation, config |
| L9 Evidence | What proves the first eight layers? | Tests, logs, status checks, release evidence, production facts |
The upper layers are closer to why the product exists and what the team promises. They change less often, and changes there require more care.
The lower layers are closer to how the system works and how it is proven. They change more often, and depend more heavily on automation and evidence.
One Top-Level Model
The SSOT Nine-Layer Pyramid must be the team's single top-level model for understanding and discussing any long-lived system fact.
Specialized document families can still exist: architecture, working plans, operations, UI, testing, security, support, and release. But they cannot become parallel top-level truth systems.
Every specialized document must state:
Layer owner: which pyramid layer primarily owns it.Feeds / Affects: which layers it informs or changes.Stability: whether it is stable fact, current work, evidence, or design reference.Exit / Promotion: if temporary, where its stable conclusion moves when it is done.
Without this, a team quickly accumulates competing frameworks:
- The architecture docs say one thing.
- The product roadmap says another.
- The testing docs say another.
- Release notes say another.
- Meeting notes add another.
Humans read these inconsistently. AI synthesizes the wrong answer.
Reading Must Be Top-Down
Anyone, human or AI, must understand a problem top-down:
- Confirm the mission.
- Confirm the current strategy.
- Confirm the promise.
- Confirm the real Flow.
- Confirm the domain model.
- Confirm the system boundary.
- Confirm the contract.
- Only then inspect implementation and evidence.
This prevents the team from using local code details to redefine the product. It also prevents AI from reading one nearby file and assuming it represents the global system.
For product, operations, sales, and customer support, the same rule prevents old proposals, stale release notes, or legacy troubleshooting paths from being mistaken for current strategy or current promise.
Useful rules of thumb:
- If a page still exists, that does not mean it is still strategic.
- If an API still exists, that does not mean it is still a user promise.
- If a test still runs, that does not mean it protects the current mainline.
- If a POC works, that does not mean it is a product capability.
Every local fact must first be positioned inside the pyramid.
Updating Must Be Bottom-Up
Every change must land bottom-up:
- Update code, scripts, database, config, and automation.
- Update tests, logs, status checks, and release evidence.
- If implementation changes an executable contract, update the contract layer.
- If a contract changes component ownership, state ownership, or cross-boundary calls, update boundary and domain model.
- If domain or boundary changes affect what users, AI agents, operators, customer support, sales, or developers can rely on, update Flow and promise.
- If promise changes affect resource allocation or long-term product identity, update strategy and mission.
Only update upper layers when lower-layer change truly changes upper-layer meaning.
This rule prevents a small script, one demo, or a temporary customer request from being prematurely promoted into strategy.

Anti-Patterns and Correct Moves
These are not rare accidents. They are the everyday ways complex teams split truth.
| Scenario | Anti-Pattern | Pyramid Touchpoints | Correct Move |
|---|---|---|---|
| An AI agent reads an old README | Let the agent start from a nearby file and synthesize old strategy, new code, and old tests | L2 Strategy: current core capability; L4 Flow: agent reading order; L8/L9: whether the old README and tests still belong to current implementation/evidence | Update L2 and L4 first so the agent starts from the nine-layer entry; then mark old README files and tests in L8/L9 as legacy, turn them into links, or delete them |
| A POC appears in a pitch deck or website | If the demo runs once, describe the capability as "supported" | L3 Promise: support boundary; L7 Contract: input, state, failure semantics; L9 Evidence: release proof; optionally L2 Strategy: resource priority | Only after L3 defines the support boundary, L7 has executable contract, and L9 has release evidence can the capability enter pitch decks, website copy, demos, or sales narrative |
skill has become workflow, but names did not move | Keep old fields, logs, and test names, then explain the new meaning verbally | L5 Domain Model: whether workflow is first-class; L7 Contract: field/API semantics; L8 Implementation: symbols, schema, log names; L9 Evidence: test assertions | Move the domain center in L5 first, then synchronize names, contracts, logs, and tests across L7-L9; do not rely on verbal explanation for changed semantics |
| An internal API gains many callers | Keep changing fields as if it were still internal implementation | L6 System Boundary: owner and callers; L7 Contract: schema, caller inventory, change rule; L9 Evidence: contract tests or call evidence; optionally L4 Flow: agent/operator dependency | Promote the API from L8 implementation to L7 contract, add L6 boundary ownership and L9 evidence, and treat field changes as contract changes |
| Test entry points multiply | test, check, verify, and ci all exist, but nobody knows which one proves release readiness | L9 Evidence: what each entry proves; L8 Implementation: root commands and CICD config; L4 Flow: who runs what before release; L3 Promise: which checks support public promise | Converge test entry points, document evidence type in L9, keep only a small command set in L8, and put release-gate checks in L4/L3 only when they support promises |
| Logs and error copy preserve the old concept | The new mainline is workflow, but logs still say skill failed | L5 Domain Model: whether the failure belongs to workflow or skill; L8 Implementation: logs, error copy, event names; L9 Evidence: observability proof; L4 Flow: support and agent troubleshooting path | Define current failure semantics in L5, then update L8 logs/error copy, L9 query evidence, and L4 troubleshooting flows so every role inspects the same fact |
| A migration plan remains in current work after completion | Three months later, readers think the migration is still open | Current work: delete or compress the plan; L5/L7: stable domain and contract conclusion; L8: final implementation location; L9: closure evidence | Promote stable conclusions into L5/L7/L8/L9, then delete or compress current work so the plan stops acting as a truth entry |
| A temporary adapter or fallback becomes a truth source | Keep compatibility for speed, then let new features depend on it | L6 System Boundary: whether the adapter is a real boundary; L7 Contract: whether a compatibility contract exists; L8 Implementation: owner and exit condition; L9 Evidence: deletion or failure proof; optionally L3 Promise: promise impact | If a temporary layer is needed, write its owner, exit condition, deletion date, and verification path into L6-L9; when compatibility is not needed, fast fail so fallback cannot become the new truth source |
The shared failure is that local facts were never positioned inside the pyramid. The solution is not simply "communicate more." Each change must answer three questions: which layer changes, what kind of fact changes in that layer, and what evidence proves the change is complete.

Figure: not every bottom-layer fact should be promoted. Only facts that change evidence, contract, boundary, domain, Flow, promise, strategy, or mission move upward.

Upper Layers Constrain Lower Layers; Lower Layers Prove Upper Layers
Upper layers are not wish lists. Lower layers are not free-form implementation.
Mission constrains strategy. Strategy constrains promise. Promise constrains Flow. Flow constrains domain model. Domain model constrains system boundary. System boundary constrains contract. Contract constrains implementation. Implementation must be proven by evidence.
In the other direction, lower layers must not merely exist. They must prove the upper layers. Implementation details support contracts through tests, logs, status checks, and release evidence. Contracts and evidence support boundary, domain model, Flow, promise, and strategy.
If a public promise has no evidence, it is not a promise. It is a wish.
Every Layer Needs Its Own Entry
Each layer should have its own document or directory entry. Do not put all long-form content into one giant overview.
The overview explains the model and the reading path. It should not become a second source of truth for every layer.
A minimal structure can look like this:
docs/ README.md L1-mission/ L2-strategy/ L3-promise/ L4-flow/ L5-domain-model/ L6-system-boundary/ L7-contract/ L8-implementation/ L9-evidence/ working-plan/ architecture/ operations/ testing/
The exact folder names do not matter. The ownership structure does.
Current Work and Stable Fact Must Be Separate
Stable facts belong in their layer, or in a specialized document owned by that layer.
Temporary plans, investigations, and unresolved tasks belong in a current-work area. They must state the current problem, owner, next closing action, and deletion condition.
When the plan is complete and evidence closes the loop, promote only the stable conclusion to the correct layer. Then delete or compress the plan.
Do not let completed plans, historical logs, and stale checklists remain in the main reading path.
If Documents Conflict, Find the SSOT First
If two documents conflict, first find the explicit SSOT.
If no explicit SSOT exists, a practical temporary rule is to prefer the newer document that sits closer to the fact source. But that is only a triage rule, not a governance model. The durable fix is to create the SSOT and turn conflicting documents into links, references, or deletions.
Be especially strict with words like:
- current focus
- current priority
- core capability
- supported
- released
- mainline
- paused
- candidate
- legacy
If these words are copied across multiple documents, they naturally create split-brain for humans and AI.
Entries, Paths, and Concepts Should Converge
Modules, workflows, commands, documents, and governance entry points should converge by default. They should not naturally grow into many parallel paths.
Any new entry, path, or concept must answer:
- Why can the existing SSOT not carry this?
- Who triggers it?
- What evidence proves it?
- Can CICD or AI execute or verify it?
The same type of work should have only a small number of accurately named entry points. Old aliases, temporary paths, and stale concepts should be deleted or renamed instead of preserved "just in case."

Humans Should Handle Human Work
Humans should focus on goals, scope, business approval, permission authorization, real cost decisions, and final judgment.
Routine execution, verification selection, evidence collection, release progression, and governance checks should default to CICD or AI.
AI agents are not only executors. They should actively detect cognitive load, duplicate entry points, manual steps, and automation gaps, then propose how the system can require less explicit human instruction.
But workflow optimization changes default team behavior. It needs explicit approval first. After approval, contract, implementation, documentation, and evidence must be synchronized.
Every Fact Should Reduce Cognitive Load
A fact deserves long-term documentation only if it reduces future cognitive load for humans and AI.
Long-lived documents should describe current truth. They should not replay useless history. History belongs in explicit logs, release evidence, audit records, or current-work plans.
Good documentation lets a first-time reader understand the latest state quickly. It should not force the reader to reconstruct the entire evolution of the system.
Evidence Is Not Documentation
Documentation can describe a fact. Documentation is not evidence.
Evidence includes:
- tests
- logs
- status commands
- read-only production checks
- release checklists
- approvals
- release evidence
- real provider or real user-path acceptance
If a public promise has no evidence, it is not a promise. It is a wish.
Repository Coverage Starts From Bottom-Layer Facts
Building an SSOT Nine-Layer Pyramid does not mean copying every file into the nine-layer docs.
Start by inventorying bottom-layer facts:
- What code, scripts, workflows, schemas, submodules, local config, vendor references, and temporary assets exist?
- What evidence supports them: tests, smoke checks, release evidence, status commands, provider health, or only inventory?
- Which facts change contracts?
- Which contracts change boundaries or domain model?
- Which domain or boundary changes affect Flow or promise?
- Which promises change strategy or mission?
The pyramid does not seek "documentation coverage for every detail." It seeks ownership and promotion paths for every important surface.
Check Documentation at the End of Every Task
After every development, release, investigation, or documentation task, check:
- Did any stable fact change?
- Did any current plan close?
- Did any promise expand or shrink?
- Did Flow, domain, boundary, contract, implementation, or evidence change?
- Should any old document be deleted, compressed, linked, or renamed?
Documentation must continuously reflect current truth. Otherwise it quickly stops being SSOT and becomes noise.
Minimal Adoption Checklist
If your team wants to adopt the SSOT Nine-Layer Pyramid, start here:
- Create nine layer entries. They can be short at first, but every layer needs ownership.
- Create one current-work SSOT for open work only.
- Remove or link copied statements like "current priority," "current focus," and "core capability."
- Add
Layer owner,Feeds / Affects,Stability, andExit / Promotionto specialized documents. - Define evidence levels: inventory, contract read, static evidence, runtime evidence, release evidence.
- Converge test, release, and operations entry points into a small number of commands.
- Give product, operations, sales, and support one path to current promise, Flow, and evidence.
- Give AI agents a reading order: nine-layer model first, specialized documents second, code third.
- Give AI agents an updating order: implementation and evidence first, then promote only when meaning changes.
- At the end of every task, check whether documents need deletion, compression, promotion, or renaming.
- Clean completed plans regularly so the current-work area does not become a historical archive.
Relationship to the SSOT Essay
The companion essay explains why software engineering principles collapse into SSOT, and why complex teams fail when truth splits:
SSOT: Why Every Software Engineering Principle Is Really About One Thing
This article gives the reusable construction method for the pyramid itself.
The exact directory names are not the point. The point is that the team continuously maintains one current, unique, evidence-backed model of business, product, and engineering truth.