SubFlow

SaaS seat lifecycle and reclaim workflow

← All tokenization ideas
Usage stateP0

SubFlow

SaaS seat lifecycle and reclaim workflow. Enterprises waste budget because SaaS seats are assigned, forgotten, underused, and manually reclaimed late.

SubFlow is strongest when treated as a governed state machine, not a static token. The object must carry enough identity to be trusted at mint, enough mutable state to reflect the real workflow, and enough audit history for a third party to decide whether the current state is reliable.

Strategic thesis

Why this wedge exists

A seat entitlement becomes a shared object across HRIS, identity, finance, procurement, and vendor systems.

The first buyer is IT, procurement, finance, and RevOps teams. They don't need a generic blockchain story; they need a way to reduce disputes, speed approval, and make the current status of a workflow independently checkable.

State Dual manages

Seat purchase, assignment, activity, inactivity threshold, reclaim approval, reassignment, and savings.

PurchasedAssignedActiveInactiveReclaim PendingReassignedTerminated

The important point is not the number of states. It's that each transition has an actor, an allowed action, evidence, and a durable audit record. That turns operational workflow into an inspectable object.

Token architecture

Immutable identityentitlement_id, source_system, subject_id, metering_method, created_at
Mutable stateassigned_to, activity_status, usage_count, fraud_status, settlement_eligibility
Compliance rulesUsage events must be attributed to an approved source. Fraud, inactivity, or overage changes the token state before settlement. Reassignment and expiry are recorded as governed state transitions.
Event sourcesapplication telemetry, identity provider activity, usage meter, fraud or anomaly detector

Example object schema

{
  "template": "subflow",
  "category": "Usage state",
  "immutable": {
    "entitlement_id": "set_at_mint",
    "source_system": "set_at_mint",
    "subject_id": "set_at_mint",
    "metering_method": "set_at_mint",
    "created_at": "set_at_mint"
  },
  "mutable": {
    "assigned_to": "updated_by_event",
    "activity_status": "updated_by_event",
    "usage_count": "updated_by_event",
    "fraud_status": "updated_by_event",
    "settlement_eligibility": "updated_by_event"
  },
  "rules": {
    "allowed_states": ["Purchased","Assigned","Active","Inactive","Reclaim Pending","Reassigned","Terminated"],
    "first_buyer": "IT, procurement, finance, and RevOps teams",
    "audit_required": true
  }
}

This schema is intentionally scoped. A credible first product should prove one object type, one core state machine, and a small number of high-value integrations before expanding into a platform.

User journey

  1. 1

    Issuer: Purchased

    The SubFlow object is created with immutable identity, owner, and rule metadata.

  2. 2

    Operator: Assigned

    An event moves the object into "Assigned", preserving the previous state and the actor that triggered the change.

  3. 3

    Verifier: Active

    An event moves the object into "Active", preserving the previous state and the actor that triggered the change.

  4. 4

    Counterparty: Inactive

    An event moves the object into "Inactive", preserving the previous state and the actor that triggered the change.

  5. 5

    Auditor: Reclaim Pending

    An event moves the object into "Reclaim Pending", preserving the previous state and the actor that triggered the change.

  6. 6

    Automation: Reassigned

    An event moves the object into "Reassigned", preserving the previous state and the actor that triggered the change.

  7. 7

    Administrator: Terminated

    An event moves the object into "Terminated", preserving the previous state and the actor that triggered the change.

Event model

Dual becomes useful when outside systems stop being passive records and start becoming evidence sources for state transitions.

  • application telemetry
  • identity provider activity
  • usage meter
  • fraud or anomaly detector

Each event should answer four questions: who produced it, which object it affects, which transition it requests, and which proof should be retained for audit.

Why not just a database?

Traditional system

A procurement tool can track spend, but it does not enforce current seat state across HR, identity, and vendor usage signals.

That's acceptable when one organization owns the full workflow. It breaks down when multiple parties need to trust the same current state without relying on a single application owner.

Dual stateful object

Dual separates immutable identity, mutable lifecycle state, compliance checks, and event history. Participants can inspect the current object state, verify the transition path, and use the same state as input to payment, access, reporting, or downstream automation.

90-day MVP

One company, three vendors, HRIS departure events, IdP activity events, and approved seat reclaim.

  • Define the template and allowed state transitions.
  • Mint test objects with realistic identity and ownership data.
  • Wire one external event source into the Event Bus.
  • Trigger one successful transition and one rejected transition.
  • Expose a query view that proves current state and transition history.

Proof assets required

  • HRIS event
  • IdP activity signal
  • Reclaim approval
  • Savings report

These assets are the difference between a concept note and a buildable wedge. Without them, the page is only a narrative; with them, it becomes a product specification.

Operating metrics

  • active utilization
  • waste recovered
  • verified events
  • reassignment cycle time

These are the metrics that should be visible in the pilot dashboard. They also give sales, implementation, and investor conversations a concrete way to judge whether Dual is improving the workflow.

Commercial wedge

The first commercial motion should sell a narrow operational outcome, not broad tokenization. For SubFlow, the wedge is: reclaim a seat. Price around the workflow value: fewer disputes, faster settlement, cleaner audit, lower fraud, or lower manual reconciliation.

Expansion should follow the state graph. Once the first transition is trusted, add the next actor, then the next integration, then the next reporting surface. That keeps the product grounded in workflow proof rather than speculative asset creation.

Risks and controls

  • telemetry quality. Control: define the trusted source, log every mutation, and keep manual override paths explicit.
  • vendor API coverage. Control: define the trusted source, log every mutation, and keep manual override paths explicit.
  • false positives in activity or fraud models. Control: define the trusted source, log every mutation, and keep manual override paths explicit.

Implementation playbook

  1. Map the workflow: identify the actor responsible for each state and the evidence required for each transition.
  2. Create the template: split data into immutable identity, mutable state, and compliance rule fields.
  3. Mint sample objects: use realistic IDs, timestamps, owners, and source-system references.
  4. Connect one event: choose the event that makes the state change economically valuable.
  5. Reject one bad action: demonstrate that Dual blocks invalid transitions before downstream settlement.
  6. Expose audit: show current state, previous state, actor, timestamp, evidence hash, and rule result.

Build prompt

Create a Dual template for SubFlow. Model immutable identity fields, mutable lifecycle state, compliance checks, and event inputs. Then emit one test object and move it through: Purchased → Assigned → Active → Inactive → Reclaim Pending.

Include:
- object schema
- transition rules
- event payload examples
- one rejected transition
- audit query output
- MVP dashboard fields

Use this as a scoped wedge: prove one governed state transition, one external event, and one audit query before expanding the workflow.

Start with the Dual quickstart →