Specification Architecture — TL Governance API

Constitutional

Section 1 — The Goukassian Vow as Foundational Architecture

Every schema property, endpoint path, error code, and webhook payload in this specification derives from a single constitutional foundation: the Goukassian Vow.

"Pause when truth is uncertain" → State 0 (Epistemic Hold)

"Refuse when harm is clear" → State −1 (Refuse)

"Proceed where truth is" → State +1 (Proceed)

This is not a design preference. It is the constitutional logic that makes the entire "Ternary Logic" (TL) framework coherent. Every state transition is an expression of one of these three lines.

The first line mandates EscrowRecord creation, TGLF_State0 log emission, and the epistemicHold.escalation webhook. Uncertainty is not failure; it is constitutional information.

The second line mandates TGLF_StateNeg1 log emission, no Permission Token issuance, and refusalIsPermanent: true by default. The ABI's InvalidResolutionState revert enforces this at the on-chain layer.

The third line mandates the Permission Token as the cryptographic expression of verified truth. The five-layer NL=NA enforcement architecture is the engineering expression of this single phrase.

Informative

Section 2 — Binary and Ternary in Parallel

The "Ternary Logic" framework does not replace binary inference. It governs it.

The binary inference engine provides speed, pattern recognition, and statistical throughput. It proposes a state. It cannot authorize actuation. The Inference Lane produces TLResult objects that carry a proposed state field. That field is advisory.

The ternary governance coprocessor operates in parallel, receiving the same decision vector through the Audit Lane. It verifies, logs, and either issues or withholds a Permission Token. Only a valid Permission Token from the Audit Lane authorizes the actuation layer to fire.

This is why POST /decisions and POST /audit-logs are separate endpoints on separate security schemes. The Inference Lane uses TLGovernanceJWT. The Audit Lane uses HSMSignedJWT and NLNAAuditToken. A client that has only TLGovernanceJWT can propose actions. It cannot authorize them.

Normative

Section 3 — Dual-Lane Architecture in OpenAPI Paths

3.1 Inference Lane Path Group

The Inference Lane endpoints are POST /decisions and GET /decisions/{decisionId}. Security: TLGovernanceJWT. The TLResult.state field is the binary engine's proposed state. It is not authorization.

3.2 Audit Lane Path Group

POST /audit-logs is the central NL=NA enforcement point. On State +1, a PermissionToken is returned inside a StateEnvelope. On State 0, an EscrowRecord is returned and the epistemicHold.escalation webhook fires. On State −1, no PermissionToken is issued.

3.3 Gateway Fail-Closed Behavior

The Gateway is fail-closed by design: if it cannot route to the Audit Lane, it defaults to EPISTEMIC_HOLD. Fail-open is constitutionally prohibited. The GatewayRoutingStatus.operationalStatus enum includes EPISTEMIC_HOLD_OVERRIDE_ACTIVE to signal this condition.

Normative

Section 4 — NL=NA Schema-Level Enforcement

NL=NA (No Log = No Action) is enforced at five independent layers. Bypassing one layer does not bypass the others.

Layer 1

StateEnvelope_v1_0_0 if/then constraint: permissionToken required when currentState equals 1. unevaluatedProperties: false prevents bypass.

Layer 2

PermissionToken_v1_0_0.laneOrigin carries const: "AUDIT_LANE". TL_Ledger_Core.registerPermissionToken reverts NLNAViolation on laneOriginHash mismatch.

Layer 3

TGLF_StateP1_v1_0_0.permissionToken is in the required array. pillarsCertified carries minItems: 8, maxItems: 8.

Layer 4

AuditProof.logHash must match PermissionToken.logHash. AuditProof.merkleRoot must match PermissionToken.merkleRoot.

Layer 5

TL_Ledger_Core.registerPermissionToken reverts NLNAViolation if the supplied logHash is not provably included in an anchored Merkle root. Terminal on-chain enforcement gate.

Normative

Section 5 — Epistemic Hold

5.1 State versus Workflow Distinction

Epistemic Hold is a TL constitutional state. Its integer value is 0. Its stateLabel is "EpistemicHold". GovernancePause is the workflow process name that activates when Epistemic Hold is declared — it appears in StateEnvelope.processActive and TGLF_State0.processActive as const: "GovernancePause". It is a workflow name, not a state synonym.

5.2 EscrowRecord as Single Schema Source

EscrowRecord_v1_0_0 is the single authoritative definition of all Epistemic Hold response fields. Fields: escrowId, heldState (const 0), initiatedAt, initiatingDecisionId, holdRationale, resolutionDeadline, immutableLogHash, holdDurationMs, auditLaneStatus, requiredConditions, and windowComparatorReading.

5.3 Resolution Constraints

Resolution must specify State +1 or State −1. State 0 is not a valid resolution. Enforced at three layers: PATCH /epistemic-hold/escalations/{escalationId} schema, TL_Ledger_Core.resolveEpistemicHoldSystemWide revert, and the resolutionDeadline constitutional deadline.

Normative

Section 6 — Goukassian Principle as API Resources

Three canonical lowercase artifact names, each a dedicated API resource:

lantern — exposed at GET /epistemic-hold/lantern. compliancePosture enum includes EPISTEMIC_HOLD_ACTIVE.
signature — exposed at GET /goukassian/signature. PQC slots 6 (SLH-DSA-SHAKE-128s) and 7 (ML-KEM-1024) reserved.
license — exposed at POST /goukassian/license/validate. Exceeded licenseScope triggers automatic Refuse (State −1).

Normative

Section 7 — Eight Pillars

Pillar I

EpistemicHold

POST /decisions, Epistemic Hold escalation surface, EscrowRecord, TGLF_State0, Gateway fail-closed

Pillar II

ImmutableLedger

POST /audit-logs, GET /audit-logs/{logId}, POST /refusals, RFC 3161 timestamp, Ghost Governance prevention

Pillar III

GoukassianPrinciple

lantern · signature · license — required on every POST /decisions, POST /audit-logs, POST /evaluate/* request body

Pillar IV

DecisionLogs

GET /decisions/{decisionId}, GET /thresholds/{domain}, PUT /thresholds/{domain}, GET /metrics/summary

Pillar V

EconomicRights

POST /evaluate/trade, POST /redress/*, GET /regulator/basel-iii/attestation — Basel III, FATF, IOSCO

Pillar VI

SustainableCapital

POST /evaluate/policy, POST /evaluate/supply-chain — Paris Agreement, ESG, carbon footprint, green bond

Pillar VII

HybridShield

POST /emergency/override, GET /emergency/status, GET /audit/custodians/*/heartbeat, TriCameralApproval

Pillar VIII

Anchors

GET /audit/verifications/merkle/{root}, GET /audit/verifications/inclusion/{logId}, SuccessionDeclaration

Normative

Section 8 — Regulatory Nexus

Basel III — RegulatoryContext.baselIii (lcr, nsfr, capitalRatio); LCR ≥ 1.0, NSFR ≥ 1.0; GET /regulator/basel-iii/attestation
FATF — RegulatoryContext.fatf (amlCheckRequired, sanctionsScreened, pepInvolved, sarGenerated); POST /regulator/fatf/compliance-export
IOSCO — RegulatoryContext.iosco (layeringDetected, spoofingDetected, washTradingDetected); GET /regulator/iosco/principle-mapping
GDPR — RegulatoryContext.gdpr.erasureEligible; TL uses HKDF-SHA3-256 cryptographic erasure (not Article 4(5) pseudonymization)
Paris Agreement — RegulatoryContext.parisAgreement (carbonFootprintVerified, greenBondEligibility, esgScore); POST /evaluate/policy

Normative

Section 9 — Domain Evaluation Endpoints

POST /evaluate/trade — financial trading governance. Returns TLResult with tradingMetadata.amlClearanceStatus (CLEARED / PENDING_REVIEW / REFUSED).

POST /evaluate/policy — monetary policy governance. Returns policyMetadata.greenBondEligibility as direct Pillar VI expression.

POST /evaluate/supply-chain — supply chain governance. Returns chainMetadata.carbonFootprintVerified and laborStandardCompliance.

All three require GoukassianPrincipleBlock. All three return TLResult, not StateEnvelope. The POST /audit-logs step is required before any Proceed determination may authorize actuation.

Normative

Section 10 — Auditor and Regulator Surface

Six-step compliance verification workflow using only endpoints in tl_openapi.yaml:

Step 1 — GET /audit/verifications/merkle/{merkleRoot} — verify the Merkle anchor on-chain
Step 2 — GET /audit/verifications/inclusion/{logId} — verify log inclusion with full Merkle proof path
Step 3 — GET /audit-logs/{logId} — retrieve the anchored TGLF record and embedded StateEnvelope
Step 4 — GET /regulator/timestamp-verification/{logId} — verify RFC 3161 qualified timestamp
Step 5 — GET /audit/compliance/attestation — pull signed Eight Pillar compliance attestation
Step 6 — POST /regulator/evidence-export — bulk export signed, Merkle-verified archive

Normative

Section 11 — DITL Hardware Interface

11.1 Architecture B Hybrid Model (SHIPPING)

SHIPPING baseline: software enforcement with DITL attestation where available. NLNAAuditToken.pufAttestation must be set to sentinel "NULL_PUF_DEPLOYMENT" for non-MT deployments. TLCapabilityFlags.pufAttestationMode: "ARCHITECTURE_B".

11.2 MT Integration (FUTURE)

POST /ditl/state-transition and GET /ditl/puf-attestation/{deviceId} are defined with x-tl-implementation-status: FUTURE. Blocking constraint: Constitutional Hardware Monograph, Section X.

Normative

Section 12 — EKR, GDPR Cryptographic Erasure, and Succession Declaration

12.1 Ephemeral Key Rotation

Defined in EKRRecord_v1_0_0. The hkdfSha3256Confirmed: true field confirms HKDF-SHA3-256 key derivation. Key destruction achieves cryptographic erasure — underlying data becomes computationally irrecoverable while audit record remains intact.

12.2 GDPR Cryptographic Erasure

Three residual sub-gaps remain FUTURE: regulatory interpretation, erasure key registry dependency, metadata residue. All documented in Future-Blocked_Appendix.md.

12.3 Succession Declaration

SuccessionDeclaration_v1_0_0 is a notarized, timestamped, anchored governance continuity instrument. Expiry triggers SUCCESSION_DECLARATION_EXPIRED_ERROR.

Normative

Section 13 — Error Handling

All error responses conform to RFC 7807 application/problem+json with three mandatory TL extensions that are never omitted:

x-tl-state — signed integer enum [−1, 0, 1]. Even errors carry a constitutional state.
x-tl-pillar — canonical PillarIdentifier implicated in this error.
x-tl-trace-id — UUID v4 echoed from the originating request header.

Fail-closed default: any unresolvable condition defaults to EPISTEMIC_HOLD or REFUSE, never to PROCEED.

Normative

Section 14 — Trace Propagation

The X-TL-Trace-Id UUID v4 header is the constitutional thread connecting every layer of the governance stack.

Client              Inference Lane        Audit Lane            Regulator
  |                       |                     |                     |
  |-- POST /decisions --->|                     |                     |
  |   X-TL-Trace-Id: T1   |                     |                     |
  |<-- TLResult ---------|                     |                     |
  |                       |                     |                     |
  |-- POST /audit-logs ---|-------------------->|                     |
  |   X-TL-Trace-Id: T1 (bound via NLNAAuditToken)                   |
  |<-- StateEnvelope + PermissionToken --------|                     |
  |                       |                     |                     |
  |<-- epistemicHold.escalation webhook (if State 0)                 |
  |   event_id: E1, x-tl-trace-id: T1          |                     |
  |                       |                     |                     |
  |-- POST /regulator/evidence-export -------------------------------->|
  |<-- exportJobId (archive contains T1-linked TGLF records) --------|

Webhook deduplication uses event_id (UUID v4), not x-tl-trace-id, since a single trace may produce multiple webhook events.

Constitutional Uncertainty Register — Deliverable F

<MONOGRAPH_EXCERPT_MISSING> Section 11 — Architecture B exact compensating control specification. Monograph Section X not supplied. Described from Section 4.10 of the constitutional prompt.

<MONOGRAPH_EXCERPT_MISSING> Section 12.2 — Three GDPR sub-gaps exact phrasing. Derived from Section 5G of the constitutional prompt.