JSON Schema Bundle — TL Governance API

TLState integer SHIPPING EpistemicHold (I)

Three-state enumeration. +1=Proceed, 0=Epistemic Hold, −1=Refuse. State 0 is never null, false, error, timeout, pending, or retry. State −1 canonical label is Refuse. Halt prohibited.

Constraint	Value	Note
enum	[-1, 0, 1]	Signed integer. NL=NA Layer 1 if/then evaluates on this field.
type	integer	Never boolean. int8(0) ≠ bool false.

TLStateLabel string SHIPPING EpistemicHold (I)

Human-readable PascalCase label paired with TLState integer.

Constraint	Value
enum	["Proceed", "EpistemicHold", "Refuse"]

PillarIdentifier string enum SHIPPING All Pillars

Canonical machine-readable identifiers for the Eight Pillars. Used in x-tl-pillar annotations on every endpoint.

Value	Pillar
EpistemicHold	Pillar I
ImmutableLedger	Pillar II
GoukassianPrinciple	Pillar III
DecisionLogs	Pillar IV
EconomicRightsAndTransparencyMandate	Pillar V
SustainableCapitalAllocationMandate	Pillar VI
HybridShield	Pillar VII
Anchors	Pillar VIII

StateEnvelope object SHIPPING EpistemicHold (I)

Canonical TL response wrapper. NL=NA Layer 1: permissionToken REQUIRED when currentState==1 (if/then). GovernancePause is workflow name, not state synonym. unevaluatedProperties: false prevents bypass.

Property	Required	Type	NL=NA	Note
currentState	required	TLState	Layer 1	if/then evaluates on this field
stateLabel	required	TLStateLabel	Layer 1	const per state branch
proposedAction	required	string		minLength: 1
processActive	required	string		GovernancePause (0) \| ProceedAuthorized (1) \| RefusalPermanent (−1)
permissionToken	if currentState==1	PermissionToken	Layer 1	Required when +1. Constitutionally prohibited on 0 or −1.
escrowRecord	if currentState==0	EscrowRecord		Required when 0.
traceId		UUIDv4		Echoes X-TL-Trace-Id header

PermissionToken object SHIPPING ImmutableLedger (II)

NL=NA cryptographic enforcement artifact. laneOrigin const "AUDIT_LANE" — Inference Lane tokens are schema-invalid. maxLifetimeMs maximum 300000 aligned with DLLA Audit Lane 300ms ceiling. Actuation layer MUST reject expired tokens — no grace period.

Property	Type	NL=NA	Note
tokenId	UUIDv4	Layers 2,3,4,5
logHash	SHA256Hex	Layers 4, 5	MUST match AuditProof.logHash
laneOrigin	const "AUDIT_LANE"	Layer 2	Schema-invalid for any other value
merkleRoot	SHA256Hex	Layers 4, 5	MUST match AuditProof.merkleRoot. Layer 5: registerPermissionToken reverts NLNAViolation if logHash not in root.
expiresAt	ISO8601DateTime		Hard expiration. No grace period.
maxLifetimeMs	integer		maximum: 300000 (DLLA Audit Lane ceiling)
revocationStatus	enum		ACTIVE \| REVOKED_BY_EMERGENCY \| REVOKED_BY_TRI_CAMERAL
custodianQuorumAttestation	string		BETA Token valid without it for SHIPPING.

AuditProof object SHIPPING ImmutableLedger (II)

NL=NA Layer 4: logHash and merkleRoot MUST match PermissionToken fields. Cross-reference is the cryptographic link between Audit Lane log commitment and Permission Token issuance.

Property	NL=NA	Note
logHash	Layer 4	MUST = PermissionToken.logHash
merkleRoot	Layer 4	MUST = PermissionToken.merkleRoot
merkleProofPath	Layer 5	Full Merkle inclusion proof

NLNAAuditToken object SHIPPING ImmutableLedger (II)

Audit lane completion token. Non-MT deployments MUST use sentinel value "NULL_PUF_DEPLOYMENT" for pufAttestation. Architecture B compensating controls: software enforcement active.

Property	Note
pufAttestation	Non-MT: use sentinel "NULL_PUF_DEPLOYMENT" · FUTURE: FULL_PUF
laneStatus	enum: pending \| committed \| anchored

EscrowRecord object SHIPPING EpistemicHold (I)

Single authoritative definition of all Epistemic Hold response fields. Created at hold initiation. Immutable. heldState const 0.

Property	Required	Note
escrowId	required	UUIDv4
heldState	required	const: 0
holdRationale	required	rationale · uncertaintyScore [0,1] · pillarImplicated
resolutionDeadline	required	Terminal state must be +1 or −1. State 0 invalid.
immutableLogHash	required	SHA256Hex
requiredConditions	required	array minItems: 1 — each with conditionId, description, met bool
windowComparatorReading	required	SHIPPING: softwareEnforcementActive · FUTURE: resistanceRangeOhm

TGLF_State0 object SHIPPING EpistemicHold (I)

TGLF record for Epistemic Hold. currentState const 0. stateLabel const "EpistemicHold". processActive const "GovernancePause" — workflow name, not state synonym.

TGLF_StateNeg1 object SHIPPING ImmutableLedger (II)

TGLF record for Refuse. stateLabel const "Refuse" — Halt prohibited. refusalIsPermanent default true. No Permission Token issued.

TGLF_StateP1 object SHIPPING ImmutableLedger (II)

TGLF record for Proceed. permissionToken REQUIRED (NL=NA Layer 3). pillarsCertified minItems 8, maxItems 8 — all Eight Pillars must be certified.

Property	NL=NA
permissionToken	Layer 3 — REQUIRED
pillarsCertified	Layer 3 — minItems 8, maxItems 8
auditProof	Layer 4

GoukassianPrincipleBlock object SHIPPING GoukassianPrinciple (III)

Three Goukassian Principle artifacts. Required on every POST /decisions, POST /audit-logs, and POST /evaluate/* request. artifactName const values are canonical lowercase.

Artifact	artifactName const	Key Field
lantern	"lantern"	lanternHash (SHA256Hex)
signature	"signature"	agentSignature (Ed25519Hex)
license	"license"	licenseScope (string[])

LanternStatus object SHIPPING GoukassianPrinciple (III)

Goukassian Principle Lantern status. artifactName const "lantern". compliancePosture includes EPISTEMIC_HOLD_ACTIVE — reflecting constitutional state, not error. pillarStatuses reflects all 8 pillars.

SignatureBlock object SHIPPING GoukassianPrinciple (III)

artifactName const "signature". SHIPPING: ES256 (default) or Ed25519. SLH-DSA-SHAKE-128s (id 6) and ML-KEM-1024 (id 7) are FUTURE-reserved. SHIPPING MUST NOT emit values 6 or 7.

TriCameralApproval object SHIPPING HybridShield (VII)

Technical Council (9 members, proposal rights). Stewardship Custodians (11 members, binding veto). Smart Contract Treasury (automatic execution, no admin key).

Body	totalMembers (const)	Authority
technicalCouncilVotes	9	Proposal rights only
stewardshipCustodianVotes	11	Binding veto — vetoExercised: true blocks constitutionally
smartContractTreasuryExecution	—	Automatic. No admin key. No human override.

EmergencyOverrideRequest object SHIPPING HybridShield (VII)

NL=NA without exception. forcedState enum [−1, 0] only. Forced +1 constitutionally blocked. forcedStateExpiresAt required for FORCED_STATE_TRANSITION.

overrideType	Constraint
BREAK_GLASS_SHUTDOWN	System-wide halt
KILL_SWITCH	Permanent State −1
FORCED_STATE_TRANSITION	Requires targetDecisionId + forcedStateExpiresAt

EKRRecord object SHIPPING HybridShield (VII)

Ephemeral Key Rotation record. HKDF-SHA3-256 key destruction achieves GDPR Article 17 cryptographic erasure. hkdfSha3256Confirmed: true field confirms the algorithm was used.

SuccessionDeclaration object SHIPPING Anchors (VIII)

Notarized, timestamped, anchored governance continuity instrument. Expiry triggers SUCCESSION_DECLARATION_EXPIRED_ERROR. validUntil field establishes constitutional deadline.

TLProblemDetail object SHIPPING All Pillars

RFC 7807 application/problem+json with mandatory TL extensions. x-tl-state never omitted on any error response.

Error Code
GHOST_GOVERNANCE_DETECTED_ERROR
NLNA_VIOLATION_ERROR
EPISTEMIC_HOLD_TIMEOUT_ERROR
LANTERN_FORFEIT_ERROR
PILLAR_VIOLATION_ERROR
SUCCESSION_DECLARATION_EXPIRED_ERROR
SUCCESSION_DECLARATION_REQUIRED_ERROR
QUORUM_NOT_MET_ERROR
TRI_CAMERAL_VETO_ERROR
REGULATORY_COMPLIANCE_ERROR
LICENSE_SCOPE_EXCEEDED_ERROR
WINDOW_COMPARATOR_FAILURE_ERROR
DECISION_LOG_VIOLATION_ERROR

MetricsSummary object SHIPPING DecisionLogs (IV)

System-wide metrics. ghostGovernanceDetectionRate reflects all 8 Pillars. stateDistribution.proceed + .epistemicHold + .refuse covers all constitutional states.