TML Specification Architecture — Deliverables F & G

Specification Architecture & Future Appendix

Narrative companion to the machine-readable specifications — how the architecture works, and what remains unbuildable
Deliverable F specification_architecture.md
Deliverable G future_blocked_appendix.md
authority TML Monograph v3.3
supersedes docs/specs/Dual-Lane Architecture.md
Part F — specification_architecture.md
Canonical narrative explaining how the Dual-Lane Architecture, No Log = No Action, the Goukassian Promise, and the Eight Pillars are expressed across openapi.yaml and tml_schema.json
Section 1

Foundational Architecture: Binary and Ternary in Parallel

The TML framework does not replace the binary inference engine. This is the most consequential architectural fact in the entire specification, and every design decision in openapi.yaml and tml_schema.json flows from it.

The binary inference engine operates as the system's fast cognitive layer: speed, pattern recognition, and statistical throughput. The ternary logic operates as a sovereign governance coprocessor running in parallel. These two systems are not sequential; they are not a pipeline where one feeds the other and then yields. They operate simultaneously on distinct lanes, and their relationship is asymmetric by constitutional design.

The binary system proposes actions. The ternary system dictates whether those actions physically cross the threshold into execution.

This asymmetry is not a preference. It is the architectural enforcement of the Goukassian Vow:

"Pause when truth is uncertain"  →  State  0 (SACRED_ZERO) "Refuse when harm is clear"     →  State -1 (REFUSE) "Proceed where truth is"       →  State +1 (PROCEED)

The binary system can only ever produce a proposal. The ternary system holds the actuation gate. No proposal from the binary system authorizes execution. Only a cryptographically valid Permission Token, issued exclusively by the Anchoring Lane after an immutable Moral Trace Log has been committed, authorizes execution. This is the No Log = No Action iron law, enforced at three independent layers: the OpenAPI contract, the JSON Schema bundle, and the on-chain ABI.

Section 2

The Dual-Lane Architecture in OpenAPI Paths

The openapi.yaml specification expresses the Dual-Lane Architecture as two structurally distinct path groups, each with its own security scheme, latency envelope, and constitutional function.

Lane 1: Inference Lane (Fast Path, <2ms)

POST /decisions  // submit decision vector; proposal only
GET /decisions/{decisionId}  // retrieve with any issued Permission Token
POST /gateway/lane-assignment  // route to Inference or Anchoring Lane
GET /gateway/status  // fail-closed status

These paths are secured by InferenceLaneSecurity (mTLS + ServiceAccountJWT). A StateEnvelope returning currentState: 1 from POST /decisions does not authorize actuation. The schema enforces this structurally: an object claiming currentState: 1 without a permissionToken field fails schema validation. This is the schema-level expression of the binary system's constitutional limitation. It can propose; it cannot authorize.

Lane 2: Anchoring Lane (Governance Lane, <500ms)

POST /anchoring-logs  // central No Log = No Action enforcement; issues Permission Token for State +1
GET /anchoring-logs/{logId}
GET/PATCH /sacred-zero/escalations/{id}  // human-in-the-loop review queue
POST /refusals  // hard State -1; no Permission Token issued
POST /emergency/override  // Section 13.3 supreme authority; logged before execution

These paths are secured by AnchoringLaneSecurity (HSM-SignedJWT + MutualTLS). The HSM requirement is not incidental. The Anchoring Lane's authority to issue Permission Tokens derives from hardware-backed key material registered in the HybridShield 6-Custodian registry. A software-signed JWT cannot satisfy these endpoints.

POST /anchoring-logs is the central enforcement point for No Log = No Action. Its request body accepts a oneOf discriminated union of the three TSLF variants, discriminated on currentState. Its response for currentState: 1 includes a permissionToken object. For currentState: 0 and currentState: -1, no Permission Token is returned; no actuation is authorized; the actuation layer remains locked.

The TML Gateway sits at the entry point. Its constitutional obligation is fail-closed: if it cannot route to the Anchoring Lane, it does not route to Inference and proceed optimistically. It defaults to currentState: 0 (SacredZero) and activates the Sacred Pause. The GatewayRoutingStatus schema exposes failClosedActive as a boolean and operationalStatus with a FAIL_CLOSED_ACTIVE value. These give the actuation layer a machine-readable signal that the system has entered constitutional hold, not a degraded best-effort mode.

Section 3

The Binary System Proposes; the Anchoring Lane Dictates

The separation of proposal from authorization is expressed at every layer of the specification. This section traces the full lifecycle of a decision vector to demonstrate that no ambiguity exists in the contract between the binary and ternary systems.

Decision vector submission. The binary inference engine submits a JustificationObject alongside a proposedAction to POST /decisions. The JustificationObject.proposedState field is described as "a proposal only; the Anchoring Lane determines the authoritative state." The uncertaintyScore field, if it breaches the configured SacredZero threshold, overrides the binary engine's proposedState and mandates currentState: 0 regardless of what the binary engine proposed. The Anchoring Lane cannot be argued out of Sacred Zero by a confident binary engine. The JustificationObject travels from the Inference Lane to the Anchoring Lane. It informs. It does not authorize.

Anchoring Lane evaluation. POST /anchoring-logs receives the complete TSLF record. The Anchoring Lane performs its own ternary evaluation, independent of the binary engine's proposedState. The EthicalVerification schema captures this independent assessment: it requires a PillarVerificationResult for each of the Eight Pillars, and its overallVerdict field is determined by the Anchoring Lane alone. A FAILED verdict from any pillar triggers currentState: -1 regardless of what the binary engine proposed.

Permission Token as actuation gate. The Permission Token's structure enforces authorization integrity through five properties: logHash (SHA-256 of the anchored log; no token without a log), laneOrigin: const "ANCHORING_LANE" (schema-level rejection of Inference Lane tokens), merkleRoot (binds token to public blockchain anchor), expiresAt (hard expiry; actuation layer must reject expired tokens), and signatureValue (HSM signature verified before actuation). The StateEnvelope schema enforces the token's mandatory presence via an if/then constraint: when currentState is 1, permissionToken is a required field. This constraint cannot be bypassed by a conforming implementation.

Section 4

No Log = No Action: Schema-Level Enforcement

No Log = No Action is not a policy statement in this specification. It is a structural constraint enforced at five independent layers. An implementation that satisfies the OpenAPI contract and JSON Schema bundle cannot, by construction, issue a valid actuation authorization without a preceding immutable log commitment.

The five layers are independent. Bypassing one does not bypass the others. An auditor must verify all five are intact.
LayerLocationEnforcement MechanismMonograph Section
Layer 1 StateEnvelope if/then
tml_schema.json#/$defs/StateEnvelope		 When currentState == 1, permissionToken is REQUIRED. Any StateEnvelope claiming PROCEED without a Permission Token fails schema validation. unevaluatedProperties: false prevents bypass. Section 2.3.3
Layer 2 PermissionToken.laneOrigin
tml_schema.json#/$defs/PermissionToken		 laneOrigin: const "ANCHORING_LANE". Any Permission Token carrying laneOrigin: "INFERENCE_LANE" is schema-invalid. The Inference Lane cannot produce a valid Permission Token by data contract. Section 2.3
Layer 3 TSLF-StateP1 required array
tml_schema.json#/$defs/TSLF-StateP1		 permissionToken is in the required array alongside ethicalVerification, theSignature, and auditProof. committedAt documents the pre-actuation commit: the log is committed before the Permission Token is released to the actuation layer. Section 5B.i
Layer 4 AuditProof cross-reference
tml_schema.json#/$defs/AuditProof		 AuditProof.logHash must match PermissionToken.logHash; AuditProof.merkleRoot must match PermissionToken.merkleRoot. The inclusionPath array provides the cryptographic proof of log inclusion. Traversal: token → logHash → merkleRoot → inclusionPath → GET /audit/verifications/merkle/{merkleRoot}. Section 8
Layer 5 TML_Core.registerPermissionToken
NoLogNoAction custom error
tml_abi.json / TML_Core		 Reverts with NoLogNoAction error when a logHash is not provably included in a previously anchored Merkle root. The on-chain final arbiter. Even a schema-valid token fails registration if the authorizing log is not anchored on-chain. Section 2.3.3
Section 5

The Sacred Zero: State, Workflow, and Escalation

Sacred Zero (State 0) is the most architecturally significant state in the TML framework, and the state most vulnerable to misrepresentation. It is a first-class integer member of the triadic state space. It is not null. It is not false. It is not an HTTP error code. It is not a timeout.

In tml_schema.json, the StateEnvelope if/then/else block enforces that when currentState is 0, three distinct fields must carry three distinct values:

currentState: 0       // the state value (signed integer)
stateLabel: "SACRED_ZERO"  // human-readable label
processActive: "SacredPause"   // the operational workflow; NOT a state synonym

The Sacred Pause is not Sacred Zero. The Sacred Pause is the operational workflow that executes when the system enters Sacred Zero. A system that labels its state as "SacredPause" has confused the state with the process. The TSLF-State0 schema enforces this with const constraints on all three fields.

The Sacred Pause workflow in the API surface is expressed through four resources. GET /sacred-zero/escalations is the human-in-the-loop review queue. GET /sacred-zero/escalations/{escalationId} returns full detail including the UncertaintyQuantification record and the DeliberationMatrix presented to the human reviewer. PATCH /sacred-zero/escalations/{escalationId} is the human authority resolution endpoint: resolvedState accepts only 1 or -1; State 0 is not a valid resolution. The sacredPauseEscalation webhook delivers async notification to all registered escalation endpoints when Sacred Zero activates.

The UncertaintyQuantification schema captures the epistemic conditions. The epistemicHoldActive field carries const: true in State 0 contexts. Epistemic Hold is the canonical TML term for the system's recognition that it has reached the boundary of its reliable knowledge. The Anchoring Lane does not speculate beyond this boundary. It holds.

When Sacred Zero is activated, LanternStatus.compliancePosture reflects "SACRED_ZERO_ACTIVE" and activeSacredZeroCount increments. The TSLF-State0 schema includes a required lanternStatus field: the Goukassian Promise Lantern must be captured at the moment of Sacred Zero activation. The Lantern's public signal must not lag behind the governance state.

Section 6

The Goukassian Promise: Lantern, Signature, and License as API Resources

The Goukassian Promise (Pillar III) contributes three canonical artifacts to the TML system. In the monograph these are named as a triad. In the specification they are expressed as distinct schema types and API resources, each with its own artifactName property carrying a const value that is the lowercase canonical artifact name.

The Lantern is the public compliance beacon, exposed at GET /sacred-zero/lantern and required in TSLF-State0 records. The LanternStatus schema carries artifactName: const "lantern". Its compliancePosture field provides a five-value enum spanning the full range of system compliance states. Its pillarStatuses object reports per-pillar live status across all Eight Pillars. The LanternStatus is embedded in the GatewayRoutingStatus schema, so operators reading Gateway status get the Lantern signal without a separate call.

The Signature is the provenance and non-repudiation artifact. It is exposed at GET /goukassian/signature and embedded as a required field in TSLF-StateP1 (as theSignature), in LanternStatus, in ComplianceAttestation, and in the EIP-712 GoukassianSignatureAttestation typed data schema. The SignatureBlock schema carries artifactName: const "signature". Its signatureAlgorithm field enumerates current SHIPPING algorithms (ES256 through RS512) alongside FUTURE-reserved PQC identifiers (SLH-DSA-SHAKE-128s, ML-KEM-1024). The PQC identifiers are present to enable forward-compatible migration without a breaking schema change.

The License governs authorized use of the TML system, exposed through POST /goukassian/license/validate (validation) and POST /refusals/license-violations (violation recording). The LicenseValidationRequest schema carries artifactName: const "license". The LicenseViolationRecord schema records violations with a violatedArtifact field using lowercase canonical artifact names: "lantern", "signature", or "license". In the ITMLEnforcer ABI, these are encoded as integer ordinals (1 = lantern, 2 = signature, 3 = license) for on-chain encoding compatibility.

Section 7

The Eight Pillars: API Capabilities and Out-of-Band Processes

Each Pillar is operationalized differently. Some are expressed primarily as API capabilities with specific endpoints and schema fields. Others are expressed primarily as out-of-band processes whose outputs appear in the specification as input fields or attestation artifacts.

Pillar I
SacredZero
API: POST /decisions, GET /sacred-zero/escalations, PATCH /sacred-zero/escalations/{id}, POST /emergency/override, GET /gateway/status
Schema: TriadicStateValue enum, StateEnvelope if/then/else, TSLF-State0 const discriminators, UncertaintyQuantification.epistemicHoldActive, DeliberationMatrix.resolutionOptions[].proposedState enum constraint.
Pillar II
AlwaysMemory
API: POST /anchoring-logs (pre-actuation commit), GET /anchoring-logs/{logId}, POST /refusals, POST /redress/log-reevaluation (creates new record; original log immutable)
Schema: TSLF-State0/State-1/StateP1.committedAt, ChainOfCustody per-entry inputHash/outputHash, PermissionToken.logHash. Out-of-band: physical immutability of the log store is deployment-specific.
Pillar III
GoukassianPromise
API: GET /sacred-zero/lantern, GET /goukassian/signature, POST /goukassian/license/validate, POST /refusals/license-violations, GET /audit/compliance/attestation, lanternStatusBroadcast webhook
Schema: LanternStatus artifactName: const "lantern", SignatureBlock artifactName: const "signature", LicenseValidationRequest artifactName: const "license", LicenseViolationRecord.violatedArtifact enum, TSLF-StateP1.theSignature.
Pillar IV
MoralTraceLogs
API: POST /anchoring-logs, GET /anchoring-logs/{logId}, GET /audit/verifications/inclusion/{logId}, POST /redress/log-reevaluation, POST /regulator/evidence-export, GET /regulator/timestamp-verification/{logId}
Schema: TSLF-State0, TSLF-State-1, TSLF-StateP1, JustificationObject, ChainOfCustody, AuditProof, MerkleInclusionProof. Out-of-band: storage, indexing, and retrieval infrastructure is deployment-specific.
Pillar V
HumanRightsMandate
API: GET /sacred-zero/escalations (human review queue), PATCH /sacred-zero/escalations/{id} (human resolution), POST /redress/challenges, GET /redress/challenges/{id}, POST /redress/human-rights-grievances
Schema: JustificationObject.humanRightsMandateFlags, ThreatVectorAnalysis.udhrProvision, RedressChallenge.challengeGrounds[].udhrProvision, HumanRightsGrievance.udhrProvisions. ABI: ITMLEnforcer.verifyHumanRightsCompliance, HumanRightsMandateViolationDetected event.
Pillar VI
EarthProtectionMandate
API: POST /anchoring-logs (mandate flags evaluated during log submission), GET /audit/compliance/attestation
Schema: JustificationObject.earthProtectionMandateFlags, ThreatVectorAnalysis.parisAgreementProvision. ABI: ITMLEnforcer.verifyEarthProtectionCompliance, EarthProtectionMandateViolationDetected event. Out-of-band: Paris Agreement article registry is a deployment governance decision.
Pillar VII
HybridShield
API: GET /audit/custodians/{custodianId}/heartbeat, GET /regulator/custodian-quorum, POST /anchoring-logs (custodian quorum required for Merkle anchoring), POST /emergency/override (optional custodian quorum approval)
Schema: CustodianHeartbeat, PermissionToken.custodianQuorumAttestation (BETA), EmergencyOverrideRequest.custodianQuorumApproval. ABI: TML_Core.anchorMerkleRoot requires custodianSignatures; QuorumNotMet custom error. EIP-712: CustodianQuorumAttestation typed data.
Pillar VIII
PublicBlockchains
API: POST /anchoring-logs (Merkle-batched anchoring), GET /audit/verifications/merkle/{merkleRoot}, GET /audit/verifications/inclusion/{logId}, GET /regulator/timestamp-verification/{logId}, POST /regulator/evidence-export (includes Merkle proofs)
Schema: MerkleInclusionProof.inclusionPath, AuditProof.merkleRoot and inclusionPath, PermissionToken.merkleRoot. ABI: TML_Core.anchorMerkleRoot and verifyMerkleInclusion; MerkleRootAnchored event. EIP-712: MoralTraceLog and PermissionToken typed data.
Section 8

Auditor and Regulator API Surface

The specification provides a dedicated endpoint group for auditors and regulators, secured by AuditorRegulatorSecurity (CA-VettedJWT + IPAllowlist). This group is read-dominant by design: auditors do not produce state; they verify it.

The auditor's complete verification workflow, using only endpoints in this specification, proceeds as follows:

  1. 1
    Pull the current compliance attestation at GET /audit/compliance/attestation. The ComplianceAttestation schema carries pillarCompliance with a PillarVerificationResult for each of the Eight Pillars, overallStatus, and a SignatureBlock binding the attestation to the Goukassian Promise provenance chain.
  2. 2
    Verify a specific Moral Trace Log via GET /audit/verifications/inclusion/{logId}. The MerkleInclusionProof response provides the inclusionPath array for independent Merkle verification.
  3. 3
    Confirm the Merkle batch anchor at GET /audit/verifications/merkle/{merkleRoot}. The blockchainTxId in the response locates the public blockchain transaction.
  4. 4
    Verify the qualified timestamp at GET /regulator/timestamp-verification/{logId}. The response confirms RFC 3161 Time-Stamp Authority identity and verificationStatus.
  5. 5
    Check HybridShield custodian health at GET /audit/custodians/{custodianId}/heartbeat for each of the 6 custodians, and review aggregate quorum status at GET /regulator/custodian-quorum.
  6. 6
    Request bulk evidence export at POST /regulator/evidence-export for regulated inspection proceedings. The BulkEvidenceExport schema accepts jurisdiction, legal basis, date range, and filter parameters. Exports are asynchronous, signed, and include Merkle proofs.

This workflow does not require access to implementation code, deployment infrastructure, or internal system state beyond what the API surface exposes. The constitutional compliance matrix (Step 4) maps each step to the monograph sections and regulatory provisions it satisfies.

Section 9

Error Handling and Constitutional Consistency

Every error response across the specification conforms to RFC 7807 application/problem+json with two TML-specific extensions: x-tml-state (the triadic state active at error time, as a signed integer) and x-tml-pillar (the canonical Pillar identifier most directly implicated). These extensions ensure that error responses are themselves constitutionally legible: an error is not an escape from the triadic state space. The ProblemDetail schema enforces unevaluatedProperties: false, preventing error responses from carrying undeclared fields that could introduce ambiguity.

The SacredZeroHold408 response is the canonical HTTP expression of Sacred Zero in the error surface. A 408 response carrying x-tml-state: 0 is not a timeout in the conventional sense. It is a constitutional hold. The retry_after field provides a retry interval, but the caller must await the sacredPauseEscalation webhook notification or poll GET /sacred-zero/escalations for resolution before resubmitting the same action vector.

Section 10

Idempotency and Anti-Spoliation

Every POST, PUT, and PATCH endpoint in the specification requires an Idempotency-Key header (UUID v4). The idempotency window is 24 hours; within this window, a repeated request with the same key returns the original response without re-executing the operation.

Idempotency and AlwaysMemory (Pillar II) interact at the pre-actuation commit boundary. A POST /anchoring-logs request that commits a Moral Trace Log and receives a Permission Token in response cannot be re-executed to produce a second Permission Token for the same log. The first commit is the anti-spoliation anchor. The idempotency guarantee ensures that network failures between the Anchoring Lane and the calling system cannot result in duplicate log entries or duplicate token issuances for the same decision.

Part G — future_blocked_appendix.md
Architectural targets blocked by Section 10 (Implementation Gap). No endpoint or schema claims to implement any feature in this appendix.

A feature is FUTURE when it is blocked by a named constraint from Section 10 of the TML Constitutionalization Monograph v3.3. A feature is BETA when buildable with documented tradeoffs. A feature is SHIPPING when buildable with 2025 production libraries with no known Section 10 blockers. This appendix covers FUTURE only.

Every entry below traces to a named Section 10 constraint. SHIPPING mitigations are documented; they do not close the underlying gap. The gap remains FUTURE until the named constraint is resolved.
Feature 1
Real-Time Per-Token Blockchain Anchoring
FUTURE
Architectural Target
Every Permission Token issued by the Anchoring Lane is anchored individually and in real time to a public blockchain, producing a per-token blockchain transaction ID available within the <500ms Anchoring Lane latency envelope.
Blocking Constraint (Section 10)
Throughput asymmetry at global AI scale. Public blockchain throughput is measured in tens to hundreds of transactions per second for finalized writes. A TML deployment processing millions of decisions per day would require millions of per-token blockchain writes per day. No public blockchain in production as of the monograph version provides the throughput, finality speed, and cost profile required to anchor every token individually within the <500ms Anchoring Lane latency budget.
What Remains Unbuildable
A single-token-to-single-blockchain-transaction binding at Anchoring Lane throughput. The <500ms latency envelope and the per-token granularity requirement cannot be simultaneously satisfied with any 2025 production public blockchain.
Shipping Mitigation
Merkle-batched anchoring. The Anchoring Lane accumulates Moral Trace Logs into batches, computes a Merkle root over the batch, and anchors the root as a single blockchain transaction. Individual log inclusion is provable via MerkleInclusionProof.inclusionPath. The Permission Token carries merkleRoot rather than a per-token transaction ID.
POST /anchoring-logs response: anchoring.estimatedFinalizationAt — signals deferred finalization
GET /audit/verifications/merkle/{merkleRoot} — verifies batch root
GET /audit/verifications/inclusion/{logId} — proves per-log inclusion
TML_Core.anchorMerkleRoot — anchors batch roots, not per-token records
Remaining Gap
Batch anchoring introduces a finalization lag between log commitment and public blockchain confirmation. During this lag, merkleAnchoringStatus.anchoredAt and MerkleInclusionProof.verificationStatus may report PENDING. The Permission Token is valid for actuation authorization before batch finalization completes, because the token's validity is bound to the Anchoring Lane's HSM signature, not to blockchain confirmation. The forensic auditability is complete only after batch finalization. This lag is architectural, not a defect.
Specification Artifacts Affected
POST /anchoring-logs PermissionToken.merkleRoot MerkleInclusionProof TML_Core.anchorMerkleRoot TSLF-StateP1.merkleAnchoringStatus
Feature 2
Post-Quantum Cryptography (PQC) Signature Migration
FUTURE
Architectural Target
All TML cryptographic signatures, including Permission Token signatures, Goukassian Promise Signature Block values, HybridShield custodian signatures, and EIP-712 signed structures, use post-quantum algorithms (SLH-DSA-SHAKE-128s for signing and ML-KEM-1024 for key encapsulation) that are secure against adversaries with access to large-scale quantum computing.
Blocking Constraint (Section 10)
Algorithm standardization maturity and HSM production availability. As of the monograph version, NIST FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) are finalized standards, but HSM vendors have not uniformly shipped production firmware supporting these algorithms. The EIP-712 ecosystem and the broader Ethereum toolchain have not standardized PQC signature verification on-chain. Migration requires simultaneous readiness across HSM firmware, smart contract verifiers, and client SDK layers. The on-chain verification gap is the hardest constraint: no production EVM supports PQC precompiles as of the monograph version.
What Remains Unbuildable
A fully PQC-secured TML deployment in which every signature-producing operation uses SLH-DSA-SHAKE-128s or ML-KEM-1024 and every signature-verifying operation, including on-chain ABI verification in TML_Core, can verify PQC signatures.
Shipping Mitigation
ECDSA (ES256, ES384, ES512) and RSA (RS256, RS384, RS512) signatures are the SHIPPING algorithms. The specification reserves PQC algorithm identifiers in all relevant schema fields to enable forward-compatible migration without breaking schema changes.
SignatureBlock.signatureAlgorithm: enum includes "SLH-DSA-SHAKE-128s" and "ML-KEM-1024" — schema-valid, operationally FUTURE
eip712_typed_data.json GoukassianSignatureAttestation: signatureAlgorithmId 6 (SLH-DSA), 7 (ML-KEM) reserved
Remaining Gap
ECDSA P-256 is computationally secure against classical adversaries. It is not secure against a sufficiently powerful quantum adversary running Shor's algorithm. Until HSM vendors and EVM toolchains support PQC algorithms in production, the cryptographic non-repudiation chain retains a long-term quantum vulnerability. The mitigation reserves the migration path; it does not close the vulnerability.
Specification Artifacts Affected
SignatureBlock.signatureAlgorithm eip712_typed_data.json signatureAlgorithmId 6-7 PermissionToken.signatureValue CustodianQuorumAttestation (EIP-712)
Feature 3
Hardware Moral Processing Units (MPUs)
FUTURE
Architectural Target
Dedicated silicon implementing the ternary logic governance coprocessor as a hardware Moral Processing Unit, physically enforcing the separation between the binary inference engine and the ternary governance layer at the instruction execution level. An MPU would enforce No Log = No Action in hardware: the actuation bus would be physically gated by a hardware signal, making software bypass architecturally impossible rather than merely contractually prohibited.
Blocking Constraint (Section 10)
No production MPU silicon exists. The hardware design space for ternary logic processing units is an active research area, but no commercially available MPU implementing TML's constitutional enforcement model has been fabricated, tested, or qualified for production deployment as of the monograph version.
What Remains Unbuildable
The actuation bus hardware gate. In the absence of MPU silicon, No Log = No Action is enforced through software contracts (the StateEnvelope schema constraint), cryptographic verification (the Permission Token signature and Merkle proof chain), and on-chain ABI reversion (the NoLogNoAction custom error). These are strong enforcement mechanisms, but they do not provide the physical impossibility guarantee that hardware gating would.
Shipping Mitigation
The Dual-Lane software architecture is the SHIPPING expression of the MPU concept. The Inference Lane and Anchoring Lane are architecturally separated at the API surface, security scheme level (InferenceLaneSecurity vs AnchoringLaneSecurity), and schema level (PermissionToken.laneOrigin: const "ANCHORING_LANE"). The GatewayRoutingStatus schema and GET /gateway/status expose the Gateway's constitutional routing state including failClosedActive.
Remaining Gap
Software enforcement requires a trusted execution environment and a conforming implementation. A non-conforming implementation can bypass software constraints in ways that hardware gating would prevent. The constitutional compliance matrix and auditor verification workflow provide detection capability for non-conforming behavior after the fact, but not prevention at the execution level.
Specification Artifacts Affected
Entire Dual-Lane Architecture GatewayRoutingStatus.failClosedActive PermissionToken.laneOrigin: const "ANCHORING_LANE" TML_Core.NoLogNoAction error
Feature 4
Cross-Jurisdiction Custodian Quorum in Sub-500ms
FUTURE
Architectural Target
The HybridShield 6-Custodian distributed anchoring achieves a cryptographic quorum across all six custodians, operating in geographically distributed jurisdictions, within the Anchoring Lane's <500ms latency budget, so that every Permission Token is backed by a fully distributed, cross-jurisdictional custodian quorum completed before the token is issued.
Blocking Constraint (Section 10)
Network physics. The speed of light imposes a minimum round-trip latency between geographically distant custodian nodes. A custodian in Western Europe and a custodian in East Asia have a minimum round-trip network latency of approximately 200-300ms under ideal conditions. A 6-of-6 or even 4-of-6 synchronous quorum across genuinely cross-jurisdictional custodian nodes cannot reliably complete within 500ms given routing overhead, cryptographic signing time, and network jitter.
What Remains Unbuildable
Synchronous cross-jurisdiction full quorum within the <500ms Anchoring Lane latency envelope. The physics constraint is absolute: no software optimization closes the gap imposed by the geographic distribution requirement.
Shipping Mitigation
Two mitigations are specified. First, regionally co-located custodian subsets can achieve sub-500ms quorum within a single geographic region. GET /regulator/custodian-quorum reports both activeCustodianCount and crossJurisdictionLatencyMs, allowing operators to monitor the gap between the local quorum and the full cross-jurisdictional target. Second, PermissionToken.custodianQuorumAttestation is an optional BETA field; a token is valid without it.
GET /regulator/custodian-quorum: x-tml-blocking-constraint: "Section 10: Cross-jurisdiction sub-500ms quorum remains FUTURE"
PermissionToken.custodianQuorumAttestation: optional BETA — token valid without it
Remaining Gap
A deployment claiming full HybridShield constitutional compliance must acknowledge that the cross-jurisdiction latency target is aspirational until network infrastructure evolution or architectural changes (such as asynchronous quorum with deferred finality) make it achievable.
Specification Artifacts Affected
GET /regulator/custodian-quorum PermissionToken.custodianQuorumAttestation (BETA) CustodianHeartbeat.latencyMs TML_Core.QuorumNotMet error
Feature 5
Immutable Ledger with Native GDPR Article 17 Compliance (Erasure Paradox)
FUTURE
Architectural Target
The Moral Trace Log store is simultaneously: (a) cryptographically immutable, with immutability provable via the Merkle inclusion chain; and (b) natively GDPR Article 17 compliant, so that any individual can exercise their right to erasure and the system can demonstrate that their personal data has been erased.
Blocking Constraint (Section 10)
The Erasure Paradox. Immutability means no deletion. Article 17 means the right to deletion. These two properties are in direct architectural contradiction. No data architecture as of the monograph version resolves this contradiction natively.
What Remains Unbuildable
A single log store architecture that is both cryptographically immutable and natively capable of demonstrating per-record erasure to a data subject or supervisory authority.
Shipping Mitigation: Cryptographic Erasure
The monograph proposes cryptographic erasure as the mitigation. Personal data in each log entry is encrypted with a per-record key (derived from a per-subject key hierarchy such as HKDF-SHA3-256). The key is held in a separate erasure key registry. When an Article 17 erasure request is received, the erasure key for the relevant records is destroyed. Without the key, the encrypted personal data in the log entry is computationally inaccessible, providing practical erasure without modifying the ciphertext record in the immutable log.
The SHA256Hex schema primitive and the PermissionToken.logHash binding accommodate this architecture: the Merkle inclusion proof verifies the ciphertext record's integrity, and the destroyed key provides the practical erasure guarantee. This is consistent with ENISA guidance on pseudonymization and with interpretations of Article 17 that accept cryptographic inaccessibility as equivalent to deletion for computationally bounded adversaries.
Cryptographic Erasure folder (TernaryLogic repository): HKDF-SHA3-256 key hierarchy, NuSMV LTL verification,
NIST CAVP vectors, ML-KEM-1024 PQC migration path, FROST 3-of-5 and 5-of-7 threshold signing for key management.
Remaining Gap (Three Sub-Gaps)
Sub-gap 1: Regulatory interpretation. The interpretation that key destruction constitutes erasure has not been affirmed by all EU supervisory authorities and has not been tested in CJEU proceedings as of the monograph version. Regulatory risk remains.
Sub-gap 2: Erasure key registry dependency. If erasure keys are lost before an erasure request is received, personal data becomes permanently inaccessible even to the data controller. Conversely, if the erasure key registry is compromised, all encrypted records are exposed. The registry's security posture is as critical as the log store's.
Sub-gap 3: Metadata residue. Metadata fields in log records (timestamps, decision identifiers, pillar assessment scores, threat vector categories) may themselves constitute personal data in some jurisdictions when combined with other data sources. Key-destroying the personal data content does not erase metadata. Complete Article 17 compliance may require metadata suppression beyond what cryptographic erasure provides.
Specification Artifacts Affected
All TSLF schemas SHA256Hex PermissionToken.logHash AuditProof MerkleInclusionProof Cryptographic Erasure folder (TernaryLogic repo)
Appendix Index

FUTURE Features by Primary Pillar

Feature Primary Pillar(s) Section 10 Constraint Key Specification Artifacts Affected
Real-time per-token blockchain anchoring PublicBlockchains (VIII) Throughput asymmetry at global AI scale POST /anchoring-logs; PermissionToken.merkleRoot; MerkleInclusionProof; TML_Core.anchorMerkleRoot
PQC signature migration GoukassianPromise (III); HybridShield (VII) HSM firmware and EVM toolchain readiness SignatureBlock.signatureAlgorithm; eip712_typed_data.json GoukassianSignatureAttestation signatureAlgorithmId 6-7
Hardware Moral Processing Units (MPUs) SacredZero (I); AlwaysMemory (II) No production MPU silicon Entire Dual-Lane Architecture; GatewayRoutingStatus; PermissionToken.laneOrigin
Sub-500ms cross-jurisdiction custodian quorum HybridShield (VII) Network physics; geographic distribution GET /regulator/custodian-quorum; PermissionToken.custodianQuorumAttestation (BETA); CustodianHeartbeat.latencyMs
Immutable ledger with native GDPR Art. 17 compliance AlwaysMemory (II); MoralTraceLogs (IV) Erasure Paradox (immutability vs. right to erasure) All TSLF schemas; SHA256Hex; PermissionToken.logHash; AuditProof; Cryptographic Erasure folder

Note on BETA classification. PermissionToken.custodianQuorumAttestation is classified BETA, not FUTURE. It is buildable with documented tradeoffs (regional rather than full cross-jurisdictional quorum, latency penalties). It is listed in the sub-500ms quorum entry to distinguish the optional BETA field from the cross-jurisdiction latency target (which is FUTURE). BETA features appear in the specification as optional fields or annotated endpoints. They are buildable for regulated deployments where the performance tradeoffs are acceptable.

TML Specification Architecture — Step 5 of 5 — specification_architecture.md + future_blocked_appendix.md — v3.3.0-tml-monograph-2025 Authority: TML Constitutionalization Monograph v3.3