Section A — tml_abi.json
Function signatures, event logs, and custom errors. No Solidity source code.
Scope constraint
This ABI bundle defines function signatures, event parameters, and custom error types for TML_Core.sol and ITMLEnforcer.sol. It contains no Solidity source code, no deployment scripts, and no operational SLO configurations. The ABI is the on-chain enforcement complement to the OpenAPI contract (Step 1) and JSON Schema bundle (Step 2): together they enforce No Log = No Action across off-chain API, schema, and on-chain layers.
TML_Core: constructor, 9 functions, 6 events, 6 errors
ITMLEnforcer: 5 functions, 3 events, 2 errors
TML_Core.sol — Functions
Core constitutional enforcement. Merkle anchoring. Permission Token registry. Sacred Zero and Emergency Override state management.
constructor TML_Core nonpayable
Deploys the TML_Core contract, binding it to the HybridShield 6-Custodian registry address, the ITMLEnforcer implementation, and the canonical monograph version string.
Monograph ref: Section 2.3.3, Section 2.4
Inputs
Name | Solidity Type | Description
_custodianRegistry | address | Address of the HybridShield 6-Custodian registry contract.
_enforcer | address | Address of the ITMLEnforcer implementation for HumanRightsMandate and EarthProtectionMandate.
_monographVersion | string | Canonical monograph version string, e.g. "3.3.0-tml-monograph-2025".
function anchorMerkleRoot nonpayable
Anchors a Merkle root representing a batch of Moral Trace Logs to the public blockchain. Enforces AlwaysMemory (Pillar II) and PublicBlockchains (Pillar VIII) on-chain. Caller must supply a valid HybridShield custodian quorum signature meeting the configured threshold. Emits MerkleRootAnchored on success.
Monograph ref: Section 8, Pillar VIII (PublicBlockchains), Pillar VII (HybridShield). x-tml-pillar: AlwaysMemory, PublicBlockchains, HybridShield
Inputs
Name | Solidity Type | Description
merkleRoot | bytes32 | SHA-256 Merkle root of the log batch, packed as bytes32.
batchId | bytes32 | Unique identifier for this Merkle batch.
logCount | uint256 | Number of Moral Trace Log entries included in this batch.
custodianSignatures | bytes[] | ECDSA signatures from HybridShield custodians. Must meet the quorum threshold.
custodianIds | bytes32[] | Custodian identifiers corresponding to each signature.
Outputs
Name | Solidity Type | Description
anchorId | bytes32 | On-chain identifier for this anchored Merkle root record.
anchoredAt | uint256 | Block timestamp at which the Merkle root was anchored.
Reverts with QuorumNotMet if custodian signatures do not meet the configured HybridShield threshold. Reverts with SacredZeroSystemWideActive if a system-wide Sacred Zero is active.
function registerPermissionToken nonpayable
Registers a Permission Token on-chain, binding it to its authorizing Moral Trace Log hash and Merkle root. A Permission Token cannot be registered without a previously anchored Merkle root that includes its logHash. This is the on-chain enforcement of No Log = No Action. Reverts with NoLogNoAction if logHash is not provably in an anchored Merkle root.
Monograph ref: Section 2.3.3, Section 5B.i. x-tml-pillar: AlwaysMemory, MoralTraceLogs
NO LOG = NO ACTION — Reverts NoLogNoAction when logHash is not contained in any anchored Merkle root. The on-chain final enforcement layer.
Inputs
Name | Solidity Type | Description
tokenId | bytes32 | Unique identifier for the Permission Token (UUID v4 packed as bytes32).
logHash | bytes32 | SHA-256 hash of the authorizing Moral Trace Log entry.
merkleRoot | bytes32 | Merkle root of the batch containing the log. Must be a previously anchored root.
signerKeyId | bytes32 | Key identifier of the HSM signing key that signed this token.
epochTimestamp | uint256 | Unix epoch timestamp at issuance.
signatureValue | bytes | HSM signature over canonical token fields.
Outputs
Name | Solidity Type | Description
registered | bool | True if registration succeeded. False (or revert) if logHash is not in the supplied merkleRoot.
function verifyPermissionToken view
Verifies that a Permission Token is validly registered, unexpired, and bound to an anchored Moral Trace Log. Read-only. Used by the actuation layer before executing any State +1 action. Returns a human-readable reason string when invalid.
Monograph ref: Section 2.3.3, Section 5B.i. x-tml-pillar: AlwaysMemory, MoralTraceLogs
Inputs
Name | Solidity Type | Description
tokenId | bytes32 | The Permission Token identifier to verify.
logHash | bytes32 | Expected logHash binding for this token.
currentTimestamp | uint256 | Current block timestamp used for expiry check.
Outputs
Name | Solidity Type | Description
valid | bool | True if token is registered, unexpired, and logHash is anchored.
reason | string | Human-readable reason when valid is false. Empty string when valid is true.
function verifyMerkleInclusion pure
Verifies that a log entry hash is included in a previously anchored Merkle root via a supplied inclusion proof path. Pure function; no state read required. Used by auditors and the actuation layer to verify log inclusion without reading storage.
Monograph ref: Section 8, Pillar VIII (PublicBlockchains). x-tml-pillar: PublicBlockchains, MoralTraceLogs
Inputs
Name | Solidity Type | Description
merkleRoot | bytes32 | The anchored Merkle root to verify against.
logHash | bytes32 | SHA-256 hash of the log entry (leaf node).
inclusionPath | bytes32[] | Ordered sibling hashes from leaf to root.
pathPositions | bool[] | Position flags: true = sibling is on the right; false = sibling is on the left.
Outputs
Name | Solidity Type | Description
included | bool | True if logHash is provably included in the merkleRoot via the supplied proof path.
function activateSacredZeroSystemWide nonpayable
Activates a system-wide Sacred Zero state (State 0), suspending all Permission Token registration and issuance until resolved by a human authority. Logs the activation event on-chain before taking effect. No Log = No Action applies without exception. Requires custodian quorum. Emits SacredZeroActivated.
Monograph ref: Section 2.2 (SacredZero / Sacred Pause), Section 13.3. x-tml-pillar: SacredZero, AlwaysMemory, HybridShield
Sacred Zero (State 0) is an active governance state of mandatory hesitation. It is never a null, never an error, never a timeout. This function activates the system-wide Sacred Pause operational workflow.
Inputs
Name | Solidity Type | Description
escalationId | bytes32 | Identifier of the Sacred Zero escalation triggering this system-wide activation.
justificationHash | bytes32 | SHA-256 hash of the justification document for this activation.
custodianSignatures | bytes[] | Quorum custodian signatures authorizing system-wide activation.
custodianIds | bytes32[] | Custodian identifiers corresponding to signatures.
Outputs
Name | Solidity Type | Description
activationId | bytes32 | On-chain identifier for this Sacred Zero activation record.
function resolveSacredZeroSystemWide nonpayable
Resolves an active system-wide Sacred Zero state under supreme authority. Resolution must specify a terminal state in resolvedState: uint8 0 (REFUSE) or uint8 1 (PROCEED). Triadic State 0 (Sacred Zero) is not a valid resolution; the uint8 value 0 here encodes REFUSE, not Sacred Zero. Reverts with InvalidResolutionState for any other value. Resolution is logged on-chain before state transition.
Monograph ref: Section 2.2, Section 13.3. x-tml-pillar: SacredZero, AlwaysMemory
resolvedState encoding: 0 = REFUSE (-1 in triadic space). 1 = PROCEED (+1 in triadic space). Any other value reverts InvalidResolutionState. Sacred Zero cannot be resolved to another Sacred Zero state.
Inputs
Name | Solidity Type | Description
activationId | bytes32 | The activation ID returned by activateSacredZeroSystemWide.
resolvedState | uint8 | 0 = REFUSE. 1 = PROCEED. No other values accepted; reverts InvalidResolutionState otherwise.
justificationHash | bytes32 | SHA-256 of the human reviewer's justification document.
supremeAuthoritySignature | bytes | Signature from a registered supreme authority identity.
Outputs
Name | Solidity Type | Description
resolved | bool | True if the Sacred Zero state was successfully resolved.
function executeEmergencyOverride nonpayable
Executes an Emergency Override under Section 13.3 supreme authority. Supports three override types. Logs the override on-chain before any state change. No Log = No Action applies without exception to all emergency overrides. Forced transition to PROCEED (+1) is not permitted via this function.
Monograph ref: Section 13.3 (Emergency Override). x-tml-pillar: SacredZero, AlwaysMemory, HybridShield
NO LOG = NO ACTION — Override is logged on-chain before execution. forcedState 255 = SACRED_ZERO. forcedState 0 = REFUSE. Forced transition to PROCEED is architecturally blocked.
Inputs
Name | Solidity Type | Description
overrideRequestId | bytes32 | Unique identifier for this override request.
overrideType | uint8 | 0 = BREAK_GLASS_SHUTDOWN. 1 = KILL_SWITCH. 2 = FORCED_STATE_TRANSITION.
targetDecisionId | bytes32 | Required when overrideType is 2. Zero bytes32 for other types.
forcedState | uint8 | Required when overrideType is 2. 0 = REFUSE. 255 = SACRED_ZERO. Forced transition to PROCEED is not permitted.
justificationHash | bytes32 | SHA-256 of the justification document. Logged before execution.
supremeAuthoritySignature | bytes | Signature from a registered supreme authority identity.
Outputs
Name | Solidity Type | Description
overrideId | bytes32 | On-chain identifier for this override event record.
function getAnchoredMerkleRoot view
Returns metadata for a previously anchored Merkle root. Used by auditors and the actuation layer to confirm batch anchoring status.
Monograph ref: Section 8. x-tml-pillar: PublicBlockchains
Inputs
Name | Solidity Type | Description
merkleRoot | bytes32 | The Merkle root to query.
Outputs
Name | Solidity Type | Description
batchId | bytes32 | Batch identifier associated with this Merkle root.
logCount | uint256 | Number of log entries in this batch.
anchoredAt | uint256 | Block timestamp of anchoring.
anchorId | bytes32 | On-chain anchor record identifier.
exists | bool | True if this Merkle root has been anchored.
function getSystemState view
Returns the current system-wide triadic state and emergency status of the TML_Core contract.
Monograph ref: Section 2.3, Section 13.3. x-tml-pillar: SacredZero
Outputs
Name | Solidity Type | Description
systemState | uint8 | 0 = NORMAL_OPERATION. 1 = SACRED_ZERO_SYSTEM_WIDE. 2 = BREAK_GLASS_ACTIVE. 3 = KILL_SWITCH_ACTIVE.
activeSacredZeroCount | uint256 | Number of active Sacred Zero escalations.
emergencyOverrideActive | bool | True when a Section 13.3 Emergency Override is active.
activeOverrideId | bytes32 | Identifier of the active override. Zero bytes32 when emergencyOverrideActive is false.
function monographVersion view
Returns the canonical monograph version string this contract was deployed against. Binding the contract to a specific monograph version ensures constitutional alignment is traceable on-chain.
Outputs
Name | Solidity Type | Description
version | string | Canonical monograph version, e.g. "3.3.0-tml-monograph-2025".
TML_Core.sol — Events
On-chain immutable records of all constitutional state transitions and anchoring operations.
event MerkleRootAnchored
Emitted when a Moral Trace Log batch Merkle root is successfully anchored on-chain. Primary on-chain record for PublicBlockchains (Pillar VIII) and AlwaysMemory (Pillar II) compliance.
Monograph ref: Section 8, Pillar VIII. x-tml-pillar: PublicBlockchains, AlwaysMemory
Parameters
Name | Solidity Type | Description
merkleRoot indexed | bytes32 | The anchored Merkle root.
batchId indexed | bytes32 | Batch identifier.
logCount | uint256 | Number of log entries in this batch.
anchoredAt | uint256 | Block timestamp of anchoring.
anchorId | bytes32 | On-chain anchor record identifier.
event PermissionTokenRegistered
Emitted when a Permission Token is successfully registered on-chain. Confirms that No Log = No Action was enforced: the token's logHash was verified in an anchored Merkle root before registration succeeded.
Monograph ref: Section 2.3.3, Section 5B.i. x-tml-pillar: AlwaysMemory, MoralTraceLogs
Parameters
Name | Solidity Type | Description
tokenId indexed | bytes32 | The registered Permission Token identifier.
logHash indexed | bytes32 | SHA-256 of the authorizing Moral Trace Log.
merkleRoot indexed | bytes32 | Merkle root of the batch containing the log.
epochTimestamp | uint256 | Unix epoch timestamp at issuance.
event SacredZeroActivated
Emitted when a Sacred Zero state is activated (per-decision or system-wide). The Sacred Pause operational workflow begins upon this event. State 0 is an active first-class governance state; this event is its on-chain record of activation.
Monograph ref: Section 2.2. x-tml-pillar: SacredZero
Parameters
Name | Solidity Type | Description
escalationId indexed | bytes32 | The escalation case identifier.
systemWide | bool | True when activation is system-wide.
activatedAt | uint256 | Block timestamp of activation.
justificationHash | bytes32 | SHA-256 of the justification document.
event SacredZeroResolved
Emitted when a Sacred Zero escalation is resolved by a human authority. resolvedState: 0 = REFUSE, 1 = PROCEED. Resolution to Sacred Zero (any other value) reverts InvalidResolutionState and never emits this event.
Monograph ref: Section 2.2. x-tml-pillar: SacredZero, HumanRightsMandate
Parameters
Name | Solidity Type | Description
activationId indexed | bytes32 | The Sacred Zero activation being resolved.
resolvedState | uint8 | 0 = REFUSE (-1 triadic). 1 = PROCEED (+1 triadic).
resolvedAt | uint256 | Block timestamp of resolution.
event EmergencyOverrideExecuted
Emitted when an Emergency Override is executed under Section 13.3 supreme authority. This event is the on-chain confirmation that the override was logged before execution (No Log = No Action compliance).
Monograph ref: Section 13.3. x-tml-pillar: SacredZero, AlwaysMemory, HybridShield
Parameters
Name | Solidity Type | Description
overrideId indexed | bytes32 | On-chain identifier for the override event record.
overrideType | uint8 | 0 = BREAK_GLASS_SHUTDOWN. 1 = KILL_SWITCH. 2 = FORCED_STATE_TRANSITION.
executedAt | uint256 | Block timestamp of execution.
justificationHash | bytes32 | SHA-256 of the justification document.
event LanternStatusBroadcast
Emitted when the Goukassian Promise Lantern signal is updated on-chain. Provides an immutable on-chain record of each compliance beacon broadcast. compliancePosture values: 0 = FULLY_COMPLIANT, 1 = SACRED_ZERO_ACTIVE, 2 = PARTIAL_COMPLIANCE, 3 = EMERGENCY_OVERRIDE_ACTIVE, 4 = DEGRADED.
Monograph ref: Section 2.4 (GoukassianPromise: lantern). x-tml-pillar: GoukassianPromise
Parameters
Name | Solidity Type | Description
lanternId indexed | bytes32 | Unique identifier for this Lantern broadcast.
compliancePosture | uint8 | 0 = FULLY_COMPLIANT. 1 = SACRED_ZERO_ACTIVE. 2 = PARTIAL_COMPLIANCE. 3 = EMERGENCY_OVERRIDE_ACTIVE. 4 = DEGRADED.
emittedAt | uint256 | Block timestamp of emission.
signatureHash | bytes32 | SHA-256 of the Goukassian Promise Signature Block signing this broadcast.
TML_Core.sol — Custom Errors
Typed reverts for constitutional violations. Each error name identifies the specific law breached.
error NoLogNoAction
Reverts when a Permission Token registration is attempted for a logHash not included in any anchored Merkle root. The on-chain enforcement of the No Log = No Action iron law. This revert name is the constitutional statement in Solidity.
NO LOG = NO ACTION — This error is the on-chain constitutional enforcement. It cannot be caught and suppressed by a conforming actuation layer.
Monograph ref: Section 2.3.3
Parameters
Name | Solidity Type | Description
tokenId | bytes32 | The Permission Token that failed registration.
logHash | bytes32 | The logHash not found in any anchored Merkle root.
error SacredZeroSystemWideActive
Reverts when any Permission Token registration or Merkle anchoring is attempted while a system-wide Sacred Zero state is active. The Sacred Pause holds all actuation until resolution.
Monograph ref: Section 2.2, Section 13.3
Parameters
Name | Solidity Type | Description
activationId | bytes32 | The active Sacred Zero activation record identifier.
error QuorumNotMet
Reverts when a HybridShield custodian quorum threshold is not met for operations requiring distributed authorization (Merkle anchoring, system-wide Sacred Zero activation).
Monograph ref: Section 2.3.3, Pillar VII (HybridShield)
Parameters
Name | Solidity Type | Description
provided | uint256 | Number of valid custodian signatures provided.
required | uint256 | Minimum custodian signatures required for quorum.
error InvalidResolutionState
Reverts when a Sacred Zero resolution submits any resolvedState value other than 0 (REFUSE) or 1 (PROCEED), which includes any attempt to resolve to Sacred Zero itself. Triadic State 0 is not a valid resolution state. Terminal resolution must be +1 or -1.
Monograph ref: Section 2.2
Parameters
Name | Solidity Type | Description
invalidState | uint8 | The invalid resolution state value that was submitted.
error UnauthorizedSupremeAuthority
Reverts when an Emergency Override caller is not a registered supreme authority identity. Emergency Overrides may only be invoked by identities registered in the TML_Core supreme authority registry.
Monograph ref: Section 13.3
Parameters
Name | Solidity Type | Description
caller | address | The unauthorized caller address.
error TokenExpired
Reverts when a Permission Token is presented for verification after its expiresAt timestamp. Token expiry is a hard constraint; expired tokens may never authorize actuation.
Monograph ref: Section 5B.i
Parameters
Name | Solidity Type | Description
tokenId | bytes32 | The expired Permission Token identifier.
expiredAt | uint256 | The expiresAt timestamp that was exceeded.
ITMLEnforcer.sol — Functions
Interface for HumanRightsMandate (Pillar V) and EarthProtectionMandate (Pillar VI) on-chain enforcement. All TML-compliant deployments must satisfy this interface.
function verifyHumanRightsCompliance view
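Verifies that a proposed action vector does not violate the Human Rights Mandate. Checks the action against UDHR Article and Geneva Convention provision vectors. Returns forcedState to indicate the mandated triadic state when non-compliant: 0 = SACRED_ZERO, 255 = REFUSE. This encoding is the reverse of the forcedState encoding in TML_Core.executeEmergencyOverride (0 = REFUSE, 255 = SACRED_ZERO), so callers must decode forcedState per interface.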
Monograph ref: Pillar V (HumanRightsMandate), Section 2.3.3. x-tml-pillar: HumanRightsMandate
Inputs
Name | Solidity Type | Description
decisionId | bytes32 | The decision being evaluated.
actionVectorHash | bytes32 | SHA-256 of the canonical action vector.
flaggedProvisions | bytes32[] | Hashed UDHR Article and Geneva Convention provision identifiers flagged by the Inference Lane. E.g. keccak256("UDHR-Art-3").
severityLevels | uint8[] | Severity levels per provision: 0 = LOW, 1 = MEDIUM, 2 = HIGH, 3 = CRITICAL.
Outputs
Name | Solidity Type | Description
compliant | bool | True if no Human Rights Mandate violation detected.
violationCode | bytes32 | Hash of the most severe violated provision. Zero bytes32 when compliant.
forcedState | uint8 | Mandated triadic state when non-compliant. 0 = SACRED_ZERO. 255 = REFUSE. Callers must respect this mandate.
function verifyEarthProtectionCompliance view
Verifies that a proposed action vector does not violate the Earth Protection Mandate. Checks the action against Paris Agreement article and climate target vectors. Returns forcedState to indicate the mandated triadic state when non-compliant.
Monograph ref: Pillar VI (EarthProtectionMandate), Section 2.3.3. x-tml-pillar: EarthProtectionMandate
Inputs
Name | Solidity Type | Description
decisionId | bytes32 | The decision being evaluated.
actionVectorHash | bytes32 | SHA-256 of the canonical action vector.
flaggedProvisions | bytes32[] | Hashed Paris Agreement provision identifiers. E.g. keccak256("PA-Art-2.1a").
severityLevels | uint8[] | Severity levels per provision: 0 = LOW, 1 = MEDIUM, 2 = HIGH, 3 = CRITICAL.
Outputs
Name | Solidity Type | Description
compliant | bool | True if no Earth Protection Mandate violation detected.
violationCode | bytes32 | Hash of the most severe violated provision. Zero bytes32 when compliant.
forcedState | uint8 | 0 = SACRED_ZERO. 255 = REFUSE.
function verifyGoukassianLicense view
Verifies the Goukassian Promise License artifact for a requesting entity. The license artifact is identified by its canonical name "license". A failed verification is a mandatory trigger for State -1 (Refuse). violatedArtifact ordinals: 1 = lantern, 2 = signature, 3 = license (canonical lowercase string ordinals for ABI encoding).
Monograph ref: Section 2.4 (GoukassianPromise: license). x-tml-pillar: GoukassianPromise
Inputs
Name | Solidity Type | Description
licenseTokenHash | bytes32 | SHA-256 hash of the license token being validated.
requestingEntityId | bytes32 | Hash of the requesting entity identity.
currentTimestamp | uint256 | Current block timestamp for expiry check.
Outputs
Name | Solidity Type | Description
valid | bool | True if the license token is valid.
violationType | uint8 | 0=NO_VIOLATION. 1=LANTERN_SUPPRESSION. 2=SIGNATURE_FORGERY. 3=LICENSE_BREACH. 4=PROVENANCE_TAMPERING. 5=UNAUTHORIZED_STATE_TRANSITION.
violatedArtifact | uint8 | 0=NO_ARTIFACT. 1="lantern". 2="signature". 3="license". Ordinals map to canonical lowercase Goukassian Promise artifact names.
function recordMandateViolation nonpayable
Records a confirmed mandate violation on-chain. Called by TML_Core when a compliance check returns non-compliant. The violation record is immutable (AlwaysMemory). mandateType: 0 = HUMAN_RIGHTS_MANDATE, 1 = EARTH_PROTECTION_MANDATE.
Monograph ref: Pillar V, Pillar VI, Pillar II (AlwaysMemory). x-tml-pillar: HumanRightsMandate, EarthProtectionMandate, AlwaysMemory
Inputs
Name | Solidity Type | Description
decisionId | bytes32 | The decision associated with this violation.
mandateType | uint8 | 0 = HUMAN_RIGHTS_MANDATE. 1 = EARTH_PROTECTION_MANDATE.
violationCode | bytes32 | Hash of the violated provision.
violationEvidenceHash | bytes32 | SHA-256 of the off-chain violation evidence package.
Outputs
Name | Solidity Type | Description
violationRecordId | bytes32 | On-chain identifier for the immutable violation record.
function getMandateConfiguration view
Returns the current configuration of registered UDHR/Geneva and Paris Agreement provisions and their severity thresholds. Read-only. Used by auditors and regulators to verify mandate coverage without reading implementation code.
Monograph ref: Pillar V, Pillar VI. x-tml-pillar: HumanRightsMandate, EarthProtectionMandate
Inputs
Name | Solidity Type | Description
mandateType | uint8 | 0 = HUMAN_RIGHTS_MANDATE. 1 = EARTH_PROTECTION_MANDATE.
Outputs
Name | Solidity Type | Description
provisionCount | uint256 | Number of registered provisions for this mandate.
configurationHash | bytes32 | SHA-256 of the full provision registry at its current state.
lastUpdatedAt | uint256 | Block timestamp of the most recent configuration update.
ITMLEnforcer.sol — Events & Errors
Mandate violation detection events and interface errors.
event HumanRightsMandateViolationDetected
Emitted when a Human Rights Mandate violation is detected. Triggers the automatic Sacred Zero or Refuse state transition via forcedState. forcedState: 0 = SACRED_ZERO, 255 = REFUSE.
Monograph ref: Pillar V (HumanRightsMandate). x-tml-pillar: HumanRightsMandate, SacredZero
Parameters
Name | Solidity Type | Description
decisionId indexed | bytes32 | The decision in which the violation was detected.
violationCode indexed | bytes32 | Hash of the violated UDHR/Geneva provision.
forcedState | uint8 | 0 = SACRED_ZERO. 255 = REFUSE.
detectedAt | uint256 | Block timestamp of detection.
event EarthProtectionMandateViolationDetected
Emitted when an Earth Protection Mandate violation is detected. Triggers the automatic Sacred Zero or Refuse state transition. forcedState: 0 = SACRED_ZERO, 255 = REFUSE.
Monograph ref: Pillar VI (EarthProtectionMandate). x-tml-pillar: EarthProtectionMandate, SacredZero
Parameters
Name | Solidity Type | Description
decisionId indexed | bytes32 | The decision in which the violation was detected.
violationCode indexed | bytes32 | Hash of the violated Paris Agreement provision.
forcedState | uint8 | 0 = SACRED_ZERO. 255 = REFUSE.
detectedAt | uint256 | Block timestamp of detection.
event GoukassianLicenseViolationDetected
Emitted when a Goukassian Promise license verification fails. violatedArtifact ordinals correspond to canonical lowercase artifact names: 1 = "lantern", 2 = "signature", 3 = "license".
Monograph ref: Section 2.4 (GoukassianPromise). x-tml-pillar: GoukassianPromise
Parameters
Name | Solidity Type | Description
licenseTokenHash indexed | bytes32 | Hash of the failed license token.
violationType | uint8 | 0=NO_VIOLATION. 1=LANTERN_SUPPRESSION. 2=SIGNATURE_FORGERY. 3=LICENSE_BREACH. 4=PROVENANCE_TAMPERING. 5=UNAUTHORIZED_STATE_TRANSITION.
violatedArtifact | uint8 | 0=NO_ARTIFACT. 1="lantern". 2="signature". 3="license".
detectedAt | uint256 | Block timestamp of detection.
error MandateNotConfigured & ProvisionArrayMismatch
MandateNotConfigured: Reverts when a mandate verification is requested for a mandateType not configured in the enforcer. Parameter: mandateType (uint8).
ProvisionArrayMismatch: Reverts when flaggedProvisions and severityLevels arrays are not the same length. Parameters: provisionsLength (uint256), severitiesLength (uint256).
Section B — eip712_typed_data.json
Off-chain structured data hashing for TML artifacts. Five primary types + canonical typeHash registry.
EIP-712 scope
This schema bundle defines EIP-712 domain separator and type definitions for off-chain structured data hashing and signing of TML artifacts. It is distinct from the on-chain ABI above. Signed EIP-712 structures enable the actuation layer to verify authorization off-chain without a gas-bearing call for every action, while the logHash and merkleRoot fields maintain on-chain verifiability via TML_Core. The PermissionToken typed data is the off-chain expression of No Log = No Action.
domain EIP712Domain
Domain separator definition binding all typed data signatures to a specific contract, chain, and monograph version. Prevents cross-domain and cross-version replay attacks.
EIP-712 Section 4 (Domain Separator). chainId and verifyingContract must be set to the deployment target at runtime.
name: "TMLFramework"
version: "3.3.0" // monograph version
chainId: <DEPLOYMENT_CHAIN_ID> // EIP-155 chain ID
verifyingContract: <TML_CORE_CONTRACT_ADDRESS> // binds to deployment
salt: <DEPLOYMENT_SPECIFIC_SALT_BYTES32> // entropy salt
Domain Type Fields
Name | EIP-712 Type | Description
name | string | Human-readable signing domain name.
version | string | TML monograph version this domain is bound to.
chainId | uint256 | EIP-155 chain ID of the deployment network.
verifyingContract | address | TML_Core contract address. Binds signatures to the specific deployment.
salt | bytes32 | Deployment-specific entropy salt to differentiate domain separators across deployments.
primaryType MoralTraceLog
EIP-712 typed data for off-chain signing of a Moral Trace Log (TSLF) entry. Enables custodians, auditors, and the Anchoring Lane to produce verifiable signatures over TSLF records without full on-chain storage of every field. currentState is typed as int8 to preserve signed triadic semantics: 0 is SACRED_ZERO, never false, never null.
Monograph ref: Section 8 (TSLF), Pillar II (AlwaysMemory), Pillar IV (MoralTraceLogs)
currentState is int8. State 0 = SACRED_ZERO. The int8 type prevents any implicit conflation of State 0 with Solidity bool false or uint8(0) semantics in off-chain signing contexts.
Type Fields
Name | EIP-712 Type | Description
logId | bytes32 | Unique identifier for this Moral Trace Log entry (UUID v4 as bytes32).
currentState | int8 | Signed triadic state: +1, 0, or -1. int8 preserves sign. 0 = SACRED_ZERO, not false, not null.
decisionId | bytes32 | The decision that produced this log entry.
envelopeId | bytes32 | Associated State Envelope identifier.
justificationObjectHash | bytes32 | SHA-256 of the canonical JSON serialization of the JustificationObject.
pillarsCertifiedHash | bytes32 | SHA-256 of the canonical serialization of the pillarsCertified array.
committedAt | uint256 | Unix epoch timestamp of pre-actuation commit (AlwaysMemory).
monographVersionHash | bytes32 | keccak256("3.3.0-tml-monograph-2025"). Binds log to specific monograph version.
Canonical TypeHash String
MoralTraceLog(bytes32 logId,int8 currentState,bytes32 decisionId,bytes32 envelopeId,bytes32 justificationObjectHash,bytes32 pillarsCertifiedHash,uint256 committedAt,bytes32 monographVersionHash)
primaryType PermissionToken
EIP-712 typed data for off-chain signing of a Permission Token by the Anchoring Lane. The signed PermissionToken is the cryptographic release key for the actuation layer. logHash and merkleRoot maintain on-chain verifiability against TML_Core anchor records. This is the off-chain expression of No Log = No Action.
Monograph ref: Section 2.3.3, Section 5B.i
NO LOG = NO ACTION (off-chain): logHash binds this token to a specific anchored log. Any off-chain verifier MUST confirm logHash is included in merkleRoot before accepting the token as actuation authorization.
Security properties enforced by this typed data:
No Log = No Action: logHash binds token to anchored log; actuation layer must verify Merkle inclusion.
Anchoring Lane only: Token must be signed by key registered to the Anchoring Lane in HybridShield registry.
Hard expiry: Actuation layer must reject any token where current timestamp ≥ expiresAt.
Domain binding: chainId + verifyingContract + monographVersionHash prevent cross-chain and cross-version replay.
Decision binding: decisionId prevents token reuse across different decisions.
Type Fields
Name | EIP-712 Type | Description
tokenId | bytes32 | Unique Permission Token identifier (UUID v4 as bytes32).
logHash | bytes32 | Core No Log = No Action binding. SHA-256 of the authorizing anchored Moral Trace Log.
epochTimestamp | uint256 | Unix epoch timestamp at Anchoring Lane issuance.
signerKeyId | bytes32 | keccak256 of the HSM signing key identifier string.
merkleRoot | bytes32 | Merkle root of the batch containing the authorizing log. Verifiable against TML_Core on-chain record.
expiresAt | uint256 | Unix epoch expiry. Actuation layer MUST reject tokens at or after this timestamp.
decisionId | bytes32 | Prevents token reuse across decisions. One token authorizes one decision.
monographVersionHash | bytes32 | keccak256("3.3.0-tml-monograph-2025"). Binds token to specific constitutional version.
Canonical TypeHash String
PermissionToken(bytes32 tokenId,bytes32 logHash,uint256 epochTimestamp,bytes32 signerKeyId,bytes32 merkleRoot,uint256 expiresAt,bytes32 decisionId,bytes32 monographVersionHash)
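The following is an added example, not code from the TML project, of an off-chain acceptance check that combines the inclusionPath / pathPositions convention of verifyMerkleInclusion with the hard-expiry and decision-binding properties listed for PermissionToken. Assumptions: interior nodes are SHA-256(left || right), a level with an odd node count duplicates its last node, the names accept_token and build_proof and the reason strings are hypothetical, and anchored_roots stands in for getAnchoredMerkleRoot lookups. Signature and domain-separator verification are separate steps and are not shown.

```python
import hashlib
from dataclasses import dataclass

def sha256(data):
    return hashlib.sha256(data).digest()

def verify_merkle_inclusion(merkle_root, log_hash, inclusion_path, path_positions):
    """Same inputs as verifyMerkleInclusion: siblings ordered leaf to root,
    flag True = sibling is on the right, False = sibling is on the left."""
    if len(inclusion_path) != len(path_positions):
        return False
    node = log_hash
    for sibling, sibling_on_right in zip(inclusion_path, path_positions):
        # Assumption: interior node = SHA-256(left || right); the page does not specify it.
        node = sha256(node + sibling) if sibling_on_right else sha256(sibling + node)
    return node == merkle_root

def build_proof(leaves, index):
    """Hypothetical helper: returns (root, path, positions) for leaves[index].
    Assumption: a level with an odd node count duplicates its last node."""
    level, path, positions = list(leaves), [], []
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        sibling = index ^ 1
        path.append(level[sibling])
        positions.append(sibling > index)
        level = [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path, positions

@dataclass(frozen=True)
class PermissionToken:
    """Subset of the PermissionToken typed-data fields used by the checks below."""
    token_id: bytes
    log_hash: bytes
    merkle_root: bytes
    expires_at: int
    decision_id: bytes

def accept_token(token, decision_id, now, anchored_roots, path, positions):
    """Return (valid, reason); reason is empty when valid, like verifyPermissionToken."""
    if now >= token.expires_at:                  # hard expiry: reject at or after expiresAt
        return False, "token expired"
    if token.decision_id != decision_id:         # decision binding: one token, one decision
        return False, "token bound to a different decision"
    if token.merkle_root not in anchored_roots:  # root must have been anchored on-chain
        return False, "merkle root not anchored"
    if not verify_merkle_inclusion(token.merkle_root, token.log_hash, path, positions):
        return False, "NoLogNoAction: logHash not in merkle root"
    return True, ""

# Constructed sample batch of five log entries (not real TML logs).
LOGS = [f"constructed-log-{i}".encode() for i in range(5)]
LEAVES = [sha256(entry) for entry in LOGS]
ROOT, PATH, POSITIONS = build_proof(LEAVES, 2)
DECISION = b"\x02" * 32
TOKEN = PermissionToken(token_id=b"\x01" * 32, log_hash=LEAVES[2], merkle_root=ROOT,
                        expires_at=1_700_000_300, decision_id=DECISION)

if __name__ == "__main__":
    print(accept_token(TOKEN, DECISION, 1_700_000_000, {ROOT}, PATH, POSITIONS))
    print(accept_token(TOKEN, DECISION, 1_700_000_300, {ROOT}, PATH, POSITIONS))
    unlogged = PermissionToken(TOKEN.token_id, sha256(b"unlogged"), ROOT,
                               TOKEN.expires_at, DECISION)
    print(accept_token(unlogged, DECISION, 1_700_000_000, {ROOT}, PATH, POSITIONS))
```

With duplicate-last-node padding, the proof for the final leaf of an odd-sized batch has a sibling equal to the node itself, so flipping that position flag does not change the computed root.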
primaryType EmergencyOverride
EIP-712 typed data for off-chain signing of Emergency Override authorizations by supreme authority identities. The signed data is submitted to TML_Core.executeEmergencyOverride. Signing this structure constitutes a sovereign authority act; it is immutably logged before execution. forcedState values: 0 = REFUSE, 255 = SACRED_ZERO. Forced transition to PROCEED is not permitted.
Monograph ref: Section 13.3 (Emergency Override). x-tml-pillar: SacredZero, AlwaysMemory, HybridShield
Type Fields
Name | EIP-712 Type | Description
overrideRequestId | bytes32 | Unique override request identifier.
overrideType | uint8 | 0 = BREAK_GLASS_SHUTDOWN. 1 = KILL_SWITCH. 2 = FORCED_STATE_TRANSITION.
targetDecisionId | bytes32 | Target decision for FORCED_STATE_TRANSITION. Zero bytes32 for other types.
forcedState | uint8 | 0 = REFUSE. 255 = SACRED_ZERO. Forced transition to PROCEED (+1) is architecturally blocked.
justificationHash | bytes32 | SHA-256 of the justification document. Archived off-chain and anchored before override executes.
requestedAt | uint256 | Unix epoch timestamp of the override request.
monographVersionHash | bytes32 | keccak256("3.3.0-tml-monograph-2025"). Binds override to specific monograph authority.
Canonical TypeHash String
EmergencyOverride(bytes32 overrideRequestId,uint8 overrideType,bytes32 targetDecisionId,uint8 forcedState,bytes32 justificationHash,uint256 requestedAt,bytes32 monographVersionHash)
primaryType CustodianQuorumAttestation
EIP-712 typed data for HybridShield custodian signatures in quorum operations. Each of the 6 custodians signs this structure to contribute to a quorum for Merkle anchoring, system-wide Sacred Zero activation, or Emergency Override authorization. operationType: 0 = MERKLE_ANCHOR, 1 = SACRED_ZERO_ACTIVATION, 2 = EMERGENCY_OVERRIDE.
Monograph ref: Section 2.3.3, Pillar VII (HybridShield). 6-Custodian distributed anchoring.
Type Fields
Name | EIP-712 Type | Description
custodianId | bytes32 | Unique identifier of the attesting custodian node.
operationId | bytes32 | Identifier of the operation this attestation authorizes.
operationType | uint8 | 0 = MERKLE_ANCHOR. 1 = SACRED_ZERO_ACTIVATION. 2 = EMERGENCY_OVERRIDE.
operationPayloadHash | bytes32 | SHA-256 of the operation payload (e.g., merkleRoot for MERKLE_ANCHOR).
attestedAt | uint256 | Unix epoch timestamp of custodian attestation.
custodianKeyVersion | bytes32 | Version identifier of the custodian's current key material.
Canonical TypeHash String
CustodianQuorumAttestation(bytes32 custodianId,bytes32 operationId,uint8 operationType,bytes32 operationPayloadHash,uint256 attestedAt,bytes32 custodianKeyVersion)
primaryType GoukassianSignatureAttestation
EIP-712 typed data for the Goukassian Promise Signature artifact, expressed as an on-chain-verifiable signed structure. artifactName is keccak256("signature"), encoding the canonical lowercase artifact name. signatureAlgorithmId reserves PQC algorithm slots: 6 = SLH-DSA-SHAKE-128s (FUTURE), 7 = ML-KEM-1024 (FUTURE). SHIPPING: 0 = ES256.
Monograph ref: Section 2.4 (GoukassianPromise: signature). artifactName: keccak256("signature").
signatureAlgorithmId 6 (SLH-DSA-SHAKE-128s) and 7 (ML-KEM-1024) are FUTURE per Section 10 (PQC migration gap). Algorithm IDs are reserved for forward-compatible migration without typeHash change.
Type Fields
Name | EIP-712 Type | Description
signatureId | bytes32 | Unique identifier for this Goukassian Promise Signature attestation.
artifactName | bytes32 | keccak256("signature"). Encodes the canonical Goukassian Promise artifact identity on-chain.
signerKeyId | bytes32 | keccak256 of the HSM signing key identifier string.
signedPayloadHash | bytes32 | SHA-256 of the payload being attested.
signatureAlgorithmId | uint8 | 0=ES256 (SHIPPING). 1=ES384. 2=ES512. 3=RS256. 4=RS384. 5=RS512. 6=SLH-DSA-SHAKE-128s (FUTURE). 7=ML-KEM-1024 (FUTURE).
signedAt | uint256 | Unix epoch timestamp at which the signature was produced.
monographVersionHash | bytes32 | keccak256("3.3.0-tml-monograph-2025"). Binds attestation to specific constitutional version.
Canonical TypeHash String
GoukassianSignatureAttestation(bytes32 signatureId,bytes32 artifactName,bytes32 signerKeyId,bytes32 signedPayloadHash,uint8 signatureAlgorithmId,uint256 signedAt,bytes32 monographVersionHash)
TypeHash Registry
Canonical EIP-712 type encoding strings. Whitespace is significant. These strings must not be reformatted. keccak256 of each string produces the on-chain typeHash.
Per EIP-712 Section 2.4: typeHash = keccak256(encodeType(primaryType)). These strings are authoritative. Any deviation in whitespace, ordering, or type name produces a different typeHash and breaks signature verification.
Primary Type | Canonical Type String (keccak256 input) | Note
MoralTraceLog | MoralTraceLog(bytes32 logId,int8 currentState,bytes32 decisionId,bytes32 envelopeId,bytes32 justificationObjectHash,bytes32 pillarsCertifiedHash,uint256 committedAt,bytes32 monographVersionHash) | int8 preserves signed triadic semantics. currentState 0 = SACRED_ZERO.
PermissionToken | PermissionToken(bytes32 tokenId,bytes32 logHash,uint256 epochTimestamp,bytes32 signerKeyId,bytes32 merkleRoot,uint256 expiresAt,bytes32 decisionId,bytes32 monographVersionHash) | Off-chain No Log = No Action enforcement. logHash binding is canonical.
EmergencyOverride | EmergencyOverride(bytes32 overrideRequestId,uint8 overrideType,bytes32 targetDecisionId,uint8 forcedState,bytes32 justificationHash,uint256 requestedAt,bytes32 monographVersionHash) | Section 13.3 supreme authority act. Signing this is a constitutional commitment.
CustodianQuorumAttestation | CustodianQuorumAttestation(bytes32 custodianId,bytes32 operationId,uint8 operationType,bytes32 operationPayloadHash,uint256 attestedAt,bytes32 custodianKeyVersion) | HybridShield 6-Custodian quorum contribution signature.
GoukassianSignatureAttestation | GoukassianSignatureAttestation(bytes32 signatureId,bytes32 artifactName,bytes32 signerKeyId,bytes32 signedPayloadHash,uint8 signatureAlgorithmId,uint256 signedAt,bytes32 monographVersionHash) | artifactName = keccak256("signature"). PQC IDs 6-7 reserved FUTURE.