Technical Architecture & Governance
of TML Smart Contracts
A Deterministic Enforcement Layer for Ternary Moral Logic on EVM-compatible Platforms
Executive Summary
The Ternary Moral Logic (TML) smart contract architecture operationalizes ethical commitments through a deterministic tri-state enforcement layer. Built on a Finite State Machine with states for active operation, review holds, and integrity freezes, the system introduces a "Sacred Zero" state for ethical uncertainty escalation to a human Stewardship Council. Protected by irreversible kill switches and hybrid on-chain/off-chain data architecture, TML ensures Ethics Precedes Execution in decentralized systems.
1. The Enforcement Primitive
The foundational layer of the Ternary Moral Logic (TML) framework is the Enforcement Primitive, a smart contract architecture designed to function as a deterministic State-Transition Engine. This engine operationalizes ethical commitments by embedding them directly into the execution logic of a smart contract, which acts as a gatekeeper for all subsequent actions on an EVM-compatible platform.
1.1 Smart Contract as State-Transition Engine
The TML smart contract is fundamentally a transaction-based state machine, a concept central to the Ethereum Virtual Machine (EVM) itself [65] [66]. Ethereum's global state transitions to a new state with each processed block of transactions [67].
Core TML Logic Implementation
The core evaluation logic processes incoming transactions against ethical rules derived from human rights documents and environmental protocols. This implementation uses Past-Time Linear Temporal Logic (PLTL) for formal verification [78].
// SPDX-License-Identifier: TML-Constitutional-Code
pragma solidity ^0.8.19;
/// @title ITMLEnforcer
/// @notice The interface for the Ternary Moral Logic enforcement primitive.
interface ITMLEnforcer {
/// @notice Represents the tri-state output of the TML evaluation.
enum TMLVerdict {
REFUSE, // -1
REVIEW_HOLD, // 0
PROCEED // +1
}
/// @notice Represents the finite states of the governed contract.
enum ContractState {
STATE_ACTIVE,
STATE_REVIEW_HOLD,
STATE_FLAGGED,
STATE_INTEGRITY_FROZEN
}
/// @notice Evaluates a transaction against the TML logic.
/// @dev This is the core function that must be called before any state-changing operation.
/// @param data The calldata of the transaction to be evaluated.
/// @return verdict The TMLVerdict enum value.
function evaluateTransaction(bytes calldata data) external returns (TMLVerdict verdict);
}
1.2 Tri-State Enforcement Mapping
Transaction Execution
Ethically compliant transaction authorized for immediate execution. Contract remains in STATE_ACTIVE.
Transaction Reversion
Definitive rejection for ethical violations. Transaction reverts, gas spent as deterrent.
Review Hold
Ethical ambiguity triggers STATE_REVIEW_HOLD for human council intervention.
1.3 Sequence Diagrams
Happy Path: +1 (Proceed)
Rejection Path: -1 (Refuse)
Escalation Path: 0 (Sacred Zero)
2. The Human Protocol Interface: The Stewardship Council
The TML framework introduces a critical layer of human oversight through the Stewardship Council, implemented as a multi-signature authority designed to intervene in specific scenarios of ethical ambiguity. The Council's power is strictly bounded, preventing it from overriding core ethical axioms.
2.1 Council as Multi-Sig Authority
The Council's power is distributed through a multi-signature smart contract implementation, leveraging the "m-of-n" wallet model that ensures no single individual holds absolute power [114] [115].
Role Definition and Responsibilities
- Reviewing Escalated Cases: Analyze transactions in STATE_REVIEW_HOLD
- Deliberation and Voting: Cast votes through multi-sig contract
- Executing Verdicts: Submit consensus decisions with m-of-n threshold
- Maintaining Integrity: Manage council membership through multi-sig votes
2.2 Workflow and Verdict Commits
Prohibition on Overriding -1 (Refuse) Verdicts
A cornerstone of the TML architecture is the strict prohibition on the Stewardship Council overriding a -1 (Refuse) verdict. This rule is enforced at the smart contract level, ensuring that core ethical axioms remain immutable.
Critical Principle: The Council's role is to resolve ambiguity (0), not to grant exceptions to rules (-1). This prevents "God Mode" scenarios where human authority could circumvent fundamental ethical principles.
// Verdict Commit Structure
struct VerdictCommit {
bytes32 logId; // Original TML evaluation ID
TMLVerdict finalVerdict; // Council's decision (+1 or -1)
uint256 timestamp; // Decision timestamp
bytes[] signatures; // m-of-n council signatures
bytes32 merkleProof; // Cryptographic proof linking to Always Memory
}
3. Finite State Machine Logic & Triggers
The lifecycle of a TML-governed smart contract is formally defined by a Finite State Machine (FSM), ensuring predictable and secure behavior through constrained states and governed transitions. This model is critical for operationalizing the TML framework.
3.1 State Definitions and Transitions
Standard Operation
Default operational state where TML tri-state logic is actively enforced.
- • Processes +1 and -1 verdicts
- • Triggers STATE_REVIEW_HOLD on 0
- • Majority of contract lifecycle
Sacred Zero State
Ethical ambiguity pause requiring human council intervention.
- • Time-bounded (72 hours)
- • Council consensus required
- • Auto-fail if unresolved
Probationary State
Heightened scrutiny triggered by pattern of -1 refusals.
- • Increased gas costs
- • Mandatory council review
- • Risk management tool
Irreversible Kill Switch
Terminal state triggered by catastrophic security threats.
- • No outgoing transitions
- • Absolute security guarantee
- • Protects system integrity
3.2 Integrity Freeze Triggers
Critical Security Triggers
⚠️ Irreversible Operation
Once triggered, STATE_INTEGRITY_FROZEN cannot be reversed. This design choice ensures absolute protection against "God Mode" scenarios where privileged users could override security measures.
4. Data Architecture: The "Always Memory" Implementation
The "Always Memory" architecture reconciles blockchain immutability with practical data management through a hybrid model. On-chain components store cryptographic commitments while off-chain systems maintain full encrypted logs with proof-of-custody.
4.1 On-Chain Storage Strategy
Merkle Roots
Cryptographic fingerprints of off-chain log data, enabling efficient verification without storing full data on-chain.
Keccak-256 Hashes
Native EVM hash function for decision trees, ensuring immutable reference to TML axioms and rulesets.
Timestamped Events
Chronological logs of significant state transitions and TML evaluations for auditability.
// Always Memory Root Management
bytes32 public alwaysMemoryRoot;
function updateAlwaysMemoryRoot(bytes32 newRoot)
external
onlyInState(STATE_ACTIVE)
onlyCouncilConsensus
{
alwaysMemoryRoot = newRoot;
emit AlwaysMemoryUpdated(newRoot, block.timestamp);
}
function verifyMerkleProof(
bytes32 leaf,
bytes32[] memory proof,
uint256 index
) public view returns (bool) {
return MerkleProof.verify(proof, alwaysMemoryRoot, leaf);
}
4.2 Verification and State Changes
Merkle Proof Verification Process
- 1. Proof Submission: User submits Merkle proof with leaf data and sibling hashes
- 2. Root Recomputation: Contract recomputes Merkle root using provided proof path
- 3. Root Comparison: Computed root compared against stored alwaysMemoryRoot
- 4. State Transition: Valid proof enables sensitive state changes like review hold resolution
🔒 Security Guarantee
Any sensitive state change requires valid Merkle proof verification, ensuring contract actions are always substantiated by authentic, untampered historical data.
5. Licensing & Compliance Attestation
The TML architecture embeds ethical principles directly through mandatory compliance attestation. The "Genesis" requirement ensures every contract is initialized with commitment to verifiable ethical documents, creating a constitutional foundation for operation.
5.1 The Genesis Requirement
Mandated Corpora
Human Rights Documents (40+)
- • Universal Declaration of Human Rights
- • International Covenant on Civil and Political Rights
- • Convention on the Rights of the Child
- • Geneva Conventions
Earth Protection Protocols (26+)
- • Paris Agreement on Climate Change
- • Convention on Biological Diversity
- • Basel Convention on Hazardous Waste
- • Stockholm Convention on POPs
// Constitution Hash Verification
bytes32 public constant CONSTITUTION_HASH =
0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef;
constructor(bytes32 _constitutionHash) {
require(
_constitutionHash == CONSTITUTION_HASH,
"TML: Invalid Constitution Hash"
);
// Deployment continues only with valid hash
}
Non-Compliance Failure Mode
If the Constitution Hash check fails during deployment, the constructor reverts and the contract is never created. This absolute enforcement ensures:
- • No TML contract exists without valid ethical foundation
- • Immutable axioms prevent retroactive alterations
- • System integrity preserved through cryptographic verification
6. Adversarial Analysis & "No God Mode" Proof
The TML architecture's "No God Mode" principle ensures no entity can arbitrarily alter fundamental ethical rules or override deterministic enforcement. This section provides mathematical proof of the irreversible STATE_INTEGRITY_FROZEN and analysis of administrative surface security.
6.1 Mathematical Proof of No Unfreeze Function
Formal State Machine Analysis
Let S = {ACTIVE, REVIEW_HOLD, FLAGGED, INTEGRITY_FROZEN} be the set of all states. Let T be the set of all defined transitions (s_from, s_to) where s_from and s_to are in S.
The "No God Mode" property: ∀t ∈ T, if t.s_from == INTEGRITY_FROZEN, then no such t exists where t.s_to != INTEGRITY_FROZEN
This formal verification is implemented through:
- • Modifier guards on all state-changing functions
- • Absence of any code path allowing unfreeze operations
- • Symbolic execution verification using CTL formulae
Circuit Breaker (Legitimate)
- • Triggered by objective, verifiable conditions
- • Automatic response to security threats
- • Protects system and users
- • Irreversible by design
Rug Pull (Malicious)
- • Triggered by admin discretion
- • Benefits admin at user expense
- • Reversible by privileged users
- • Exploits centralized control
Formal Verification Benefits
Using symbolic execution tools like nuXmv with CTL properties provides mathematical guarantees beyond traditional testing:
- • Exhaustive state space exploration
- • Automated vulnerability detection
- • Mathematical proof of security properties
- • Counter-example generation for failed properties
7. Conclusion: The Constitutional Code
The TML architecture represents a paradigm shift from "Code is Law" to "Logic is Constitution" — a fundamental transformation where ethical principles govern code execution rather than raw instructions determining outcomes.
Ethics Precedes Execution
Every action in the TML framework must pass ethical evaluation before execution. The tri-state logic creates nuanced responses to complex scenarios, while the "Sacred Zero" state acknowledges algorithmic limitations and provides structured pathways for human judgment.
Key Architectural Principles
- • Deterministic Enforcement
- • Tri-State Logic & Human Oversight
- • Finite State Machine Governance
- • "No God Mode" Security
Implementation Guarantees
- • "Always Memory" Data Architecture
- • Compliance Attestation
- • Irreversible Integrity Protection
- • Mathematical Security Proofs
Implications for Decentralized Governance
The shift from "Code is Law" to "Logic is Constitution" enables more flexible, ethical decentralized governance. TML provides concrete mechanisms for operationalizing ethical principles in systems that remain secure, efficient, and aligned with human values.
This architecture offers valuable insights for ethical AI development, demonstrating how complex ethical principles can be encoded into deterministic, verifiable systems — paving the way for trustworthy AI applications across domains from DeFi to autonomous systems.