Application-facing Time Contract

RC5.8 evaluator preview available now · macOS notarized package + Linux Docker ARM64 bundle active

The Time Contract before your application commits state.

GAL-2 Time Contract gives applications a governed decision before unsafe time becomes committed state.

Instead of trusting raw time directly, your software reads a local contract backed by the GAL-2 API. The contract tells the application when time is safe to consume, when to hold over, when to rejoin, and when to fail closed.

Public evidence chain

RC5.8 active evaluator artifacts: macOS PersonalSigned notarized installer, Linux Docker ARM64 evaluator bundle, SHA256SUMS, README, GPG signature, public download index, and public master index are active in the public download channel. RC5.8 includes the Time Contract daemon, RC4-derived 72-hour holdover policy, accelerated / policy-equivalent holdover and rejoin coverage, and IXOYE advisory witness surface.
RC5.8 public download index
RC5.8 public master index

RC5.8 IXOYE live witness evidence: IXOYE runs as an advisory, out-of-band witness. It observes contract coherence and live attestations, but it does not decide safe_to_consume, does not act as a time source, and is not a fallback clock. The authority remains GAL2_Time_Contract_policy_only.

RC5.8 holdover boundary: RC5.8 inherits the RC4-derived 72-hour holdover policy and includes accelerated / policy-equivalent holdover and rejoin coverage. The prior RC4 evidence includes a real 120-hour Time Contract characterization with the declared 72-hour holdover policy boundary. RC5.8 does not claim a fresh real 72-hour wall-clock holdover run of these exact final artifacts.

RC5.1 public evaluator release evidence: public release materials, smoke evidence addendum, and publication boundary package.
DOI: 10.5281/zenodo.20646973

RC4 72-Hour Extended Holdover: GAL-2 completed an official 120-hour Time Contract characterization with 14,279 contract samples, 0 monotonic_sequence backward steps, 0 gal2_time backward steps, 1 documented FAIL_CLOSED boundary row at the declared 72-hour holdover policy boundary, clean LIVE_RESTORED recovery, and return to LIVE.
DOI: 10.5281/zenodo.20582981

5-Day Adversarial: GAL-2 Time Contract v1.0 completed adversarial characterization with 14,397 contract samples, 0 fetch failures, 0 monotonic_sequence backward steps, and observed FAIL_CLOSED behavior with safe_to_consume=false.
DOI: 10.5281/zenodo.20357131

Solstice 7D: GAL-2 API-backed governed timeline maintained strict monotonicity across 508,548 observed samples over a full-week run on commodity hardware under real-world network conditions.
DOI: 10.5281/zenodo.18018704

Application-facing continuity and governance evidence. Not UTC accuracy evidence, not metrology certification, not production SLA evidence, and not a replacement for UTC, GNSS, PTP, NTP, chrony, grandmasters, atomic clocks, or operating-system time. RC5.8 is an evaluator preview / enterprise pilot candidate. It inherits the RC4-derived 72-hour holdover policy and includes accelerated / policy-equivalent holdover and rejoin coverage, but it does not claim a fresh real 72-hour wall-clock holdover run of the final RC5.8 artifacts.

View validation View release README View SHA256SUMS

Keep your timing stack. Add GAL-2 where time becomes application state.

Example Local Time Contract

GET http://127.0.0.1:9095/contract 
{

“schema”: “gal2-daemon-time-contract-v1”,
“version”: “1.2.0-contract-rc.3”,
“gal2_time”: “2026-06-16T15:38:29.930930Z”,
“utc_time”: “2026-06-16T15:38:29.945379Z”,
“safe_to_consume”: true,
“mode”: “LIVE”,
“health”: “green”,
“reason”: “fresh_api_sync”,
“valid_until”: “2026-06-16T15:39:07.333769Z”,
“valid_until_basis”: “last_good_sync_plus_contract_live_valid_sec”,
“monotonic_sequence”: 1513,
“monotonic_sequence_semantics”: “per_contract_serve”,
“api_latency_ms”: 455.827,
“operational_bound_ms”: 456.036,
“holdover_policy_version”: “rc5_ixoye_witness_holdover_policy_v0_1_derived_from_rc4_72h”,
“source_lineage”: [
“gal2_api”,
“gal2_daemon_rc3_base”,
“rc4_72h_holdover_policy”,
“rc5_ixoye_witness_contract”
],
“witness_ref”: {
“discovery”: “/witness”,
“enabled”: true,
“layer”: “IXOYE”,
“role”: “out_of_band_attestation”,
“policy”: “advisory_only”,
“effect_on_safe_to_consume”: “none”
}
}

  

    GET http://127.0.0.1:9095/witness
  

  
{

“schema”: “gal2-witness-advisory-v1”,
“layer”: “IXOYE”,
“role”: “out_of_band_attestation”,
“policy”: “advisory_only”,
“mocked”: false,
“effect_on_safe_to_consume”: “none”,
“safe_to_consume_authority”: “GAL2_Time_Contract_policy_only”,
“current_daemon_version”: “1.2.0-rc.3”,
“current_contract_version”: “1.2.0-contract-rc.3”,
“boundary”: {
“ixoye_does_not_decide_safe_to_consume”: true,
“ixoye_is_not_time_source”: true,
“ixoye_is_not_fallback_time_source”: true,
“live_attestation_observes_current_contract”: true
}
}

  

    
    Backed by the GAL-2 API. Served locally by the daemon. IXOYE witnesses out-of-band and does not affect safe_to_consume.

Start with the Time Contract

Try GAL-2 in your environment.

Get an API key, verify the upstream GAL-2 API, then run the local daemon and inspect 127.0.0.1:9095/contract.

Get an API key Quickstart (5 min)

Free evaluation tier · macOS + Linux · No credit card

API-Backed Governed Time

GAL-2 uses an upstream governed timeline and exposes it locally through the daemon as a consumable Time Contract.

Temporal Circuit Breaker

When time becomes stale, degraded, unavailable, or unsafe, GAL-2 can hold over, degrade, rejoin, or fail closed before bad time becomes application state.

Works With Your Timing Stack

GAL-2 complements GNSS, PTP, NTP, chrony, grandmasters, cloud systems, and existing infrastructure at the application boundary.

Application-facing Time Contract

How GAL-2 works

GAL-2 Time Contract RC5.1 / 1.1.3 turns governed time into an application-facing contract your software can check before time becomes state.

01

Connect to the GAL-2 API

The GAL-2 API provides the upstream governed timeline. Your existing timing stack remains in place while GAL-2 adds application-facing governance above it.

02

Run the local daemon

Deploy the GAL-2 daemon beside your application on macOS or Linux. The daemon exposes a local /contract endpoint backed by the GAL-2 API.

03

Commit only through the contract

Your application checks safe_to_consume, mode, reason, valid_until, and valid_until_basis before using time in state-changing operations. 

curl -s http://127.0.0.1:9095/contract

The Time Contract answers the question raw clocks do not.

Not only “what time is it?” but whether that governed time is safe for your application to consume right now.

gal2_time safe_to_consume valid_until valid_until_basis mode reason monotonic_sequence source_lineage

Your timing stack delivers time. GAL-2 governs whether applications should consume it before it becomes application state.

Why it matters

Raw time can become application state silently.

GAL-2 gives applications a governed boundary before time is trusted, written, ordered, logged, or committed. The Time Contract is visible to applications. The upstream governance layer is API-backed and designed for protected AWS deployment, including Nitro Enclaves and the NO-PA-NO™ anti-tamper governance model.

Without GAL-2

Timing faults can pass straight into production.

  • Backward clock steps can break ordering.
  • Stale references can be consumed as normal.
  • Recovery events can shock the application.
  • Bad time may be detected only after state was already committed.
With GAL-2 Time Contract

Time is governed before the application trusts it.

  • Applications check safe_to_consume before committing time-dependent state.
  • gal2_time is served through a local contract backed by the GAL-2 API.
  • Holdover, degraded, rejoin, and fail-closed states are explicit.
  • Monotonic sequence behavior gives software an auditable consumption path.
Protected governance model

Contract-visible. Core-protected. Evidence-backed.

GAL-2 exposes auditable Time Contract outputs to applications while keeping the upstream temporal governance core protected. NO-PA-NO™ is the anti-tamper governance model designed to protect the core against unauthorized observation, cloning, or arbitrary modification. The result is a practical integration surface for developers and a disciplined evidence trail for infrastructure evaluators.

Local endpoint 127.0.0.1:9095/contract Backed by GAL-2 API Protected AWS model with Nitro Enclaves Core protected by NO-PA-NO™ Evidence on Zenodo DOI Artifacts with SHA-256 Evaluator support for macOS + Linux
Close-up of a dark digital audio workstation interface showing audio and MIDI tracks with waveforms and block patterns.

Time-boundary failures

Built for the moments where broken time can become broken state.

GAL-2 Time Contract is designed for application paths that cannot blindly trust raw time during discontinuities, legacy timestamp boundaries, reference loss, stale time, recovery events, or timing behavior that can corrupt ordering, transactions, logs, expirations, and committed state.

Leap-second-like discontinuities

Do not let time jumps become state.

Leap seconds and similar discontinuities can create brittle application behavior when software assumes raw time is always safe. GAL-2 gives protected applications a governed path through gal2_time, validity, mode, reason, sequence, controlled output, and fail-closed semantics.

Y2038 application-boundary protection

Protect the state layer around Y2038-style failures.

GAL-2 does not patch legacy binaries, operating systems, kernels, firmware, database engines, schemas, or 32-bit time_t implementations. That is platform-level remediation. GAL-2 protects a different boundary: the moment software is about to turn time into committed application state. For workflows integrated through the GAL-2 Time Contract, Y2038-style timestamp failures can be governed, blocked, degraded, held over, or failed closed before unsafe time becomes irreversible state.

Reference loss and recovery

Hold, rejoin, or fail closed.

When upstream timing becomes stale, unavailable, degraded, or returns out of phase, GAL-2 can preserve bounded monotonic continuity where policy allows, perform controlled rejoin, or stop protected operations before unsafe time becomes committed state.

Claim boundary: GAL-2 does not replace platform-level Y2038 remediation such as 64-bit time migration, operating system updates, firmware replacement, database schema changes, or legacy binary remediation. GAL-2 operates at a different layer: it governs whether time can safely become application state. For applications and workflows integrated through the GAL-2 Time Contract, GAL-2 helps prevent Y2038-style timestamp failures, leap-second-like discontinuities, stale references, and unsafe recovery behavior from becoming committed state. Platform updates fix the clock layer. GAL-2 protects the state layer.

RC5.8 evaluator preview

Run the Time Contract locally.

GAL-2 runs as a local daemon and exposes an application-facing contract with gal2_time, safe_to_consume, mode, reason, valid_until, monotonic_sequence, and source_lineage.

RC5.8 active

macOS + Linux evaluator preview with IXOYE advisory witness.

Local endpoint: 127.0.0.1:9095/contract Witness endpoint: 127.0.0.1:9095/witness macOS Developer ID - Apple notary trusted macOS customer-installable package Linux Docker ARM64 - GPG signed API key required for LIVE mode IXOYE advisory-only witness Contract 1.2.0-contract-rc.3
Download for macOS Download for Linux Get API key Documentation

Evaluator boundary: RC5.8 is the active public evaluator preview / enterprise pilot candidate for GAL-2 Time Contract 1.2.0-rc.3. The macOS artifact is a customer-installable package with IXOYE live observer support and verifier fix. It is Developer ID signed and trusted by the Apple notary service.

The Linux bundle is a Docker ARM64 evaluator bundle with detached GPG signature, real API validation, live IXOYE witness proof, verifier boundary checks, and corrected internal SHA256SUMS. No API key or literal secret is included in the downloadable bundles.

RC5.8 inherits the RC4-derived 72-hour holdover policy and includes accelerated / policy-equivalent holdover and rejoin coverage. The prior RC4 evidence includes a real 120-hour Time Contract characterization with the declared 72-hour holdover policy boundary. RC5.8 does not claim a fresh real 72-hour wall-clock holdover run of these exact final artifacts.

IXOYE remains advisory only. It is not a time source, not a fallback source, and does not decide or affect safe_to_consume. The Time Contract policy remains the authority for safe_to_consume. This preview is not final enterprise production certification.

SHA256SUMS · README · Master index · macOS latest · Linux latest · Linux signature · GPG public key · Public index

Validation Evidence

Raw time keeps going. GAL-2 knows when to stop.

The Red Light Test compares a raw-time application path against a GAL-2-aware path that commits state through the Time Contract. When time is declared unsafe, the GAL-2 path blocks protected operations before unsafe time becomes application state.

Raw application path

Committed through unsafe time

20 total events
20 raw commits
6 unsafe commits
GAL-2 Time Contract path

Governed before commit

14 allowed commits
6 unsafe operations blocked
0 unsafe GAL-2 commits
Result: PASS

Under the declared unsafe window, the raw path kept committing. The GAL-2 path allowed safe operations, blocked unsafe operations, and produced zero unsafe commits.

The Time Contract answers the operational question:

Can this governed time safely become application state right now?

This is application-facing temporal safety evidence, not a UTC accuracy or metrology claim.

View Validation Read Time Contract Docs

Claim Boundary

Where GAL-2 sits in the timing stack.

GAL-2 Time Contract is evaluated as an application-facing temporal governance layer. It does not replace the global timing stack. It governs how software consumes time before that time becomes application state.

Boundary
  • Not a metrology certification.
  • Not a nanosecond or microsecond accuracy claim.
  • Not a replacement for UTC, GNSS, PTP, NTP, chrony, atomic clocks, grandmasters, or timing receivers.
  • Not a claim that physical reference infrastructure is no longer needed.
Demonstrated focus
  • Application-facing Time Contract behavior.
  • Governed consumption of gal2_time.
  • Monotonic continuity for contract consumers.
  • Bounded holdover, controlled rejoin, and fail-closed semantics under policy.
  • Y2038 application-state remediation at the commit boundary.
  • Auditable runtime fields: mode, reason, validity, sequence, and lineage.

Keep your timing stack. Add GAL-2 where time becomes application state.

Evidence integrity

Validation artifacts are sealed, scanned, and reproducible.

GAL-2 public validation packages are prepared with SHA-256 manifests, secret scans, public-safe artifacts, and reproducible evidence trails for technical review.

Public-safe artifacts

Scanned

SHA-256 manifests

Sealed

Validation packages

Published

View Public Validation Solstice 7D DOI 5-Day DOI
image of teacher using a smartboard for edtech

Stop unsafe commits before they happen

When timing conditions degrade, GAL-2 helps protected applications block, defer, or fail closed before unsafe timestamps become committed state.
image of gps device in truck cab

Recover without raw time shock

When the reference returns, GAL-2 supports controlled rejoin so applications are not forced to consume abrupt recovery behavior directly.

Application-facing temporal governance

Continuity when time becomes unsafe.

GAL-2 Time Contract helps protected applications preserve ordering, continuity, and state safety across LIVE, HOLDOVER, REJOIN, DEGRADED, FAIL_CLOSED, and restart conditions.

Your timing stack delivers time. GAL-2 governs whether software should consume it.

What is the core benefit?

GAL-2 helps applications consume governed time instead of raw time, reducing the risk that unsafe timing conditions become committed state.

How does GAL-2 govern time consumption?

GAL-2 uses a protected temporal governance core behind the API and exposes the result through a local Time Contract. Applications receive gal2_time, safe_to_consume, mode, reason, validity, sequence, and lineage before acting.

What happens when timing degrades?

GAL-2 can enter bounded holdover, preserve monotonic behavior for contract consumers, perform controlled rejoin when the reference returns, or fail closed when safe consumption can no longer be justified.

Who should evaluate GAL-2?

Teams operating distributed applications where ordering, ledgers, logs, caches, authorization, workflows, audit trails, Y2038 boundaries, or recovery behavior depend on safe time consumption.

Is integration straightforward?

Yes. GAL-2 Time Contract runs locally as a daemon, is backed by the GAL-2 API, and complements existing GNSS, PTP, NTP, chrony, cloud, blockchain, IoT, and production infrastructure.

IXOYE™ Time

Toward time that follows the sun.

GAL-2 is the practical contract layer for governed application time. IXOYE is the larger solar-witness vision behind it: a path toward temporal continuity that is public, observable, resilient, and aligned with the natural cycle of the sun.

Today, GAL-2 governs how applications consume time. The deeper vision is time that does not depend blindly on fragile clock authority, but can be witnessed beyond the systems it protects.

Explore IXOYE Time
Validation · Docs · Whitepaper · Pricing · Vision
GAL-2 Time Contract Layer · Powered by AWS · Verified Apple Developer ID XWFX4JS9C2 · Local contract endpoint 127.0.0.1:9095/contract
Public evidence: RC4 72h Holdover · 5-Day Adversarial · Solstice 7D · SHA-256 sealed validation artifacts
© 2026 GAL-2™ Technologies LLC. All rights reserved. · Application-facing Time Contract infrastructure · Terms of Service · Privacy Policy · support@gal-2.com GAL-2 governs whether software should consume time before committing state. It is not a replacement for UTC, GNSS, PTP, NTP, chrony, atomic clocks, grandmasters, hardware clocks, or existing timing infrastructure.