Your timing stack delivers time. GAL-2 governs whether software should consume it before committing application state through a local Time Contract policy surface.
Technical documentation
GAL-2™ is an application-facing time governance platform born from Fractal Time research.
Its current product surface is the GAL-2 Time Contract: a local daemon and API-backed contract path
that exposes governed gal2_time so applications can evaluate explicit policy,
validity, mode, reason, sequence, and lineage before time becomes committed state.
Applications call /contract and evaluate safe_to_consume,
mode, reason, validity, sequence, and lineage before using time in protected operations.
Active public evaluator preview for macOS and Linux Docker ARM64. RC5.8 exposes the local
/contract endpoint and the advisory /witness surface.
GAL-2 complements UTC, GNSS, PTP, NTP, chrony, atomic clocks, grandmasters, cloud time, operating-system time, and timing receivers at the application boundary.
Start here:
Open GAL-2 Quickstart
to test an API key, download the active evaluator daemon, and verify the local
http://127.0.0.1:9095/contract endpoint. RC5.8 / 1.2.0-rc.3
is the active evaluator preview. Historical RC5.1, RC5.7, and RC5.7.1 artifacts remain part
of the public evidence trail, but should not be presented as the active evaluator.
Decision basis
safe_to_consume based on?The GAL-2 Time Contract does not ask applications to blindly trust a timestamp. It exposes a policy-derived consumption decision based on observable runtime conditions and declared evaluator policy limits before time becomes committed application state.
In the RC5.8 evaluator, the policy values shown by the contract are evaluator defaults, not universal constants. They are declared so an external evaluator can characterize whether observed contract behavior matches the published policy profile.
The local daemon evaluates runtime conditions such as upstream freshness, last-good sync, cache age, upstream API latency, current mode, validity window, holdover age, rejoin state, and monotonic contract sequence.
The decision is constrained by declared policy values such as live validity, holdover soft and hard limits, maximum API latency, rejoin guard behavior, uncertainty basis, holdover policy version, and policy profile.
Applications receive safe_to_consume, mode, reason,
valid_until, monotonic_sequence, uncertainty_ms,
source_lineage, and witness boundary metadata instead of a raw timestamp alone.
safe_to_consume resolutionLIVEWARMINGHOLDOVERREJOINDEGRADEDFAIL_CLOSED/contract reads are loopback reads from the local daemon. The field
api_latency_ms reflects upstream sync round-trip latency used by the daemon as part of
the policy context; it is not the application-facing local contract-read latency.
source_lineage records the observed path used for audit and evidence packaging. It should be
read as contract lineage metadata, not as a public disclosure of protected decision logic.
GAL-2 is organized as a modular temporal governance architecture. Public interfaces expose governed outputs and contract behavior. Internal modules coordinate correction, routing, pacing, coherence, and operational continuity without exposing protected implementation details.
Coordinates correction logic and alignment between internal time representations and external system interfaces.
Provides adaptive routing and access coordination between GAL-2 components and connected systems.
Manages pacing and timing emission concepts used to support consistent system behavior.
Handles coordination and alignment across distributed nodes and internal processes.
Acts as an internal control and orchestration layer responsible for coherence and operational continuity.
Exposes governed gal2_time with safety, validity, mode, reason, sequence, and lineage for consuming applications.
GAL-2 is built on a fractal-based theoretical framework that treats time as a governed system property, not merely as a raw hardware signal. The model informs how GAL-2 reasons about continuity, correction, bounded behavior, and safe consumption under degraded or changing timing conditions.
Public documentation focuses on observable behavior and integration semantics. GAL-2 does not expose the protected formula, internal correction implementation, or backend decision logic. The current external product surface is the Time Contract, not a directly callable mathematical formula.
Conceptual flow, public-safe: input: upstream reference context last known good GAL-2 state local daemon state policy limits protected governance boundary: GAL-2 correction and continuity authority mode transition logic validity evaluation lineage recording output: gal2_time safe_to_consume valid_until mode reason monotonic_sequence source_lineage
GAL-2 is designed to integrate alongside existing timing infrastructure, including GNSS, NTP, PTP, chrony, cloud systems, and enterprise timing stacks. It does not require customers to remove their existing reference layer.
The recommended integration pattern is to run the local GAL-2 Time Contract daemon near the application.
Protected application workflows call the local /contract endpoint and use gal2_time
only when the contract allows consumption.
curl -s http://127.0.0.1:9095/contract | python3 -m json.tool
The Time Contract returns governed time and runtime semantics. gal2_time appears first because
it is the output the application evaluates for protected consumption. The remaining fields explain whether
that output is safe, why, until when, and through what lineage.
{
"schema": "gal2-daemon-time-contract-v1",
"version": "1.2.0-contract-rc.3",
"gal2_time": "2026-06-15T12:55:58.490713Z",
"utc_time": "2026-06-15T12:55:58.965368Z",
"safe_to_consume": true,
"mode": "LIVE",
"health": "green",
"reason": "fresh_api_sync",
"valid_until": "2026-06-15T12:56:43.490713Z",
"valid_until_basis": "last_good_sync_plus_contract_live_valid_sec",
"monotonic_sequence": 1,
"monotonic_sequence_semantics": "per_contract_serve",
"api_latency_ms": 474.655,
"operational_bound_ms": 474.745,
"source_lineage": [
"gal2_api",
"gal2_daemon_1.2.0_rc3",
"time_contract_1.2.0_contract_rc3",
"rc4_72h_holdover_policy",
"ixoye_advisory_witness"
]
}
gal2_timeutc_timesafe_to_consumegal2_time is safe under observed runtime conditions, current mode, validity, policy, and lineage metadata.valid_untilvalid_until_basismodereasonmonotonic_sequencesource_lineageLIVEsafe_to_consume=true and the contract is valid.DEGRADEDHOLDOVERREJOINFAIL_CLOSEDWARMINGGAL-2 protects consumers of the Time Contract. If an application reads raw system time through another side path and uses it for protected commits, that behavior is outside the GAL-2 protection boundary.
contract = get_time_contract()
if contract.safe_to_consume and current_time() <= contract.valid_until:
commit_with_timestamp(contract.gal2_time)
else:
block_or_defer_protected_operation(contract.mode, contract.reason)
Public endpoints are designed for contract consumption, observability, and integration. They do not expose protected governance logic, tuning parameters, private formulas, private keys, or authoritative backend decision mechanisms.
Primary local endpoint: GET http://127.0.0.1:9095/contract Common local checks: GET http://127.0.0.1:9095/status GET http://127.0.0.1:9095/witness Upstream API: GET https://api-v2.gal-2.com/time Expected local configuration path: macOS: /etc/gal2/daemon.env /etc/gal2/daemon.env.example Linux Docker: use the evaluator bundle README and environment template included with the RC5.8 package
The GAL-2 API provides the upstream governed timeline used by the local daemon. If the upstream API
becomes unreachable and the daemon has a valid last trusted anchor, the Time Contract may enter bounded
HOLDOVER under policy. If there is no valid cache, no trusted anchor, expired validity, exceeded policy
boundary, or unsafe policy condition, the daemon must expose a non-consumable contract such as
safe_to_consume=false rather than silently falling back to raw time.
/witness endpoint is advisory-only. IXOYE does not decide safe_to_consume,
is not a time source, and is not a fallback time source. The Time Contract authority remains
GAL2_Time_Contract_policy_only.
GAL-2 validation focuses on application-facing behavior: monotonicity for contract consumers, governed timeline continuity, bounded holdover, controlled rejoin, fail-closed semantics, source lineage, and auditable evidence. Public evidence should not be read as a claim that GAL-2 replaces certified metrology references or improves upstream physical precision.
Active public evaluator preview for macOS and Linux Docker ARM64 with local /contract,
advisory /witness, IXOYE observer support, release README, SHA256SUMS, and public master index.
Master index: GAL2_RC58_MASTER_INDEX_20260615T233544Z.md
Shows a GAL-2 API-backed governed timeline maintaining application-facing continuity over a full-week run, with strict monotonicity across 508,548 observed samples under real-world network conditions.
Documents 14,397 contract samples, zero fetch failures, zero monotonic sequence backward steps,
and observed FAIL_CLOSED behavior with safe_to_consume=false
during the adversarial window.
Documents the RC4 120-hour Time Contract characterization, 72-hour holdover policy boundary, fail-closed behavior at boundary, and recovery to LIVE.
DOI-published public evaluator / enterprise pilot candidate evidence package preserving Time Contract semantics and release boundary. This is part of the public evidence trail, not the active evaluator artifact.
Public validation includes legacy continuity, protected commit behavior, and Postgres application-boundary protected commit evidence for Y2038-style failure conditions.
See: Public Validation
GAL-2 performance should be evaluated per deployment. Public benchmark summaries should avoid unsupported precision claims. Serious technical evaluations should measure local daemon latency, contract-call p50 and p95, false-positive rate, holdover behavior, rejoin timeline, and raw application versus GAL-2-aware application behavior under the same impairment.
gal2_time moves backward for contract consumers.GAL-2 operates in a different layer than traditional synchronization systems. UTC, GNSS, NTP, PTP, chrony, grandmasters, and atomic references help define, discipline, or distribute time. GAL-2 governs how applications consume time before it becomes state.
gal2_time and contract semantics so protected applications can continue within policy, rejoin under control, or fail closed.GAL-2 is designed for systems where time becomes state and unsafe timestamps can cause operational, financial, forensic, or distributed-system damage.
Helps protect ordering-sensitive writes, reconciliation, and audit trails when raw time becomes unsafe.
Provides governed behavior when external timing references are degraded, intermittent, unavailable, or recovering.
Supports explicit contract states for nodes that may operate through isolation, reconnection, and local restart.
Logs mode, reason, validity, sequence, and lineage alongside protected operations for post-event review.
Complements existing timing stacks by governing consumption near the software commit path.
GAL-2 can help remediate Y2038-style application-state failure for workflows integrated through the Time Contract path by governing whether unsafe legacy timestamp behavior can become committed state. This does not replace OS, kernel, firmware, database, schema, or legacy binary remediation at their own layers.
GAL-2 is designed to work with modern enterprise security practices and controlled deployment models. Live contract serving requires a valid API key. Public interfaces expose contract behavior while protected core logic remains server-side.
GAL-2 is designed to operate alongside established timing and networking standards. It does not replace NTP, PTP, GNSS, UTC, chrony, atomic clocks, grandmasters, timing receivers, cloud time, operating-system time, or national metrology references.
For regulated or critical environments, GAL-2 should be evaluated through controlled technical evaluations, documented policies, evidence packages, and separate written agreements before any production-critical use.
GAL-2 releases should evolve through controlled versioning. Frozen releases should not be modified silently. Any change to schema, behavior, installer, package, signing, daemon semantics, or public contract fields should create a new release marker.
/contract, advisory /witness, RC4-derived 72-hour holdover policy boundary, and evaluator packaging.gal2_time: The governed timestamp applications consume through GAL-2 when policy allows.safe_to_consume: Policy-derived decision indicating whether gal2_time is safe under observed runtime conditions, current mode, validity, declared policy, and lineage metadata.safe_to_consume.