Technical documentation

GAL-2™ Time Contract and Fractal Time Architecture

GAL-2™ is an application-facing time governance platform born from Fractal Time research. Its current product surface is the GAL-2 Time Contract: a local daemon and API-backed contract path that exposes governed gal2_time so applications can evaluate explicit policy, validity, mode, reason, sequence, and lineage before time becomes committed state.

Product surface

Time Contract

Applications call /contract and evaluate safe_to_consume, mode, reason, validity, sequence, and lineage before using time in protected operations.

Current evaluator

RC5.8 / 1.2.0-rc.3

Active public evaluator preview for macOS and Linux Docker ARM64. RC5.8 exposes the local /contract endpoint and the advisory /witness surface.

Claim boundary

Not a clock replacement

GAL-2 complements UTC, GNSS, PTP, NTP, chrony, atomic clocks, grandmasters, cloud time, operating-system time, and timing receivers at the application boundary.

Start here: Open GAL-2 Quickstart to test an API key, download the active evaluator daemon, and verify the local http://127.0.0.1:9095/contract endpoint. RC5.8 / 1.2.0-rc.3 is the active evaluator preview. Historical RC5.1, RC5.7, and RC5.7.1 artifacts remain part of the public evidence trail, but should not be presented as the active evaluator.

Decision basis

What is safe_to_consume based on?

The GAL-2 Time Contract does not ask applications to blindly trust a timestamp. It exposes a policy-derived consumption decision based on observable runtime conditions and declared evaluator policy limits before time becomes committed application state.

In the RC5.8 evaluator, the policy values shown by the contract are evaluator defaults, not universal constants. They are declared so an external evaluator can characterize whether observed contract behavior matches the published policy profile.

Observable inputs

What the daemon can observe

The local daemon evaluates runtime conditions such as upstream freshness, last-good sync, cache age, upstream API latency, current mode, validity window, holdover age, rejoin state, and monotonic contract sequence.

Declared policy

What the contract may justify

The decision is constrained by declared policy values such as live validity, holdover soft and hard limits, maximum API latency, rejoin guard behavior, uncertainty basis, holdover policy version, and policy profile.

Contract output

What the application receives

Applications receive safe_to_consume, mode, reason, valid_until, monotonic_sequence, uncertainty_ms, source_lineage, and witness boundary metadata instead of a raw timestamp alone.

Delivered time context UTC, GNSS, PTP, NTP, chrony, API context, or existing timing stack.
GAL-2 policy evaluation Freshness, validity, latency, holdover, rejoin, uncertainty, and mode.
Time Contract decision Consume, hold, rejoin, degrade, or fail closed before software commits state.
Mode
Observable condition
safe_to_consume resolution
LIVE
Fresh upstream sync is available, latency is inside declared policy, the validity window remains active, and the daemon can justify the current governed output.
true, while the contract remains valid.
WARMING
The daemon is starting, lacks sufficient trusted state, has no valid last-good anchor, or is not ready to justify governed consumption.
false. Applications should wait for a valid contract or use an approved non-GAL-2 fallback.
HOLDOVER
Fresh upstream sync is unavailable or degraded, but a last-good trusted anchor exists and the contract remains inside declared holdover, validity, and uncertainty limits.
may be true only while inside declared policy budget. If the holdover, validity, uncertainty, trust, or policy boundary is exceeded, the contract must become non-consumable.
REJOIN
Upstream sync has returned and GAL-2 is reconciling continuity under declared rejoin guard and no-backstep semantics.
conditional. The contract is consumable only when the rejoin policy can justify controlled recovery. Otherwise protected operations should wait, block, or defer.
DEGRADED
Timing conditions are impaired but still observable and governed inside the configured policy profile.
policy-dependent. Applications should proceed only if their deployment policy explicitly allows degraded consumption.
FAIL_CLOSED
GAL-2 can no longer justify safe consumption because freshness, cache state, trusted anchor, validity, holdover, latency, uncertainty, or policy boundaries are no longer satisfied.
false. Protected operations should block, defer, or follow an approved fallback.
Local /contract reads are loopback reads from the local daemon. The field api_latency_ms reflects upstream sync round-trip latency used by the daemon as part of the policy context; it is not the application-facing local contract-read latency.
source_lineage records the observed path used for audit and evidence packaging. It should be read as contract lineage metadata, not as a public disclosure of protected decision logic.
The protected GAL-2 implementation remains controlled. The public evaluation surface is the observable Time Contract behavior: whether fields, mode transitions, validity windows, monotonic sequence, lineage metadata, and fail-closed behavior match declared policy under controlled timing conditions.
The innovation is not a new clock. The innovation is the contract boundary between delivered time and committed software state.

System architecture

GAL-2 is organized as a modular temporal governance architecture. Public interfaces expose governed outputs and contract behavior. Internal modules coordinate correction, routing, pacing, coherence, and operational continuity without exposing protected implementation details.

CAMI

Correction and Alignment Module for Integration

Coordinates correction logic and alignment between internal time representations and external system interfaces.

Aria

Adaptive Relay for Integrated Access

Provides adaptive routing and access coordination between GAL-2 components and connected systems.

Emma

Emitter of Modular Metronomic Alignment

Manages pacing and timing emission concepts used to support consistent system behavior.

CHAR

Coordinated Harmonic Alignment Relay

Handles coordination and alignment across distributed nodes and internal processes.

YO-EL5

Operational Coordination Layer

Acts as an internal control and orchestration layer responsible for coherence and operational continuity.

Time Contract

Application-facing boundary

Exposes governed gal2_time with safety, validity, mode, reason, sequence, and lineage for consuming applications.

These components describe the public architectural model. The Time Contract is the visible integration surface. The protected GAL-2 governance core remains private behind the protected governance boundary. Detailed mathematical derivations, correction formulas, tuning logic, private keys, backend implementation, and protected governance logic are not exposed in public documentation.

Theoretical foundation

GAL-2 is built on a fractal-based theoretical framework that treats time as a governed system property, not merely as a raw hardware signal. The model informs how GAL-2 reasons about continuity, correction, bounded behavior, and safe consumption under degraded or changing timing conditions.

Public documentation focuses on observable behavior and integration semantics. GAL-2 does not expose the protected formula, internal correction implementation, or backend decision logic. The current external product surface is the Time Contract, not a directly callable mathematical formula.

Conceptual flow, public-safe:

input:
  upstream reference context
  last known good GAL-2 state
  local daemon state
  policy limits

protected governance boundary:
  GAL-2 correction and continuity authority
  mode transition logic
  validity evaluation
  lineage recording

output:
  gal2_time
  safe_to_consume
  valid_until
  mode
  reason
  monotonic_sequence
  source_lineage
Public documentation intentionally describes observable behavior, contract fields, and integration rules only. Internal formulas, tuning logic, private keys, backend decision mechanisms, and protected governance authority are not exposed through public documentation or the Time Contract surface.

Installation and integration

GAL-2 is designed to integrate alongside existing timing infrastructure, including GNSS, NTP, PTP, chrony, cloud systems, and enterprise timing stacks. It does not require customers to remove their existing reference layer.

The recommended integration pattern is to run the local GAL-2 Time Contract daemon near the application. Protected application workflows call the local /contract endpoint and use gal2_time only when the contract allows consumption.

curl -s http://127.0.0.1:9095/contract | python3 -m json.tool
Protected workflows include ledger writes, audit events, authorization decisions, ordering-sensitive jobs, cache invalidation, event ingestion, and any path where unsafe timestamps can become committed state.

Time Contract response

The Time Contract returns governed time and runtime semantics. gal2_time appears first because it is the output the application evaluates for protected consumption. The remaining fields explain whether that output is safe, why, until when, and through what lineage.

{
  "schema": "gal2-daemon-time-contract-v1",
  "version": "1.2.0-contract-rc.3",
  "gal2_time": "2026-06-15T12:55:58.490713Z",
  "utc_time": "2026-06-15T12:55:58.965368Z",
  "safe_to_consume": true,
  "mode": "LIVE",
  "health": "green",
  "reason": "fresh_api_sync",
  "valid_until": "2026-06-15T12:56:43.490713Z",
  "valid_until_basis": "last_good_sync_plus_contract_live_valid_sec",
  "monotonic_sequence": 1,
  "monotonic_sequence_semantics": "per_contract_serve",
  "api_latency_ms": 474.655,
  "operational_bound_ms": 474.745,
  "source_lineage": [
    "gal2_api",
    "gal2_daemon_1.2.0_rc3",
    "time_contract_1.2.0_contract_rc3",
    "rc4_72h_holdover_policy",
    "ixoye_advisory_witness"
  ]
}
Example values are illustrative. Evaluators should rely on their local runtime output, package hashes, release README, and public master index when validating a specific artifact.

Core fields

Field
Meaning
Application use
gal2_time
Governed time output served by GAL-2.
Use for protected state-changing operations when the contract allows consumption.
utc_time
Server-side UTC alignment context returned with the governed output.
Use for comparison and audit context. Do not frame as UTC replacement or certified traceability unless separately verified.
safe_to_consume
Policy-derived decision indicating whether gal2_time is safe under observed runtime conditions, current mode, validity, policy, and lineage metadata.
If false, block, defer, fail closed, or follow an approved fallback.
valid_until
Window during which the current contract decision remains justified.
Refresh before using stale decisions.
valid_until_basis
Explains how the validity window was derived.
Use for audit and policy review.
mode
Current operational state.
Drive application behavior from declared state.
reason
Explanation for the current decision.
Log with protected commits for auditability.
monotonic_sequence
Consumer-facing sequence for continuity and review.
Record alongside protected operations.
source_lineage
Observed lineage metadata used to describe the path and evidence context for the governed output.
Use for incident review and evidence packaging. Do not read as disclosure of protected decision logic.

Mode behavior

Mode
Meaning
Recommended application behavior
LIVE
Fresh upstream sync is available.
Proceed if safe_to_consume=true and the contract is valid.
DEGRADED
Timing condition is degraded but still governed.
Proceed only if policy allows degraded mode.
HOLDOVER
GAL-2 is preserving bounded continuity from last known good state.
Proceed only inside policy and validity limits.
REJOIN
Reference has returned and GAL-2 is reconciling under controlled semantics.
Proceed only if the contract allows. Log rejoin state and sequence.
FAIL_CLOSED
GAL-2 can no longer justify safe consumption.
Block, defer, or use an approved fallback. Do not silently use raw time.
WARMING
Daemon is not ready to serve governed production time or lacks valid upstream/cache state.
Wait for valid contract or use a defined non-GAL-2 fallback.

Integration rule

GAL-2 protects consumers of the Time Contract. If an application reads raw system time through another side path and uses it for protected commits, that behavior is outside the GAL-2 protection boundary.

contract = get_time_contract()

if contract.safe_to_consume and current_time() <= contract.valid_until:
    commit_with_timestamp(contract.gal2_time)
else:
    block_or_defer_protected_operation(contract.mode, contract.reason)
The safest evaluation pattern is to start with one protected workflow, log the full contract with every protected operation, and compare raw application behavior against GAL-2 contract behavior under the same impairment.

API and configuration boundary

Public endpoints are designed for contract consumption, observability, and integration. They do not expose protected governance logic, tuning parameters, private formulas, private keys, or authoritative backend decision mechanisms.

Primary local endpoint:

GET http://127.0.0.1:9095/contract

Common local checks:
GET http://127.0.0.1:9095/status
GET http://127.0.0.1:9095/witness

Upstream API:
GET https://api-v2.gal-2.com/time

Expected local configuration path:
macOS:
  /etc/gal2/daemon.env
  /etc/gal2/daemon.env.example

Linux Docker:
  use the evaluator bundle README and environment template included with the RC5.8 package

The GAL-2 API provides the upstream governed timeline used by the local daemon. If the upstream API becomes unreachable and the daemon has a valid last trusted anchor, the Time Contract may enter bounded HOLDOVER under policy. If there is no valid cache, no trusted anchor, expired validity, exceeded policy boundary, or unsafe policy condition, the daemon must expose a non-consumable contract such as safe_to_consume=false rather than silently falling back to raw time.

The /witness endpoint is advisory-only. IXOYE does not decide safe_to_consume, is not a time source, and is not a fallback time source. The Time Contract authority remains GAL2_Time_Contract_policy_only.
Holdover evidence should be read as governed continuity under a declared policy and uncertainty budget. It is not a claim of metrology-certified oscillator accuracy, UTC traceability certification, or physical precision superiority.

Laboratory and validation evidence

GAL-2 validation focuses on application-facing behavior: monotonicity for contract consumers, governed timeline continuity, bounded holdover, controlled rejoin, fail-closed semantics, source lineage, and auditable evidence. Public evidence should not be read as a claim that GAL-2 replaces certified metrology references or improves upstream physical precision.

Active evaluator release

RC5.8 / 1.2.0-rc.3

Active public evaluator preview for macOS and Linux Docker ARM64 with local /contract, advisory /witness, IXOYE observer support, release README, SHA256SUMS, and public master index.

Master index: GAL2_RC58_MASTER_INDEX_20260615T233544Z.md

Full-week governed timeline

Solstice 7D

DOI: 10.5281/zenodo.18018704

Shows a GAL-2 API-backed governed timeline maintaining application-facing continuity over a full-week run, with strict monotonicity across 508,548 observed samples under real-world network conditions.

Contract behavior under stress

5-Day Adversarial Run

DOI: 10.5281/zenodo.20357131

Documents 14,397 contract samples, zero fetch failures, zero monotonic sequence backward steps, and observed FAIL_CLOSED behavior with safe_to_consume=false during the adversarial window.

RC4 holdover policy evidence

72-Hour Extended Holdover

DOI: 10.5281/zenodo.20582981

Documents the RC4 120-hour Time Contract characterization, 72-hour holdover policy boundary, fail-closed behavior at boundary, and recovery to LIVE.

Public evaluator evidence

RC5.1 DOI package

DOI: 10.5281/zenodo.20646973

DOI-published public evaluator / enterprise pilot candidate evidence package preserving Time Contract semantics and release boundary. This is part of the public evidence trail, not the active evaluator artifact.

Application-state boundary safety

Y2038 Evidence Corpus

Public validation includes legacy continuity, protected commit behavior, and Postgres application-boundary protected commit evidence for Y2038-style failure conditions.

See: Public Validation

Evidence is presented as application-facing continuity, contract behavior, and protected application-state behavior under defined conditions. It is not presented as a formal precision-superiority claim, nanosecond accuracy claim, or UTC traceability certification. RC5.8 inherits the RC4-derived 72-hour holdover policy boundary and includes evaluator evidence, but does not claim a fresh real 72-hour wall-clock run of the exact RC5.8 release artifacts.

Performance and benchmarks

GAL-2 performance should be evaluated per deployment. Public benchmark summaries should avoid unsupported precision claims. Serious technical evaluations should measure local daemon latency, contract-call p50 and p95, false-positive rate, holdover behavior, rejoin timeline, and raw application versus GAL-2-aware application behavior under the same impairment.

Metric
Purpose
Why it matters
Contract latency
Measures local daemon response time.
Answers enterprise runtime overhead questions.
Monotonicity
Checks whether gal2_time moves backward for contract consumers.
Protects ordering-sensitive workflows.
Holdover duration
Measures bounded continuity under upstream loss.
Validates policy-limited temporal lifeline behavior.
Rejoin timeline
Measures recovery after upstream reference returns.
Validates controlled recovery without raw time shock.
Fail-closed behavior
Checks whether unsafe consumption is blocked when policy can no longer justify output.
Prevents unsafe time from becoming committed state.
False-positive rate
Measures unnecessary degradation or fail-closed events during healthy conditions.
Protects operational usability.
A dedicated RC5.8 exact-artifact latency sheet may be published as an evaluator addendum. Existing public latency evidence should not be overread as universal deployment performance.

Comparative analysis

GAL-2 operates in a different layer than traditional synchronization systems. UTC, GNSS, NTP, PTP, chrony, grandmasters, and atomic references help define, discipline, or distribute time. GAL-2 governs how applications consume time before it becomes state.

  • UTC and national timing references: provide civil and reference time, but do not define application consumption behavior during local failure, partition, stale reference, or recovery events.
  • GNSS: provides high-value timing reference, but can be degraded, jammed, spoofed, unavailable, or operationally unsuitable for direct application trust.
  • NTP and chrony: discipline system time, but do not provide application-facing validity, reason, lineage, holdover policy, controlled rejoin, or fail-closed semantics.
  • PTP and grandmasters: distribute precise time in controlled environments, but do not replace the need for application-boundary consumption governance.
  • GAL-2 Time Contract: provides governed gal2_time and contract semantics so protected applications can continue within policy, rejoin under control, or fail closed.

Real-world use cases

GAL-2 is designed for systems where time becomes state and unsafe timestamps can cause operational, financial, forensic, or distributed-system damage.

Distributed ledgers

Transaction ordering

Helps protect ordering-sensitive writes, reconciliation, and audit trails when raw time becomes unsafe.

GNSS-degraded environments

Bounded continuity

Provides governed behavior when external timing references are degraded, intermittent, unavailable, or recovering.

Edge and autonomous systems

Intermittent operation

Supports explicit contract states for nodes that may operate through isolation, reconnection, and local restart.

Audit and forensics

Runtime evidence

Logs mode, reason, validity, sequence, and lineage alongside protected operations for post-event review.

Cloud infrastructure

Application boundary

Complements existing timing stacks by governing consumption near the software commit path.

Y2038 application-state remediation

Legacy timestamp boundaries

GAL-2 can help remediate Y2038-style application-state failure for workflows integrated through the Time Contract path by governing whether unsafe legacy timestamp behavior can become committed state. This does not replace OS, kernel, firmware, database, schema, or legacy binary remediation at their own layers.

Security

GAL-2 is designed to work with modern enterprise security practices and controlled deployment models. Live contract serving requires a valid API key. Public interfaces expose contract behavior while protected core logic remains server-side.

  • Transport security: deployments should use encrypted transport and standard secure networking practices.
  • Access control: API access is key-gated and should be integrated with controlled provisioning and rotation practices.
  • Integrity: evaluator releases should be distributed with hashes, signatures where available, and clear release scope.
  • Protected governance core: protected governance logic, private keys, formulas, backend authority mechanisms, and internal implementation details are not shipped in public documentation.
  • Roadmap attestation: signed Time Contract responses should be described only when implemented and verified.

Standards and compliance boundary

GAL-2 is designed to operate alongside established timing and networking standards. It does not replace NTP, PTP, GNSS, UTC, chrony, atomic clocks, grandmasters, timing receivers, cloud time, operating-system time, or national metrology references.

For regulated or critical environments, GAL-2 should be evaluated through controlled technical evaluations, documented policies, evidence packages, and separate written agreements before any production-critical use.

Maintenance and versioning

GAL-2 releases should evolve through controlled versioning. Frozen releases should not be modified silently. Any change to schema, behavior, installer, package, signing, daemon semantics, or public contract fields should create a new release marker.

  • RC5.8 / 1.2.0-rc.3: Active public evaluator preview for macOS and Linux Docker ARM64 with local /contract, advisory /witness, RC4-derived 72-hour holdover policy boundary, and evaluator packaging.
  • RC5.7.1 macOS: Superseded macOS customer-installable evaluator packaging correction around the RC5.7 daemon binary. Preserved as historical evidence, not the active evaluator.
  • RC5.7 Linux Docker ARM64: Superseded Linux Docker ARM64 evaluator preview with detached GPG signature and public signing key. Preserved as historical evidence, not the active evaluator.
  • RC5.1: DOI-published public evaluator / enterprise pilot candidate evidence package preserving Time Contract semantics and release boundary. Preserved as DOI-published evidence, not the active evaluator artifact.
  • Future contract versions: may add stronger attestation, upstream signatures, local audit chain hashes, policy profiles, and expanded validation evidence.
  • Deployment policy: customers should define protected operations, false-positive tolerance, fail-closed behavior, and fallback rules before production decisions.

Glossary

  • GAL-2: Global Alignment Layer 2, the temporal governance architecture behind the Time Contract.
  • Fractal Time: GAL-2's conceptual foundation for governed temporal continuity and correction.
  • Time Contract: Runtime object that exposes governed time and consumption semantics to applications.
  • gal2_time: The governed timestamp applications consume through GAL-2 when policy allows.
  • safe_to_consume: Policy-derived decision indicating whether gal2_time is safe under observed runtime conditions, current mode, validity, declared policy, and lineage metadata.
  • HOLDOVER: Bounded continuity from last known good state when upstream reference is unavailable or degraded.
  • REJOIN: Controlled reconciliation when the upstream reference returns.
  • FAIL_CLOSED: State where GAL-2 can no longer justify safe consumption and protected operations should not proceed through the contract path.
  • IXOYE Witness Layer: Out-of-band advisory witness reference. IXOYE is not a time source, not a fallback source, and does not decide safe_to_consume.
  • Protected governance core: Controlled upstream governance logic that remains private while the developer-facing integration surface remains the auditable Time Contract.