Application-facing temporal governance for production timing stacks. Your timing stack delivers time. GAL-2 governs whether applications should consume it.
GAL-2™ Time Contract
GAL-2 Time Contract RC5.8 / 1.2.0-rc.3 is a public evaluator
preview for application-facing governed time consumption. It exposes
gal2_time, safe_to_consume, mode,
reason, valid_until, monotonic_sequence,
and source_lineage before applications commit time-dependent state.
Precision protects the reference. GAL-2 protects the consumer.
macOS + Linux evaluator preview with IXOYE advisory witness.
RC5.8 is the active GAL-2 Time Contract evaluator preview. It supersedes earlier evaluator downloads for public evaluation.
The macOS artifact is a customer-installable package with daemon runtime, LaunchDaemon service, daemon wrapper, configuration template, logs directory, IXOYE live observer support, and verifier fix. The package is Developer ID signed and trusted by Apple notarization.
The Linux evaluator bundle is a Docker ARM64 evaluator package with detached GPG signature, corrected internal SHA256SUMS, verifier boundary checks, and real API LIVE witness evidence. The canonical public Linux filename is retained for compatibility and resolves to the corrected payload.
RC5.8 inherits the RC4-derived 72-hour holdover policy and includes accelerated / policy-equivalent holdover and rejoin coverage. The prior RC4 evidence includes a real 120-hour Time Contract characterization with the declared 72-hour holdover policy boundary. RC5.8 does not claim a fresh real 72-hour wall-clock holdover run of these exact final artifacts.
No API key or literal secret is included in the downloadable bundles. Without a
valid local API key, the daemon is expected to remain in a safe non-LIVE state such
as WARMING with safe_to_consume=false.
IXOYE remains advisory only. It is not a time source, not a fallback source, and
does not decide safe_to_consume. The Time Contract policy remains the
authority for safe_to_consume.
This release is provided AS IS and AS AVAILABLE. It is not final enterprise production certification and is not certified for production critical infrastructure, safety-critical systems, regulated trading, medical systems, aviation, emergency services, life-support systems, nuclear facilities, weapons systems, or other high-risk environments without a separate written agreement with GAL-2 Technologies LLC.
Applications call the local Time Contract and consume gal2_time with
safe_to_consume, valid_until, mode,
reason, monotonic_sequence, source_lineage,
valid_until_basis, and policy metadata.
The contract covers LIVE, HOLDOVER, DEGRADED, FAIL_CLOSED, and REJOIN semantics. When policy can no longer justify safe consumption, protected operations should not proceed through the GAL-2 contract path.
The local daemon is the contract layer. The GAL-2 API and protected core remain upstream. The daemon reconciles with the API when available, preserves local continuity when policy allows, and exposes governed time before applications commit state.
IXOYE remains an out-of-band advisory witness. IXOYE observes contract coherence,
but it is not a time source, not a fallback source, and does not decide
safe_to_consume.
For installation commands, API key activation, SHA256 verification, macOS setup, Linux Docker ARM64 setup, and local contract checks, use the hosted GAL-2 Quickstart. This keeps the pricing page clean and avoids long terminal snippets inside the download block.
The evaluator path is: download the RC5.8 artifact, verify the release files,
configure a valid GAL-2 API key locally, start the daemon, and check
http://127.0.0.1:9095/contract and
http://127.0.0.1:9095/witness.
GAL-2™ Time Contract
Start with an API key, activate the local daemon, and evaluate GAL-2 in a controlled non-production environment.
1 API key • 10,000 requests/month • Quickstart guide • Community support
1 API key • 100,000 requests/month • Commercial license • Priority support
Dedicated API keys • Higher request limits • Evaluation support • Enterprise review options
Start here
Start with the GAL-2 Quickstart to test an API key, download the evaluator daemon, activate the local Time Contract, and verify the local contract endpoint.
Use RapidAPI when you want to test the upstream GAL-2 Time API first, before moving into the full local Time Contract path.
GAL-2 exposes governed time and Time Contract signals so applications can evaluate whether time is safe to consume before committing state.
After purchasing your plan on GAL-2.com, you will receive your personal x-api-key, secured through the GAL-2 AWS infrastructure.
Use your GAL-2 API key in the request header.
curl -s -H "x-api-key: YOUR_GAL2_API_KEY" \
"https://api-v2.gal-2.com/prod/time"
Call the Time API from a backend service or secure server context.
import fetch from "node-fetch";
const res = await fetch(
"https://api-v2.gal-2.com/prod/time",
{
headers: {
"x-api-key": "YOUR_GAL2_API_KEY"
}
}
);
console.log(await res.json());
Use Python for testing, integration checks, and evaluator scripts.
import requests
url = "https://api-v2.gal-2.com/prod/time"
headers = {
"x-api-key": "YOUR_GAL2_API_KEY"
}
res = requests.get(url, headers=headers)
print(res.json())
x-api-key header will be rejected.GAL-2 is not presented as a replacement for UTC, GNSS, PTP, NTP, grandmasters, or hardware clocks. GAL-2 operates at the application boundary, helping software decide whether time is safe to consume under current conditions.
Business risk
Timing incidents are not only clock problems. When software blindly trusts raw time, unsafe timestamps can become committed application state.
Applications may continue committing during stale references, backward steps, leap-second-like discontinuities, Y2038-style boundaries, VM resume behavior, reference loss, or recovery out of phase.
The cost can show up as downtime, engineering investigation, corrupted data cleanup, audit exposure, customer impact, delayed recovery, and loss of confidence in system history.
Applications consume governed gal2_time through a Time Contract.
GAL-2 can continue within policy, hold over, rejoin under control, or fail closed
before unsafe time becomes committed state.
A practical cost model:
Timing incident cost = downtime + engineering remediation + corrupted data cleanup + audit exposure + customer impact + recovery delay + reputational damage.

Clear answers about governed time, application-state risk, and how GAL-2 helps protected systems hold, rejoin, or fail closed before unsafe time becomes committed state.
Technical and buyer FAQ
GAL-2™ Time Contract is an application-facing time governance product. It combines
the GAL-2 API, a local daemon, and a Time Contract surface so protected applications can
evaluate governed gal2_time, check safety before commit, hold over within policy,
rejoin under control, or fail closed before unsafe time becomes state.
GAL-2™ Time Contract is the application-facing product surface of GAL-2. It runs locally as a daemon, is backed by the GAL-2 API, and exposes a contract your software can call before committing time-dependent state.
The core fields include gal2_time, safe_to_consume,
mode, reason, valid_until,
monotonic_sequence, and source_lineage.
They are different parts of the same product system. The Time Contract is the application-facing runtime object. The daemon is the local process that serves the contract to protected applications.
Applications integrate with the local daemon and evaluate the Time Contract before using time in state-changing operations.
GAL-2 solves the application-consumption problem. Timing infrastructure can deliver time, but applications still need to decide whether that time is safe to use for commits, ordering, ledgers, logs, authorization, cache expiration, workflows, and audit trails.
GAL-2 governs that boundary so unsafe timing behavior does not silently become application state.
Because timing incidents do not stay inside clocks. They become corrupted logs, bad ordering, ledger errors, stale authorization, broken expirations, failed audit trails, and unsafe commits.
GAL-2 gives engineering teams a controlled, auditable way to decide what software should do when time is healthy, degraded, unavailable, recovering, or unsafe.
Commercially, GAL-2 is an application-facing Time Contract for systems where time becomes state. Technically, it is a time consumption governance layer. Architecturally, it is a software-defined time governance boundary.
No. Monitoring observes and reports. GAL-2 is designed to sit in the application consumption path.
Protected software evaluates gal2_time through the contract and reacts to
safe_to_consume, mode, reason, validity, sequence, and lineage before committing state.
GAL-2 should not be described as a replacement for UTC, GNSS, PTP, NTP, chrony, atomic clocks, grandmasters, timing receivers, or certified metrology references. It should not claim nanosecond or microsecond accuracy unless independently measured against a named reference.
The strongest claim is application-facing governance: governed output, monotonic continuity for contract consumers, bounded holdover where policy allows, controlled rejoin, fail-closed behavior, and auditable runtime evidence.
The primary local endpoint is http://127.0.0.1:9095/contract.
Applications should call this endpoint for protected state-changing operations instead of
reading raw system time directly for those operations.
The GAL-2 API provides the upstream governed timeline. The local daemon is the application-facing contract surface. The daemon turns upstream governance into a local contract with mode, safety, validity, reason, sequence, and lineage.
For production-style integration, applications should integrate with the local Time Contract.
RapidAPI is a fast way to test the upstream GAL-2 Time API. It is useful for first contact, API exploration, and simple developer testing.
The full GAL-2 Time Contract experience requires the local daemon and a GAL-2 API key.
Start with the Quickstart. Test your GAL-2 API key, download the evaluator daemon for macOS
or Linux Docker ARM64, activate the daemon with your key, verify /status, and call
/contract.
The daemon may expose local status and warming behavior, but it should not serve live production
GAL-2 Time. A clean no-key state should report something like WARMING,
warming_no_cache, and safe_to_consume=false.
Yes. A controlled technical evaluation can start with one protected workflow: ledger writes, audit events, authorization decisions, ordering-sensitive jobs, cache invalidation, event ingestion, Y2038 boundary handling, or recovery behavior.
RC5.8 evaluator support includes macOS and Linux Docker ARM64. macOS is distributed as a customer-installable package. Linux is distributed as a Docker ARM64 evaluator bundle with verification artifacts.
GNSS provides a reference. GAL-2 governs what applications consume when a reference is degraded, jammed, spoofed, stale, unavailable, or recovering out of phase.
GNSS protects reference delivery. GAL-2 protects the application boundary.
PTP and grandmasters distribute precise time. GAL-2 does not replace them. GAL-2 sits downstream, closer to the application, and governs whether software should consume, hold, rejoin, degrade, or fail closed when timing behavior becomes unsafe.
A monotonic clock helps with local ordering, but it does not provide upstream lineage, freshness, validity windows, holdover policy, controlled rejoin, fail-closed semantics, or machine-readable audit reasoning.
GAL-2 adds a contract around governed time, not just a local counter.
GAL-2 is complementary. Timing hardware protects the reference layer. GAL-2 protects the software consumption layer. Customers can keep GNSS, PTP, NTP, chrony, TimeCards, grandmasters, atomic clocks, and receivers while adding GAL-2 where time becomes state.
safe_to_consume=false mean?It means the governed output should not be used for protected state-changing operations under the current contract state. The application should block, defer, fail closed, or follow a specifically approved fallback. It should not silently switch to raw time.
GAL-2 can enter bounded holdover, preserve monotonic behavior for contract consumers,
perform controlled rejoin when the reference returns, or move to FAIL_CLOSED
when safe consumption can no longer be justified.
GAL-2 should not force abrupt raw recovery behavior into the application. It uses controlled rejoin semantics to reconcile back toward upstream-backed operation while preserving no-backward-step behavior for contract consumers where policy allows.
GAL-2 can help remediate Y2038-style application-state failure for workflows integrated through the GAL-2 contract path. The key is that unsafe legacy timestamp behavior can be governed, blocked, translated, or prevented from becoming committed state.
GAL-2 does not mean customers can ignore operating system, kernel, firmware, database, schema, or legacy binary remediation. Those layers still matter. GAL-2 operates at a different layer: the application-consumption boundary where time becomes state.
GAL-2 can reduce application risk from leap-second-like discontinuities for consumers that use the Time Contract, because the application evaluates governed time and contract semantics instead of blindly trusting raw timing behavior.
No. GAL-2 protects consumers of the Time Contract. If an application reads raw system time through a side path and commits protected state with that raw value, that behavior is outside the GAL-2 protection boundary.
GAL-2 has public evidence packages showing API-backed governed timeline continuity, Time Contract behavior under stress, protected commit behavior, source-isolation behavior, and application-facing temporal safety testing.
These datasets should be read as continuity and governance evidence, not as certified metrological UTC accuracy claims.
The Solstice 7D dataset shows that a GAL-2 API-backed governed timeline maintained application-facing continuity over a full-week run on commodity hardware, with strict monotonicity verified across 508,548 observed samples under real-world network conditions.
The 5-Day Adversarial run shows contract behavior under controlled stress: 14,397 contract
samples, zero fetch failures, zero monotonic sequence backward steps, and observed
FAIL_CLOSED behavior with safe_to_consume=false during the
adversarial window.
A serious evaluation should measure monotonicity for contract consumers, decision latency, holdover duration, rejoin behavior, fail-closed behavior, false-positive rate, restart behavior, local cache behavior, source lineage, evidence hashes, and raw application versus GAL-2-aware application behavior under the same impairment.
GAL-2 should fail evaluation if the protected path allows unsafe time to become committed
state without disclosure, if gal2_time moves backward for contract consumers,
if holdover continues past policy without fail-closed behavior, if mode or reason fields
misrepresent reality, or if evidence cannot be reproduced.
No. The protected mathematical model, backend governance logic, key material, and implementation details are not delivered as customer source code. GAL-2 exposes behavior through the local Time Contract, controlled APIs, evaluator packages, public evidence artifacts, policy lineage, and reproducible validation records.
The evaluation boundary is the observable contract behavior: what the application receives, how modes transition, how policy is represented, and whether the system behaves as claimed under controlled test conditions.
GAL-2 should be evaluated through observable behavior, not private claims. Engineers should inspect the Time Contract fields, mode transitions, monotonic sequence behavior, holdover limits, rejoin behavior, fail-closed behavior, source lineage, raw logs, SHA-256 manifests, evaluator packages, and reproduced test outputs.
The developer-facing integration surface remains the auditable Time Contract. The protected upstream core remains controlled, while contract behavior can be externally characterized under real timing infrastructure.
Engineers should not be asked to trust a hidden claim. They should test the contract.
A serious evaluation should verify whether safe_to_consume, mode, reason,
validity windows, policy, uncertainty, sequence behavior, and lineage match observed
system behavior under nominal, degraded, holdover, rejoin, and fail-closed conditions.
The trust model is evidence-backed: signed or hashed artifacts where available, public datasets, reproducible validation records, and controlled characterization beside existing timing infrastructure.
Public claims about signed contract responses should only be made when signature support is implemented, documented, and verified. Until then, signed response envelopes should be treated as an enterprise attestation roadmap item.
Current evaluator releases are intended for developer evaluation, architecture review, and controlled technical evaluation. Production use in critical infrastructure, safety-critical systems, regulated trading, aviation, medical systems, emergency services, life-support systems, nuclear facilities, weapons systems, or other high-risk environments requires separate written agreement, additional validation, and deployment-specific review.
No. GAL-2 core IP, formula, protected governance logic, and ownership are not for sale. Commercial access is provided through API usage, daemon licensing, evaluator access, controlled technical evaluation, enterprise contracts, and dedicated partner arrangements where appropriate.
The best first step is a controlled technical evaluation. Pick one workflow, define the raw-time risk, integrate the Time Contract, run nominal and impaired tests, compare behavior, and produce a clean evidence package with logs, metrics, and decision outcomes.