GAL-2 Time Contract Policy

Time should not be consumed blindly.

GAL-2 gives applications a governed time-consumption decision before protected state commits. Instead of trusting raw time by default, software can inspect a local Time Contract with policy, validity, lineage, continuity, and fail-closed behavior.

GAL-2 does not replace or redefine UTC, GNSS, PTP, NTP, chrony, grandmasters, time appliances, or atomic clocks. It adds an application-facing policy layer that helps software decide whether governed time is safe to consume right now.

Local decision surface Applications read /contract before protected actions.

Explicit safety flag safe_to_consume turns timing risk into a visible policy decision.

Bounded continuity Policy exposes LIVE, HOLDOVER, REJOIN, WARMING, and FAIL_CLOSED states.

Advisory witness IXOYE observes contract evidence out-of-band without governing the contract.

Live evaluator evidence

The RC5.8 evaluator exposes a local daemon, a Time Contract endpoint, and an IXOYE advisory witness endpoint. The dashboard below is an observability layer fed by the local evaluator endpoints.

GAL-2 Time Contract RC5.8 evaluator dashboard showing live policy state and IXOYE advisory witness

Local evaluator dashboard preview. The governing surface is the GAL-2 Time Contract. IXOYE is shown as an advisory witness layer only.

Daemon 1.2.0-rc.3

Contract 1.2.0-contract-rc.3

Contract state LIVE · safe=true

IXOYE witness Advisory · live fresh

Dashboard boundary

The dashboard does not govern time and does not change GAL-2 policy. It reads the local /contract and /witness endpoints so evaluators can see the policy state and witness state in real time.

From timestamp to decision

In ordinary systems, time is often treated as a raw value. GAL-2 treats application-facing time as a governed contract. The important question becomes: should this application consume this time before committing state?

Input

Upstream reconciliation, API freshness, cache age, latency, last trusted sync, lineage, continuity checks, and declared policy thresholds.

Policy decision

The daemon evaluates whether governed application time is consumable under the current Time Contract policy.

Application output

A local contract with safe_to_consume, mode, valid_until, lineage, continuity, and uncertainty basis.

The contract endpoint

The local daemon exposes the Time Contract at http://127.0.0.1:9095/contract. Protected applications read this contract before commits, event ordering, TTLs, audit logs, or recovery workflows.

{
  "schema": "gal2-daemon-time-contract-v1",
  "version": "1.2.0-contract-rc.3",
  "service": "gal2d-rc5-ixoye-witness",
  "gal2_time": "2026-06-20T16:13:56.515332Z",
  "utc_time": "2026-06-20T16:13:56.515332Z",
  "safe_to_consume": true,
  "mode": "LIVE",
  "health": "green",
  "reason": "fresh_api_sync",
  "valid_until": "2026-06-20T16:14:39.717231Z",
  "valid_until_basis": "last_good_sync_plus_contract_live_valid_sec",
  "last_good_sync": "2026-06-20T16:13:54.717231+00:00",
  "cache_age_seconds": 1.762,
  "api_latency_ms": 719.454,
  "monotonic_sequence": 7657,
  "monotonic_sequence_semantics": "per_contract_serve",
  "policy": {
    "contract_live_valid_sec": 45.0,
    "contract_max_api_latency_ms": 5000.0,
    "contract_holdover_soft_sec": 21600.0,
    "contract_holdover_hard_sec": 259200.0,
    "contract_rejoin_guard_sec": 10.0
  },
  "uncertainty_ms": 719.503,
  "uncertainty_ms_basis": "conservative_model_v1_not_external_metrology_validated",
  "source_lineage": [
    "gal2_api",
    "gal2_daemon_rc3_base",
    "rc4_72h_holdover_policy",
    "rc5_ixoye_witness_contract"
  ],
  "witness_ref": {
    "discovery": "/witness",
    "enabled": true,
    "layer": "IXOYE",
    "policy": "advisory_only",
    "role": "out_of_band_attestation",
    "effect_on_safe_to_consume": "none"
  }
}

Fields evaluators should inspect

safe_to_consume The application-facing decision. If false, protected software should not commit state using the contract timestamp.

mode The observable policy state, such as LIVE, WARMING, HOLDOVER, REJOIN, or FAIL_CLOSED.

valid_until The bounded consumption window for the current contract under declared policy.

monotonic_sequence A per-contract-serve continuity signal for observing ordering, restart, or backward-step behavior at the contract boundary.

source_lineage The observable path from GAL-2 API to daemon policy to application-facing contract.

uncertainty_ms A conservative operational uncertainty estimate. In RC5.8, this is not an external metrology certification claim.

witness_ref IXOYE is advisory only. It does not source time, govern the contract, or decide safe_to_consume.

Policy states

The Time Contract makes timing state explicit so applications do not silently trust raw system time.

LIVE Fresh upstream reconciliation is available and the contract is consumable within policy.

WARMING The daemon is starting, reconnecting, or waiting for sufficient trusted state.

HOLDOVER Fresh upstream sync is unavailable, but bounded local continuity may still be allowed from a last trusted anchor.

REJOIN Controlled recovery after degraded or offline state, avoiding unsafe application-facing discontinuity.

FAIL_CLOSED Safe consumption can no longer be justified. Protected applications should stop or degrade.

IXOYE advisory witness

The RC5.8 evaluator includes an advisory IXOYE witness endpoint at http://127.0.0.1:9095/witness. When the local IXOYE observer is running, it can provide fresh live attestations of the active Time Contract.

Observed state

IXOYE can observe fields such as contract version, mode, safety decision, sequence, witness freshness, and observed contract state.

Evidence surface

Live witness output can include chain index, observer identity, latest attestation hash, and packaged coherence evidence.

Authority boundary

IXOYE does not source time, act as fallback, govern policy, or decide safe_to_consume.

Witness, not authority

GAL-2 governs. IXOYE observes. The Time Contract remains governed by GAL-2 policy, while IXOYE provides advisory evidence about the observed contract state.

How protected applications use it

contract = GET http://127.0.0.1:9095/contract
if contract.safe_to_consume == true:
    commit_state(timestamp = contract.gal2_time)
else:
    block_or_degrade(reason = contract.reason)

Policy decision, not clock perfection

safe_to_consume is a Time Contract policy decision, not a claim of absolute clock perfection. It means GAL-2 governed time is consumable under declared policy and observed state.

Boundaries

UTC boundary GAL-2 does not replace, redefine, or certify UTC. It exposes governed application-facing time while remaining compatible with existing timing infrastructure.

Application boundary GAL-2 protects the path where the application checks the Time Contract before protected actions. Raw system-time reads are outside this boundary.

Cache boundary If the daemon cannot perform a new upstream sync, the contract must not pretend that a fresh API sync occurred. Depending on policy and cache state, it may expose WARMING, bounded HOLDOVER, or non-consumable output.

IXOYE boundary GAL-2 governs. IXOYE observes. The contract field effect_on_safe_to_consume: none makes that boundary explicit.

Evaluator boundary RC5.8 is an evaluator preview and enterprise pilot candidate, not final production certification and not external metrology validation.

Operational goal

Raw time keeps moving, even when application risk changes. The Time Contract makes timing state explicit so software can consume, hold, rejoin, degrade, or fail closed under declared policy.

Temporal Circuit Breaker for Production Systems