GAL-2™ Time Contract Layer

Governed Time for Application State

Your timing stack delivers time. GAL-2 governs whether software should consume it before committing application state through a local Time Contract policy surface.

Checking GAL-2 status…
Latest Public Evidence

GAL-2 RC5.8 / 1.2.0-rc.3 Time Contract Public Technical Preview

RC5.8 is an enterprise pilot candidate and public technical preview for application-facing Time Contracts. It exposes the local daemon, the Time Contract endpoint, the RC4-derived 72-hour holdover policy boundary, and IXOYE as an advisory out-of-band witness surface.

Current publication status RC5.8_PUBLIC_TECHNICAL_PREVIEW_ACTIVE
Daemon version 1.2.0-rc.3
Contract version 1.2.0-contract-rc.3
RC4-derived holdover policy exposed 72h
macOS notarized package ACTIVE
Linux Docker ARM64 bundle ACTIVE
IXOYE advisory witness surface ACTIVE

Why this release matters

RC5.8 moves the Time Contract closer to a customer-facing evaluation package. It gives evaluators a concrete local policy surface at 127.0.0.1:9095/contract, where applications can inspect safe_to_consume, mode, valid_until, lineage, continuity, and uncertainty basis before committing state.

This matters because GAL-2 is not asking teams to replace UTC, GNSS, PTP, NTP, chrony, grandmasters, hardware clocks, or operating-system time. GAL-2 adds a governed application-facing decision layer where raw time becomes software state.

RC5.8 also exposes IXOYE as an advisory witness surface at 127.0.0.1:9095/witness. IXOYE observes contract evidence out-of-band, but it does not source time, act as fallback, govern policy, or decide safe_to_consume.

Scope boundary: RC5.8 is an enterprise pilot candidate and public technical preview, not final enterprise production certification, not production SLA evidence, and not external metrology validation. RC5.8 inherits the RC4-derived 72-hour holdover policy and includes accelerated / policy-equivalent holdover and rejoin coverage, but it does not claim a fresh real 72-hour wall-clock holdover run of the final RC5.8 artifacts. IXOYE is an advisory out-of-band witness surface only. It is not a time source, not a fallback source, and does not decide safe_to_consume. GAL-2 is not a replacement for UTC, GNSS, PTP, NTP, chrony, grandmasters, hardware clocks, operating-system time, or existing timing infrastructure.

Public Evidence Chain

5-Day Time Contract Adversarial Characterization

Pre-registered adversarial run with public results package

GAL-2 Time Contract v1.0 completed a 5-day adversarial characterization under controlled upstream interruption conditions.

The run evaluated application-facing temporal governance behavior, including LIVE, HOLDOVER, DEGRADED, REJOIN, and FAIL_CLOSED states.

The official collector completed cleanly with 14,397 contract samples and 14,397 consumer rows. During the hard interruption phase, GAL-2 entered FAIL_CLOSED with health=red and safe_to_consume=false after hard policy expiration.

0 fetch failures
0 monotonic_sequence backward steps
0 gal2_time backward steps
Secret scan PASS
Public pre-registration
Public results package

Claim boundary: This evidence evaluates application-facing Time Contract behavior under controlled upstream interruptions. It is not a UTC replacement claim, GNSS/PTP/NTP replacement claim, metrological accuracy claim, or long-duration autonomous holdover claim.

Validation evidence

Real Daemon Impairment Test v0.1

A controlled upstream impairment test using the installed GAL-2 local daemon and the real application-facing Time Contract endpoint.

Result: PASS
Phase order Baseline LIVE → Upstream impairment → Recovery
Modes observed LIVE · HOLDOVER · DEGRADED · FAIL_CLOSED
Mode distribution 36 LIVE · 9 HOLDOVER · 20 DEGRADED · 7 FAIL_CLOSED
Records 72 contract snapshots
Fail-closed samples 7 safe_to_consume=false records
Backward steps 0 monotonic_sequence · 0 gal2_time steps
Secret scan PASS · 0 findings
Claim type Application-facing Time Contract impairment evidence

When upstream access was impaired, GAL-2 did not fail silently. The daemon exposed explicit Time Contract states including HOLDOVER, DEGRADED, and FAIL_CLOSED. When safe consumption could no longer be justified, safe_to_consume became false.

Zenodo DOI 10.5281/zenodo.20213086
Public-safe package SHA256 85db223e2f4273777f371f5ad5d25187e318c06e1f91e24781aae4bac62fa14e
Claim boundary: application-facing Time Contract impairment evidence. Not a metrology accuracy test. Not a UTC replacement claim. Not a nanosecond or microsecond precision claim.
Close-up view of a microscope lens focusing on a digital touchscreen interface with colorful icons.
APPLICATION-FACING TIME VALIDATION

API-Backed Contract Source Isolation

A general-purpose Mac client consumed a local SNTP feed derived from the current GAL-2 Time Contract and backed by the live GAL-2 API.

60m
SUSTAINED MONITOR
61/61
CLIENT SAMPLES
79/79
SAFE RESPONSES
PASS
ADOPTION RESULT

In this controlled two-Mac demonstration, Mac A ran the current GAL-2 daemon and exposed a local SNTP-compatible bridge derived from the GAL-2 Time Contract. Mac B was configured to use Mac A as its macOS Network Time Server.

This version extends the earlier source-isolation evidence by replacing the prior local protected core path with the current live API-backed Time Contract path.

Tested Chain GAL-2 API → GAL-2 daemon → Time Contract → Mac A SNTP Bridge → Mac B Network Time
Mac A Bridge 192.168.6.143
Mac B Client 192.168.6.243
Source Lineage gal2_api → gal2_daemon → contract_v1
Mac B Monitor 61 samples, PASS
Bridge Responses 79 SNTP responses
Modes Observed LIVE, REJOIN
Monotonic Sequence 30284 to 30362
Master Archive SHA256 ce63a8e26d38e61ef8d0d1d7e5d101631087f59fb80537fb42e568fcca169f85

Evidence Boundary

This test supports 60-minute operational source isolation and contract-gated local time consumption using the current GAL-2 Time Contract and live GAL-2 API path. It does not claim physical oscillator control, metrological replacement of UTC, UTC traceability certification, universal production readiness, or clock accuracy superiority.

Previous source-isolation evidence used an earlier local protected core path. This version documents the current API-backed Time Contract path.

Application-Facing Time Safety

Red Light Test v2 Live Demo

Raw time keeps going. GAL-2 knows when to stop. This live demo shows the GAL-2 Time Contract blocking unsafe operations before time becomes committed application state.

21 Raw commits
6 Raw unsafe commits
6 GAL-2 blocked unsafe operations
0 GAL-2 unsafe commits

This test measures application-facing temporal safety behavior, not clock accuracy. It is evaluator-stage technical evidence and should be interpreted within its stated scope.

Historic API correction record

Historic GAL-2 API correction output

Early technical record from the original GAL-2 API correction pathway.

On July 28, 2025, GAL-2™ was tested through its API correction pathway using an externally supplied UNIX timestamp. The system returned a governed correction output in real time: gal2_corrected: 1722283734.

This record is preserved as early engineering evidence that a submitted timestamp entered the GAL-2 API path and produced a corrected output rather than simply echoing raw time.

Submitted timestamp 1722283745
GAL-2 output 1722283734
Observed correction -11 seconds
Claim boundary: This is a historic API correction record. It is not a metrology certification, not a UTC replacement claim, not an NTP replacement claim, and not a nanosecond or microsecond precision claim. Current validation evidence is documented below through the GAL-2 Time Contract, 5-Day Adversarial run, Real Daemon Impairment Test, Red Light Test, Y2038 Evidence Corpus, and other sealed validation artifacts.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Y2038 Evidence Corpus

From corrected time to protected state.

A layered public evidence trail showing how GAL-2 moves from legacy mediated-time continuity into application-boundary commit protection, local multi-substrate durability, local Postgres gating, local latency characterization, and controlled GAL-2 Time authority beyond the signed 32-bit Unix time boundary. The model is not “GAL-2 patches every legacy machine.” The model is: keep the minimum substrate alive, move operational time authority to GAL-2, and protect the workflow before broken time becomes committed state.

Operational continuity model

GAL-2 does not claim to keep a failed 32-bit kernel, firmware, filesystem, database engine, or host operating system alive by itself.

GAL-2 operates where a protected workflow can still execute, or where a bridge, wrapper, gateway, daemon, or external integration layer can consume the Time Contract.

Under that model, GAL-2 moves operational time authority away from signed-32 Unix time and into governed GAL-2 Time.

Minimum substrate stays alive. GAL-2 governs time authority. Protected workflows keep operating.

Layer 1
Legacy binary continuity
Layer 2
SQLite protected commit
Layer 3
SQLite + JSONL durability
Layer 4
Local Postgres gating
Layer 5
Latency characterization
Layer 1 Legacy boundary Published

Legacy Binary Continuity

Post-2038 continuity for tested legacy execution paths

Legacy 32-bit execution paths were evaluated beyond the raw Y2038 boundary using GAL-2 API-seeded temporal continuity.

This package documents mediated-time behavior in legacy post-2038 scenarios where tested legacy-style execution paths continued operating in cases where raw execution paths failed.

Interpretation: evidence of legacy survivability and continuity for tested binary execution paths. Not a universal claim for every legacy binary, operating system, or execution environment.

Layer 2 SQLite PASS

Application-Boundary Protected Commit

GAL-2 Y2038 Protected Commit Test v1.1.1

This package extends the prior Y2038 corpus from legacy mediated-time behavior into application-boundary protected commit behavior.

In the tested single-host SQLite scenario, the raw path committed unsafe Y2038-style time-derived state. The GAL-2 protected path checked the Time Contract gate and the declared Y2038 safety policy gate before durable commit, blocking unsafe inputs before they became durable application state.

Main test
PASS
Oracle verifier
PASS
Secret scan
PASS
Archive smoke
PASS

Claim boundary: application-boundary protected commit evidence. Not universal Y2038 remediation, not operating system, kernel, filesystem, database engine, or distributed-system remediation, not production throughput or latency evidence, not metrology, and not UTC, GNSS, PTP, NTP, or chrony replacement.

Layer 3 SQLite + JSONL PASS

Local Multi-Substrate Protected Commit

GAL-2 Y2038 Multi-Substrate Protected Commit Test v1.2

This package extends protected commit evidence from a single SQLite substrate to a local multi-substrate scenario using SQLite and an append-only JSONL ledger.

The raw path committed unsafe Y2038-style state into both tested substrates. The GAL-2 protected path produced zero unsafe commits across SQLite and JSONL.

Cross-substrate consistency means data parity: the same logical safe commits appear in both tested substrates, and unsafe inputs are absent from both GAL-2 protected substrates. It does not claim transactional atomicity, two-phase commit, rollback coordination, distributed transactions, or atomic cross-substrate recovery.

Total cases
30
Raw unsafe commits
40
GAL-2 unsafe commits
0
Backward steps
0

Claim boundary: local multi-substrate application-boundary protected commit evidence using SQLite and append-only JSONL. Not universal Y2038 remediation, not distributed-system remediation, not production throughput or latency evidence, not transactional atomicity evidence, not metrology, and not UTC, GNSS, PTP, NTP, or chrony replacement.

Layer 4 Postgres PASS

Local Postgres Protected Commit

GAL-2 Y2038 Postgres Protected Commit Test v1.3

This package extends the protected commit evidence into a local Postgres database substrate. It evaluates whether unsafe Y2038-style time-derived state can be blocked before becoming durable Postgres application state.

In the tested single-host local Postgres scenario, the raw path committed unsafe Y2038-style records into Postgres. The GAL-2 protected path blocked all unsafe inputs and committed all safe inputs.

Postgres rows
60
Raw unsafe commits
20
GAL-2 unsafe commits
0
False-positive blocks
0

Claim boundary: local Postgres application-boundary protected commit evidence. Not universal Y2038 remediation, not operating system, kernel, filesystem, database engine, or distributed-system remediation, not replication evidence, not multi-node behavior, not multi-writer behavior, not transactional atomicity across multiple systems, not production performance evidence, not metrology, and not UTC, GNSS, PTP, NTP, or chrony replacement.

Layer 5 Latency PASS

Local Latency Characterization

GAL-2 Protected Commit Latency Characterization v1.4

This package characterizes local raw path latency, GAL-2 protected path latency, local Time Contract fetch latency, safe commit latency, unsafe block latency, and p50 / p95 / p99 behavior across SQLite, append-only JSONL, and local Docker Postgres.

The Contract measurement uses the real local GAL-2 Time Contract surface at 127.0.0.1:9095/contract. It measures local daemon latency, not a direct public API round-trip to api-v2.gal-2.com.
For Postgres, the meaningful interpretation is protected path versus raw path under the same local method. Absolute Postgres latency values include docker exec psql overhead and should not be interpreted as production libpq, connection-pooled, or networked database latency.
SQLite / JSONL
PASS
Postgres
PASS
Combined summary
PASS
Archive audit
PASS

Claim boundary: local latency and throughput characterization only. Not production throughput evidence, not production latency evidence, not distributed-system performance evidence, not a capacity benchmark, not metrology, and not UTC, GNSS, PTP, NTP, or chrony replacement evidence.

A layered evidence record.

The Y2038 corpus documents a progression from mediated-time continuity to protected application-state behavior, local multi-substrate durability, Postgres commit gating, local latency characterization, and controlled GAL-2 Time authority beyond the signed 32-bit Unix time boundary. Each layer is published with a strict claim boundary, independent verification artifacts, public-safe packaging, and reproducible evidence records.

Compared to standard NTP, GAL-2™ compresses offsets and increases stability across servers worldwide.

demonstrating application-facing temporal safety behavior under declared policy, while complementing existing timing infrastructure.

Historical integrity records

Public hashes for earlier sealed validation artifacts.

These public hashes are preserved as integrity records for specific historical GAL-2 validation artifacts. They are not standalone performance claims. Each hash should be read as evidence that the referenced artifact existed in a sealed form at the time of publication.

Historical record: the following hashes preserve earlier GAL-2 validation artifacts and should be interpreted together with the dated package, manifest, or record they identify.
September 29, 2025

File

verify_20250929T203008Z.txt

SHA512

8b262ed2970a5afc7d041181be581c4c304eb2c1aa7bd6fbe6e47b6f6e4cd79829c0848e0861da679402756fe5a3ad16c6c4b6647791f246b769e8d7c0cd50a4

S3 VersionId

DeSp8N0Gal8gvXJrafguMiBbgl7J9nyR

File

gal2_nopano_manifest_20250929.json

SHA512

43c99d07810f76ff4fff79b3035fd710639067fda5362c9fa1e2a2cc48abdbb4d3aef5ee60fa4a894c2eaff6419309ea

S3 VersionId

aSmv9u3z_QciikmHVZ68fQuBvd9mguiu
September 30, 2025

File

verify_20250930T151405Z.txt

SHA512

a48467f3bbd8968953614080eb0330333962a987704de1c2fbe75779d60b4e79b0f3ca6df732aad5610a9c6bf88bc005

S3 VersionId

y0A0_spIptQtdTgGyrS.3JKOy.5Wccpx

File

gal2_manifest_2025-09-30_151423Z.json

SHA512

f6ad0ccfb8c8cffb8166e4d59a8d878f

S3 VersionId

CFShof.AOaRnU_fdtiFoQJ1GShOTfy3Z

Verification

Verify downloaded artifacts locally.

Anyone can verify a referenced file by downloading the manifest or evidence artifact, calculating its SHA512 hash, and comparing the result to the value published here.

sha512sum <file>
Close-up view of a microscope lens focusing on a digital touchscreen interface with colorful icons.

The full 7-day GNSS-denied dataset is publicly archived on Zenodo for independent review and replication.
https://doi.org/10.5281/zenodo.18018704
Dataset content is immutable and independently hosted.

10.5281/zenodo.18018704


Local Daemon Continuity Pack-Monotonic application-facing continuity observed across restart, holdover, and rejoin conditions

On 2026-04-21, GAL-2 local daemon tests on macOS showed 0 backward steps across sequential reads, concurrent reads, forced daemon restarts, and induced upstream-loss holdover testing. The daemon remained continuously available through holdover and returned to live mode without temporal rollback.Highlights5,000 sequential reads, 0 backward steps
10,000 parallel reads, 0 backward steps
5 forced daemon restarts, 0 backward steps
300/300 successful holdover test responses
600/600 successful 10-minute daemon probe responsesDOIDOI: 10.5281/zenodo.19684054IntegritySHA-256: 0eb2fcb347e3025443aaa224340c45d0e179a666fe41ae70cc98ac0b58a3c142Honest noteThis package supports continuity and resilience claims.

10.5281/zenodo.19684054

72h steady-state observation: node-specific GAL-2-to-UTC relation held within 1 μsIn the 72-hour steady-state dataset, the observed GAL-2-to-UTC relation remained stable within 1 μs per node while preserving a node-specific constant offset.This is evidence of node-specific steady-state relation stability under the tested conditions. It is not a public claim of universal one-microsecond absolute accuracy, certified UTC traceability, or replacement of metrology-grade timing references.Honest note:
The result supports steady-state stability of the observable GAL-2-to-UTC relation, not a universal precision guarantee.

10.5281/zenodo.19546807


Strict ordering preserved under leap-second-like discontinuities

GAL-2 preserved a strictly increasing consumer path across 27 historical events under controlled authority-side raw_stepand backward_jump injection, with 54/54 passing runs, 0 backward steps, 0 duplicate steps, and 0 errors. Independent observation confirmed the same result. In separate production testing, the real GAL-2 API remained strictly increasing across 2000 direct polls with 0 backward steps, 0 duplicate steps, and 0 request errors.
Evidence: https://doi.org/10.5281/zenodo.19687840
Scope: Controlled architectural evidence plus real production API strict-ordering probe.

10.5281/zenodo.19687840