Skip to content

Federation Outward Shell — the cell as a constitutional citizen

GFTCL-LION-FEDERATION-RETROFIT-001 + GFTCL-LION-CLIMATE-FOOD-001.

The cell is one citizen in the GFTCL network. Meaning has to survive every other party's reach — peer cells, audit partners, lab co-witnesses, the public. The internal meaning audit (the cell talking to itself) is necessary but not sufficient. This page documents the outward plane: how the cell's sealed witnesses become subscribable, recomputable, and signed by anyone in the network.

The constitutional invariant

An unsigned receipt cannot roar.

Enforced at the substrate level via per-domain BEFORE INSERT triggers (V130):

CREATE TRIGGER trig_<domain>_insert_requires_quintet
BEFORE INSERT ON <table>
FOR EACH ROW
WHEN NEW.nats_broadcast_at_iso IS NOT NULL
  AND (NEW.signature_quintet IS NULL OR NEW.signature_quintet = '[]')
BEGIN
  SELECT RAISE(ABORT, '<domain>: INSERT refused — broadcast marked but signature_quintet is empty');
END

Any row that marks itself broadcast-ready (nats_broadcast_at_iso non-NULL) MUST carry a non-empty signature_quintet. The trigger refuses the INSERT otherwise. The federation gate holds at row birth.

The signature quintet

GaiaFTCLCore/SignatureQuintet.swift — five facets, each a SHA-256 over "<cell_id>|<key>|<value>|<payload_hash>":

  1. cell_id — the GaiaFTCL Mac cell's constitutional id
  2. domain_id — which domain's witness this is
  3. lean_artifact_path — which sealed theorem the witness mirrors
  4. payload_sha256 — the canonical witness hash
  5. tau_block — the constitutional time-step

A peer cell receives the canonical witness JSON, recomputes each facet from public inputs, and verifies the array element-wise. No privileged substrate access required. The dignity property — verdict is a pure function of public inputs — is the federation's truth condition.

When real peer cells join the federation, their signatures replace facets in the array. The constitutional gate stays the same: a non-empty array unblocks broadcast.

The seven federated subjects (six gated)

Domain NATS subject Watched by
Energy gaiaftcl.energy.ledger.sealed (+ 3 others) EnergyAlertableEvents
Materials gaiaftcl.materials.validation.sealed MaterialsAlertableEvents
Medical gaiaftcl.medical.dosing.sealed MedicalAlertableEvents
Security gaiaftcl.security.validation.sealed SecurityAlertableEvents
Drug Discovery gaiaftcl.drug.trial_outcome.sealed DrugDiscoveryAlertableEvents
Climate & Food gaiaftcl.climate_food.chain.sealed ClimateFoodAlertableEvents
LVC gaiaftcl.lvc.receipt.sealed LVCAlertableEvents

(Logistics is read-only — no per-domain seal table — and does not carry a constitutional gate.)

Finance (gaiaftcl.finance.capture.sealed) was the first AlertableDomain consumer; Energy was the second. The other six landed across V128–V130 + the engine-ingest commit.

The wiring (end-to-end per seal)

  1. Engine seals<Domain>Engine.sealValidation(...) recomputes the dignity property, builds a canonical payload, computes SHA-256, and signs with SignatureQuintet.selfSigned(...).
  2. Single INSERT — the engine writes the row with signature_quintet and nats_broadcast_at_iso set in the same INSERT. The BEFORE INSERT trigger permits it (quintet non-empty); the BEFORE UPDATE OF trigger (V129) defends against any future retro-fit attempt.
  3. Engine ingests — the engine calls AlertGovernor.shared.ingest(subject: ..., payload: ...). The payload dict carries the fields each AlertableEvents watches.
  4. Governor routesAlertGovernor looks up subjectToDomains[subject], finds the registered AlertableDomain, projects fields, evaluates seedRules, writes alert_queue rows for matching rules.
  5. App startup registrationSovereignStackLauncher calls FederationAlertableRegistration.registerAll() once the substrate is ready. This populates the governor's subjectToDomains map — without it, step 4 returns [] for every event.
  6. External consumers — the cell's HTTP server renders alert_queue as RSS; Apple Alert adapter pushes notifications; future NATS publisher reads rows where nats_broadcast_at_iso IS NOT NULL and emits to the message bus.

Falsifiers

Two end-to-end smoke tests prove the pipeline holds:

M8FederationReVerifySmokeTest (climate-food)

Six assertions:

  1. Substrate seed chain-demo-cf-001 present
  2. ClimateFoodEngine.recompute bit-matches the Lean instance A: p=[71,499,3496]
  3. sealValidation produces verdict_kind='coherent_finalizes'
  4. signature_quintet populated; nats_broadcast_at_iso non-NULL
  5. Peer re-verify — a simulated peer cell with NO substrate access recomputes from public inputs and lands on the same witness SHA
  6. Tamper test — attempting to mark broadcast on an unsigned row is ABORTED by the trigger

M8FederationRetrofitSmokeTest (five retrofitted domains)

For each of Materials, Medical, Security, Drug Discovery, LVC:

  1. signature_quintet + nats_broadcast_at_iso columns present (V129)
  2. trig_<domain>_insert_requires_quintet present (V130)
  3. trig_<domain>_nats_requires_quintet present (V129)
  4. BEFORE INSERT gate REFUSES tamper INSERT marking broadcast with empty quintet

Both tests live in cells/xcode/Sources/ and run via swift run M8FederationReVerifySmokeTest / swift run M8FederationRetrofitSmokeTest.

What stays NAMED OPEN

  • Per-domain HTTP routes on GaiaNodeServer (currently only /energy/... is wired; /materials/..., /medical/..., /security/..., /drug/..., /lvc/..., /climate_food/... are named-next).
  • Per-domain wiki PQ pages for Materials, Medical, Security, Drug Discovery, Logistics (Energy / Climate-Food / LVC already have dedicated pages).
  • Real NATS publisher — currently the cell writes nats_broadcast_at_iso to substrate ("broadcast permitted"); a future component will query unbroadcast rows and emit to a real message bus.
  • Real peer signatures — current quintet is self-signed (5 facets of the originating cell). When peer cells join the federation, their signatures replace facets in the array; the constitutional gate stays the same.

Files

  • Signing primitive: cells/xcode/Sources/GaiaFTCLCore/SignatureQuintet.swift
  • Per-domain BEFORE INSERT gate: cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV130.swift
  • Per-domain BEFORE UPDATE OF gate + column adds: cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV129.swift
  • Climate-food template + gate: cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV128.swift
  • App-launch registration: cells/xcode/Sources/GaiaFTCLApp/FederationAlertableRegistration.swift
  • Eight AlertableEvents targets: cells/xcode/Sources/{Finance,Energy,Materials,Medical,Security,DrugDiscovery,LVC,ClimateFood}AlertableEvents/
  • Smoke tests: cells/xcode/Sources/M8FederationReVerifySmokeTest/ + M8FederationRetrofitSmokeTest/

Federation-cosigned

This page's source is sealed in the GaiaFTCL federation manifest — page SHA-256 e657aa29dcd4371d…, manifest witness a090592e0609adc8…, signed 2026-06-02T18:58:22Z by cell gaiaftcl-mac-cell. Verify with gaiaftcl wiki sign --all and compare wiki-all-signatures.json.