Federation Outward Shell — the cell as a constitutional citizen
GFTCL-LION-FEDERATION-RETROFIT-001 + GFTCL-LION-CLIMATE-FOOD-001.
The cell is one citizen in the GFTCL network. Meaning has to survive every other party's reach — peer cells, audit partners, lab co-witnesses, the public. The internal meaning audit (the cell talking to itself) is necessary but not sufficient. This page documents the outward plane: how the cell's sealed witnesses become subscribable, recomputable, and signed by anyone in the network.
The constitutional invariant
An unsigned receipt cannot roar.
Enforced at the substrate level via per-domain BEFORE INSERT triggers (V130):
CREATE TRIGGER trig_<domain>_insert_requires_quintet
BEFORE INSERT ON <table>
FOR EACH ROW
WHEN NEW.nats_broadcast_at_iso IS NOT NULL
AND (NEW.signature_quintet IS NULL OR NEW.signature_quintet = '[]')
BEGIN
SELECT RAISE(ABORT, '<domain>: INSERT refused — broadcast marked but signature_quintet is empty');
ENDAny row that marks itself broadcast-ready (nats_broadcast_at_iso non-NULL) MUST carry a non-empty signature_quintet. The trigger refuses the INSERT otherwise. The federation gate holds at row birth.
The signature quintet
GaiaFTCLCore/SignatureQuintet.swift — five facets, each a SHA-256 over "<cell_id>|<key>|<value>|<payload_hash>":
1. cell_id — the GaiaFTCL Mac cell's constitutional id
2. domain_id — which domain's witness this is
3. lean_artifact_path — which sealed theorem the witness mirrors
4. payload_sha256 — the canonical witness hash
5. tau_block — the constitutional time-step
A peer cell receives the canonical witness JSON, recomputes each facet from public inputs, and verifies the array element-wise. No privileged substrate access required. The dignity property — verdict is a pure function of public inputs — is the federation's truth condition.
When real peer cells join the federation, their signatures replace facets in the array. The constitutional gate stays the same: a non-empty array unblocks broadcast.
The seven federated subjects (six gated)
| Domain | NATS subject | Watched by |
|---|---|---|
| Energy | gaiaftcl.energy.ledger.sealed (+ 3 others) |
EnergyAlertableEvents |
| Materials | gaiaftcl.materials.validation.sealed |
MaterialsAlertableEvents |
| Medical | gaiaftcl.medical.dosing.sealed |
MedicalAlertableEvents |
| Security | gaiaftcl.security.validation.sealed |
SecurityAlertableEvents |
| Drug Discovery | gaiaftcl.drug.trial_outcome.sealed |
DrugDiscoveryAlertableEvents |
| Climate & Food | gaiaftcl.climate_food.chain.sealed |
ClimateFoodAlertableEvents |
| LVC | gaiaftcl.lvc.receipt.sealed |
LVCAlertableEvents |
(Logistics is read-only — no per-domain seal table — and does not carry a constitutional gate.)
Finance (gaiaftcl.finance.capture.sealed) was the first AlertableDomain consumer; Energy was the second. The other six landed across V128–V130 + the engine-ingest commit.
The wiring (end-to-end per seal)
1. Engine seals — <Domain>Engine.sealValidation(...) recomputes the dignity property, builds a canonical payload, computes SHA-256, and signs with SignatureQuintet.selfSigned(...).
2. Single INSERT — the engine writes the row with signature_quintet and nats_broadcast_at_iso set in the same INSERT. The BEFORE INSERT trigger permits it (quintet non-empty); the BEFORE UPDATE OF trigger (V129) defends against any future retro-fit attempt.
3. Engine ingests — the engine calls AlertGovernor.shared.ingest(subject: ..., payload: ...). The payload dict carries the fields each AlertableEvents watches.
4. Governor routes — AlertGovernor looks up subjectToDomains[subject], finds the registered AlertableDomain, projects fields, evaluates seedRules, writes alert_queue rows for matching rules.
5. App startup registration — SovereignStackLauncher calls FederationAlertableRegistration.registerAll() once the substrate is ready. This populates the governor's subjectToDomains map — without it, step 4 returns [] for every event.
6. External consumers — the cell's HTTP server renders alert_queue as RSS; Apple Alert adapter pushes notifications; future NATS publisher reads rows where nats_broadcast_at_iso IS NOT NULL and emits to the message bus.
Falsifiers
Two end-to-end smoke tests prove the pipeline holds:
M8FederationReVerifySmokeTest (climate-food)
Six assertions:
1. Substrate seed chain-demo-cf-001 present
2. ClimateFoodEngine.recompute bit-matches the Lean instance A: p=[71,499,3496]
3. sealValidation produces verdict_kind='coherent_finalizes'
4. signature_quintet populated; nats_broadcast_at_iso non-NULL
5. Peer re-verify — a simulated peer cell with NO substrate access recomputes from public inputs and lands on the same witness SHA
6. Tamper test — attempting to mark broadcast on an unsigned row is ABORTED by the trigger
M8FederationRetrofitSmokeTest (five retrofitted domains)
For each of Materials, Medical, Security, Drug Discovery, LVC:
1. signature_quintet + nats_broadcast_at_iso columns present (V129)
2. trig_<domain>_insert_requires_quintet present (V130)
3. trig_<domain>_nats_requires_quintet present (V129)
4. BEFORE INSERT gate REFUSES tamper INSERT marking broadcast with empty quintet
Both tests live in cells/xcode/Sources/ and run via swift run M8FederationReVerifySmokeTest / swift run M8FederationRetrofitSmokeTest.
What stays NAMED OPEN
- Per-domain HTTP routes on
GaiaNodeServer(currently only/energy/...is wired;/materials/...,/medical/...,/security/...,/drug/...,/lvc/...,/climate_food/...are named-next). - Per-domain wiki PQ pages for Materials, Medical, Security, Drug Discovery, Logistics (Energy / Climate-Food / LVC already have dedicated pages).
- Real NATS publisher — currently the cell writes
nats_broadcast_at_isoto substrate ("broadcast permitted"); a future component will query unbroadcast rows and emit to a real message bus. - Real peer signatures — current quintet is self-signed (5 facets of the originating cell). When peer cells join the federation, their signatures replace facets in the array; the constitutional gate stays the same.
Files
- Signing primitive:
cells/xcode/Sources/GaiaFTCLCore/SignatureQuintet.swift - Per-domain BEFORE INSERT gate:
cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV130.swift - Per-domain BEFORE UPDATE OF gate + column adds:
cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV129.swift - Climate-food template + gate:
cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV128.swift - App-launch registration:
cells/xcode/Sources/GaiaFTCLApp/FederationAlertableRegistration.swift - Eight AlertableEvents targets:
cells/xcode/Sources/{Finance,Energy,Materials,Medical,Security,DrugDiscovery,LVC,ClimateFood}AlertableEvents/ - Smoke tests:
cells/xcode/Sources/M8FederationReVerifySmokeTest/+M8FederationRetrofitSmokeTest/
248640c81a27090a1d58455ad7d57db3c7de72435460dde744c06d73d688ca8b.
This page serves with a substrate-honest pending-signature notice until the operator's Franklin signer cosigns it.