API Reference

Status: Fixture Preview. This reference tracks contracts/gestalt-cloud-membrane.v0.json version 0.0.1-fixture. See Capability State before using any operation as an integration boundary.

Gestalt’s membrane operations use a common response shape:

type MembraneResponse<T> = {
  operation: string;
  outcome: "admitted" | "refused" | "pending" | "projected" | "verified" | "queued" | "executed" | "failed";
  body: T;
  receipt?: {
    ref: string;
    outcome: string;
    reasons: string[];
    fixture?: boolean;
  };
};

Every response should be read with its capability-state label. Fixture receipts are useful for prototyping and refusal-code discipline; they are not production proof.
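One way a client can apply this rule, as an added example that is not part of the Gestalt contract or SDK: it validates the response shape at runtime, attaches the capability-state label, and does not accept fixture receipts. The function and table names and the caller-supplied state allowlist are assumptions, and the sample response is constructed.

```typescript
// Added example: readResponse, isReceipt, STATE_BY_OPERATION and Reading are hypothetical names.
const OUTCOMES = ["admitted", "refused", "pending", "projected", "verified", "queued", "executed", "failed"] as const;
type Receipt = { ref: string; outcome: string; reasons: string[]; fixture?: boolean };
type MembraneResponse<T> = { operation: string; outcome: (typeof OUTCOMES)[number]; body: T; receipt?: Receipt };
type Reading = { response: MembraneResponse<unknown>; state: string; accepted: boolean; notes: string[] };

// Capability-state labels copied from this page's operation tables (subset).
// A Map is used so inherited keys such as "constructor" never resolve to a label.
const STATE_BY_OPERATION = new Map<string, string>([
  ["intent.commit", "fixture-rehearsed"],
  ["receipt.verify", "shape-only"],
  ["standing.grant", "staging-durable"],
]);

function isReceipt(v: unknown): v is Receipt {
  if (typeof v !== "object" || v === null) return false;
  const { ref, outcome, reasons, fixture } = v as Record<string, unknown>;
  return typeof ref === "string" && typeof outcome === "string" &&
    Array.isArray(reasons) && reasons.every((x) => typeof x === "string") &&
    (fixture === undefined || typeof fixture === "boolean");
}

// Validates untrusted JSON at runtime (TypeScript types are erased), then attaches
// the capability-state label. acceptedStates is the caller's allowlist (assumed policy).
function readResponse(raw: unknown, acceptedStates: ReadonlySet<string>): Reading {
  if (typeof raw !== "object" || raw === null) throw new Error("response is not an object");
  const { operation, outcome, body, receipt } = raw as Record<string, unknown>;
  if (typeof operation !== "string") throw new Error("operation is not a string");
  const known = OUTCOMES.find((o) => o === outcome);
  if (known === undefined) throw new Error(`unknown outcome: ${String(outcome)}`);
  let checked: Receipt | undefined;
  if (receipt !== undefined) {
    if (!isReceipt(receipt)) throw new Error("malformed receipt");
    checked = receipt;
  }
  const state = STATE_BY_OPERATION.get(operation) ?? "unlabelled";
  const notes: string[] = [];
  if (checked === undefined) notes.push("no receipt");
  else if (checked.fixture === true) notes.push("fixture receipt: not production proof");
  if (!acceptedStates.has(state)) notes.push(`state '${state}' is not on the allowlist`);
  const response = { operation, outcome: known, body, receipt: checked };
  return { response, state, accepted: notes.length === 0, notes };
}

// Constructed sample, not captured from a real runtime.
const SAMPLE: unknown = JSON.parse('{"operation":"intent.commit","outcome":"admitted","body":{},' +
  '"receipt":{"ref":"rcpt-example","outcome":"admitted","reasons":[],"fixture":true}}');
console.log(readResponse(SAMPLE, new Set<string>()).notes);
```

With an empty allowlist nothing is accepted, which matches a page on which no operation carries a production state.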

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| runtime.health | GET | /health | staging-durable |
| runtime.ready | GET | /ready | staging-durable |
| runtime.version | GET | /version | staging-durable |
| runtime.metrics | GET | /metrics | staging-durable |
| membrane.contract | GET | /v1/membrane/contract | shape-only |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| tenant.self | GET | /v1/tenant/self | shape-only |
| tenant.create | POST | /v1/tenants/create | staging-durable |
| company.bootstrap | POST | /v1/companies/bootstrap | staging-durable |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| auth.loginStart | POST | /v1/auth/login/start | staging-durable |
| auth.loginFinish | POST | /v1/auth/login/finish | staging-durable |
| auth.sessionExchange | POST | /v1/auth/session/exchange | fixture-rehearsed |
| auth.sessionIssue | POST | /v1/auth/sessions/issue | staging-durable |
| auth.sessionInspect | POST | /v1/auth/sessions/inspect | staging-durable |
| auth.sessionRefresh | POST | /v1/auth/sessions/refresh | staging-durable |
| auth.rateLimitEvaluate | POST | /v1/auth/rate-limit/evaluate | staging-durable |
| auth.recoveryPolicy | POST | /v1/auth/recovery/policy | staging-durable |
| auth.recoveryExecute | POST | /v1/auth/recovery/execute | staging-durable |
| humanAuth.passkeyRegistrationOptions | POST | /v1/human-auth/passkey/registration/options | staging-durable |
| humanAuth.passkeyAssertionOptions | POST | /v1/human-auth/passkey/assertion/options | staging-durable |
| humanAuth.registerPasskey | POST | /v1/human-auth/passkey/register | staging-durable |
| humanAuth.passkeyImport | POST | /v1/human-auth/passkey/import | staging-durable |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| keyCustody.readiness | GET | /v1/key-custody/readiness | staging-durable |
| keyCustody.attest | POST | /v1/key-custody/attest | staging-durable |
| keyCustody.providerAttest | POST | /v1/key-custody/provider/attest | staging-durable |
| keyCustody.rotationRehearse | POST | /v1/key-custody/rotate | staging-durable |
| keyCustody.revoke | POST | /v1/key-custody/revoke | staging-durable |
| keyCustody.breakGlass | POST | /v1/key-custody/break-glass | staging-durable |
| keyCustody.signingRehearse | POST | /v1/key-custody/signing/rehearse | staging-durable |
| production.admissionPolicy | POST | /v1/production/admission/policy | staging-durable |
| production.admissionPrecheck | POST | /v1/production/admission/precheck | staging-durable |
| production.scopeInspect | GET | /v1/production/scope | staging-durable |
| production.scopeEvaluate | POST | /v1/production/scope/evaluate | staging-durable |
| tenant.productionLifecycleAdvance | POST | /v1/tenants/production-lifecycle/advance | staging-durable |
| company.productionLifecycleAdvance | POST | /v1/companies/production-lifecycle/advance | staging-durable |
| staging.maturityReport | POST | /v1/staging/maturity-report | staging-durable |
| tenant.onboardingGate | POST | /v1/tenants/onboarding-gate | staging-durable |

These endpoints record the missing production gate explicitly. They can cite staging key-custody readiness, fixture attestations, provider attestations, public verification material, rotation rehearsals, key revocations, break-glass receipts, signing rehearsal refusals, production precheck refusals, minimized tenant onboarding records, minimized company bootstrap records, and tenant onboarding gates, but they do not provision production keys, call an external signer, accept private key material, ingest raw customer or register payloads, or set production_admission to true.

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| standing.claim | POST | /v1/standing/claim | staging-durable |
| standing.evaluate | POST | /v1/standing/evaluate | staging-durable |
| standing.grant | POST | /v1/standing/grant | staging-durable |
| standing.revoke | POST | /v1/standing/revoke | staging-durable |
| mandate.delegate | POST | /v1/mandates/delegate | staging-durable |
| mandate.revoke | POST | /v1/mandates/revoke | staging-durable |
| advisor.openMatter | POST | /v1/advisor/matters/open | staging-durable |
| advisor.issueOpinion | POST | /v1/advisor/opinions/issue | staging-durable |
| advisor.requestEvidence | POST | /v1/advisor/evidence/request | staging-durable |
| lens.scope | POST | /v1/lens/scope | staging-durable |
| lens.disclose | POST | /v1/lens/disclose | staging-durable |
| intervention.request | POST | /v1/interventions/request | staging-durable |
| intervention.issue | POST | /v1/interventions/issue | staging-durable |

These are fixture ingress records for generated Koerpers and advisor/lens surfaces. They do not provision production key custody, admit real customer data, create standing from HumanAuth alone, grant advisor admin authority, or expose raw DB, connector payloads, or biometric material.

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| intent.precheck | POST | /v1/intents/precheck | fixture-rehearsed |
| intent.commit | POST | /v1/intents/commit | fixture-rehearsed |
| shop.prepare | POST | /v1/shop/prepare | fixture-rehearsed |
| shop.commit | POST | /v1/shop/commit | fixture-rehearsed |
| vertical.de.invoicePaymentAdvisor | POST | /v1/verticals/de/invoice-payment-advisor | fixture-rehearsed |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| authority.resolveContext | POST | /v1/authority/resolve-context | fixture-rehearsed |
| capability.publish | POST | /v1/capabilities/publish | fixture-rehearsed |
| capability.policy.evaluate | POST | /v1/capabilities/policy/evaluate | staging-durable |
| authority.hostedOperator.grant | POST | /v1/authority/operators/grant | staging-durable |
| authority.hostedOperator.revoke | POST | /v1/authority/operators/revoke | staging-durable |
| authority.package.status | GET | /v1/authority/packages/status | staging-durable |
| authority.package.import | POST | /v1/authority/packages/import | staging-durable |
| authority.package.publisher.onboard | POST | /v1/authority/packages/publishers/onboard | staging-durable |
| authority.package.reviewer.onboard | POST | /v1/authority/packages/reviewers/onboard | staging-durable |
| authority.package.candidate | POST | /v1/authority/packages/candidate | fixture-rehearsed |
| authority.package.review | POST | /v1/authority/packages/review | staging-durable |
| authority.package.activate | POST | /v1/authority/packages/activate | staging-durable |
| authority.package.revoke | POST | /v1/authority/packages/revoke | staging-durable |
| capability.importResolve | POST | /v1/capability/import/resolve | shape-only |
| authority.epochDefine | POST | /v1/authority/epochs/define | shape-only |
| authority.epochTransition | POST | /v1/authority/epochs/transition | shape-only |
| pendulum.publish | POST | /v1/pendulum/publish | shape-only |
| pendulum.publishSource | POST | /v1/pendulum/publish-source | shape-only |
| verlag.publishInstrument | POST | /v1/verlag/instruments/publish | shape-only |
| pilot.admissionGate | POST | /v1/pilot/admission-gate | staging-durable-refusal |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| ops.edgePolicyCheck | POST | /v1/ops/edge-policy/check | staging-durable |
| ops.restoreRehearse | POST | /v1/ops/restore/rehearse | staging-durable |
| ops.incidentReceipt | POST | /v1/ops/incident/receipt | staging-durable |
| ops.status | GET | /v1/ops/status | staging-durable |

capability.publish is the first exposed publication-shaped capability surface. It stores a fixture capability manifest and makes it available to capability.policy.evaluate inside the current fixture runtime. The manifest can be written as M7 evidence when remote storage is configured, but published capabilities are not rehydrated as active evaluator input after restart yet. M27 adds separate staging-durable Verlag publisher and reviewer trust records for authority packages; those are still fixture trust roots and do not enable production admission.

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| humanAuth.challenge | POST | /v1/human-auth/challenge | staging-durable |
| humanAuth.passkeyImport | POST | /v1/human-auth/passkey/import | staging-durable |
| humanAuth.verifyPasskey | POST | /v1/human-auth/passkey/verify | staging-durable |
| humanAuth.passkeyRevoke | POST | /v1/human-auth/passkey/revoke | staging-durable |
| humanAuth.passkeyRotate | POST | /v1/human-auth/passkey/rotate | staging-durable |
| humanAuth.faceMatchFallback | POST | /v1/human-auth/face-match | shape-only |
| authority.presenceApproval | POST | /v1/authority/presence-approval | fixture-rehearsed |
| authority.sessionRevoke | POST | /v1/authority/sessions/revoke | staging-durable |
| authority.keyRotate | POST | /v1/authority/keys/rotate | staging-durable |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| effect.intent | POST | /v1/effects/intent | staging-durable |
| effect.dispatch | POST | /v1/effects/dispatch | fixture-rehearsed |
| economy.invoice | POST | /v1/economy/invoice | staging-durable |
| economy.paymentObservation | POST | /v1/economy/payment-observation | staging-durable |
| economy.bookkeepingFact | POST | /v1/economy/bookkeeping-fact | staging-durable |
| economy.periodClose | POST | /v1/economy/period-close | fixture-rehearsed |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| evidence.witness.fixture | POST | /v1/evidence/witness-fixture | fixture-rehearsed |
| evidence.connector.consent | POST | /v1/evidence/connectors/consent | staging-durable |
| evidence.connector.ingest | POST | /v1/evidence/connectors/ingest | staging-durable |
| evidence.connector.revoke | POST | /v1/evidence/connectors/revoke | staging-durable |
| evidence.connector.status | GET | /v1/evidence/connectors/status | staging-durable |
| receipt.verify | POST | /v1/receipts/verify | shape-only |
| proof.request | POST | /v1/proofs/request | shape-only |
| proof.bundle | POST | /v1/proofs/bundle | staging-durable |
| proof.verify | POST | /v1/proofs/verify | staging-durable, local-verifier-compatible |
| commit.recent | GET | /v1/commits/recent | staging-durable |
| refusal.codes | GET | /v1/refusals/codes | shape-only |
| refusal.registry | GET | /v1/refusals/registry | shape-only |
| m7.state | GET | /v1/m7/state | staging-durable |

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| read.standing.active | GET | /v1/read/standing/active | staging-durable |
| read.mandates.active | GET | /v1/read/mandates/active | staging-durable |
| read.economy.periodCloseReadiness | GET | /v1/read/economy/period-close-readiness | staging-durable |
| read.connectors.evidenceGaps | GET | /v1/read/connectors/evidence-gaps | staging-durable |
| read.proofs.history | GET | /v1/read/proofs/history | staging-durable |
| read.advisor.matters | GET | /v1/read/advisor/matters | staging-durable |
| workcell.publish | POST | /v1/workcells/publish | staging-durable |
| workcell.precheck | POST | /v1/workcells/precheck | staging-durable |
| workcell.revoke | POST | /v1/workcells/revoke | staging-durable |

Read models project durable membrane evidence into Koerper-safe summaries. They never expose raw database rows, raw connector payloads, raw biometric material, or cross-tenant graphs. A Koerper builds list/detail/dashboard views from these endpoints rather than holding canonical state locally.

| Operation | Method | Path | State |
| --- | --- | --- | --- |
| reality.fork | POST | /v1/reality/fork | staging-durable |
| reality.commit | POST | /v1/reality/commit | fixture-rehearsed |
| reality.diff | POST | /v1/reality/diff | staging-durable |
| reality.promote | POST | /v1/reality/promote | fixture-rehearsed |
| reality.discard | POST | /v1/reality/discard | fixture-rehearsed |
| closure.surface | POST | /v1/closure/surface | staging-durable |
| tension.query | POST | /v1/tensions/query | fixture-rehearsed |
| zeitgestalt.query | POST | /v1/zeitgestalt/query | staging-durable |

Each family below has a deeper page covering request/response shapes, SDK examples, and refusal codes.

  • Intents and commits: intent.precheck, intent.commit
  • Shop (hosted operator delegate): shop.prepare, shop.commit
  • Vertical: DE invoice / payment / advisor: vertical.de.invoicePaymentAdvisor
  • Capabilities: capability.publish, capability.policy.evaluate
  • Authority: authority.resolveContext, hosted operators, packages, presence approval, sessions, keys
  • Package onboarding: authority.package.publisher.onboard, authority.package.reviewer.onboard
  • Auth and sessions: auth.loginStart/loginFinish, auth.sessionExchange, auth.sessionIssue/sessionInspect/sessionRefresh, authority.sessionRevoke, auth.rateLimitEvaluate, auth.recoveryPolicy/recoveryExecute, passkey registration/assertion options, register, and import
  • Admission and key custody: keyCustody.readiness/attest/revoke/providerAttest/rotationRehearse/signingRehearse/breakGlass, production.admissionPolicy/admissionPrecheck, production.scopeInspect/scopeEvaluate, tenant.productionLifecycleAdvance, company.productionLifecycleAdvance, staging.maturityReport, tenant.onboardingGate, pilot.admissionGate
  • Operations posture: ops.edgePolicyCheck, ops.restoreRehearse, ops.incidentReceipt, ops.status
  • Standing and mandates: standing.claim/evaluate/grant/revoke, mandate.delegate/revoke
  • Advisor: advisor.openMatter, advisor.issueOpinion, advisor.requestEvidence
  • Lens and intervention: lens.scope/disclose, intervention.request/issue
  • Connectors: evidence.connector.consent/ingest/revoke/status
  • Production gate: keyCustody.readiness, keyCustody.attest, production.admissionPrecheck, tenant.onboardingGate
  • Reality: reality.fork/commit/diff/promote/discard
  • Effects: effect.intent, effect.dispatch
  • Economy: economy.invoice/payment_observation/bookkeeping_fact/period_close
  • Evidence: evidence.witness.fixture, evidence.connector.consent/ingest/revoke/status
  • Proofs and receipts: proof.request, proof.bundle, proof.verify, receipt.verify
  • Human auth: humanAuth.challenge/passkeyImport/verifyPasskey/passkeyRevoke/passkeyRotate/faceMatchFallback
  • Read models: read.standing.active, read.mandates.active, read.economy.periodCloseReadiness, read.connectors.evidenceGaps, read.proofs.history
  • Zeitgestalt and tensions: zeitgestalt.query, tension.query, closure.surface
  • Observability and misc: tenant.self, tenant.create, company.bootstrap, commit.recent, m7.state, refusal.codes, runtime.*

The contract publishes a default posture that informs every refusal:

{
  "missing_standing": "refuse",
  "missing_authority_package": "pend",
  "stale_authority_package": "refuse",
  "low_confidence_extraction": "pend",
  "cross_tenant_access": "refuse",
  "projection_promotion_without_evidence": "refuse"
}

See reference/default-posture.md.

typed request envelopes
typed response envelopes
local receipt verification
fixture simulation
proof disclosure request construction
production admission
tenant key custody
authority package activation
pendulum evaluator dispatch
proof issuance
operator audit policy
raw database access
private signing keys
cross-tenant graph traversal
production package mutation
unscoped proof bundle disclosure