API: Admission and key custody

Capability state: every operation in this file is staging-durable. They record the production gate, but production admission stays globally disabled. pilot.admissionGate is staging-durable-refusal — it always refuses with a durable gate record. Real production keys, real signers, and real public launch all remain out of scope. See 022 gap report for the broader gap surface.

This cluster covers Gestalt’s production gate — the surface that records what would have to be true to admit production but keeps production globally disabled.

Three lanes:

• Key custody lane — keyCustody.providerAttest records an external signer provider posture and public verification material; keyCustody.rotationRehearse and keyCustody.signingRehearse exercise the provider boundary without production signing; keyCustody.breakGlass records a break-glass receipt without emergency key access. None of these ingest private key material.
• Production admission lane — production.admissionPolicy records bounded scope and signer commitments while admission stays disabled; production.admissionPrecheck records a precheck of the prerequisites for admission and pends on a manual gate; staging.maturityReport records a no-wipe staging maturity commitment with explicit boundary assertions.
• Tenant and pilot gate lane — tenant.onboardingGate ties tenant onboarding, company bootstrap, key custody, standing, and precheck records into one durable gate record; pilot.admissionGate evaluates a limited authentic pilot prerequisite list and refuses until a signed production admission exists. m13.keyRotate (contract operation authority.keyRotate) is the holder-key rotation lifecycle for the authenticated session and is documented under authority; it is distinct from keyCustody.rotationRehearse, which rehearses the production signer boundary.

See reference: capability state for what staging-durable and staging-durable-refusal mean.

keyCustody.readiness

Inspect production key-custody readiness without exposing private key material.

GET /v1/key-custody/readiness
state: staging-durable
sdk_role: inspect production key-custody readiness without exposing private key material
request_record: CloudKeyCustodyReadinessRequest
responses: key_custody_readiness | receipt

GET endpoint — no request body. The authenticated tenant is inferred from the session.

Response

{
  "operation": "keyCustody.readiness",
  "outcome": "verified",
  "body": {
    "readiness": "key_custody_readiness:m22_fixture",
    "status": "staging_no_root_ready",
    "storage_profile": "...",
    "root_signing": "no_root_key",
    "root_fallback_enabled": false,
    "production_kms_hsm_ready": false,
    "tenant_key_custody_provider_configured": false,
    "private_key_material_exposed": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

The status is one of:

• staging_no_root_ready — the runtime root signing mode is no_root_key; staging is the only mode and production admission stays disabled.
• fixture_root_fallback_blocks_production — a fixture root fallback is enabled; production admission is structurally blocked until the fixture fallback is removed.

The full payload also lists required_before_production and open_decisions (KMS provider, HSM requirement, break-glass ceremony, tenant- vs platform-managed keys).

SDK example

const readiness = await client.keyCustodyReadiness();

keyCustody.attest

Record a staging key-custody attestation, or refuse production fixture/private material.

POST /v1/key-custody/attest
state: staging-durable
sdk_role: record staging key-custody attestation or refuse production fixture/private material
request_record: CloudKeyCustodyAttestRequest
responses: key_custody_attestation | refusal | receipt

Request

interface KeyCustodyAttestRequest {
  tenant?: GestaltRef;
  company?: GestaltRef;
  attestation_ref?: GestaltRef;
  mode?: string;                   // e.g. "staging_env"
  provider?: string;               // e.g. "fixture_staging_secret_file"
  key_ref?: GestaltRef;
  public_key?: string;
  attestation_hash?: string;
  fixture?: boolean;
  production_requested?: boolean;
  contains_customer_data?: boolean; // refused if true
  private_key_material?: unknown;   // refused if present
  private_key_pem?: string;         // refused if present
}

Response

{
  "operation": "keyCustody.attest",
  "outcome": "admitted",
  "body": {
    "key_custody_attestation": "key_custody_attestation:...",
    "status": "...",
    "mode": "staging_env",
    "provider": "fixture_staging_secret_file",
    "key_ref": "key_registry:...",
    "private_key_material_stored": false,
    "private_key_material_exposed": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

The outcome is admitted for staging mode and pending when production_requested: true (a real production attestation requires keyCustody.providerAttest plus rotation rehearsal, break-glass receipt, and a signed manual gate — see keyCustody.readiness body for the full prerequisite list).

SDK example

const attestation = await client.keyCustodyAttest({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk_calibration",
  attestation_ref: "key_custody_attestation:m22_staging_fixture",
  mode: "staging_env",
  provider: "fixture_staging_secret_file",
  key_ref: "key_registry:m22_staging_key_fixture",
  public_key: "fixture-public-key-not-production",
  attestation_hash: "sha256:m22_staging_key_custody_fixture",
  fixture: true,
  production_requested: false,
});

keyCustody.revoke

Record provider key revocation so future signing rehearsals refuse with a stable code.

POST /v1/key-custody/revoke
state: staging-durable
sdk_role: record provider key revocation so future signing rehearsals refuse with a stable code
request_record: CloudKeyCustodyRevokeRequest
responses: key_custody_revocation | refusal | receipt

Request

interface KeyCustodyRevokeRequest {
  tenant?: GestaltRef;
  company?: GestaltRef;
  provider_attestation?: GestaltRef; // must reference a known durable provider attestation
  key_ref?: GestaltRef;
  reason?: string;
  fixture?: boolean;
  contains_customer_data?: boolean;  // refused if true
}

Response

{
  "operation": "keyCustody.revoke",
  "outcome": "admitted",
  "body": {
    "revocation": "key_custody_revocation:...",
    "key_ref": "key_registry:...",
    "status": "revoked",
    "refuses_future_signing": true,
    "private_key_material_exposed": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Refusal codes: customer_data_forbidden, key_custody_provider_attestation_missing.

After revocation, future keyCustody.signingRehearse calls against the revoked key_ref refuse with a stable code.

SDK example

const revocation = await client.keyCustodyRevoke({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk_calibration",
  provider_attestation: "key_custody_provider_attestation:m23_reserved_kms_fixture",
  key_ref: "key_registry:m23_reserved_kms_fixture",
  reason: "m23_revoked_key_rehearsal",
});

keyCustody.providerAttest

Record external signer provider posture and public verification material without private key ingress.

POST /v1/key-custody/provider/attest
state: staging-durable
sdk_role: record external signer provider posture and public verification material without private key ingress
request_record: CloudKeyCustodyProviderAttestRequest
responses: key_custody_provider_attestation | public_verification_material | refusal | receipt

Request

interface KeyCustodyProviderAttestRequest {
  tenant: GestaltRef;
  company: GestaltRef;
  provider_attestation_ref: GestaltRef;
  mode: string;                      // e.g. "reserved_kms"
  provider: string;                  // e.g. "reserved_kms_adapter"
  key_ref: GestaltRef;
  public_key: string;
  public_key_hash: string;
  attestation_hash: string;
  verification_material: unknown;    // arbitrary JSON: issuer/kid/x5c_hash etc
  fixture: boolean;
  production_requested: boolean;
  contains_customer_data: boolean;   // refused if true
  private_key_material?: unknown;    // refused if present
  private_key_pem?: string;          // refused if present
}

Response

{
  "operation": "keyCustody.providerAttest",
  "outcome": "admitted",
  "body": {
    "provider_attestation": "key_custody_provider_attestation:...",
    "public_verification_material": "key_custody_public_verification_material:...",
    "status": "staging_provider_attested",
    "mode": "reserved_kms",
    "provider": "reserved_kms_adapter",
    "external_provider_required": false,
    "provider_attestation_verified": false,
    "can_satisfy_production": false,
    "private_key_material_stored": false,
    "private_key_material_exposed": false,
    "production_admission": false,
    "durable_state": {
      "provider_attestation": {...},
      "public_verification_material": {...}
    }
  },
  "receipt": {...}
}

When production_requested is true and the rest of the posture qualifies as a production candidate, the outcome flips to pending and status becomes provider_attestation_recorded_unverified. A fixture provider attempting to satisfy production is refused with production_key_custody_fixture_refused.

SDK example

const attested = await client.keyCustodyProviderAttest({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk",
  provider_attestation_ref: "key_custody_provider_attestation:m23_reserved_kms_fixture",
  mode: "reserved_kms",
  provider: "reserved_kms_adapter",
  key_ref: "key_registry:m23_reserved_kms_fixture",
  public_key: "reserved-provider-public-key-fixture",
  public_key_hash: "",
  attestation_hash: "sha256:m23_reserved_provider_attestation_fixture",
  verification_material: {
    issuer: "fixture",
    kid: "m23-reserved-provider",
    x5c_hash: "sha256:m23_fixture_x5c",
  },
  fixture: false,
  production_requested: false,
  contains_customer_data: false,
});

keyCustody.rotationRehearse

Rehearse key rotation while preserving old public verification material.

POST /v1/key-custody/rotate
state: staging-durable
sdk_role: rehearse key rotation while preserving old public verification material
request_record: CloudKeyCustodyRotationRequest
responses: key_custody_rotation | refusal | receipt

Request

interface KeyCustodyRotationRequest {
  tenant: GestaltRef;
  company: GestaltRef;
  provider_attestation: GestaltRef;
  key_ref: GestaltRef;
  replacement_key_ref: GestaltRef;
  replacement_public_key: string;
  rotation_reason: string;
  fixture: boolean;
  contains_customer_data: boolean;   // refused if true
  private_key_material?: unknown;    // refused if present
  private_key_pem?: string;          // refused if present
}

Response

{
  "operation": "keyCustody.rotationRehearse",
  "outcome": "verified",
  "body": {
    "rotation": "key_custody_rotation:...",
    "status": "rotation_rehearsed",
    "old_public_material_preserved": true,
    "replacement_private_key_material_stored": false,
    "provider_rotation_executed": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

The handler refuses with key_custody_provider_attestation_missing if provider_attestation is unknown, and with key_custody_key_revoked if the key has already been revoked.

SDK example

const rotated = await client.keyCustodyRotationRehearse({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk",
  provider_attestation: "key_custody_provider_attestation:m23_reserved_kms_fixture",
  key_ref: "key_registry:m23_reserved_kms_fixture",
  replacement_key_ref: "key_registry:m23_reserved_kms_fixture_rotated",
  replacement_public_key: "reserved-provider-rotated-public-key-fixture",
  rotation_reason: "m23_rotation_rehearsal",
  fixture: false,
  contains_customer_data: false,
});

keyCustody.signingRehearse

Exercise the signer provider boundary without production signing.

POST /v1/key-custody/signing/rehearse
state: staging-durable
sdk_role: exercise the signer provider boundary without production signing
request_record: CloudKeyCustodySigningRehearsalRequest
responses: key_custody_signing_rehearsal | refusal | receipt

Request

interface KeyCustodySigningRehearsalRequest {
  tenant: GestaltRef;
  company: GestaltRef;
  provider_attestation: GestaltRef;
  key_ref: GestaltRef;
  payload_hash: string;
  production_payload: boolean;       // refused with durable record if true
  contains_customer_data: boolean;   // refused if true
}

Response

{
  "operation": "keyCustody.signingRehearse",
  "outcome": "pending",
  "body": {
    "status": "rehearsed_provider_boundary",
    "stable_code": "key_custody_signing_provider_unavailable",
    "signature_created": false,
    "external_provider_called": false,
    "private_key_material_exposed": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Every refusal still produces a durable M7 record. The stable codes are:

• key_custody_production_signing_disabled — production_payload: true
• key_custody_provider_attestation_missing — unknown attestation
• key_custody_key_revoked — key has been revoked
• key_custody_signing_provider_unavailable — boundary reached; no fixture signature is ever produced

SDK example

const rehearsal = await client.keyCustodySigningRehearse({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk",
  provider_attestation: "key_custody_provider_attestation:m23_reserved_kms_fixture",
  key_ref: "key_registry:m23_reserved_kms_fixture",
  payload_hash: "sha256:m23_signing_rehearsal_payload",
  production_payload: false,
  contains_customer_data: false,
});

keyCustody.breakGlass

Record break-glass receipt without emergency key access or private material exposure.

POST /v1/key-custody/break-glass
state: staging-durable
sdk_role: record break-glass receipt without emergency key access or private material exposure
request_record: CloudKeyCustodyBreakGlassRequest
responses: key_custody_break_glass_receipt | refusal | receipt

Request

interface KeyCustodyBreakGlassRequest {
  tenant: GestaltRef;
  company: GestaltRef;
  provider_attestation: GestaltRef;
  key_ref: GestaltRef;
  operator: GestaltRef;
  justification_hash: string;
  approver_receipt: GestaltRef;      // required; usually a human_presence_receipt
  fixture: boolean;
  contains_customer_data: boolean;   // refused if true
  private_key_material?: unknown;    // refused if present
  private_key_pem?: string;          // refused if present
}

Response

{
  "operation": "keyCustody.breakGlass",
  "outcome": "admitted",
  "body": {
    "break_glass": "key_custody_break_glass:...",
    "status": "receipt_recorded",
    "emergency_access_executed": false,
    "private_key_material_stored": false,
    "private_key_material_exposed": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

emergency_access_executed: false is asserted explicitly: this records the break-glass intent and approver receipt; no key access is performed in fixture.

SDK example

const breakGlass = await client.keyCustodyBreakGlass({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk",
  provider_attestation: "key_custody_provider_attestation:m23_reserved_kms_fixture",
  key_ref: "key_registry:m23_reserved_kms_fixture",
  operator: "hosted_operator:fixture",
  justification_hash: "sha256:m23_break_glass_fixture_justification",
  approver_receipt: "human_presence_receipt:fixture_private_presence",
  fixture: false,
  contains_customer_data: false,
});

production.admissionPolicy

Record bounded production admission policy scope and signer while production remains globally disabled.

POST /v1/production/admission/policy
state: staging-durable
sdk_role: record bounded production admission policy scope and signer while production remains globally disabled
request_record: CloudProductionAdmissionPolicyRequest
responses: production_admission_policy | refusal | receipt

Request

interface ProductionAdmissionPolicyRequest {
  tenant: GestaltRef;
  policy_ref: GestaltRef;
  jurisdiction: string;                          // e.g. "DE"
  vertical: string;                              // e.g. "invoice_payment_advisor"
  tenant_type: string;                           // e.g. "single_company_pilot"
  admitted_connectors: string[];
  admitted_authority_packages: GestaltRef[];
  admitted_effects: string[];
  admitted_proof_outputs: string[];
  excluded_operations: string[];
  forbidden_data_classes: string[];
  admission_signer: GestaltRef;
  admission_signer_commitment: string;
  public_launch_claim: boolean;                  // refused if true
  production_admission_enabled: boolean;         // refused if true
  contains_customer_data: boolean;               // refused if true
}

Response

{
  "operation": "production.admissionPolicy",
  "outcome": "pending",
  "body": {
    "production_admission_policy": "production_admission_policy:m36_fixture",
    "policy_scope_bound": true,
    "public_launch_claim": false,
    "global_production_admission_enabled": false,
    "production_admission": false,
    "raw_customer_payload_stored": false,
    "raw_db_exposed": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

All scope-defining fields are required; if any is empty the handler refuses with production_admission_policy_scope_missing. The policy must not enable production admission and must not assert any of the phrases enumerated under customer_boundary_lane.forbidden_doc_claims in contracts/production-admission.v0.json.

SDK example

const policy = await client.productionAdmissionPolicy({
  tenant: "tenant_node:rheinwerk_calibration",
  policy_ref: "production_admission_policy:m36_fixture",
  jurisdiction: "DE",
  vertical: "invoice_payment_advisor",
  tenant_type: "single_company_pilot",
  admitted_connectors: ["sandbox_invoice"],
  admitted_authority_packages: [
    "authority_package:m6_cloud_authority_fixture_2026_04",
  ],
  admitted_effects: ["none_production_disabled"],
  admitted_proof_outputs: ["redacted_proof_bundle"],
  excluded_operations: [
    "public_launch_claim",
    "automated_filing",
    "raw_customer_payload_ingest",
  ],
  forbidden_data_classes: [
    "raw_biometric_material",
    "raw_connector_payload",
    "raw_register_payload",
    "raw_database_access",
  ],
  admission_signer: "policy_signer:m36_fixture",
  admission_signer_commitment: "sha256:m36_policy_signer_fixture",
  public_launch_claim: false,
  production_admission_enabled: false,
  contains_customer_data: false,
});

production.scopeInspect

Return the production v0 boundary contract — the operation maturity map, evaluator contract, guard rules, and refuse-by-default admission state — for the running fixture cloud.

GET /v1/production/scope
state: staging-durable
sdk_role: not yet wrapped — call directly when the Koerper needs to render the production boundary
request_record: (empty body)
responses: production_scope_snapshot | receipt

Request

The endpoint takes no body. No bearer token is required (the contract is public).

Response

{
  "operation": "production.scopeInspect",
  "outcome": "verified",
  "body": {
    "production_scope": {...},
    "maturity_labels": {...},
    "operation_maturity_count": 108,
    "evaluator_contract": {...},
    "guard_rules": {...},
    "production_admission": false,
    "raw_db_exposed": false
  },
  "receipt": {...}
}

The TS SDK does not yet have a thin wrapper. Use fetch directly:

const scope = await fetch(
  "http://127.0.0.1:3011/v1/production/scope",
).then(r => r.json());

production.scopeEvaluate

Evaluate a candidate operation against the production v0 boundary contract. The handler returns a bounded admission decision and the specific evidence/posture gates that would need to pass before an operation could enter production. It does not change global production admission.

POST /v1/production/scope/evaluate
state: staging-durable
sdk_role: not yet wrapped — call directly to dry-run admission posture against the boundary
request_record: CloudProductionScopeEvaluateRequest
responses: production_scope_decision | refusal | receipt

Request

interface ProductionScopeEvaluateRequest {
  operation: string;                        // e.g. "economy.invoice"
  jurisdiction?: string;                    // e.g. "DE"
  tenant_type?: string;                     // e.g. "single_company_pilot"
  vertical?: string;                        // e.g. "invoice_payment_advisor"
  data_classes_present: string[];           // declared data classes
  public_launch_claim: boolean;             // refused if true
  fixture_credential: boolean;
  signed_policy_ref?: string;
  signer_commitment?: string;
  policy_expired: boolean;
  tenant_ref?: string;
  company_ref?: string;
  // ... rich set of optional posture fields:
  //   tenant/company lifecycle state, signer provider posture,
  //   key revocation status, session assurance, HumanAuth presence
  //   freshness, passkey binding, standing/mandate/identity binding,
  //   hosted operator grant, authority package + epoch, connector
  //   consent + adapter profile, evidence presence (invoice, payment,
  //   advisor, bookkeeping, closure), period close request, effect
  //   intent posture, schema/migration/restore posture, edge policy
  //   posture, audit retention, pilot admission record.
}

If a posture field is omitted, the handler infers what it can from the durable record graph (tenant/company lifecycle state, signer provider posture, key revocation, HumanAuth presence freshness). The full field list lives in crates/gestalt-cloud/src/lib.rs on ProductionScopeEvaluateRequest.

Response

{
  "operation": "production.scopeEvaluate",
  "outcome": "verified",
  "body": {
    "production_scope_decision": "...",
    "admitted": false,
    "missing_evidence": ["..."],
    "failed_gates": ["..."],
    "production_admission": false,
    "raw_db_exposed": false
  },
  "receipt": {...}
}

The decision body is a refuse-by-default citation. A verified outcome means the evaluation completed; it does not mean the operation is admitted into production.

production.admissionPrecheck

Record production gate precheck while production admission remains disabled.

POST /v1/production/admission/precheck
state: staging-durable
sdk_role: record production gate precheck while production admission remains disabled
request_record: CloudProductionAdmissionPrecheckRequest
responses: production_admission_precheck | refusal | receipt

Request

interface ProductionAdmissionPrecheckRequest {
  tenant: GestaltRef;
  company: GestaltRef;
  precheck_ref: GestaltRef;
  key_custody_attestation: GestaltRef;
  edge_access_policy: GestaltRef;
  authority_package: GestaltRef;
  proof_issuer: GestaltRef;
  backup_restore_receipt: GestaltRef;
  hostile_suite_receipt: GestaltRef;
  manual_gate_signature?: string;
  request_production: boolean;
  contains_customer_data: boolean;   // refused if true
}

Response

{
  "operation": "production.admissionPrecheck",
  "outcome": "pending",
  "body": {
    "production_precheck": "production_admission_precheck:m22_fixture",
    "status": "pending_manual_gate",
    "failed_gate": "production_admission_manual_gate_required",
    "manual_gate_required": true,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

When prerequisites are missing, returns outcome: "refused" with failed_gate: "production_admission_prerequisites_missing" and a durable record. When a manual_gate_signature is supplied, the runtime still refuses with production_admission_disabled (the runtime never accepts a fixture signature as production admission).

SDK example

const precheck = await client.productionAdmissionPrecheck({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk",
  precheck_ref: "production_admission_precheck:m22_fixture",
  key_custody_attestation: "key_custody_attestation:m22_staging_fixture",
  edge_access_policy: "edge_access_policy:m22_fixture",
  authority_package: "authority_package:m6_cloud_authority_fixture_2026_04",
  proof_issuer: "proof_issuer:m22_fixture",
  backup_restore_receipt: "receipt:m18_restore_verified",
  hostile_suite_receipt: "receipt:m17_hostile_suite_verified",
  request_production: true,
  contains_customer_data: false,
});

tenant.onboardingGate

Tie known tenant onboarding, company bootstrap, key custody, standing, and production precheck records without admitting production.

POST /v1/tenants/onboarding-gate
state: staging-durable
sdk_role: tie known tenant onboarding, company bootstrap, key custody, standing, and production precheck records without admitting production
request_record: CloudTenantOnboardingGateRequest
responses: tenant_onboarding_gate | refusal | receipt

Request

interface TenantOnboardingGateRequest {
  tenant: GestaltRef;
  tenant_onboarding: GestaltRef;
  company_bootstrap: GestaltRef;
  key_custody_attestation: GestaltRef;
  standing_grant: GestaltRef;
  production_precheck: GestaltRef;
  fixture: boolean;                  // must be true
  contains_customer_data: boolean;   // refused if true
}

Response

{
  "operation": "tenant.onboardingGate",
  "outcome": "pending",
  "body": {
    "tenant_onboarding_gate": "tenant_onboarding_gate:...",
    "status": "blocked_before_production",
    "tenant_onboarding": "tenant_node:m21_koerper_fixture",
    "company_bootstrap": "company_geist:m21_koerper_fixture",
    "key_custody_attestation": "key_custody_attestation:m22_staging_fixture",
    "production_precheck": "production_admission_precheck:m22_fixture",
    "standing_grant": "standing:...",
    "known_record_checks_passed": true,
    "tenant_key_custody_bound": true,
    "tenant_key_custody_provisioned": false,
    "human_presence_creates_standing": false,
    "standing_is_separate_from_identity_binding": true,
    "customer_data_stored": false,
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Each input reference must already be a known durable record; the handler refuses with tenant_onboarding_*_unknown codes otherwise. The gate explicitly records the boundary that human presence does not create standing and standing is separate from identity binding.

SDK example

const gate = await client.tenantOnboardingGate({
  tenant: "tenant_node:rheinwerk_calibration",
  tenant_onboarding: "tenant_node:m21_koerper_fixture",
  company_bootstrap: "company_geist:m21_koerper_fixture",
  key_custody_attestation: "key_custody_attestation:m22_staging_fixture",
  standing_grant: "standing:anna_geschaeftsfuehrer_fixture",
  production_precheck: "production_admission_precheck:m22_fixture",
  fixture: true,
  contains_customer_data: false,
});

tenant.productionLifecycleAdvance

Advance a tenant onboarding record through the production lifecycle states (candidate -> evidence_pending -> reviewer_pending -> verified_for_pilot, with refused and revoked as terminal states). Each transition records hash-only evidence and reviewer receipt commitments. A fixture-marked tenant cannot enter the production lifecycle, and raw customer payloads are refused.

POST /v1/tenants/production-lifecycle/advance
state: staging-durable
sdk_role: not yet wrapped — call directly when driving the production gate
request_record: CloudTenantProductionLifecycleAdvanceRequest
responses: tenant_lifecycle | refusal | receipt

Request

interface TenantProductionLifecycleAdvanceRequest {
  tenant: GestaltRef;
  tenant_onboarding: GestaltRef;     // must be a known durable record
  target_state: string;              // candidate | evidence_pending | reviewer_pending | verified_for_pilot | refused | revoked
  evidence_refs: GestaltRef[];       // required past `candidate`
  reviewer_receipt_refs: GestaltRef[]; // required for reviewer_pending and verified_for_pilot
  fixture: boolean;                  // refused if true
  contains_customer_data: boolean;   // refused if true
  raw_customer_payload?: unknown;    // refused if present
}

Response

{
  "operation": "tenant.productionLifecycleAdvance",
  "outcome": "admitted",
  "body": {
    "tenant_lifecycle": "tenant_node:...",
    "lifecycle_state": "verified_for_pilot",
    "prior_state": "reviewer_pending",
    "evidence_count": 3,
    "reviewer_receipt_count": 2,
    "production_admission": false,
    "raw_db_exposed": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Refusal codes worth knowing: customer_data_forbidden, production_tenant_lifecycle_fixture_refused, production_tenant_lifecycle_state_invalid, tenant_onboarding_candidate_unknown, production_tenant_lifecycle_transition_invalid, production_tenant_lifecycle_evidence_missing, production_tenant_lifecycle_reviewer_missing.

company.productionLifecycleAdvance

Mirror of tenant.productionLifecycleAdvance for the company bootstrap. A fixture-marked company cannot enter the production lifecycle, and raw register payloads are refused.

POST /v1/companies/production-lifecycle/advance
state: staging-durable
sdk_role: not yet wrapped — call directly when driving the production gate
request_record: CloudCompanyProductionLifecycleAdvanceRequest
responses: company_lifecycle | refusal | receipt

Request

interface CompanyProductionLifecycleAdvanceRequest {
  tenant: GestaltRef;
  company_bootstrap: GestaltRef;
  target_state: string;              // same state machine as tenant
  company_form: string;              // e.g. "DE_GmbH"
  evidence_refs: GestaltRef[];
  reviewer_receipt_refs: GestaltRef[];
  fixture: boolean;                  // refused if true
  contains_customer_data: boolean;   // refused if true
  raw_register_payload?: unknown;    // refused if present
}

Response

Shape mirrors tenant.productionLifecycleAdvance with company_lifecycle in place of tenant_lifecycle.

staging.maturityReport

Record the guarded no-wipe staging maturity report commitment without raw replay payloads or production admission.

POST /v1/staging/maturity-report
state: staging-durable
sdk_role: record the guarded no-wipe staging maturity report commitment without raw replay payloads or production admission
request_record: CloudStagingMaturityReportRequest
responses: staging_maturity_report | refusal | receipt

Request

interface StagingMaturityReportRequest {
  tenant: GestaltRef;
  report_ref: GestaltRef;
  run_slug: string;
  report_commitment: string;                    // sha256: prefix required
  source_summary_commitment: string;            // sha256: prefix required
  required_trials: string[];                    // e.g. ["m13","m14",...]
  trial_count: number;
  pass_count: number;                           // must equal trial_count
  manifest_commitment_count: number;
  proof_verification_count: number;
  proof_verification_pass_count: number;
  proof_verification_expected_refusal_count: number;
  boundary_failure_count: number;               // must be 0
  gate_state: string;                           // must be "staging_durable_not_production"
  production_admission_enabled: boolean;        // refused if true
  public_launch_claim: boolean;                 // refused if true
  customer_data_admitted: boolean;              // refused if true
  root_signing_before: string;                  // must be "no_root_key"
  root_signing_after: string;                   // must be "no_root_key"
  production_admission_before: boolean;         // must be false
  production_admission_after: boolean;          // must be false
  raw_db: string;                               // must be "not_exposed"
  database_locator_exposed: boolean;            // must be false
  raw_biometric_material_exposed: boolean;      // must be false
  raw_connector_payload_exposed: boolean;       // must be false
  raw_credential_material_stored: boolean;      // must be false
  private_key_material_exposed: boolean;        // must be false
  raw_package_payload_stored: boolean;          // must be false
}

Response

{
  "operation": "staging.maturityReport",
  "outcome": "recorded",
  "body": {
    "staging_maturity_report": "staging_maturity_report:fixture",
    "report_commitment": "sha256:fixture_maturity_report",
    "gate_state": "staging_durable_not_production",
    "trial_count": 12,
    "manifest_commitment_count": 1,
    "proof_verification_count": 1,
    "production_admission": false,
    "raw_db_exposed": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

The boundary fields are checked exhaustively. Any deviation (production admission flipped, raw payloads claimed, root signing key set, database locator exposed, etc.) returns staging_maturity_report_boundary_failed and the report is not recorded.

SDK example

const report = await client.stagingMaturityReport({
  tenant: "tenant_node:rheinwerk_calibration",
  report_ref: "staging_maturity_report:fixture",
  run_slug: "fixture",
  report_commitment: "sha256:fixture_maturity_report",
  source_summary_commitment: "sha256:fixture_no_wipe_summary",
  required_trials: ["m13","m14","m19","m23","m24","m25","m26","m27","m28","m29","m30","m35"],
  trial_count: 12,
  pass_count: 12,
  manifest_commitment_count: 1,
  proof_verification_count: 1,
  proof_verification_pass_count: 1,
  proof_verification_expected_refusal_count: 0,
  boundary_failure_count: 0,
  gate_state: "staging_durable_not_production",
  production_admission_enabled: false,
  public_launch_claim: false,
  customer_data_admitted: false,
  root_signing_before: "no_root_key",
  root_signing_after: "no_root_key",
  production_admission_before: false,
  production_admission_after: false,
  raw_db: "not_exposed",
  database_locator_exposed: false,
  raw_biometric_material_exposed: false,
  raw_connector_payload_exposed: false,
  raw_credential_material_stored: false,
  private_key_material_exposed: false,
  raw_package_payload_stored: false,
});

pilot.admissionGate

Evaluate limited authentic pilot prerequisites and refuse until signed production admission is available.

POST /v1/pilot/admission-gate
state: staging-durable-refusal
sdk_role: evaluate limited authentic pilot prerequisites and refuse until signed production admission is available
request_record: CloudPilotAdmissionGateRequest
responses: pilot_admission_gate | refusal | receipt

Request

interface PilotAdmissionGateRequest {
  tenant: GestaltRef;
  company: GestaltRef;
  pilot_ref: GestaltRef;
  customer_consent_hash: string;
  data_boundary_hash: string;
  support_runbook_hash: string;
  production_precheck: GestaltRef;
  tenant_onboarding_gate: GestaltRef;
  key_custody_provider_attestation: GestaltRef;
  human_presence_receipt: GestaltRef;
  standing_grant: GestaltRef;
  connector_consent: GestaltRef;
  authority_package: GestaltRef;
  proof_bundle: GestaltRef;
  proof_manifest_commitment: string;
  edge_policy: GestaltRef;
  restore_rehearsal: GestaltRef;
  rollback_rehearsal: GestaltRef;
  incident_receipt: GestaltRef;
  production_gate_signature?: string;
  no_public_launch_claim: boolean;       // must be true
  automated_filing_disabled: boolean;    // must be true
  customer_data_live: boolean;           // refused if true
}

Response

This operation always responds with outcome: "refused" and a durable record. The HTTP status is 403. The failed_gate field indicates the reason:

{
  "operation": "pilot.admissionGate",
  "outcome": "refused",
  "body": {
    "stable_code": "pilot_production_admission_disabled",
    "production_admission": false,
    "durable_state": {...}
  },
  "receipt": {...}
}

Failure modes (in order checked):

• pilot_prerequisites_missing — any of the prerequisite records is unknown or any boundary hash is empty.
• pilot_production_gate_signature_missing — all prerequisites are present but no production_gate_signature is supplied.
• pilot_production_admission_disabled — every prerequisite plus signature is present, but production pilot admission remains disabled in this runtime. (This is the terminal staging refusal shape.)

The durable payload also records the explicit hard_limits for a pilot — one tenant, one company, one connector or manual lane, one authority package family, automated filing disabled, no broad availability claim, manual support and rollback — and the matching non_claims_visible list. The non-claims include everything enumerated under customer_boundary_lane.forbidden_doc_claims in contracts/production-admission.v0.json, plus automated filing, broad connector catalog, and production admission.

SDK example

const pilot = await client.pilotAdmissionGate({
  tenant: "tenant_node:rheinwerk_calibration",
  company: "company_geist:rheinwerk",
  pilot_ref: "pilot_gate:m30_fixture",
  customer_consent_hash: "sha256:m30_customer_consent_fixture",
  data_boundary_hash: "sha256:m30_data_boundary_fixture",
  support_runbook_hash: "sha256:m30_support_runbook_fixture",
  production_precheck: "production_admission_precheck:m22_fixture",
  tenant_onboarding_gate: "tenant_onboarding_gate:m25_fixture",
  key_custody_provider_attestation: "key_custody_provider_attestation:m23_reserved_kms_fixture",
  human_presence_receipt: "human_presence_receipt:fixture_private_presence",
  standing_grant: "standing:anna_geschaeftsfuehrer_fixture",
  connector_consent: "connector_consent:m26_fixture",
  authority_package: "authority_package:m6_cloud_authority_fixture_2026_04",
  proof_bundle: "proof_bundle:m6_cross_domain_cloud_authority_worldline",
  proof_manifest_commitment: "sha256:m30_manifest_required",
  edge_policy: "ops_edge_policy:m29_fixture",
  restore_rehearsal: "ops_backup_restore:m29_fixture",
  rollback_rehearsal: "ops_rollback:m29_fixture",
  incident_receipt: "ops_incident:m29_fixture",
  no_public_launch_claim: true,
  automated_filing_disabled: true,
  customer_data_live: false,
});

On m13.keyRotate

The contract operation authority.keyRotate (request record CloudM13KeyRotateRequest, SDK method m13KeyRotate) is the holder-key rotation lifecycle for the authenticated session. It is documented under authority. It is distinct from keyCustody.rotationRehearse:

• m13.keyRotate / authority.keyRotate rotates the session holder key inside the staging-durable session lifecycle. The request must reference the authenticated session’s holder_key; the response records key_lifecycle with private_key_exposed: false.
• keyCustody.rotationRehearse rehearses the production signer provider boundary, preserving old public verification material for an external KMS-style key. It does not touch session holder keys.

Both record durable lifecycles; neither admits production.

Refusal codes

Selected refusal codes returned by this cluster (see refusal.codes for the full list):

customer_data_forbidden
key_custody_private_material_refused
key_custody_provider_attestation_required
key_custody_provider_attestation_missing
key_custody_key_revoked
key_custody_break_glass_private_material_refused
key_custody_break_glass_approval_missing
key_custody_production_signing_disabled
key_custody_signing_provider_unavailable
production_key_custody_fixture_refused
production_admission_policy_public_launch_forbidden
production_admission_policy_enable_forbidden
production_admission_policy_scope_missing
production_admission_prerequisites_missing
production_admission_disabled
production_admission_manual_gate_required
staging_maturity_report_production_claim_forbidden
staging_maturity_report_commitment_missing
staging_maturity_report_boundary_failed
staging_maturity_report_not_full_coverage
tenant_onboarding_key_custody_missing
tenant_onboarding_production_precheck_missing
tenant_onboarding_standing_missing
tenant_onboarding_candidate_unknown
tenant_onboarding_company_bootstrap_unknown
tenant_onboarding_key_custody_unknown
tenant_onboarding_production_precheck_unknown
tenant_onboarding_standing_unknown
koerper_fixture_only
pilot_public_launch_claim_forbidden
pilot_automated_filing_forbidden
pilot_prerequisites_missing
pilot_production_gate_signature_missing
pilot_production_admission_disabled

Where to read next

• API: authority — authority.keyRotate (the session holder-key sibling of keyCustody.rotationRehearse)
• API: auth and sessions — the staging session lifecycle that the production gate refuses to admit
• Reference: capability state
• Reference: refusal codes