Skip to content
Gestalt

API: Authority

Capability state: mixed. See per-operation labels below; full map in reference/capability-state.md.

This page covers the authority-side membrane operations: context resolution, hosted operator delegation, the authority package lifecycle, presence approval, session revocation, and key rotation.

authority.resolveContext

Section titled “authority.resolveContext”

Given a target jurisdiction and signal tags, return the matched sovereign demands and integrity findings.

POST /v1/authority/resolve-context
state: fixture-rehearsed
runtime_owner: cloud_geist
sdk_role: submit context and evidence refs
request_record: CloudAuthorityResolveContextRequest

Request

Section titled “Request”
interface AuthorityResolveContextRequest {
  subjectCompany?: GestaltRef;
  effectiveContext?: GestaltRef;
  from?: string;            // e.g. "DE"
  to: string[];             // e.g. ["FR"]
  tags: string[];           // e.g. ["warehouse_country:FR"]
  evidenceRefs: GestaltRef[];
}

Response

Section titled “Response”
{
  "operation": "authority.resolveContext",
  "outcome": "verified",
  "body": {
    "confidence": "deterministic_fixture",
    "matchedDemands": [
      "sovereign_demand:de_registered_office_continuity",
      "sovereign_demand:fr_tax_establishment_and_vat"
    ]
  },
  "receipt": {...}
}

SDK example

Section titled “SDK example”
const resolution = await client.resolveAuthorityContext({
  subjectCompany: "company_geist:rheinwerk_calibration",
  effectiveContext: "effective_context:fixture_de_gmbh",
  to: ["FR"],
  tags: ["warehouse_country:FR"],
  evidenceRefs: [],
});

The fixture matches DE/FR/US deterministically; real resolution will require active authority packages and Pendulum dispatch.

Hosted operator delegation

Section titled “Hosted operator delegation”

A hosted operator is a Gestalt-managed delegate that holds a narrow scoped grant from a tenant for shop-origin acts. See shop.md.

authority.hostedOperator.grant

Section titled “authority.hostedOperator.grant”
POST /v1/authority/operators/grant
state: staging-durable
sdk_role: grant staged hosted operator delegation through membrane mutation
request_record: CloudHostedOperatorMutationRequest
{
  "operation": "authority.hostedOperator.grant",
  "outcome": "admitted",
  "body": {
    "grantAtom": "atom:...",
    "signer": { "kind": "tenant_signer" }
  },
  "receipt": {...}
}

authority.hostedOperator.revoke

Section titled “authority.hostedOperator.revoke”
POST /v1/authority/operators/revoke
state: staging-durable
sdk_role: revoke staged hosted operator delegation through membrane mutation
{
  "operation": "authority.hostedOperator.revoke",
  "outcome": "admitted",
  "body": {
    "revokeAtom": "atom:...",
    "signer": { "kind": "tenant_signer" }
  },
  "receipt": {...}
}

The hosted operator’s actual standing is not yet a real product boundary — see 022 gap report items 9, 10.

Authority packages

Section titled “Authority packages”

See concepts: authority packages for the model. The membrane operations:

authority.package.status

Section titled “authority.package.status”
GET /v1/authority/packages/status
state: fixture-rehearsed
sdk_role: inspect fixture authority package governance state

Returns the status of authority packages known to the tenant.

authority.package.import

Section titled “authority.package.import”
POST /v1/authority/packages/import
state: fixture-rehearsed
sdk_role: import package manifest with content hash source hash publisher signature and supersession metadata
request_record: CloudAuthorityPackageMutationRequest
const imported = await client.packageImport({
  tenant: "tenant_node:rheinwerk_calibration",
  package: "authority_package:france_market_entry_projection_2026_04",
  publisher_signed: true,
  manifest_version: "authority.package.manifest.v0.fixture",
  source_hash: "sha256:fixture_source",
  content_hash: "sha256:fixture_manifest",
  tampered_manifest: false,
  stale: false,
  self_activate: false,
});

Refusal codes: authority_package_tamper_refused, authority_package_stale, authority_package_self_activation_refused.

authority.package.candidate

Section titled “authority.package.candidate”
POST /v1/authority/packages/candidate
state: fixture-rehearsed
sdk_role: create package candidate from changed source evidence

authority.package.review

Section titled “authority.package.review”
POST /v1/authority/packages/review
state: fixture-rehearsed
sdk_role: record reviewer approval or refusal
const review = await client.packageReview({
  tenant: "tenant_node:rheinwerk_calibration",
  package: "authority_package:france_market_entry_projection_2026_04",
  reviewer_decision: "approve",   // | "refuse"
});

authority.package.activate

Section titled “authority.package.activate”
POST /v1/authority/packages/activate
state: fixture-rehearsed
sdk_role: request staged fixture activation after publisher and reviewer gates
const activation = await client.packageActivate({
  tenant: "tenant_node:rheinwerk_calibration",
  package: "authority_package:france_market_entry_projection_2026_04",
  publisher_signed: true,
  reviewer_decision: "approve",
  self_activate: false,
});

self_activate: true is structurally refused.

authority.package.revoke

Section titled “authority.package.revoke”
POST /v1/authority/packages/revoke
state: fixture-rehearsed
sdk_role: revoke active fixture package

Presence approval

Section titled “Presence approval”

authority.presenceApproval

Section titled “authority.presenceApproval”
POST /v1/authority/presence-approval
state: fixture-rehearsed
sdk_role: satisfy sensitive approval with human presence while keeping identity standing and delegation separate
request_record: CloudM13PresenceApprovalRequest

A human presence receipt (from humanAuth.verifyPasskey or humanAuth.faceMatchFallback) is presented to satisfy a sensitive approval requirement without creating new standing or delegation.

const approval = await client.m13PresenceApproval({
  tenant: "tenant_node:rheinwerk_calibration",
  actor: "human_person:anna",
  vessel: "vessel:fixture_sdk",
  human_presence_receipt: "human_presence_receipt:fixture_private_presence",
  create_standing_from_presence: false,
});

Refusal codes: m13_wrong_actor, m13_wrong_vessel, m13_human_presence_cannot_create_standing (if you set create_standing_from_presence: true, intentionally refused — presence does not create standing).

See human-auth.md for the presence flow.

Session and key lifecycle

Section titled “Session and key lifecycle”

authority.sessionRevoke

Section titled “authority.sessionRevoke”
POST /v1/authority/sessions/revoke
state: staging-durable
sdk_role: record session revocation lifecycle without exposing raw session token
const revocation = await client.m13SessionRevoke({
  tenant: "tenant_node:rheinwerk_calibration",
  session: "auth_session:fixture_valid",
  enforce_runtime_overlay: true,
});

The raw session token is never exposed in either request or response shape.

authority.keyRotate

Section titled “authority.keyRotate”
POST /v1/authority/keys/rotate
state: staging-durable
sdk_role: record holder-key rotation lifecycle without exposing private key material
const rotation = await client.m13KeyRotate({
  tenant: "tenant_node:rheinwerk_calibration",
  key: "key_registry:rheinwerk_session_signing_fixture",
  replacement_key: "key_registry:rheinwerk_session_signing_fixture_rotated",
  enforce_runtime_overlay: true,
});

Private key material is never in the request or response shape. Real key custody (the closed boundary) is gated; see 022 item 2.

Section titled “Where to read next”