Operations: observability

Status: staging-durable for probes. Health, ready, version, metrics endpoints work locally and on remote staging.

This page covers what you can observe about a Gestalt cloud at runtime — without touching governed state.

All four probe endpoints (health, ready, version, metrics) are unauthenticated and exist for ops and CI.

The health endpoint returns 200 if the runtime is healthy.

The ready endpoint returns a JSON body with the runtime posture. Example:

{
  "production_admission": false,
  "ready": true,
  "root_signing": "no_root_key",
  "runtime": "gestalt.cloud.fixture",
  "sessions": 4,
  "storage": "surreal-remote"
}

production_admission: false is an operating invariant today. root_signing: "no_root_key" is the expected posture under --no-root-key.
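
A fail-closed CI check for the ready posture described above, as an added example (not Gestalt's own code). It assumes the body has the shape of the sample on this page; the function name posture_violations and the script name check_posture.py are hypothetical.

```python
import json

# Sample ready-probe body, copied from the example on this page.
SAMPLE_READY = """{
  "production_admission": false,
  "ready": true,
  "root_signing": "no_root_key",
  "runtime": "gestalt.cloud.fixture",
  "sessions": 4,
  "storage": "surreal-remote"
}"""


def posture_violations(body, expect_no_root_key=True, expect_storage=None):
    """Return a list of violations for a ready-probe body; empty means pass.

    Fails closed: a missing key, a wrong JSON type (such as the string
    "false"), or an unparseable body all count as violations.
    """
    try:
        doc = json.loads(body)
    except (TypeError, ValueError) as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["body is not a JSON object"]

    problems = []
    # Identity checks, so 0, "", null and "false" do not pass as false/true.
    if doc.get("production_admission") is not False:
        problems.append("production_admission must be the JSON boolean false")
    if doc.get("ready") is not True:
        problems.append("ready must be the JSON boolean true")
    if expect_no_root_key and doc.get("root_signing") != "no_root_key":
        problems.append("root_signing must be 'no_root_key' under --no-root-key")
    if expect_storage is not None and doc.get("storage") != expect_storage:
        problems.append(f"storage must be {expect_storage!r}")
    return problems


if __name__ == "__main__":
    import sys
    # CI usage (assumed): pipe the ready endpoint's response body to stdin.
    found = posture_violations(sys.stdin.read())
    for line in found:
        print("POSTURE VIOLATION:", line, file=sys.stderr)
    sys.exit(1 if found else 0)
```
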

The version endpoint returns the runtime version and the membrane contract version.

The metrics endpoint returns runtime metrics in a fixture-shaped surface today. The production metrics format is on the roadmap.

The endpoints below require Authorization: Bearer <token> and let an operator inspect tenant-scoped state without raw database access.

curl -s http://127.0.0.1:3011/v1/tenant/self \
-H "Authorization: Bearer fixture-session-token"

Returns the bearer-bound tenant context.

curl -s http://127.0.0.1:3011/v1/commits/recent \
-H "Authorization: Bearer fixture-session-token"

Returns the recent durable signed atom commits for the bearer’s tenant. With --storage-profile surreal-remote, this list survives restarts.

curl -s http://127.0.0.1:3011/v1/m7/state \
-H "Authorization: Bearer fixture-session-token"

Returns tenant-scoped durable object counts (atoms, evidence bundles, passkey bindings, session lifecycles, etc.) without exposing raw database access. rawDbExposed: false is asserted explicitly.

curl -s http://127.0.0.1:3011/v1/refusals/codes \
-H "Authorization: Bearer fixture-session-token"

Returns the current refusal taxonomy. See reference/refusal-codes.md.

curl -s http://127.0.0.1:3011/v1/evidence/connectors/status \
-H "Authorization: Bearer fixture-session-token"

Returns redacted connector evidence summaries. rawConnectorPayloadExposed: false is asserted.

curl -s http://127.0.0.1:3011/v1/authority/packages/status \
-H "Authorization: Bearer fixture-session-token"

Returns the status of authority packages known to the tenant.

Each M-trial script produces a JSON proof bundle under target/gestalt-m<N>-trial/. These bundles are the operating evidence layer:

target/gestalt-m6-trial/cloud-authority-proof-bundle.json
target/gestalt-m6-trial/worldline-proof-bundle.json
target/gestalt-m7-trial/proof-after-restart.json
target/gestalt-m9-trial/proof-after-restart.json
target/gestalt-completion-trial/proof-after-restart.json (M10/M11)
target/gestalt-m12-trial/worldline-proof-after-restart.json
target/gestalt-m13-trial/proof-after-restart.json
target/gestalt-m14-trial/proof-after-restart.json

Treat these bundles as the authoritative ops record, not the console output of the script. Each bundle:

  • cites the operations executed,
  • includes receipts for each crossing,
  • asserts production_admission: false,
  • asserts the privacy invariants (no raw DB, no raw payload, no biometric storage, etc.).

The fixture cloud logs to stdout in fixture-shaped JSON. Logs are observability — they help debugging and ops. They are not receipts and they are not proofs.

The audit-bearing artifact for any membrane crossing is the MembraneResponse.receipt. The proof-of-record for a trial is the proof bundle. Logs sit alongside.

  • Do not parse logs as authoritative records. Use receipts and proof bundles.
  • Do not expose direct database access for “observability.” It is in the forbidden surface; see the block quote below.
  • Do not surface production_admission: false to end users as if it were a feature toggle. It is an operating invariant.

Gestalt operations does not expose raw DB access to operators, support, advisors, or any external surface. Anything that looks like that on the membrane is a refusal, not a feature.