Capability State
Status: Fixture Preview. Last verified against
contracts/gestalt-cloud-membrane.v0.jsonversion0.0.1-fixture. No operation is production-admitted today.
This page is the user-facing ledger for what each membrane operation can truthfully do today. It exists so SDK users, Koerper builders, advisors, operators, MCP hosts, and Verlag publishers do not confuse a routed fixture with authentic company reality.
Labels
Section titled “Labels”| Label | Meaning |
|---|---|
shape-only | The contract and types exist. The call may return a structurally correct response, but it records no meaningful consequence. |
fixture-rehearsed | The call walks an end-to-end fixture pattern with honest receipts/refusals. No real company reality is bound. |
staging-durable | The operation can persist runtime evidence across restarts when the remote staging store is configured. Production admission remains false. |
authentic | Production-admitted, real consequence, real proof. No current operation carries this label. |
Current Operation Map
Section titled “Current Operation Map”| Operation | Method | Path | State | Notes |
|---|---|---|---|---|
runtime.health | GET | /health | staging-durable | Public probe; no company consequence. |
runtime.ready | GET | /ready | staging-durable | Public readiness probe. |
runtime.version | GET | /version | staging-durable | Public version surface. |
runtime.metrics | GET | /metrics | staging-durable | Public fixture metrics surface. |
tenant.self | GET | /v1/tenant/self | shape-only | Resolves the authenticated fixture tenant/session; no tenant onboarding. |
tenant.create | POST | /v1/tenants/create | staging-durable | Durable synthetic tenant candidate; raw customer payloads are refused and key custody remains a reference only. |
company.bootstrap | POST | /v1/companies/bootstrap | staging-durable | Durable company bootstrap requires legal-name/register hashes and evidence refs; raw register payloads and raw legal names are forbidden. |
auth.loginStart | POST | /v1/auth/login/start | staging-durable | Records hash-only login start with replay/source-hash gates; raw identifiers and biometric material are refused. |
auth.loginFinish | POST | /v1/auth/login/finish | staging-durable | Issues a signed session against a known login start; never grants standing or company authority. |
auth.sessionExchange | POST | /v1/auth/session/exchange | fixture-rehearsed | Trades the fixture bearer for a signed session context; not a real authentication exchange. |
auth.sessionIssue | POST | /v1/auth/sessions/issue | staging-durable | Issues a signed session token bound to actor/vessel/tenant scope; production admission remains false. |
auth.sessionInspect | POST | /v1/auth/sessions/inspect | staging-durable | Returns scope/expiry posture for a signed session; cannot reveal raw key material. |
auth.sessionRefresh | POST | /v1/auth/sessions/refresh | staging-durable | Refreshes a signed session within bounded scope; refuses scope expansion and stale holder keys. |
auth.rateLimitEvaluate | POST | /v1/auth/rate-limit/evaluate | staging-durable | Records rate-limit evaluation posture for a route; does not enforce production rate limits. |
auth.recoveryPolicy | POST | /v1/auth/recovery/policy | staging-durable | Records the recovery policy and its constraints for a tenant. |
auth.recoveryExecute | POST | /v1/auth/recovery/execute | staging-durable | Executes a recovery flow under the recorded policy; cannot create standing or override authority. |
keyCustody.readiness | GET | /v1/key-custody/readiness | staging-durable | Records readiness posture; KMS/HSM production custody is not configured. |
keyCustody.attest | POST | /v1/key-custody/attest | staging-durable | Records staging attestation evidence; private key material and fixture production requests are refused. |
keyCustody.providerAttest | POST | /v1/key-custody/provider/attest | staging-durable | Records provider posture and public verification material; provider attestation is not production-verified. |
keyCustody.rotationRehearse | POST | /v1/key-custody/rotate | staging-durable | Preserves old public verification material and records replacement public material hash; no provider rotation is executed. |
keyCustody.revoke | POST | /v1/key-custody/revoke | staging-durable | Records revoked provider key state so signing rehearsal refuses with stable code. |
keyCustody.breakGlass | POST | /v1/key-custody/break-glass | staging-durable | Records break-glass receipt only; emergency access and private key exposure remain false. |
keyCustody.signingRehearse | POST | /v1/key-custody/signing/rehearse | staging-durable | Exercises signer-provider boundary; production signing remains disabled and revoked keys refuse. |
production.admissionPolicy | POST | /v1/production/admission/policy | staging-durable | Records bounded admission policy scope (jurisdiction, vertical, admitted connectors/packages/effects, exclusions, signer commitment) while keeping global production admission disabled and refusing public-launch claims. |
production.admissionPrecheck | POST | /v1/production/admission/precheck | staging-durable | Records prerequisite or manual-gate refusal; production admission remains disabled. |
production.scopeInspect | GET | /v1/production/scope | staging-durable | Returns the production v0 boundary contract, evaluator contract, guard rules, and refuse-by-default admission state for the runtime. |
production.scopeEvaluate | POST | /v1/production/scope/evaluate | staging-durable | Evaluates a candidate operation against the production scope, returning the bounded admission decision and missing-evidence citations; does not flip production admission. |
tenant.productionLifecycleAdvance | POST | /v1/tenants/production-lifecycle/advance | staging-durable | Advances tenant onboarding lifecycle (candidate -> evidence_pending -> reviewer_pending -> verified_for_pilot) with hash-only evidence and reviewer receipts; refuses fixture-marked tenants and raw customer payloads. |
company.productionLifecycleAdvance | POST | /v1/companies/production-lifecycle/advance | staging-durable | Mirrors tenant.productionLifecycleAdvance for the company bootstrap; refuses fixture-marked companies and raw register payloads. |
staging.maturityReport | POST | /v1/staging/maturity-report | staging-durable | Records a staging maturity snapshot tied to durable readiness, attestation, rotation, and signing rehearsal evidence. |
tenant.onboardingGate | POST | /v1/tenants/onboarding-gate | staging-durable | Requires known tenant onboarding, company bootstrap, key custody, standing, and precheck records without admitting production. |
ops.edgePolicyCheck | POST | /v1/ops/edge-policy/check | staging-durable | Records route surface, access edge, WAF/rate-limit posture, and audit retention without exposing raw DB. |
ops.restoreRehearse | POST | /v1/ops/restore/rehearse | staging-durable | Records no-wipe backup restore and rollback rehearsal tied to a verified proof bundle commitment. |
ops.incidentReceipt | POST | /v1/ops/incident/receipt | staging-durable | Records alert, secret-rotation, and incident receipt hashes without raw incident payloads. |
ops.status | GET | /v1/ops/status | staging-durable | Summarizes operations posture through membrane-safe counts/citations. |
pilot.admissionGate | POST | /v1/pilot/admission-gate | staging-durable-refusal | Records limited pilot gate attempts and refuses until signed production admission exists. |
standing.claim | POST | /v1/standing/claim | staging-durable | Claim record only; requires durable company bootstrap and HumanAuth presence cannot create standing. |
standing.evaluate | POST | /v1/standing/evaluate | staging-durable | Fixture standing evaluation now requires known durable standing claim, company bootstrap, and evidence review before any standing grant. |
standing.grant | POST | /v1/standing/grant | staging-durable | Fixture standing lifecycle record requires matching durable claim, company bootstrap, and grantable evaluation evidence; not production standing. |
standing.revoke | POST | /v1/standing/revoke | staging-durable | Fixture standing revocation lifecycle. |
mandate.delegate | POST | /v1/mandates/delegate | staging-durable | Requires HumanAuth presence but does not create standing. |
mandate.revoke | POST | /v1/mandates/revoke | staging-durable | Fixture mandate revocation lifecycle. |
advisor.openMatter | POST | /v1/advisor/matters/open | staging-durable | Scoped advisor matter; advisor is not an admin. |
advisor.issueOpinion | POST | /v1/advisor/opinions/issue | staging-durable | Scoped advisor opinion evidence; raw payloads refused. |
advisor.requestEvidence | POST | /v1/advisor/evidence/request | staging-durable | Scoped evidence request; no full tenant graph disclosure. |
lens.scope | POST | /v1/lens/scope | staging-durable | Defines explicit field scope for advisor/Koerper access. |
lens.disclose | POST | /v1/lens/disclose | staging-durable | Redacted field disclosure; raw DB, connector payloads, and biometric material refused. |
intervention.request | POST | /v1/interventions/request | staging-durable | Scoped professional intervention request without admin authority. |
intervention.issue | POST | /v1/interventions/issue | staging-durable | Scoped intervention evidence; raw payloads refused. |
intent.precheck | POST | /v1/intents/precheck | fixture-rehearsed | Calls Gravity over an in-process fixture world. |
intent.commit | POST | /v1/intents/commit | fixture-rehearsed | Commits signed fixture atoms; production admission remains false. |
shop.prepare | POST | /v1/shop/prepare | fixture-rehearsed | Hosted-operator preparation rehearsal. |
shop.commit | POST | /v1/shop/commit | fixture-rehearsed | Hosted-operator commit rehearsal with signer provenance. |
vertical.de.invoicePaymentAdvisor | POST | /v1/verticals/de/invoice-payment-advisor | fixture-rehearsed | German invoice/payment/advisor walk; not real company reality. |
authority.resolveContext | POST | /v1/authority/resolve-context | fixture-rehearsed | Deterministic DE/FR/US fixture matching. |
receipt.verify | POST | /v1/receipts/verify | shape-only | Verifies fixture receipt shape, not a production signature chain. |
proof.request | POST | /v1/proofs/request | shape-only | Disclosure request shape only. |
commit.recent | GET | /v1/commits/recent | staging-durable | Lists tenant-scoped committed fixture atoms when remote store is configured. |
refusal.codes | GET | /v1/refusals/codes | shape-only | Introspection surface for current code families. |
refusal.registry | GET | /v1/refusals/registry | shape-only | Developer refusal registry with category metadata, guard rules, privacy posture, and live runtime taxonomy attached. |
membrane.contract | GET | /v1/membrane/contract | shape-only | Returns the embedded gestalt-cloud-membrane.v0 contract document for client introspection. |
m7.state | GET | /v1/m7/state | staging-durable | Tenant-scoped durable object counts without raw database access. |
read.standing.active | GET | /v1/read/standing/active | staging-durable | Membrane-safe active standing read model; HumanAuth presence and sessions cannot create standing. |
read.mandates.active | GET | /v1/read/mandates/active | staging-durable | Membrane-safe active mandate read model; mandate state remains separate from session identity. |
read.economy.periodCloseReadiness | GET | /v1/read/economy/period-close-readiness | staging-durable | Derived period-close readiness from durable obligations and closure surfaces. |
read.connectors.evidenceGaps | GET | /v1/read/connectors/evidence-gaps | staging-durable | Connector evidence gap summary without raw connector payload exposure. |
read.proofs.history | GET | /v1/read/proofs/history | staging-durable | Proof bundle manifest history without raw DB, connector payload, or biometric disclosure. |
read.advisor.matters | GET | /v1/read/advisor/matters | staging-durable | Advisor matters with their opinions, evidence requests, and clearance status; raw company graph and raw advisor payloads remain absent; advisor cannot become admin. |
workcell.publish | POST | /v1/workcells/publish | staging-durable | Publishes a governed agent workcell envelope (principal, mandate, readable_lens, writable_scope, tool_scope, amount_limits, evidence_requirements, intervention_triggers, escalation_policy); does not grant standing or admin authority. |
workcell.precheck | POST | /v1/workcells/precheck | staging-durable | Prechecks a proposed action against a workcell’s declared scope and amount limits; refuses with workcell_action_out_of_scope, workcell_amount_exceeded, workcell_currency_mismatch, workcell_revoked, or workcell_unknown. |
workcell.revoke | POST | /v1/workcells/revoke | staging-durable | Revokes a workcell envelope; subsequent prechecks refuse with workcell_revoked even after restart-rehydration. |
capability.publish | POST | /v1/capabilities/publish | staging-durable | Publishes a fixture capability manifest into the membrane and M7 evidence, then rehydrates it as active evaluator input after restart. |
capability.policy.evaluate | POST | /v1/capabilities/policy/evaluate | staging-durable | Evaluates capability policy as a runtime gate and stores the evaluation. |
humanAuth.challenge | POST | /v1/human-auth/challenge | staging-durable | Privacy-preserving WebAuthn challenge record with replay status. |
humanAuth.passkeyRegistrationOptions | POST | /v1/human-auth/passkey/registration/options | staging-durable | Generates registration options bound to a known challenge; no raw credential or biometric material. |
humanAuth.passkeyAssertionOptions | POST | /v1/human-auth/passkey/assertion/options | staging-durable | Generates assertion options for a known imported credential. |
humanAuth.registerPasskey | POST | /v1/human-auth/passkey/register | staging-durable | Registers a passkey from a verified registration response; stores credential ID hash plus public verification material only. |
humanAuth.passkeyImport | POST | /v1/human-auth/passkey/import | staging-durable | Imports credential ID hash plus public verification material only; no raw credential ID, private key, or biometric material. |
humanAuth.verifyPasskey | POST | /v1/human-auth/passkey/verify | staging-durable | Verifies imported ES256 WebAuthn assertions; fixture vector path remains for legacy fixture binding. |
humanAuth.passkeyRevoke | POST | /v1/human-auth/passkey/revoke | staging-durable | Revokes a passkey lifecycle record; refuses raw credential/biometric material and cannot create standing or company authority. |
humanAuth.passkeyRotate | POST | /v1/human-auth/passkey/rotate | staging-durable | Rotates a passkey lifecycle record; refuses raw credential/biometric material and cannot create standing or company authority. |
humanAuth.faceMatchFallback | POST | /v1/human-auth/face-match | shape-only | Scenario stub; no biometric pipeline. |
authority.presenceApproval | POST | /v1/authority/presence-approval | fixture-rehearsed | Binds fixture presence to actor/vessel; cannot create standing. |
authority.sessionRevoke | POST | /v1/authority/sessions/revoke | staging-durable | Revocation lifecycle evidence can persist when remote store is configured. |
authority.keyRotate | POST | /v1/authority/keys/rotate | staging-durable | Key lifecycle evidence can persist; no real key custody provider. |
effect.intent | POST | /v1/effects/intent | staging-durable | Queues fixture effect intent/outbox records; no external dispatch guarantee. |
effect.dispatch | POST | /v1/effects/dispatch | fixture-rehearsed | Executes/fails fixture dispatch; no real external act. |
economy.invoice | POST | /v1/economy/invoice | staging-durable | Economic invoice fixture record and obligation evidence. |
economy.paymentObservation | POST | /v1/economy/payment-observation | staging-durable | Fixture payment observation and settlement evidence. |
economy.bookkeepingFact | POST | /v1/economy/bookkeeping-fact | staging-durable | Requires invoice, payment, and advisor evidence; still fixture. |
economy.periodClose | POST | /v1/economy/period-close | fixture-rehearsed | Closure rehearsal; not a binding accounting close. |
authority.hostedOperator.grant | POST | /v1/authority/operators/grant | staging-durable | Mutation captured; not a real hosted delegation product boundary. |
authority.hostedOperator.revoke | POST | /v1/authority/operators/revoke | staging-durable | Revocation captured; fixture-only authority. |
authority.package.status | GET | /v1/authority/packages/status | staging-durable | Reports package lifecycle plus durable Verlag trust records without exposing the underlying store. |
authority.package.import | POST | /v1/authority/packages/import | staging-durable | Canonicalizes package manifest, checks tamper/staleness/self-activation gates, and can require publisher trust. |
authority.package.publisher.onboard | POST | /v1/authority/packages/publishers/onboard | staging-durable | Records a publisher trust root/public key hash while refusing private key material. |
authority.package.reviewer.onboard | POST | /v1/authority/packages/reviewers/onboard | staging-durable | Records reviewer standing and conflict policy; conflicted reviewers refuse. |
authority.package.candidate | POST | /v1/authority/packages/candidate | fixture-rehearsed | Fixture candidate creation. |
authority.package.review | POST | /v1/authority/packages/review | staging-durable | Records reviewer approval/refusal and can require reviewer trust plus standing. |
authority.package.activate | POST | /v1/authority/packages/activate | staging-durable | Activates fixture package only after publisher/reviewer gates; production admission remains false. |
authority.package.revoke | POST | /v1/authority/packages/revoke | staging-durable | Durable revocation; active authority resolution fails closed after revocation. |
evidence.witness.fixture | POST | /v1/evidence/witness-fixture | fixture-rehearsed | Fixture witness only. |
evidence.connector.consent | POST | /v1/evidence/connectors/consent | staging-durable | Records sandbox connector consent, scope, and credential reference without credential secret ingress. |
evidence.connector.ingest | POST | /v1/evidence/connectors/ingest | staging-durable | Accepts fixture or sandbox hash-only evidence; raw connector payloads and credential secrets are refused. standing_review also requires reviewer standing plus hash-only review signature provenance. |
evidence.connector.revoke | POST | /v1/evidence/connectors/revoke | staging-durable | Records revocation so future sandbox connector ingestion refuses. |
evidence.connector.status | GET | /v1/evidence/connectors/status | staging-durable | Counts fixture connector/evidence records. |
proof.bundle | POST | /v1/proofs/bundle | staging-durable | Durable fixture bundle manifest with audit kernel, receipt graph, signature graph, durable citations, redaction proof, and independent verifier metadata. |
proof.verify | POST | /v1/proofs/verify | staging-durable | Verifies durable proof bundle manifest commitments and reports local verifier compatibility without raw database access. |
reality.fork | POST | /v1/reality/fork | staging-durable | Projection records can persist; still fixture worldline. |
reality.commit | POST | /v1/reality/commit | fixture-rehearsed | Projected atom rehearsal; no record leak. |
reality.diff | POST | /v1/reality/diff | staging-durable | Fixture diff record with citations. |
reality.promote | POST | /v1/reality/promote | fixture-rehearsed | Requires projection approval evidence; not production promotion. |
reality.discard | POST | /v1/reality/discard | fixture-rehearsed | Fixture projection discard. |
closure.surface | POST | /v1/closure/surface | staging-durable | Emits fixture closure/tension records. |
tension.query | POST | /v1/tensions/query | fixture-rehearsed | Queries fixture tension records. |
zeitgestalt.query | POST | /v1/zeitgestalt/query | staging-durable | Stores cited fixture answers; no general reasoning engine. |
capability.importResolve | POST | /v1/capability/import/resolve | shape-only | Contract surface for capability import resolution; records no consequence and refuses raw payloads. |
authority.epochDefine | POST | /v1/authority/epochs/define | shape-only | Contract surface for defining an authority epoch; production-grade epoch definition arrives in a later phase. |
authority.epochTransition | POST | /v1/authority/epochs/transition | shape-only | Contract surface for transitioning between authority epochs; the central evaluator already enforces epoch_active. |
pendulum.publish | POST | /v1/pendulum/publish | shape-only | Contract surface for publishing a pendulum runtime authority oracle; production publication arrives in a later phase. |
pendulum.publishSource | POST | /v1/pendulum/publish-source | shape-only | Contract surface for publishing pendulum source material; production publication arrives in a later phase. |
verlag.publishInstrument | POST | /v1/verlag/instruments/publish | shape-only | Contract surface for publishing an external Verlag instrument; production publication runs through the M35 external Verlag trust lane. |
Missing Operation Families
Section titled “Missing Operation Families”These remain absent from the membrane entirely (no shape-only stub yet):
counterparty.exchangecounterparty.acknowledgeProduction Admission
Section titled “Production Admission”Every current operation returns or implies production_admission: false.
An operation may only move to authentic when it has real tenant key
custody, authority activation, proof issuance, edge access policy, and
third-party-verifiable receipts for its consequence.
The M25 onboarding gate makes that refusal durable: production key custody
requires an external provider attestation, private key material is never a
membrane input, tenant/company bootstrap records are minimized before the gate,
tenant onboarding remains blocked before production, and even a complete
synthetic precheck only reaches pending_manual_gate.