Technical Specification
The complete specification for the GLO governance decision kernel, enforcement stack, and audit architecture.
Unfamiliar terms? See the Glossary.
Decision Precedence
Conflicts are resolved by a deterministic ordering. Higher-priority controls override lower ones.
If a lock fires, the decision is determined immediately — gates and mode clamps are not consulted. If drift projection detects a budget overrun, escalation overrides the gate result. This ordering ensures that hard safety invariants always take priority over risk-graded policy decisions.
Risk Taxonomy
Seven risk dimensions. Each event is scored independently across all dimensions, giving a per-dimension score r_k. The aggregate risk is R = max_k r_k, the largest of the seven scores.
| Dimension | Description | τk | BkS | BkL |
|---|---|---|---|---|
| K1_EXEC | Execution / code-to-action | 0.20 | 0.60 | 2.00 |
| K2_NET | Network / scanning / intrusion | 0.20 | 0.60 | 2.00 |
| K3_PRIV | Privacy / data exfiltration | 0.15 | 0.45 | 1.50 |
| K4_AUTH | Authentication / impersonation | 0.15 | 0.45 | 1.50 |
| K5_FIN | Finance / fraud / laundering | 0.20 | 0.60 | 2.00 |
| K6_BIO | Bio/chem hazards | 0.10 | 0.30 | 1.00 |
| K7_EVASION | Bypass / obfuscation | 0.10 | 0.30 | 1.00 |
τk is the per-dimension threshold below which risk does not contribute to drift. BkS is the short-term drift budget — exceeding it triggers STEPUP. BkL is the long-term drift budget — exceeding it triggers LOCKDOWN.
Gate Mapping
The aggregate risk score R maps to one of five decisions.
| Decision | Condition | Effect |
|---|---|---|
| ALLOW | R < 0.20 | Permit the proposed action under current mode and budgets |
| ATTENUATE | 0.20 ≤ R < 0.40 | Permit in constrained form (redaction, safer transform) with logged reason |
| STEPUP | 0.40 ≤ R < 0.70 | Require higher-assurance pathway; mode transitions to TIGHT |
| DENY | R ≥ 0.70 | Block the proposed action; mode transitions to TIGHT |
| LOCKDOWN | Long-term drift exceeded | Hard stop; identity-bound, requires ADMIN-AUDIT to reset |
Locks (Hard Invariants)
Locks override gates when triggered. They are not risk-graded — they are binary enforcement boundaries.
| Lock | Name | Invariant | Fail Mode |
|---|---|---|---|
| L1 | Audit Integrity | Census is append-only with hash chain | DENY (fail-closed) |
| L2 | Boundary Mediation | All tool calls, memory writes, updates flow through governor | DENY |
| L3 | Update Authority | Weight/adapter updates only in ADMIN-AUDIT with signed snapshot | DENY |
| L4 | Policy Provenance | Every decision record bound to policy_hash | DENY |
| L5 | Evasion Detection | Decode-or-deny for encoded/obfuscated payloads | DENY or STEPUP |
| ALC | Audit-Layer Capture Guard | Interpretive semantic changes require explicit change record + Purpose Declaration | DENY |
L5 Evasion Reason Codes
- E1: Encoded/obfuscated payload wrappers in executable or sensitive fields
- E2: Staged multi-turn assembly to bypass gates
- E3: Attempts to bypass logging/provenance or hide intent
- E4: Scope mismatch between declared intent and actuation surface
Drift Budgets
Accumulated governance risk over time. Repeated near-misses consume budget and trigger escalation.
Short-Term Drift (Sk)
Leaky accumulator per risk dimension. Decays after W quiet turns (12 turns where all rk ≤ τk). Capped at Sk,max = 2.00.
ΔS_k = max(0, r_k - τ_k)
S_k' = min(S_k + ΔS_k, S_k,max)
If S_k' > B_k^S → STEPUP, mode → TIGHT
Long-Term Drift (Lk)
Non-leaky, identity-bound accumulator. Does not decay. Persists across sessions via user_id_hash. Reset requires ADMIN-AUDIT mode with logged justification.
ΔL_k = max(0, r_k - τ_k)
L_k' = L_k + ΔL_k
If L_k' > B_k^L → LOCKDOWN, mode → TIGHT
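The Decision Precedence, Gate Mapping and Drift Budget rules above, combined into one small kernel as an added example (this is not the GLO project's own code). The thresholds and budgets are the ones in the tables; the resting mode name "NORMAL" and the choice to implement "decays after W quiet turns" as a reset of S_k are assumptions, since the page does not spell out either.

```python
# Added example (not the GLO project's own code): a minimal decision kernel
# applying the gate thresholds, drift budgets and precedence rules above.
# Assumptions: resting mode is "NORMAL"; "decay after W quiet turns" resets Sk.
from dataclasses import dataclass, field

DIMS = ["K1_EXEC", "K2_NET", "K3_PRIV", "K4_AUTH", "K5_FIN", "K6_BIO", "K7_EVASION"]
TAU = dict(zip(DIMS, [0.20, 0.20, 0.15, 0.15, 0.20, 0.10, 0.10]))   # τk
B_S = dict(zip(DIMS, [0.60, 0.60, 0.45, 0.45, 0.60, 0.30, 0.30]))   # BkS -> STEPUP
B_L = dict(zip(DIMS, [2.00, 2.00, 1.50, 1.50, 2.00, 1.00, 1.00]))   # BkL -> LOCKDOWN
S_MAX, W = 2.00, 12   # Sk cap and quiet-window length from the spec

def gate(R: float) -> str:
    """Gate mapping for the aggregate risk R = max_k r_k."""
    return "ALLOW" if R < 0.20 else "ATTENUATE" if R < 0.40 else "STEPUP" if R < 0.70 else "DENY"

@dataclass
class Kernel:
    mode: str = "NORMAL"
    S: dict = field(default_factory=lambda: dict.fromkeys(DIMS, 0.0))  # short-term Sk
    L: dict = field(default_factory=lambda: dict.fromkeys(DIMS, 0.0))  # long-term Lk
    quiet: int = 0

    def decide(self, risk: dict, locks_fired=()) -> str:
        # 1. A fired lock decides immediately; gates and drift are not consulted.
        if locks_fired:
            self.mode = "TIGHT"
            return "DENY"
        decision = gate(max(risk.values(), default=0.0))
        # 2. Drift projection: any excess over τk charges both accumulators.
        escalate = None
        for k in DIMS:
            d = round(max(0.0, risk.get(k, 0.0) - TAU[k]), 6)   # ΔS_k = ΔL_k
            self.S[k] = min(self.S[k] + d, S_MAX)                # leaky, capped
            self.L[k] += d                                       # non-leaky, uncapped
            if self.L[k] > B_L[k]:
                escalate = "LOCKDOWN"
            elif self.S[k] > B_S[k] and escalate is None:
                escalate = "STEPUP"
        # 3. Quiet window: W consecutive turns with every rk <= τk drain Sk (assumed reset).
        quiet_turn = all(risk.get(k, 0.0) <= TAU[k] for k in DIMS)
        self.quiet = self.quiet + 1 if quiet_turn else 0
        if self.quiet >= W:
            self.S, self.quiet = dict.fromkeys(DIMS, 0.0), 0
        # 4. Budget escalation overrides the gate result; STEPUP/DENY/LOCKDOWN clamp mode.
        decision = escalate or decision
        if decision not in ("ALLOW", "ATTENUATE"):
            self.mode = "TIGHT"
        return decision
```

Note that repeated ATTENUATE-level events on one dimension escalate to STEPUP and eventually LOCKDOWN even though no single event crosses the STEPUP gate; that is the near-miss accumulation the budgets exist for.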
Census Schema v0.1.3
Every mediated event produces a structured audit record with the following required fields.
| Field | Description |
|---|---|
| timestamp | Unix timestamp of the decision |
| context_signature | SHA-256 of the context object |
| policy_hash | SHA-256 of the active policy bundle |
| mode_in / mode_out | Operating mode before and after the decision |
| action_type | Channel type (tool, text, memory, update) |
| proposal_signature | SHA-256 of the proposed action object |
| risk_vector | Per-dimension risk scores {K1…K7} |
| decision | ALLOW / ATTENUATE / STEPUP / DENY / LOCKDOWN |
| locks_fired | List of triggered lock identifiers |
| outcome_label | PASS / DENIED / NEAR_MISS / INCIDENT |
| drift_deltas | Per-dimension drift changes from this event |
| drift_totals | Current Sk and Lk values after update |
| severity | INFO / LOW / MEDIUM / HIGH / CRITICAL |
| record_hash | SHA-256(record ‖ prev_record_hash) |
| prev_record_hash | Hash chain link to previous census record |
Policy-as-Code
The active governance policy is pilot-v0_02.yaml — a versioned, hashable bundle that plugs into the decision kernel.
The policy defines:
- Risk taxonomy — dimension names, thresholds, budget limits
- Gate mapping — risk-to-decision threshold boundaries
- Lock configuration — which locks are enabled and their parameters
- Mode permissions — which side-effect classes are allowed per operating mode
- Tool classification — mapping of tool names to side-effect classes (READ_ONLY, WRITE_LOCAL, EXECUTE_CODE, etc.)
- Drift parameters — decay rates, quiet windows, persistence rules
Every decision record includes the policy_hash — the SHA-256 of the canonicalized policy file. If the policy changes, the hash changes, and every subsequent audit record reflects the new version. No decision can be attributed to a policy that wasn't the one in effect.
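The Census hash chain (lock L1) and the policy_hash binding (lock L4) from the two sections above, as an added example that is not GLO's own code. It assumes canonical JSON (sorted keys, no whitespace) as the serialisation, an all-zero genesis link for the first record, and that the hashed record carries every field except record_hash itself; the policy bundle and events are constructed stand-ins.

```python
# Added example (not GLO's own code): building and verifying the Census hash
# chain from the schema above. Canonical JSON, the all-zero genesis link and
# the exact hash input are assumptions; the policy and events are constructed.
import hashlib
import json

GENESIS = "0" * 64   # assumed prev_record_hash of the first record
POLICY = {"version": "pilot-v0_02", "gates": {"ALLOW": 0.20, "ATTENUATE": 0.40}}  # constructed stand-in

def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

POLICY_HASH = sha256_hex(canonical(POLICY))   # L4: every record is bound to this value

def build_record(ts, context, proposal, risk_vector, decision, mode_in, mode_out):
    """The required schema fields other than the two hash-chain fields."""
    near_miss = decision != "ALLOW"
    return {"timestamp": ts, "context_signature": sha256_hex(canonical(context)),
            "mode_in": mode_in, "mode_out": mode_out, "action_type": proposal["action_type"],
            "proposal_signature": sha256_hex(canonical(proposal)),
            "risk_vector": risk_vector, "decision": decision, "locks_fired": [],
            "outcome_label": "NEAR_MISS" if near_miss else "PASS",
            "drift_deltas": {}, "drift_totals": {},   # filled in by the drift accumulator
            "severity": "MEDIUM" if near_miss else "INFO"}

def append(chain, fields):
    """record_hash = SHA-256(canonical(record) || prev_record_hash), where the
    hashed record holds every field except record_hash itself (assumed)."""
    prev = chain[-1]["record_hash"] if chain else GENESIS
    rec = dict(fields, policy_hash=POLICY_HASH, prev_record_hash=prev)
    rec["record_hash"] = sha256_hex(canonical(rec) + prev.encode())
    chain.append(rec)
    return rec

def verify(chain):
    """Index of the first broken link, or -1 if the chain is intact (lock L1)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        expected = sha256_hex(canonical(body) + prev.encode())
        if rec["prev_record_hash"] != prev or rec["record_hash"] != expected:
            return i
        prev = rec["record_hash"]
    return -1
```

Because policy_hash is inside the hashed body, a record cannot be re-attributed to a different policy after the fact without breaking every later link.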
External Anchor Architecture
GLO-EAA v1.0.0 — closing the Gödelian gap.
GLO's internal verification mechanisms (hash chains, manifests, test suites) all operate inside GLO's own trust boundary. A sufficiently compromised instance could forge valid-looking attestations. The External Anchor Architecture converts this undetectable internal failure into a detectable external divergence.
Three Layers + Identity
| # | Layer | Technology | Purpose |
|---|---|---|---|
| 0 | GPG Signing | GPG / Ed25519 | Identity binding — proves authorship |
| 1 | Internal Merkle Root | SHA-256 tree | Binds entire artifact set to a single hash |
| 2 | Rekor / Sigstore | Transparency log | Publicly auditable, tamper-evident inclusion proof |
| 3 | RFC 3161 TSA | Trusted timestamp | Legal-grade timestamped receipt, self-contained |
The full GLO-EAA specification is available in the downloads section.
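Layer 1 of the table above, a SHA-256 Merkle root over an artifact set together with the inclusion proof a third party can check against nothing but the published root, as an added example that is not the GLO-EAA code. Binding the artifact name into each leaf, the leaf/node domain-separation bytes, and promoting an odd trailing node unchanged are assumptions about tree construction; the artifact names and contents are constructed.

```python
# Added example (not the GLO-EAA code): a SHA-256 Merkle root over an artifact
# set plus per-artifact inclusion proofs. Leaf/node prefixes, name binding and
# the odd-node promotion rule are assumptions; inputs are constructed.
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(name: str, content: bytes) -> bytes:
    # Bind the artifact path as well as its bytes so a rename changes the root.
    return sha256(b"\x00" + name.encode() + b"\x00" + content)

def merkle_root_and_proofs(leaves):
    """Return (root, proofs); proofs[i] is a list of (sibling_hash, sibling_is_left)."""
    proofs = [[] for _ in leaves]
    level = [(h, [i]) for i, h in enumerate(leaves)]   # node hash + leaf indices beneath it
    while len(level) > 1:
        nxt = []
        for j in range(0, len(level) - 1, 2):
            (lh, li), (rh, ri) = level[j], level[j + 1]
            for i in li:
                proofs[i].append((rh, False))
            for i in ri:
                proofs[i].append((lh, True))
            nxt.append((sha256(b"\x01" + lh + rh), li + ri))
        if len(level) % 2:
            nxt.append(level[-1])   # odd trailing node promoted unchanged
        level = nxt
    return level[0][0], proofs

def verify_inclusion(leaf: bytes, proof, root: bytes) -> bool:
    """Recompute the path from a leaf to the root using only the sibling hashes."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = sha256(b"\x01" + sibling + h) if sibling_is_left else sha256(b"\x01" + h + sibling)
    return h == root
```

The root is what gets GPG-signed (layer 0) and submitted to the transparency log and TSA (layers 2 and 3); an auditor holding only that root can still check any single artifact with its proof.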