20-EFT.WP.Metrology.TimeBase v1.0 | Chapter 13 — Compliance, Contracts & Audit

Home ／ Docs-Technical WhitePaper ／ 20-EFT.WP.Metrology.TimeBase v1.0

Chapter 13 — Compliance, Contracts & Audit

One-line objective: Use executable contracts as quality gates to form a closed loop of evaluate → sign → freeze → trace, ensuring that tau_mono and the published ts remain stably auditable under statutory/industry compliance and technical SLOs.

I. Scope & Targets

1. Covered
   • Time-base publication & version freeze: ts, tau_mono, warp(t), manifest.time.*.
   • Contract library & evaluation: the C50-* assertion set, tol_*, and SLOs.
   • Audit & traceability: TraceID, hash_sha256(blob), signature, and prev_hash chaining.
2. Inputs
   • Observations & statistics: offset, skew, J, offset_1pps, delta_form, pdop/cn0, event & alert streams.
   • Policy & thresholds: policy.yaml (thresholds, rollback strategies, retention).
3. Outputs
   • Assessment reports: report.contracts, report.slo, q_score.
   • Freeze & sign: manifest.time, signature, release_tag.
   • Audit assets: immutable logs, hash chains, and replay evidence.

II. Terms & Variables

• Core fields: ts, tau_mono, warp(t), offset, skew, J, leap_event, UTC_smear(t), holdover, active_src.
• Thresholds & gauges: tol_offset, tol_skew, tol_J, tol_Tarr, SLO.*, p99(x).
• Trace & signatures: TraceID, hash_sha256(blob), prev_hash, signature, pubkey_ref.
• Uncertainty: u(x), U = k * u_c (see Appendix E).
• Units & dimensions: unit(x), dim(x), check_dim(expr).

III. Axioms P513- **

• P513-1 (Contracts first): No external publication proceeds without passing the C50-* contract suite and validating signatures.
• P513-2 (Monotone & dual-gauge): non_decreasing(ts) and dual-form T_arr publication are non-negotiable.
• P513-3 (Layered compliance): Technical SLOs are necessary; legal/industry compliance is sufficient—both must hold.
• P513-4 (Immutable trace): Audit logs are hash-chained and signed; rewrites and overwrites are prohibited.
• P513-5 (Minimum disclosure): Publish only the metadata required for audit; avoid coupling to business data.
• P513-6 (Replayable verification): Any release must be reproducible in isolation to yield equivalent manifest.time and signature.
• P513-7 (Cross-volume consistency): Contract fields and naming follow the unified lexicon of DataSpec and Methods.Cleaning/Imaging/CrossStats.

IV. Minimal Equations S513- **

• S513-1 (Release criterion)
  pass_release = ( ∧_i 1{ test_i(report) = true } ) ∧ ( signature_valid = true )。
• S513-2 (Quantiles)
  p99(x) = inf{ z : ( ∑ 1{ x_j ≤ z } ) / N ≥ 0.99 } — applicable to offset/skew/J and peers。
• S513-3 (Uncertainty composition)
  U_offset = sqrt( ∑ u_k^2 )，publish U = k * u_c with unit(offset)="s", dim(offset)="[T]"。
• S513-4 (Hash & signature)
  h = hash_sha256(blob)；sig = Sign( privkey_ref , h )；verify Verify( pubkey_ref , h , sig ) = true。
• S513-5 (Gauge-difference constraint)
  delta_form = | ( 1 / c_ref ) * ( ∫ n_eff d ell ) - ( ∫ ( n_eff / c_ref ) d ell ) | ≤ tol_Tarr。
• S513-6 (Freeze consistency)
  manifest_frozen = h_config ⊕ h_data ⊕ h_contracts ⊕ h_binaries（where ⊕ denotes the constructed aggregate hash）。

V. Compliance & Release Flow M50-13 (Ready → Evaluate → Sign → Freeze → Publish → Audit)

• Ready
  Lock versions for configuration, binaries, contract library C50-*, threshold tol_*, and the public key pubkey_ref.
• Evaluate
  Compute offset/skew/J, p99(*), delta_form, offset_1pps, and source health; run evaluate_time_contracts.
• Sign
  Build manifest.time, compute h and Sign, verify Verify = true.
• Freeze
  freeze_release_time(tag); store artifacts and manifest.time; generate prev_hash → h chain pointer.
• Publish
  Atomically switch to the new tag; persist release_note and the public-facing SLO summary.
• Audit
  Emit audit_bundle = {manifest, report, logs_chain} and register TraceID; support offline replay verification.

VI. Contracts & Assertions (Selected)

• C50-131 (Monotonicity): violations( non_decreasing(ts) ) = 0.
• C50-132 (Offset/Skew/Jitter): | offset |_p99 ≤ tol_offset ∧ | skew |_p99 ≤ tol_skew ∧ J_p99 ≤ tol_J.
• C50-133 (Dual-form arrival): delta_form ≤ tol_Tarr and both T_arr forms recorded.
• C50-134 (Leap/smear consistency): if leap_event ≠ 0, UTC_smear satisfies | d UTC_smear / dt - 1 | ≤ eps_smear and is applied once.
• C50-135 (Source health gate): pdop ≤ pdop_max ∧ cn0 ≥ cn0_min ∧ spoof_score ≤ spoof_thr; otherwise holdover=true.
• C50-136 (Link budget): | offset_1pps | ≤ tol_1pps; after link correction check_dim( offset ) = pass.
• C50-137 (Signature & chain): Verify(pubkey_ref, hash_sha256(manifest), signature)=true ∧ prev_hash contiguous.
• C50-138 (Rollback readiness): last_good.tag exists and ttr_rollback ≤ ttr_max.
• C50-139 (Fields & units): required_fields ⊆ manifest.time.keys ∧ ( ∀x unit(x), dim(x) declared ).

VII. Implementation Bindings I50-13*

• evaluate_time_contracts(ds, rules) -> report
• export_time_manifest(tag, inputs, report) -> manifest.time
• sign_manifest(manifest, keyref) -> signature
• verify_manifest(manifest, signature, pubkey) -> ok
• freeze_release_time(tag) -> artifact
• audit_replay(bundle, sandbox) -> findings
• tamper_chain(logs) -> {ok, break_at} (verifies prev_hash continuity)
• risk_score(report, weights) -> q_score
• rollback_to(tag_last_good) -> state
• retention_compactor(policy) -> archive_index
• Invariants: unique(TraceID); signature_valid=true; manifest_frozen is read-only; mean(weights)=1 (normalized metric weights).

VIII. Cross-References

• Servos & sync constraints: Chapter 5.
• Offset/skew/jitter estimation: Chapter 6.
• Allan family & holdover uncertainty: Chapter 7.
• Arrival time & path gauges: Chapter 9.
• Boundary & anomaly handling: Chapter 12.
• Streaming ops & backpressure: Chapter 11 (rate limits & rollback during release switches).

IX. Quality SLIs & Risk Control

1. SLIs (examples)
   • offset_p50/p95/p99, skew_p99, J_p99, offset_1pps_p95.
   • ts_monotonic_violations, source_switch_count, holdover_duration_s.
   • contract_fail_rate, sig_verify_fail, audit_gap_seconds, smear_active_flag.
2. SLOs (recommended)
   offset_p99 ≤ tol_offset, J_p99 ≤ tol_J, contract_fail_rate ≤ 10^-3, ttr_rollback ≤ 5 min.
3. Risk & rollback
   • On trigger breach → automatic rollback_to(last_good); holdover preferred over admitting unhealthy sources; gray-weight reinstatement.
   • Periodic drills for leap/stall/spoof; audit tamper_chain = ok and audit_replay parity.

Summary

• This chapter operationalizes compliance, contracts, and audit as a closed loop of P513-* axioms, S513-* equations, M50-13 flow, C50-13* gates, and I50-13* interfaces.
• Any external time-base release is contingent on contract pass and signature verification, producing a replayable, traceable, rollback-ready manifest.time that remains consistent with the volume’s modeling and boundary-governance conventions.