Ethics Public API Docs

DBaD public API reference material for public web/mobile clients, without Church-only route noise.

This page is supporting reference material for the current DBaD public draft baseline. It should not be read as the main public explanation of DBaD.

Last updated: 2026-06-02 UTC

Supporting API reference

DBaD Explained White paper v3 Peer review Try to break DBaD Known limits Ask an API question

Church hymn, lesson feed, and public audio-share routes are documented separately at Church Public API Docs.

JSON route index: /api/docs/index.json · Ethics JSON: /api/docs/ethics.json

GET /api/v1/openapi.json All hosts — OpenAPI 3.1 contract for DBaD, DecencyMeter, and public API v1 routes. DBaD/DecencyMeter reviewers should use the DecencyMeter-hosted contract as canonical. Church-specific clients may still fetch the same route from the Church host while that scope remains active.
GET /api/v1/papers All hosts — Paper metadata list with ETag support. Optional filters: q, topic, year. PDF-only archives may include artifact_text_path for an explicit summary TXT file.
GET /api/v1/papers/checksums All hosts — SHA256 checksums for published paper artifacts.
GET /api/v1/papers/{slug}/citation All hosts — APA + BibTeX citation payload.
GET /api/v1/papers/{slug}/citation.bib All hosts — BibTeX download.
GET /api/v1/papers/{slug}/markdown All hosts — Markdown export via API. Archive PDFs without source markdown return artifact summaries, not full-text transcriptions.
GET /papers/{slug}.md All hosts — Markdown export or artifact summary for paper pages. Use the PDF link for complete archive text when a paper only has an artifact summary.
GET /api/v1/methodology/summary All hosts — Compact methodology payload.
GET /api/v1/ethics/status/history All hosts — Uptime and snapshot history used by public status cards. Supports window_hours and step_minutes.
GET /api/v1/ethics/alias-observability Ethics — Legacy-host redirect probe summary to canonical ethics host.
GET /api/v1/search/typeahead All hosts — Typeahead search across papers, methodology, and FAQ. Query params: q, limit.
GET/POST /api/v1/ethics/calculator All hosts — Weighted ethics calculator payload.
POST /api/v1/dbad/historical-verification-attestation/verify Ethics — Verify a signed historical token-verification attestation. Audit evidence only. The artifact is not trust-positive authorization and is not accepted by /api/v1/dbad/trust-continuation/check.
GET /api/v1/dbad/status-field-compliance-snapshot Ethics — Compact public snapshot of the current status-value invariant. Returns the served hardening round, invariant text, prefix-stripping semantics, and sample bound status fields without requiring a full trace parse.
GET /api/v1/dbad/composite-proof-bundle Ethics — Signed timestamped public proof bundle for current DBaD response shapes. Evidence only. Includes cache-busted status snapshot, trace API, trust-continuation check, token-verify samples, response headers, generated timestamp, and a signature. Tokens are redacted and findings still require fresh live endpoint fetches.
POST /api/v1/dbad/composite-proof-bundle/verify Ethics — Verifies a composite proof bundle signature without making it authorization. Accepts a copied composite proof bundle or full API envelope and verifies the dbad_cpb_v1 signature. Returns non-authority verifier evidence only; it never validates trust-positive use.
POST /api/v1/ethics/scenarios All hosts — Queue a public scenario submission for moderation review.
POST /api/v1/ethics/api-key-requests All hosts — Queue API key request intake with app and use-case metadata.
POST /api/v1/ethics/subscribe All hosts — Create a pending subscription in double-opt-in state.
GET/POST /api/v1/ethics/subscribe/confirm All hosts — Confirm a pending updates subscription.
GET /api/v1/open-data/sample All hosts — Anonymized aggregate sample dataset. Supports format=csv.
POST /api/v1/wall/{post_id}/report All hosts — Queue moderation report for a public wall post. Accepts reason, details, and contact email.
GET /api/v1/decency/survey/breakdown All hosts — Aggregate survey breakdown by region or age_band.

Most JSON endpoints support ETag revalidation via If-None-Match.

OpenAPI drift guard

The public /api/v1 contract is checked against the live Flask route map, including OpenAPI paths added by the enrichment step. This prevents a route from existing only in code while being absent from the served API contract.

Coverage script: python3 app/scripts/audit_api_v1_openapi_coverage.py
Strict drift script: python3 app/scripts/audit_api_v1_openapi_drift.py --skip-regression-compare
DBaD contract-depth script: python3 app/scripts/audit_api_v1_dbad_openapi_contract.py --url https://decencymeter.com/api/v1/openapi.json
Canonical-host script: python3 app/scripts/audit_dbad_openapi_host_canonical.py
Current local baseline: missing_paths=0, missing_operations=0, path_coverage=100.00%, and operation_coverage=100.00%.
The OpenAPI surface includes DBaD trace validation, safe citation, composite proof bundle, trust-continuation, historical-attestation, and trace mutation endpoints as evidence APIs. They are not trust-positive authorization; certified use still requires the fresh trust-continuation token contract described below.
Canonical public contract URL for DBaD/DecencyMeter review: https://decencymeter.com/api/v1/openapi.json. The Church host remains a compatibility surface for Church-specific clients while that scope remains active; reviewers should not treat it as the DBaD/DecencyMeter canonical API contract.
Critical DBaD operations must carry dedicated DBaD schemas/examples, x-dbad-non-authorization-contract, DBaD no-store response headers, no root ok examples, request/response schema references, and description text that includes both evidence and not-authorization language.

Current DBaD Runtime Surface

The current public DBaD runtime is narrow but real. It covers trace creation, trace retrieval, deterministic validation, verification, and transition on stored versioned traces.

POST /api/v1/dbad/evaluate creates and stores a trace.
GET /api/v1/dbad/traces/<trace_id> retrieves the stored trace object.
POST /api/v1/dbad/validate runs deterministic validation on a trace or trace_id.
POST /api/v1/dbad/traces/<trace_id>/verification appends a verification record.
POST /api/v1/dbad/traces/<trace_id>/transition appends a transition record and may include optional state-transition evidence fields.
POST /api/v1/dbad/traces/<trace_id>/escalation-closure appends a manual escalation-closure record for traces with escalation context.
POST /api/v1/dbad/traces/<trace_id>/blind-spots appends a declared blind spot.
POST /api/v1/dbad/traces/<trace_id>/expected-outcome records one pre-committed expected outcome before later outcome is known.
POST /api/v1/dbad/traces/<trace_id>/outcome appends a manual outcome update and persists it on the stored trace.
POST /api/v1/dbad/traces/<trace_id>/completeness-attestation records what the trace claims to cover without proving completeness.

Stored traces currently expose trace_version, outcome_status, outcome_history, escalation_closure, escalation_closure_history, declared_blind_spots, expected_outcome, transition_history.state_transition_evidence, transition_history.boundary_trust_state, derived historical_contamination, and completeness_attestation directly. Action guidance on the trace-detail surface is derived from stored trace fields plus the current runtime validation result rather than returned as a separate committed API object.

Logic-review findings can be submitted through the public HTML route /break-dbad/report. That is part of the public review surface, not a separate JSON API.

Outcome status

outcome_status is now a live trace field. It is manually set and records what was later observed after a decision or trace step.

Allowed values: unknown, upheld, reversed, escalated, incident, no_observed_issue.
New traces initialize with outcome_status = unknown.
Older traces without the field are treated as unknown without breaking compatibility.
outcome_history is append-only and records each manual update with prior state, timestamp, and optional actor/reviewer metadata.

Outcome status records what was later observed. It does not prove correctness, does not certify safety, and does not create validation failure by itself.

Example request:

curl -X POST https://ethics.decencymeter.com/api/v1/dbad/traces/trc_20260415180339_f4e1bc25/outcome \
  -H "Content-Type: application/json" \
  -d '{
    "outcome_status": "incident",
    "actor_id": "operator_demo",
    "note": "Observed later incident during review."
  }'

Escalation closure

escalation_closure is now a live trace field. It records the response to an escalated or flagged trace before trust-positive continuation resumes.

Route: POST /api/v1/dbad/traces/<trace_id>/escalation-closure
Required fields: reviewer_id, disposition
Allowed submitted machine dispositions: continue-after-review, rejected, requires-remediation, and closed-no-action. These are input enum tokens only; served validation/API output binds escalation-closure disposition as NOT_AUTH::not_authorization_status_evidence_for_..., not as authorization.
escalation_closure_history is append-only and records each closure event.
Identical immediate re-submissions are rejected.

An unresolved escalation is represented as pending closure, not as automatic structural invalidity by itself. missing_escalation_closure is reserved for traces that show resumed trust or resolved posture without a recorded closure.

Escalation closure records the response to escalation. It does not prove the closure was substantively correct.

Blind spots and expected outcome

declared_blind_spots and expected_outcome are now live trace fields.

POST /api/v1/dbad/traces/<trace_id>/blind-spots appends a declared scope limit, unverified input, excluded population, or similar non-coverage marker.
POST /api/v1/dbad/traces/<trace_id>/expected-outcome records one expected outcome before later outcome is known.
Blind spots are advisory only. They make stated limits visible but do not prove all omissions were disclosed.
Expected outcome is fixed once recorded and must remain earlier than the first recorded outcome event.

These fields record scope and pre-commitment. They do not infer missing blind spots, do not score completeness, and do not evaluate whether the expected result was wise.

State transition evidence

state_transition_evidence is now live as an optional object inside transition history entries.

Supply evidence fields through POST /api/v1/dbad/traces/<trace_id>/transition.
Supported fields: before_ref, after_ref, evidence_ref, and optional evidence_hash.
If evidence is present, before_ref, after_ref, and evidence_ref must be non-empty.
If evidence_hash is present, it must match sha256:<64 hex>.
Missing evidence does not fail validation by itself. Malformed evidence does.

Evidence references are recorded for auditability. DBaD does not fetch them, verify them, or treat them as proof that the transition was substantively correct.

Boundary trust state

boundary_trust_state is now live as an optional object inside transition history entries. It records paired prior-exit and receiver-entry trust values on the same boundary event.

Supply fields through POST /api/v1/dbad/traces/<trace_id>/transition.
Supported fields: prior_node_ref, receiver_node_ref, prior_exit_trust, receiver_entry_trust, optional verification_event_ref, and optional boundary_trust_note.
Trust values must be numeric values from 0 through 1.
If any boundary trust field is supplied, the paired prior/receiver record must be complete or the transition is rejected.
Missing boundary trust state is advisory for ordinary legacy transition events; malformed boundary trust state fails validation.
Missing boundary trust state is blocking for trust-positive continuation if either historical contamination is present or the trace has an escalation context and the continuation occurs after that escalation path.
A trace with missing_boundary_trust_state_on_trust_positive_resume has trust_continuity_confidence set to broken and cannot accept future trust-positive transitions until a remediation path is defined.

This closes the review gap where a post-transition trust value could be visible without the prior node's exit trust state traveling with the same boundary event. DBaD records the delta; it does not prove that the delta was substantively deserved.

Historical contamination

historical_contamination is derived from stored current state, state history, and transition history. It preserves whether a trace ever entered a violation or contamination state even if the current state later appears restored.

Detected states include violation, active_violation, persistent_violation, remediated_violation, contaminated, contaminated_local, and contaminated_global.
If a trace has historical contamination and is no longer currently in a violation state, trust-positive transitions require a machine-readable continue-after-review escalation closure; served outputs still bind that disposition as non-authorization status evidence.
Validation metadata exposes event count, state names, whether restoration followed contamination, and whether closure is required.

Restoration can change current state, but it does not erase history. This field is structural trace metadata, not a moral judgment or proof of bad intent.

Completeness attestation

completeness_attestation is now a live top-level trace field.

Route: POST /api/v1/dbad/traces/<trace_id>/completeness-attestation
Allowed statuses: unknown, declared_complete, partial, not_attested
Statuses other than unknown require attested_by and scope.
Optional fields: coverage_window, included_trace_refs, excluded_known_items, note.
History is append-only and identical immediate re-submissions are rejected.

Completeness attestation records what a trace claims to cover. It does not prove completeness, does not solve cross-trace completeness, and does not infer whether anything was omitted.

Cross-trace lineage

cross_trace_lineage_integrity checks declared parent trace references when a trace claims lineage. resource_lineage_integrity checks fresh root traces and resource identity requirements.

Recognized parent fields: lineage_parent_trace_id, parent_trace_ref, parent_trace_id, and nested lineage.lineage_parent_trace_id, lineage.parent_trace_ref, or lineage.parent_trace_id.
completeness_attestation.included_trace_refs is coverage-only. It no longer counts as lineage by itself.
If a declared parent trace is missing, validation fails with missing_parent_trace_ref.
If a declared parent trace currently fails validation or has trust_continuity_confidence=broken, validation fails with unresolved_parent_lineage_failure.
If a trust-positive trace cites a broken trace in completeness_attestation.included_trace_refs without declaring lineage and without non-governing trace_purpose / governing_intent, validation fails with unbound_prior_trace_exposure.
Coverage exemptions are machine-visible. Analysis, audit, review, and non-governing coverage exposes coverage_exposure_exempt and coverage_exemption_basis.
If a trace claims non-governing analysis coverage but records trust-positive continuation markers such as mark_reviewed, close, approved escalation closure, or boundary trust-state handoff, validation fails with governing_intent_mismatch_coverage_exposure.
If a trust-positive root trace has no declared parent lineage and no machine-readable resource_id, resource_ref, or lineage_anchor, validation fails with missing_resource_identity_for_lineage_check.
Non-governing traces marked trace_purpose=analysis_only, audit_only, review_only, or non_governing do not claim trust propagation and are exempt from the missing-resource guard.
If a root trace has a stable resource_id, omits parent lineage, and a prior trace on the same resource currently fails validation or has trust_continuity_confidence=broken, validation fails with same_resource_orphan_lineage_failure.
Known canonical public example traces are backfilled with stable resource identity through the seed refresh path so public allow examples do not rely on missing identity.
Declared-parent validation walks the current lineage graph live at validation time. Stored parent_validation_summaries are report output, not authoritative inputs.
Validation metadata includes validation_receipt_id, validated_at_utc, validation_fresh_until_utc, validation_ttl_seconds, requires_revalidation_before_trust_positive_use, operator_env_version, operator_env_state_hash, operator_env_id, operator_env_scope, operator_env_authority_level, trace_validation_version, lineage_validation_mode, lineage_traversal_depth, lineage_depth_limit, and lineage_depth_limit_reached.
If lineage traversal reaches the depth limit before reaching a root or verified terminal condition, validation fails closed with lineage_depth_limit_exhausted.
Future recursive-invalidation planning distinguishes enforcement finality from ledger finality. Deep chains may need invalidation batches, risk-tiered recheck depth, checkpoints, pruning, and an explicit unverifiable state rather than pretending certainty after the operational horizon is exceeded.
Inherited hard lineage failures expose trust_lineage_blocked, trust_lineage_block_source, trust_lineage_block_sources, and trust_lineage_block_refs.
If an explicit actor-continuity check is triggered by an undeclared actor handoff, validation fails with actor_continuity, sets trust_lineage_blocked=true, exposes actor_continuity_conflict_code=UNDECLARED_ACTOR_HANDOFF, and does not treat the trace as ordinary continuation.
If an explicit trajectory check says the current action materially escalates or stagnates relative to its lineage, validation fails with trust_trajectory, sets trust_lineage_blocked=true, exposes trust_trajectory_conflict_code=LINEAGE_TRAJECTORY_ESCALATION, and requires context re-validation before ordinary continuation.
Validation receipts expose lineage_snapshot_hash, depends_on_trace_refs, and depends_on_resource_id so clients can see the dependency surface behind a point-in-time result.
relies_on_trace_refs, reliance_trace_refs, and relied_on_trace_refs declare structured reliance separate from parent lineage and coverage.
Trust-positive structured reliance requires the submitted declaration semantics to be complete. Served metadata must not expose a raw complete approval-shaped value; reliance_declaration_mode is projected as NOT_AUTH::not_authorization_status_evidence_for_.... A partial or missing structured reliance declaration fails with incomplete_reliance_declaration so a trace cannot claim trust-positive continuation from a curated subset of declared dependencies.
For trust-positive traces, any structured reliance on non-governing analysis, audit, or review traces fails with reliance_on_non_governing_trace. Missing reliance refs fail with missing_reliance_trace_ref; failed or broken relied-on traces fail with unresolved_trace_reliance_failure.
Reliance integrity is transitive. If a relied-on trace carries unresolved or non-governing reliance of its own, validation fails with transitive_reliance_integrity_failure unless the relied-on trace carries verifier-bound reset-boundary evidence.
Successful trust-positive structured reliance surfaces display-safe current_validation_status_human_readable=NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission and a validation summary that says the pass includes machine-bound structured reliance rather than a generic pass. The raw status token remains machine-only and non-display-safe.
Prose-only phrases such as "covered by analysis trace X" do not become semantic lineage or reliance. They surface display-safe current_validation_status_human_readable=NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission, semantic status name passed_no_valid_reliance_applied inside value-bound machine-only evidence fields, validation_class=advisory_only_prose, unverified_prose_reference, prose_reliance_not_machine_verified, and reliance_contribution_to_outcome=NOT_AUTH::not_authorization_outcome_evidence_for_... as advisory metadata so clients know a human-readable dependency was not machine-bound. For trust purposes, a trace that passes with prose-only references is equivalent to a trace with no reliance contribution.
Reliance metadata includes reliance_scope, reliance_mode, reliance_declaration_mode, reliance_declaration_complete, incomplete_reliance_declaration, reliance_set_integrity, reliance_success_is_trust_positive_inheritance=false, reliance_trace_refs, depends_on_reliance_trace_refs, reliance_validation_versions, reliance_snapshot_hash, non_governing_reliance_trace_refs, unresolved_reliance_trace_refs, and transitive_unresolved_reliance_trace_refs.
Parent-lineage metadata includes lineage_parent_trace_refs, missing_parent_trace_refs, unresolved_parent_trace_refs, parent_validation_summaries, and flattened lineage_ancestor_validation_summaries.
Coverage metadata includes coverage_trace_refs, unbound_prior_trace_refs, coverage_validation_summaries, coverage_exposure_exempt, coverage_exemption_basis, coverage_governing_intent_mismatch, and coverage_trust_positive_markers.
Resource-lineage metadata includes resource_id, resource_identity_status, resource_identity_required, same_resource_prior_trace_refs, unresolved_same_resource_trace_refs, resource_validation_summaries, and flattened resource_ancestor_validation_summaries.
Optional resource_lineage_anchor supports deterministic resource-continuity declarations without prose inference. A trust-positive root can declare prior_resource_ids and a resource_continuity_hash; if those prior resources contain broken traces without verifier-bound reset-boundary evidence, validation fails with unresolved_prior_resource_lineage_failure. Hash mismatch fails with invalid_resource_continuity_hash. Metadata exposes resource_continuity_status, prior_resource_ids, expected_resource_continuity_hash, and unresolved_prior_resource_trace_refs.
zero_trust_reset is recognized only as a verifier-bound structured reset object. Bare reset booleans or malformed reset claims fail; verifier-bound resets expose served metadata such as zero_trust_reset_state=NOT_AUTH::not_authorization_status_evidence_for_..., zero_trust_reset_approved=NOT_AUTH::not_authorization_boolean_evidence_for_..., trust_continuity_confidence=NOT_AUTH::not_authorization_status_evidence_for_..., and lineage_reset_boundary=NOT_AUTH::not_authorization_boolean_evidence_for_....
Successful reset-boundary validation surfaces display-safe current_validation_status_human_readable=NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission and a validation summary that says trust is restored only as reset-boundary continuity, not uninterrupted inherited trust.
Approved resets do not erase prior broken traces or represent uninterrupted trust. Reset descendants expose lineage_reset_boundary=NOT_AUTH::not_authorization_boolean_evidence_for_..., lineage_reset_boundary_trace_ref, lineage_reset_boundary_refs, and a value-bound reset_continuity_status.
Required reset fields: reset_requestor_id, independent_verifier_id, resource_id, reset_scope, reset_reason, reset_approval_timestamp_utc, prior_broken_trace_refs, pre_reset_lineage_hash, remediation_evidence_refs with SHA-256 hashes, and reset_attestation.
The reset verifier must also be registered for reset authority. Unknown verifier IDs fail with zero_trust_reset_verifier_not_registered; inactive verifier records fail with zero_trust_reset_verifier_not_active. Metadata exposes zero_trust_reset_verifier_registry_status.
Verifier independence is enforced for reset clearance. If the verifier matches the reset requestor or appears in the prior broken traces' actor, reviewer, verifier, attestation, transition, or clearance scope, validation fails with zero_trust_reset_verifier_independence_failed and exposes zero_trust_reset_verifier_independence_conflict_code=INVALID_VERIFIER_CONFLICT plus zero_trust_reset_verifier_independence_conflict_scope.
Reset evidence refs must resolve through the deterministic evidence registry and match their declared SHA-256 hash. Unavailable evidence fails with zero_trust_reset_evidence_unavailable; hash mismatch fails with zero_trust_reset_evidence_hash_mismatch. Metadata exposes zero_trust_reset_evidence_availability_status.

This pass enforces declared parent lineage, same-resource orphan detection when a machine-readable resource_id exists, a blocking missing-identity check for trust-positive roots, fail-closed lineage-depth exhaustion, point-in-time validation receipt metadata, verifier-bound reset recovery, and exact verifier-independence conflicts for reset clearance. Broader reciprocal-cartel graph analysis remains a planning hook rather than a live inference rule.

Public fixture traces for reviewer verification: trc_fixture_827_broken_root, trc_fixture_827_declared_child, trc_fixture_827_grandchild, trc_fixture_827_same_resource_orphan, trc_fixture_827_coverage_exposure, trc_fixture_827_missing_resource, trc_fixture_827_analysis_coverage, trc_fixture_827_analysis_coverage_rejected, trc_fixture_851_reliance_on_analysis_rejected, trc_fixture_851_prose_reliance_advisory, trc_fixture_851_reliance_on_reset_accepted, trc_fixture_851_mixed_reliance_governing_violation, trc_fixture_851_transitive_reliance_rejected, trc_fixture_858_incomplete_reliance_declaration, trc_fixture_853_resource_continuity_churn_rejected, trc_fixture_832_zero_trust_reset_approved, trc_fixture_833_zero_trust_reset_descendant, trc_fixture_834_zero_trust_reset_unknown_verifier, trc_fixture_836_zero_trust_reset_unavailable_evidence, and trc_fixture_832_zero_trust_reset_rejected.

Trace validation

POST /api/v1/dbad/validate validates a trace deterministically against the current core rule set.

Accepted input forms:

{ "trace_id": "..." }
{ "trace": { ...full trace object... } }
direct trace-shaped object in the POST body

Current checked rules: verification_independence, actor_continuity, trust_trajectory, propagation_integrity, expected_outcome_order, completeness_attestation, state_transition_evidence_presence, boundary_trust_state_presence, trust_positive_boundary_state, historical_contamination_visibility, cross_trace_lineage_integrity, resource_lineage_integrity, coverage_trace_exposure, governing_intent_coverage_alignment, trace_reliance_integrity, lineage_depth_limit, zero_trust_reset_integrity, reset_boundary_continuity, and escalation-closure resume checks when applicable.

Deterministic validation only. No heuristics. No identity inference. Checks the current core rule set only.

Validation checks identify rule violations. Trace outputs may also include blocking constraints, advisory concerns, and pending governance requirements that remain visible for audit and review.

Validation API envelope: POST /api/v1/dbad/validate omits root ok and returns root api_transaction_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., api_delivery_outcome=NOT_AUTH::not_authorization_outcome_evidence_for_structural-evidence-code-v2-..., ok_removed_for_authorization_safety=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., ok_authoritative_for_trust_positive_use=false, api_envelope_ok_authoritative_for_trust_positive_use=false, api_envelope_authorization_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., authorization_status_hard=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., non_authorization_core_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., trust_positive_authorization=false, and accepted_as_authorization=false. Delivery success is represented by HTTP status plus bound transport fields, never by a root approval-shaped boolean.

Not all triggered conditions block actions. DBaD distinguishes between constraints that prevent action and conditions that remain visible for audit and review.

Validation metadata now includes validation receipt ID, validation timestamp, freshness window, revalidation requirement, dependency refs, lineage snapshot hash, validation epoch, lineage validation mode, lineage traversal depth, resource identity status, actor-continuity status and conflict code, trust-trajectory status and conflict code, trust-lineage block status and source, reset-boundary status and source, outcome, expected outcome, blind-spot counts, escalation-closure status, state-transition evidence presence, boundary trust-state presence and max delta, trust-continuity confidence, historical contamination status, cross-trace parent validation summaries, coverage validation summaries, flattened ancestor summaries, same-resource validation summaries, and completeness-attestation status or scope where those fields exist.

Validation receipts are point-in-time. Clients must revalidate before trust-positive use instead of treating copied JSON, screenshots, or cached responses as standing approval.

For trust-positive consumption checks, use POST /api/v1/dbad/trust-continuation/check with trace_id, validation_receipt_id, validation_fresh_until_utc, lineage_snapshot_hash, reliance_snapshot_hash when depends_on_reliance_trace_refs is non-empty, and intended_use=trust_positive_continuation. Trace JSON and validation receipts are point-in-time evidence only; validation metadata exposes trace_json_authoritative_for_trust_positive_use=false, validation_receipt_authoritative_for_trust_positive_use=false, trust_positive_authorization=false, requires_trust_continuation_token_for_authorization=true, trust_positive_use_requires_fresh_check=true, trust_continuation_token_required_for_certified_use=true, and token_verification_status=not_provided until a token is verified. The endpoint returns 409 for stale_validation_receipt, validation_receipt_changed, dependency_snapshot_changed, missing_reliance_snapshot_hash, transitive_reliance_epoch_mismatch, trust_lineage_blocked, or trust_continuation_receipt_revoked. When allowed, it issues a short-lived HMAC-signed trust_continuation_token and trust_continuation_token_id bound to the current receipt, validation epoch, trace validation version, operator environment version/state hash, explicit operator environment ID/scope/authority, lineage snapshot hash, reliance snapshot hash, dependency refs, and resource ID.

Do not authorize by prefix matching. Display-safe fields say current_validation_status_human_readable=NOT AUTHORIZATION - validation evidence: structural-evidence-code-v2-... - not permission, validation_status_class_human_readable=NOT AUTHORIZATION - validation class evidence: structural-evidence-code-v2-... - not permission, and validation_outcome_class_human_readable=NOT AUTHORIZATION - structural validation evidence: structural-evidence-code-v2-... - not permission. Exposed raw status fields are value-bound and self-negating, for example current_validation_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_status_class=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., and validation_outcome_class=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., with current_validation_status_value_authority_binding=not_authorization_value_bound, validation_status_class_value_authority_binding=not_authorization_value_bound, and validation_outcome_class_value_authority_binding=not_authorization_value_bound. Explicit comparison token fields are also value-bound, for example current_validation_status_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., validation_status_class_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., and validation_outcome_class_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...; they remain machine-only and non-display-safe through dedicated token companions. Metadata exposes raw_status_fields_display_safe=false, raw_status_fields_machine_only=true, token_fields_display_safe=false, token_fields_machine_only=true, displaying_token_fields_is_non_compliant=true, status display-safety fields, and preferred_display_fields. Public trace/copy payloads also value-bind formerly raw positive validation booleans: validity, signature-valid, reset-approved, and compliance evidence appear as NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-... with NOT AUTHORIZATION - boolean evidence: structural-evidence-code-v2-... - not permission companions; false/blocking booleans remain false. Trace detail visible metadata must render representation_compliant evidence with the display-safe representation_compliant_human_readable value, not raw true. DBaD trace mutation endpoints are also non-authority envelopes: mutation write/error responses omit root ok, value-bind api_transaction_status and successful mutation_result, mark mutation_success_authoritative_for_trust_positive_use=false, and return runtime-validation-overlaid trace payloads instead of raw stored trace fragments. A client must not treat validation booleans, mutation booleans, trust-continuation response booleans such as allowed, raw status tokens, token comparison fields, or any raw passed* token value as authorization; the trust-continuation token itself is the credential that must be verified for the intended use. Any human-facing representation must render NOT AUTHORIZATION before or inline with the validation outcome; metadata exposes headline_authority_binding=non_authorization_must_precede_outcome, provenance_class=canonical_production|non_canonical_evaluation, and raw bundle fingerprints are machine-only with a display-safe replacement in human_readable_bundle_fingerprint_safe_display. Certified trust-positive use requires trust_positive_authorization=false, trust_authorization_class=not_authorized, approval_inference_forbidden=true, authorization_status_hard=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., and non_authorization_core_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-... on trace/receipt artifacts until the client has a fresh trust-continuation token and verifies that token for the intended use. Artifacts expose minimum_safe_fields, required_bundled_fields, bundling_hash, bundling_scope=full_validation_semantics_v2, bundled_semantic_fields, served_hardening_round=round53_trust_response_evidence_binding_v1, representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., representation_compliant=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., and safe_citation_v1_accepted=false. The semantic bundle includes machine fields for equivalence checks; those machine fields are not display-safe. Validation equivalence requires matching semantic bundle fields and matching operator environment identity/scope; state equivalence alone is not authority-context equivalence. Any export, dashboard, CSV, or screenshot that keeps raw status or token fields but drops preferred_display_fields or a field listed in required_bundled_fields is a bound partial_non_compliant representation; one that preserves required fields but alters validation, temporal, receipt, rule-version, operator-environment, provenance, violation, advisory context, value-level authority binding, token authority/display-safety binding, or representation class/boolean evidence is a bound context_mismatch_non_compliant. full_validation_semantics_v1 is no longer accepted as a complete safe-citation scope. New artifacts emit v2 only.

Evidence-code opacity. structural-evidence-code-v2-... values are deterministic hash-based identifiers. They are not base64, not reversible public encodings, and not stable permission labels. Do not maintain a client-side dictionary that maps an evidence code back to a clean approval word; human-facing clients must render the adjacent NOT AUTHORIZATION display fields instead.

Secondary status binding rule: every derived, convenience, custom, merged, injected, or explicit token field whose name contains status must have a value that starts with NOT_AUTH::not_authorization_status_evidence_for_ or NOT AUTHORIZATION and must carry local companions: *_machine_only=true, *_display_safe=false, *_authority_binding=not_authorization_token_bound, *_human_readable=NOT AUTHORIZATION - status evidence: structural-evidence-code-v2-... - not permission, *_value_semantics, *_prefix_stripping_forbidden=true, and *_human_readable_truncation_forbidden=true. The same binding applies to explicit status-like outcome, representation, and validation-positive boolean fields even when their key does not contain the word status: current_validation.is_valid, nested reliance-summary is_valid, zero_trust_reset_approved, safe_citation_signature_valid, verification_posture.latest_outcome, verification_history[].outcome, validation_outcome_class, representation_class, and representation_compliant. Trace JSON, validation JSON, and submitted safe-citation/archive artifacts expose secondary_status_fields_bound=true, secondary_status_binding_policy, status_value_semantics, status_prefix_stripping_forbidden=true, status_field_invariant_verified=NOT_AUTH::not_authorization_boolean_evidence_for_..., status_human_readable_truncation_forbidden=true, and global_status_field_invariant=Every status field must be value-bound and companion-bound; no bare approval-shaped status token may appear. Verifier responses are projected as evidence reports and bind verifier class/boolean evidence with NOT_AUTH::not_authorization_class_evidence_for_... and NOT_AUTH::not_authorization_boolean_evidence_for_.... Safe-citation and archival verifiers reject artifacts that remove value-level binding or companions with a bound context_mismatch_non_compliant verifier class and missing_secondary_status_binding=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-.... Human-facing renderers must display the full NOT AUTHORIZATION - ... - status evidence: structural-evidence-code-v2-... - not permission value; truncating away the prefix or evidence-only suffix is non-compliant.

Required status metadata markers include current_validation_status_machine_only=true, validation_status_class_machine_only=true, validation_outcome_class_machine_only=true, current_validation_status_token_display_safe=false, current_validation_status_token_machine_only=true, validation_outcome_class_token_display_safe=false, and validation_outcome_class_token_machine_only=true. Required transaction status examples include evaluation_payload_delivered_not_authorization, validation_payload_delivered_not_authorization, safe_citation_verification_delivered_not_authorization, and historical_attestation_verification_delivered_not_authorization, always value-bound with NOT_AUTH::not_authorization_status_evidence_for_.

Status field compliance linter

External renderers should fail closed before displaying any raw status-like token or positive validation boolean. The live cold-start proof surface for this invariant is GET /api/v1/dbad/status-field-compliance-snapshot; fetch it with a cache-bust query when reviewing current behavior. Operator and peer reviewers can also run python3 app/scripts/audit_dbad_status_field_compliance.py --base-url https://ethics.decencymeter.com from the project root; that script performs the cache-busted snapshot fetch, trace status/outcome/representation/validation-boolean walk, safe-citation verifier check, archival verifier check, no-root-ok check, and mutation rejection checks in one reproducible pass. Run python3 app/scripts/fuzz_dbad_status_paths_round47.py --base-url https://ethics.decencymeter.com --timeout 20 to additionally fuzz delimiter/regex/reversibility paths and check trace detail/index HTML for crop-sensitive metadata, runtime-summary, and stored-state label regressions. Run python3 app/scripts/dbad_redteam_runner.py --base-url https://ethics.decencymeter.com --timeout 20 for the composite Round 54 red-team pass, including boolean authority-leakage and LLM-style semantic-collapse checks. Status-keyed boolean or class evidence fields may use typed non-authorization evidence prefixes such as NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-... or NOT_AUTH::not_authorization_class_evidence_for_...; outcome fields such as verification_posture.latest_outcome use NOT_AUTH::not_authorization_outcome_evidence_for_structural-evidence-code-v2-.... No status-keyed string may expose a bare approval-shaped value, and no covered positive validation boolean may expose a bare true. The public snapshot's data.sample_status_fields.validation_outcome_class and data.sample_status_fields.is_valid are value-bound and companion-bound even though their keys do not contain status. Trace API verification outcomes, representation evidence fields, validation-positive booleans, trust_continuity_confidence, and escalation_closure_disposition are likewise checked. This status field compliance linter shape is intentionally conservative and matches the public verifier contract:

DBaD API cache contract: DBaD evidence and verifier endpoints under /api/v1/dbad/ are point-in-time surfaces and must not be stored by browsers, proxies, or surrogate/CDN caches. Current responses emit Cache-Control: no-store, max-age=0, must-revalidate, Surrogate-Control: no-store, Pragma: no-cache, Expires: 0, and X-DBaD-Cache-Status: fresh. The status-field compliance audit now fails if those headers are missing on DBaD API responses. The peer freshness packet audit also fetches the review packet's core URLs with cache-bust/no-cache headers and records HTTP Date, cache headers, X-DBaD-Cache-Status, optional ETag/Last-Modified, and in-body proof markers. It parses the parked prompt's URL list and fails if the prompt and executable audit drift. Client frameworks must not synthesize a root ok or authorization boolean from HTTP 200, hydrated model helpers, or transport-layer success; only the explicit DBaD non-authorization fields may be used.

function assertDbadStatusFieldBound(node, path = "$") {
  if (Array.isArray(node)) {
    node.forEach((item, index) => assertDbadStatusFieldBound(item, `${path}[${index}]`));
    return;
  }
  if (!node || typeof node !== "object") return;
  for (const [key, value] of Object.entries(node)) {
    const lower = key.toLowerCase();
    const companion = lower.endsWith("_display_safe") ||
      lower.endsWith("_machine_only") ||
      lower.endsWith("_authority_binding") ||
      lower.endsWith("_human_readable") ||
      lower.endsWith("_semantics") ||
      lower.endsWith("_binding_policy") ||
      lower.endsWith("_field_invariant") ||
      lower.endsWith("_invariant_verified") ||
      lower.endsWith("_prefix_stripping_forbidden") ||
      lower.endsWith("_truncation_forbidden") ||
      lower.endsWith("_truncation_warning");
    if (lower.includes("status") && !companion && typeof value === "string") {
      if (!value.startsWith("NOT_AUTH::not_authorization_status_evidence_for_") &&
          !value.startsWith("NOT AUTHORIZATION")) {
        throw new Error(`Non-compliant DBaD status value binding: ${path}.${key}`);
      }
      if (value.startsWith("NOT_AUTH::") && /^(passed|pass|ok|valid|verified|authorized|complete)/i.test(value.split("::", 2)[1] || "")) {
        throw new Error(`Non-compliant DBaD status stripped payload: ${path}.${key}`);
      }
      if (node[`${key}_machine_only`] !== true ||
          node[`${key}_display_safe`] !== false ||
          node[`${key}_authority_binding`] !== "not_authorization_token_bound" ||
          node[`${key}_value_semantics`] !== node.status_value_semantics ||
          node[`${key}_prefix_stripping_forbidden`] !== true ||
          !String(node[`${key}_human_readable`] || "").startsWith("NOT AUTHORIZATION - ") ||
          node[`${key}_human_readable_truncation_forbidden`] !== true) {
        throw new Error(`Non-compliant DBaD status companions: ${path}.${key}`);
      }
    }
    assertDbadStatusFieldBound(value, `${path}.${key}`);
  }
}

Legacy v1 rejection reason: if a submitted safe citation uses bundling_scope=full_validation_semantics_v1, the verifier returns a non-compliant class and includes v1_citation_rejection_reason.rejection_code=legacy_bundle_version_rejected, rejection_policy_date=2026-05-29, and the public policy URL so stored v1 artifacts cannot be mistaken for still-accepted evidence.

Trace-detail URL guard: if a same-host absolute URL is accidentally placed under /dbad/traces/, the public route recursively normalizes and redirects to the canonical same-host path instead of interpreting the URL as a trace ID. Cross-host absolute URLs are not redirected.

Human-visible validation rows are not authorization. Trace detail pages prefix the visible validation sentence with NOT AUTHORIZATION - Validation result:, render successful checked rules as NOT AUTHORIZATION - pass - structural validation evidence only, render failed rules as fail - not authorization, and render visible status metadata values as NOT AUTHORIZATION - validation class evidence: structural-evidence-code-v2-... - not permission / NOT AUTHORIZATION - structural validation evidence: structural-evidence-code-v2-... - not permission. API and copied JSON also bind successful checked_rules.* values as NOT_AUTH::not_authorization_boolean_evidence_for_... instead of bare true; failed checked rules remain false. Stored state fields such as state.effective_state, state.local_state, state_history[].effective_state, and historical_contamination.current_effective_state are also value-bound as NOT_AUTH::not_authorization_status_evidence_for_... instead of raw allow/Allow. Structured-reliance fields such as reliance_declaration_mode, reliance_contribution_to_outcome, reliance_declaration_complete, reliance_set_integrity, trace_reliance_integrity, and reset-boundary summary booleans are likewise value-bound evidence, not raw complete or bare true. Invariant/advisory booleans such as status_field_invariant_verified and prose_reliance_not_machine_verified, plus reset-state values such as zero_trust_reset_state, are also value-bound rather than bare true or raw approved. API metadata also exposes current_validation_status_human_readable, validation_status_class_human_readable, validation_outcome_class_human_readable, and human_readable_bundle_fingerprint_safe_display for display clients; raw human_readable_bundle_fingerprint is machine/copy verification evidence and is not rendered as the visible trace-page fingerprint row. Print/PDF output appends [NOT AUTHORIZATION - structural evidence only] to status metadata rows. This is presentation hardening only; clients must still use the machine-readable non-authority fields and fresh trust-continuation token checks.

Stored operator sections are not authorization. Trace detail pages no longer use standalone "no blocked action is recorded" wording for no-local-blocker cases. They state that no local blocker evidence is listed in that stored-operator section and repeat that certified trust-positive use still requires a fresh trust-continuation check.

Post-Round 54 evidence companions: trust-continuation responses include stable evidence field names for clients that should not branch on mixed booleans. /trust-continuation/check exposes allowed_evidence and trust_continuation_token_issued_evidence; /trust-continuation/token/verify exposes allowed_evidence, token_valid_evidence, and historical_verification_attestation_available_evidence. Each is a NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-... value with local authority/display/machine/human-readable companions. The token remains the credential; these evidence fields are never permission.

Composite proof bundle: GET /api/v1/dbad/composite-proof-bundle?cache_bust=<timestamp> returns a signed, timestamped, no-store evidence bundle for reviewers who need a single public artifact containing current response shapes. The bundle includes status-snapshot, trace API, trust-continuation check, token-verification, and compact OpenAPI contract samples for both https://ethics.decencymeter.com/api/v1/openapi.json and https://decencymeter.com/api/v1/openapi.json with response headers and body digests, plus proof_bundle_signature=dbad_cpb_v1.... Live trust_continuation_token values and historical attestations are redacted before signing the public bundle. GET /api/v1/dbad/composite-proof-bundle/verify describes the verifier contract for crawlers; POST /api/v1/dbad/composite-proof-bundle/verify accepts the copied bundle or full API envelope and verifies the signature while still returning accepted_as_authorization=false. This artifact is not authorization, not a substitute for fresh endpoint fetches, and not a certified trust-positive token.

Round 55 hardening harnesses: the composite red-team runner now includes dedicated proof-bundle signature-scope and replay fuzzing plus trust-continuation token integrity fuzzing. fuzz_dbad_composite_proof_bundle_scope.py verifies valid bundle/envelope acceptance, signed-field mutation rejection, unsigned-shadow-field rejection, delayed replay as evidence only, token redaction, no root ok, no bare authorization booleans, and verifier failure echo suppression. fuzz_dbad_trust_token_integrity.py verifies fresh token issuance, valid verification, immediate token replay as evidence-only behavior, wrong intended use rejection, tampered token rejection, wrong trace-context rejection, wrong receipt rejection, historical-attestation-as-permission rejection, no root ok, and bound evidence response fields.

Red-team history is internal observability, not authorization: dbad_redteam_runner.py appends compact JSONL run history to /home/dbad/logs/dbad_redteam_history.jsonl by default, supports --no-history, classifies failures by leakage class, and prints an internal regression posture score. That score is for operator triage only; it is not a public safety claim, not DBaD authorization, and not a substitute for the underlying per-check evidence.

DBaD OpenAPI contract-depth check: audit_api_v1_dbad_openapi_contract.py fetches the served OpenAPI document with cache busting and verifies the DBaD evidence contract is not described as generic JSON. It checks required schemas/examples for non-authorization envelopes, current-validation evidence, trust-continuation check/verify, signed-artifact verification, composite proof bundles, and trace mutation envelopes; it also verifies the critical operations carry x-dbad-non-authorization-contract, DBaD cache headers, no-root-ok examples, request/response schema refs, and evidence/not-authorization wording. audit_dbad_openapi_host_canonical.py verifies that DecencyMeter and ethics hosts serve the canonical DBaD/DecencyMeter OpenAPI contract, that the Church host remains Church-labeled compatibility only, that public DBaD pages do not point reviewers to the Church OpenAPI URL as canonical, and that OpenAPI JSON responses emit Cache-Control: no-store, max-age=0, must-revalidate, Surrogate-Control: no-store, Pragma: no-cache, Expires: 0, and X-DBaD-Cache-Status: fresh. The composite red-team runner includes these audits as a twelve-check pass.

API-doc discovery guard: audit_public_api_docs_discovery_schema.py now treats the canonical OpenAPI links as contract fields, not optional navigation text. The audit requires pages.openapi_json=https://decencymeter.com/api/v1/openapi.json and pages.ethics_openapi_json=https://ethics.decencymeter.com/api/v1/openapi.json on the public discovery payloads and fails if the Church OpenAPI URL becomes the DBaD/DecencyMeter canonical URL. The ethics and DecencyMeter discovery JSON surfaces (/api/docs/index.json, /api/docs/ethics.json, and /api/docs/ethics?format=json) are also point-in-time proof-routing artifacts and must emit Cache-Control: no-store, max-age=0, must-revalidate, Surrogate-Control: no-store, Pragma: no-cache, Expires: 0, and X-DBaD-Cache-Status: fresh. Those DBaD/DecencyMeter discovery JSON payloads also bind root ok and api_transaction_status as NOT_AUTH::not_authorization_... evidence so discovery success cannot be cropped into authorization. The standard public contract runner executes this discovery guard and the OpenAPI host guard together.

Public contract health guard: run_ethics_public_contract_audit.py now also executes audit_dbad_sitemap_discoverability.py for both ethics and DecencyMeter public discovery profiles, audit_public_api_docs_live_routes.py, targeted audit_html_health.py, targeted audit_internal_links.py, and audit_template_accessibility.py. The artifact includes sitemap_discoverability_audit_exit_code, decency_sitemap_discoverability_audit_exit_code, api_docs_live_routes_audit_exit_code, html_health_audit_exit_code, internal_links_audit_exit_code, and template_accessibility_audit_exit_code, and any nonzero value fails the same public contract gate as validation/render/API-doc discovery failures.

Sitemap and robots proof-surface contract: audit_dbad_sitemap_discoverability.py verifies https://ethics.decencymeter.com/robots.txt points to the canonical sitemap, emits DBaD freshness headers, and explicitly allows public proof API routes such as canonical OpenAPI JSON, status snapshot, composite proof bundle, proof-bundle verifier, trace APIs, and validation. It also verifies https://ethics.decencymeter.com/sitemap.xml emits freshness headers, lists the cold-start proof set, and returns HTTP 200 for each required proof URL: /current-state, /updates, /api/docs/ethics, API-doc discovery JSON, canonical OpenAPI JSON, DBAD-ETHICS-817, trace index, canonical broken trace, prose-reliance and reset fixtures, Agents of Chaos, DecencyMeter scoring/pressure-test pages, and the status-snapshot and composite-proof-bundle APIs. The canonical broken trace ID trc_20260428181140_42396240 is seeded as a durable proof artifact so sitemap liveness cannot depend on rolling trace-store recency. In DecencyMeter profile mode, the same audit verifies https://decencymeter.com/robots.txt and https://decencymeter.com/sitemap.xml expose public advisory pages and API discovery routes, and return HTTP 200 when fetched fresh, including the survey PDF, FAQ, media kit, methodology, papers, demo, scoring anomalies, pressure tests, OpenAPI JSON, API-doc discovery, aggregate stats, wall topics, survey breakdown, and widget script.

Correlation and cross-client projection checks: audit_dbad_evidence_code_correlation.py is an advisory exposure audit for deterministic structural evidence-code reuse; repeated codes are expected, but public decode hints or approval-shaped meaning near evidence codes are failures. fuzz_dbad_cross_client_projection.py simulates lossy extraction from trace API JSON, rendered trace-detail HTML, linked trace pages, and older explanatory/demo pages, and fails if extracted values or visible text reintroduce approval-shaped terms without same-view non-authorization context.

Explanatory-page projection guard: public pages such as /examples, /v2-2-demo, /decencymeter/demo, /faq, /glossary, /methodology, /whitepaper, /explained, /why-dbad-exists, and /trust-flow are part of the pre-peer projection sweep. They must not teach or display raw is_valid = true, Allowed actions =, standalone valid/allowed/approved examples, or raw continuation-machine enum text as quoteable proof. Those concepts should appear only as structural evidence, submitted machine-input vocabulary, formerly raw/non-compliant examples, or display-safe non-authorization text.

Archival projections bind non-authorization into status values too. In addition to the first sort-stable aaa_not_authorization_headline key and duplicate headline_authority_block, copied archival projections include labeled fields such as current_validation_status_labeled, validation_status_class_labeled, and validation_outcome_class_labeled, plus raw_status_fields_display_safe=false, token_fields_display_safe=false, displaying_token_fields_is_non_compliant=true, and preferred_display_fields. These values start with NOT AUTHORIZATION so YAML/XML/log pipelines that strip sort-padding keys still retain a boundary-bearing status value. The raw token fields remain for machine comparison only, but labeled and human-readable fields are the safe display text.

External certified integrations can verify a token with POST /api/v1/dbad/trust-continuation/token/verify. Verification checks signature, expiry, intended use, current trace validation, current validation epoch, current trace validation version, current operator environment version/state hash, current operator environment ID/scope/authority, current lineage snapshot hash, current reliance snapshot hash, current trust-lineage block state, and manual revocation lists. If the epoch has changed, verification fails with validation_epoch_changed. If the trace validation version has changed, verification fails with trace_validation_version_mismatch. If a relied-on trace changes after token issuance, verification fails with transitive_reliance_epoch_mismatch. If the referenced trace is unavailable, verification fails with trace_referenced_no_longer_available. If the operator environment state changed because an env-scoped deny-list changed or DBAD_TRUST_CONTINUATION_OPERATOR_ENV_VERSION was bumped, verification fails with operator_env_version_mismatch and operator_env_state_mismatch. If the explicit environment identity/scope/authority differs, verification fails with operator_env_id_mismatch, operator_env_scope_mismatch, or operator_env_authority_level_mismatch. If a token or receipt is manually revoked, verification fails with trust_continuation_token_revoked or trust_continuation_receipt_revoked.

When token verification passes, the response includes valid_from_utc and valid_until_utc for the live token-verification window plus an optional signed historical_verification_attestation. This artifact is for audit/reporting only and carries a signed artifact_header and artifact_label of NOT AUTHORIZATION - HISTORICAL EVIDENCE ONLY, attestation_class=historical_non_authoritative, authorization_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., verification_result=historically_valid_non_authoritative, verification_result_authoritative_for_trust_positive_use=false, plus human_readable_warning, approval_inference_forbidden=true, non_authoritative_historical_evidence=true, not_authorization=true, accepted_as_authorization=false, accepted_by_trust_continuation_check=false, and requires_fresh_trust_continuation_check_for_use=true. It records only a past token-verification event at attested_at_utc; it is not live permission and never becomes authorization. POST /api/v1/dbad/historical-verification-attestation/verify verifies the artifact signature and returns root api_transaction_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-... plus accepted_as_authorization=false. POST /api/v1/dbad/trust-continuation/check rejects attempts to present this artifact as authorization with historical_verification_attestation_not_authorization. Screenshots or reports that omit the live response validity interval or the attestation non-authority fields are incomplete evidence.

Historical attestation quoteability example

Correct citation: NOT AUTHORIZATION - HISTORICAL EVIDENCE ONLY; verification_result=historically_valid_non_authoritative; accepted_as_authorization=false; requires_fresh_trust_continuation_check_for_use=true.

Incorrect citation: "DBaD approved this trace" or "verification passed, so action is authorized." That interpretation is invalid. A cropped artifact that removes the non-authority header is not a valid quote; changing the signed payload invalidates the signature, and a complete artifact says it has never been authorization.

Manual token revocation is intentionally operator-scoped and stateless. Set comma- or whitespace-separated IDs in DBAD_TRUST_CONTINUATION_REVOKED_TOKEN_IDS, DBAD_TRUST_CONTINUATION_REVOKED_RECEIPT_IDS, or the shared DBAD_TRUST_CONTINUATION_REVOKED_IDS kill-switch list, then restart the service. Read-only trace viewing remains available; certified trust-positive continuation checks and token verification fail closed for matching IDs. DBaD does not yet expose a database-backed token revocation audit feed or token-introspection ledger.

Client consumption snippets

These snippets show the expected integration shape. They are examples of the contract, not a client SDK. The important rule is that copied trace JSON, validation JSON, screenshots, and cached receipts are evidence only; certified trust-positive use must ask for a fresh trust-continuation decision and verify the issued token before acting.

Correct path: fetch current trace JSON, extract the current validation metadata, call the trust-continuation check with the same receipt and snapshot fields, then verify the returned token.

TRACE_ID="trc_fixture_851_reliance_on_reset_accepted"
TRACE_JSON="$(curl -s https://ethics.decencymeter.com/api/v1/dbad/traces/${TRACE_ID})"

RECEIPT_ID="$(printf "%s" "$TRACE_JSON" | jq -r '.data.current_validation.metadata.validation_receipt_id')"
FRESH_UNTIL="$(printf "%s" "$TRACE_JSON" | jq -r '.data.current_validation.metadata.validation_fresh_until_utc')"
SNAPSHOT_HASH="$(printf "%s" "$TRACE_JSON" | jq -r '.data.current_validation.metadata.lineage_snapshot_hash')"
RELIANCE_SNAPSHOT_HASH="$(printf "%s" "$TRACE_JSON" | jq -r '.data.current_validation.metadata.reliance_snapshot_hash')"

CHECK_JSON="$(curl -s -X POST https://ethics.decencymeter.com/api/v1/dbad/trust-continuation/check \
  -H "Content-Type: application/json" \
  -d "{
    \"trace_id\": \"${TRACE_ID}\",
    \"validation_receipt_id\": \"${RECEIPT_ID}\",
    \"validation_fresh_until_utc\": \"${FRESH_UNTIL}\",
    \"lineage_snapshot_hash\": \"${SNAPSHOT_HASH}\",
    \"reliance_snapshot_hash\": \"${RELIANCE_SNAPSHOT_HASH}\",
    \"intended_use\": \"trust_positive_continuation\"
  }")"

TOKEN="$(printf "%s" "$CHECK_JSON" | jq -r '.data.trust_continuation_token // empty')"
curl -s -X POST https://ethics.decencymeter.com/api/v1/dbad/trust-continuation/token/verify \
  -H "Content-Type: application/json" \
  -d "{
    \"trace_id\": \"${TRACE_ID}\",
    \"trust_continuation_token\": \"${TOKEN}\",
    \"intended_use\": \"trust_positive_continuation\"
  }"

Optional audit artifact: a successful token verification response includes historical_verification_attestation. Verify that artifact only as historical evidence:

VERIFY_JSON="$(curl -s -X POST https://ethics.decencymeter.com/api/v1/dbad/trust-continuation/token/verify \
  -H "Content-Type: application/json" \
  -d "{
    \"trace_id\": \"${TRACE_ID}\",
    \"trust_continuation_token\": \"${TOKEN}\",
    \"intended_use\": \"trust_positive_continuation\"
  }")"

ATTESTATION="$(printf "%s" "$VERIFY_JSON" | jq -r '.data.historical_verification_attestation // empty')"
curl -s -X POST https://ethics.decencymeter.com/api/v1/dbad/historical-verification-attestation/verify \
  -H "Content-Type: application/json" \
  -d "{
    \"historical_verification_attestation\": \"${ATTESTATION}\"
  }"

Client-side decision gate: reject copied JSON as authorization, reject stale or non-authoritative receipts, reject blocked lineage, and require a freshly verified token before trust-positive action. Round 53+ response booleans are evidence-bound strings, not raw true authorization flags.

function isBoundEvidence(value, kind) {
  return typeof value === "string" &&
    value.startsWith(`NOT_AUTH::not_authorization_${kind}_evidence_for_structural-evidence-code-v2-`);
}

function mayUseForTrustPositiveAction(traceJson, tokenVerifyJson, tokenVerifyHttpStatus) {
  const validation = traceJson?.data?.current_validation;
  const metadata = validation?.metadata || {};
  const tokenData = tokenVerifyJson?.data || {};
  const tokenVerified = tokenVerifyHttpStatus === 200 &&
    isBoundEvidence(tokenData.allowed, "boolean") &&
    isBoundEvidence(tokenData.allowed_evidence, "boolean") &&
    isBoundEvidence(tokenData.token_valid_evidence, "boolean") &&
    isBoundEvidence(tokenData.token_verification_status, "status") &&
    Array.isArray(tokenData.failure_states) &&
    tokenData.failure_states.length === 0 &&
    tokenData.intended_use === "trust_positive_continuation";
  if (!isBoundEvidence(validation?.is_valid, "boolean")) return false;
  if (metadata.trust_lineage_blocked === true) return false;
  if (metadata.trace_json_authoritative_for_trust_positive_use !== false) return false;
  if (metadata.validation_receipt_authoritative_for_trust_positive_use !== false) return false;
  if (metadata.trust_positive_use_requires_fresh_check !== true) return false;
  // A valid trace/receipt artifact never grants authorization directly.
  // Missing, null, or true means the artifact is malformed/spoofed for trust-positive use.
  if (metadata.trust_positive_authorization !== false) return false;
  if (metadata.trust_authorization_class !== "not_authorized") return false;
  if (metadata.approval_inference_forbidden !== true) return false;
  if (metadata.validation_status_class_authoritative_for_trust_positive_use !== false) return false;
  if (metadata.validation_status_class_deprecated_for_authorization !== true) return false;
  if (!isBoundEvidence(metadata.authorization_status_hard, "status")) return false;
  if (!isBoundEvidence(metadata.non_authorization_core_status, "status")) return false;
  if (!Array.isArray(metadata.minimum_safe_fields)) return false;
  if (!Array.isArray(metadata.required_bundled_fields)) return false;
  if (!metadata.required_bundled_fields.includes("validation_status_class")) return false;
  if (!metadata.required_bundled_fields.includes("trace_id")) return false;
  if (!metadata.required_bundled_fields.includes("current_validation_status")) return false;
  if (!metadata.required_bundled_fields.includes("validation_class")) return false;
  if (!metadata.required_bundled_fields.includes("validation_summary")) return false;
  if (!metadata.required_bundled_fields.includes("validated_at_utc")) return false;
  if (!metadata.required_bundled_fields.includes("validation_fresh_until_utc")) return false;
  if (!metadata.required_bundled_fields.includes("validation_receipt_id")) return false;
  if (!metadata.required_bundled_fields.includes("validation_epoch")) return false;
  if (!metadata.required_bundled_fields.includes("trace_validation_version")) return false;
  if (!metadata.required_bundled_fields.includes("headline_authority_binding")) return false;
  if (!metadata.required_bundled_fields.includes("operator_env_id")) return false;
  if (!metadata.required_bundled_fields.includes("operator_env_scope")) return false;
  if (!metadata.required_bundled_fields.includes("operator_env_authority_level")) return false;
  if (!metadata.required_bundled_fields.includes("operator_env_state_hash")) return false;
  if (!metadata.required_bundled_fields.includes("provenance_class")) return false;
  if (!metadata.required_bundled_fields.includes("violations")) return false;
  if (!metadata.required_bundled_fields.includes("advisory_notes")) return false;
  if (!metadata.required_bundled_fields.includes("authorization_status_hard")) return false;
  if (!metadata.required_bundled_fields.includes("non_authorization_core_status")) return false;
  if (!String(metadata.bundling_hash || "").startsWith("bundle_")) return false;
  if (metadata.bundling_scope !== "full_validation_semantics_v2") return false;
  if (!String(metadata.human_readable_bundle_fingerprint || "").includes("full_validation_semantics_v2|")) return false;
  if (metadata.served_hardening_round !== "round53_trust_response_evidence_binding_v1") return false;
  if (metadata.status_field_invariant_verified !== true) return false;
  if (metadata.status_human_readable_truncation_forbidden !== true) return false;
  if (metadata.raw_status_fields_display_safe !== false) return false;
  if (metadata.raw_status_fields_machine_only !== true) return false;
  if (metadata.displaying_raw_status_fields_is_non_compliant !== true) return false;
  if (metadata.token_fields_display_safe !== false) return false;
  if (metadata.token_fields_machine_only !== true) return false;
  if (metadata.displaying_token_fields_is_non_compliant !== true) return false;
  if (metadata.current_validation_status_display_safe !== false) return false;
  if (metadata.current_validation_status_machine_only !== true) return false;
  if (metadata.current_validation_status_token_display_safe !== false) return false;
  if (metadata.current_validation_status_token_machine_only !== true) return false;
  if (metadata.current_validation_status_token_authority_binding !== "not_authorization_token_bound") return false;
  if (metadata.validation_status_class_machine_only !== true) return false;
  if (metadata.validation_status_class_token_display_safe !== false) return false;
  if (metadata.validation_status_class_token_machine_only !== true) return false;
  if (metadata.validation_status_class_token_authority_binding !== "not_authorization_token_bound") return false;
  if (metadata.validation_outcome_class_machine_only !== true) return false;
  if (metadata.validation_outcome_class_token_display_safe !== false) return false;
  if (metadata.validation_outcome_class_token_machine_only !== true) return false;
  if (metadata.validation_outcome_class_token_authority_binding !== "not_authorization_token_bound") return false;
  if (!String(metadata.current_validation_status || "").startsWith("NOT_AUTH::")) return false;
  if (!String(metadata.validation_status_class || "").startsWith("NOT_AUTH::")) return false;
  if (!String(metadata.validation_outcome_class || "").startsWith("NOT_AUTH::")) return false;
  if (!Array.isArray(metadata.preferred_display_fields)) return false;
  if (!metadata.preferred_display_fields.includes("current_validation_status_human_readable")) return false;
  if (!metadata.preferred_display_fields.includes("validation_status_class_human_readable")) return false;
  if (!metadata.preferred_display_fields.includes("validation_outcome_class_human_readable")) return false;
  if (!metadata.preferred_display_fields.includes("human_readable_bundle_fingerprint_safe_display")) return false;
  if (!String(metadata.validation_outcome_class_human_readable || "").startsWith("NOT AUTHORIZATION - ")) return false;
  if (!isBoundEvidence(metadata.representation_class, "class")) return false;
  if (!isBoundEvidence(metadata.representation_compliant, "boolean")) return false;
  if (metadata.requires_trust_continuation_token_for_authorization !== true) return false;
  if (metadata.trust_continuation_token_required_for_certified_use !== true) return false;
  // Raw status fields are machine-only structural evidence, not authorization or display text.
  if (metadata.validation_status_class_human_readable !== "NOT AUTHORIZATION - validation class evidence: structural-evidence-code-v2-... - not permission") return false;
  if (!String(metadata.current_validation_status_human_readable || "").startsWith("NOT AUTHORIZATION - ")) return false;
  if (Array.isArray(metadata.depends_on_reliance_trace_refs) && metadata.depends_on_reliance_trace_refs.length) {
    if (!metadata.reliance_snapshot_hash) return false;
    if (!isBoundEvidence(metadata.reliance_declaration_mode, "status")) return false;
    if (!String(metadata.reliance_declaration_mode_human_readable || "").startsWith("NOT AUTHORIZATION - ")) return false;
  }
  return tokenVerified;
}

Incorrect path: treating current_validation.is_valid=NOT_AUTH::..., copied validation JSON, response evidence such as data.allowed=NOT_AUTH::..., or an unexpired-looking receipt as authorization without /trust-continuation/check and token verification. That integration is non-compliant even if a historical receipt once passed.

Trace detail pages also expose a Copy safe citation artifact. That JSON is intentionally quote-safe: it includes trace ID, canonical query-free trace URL, citation_class=safe_non_authoritative, authorization_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., authorization_status_hard=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., non_authorization_core_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., headline_authority_binding=non_authorization_must_precede_outcome, provenance_class, minimum_safe_fields, required_bundled_fields, bundling_hash, bundling_scope=full_validation_semantics_v2, bundled_semantic_fields, value-bound status fields such as validation_status_class=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., explicit value-bound comparison tokens such as validation_status_class_token=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., status_value_semantics, status_prefix_stripping_forbidden=true, token safety companions such as validation_status_class_token_authority_binding=not_authorization_token_bound, validation_status_class_token_display_safe=false, and validation_status_class_token_machine_only=true, raw_status_fields_display_safe=false, raw_status_fields_machine_only=true, token_fields_display_safe=false, token_fields_machine_only=true, displaying_token_fields_is_non_compliant=true, displaying_raw_status_fields_is_non_compliant=true, preferred_display_fields, human_readable_bundle_fingerprint_safe_display, human_readable_bundle_fingerprint_machine_only=true, served_hardening_round=round53_trust_response_evidence_binding_v1, status_field_invariant_verified=NOT_AUTH::not_authorization_boolean_evidence_for_..., status_human_readable_truncation_forbidden=true, safe_citation_v1_accepted=false, representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., display-safe validation status/class/outcome fields, validation timestamp, freshness, receipt ID, validation epoch, trace validation version, operator environment ID/scope/authority/state hash, violations/advisories, trust_positive_authorization=false, trust_authorization_class=not_authorized, approval_inference_forbidden=true, accepted_as_authorization=false, accepted_by_trust_continuation_check=false, requires_trust_continuation_token_for_authorization=true, requires_fresh_trust_continuation_check_for_use=true, a signed safe_citation value, safe_citation_id, safe_citation_verification_endpoint=/api/v1/dbad/safe-citation/verify, and a warning that the citation is point-in-time evidence only. POST /api/v1/dbad/safe-citation/verify verifies citation tamper evidence but deliberately omits root ok. Instead it returns root api_transaction_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., api_transport_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., ok_removed_for_authorization_safety=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., ok_replacement_contract, verifier_response_schema, ok_meaning=transport_only_not_authorization, ok_authoritative_for_trust_positive_use=false, unsafe_if_ok_used_for_authorization=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., signature_and_authorization_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., safe_citation_signature_valid=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., representation_compliant=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., safe_citation_payload=null, safe_citation_payload_echo_policy=signed_artifact_not_re_echoed_in_verifier_response, and accepted_as_authorization=false only for complete v2 safe citations whose raw status fields carry NOT_AUTH::not_authorization_status_evidence_for_ and whose token fields carry token authority/display-safety companions. A submitted artifact whose visible JSON fields disagree with its embedded signed safe_citation blob is evaluated by the visible JSON and rejected with safe_citation_visible_payload_mismatch; a signed but incomplete artifact may still carry a valid HMAC for the embedded payload, but it returns a bound non-compliant verifier class and remains non-authoritative. A submitted partial projection missing required fields returns verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_partial_non_compliant; one with altered semantic, temporal, receipt, rule-version, operator-environment, provenance, violation, advisory context, missing value-level authority binding, missing token authority/display-safety binding, or unsupported v1 bundling scope returns verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-.... Copy archival projection is a separate compact artifact whose first sort-stable JSON field is aaa_not_authorization_headline=NOT AUTHORIZATION - ARCHIVAL PROJECTION - NOT SAFE CITATION, with headline_authority_block=NOT AUTHORIZATION - ARCHIVAL PROJECTION - NOT SAFE CITATION retained as the duplicate human-readable field; the aaa_not_authorization_headline sentinel remains first even after json.dumps(sort_keys=true). It also carries artifact_header=ARCHIVAL PROJECTION - NOT SAFE CITATION, artifact_label=Archival projection - not safe citation, representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., representation_compliant=false, and safe_citation_compliant=false; the verifier recognizes it only as non-authoritative archive metadata with HTTP 422, no root ok, root api_transaction_status=NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-..., verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., sort_stable_non_authority_headline_first=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., error=archival_projection_not_safe_citation, archival_projection_recognized=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-..., and archival_projection_accepted_as_safe_citation=false. If the archival sentinel is missing or not first, the verifier returns verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., and missing_headline_authority_binding=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-.... A valid safe citation or recognized archival projection is never trust-positive permission.

Safe citation vs archival projection

Complete safe citation: use for quoteable evidence. It verifies with HTTP 200, no root ok, verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., and representation_compliant=NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-.... It is still never authorization.

Archival projection: use only for compact archive/reporting indexes. It verifies with HTTP 422, no root ok, verifier_response_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., representation_class=NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-..., representation_compliant=false, and safe_citation_compliant=false. It is not a lighter safe citation.

DBaD non-authority API envelopes: read/validation/citation/attestation endpoints that are not trust-continuation authorization now reinforce the delivery/permission split at the root. For example, GET /api/v1/dbad/traces/<trace_id> returns {"api_version": "v1", "api_transaction_status": "NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...", "api_transport_status": "NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...", "api_delivery_outcome": "NOT_AUTH::not_authorization_outcome_evidence_for_structural-evidence-code-v2-...", "ok_removed_for_authorization_safety": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-...", "ok_meaning": "transport_only_not_authorization", "ok_authoritative_for_trust_positive_use": false, "api_envelope_ok_authoritative_for_trust_positive_use": false, "api_envelope_authorization_class": "NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...", "trust_positive_authorization": false, "accepted_as_authorization": false, "unsafe_if_ok_used_for_authorization": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-...", "data": {...}}. The same root pattern is used by POST /api/v1/dbad/evaluate, POST /api/v1/dbad/validate, POST /api/v1/dbad/safe-citation/verify, and POST /api/v1/dbad/historical-verification-attestation/verify. These envelopes omit root ok; ok_removed_for_authorization_safety is the explicit replacement marker. Round 27+ authority fields live under .data.current_validation.metadata, are mirrored on .data, and are also reinforced by root non-authority fields on non-authorization endpoints. A client that invents or maps any root ok to trust-positive permission is non-compliant.

Public-surface update contract: DBaD ethics logic/API/code changes must keep the public proof surfaces synchronized in the same pass. The required surfaces are /updates, /current-state, /api/docs/ethics, and /dbad-ethics-817, plus running log, recovery file, task queue, and current prompt/synthesis updates when review baseline changes. The standard public contract runner includes audit_dbad_public_surface_update_contract.py, audit_public_api_docs_discovery_schema.py, audit_dbad_openapi_host_canonical.py, audit_public_api_docs_live_routes.py, audit_dbad_sitemap_discoverability.py for ethics and DecencyMeter profiles, audit_html_health.py, targeted audit_internal_links.py, audit_template_copy_payloads.py, and audit_template_accessibility.py so implementation truth, API-doc discovery, canonical OpenAPI host scope, robots/sitemap discoverability, link/static health, stale public anchors, copy-payload safety, and accessibility cannot silently move ahead of the public docs.

Input / condition	HTTP	Root `ok`	`verifier_response_class`	`representation_class`	Authorization	Client action
Complete signed safe citation	`200`	omitted	`NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...`	`NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...`	`false`	Accept only as point-in-time evidence; still require fresh token for trust-positive use.
Partial projection missing required bundled fields	`409`	omitted	`NOT_AUTH::not_authorization_class_evidence_for_partial_non_compliant`	`NOT_AUTH::not_authorization_class_evidence_for_partial_non_compliant`	`false`	Reject as incomplete.
Context mismatch or illegal downgrade	`409`	omitted	`NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...`	`NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...`	`false`	Reject as altered, stale, or downgraded.
Archival projection	`422`	omitted	`NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...`	`NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...`	`false`	Archive/reporting metadata only; never treat as a compact safe citation.

async function routeSafeCitationVerifierResponse(response) {
  const body = await response.json();
  const klass = body.verifier_response_class || body.data?.verifier_response_class;
  if ("ok" in body) throw new Error("Verifier response exposed root ok; reject.");

  if (response.status === 200 && klass === "NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...") {
    return { kind: "complete_safe_citation", authorization: false };
  }

  if (response.status === 422 && klass === "NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...") {
    throw new Error("Archival projection received: archive metadata only, not a safe citation.");
  }

  if (response.status === 409 && klass === "NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...") {
    throw new Error("Context mismatch or downgrade attempt; reject.");
  }

  if (response.status === 409 && klass === "NOT_AUTH::not_authorization_class_evidence_for_partial_non_compliant") {
    throw new Error("Partial projection missing required fields; reject.");
  }

  throw new Error("Unexpected verifier response; reject by default.");
}

// Wrong: if (response.status === 200) accept();
// Wrong: if (body.ok === true) accept();
// Wrong: stripping "NOT_AUTH::not_authorization_class_evidence_for_" before display or logging.
// Wrong: treating archival_minimal_non_authoritative as a compact safe citation.

Deferred operations gates

Persistent token revocation/introspection remains deferred while DBaD is serving public review fixtures and short-lived stateless tokens. The trigger criteria are exact: add a DB-backed token revocation/introspection ledger when certified external integrations exist, when a DBaD-owned mutation endpoint accepts trust-continuation tokens as authorization, when token TTLs need to exceed the short validation freshness window, when operators need searchable revocation audit history, or when revocation volume exceeds env deny-list practicality.

Signed first-use resource-continuity attestations and verifier quorum remain deferred until resource identity changes must be accepted without a deterministic resource_lineage_anchor, or until external/certified integrations need cross-organization resource migration. Current validation does not infer identity from prose. A trust-positive trace that changes resource identity must either declare a deterministic continuity anchor, declare a verifier-bound reset boundary, or stay non-authoritative for trust-positive use.

Signed historical verification attestations are implemented only as non-authoritative audit artifacts from successful token verification. They do not replace current validation, receipt freshness, reliance epoch checks, or trust-continuation token verification.

Example request using trace_id:

curl -X POST https://ethics.decencymeter.com/api/v1/dbad/validate \
  -H "Content-Type: application/json" \
  -d '{
    "trace_id": "trc_20260415180339_f4e1bc25"
  }'

Example response:

{
  "api_version": "v1",
  "api_transaction_status": "NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...",
  "api_transport_status": "NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...",
  "api_delivery_outcome": "NOT_AUTH::not_authorization_outcome_evidence_for_structural-evidence-code-v2-...",
  "ok_removed_for_authorization_safety": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-...",
  "ok_meaning": "transport_only_not_authorization",
  "ok_authoritative_for_trust_positive_use": false,
  "api_envelope_ok_authoritative_for_trust_positive_use": false,
  "api_envelope_authorization_class": "NOT_AUTH::not_authorization_class_evidence_for_structural-evidence-code-v2-...",
  "authorization_status_hard": "NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...",
  "non_authorization_core_status": "NOT_AUTH::not_authorization_status_evidence_for_structural-evidence-code-v2-...",
  "trust_positive_authorization": false,
  "accepted_as_authorization": false,
  "unsafe_if_ok_used_for_authorization": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-...",
  "data": {
    "is_valid": false,
    "validation_summary": "Trace failed 4 deterministic validation check(s).",
    "violations": [
      "verification_independence",
      "actor_continuity",
      "trust_trajectory",
      "missing_escalation_closure"
    ],
    "pending_requirements": [],
    "advisory_notes": [
      "missing_state_transition_evidence",
      "completeness_attestation_unknown",
      "missing_boundary_trust_state",
      "trust_positive_resume_missing_boundary_trust_state",
      "historical_contamination_present"
    ],
    "checked_rules": {
      "verification_independence": false,
      "actor_continuity": false,
      "trust_trajectory": false,
      "propagation_integrity": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-5d3235c830a768ce27af67e8",
      "expected_outcome_order": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-5d3235c830a768ce27af67e8",
      "completeness_attestation": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-5d3235c830a768ce27af67e8",
      "state_transition_evidence_presence": false,
      "boundary_trust_state_presence": false,
      "trust_positive_boundary_state": false,
      "escalation_closure": false,
      "historical_contamination_visibility": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-5d3235c830a768ce27af67e8",
      "cross_trace_lineage_integrity": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-5d3235c830a768ce27af67e8",
      "resource_lineage_integrity": "NOT_AUTH::not_authorization_boolean_evidence_for_structural-evidence-code-v2-5d3235c830a768ce27af67e8"
    },
    "metadata": {
      "resource_id": null,
      "trust_continuity_confidence": "broken"
    }
  }
}

Current Runtime Boundaries

DBaD validates structure, not truth.
DBaD does not prove outcome correctness or safety.
DBaD does not infer identity or intent.
DBaD records completeness claims. It does not prove completeness.
DBaD records boundary trust deltas and historical contamination visibility. It does not prove that a trust delta was deserved or that restored history is safe.

Visible trace status rendering: trace pages and the recent-traces index must render trust, validation, state, outcome, verification, completeness, and closure values as evidence, not authorization. Human-visible trust-inheritance rows use Trust inheritance evidence with same-line NOT AUTHORIZATION; API-facing trust_inheritance_result.label values are also non-authorizing. Operator form option labels are display-only evidence labels; submitted API enum values are unchanged.

Remaining Future Hardening

The core v2.2 integrity stack is live. The remaining work is hardening, not missing field implementation.

Stronger evidence canonicalization and clearer hashing-input rules.
Selective evidence enforcement by transition type.
Cross-trace completeness or publication-window attestation.
Aggregation insights across outcomes, scope declarations, and escalation behavior.
Broaden boundary-trust-state coverage beyond transition events to dedicated handoff, verification, and chain-genesis event types when those event classes ship.

Calculator state fields

The public research demo and calculator endpoint are intended to return structured decision-trace fields, not only a score. Public clients using POST /api/v1/ethics/calculator should distinguish live operational fields from canonical v3 planning fields.

Working reference set: live now means stable on the public surface today, partially live means present on some live surfaces but not yet complete everywhere, canonical planned means frozen in the v3 trace model but not fully emitted on every endpoint, and internal governance means governance-only detail that should not be mistaken for a public morality score.

Live now

Recommendation, score summaries, effective governing-state outputs, obligations, deadlines, domain context, dependency scope, contamination scope, and review/calibration summaries are the main fields public clients should treat as operational today.

Partially live / evaluator-visible

The public evaluator should surface local_state, systemic_state when applicable, effective_state, pending verification, obligation windows, and failure consequences in the same controlled vocabulary used by the canonical trace model.

Canonical planned

Chain identity, precedence metadata, submitted evidence records, signature authority details, provenance crawl metadata, and revision-blocking details are part of the canonical v3 model even when not fully live on every public endpoint.

Internal governance

Signals such as system_integrity_score, detailed provenance crawl state, and full clearance-authority internals should be documented carefully as governance mechanics rather than public-facing moral outputs. Repeated unresolved obligations, recurring contamination patterns, and chronic remediation dependence are health signals; isolated local failures should not be overread as systemic collapse.

system_state live bridge field

Current live bridge field for the governing state returned by the public API surface. In the canonical v3 trace model, this maps most closely to effective_state until live endpoints expose the fuller local_state / systemic_state / effective_state split directly.

audit_status

Short lifecycle posture string describing whether the action is pending review, carrying open obligations, or already blocked in audit.

obligations

Structured follow-up duties returned as labeled records with status markers such as open or required.

deadlines

Time-window hints or execution gates that define when obligations must be completed or cleared.

state re-entry canonical planned

When a higher-precedence override clears, lower local states must not silently receive a fresh TTL. Planned fields include state.context_stale_after, state.context_stale_triggered, state.local_state_resume_policy, state.local_state_ttl_resume_mode, state.resume_requires_context_recheck, and state.reentry_requires_reevaluation.

failure_consequence

The main state consequence if required follow-up work is not completed.

clearance_requirements

Machine, human, policy, or role-gated verification steps that can clear the current effective state or close open obligations. High-risk remediation may require multiple clearance lanes and should record the remediation authority that cleared the state.

clearance authority health canonical planned

Signature authority is governable. Planned fields include verification.clearance_authority.authority_health_status, revoked_at, revocation_type, revocation_propagation, and prior_clearance_recheck_required so administrative revocation and integrity revocation do not collapse into one ambiguous state.

break_glass canonical planned

Emergency override planning is high-friction only: Tier 2 or multi-party clearance, full logging, guardrails.critical_architectural_deviation, mandatory follow-up review, and budget fields such as guardrails.emergency_budget_window, guardrails.emergency_usage_count_in_window, and guardrails.emergency_budget_exceeded. Budget exceedance should trigger systemic audit or restriction instead of emergency-as-a-service drift.

decision_trace

Compact summary counts for guardrails, doctrines, obligations, and deadlines so clients can treat the result as a structured decision trace.

domain_context

Profile-aware domain label such as cybersecurity_incident_response or critical_infrastructure.

dependency_scope / contamination_scope

Structured scope fields describing where a dependency chain begins and how far contamination should spread by default. DBaD starts local-first and escalates broader contamination only when shared dependency evidence, repeated unresolved failures, or profile thresholds justify it.

recursive invalidation canonical planned

Planning fields such as dependency.invalidation_batch_id, dependency.push_invalidation_enabled, dependency.pull_recheck_required, dependency.recheck_depth_limit, dependency.enforcement_finality_horizon, dependency.ledger_finality, and dependency.checkpoint_ref prevent large dependency graphs from becoming either silent trust laundering paths or governance-DDoS triggers.

clearance_mode / required_evidence_tier

Verification mode fields that indicate whether a result expects Tier 1 evidence of fact, Tier 2 evidence of quality, or both. Transparency, intent, legitimacy, and proportionality debt often require Tier 2 review because logs alone can prove occurrence without proving adequacy.

probationary_state

Operational overlay for constrained execution. Probationary states are time-bounded and can auto-escalate on expiry.

revision_signal

Structured review signal indicating whether the scenario should trigger doctrine or profile revision work. It is not an automatic rule change; framework revisions require named authority, evidence requirements, review process, approval, documentation, and versioning.

revision quorum canonical planned

Moving from divergence pressure to an active revision draft should require calibration.revision_quorum_threshold, calibration.revision_window, calibration.revision_authority, and calibration.active_revision_draft. A high disagreement signal alone should not rewrite control-layer rules.

version compatibility canonical planned

Schema-version mismatch should not fail open. Planned fields include compatibility.min_supported_schema_version, compatibility.downgrade_allowed, compatibility.fail_open_protection, and compatibility.version_parity_required.

divergence_flag / survey_disagreement_rate

Calibration fields for comparing human intuition against control-layer output over scenario families. Low means ordinary monitoring, moderate means operational caution, and high means formal calibration review should be considered.

calibration_review_recommended / matched_scenario_family

Flags that help clients group disagreement patterns and decide when democratic calibration review is justified. Divergence is a caution signal; not all divergence is public bias, not all divergence is DBaD failure, and recurring divergence may justify doctrine or profile review.

The research demo page renders these same fields as a prototype dashboard so public visitors and API clients see the same state vocabulary. The frozen v3 trace-model reference set is documented in the canonical schema docs even when a field is only partially live or not yet emitted on every public response.