Follow-up to ADJ-GTM-2 / HUMAN-D10 in the sovereign-federation GTM plan.
The GTM proof suite runs cross-domain federation proofs (GTM-C) using two isolated network namespaces on ONE host. ADJ-GTM-2 decided option A (on-box staging, guarded by a no-shared-state trap) for the loop, because it is cheap and deterministic.
This tracks option B: a release-time validation that the same federation proofs pass on TWO GENUINELY SEPARATE hosts (distinct machines or VMs), to catch anything on-box staging masks — real NIC/MTU behavior, clock skew, and true network-partition recovery.
Acceptance:
- GTM-C1 (offline cross-verify, no shared registry)
- GTM-C2 (revocation propagation within the operator-published staleness bound)
- GTM-C3 (selective exposure)
all pass with org-a and org-b on distinct hosts.
Ref: roadmap/go_to_market/plans/sovereign_federation_gtm.md (ADJ-GTM-2)
Follow-up to ADJ-GTM-2 / HUMAN-D10 in the sovereign-federation GTM plan.
The GTM proof suite runs cross-domain federation proofs (GTM-C) using two isolated network namespaces on ONE host. ADJ-GTM-2 decided option A (on-box staging, guarded by a no-shared-state trap) for the loop, because it is cheap and deterministic.
This tracks option B: a release-time validation that the same federation proofs pass on TWO GENUINELY SEPARATE hosts (distinct machines or VMs), to catch anything on-box staging masks — real NIC/MTU behavior, clock skew, and true network-partition recovery.
Acceptance:
all pass with org-a and org-b on distinct hosts.
Ref: roadmap/go_to_market/plans/sovereign_federation_gtm.md (ADJ-GTM-2)