Japanese version: Canonical Trajectory Governance
Canonical Trajectory Governance v0.1.1.1
Canonical Trajectory Governance (CTG) is the contract-level governance model for checking whether an execution trajectory remains aligned with canon, policy, and operator intent. This document is the developer-facing companion to the Zenodo-published CTG paper:
- AIKernel Canonical Trajectory Governance (CTG): A Three-Council Gateway for Deterministic AI Personality OS Architecture
- DOI: https://doi.org/10.5281/zenodo.20681895
- Paper package:
../papers/12-canonical-trajectory-governance/README.md
The paper is the fixed theoretical reference. This document maps that theory to the AIKernel.NET contract surface and does not define canon rule bodies.
AIKernel.NET only publishes the contract vocabulary for CTG. Runtime hosts and provider packages can implement the contracts, but the contract packages remain limited to interfaces, DTOs, and enums.
1. Scope
CTG covers three questions:
- Can a proposed step be accepted by the governance councils?
- Can a finite gate decision be derived deterministically from those council votes?
- Can a whole trajectory be accepted when all step-level gates are replayed?
The published contract surface is intentionally narrow:
- interfaces live in
AIKernel.Abstractions.Governance - records live in
AIKernel.Dtos.Governance - enums live in
AIKernel.Enums.Governance - canon text and rule execution are outside AIKernel.NET
- runtime implementations are outside AIKernel.NET
2. Triadic Council Model
CTG keeps the council vocabulary as the triad:
LogosEthosPathos
These values are represented by CouncilKind. The triad is the stable governance vocabulary. It must not be replaced with operational categories such as audit, policy, safety, or execution in this contract surface. If those categories are needed later, they should be introduced as a separate enum rather than changing CouncilKind.
Each council emits a CouncilVote carrier and can preserve:
- the
CouncilVoteValue - a reason message
- one or more
CanonReferencevalues - optional
Confidence - optional
RiskScore
Confidence and RiskScore are observational carriers. They exist to preserve trace evidence and must not become weights in the gate decision.
The C# enum numeric values are serialization discriminants, not the paper's mathematical vote weights. Runtime implementations map CouncilVoteValue values onto the paper's finite vote table: approve is positive, abstain is neutral, and reject is negative.
Veto is not a fourth vote value. Hard denial conditions are carried as rejection evidence, gate denial, and where applicable RejectReasonKind.EthosVeto.
3. Step Gate
The conceptual step gate is gate(l,e,p), where:
lis the Logos council decisioneis the Ethos council decisionpis the Pathos council decision
The contract model is deterministic and fail-closed:
- Missing or unknown inputs are treated as rejection evidence.
- An Ethos rejection closes the step gate.
- If Ethos does not reject, the step can be accepted only when the
- Zero, negative, missing, unknown, or insufficient evidence rejects the step.
mapped aggregate council vote is strictly positive.
The exact runtime algorithm belongs outside AIKernel.NET. The contract package only provides the carriers required to make the decision replayable:
DecisionGateRequestGateInputDecisionGateResultRejectReasonInfoStepGovernanceTrace
DecisionGateRequest carries a single vote-only GateInput. It must not carry per-council L / E / P gate envelopes or a CouncilDecision payload; those belong to council evaluation and trace carriers.
The gate decision vocabulary is discrete-only: GateDecisionKind.Allow or GateDecisionKind.Deny, with Unknown reserved as a fail-closed sentinel.
4. Trajectory Gate
The trajectory gate evaluates a sequence of step governance traces. A trajectory is accepted only when every step is accepted and no step contains missing, unknown, or denial governance evidence.
The contract carriers are:
TrajectoryGateRequestTrajectoryGateInputTrajectoryGateResultGovernanceTrace
The result must preserve the rejected step index and rejection reasons when the trajectory is denied. This keeps replay deterministic and allows diagnostics to explain which step closed the gate.
The trajectory decision vocabulary is discrete-only: TrajectoryGateDecisionKind.Continue or TrajectoryGateDecisionKind.Halt, with Unknown reserved as a fail-closed sentinel.
This corresponds to the paper's product semantics: a trajectory remains valid only when every step-level gate admits execution. A single denial short-circuits the trajectory.
5. Canon References
CanonReference is a DTO carrier. CTG contracts use IReadOnlyList<CanonReference> instead of a single reference because a single decision can depend on multiple canon anchors.
The normalized DTO shape is:
public sealed record CanonReference\n{\n public string CanonId { get; init; } = string.Empty;\n public string Path { get; init; } = string.Empty;\n public string Section { get; init; } = string.Empty;\n public string? Anchor { get; init; }\n public string? ContentHash { get; init; }\n}
AIKernel.NET does not author canon rule text. Runtime hosts can resolve CanonReference values against a ROM, VFS, package resource, or other trusted source. If canon resolution fails, the governance result should fail closed.
The Monolith minimal CTG-ROM is the baseline canon for the AIKernel personality OS. Its effective canon path is resolved through the locale ROM descriptor:
rom/governance/ctg.monolith.canon.md
The repository separates the base canon layer from localized personality ROM descriptors:
rom/governance/contains canon, council, gate, and reject-policy assets.rom/locales/<locale>/contains localized personality ROM descriptors.- runtime VFS implementations merge the base canon layer, the selected locale
descriptor, and optional developer diff layers into a mounted Personality-ROM.
Developer diff layers personalize the Monolith base without editing the base canon directly. They must preserve the triadic council model, Ethos veto, fail-closed behavior, default deny, and replayable trace requirements.
The paper describes CTG-ROM as a portable persona contract containing canon, root goals, prohibitions, council criteria, and trace requirements. AIKernel.NET documents the Monolith base-layer layout while keeping runtime VFS merge logic outside the contract packages.
6. Deterministic Replay
CTG is replay-oriented. Every governance decision should be reconstructable from its carriers without hidden state:
- council inputs and outputs are carried by evaluation DTOs
- gate inputs and outputs are carried by decision DTOs
- step traces capture council and gate evidence together
- trajectory traces aggregate the ordered step trace chain
Replay consumers should treat unknown enum values as fail-closed and record raw values in diagnostics or metadata according to the enum handling policy.
7. Relationship to Existing Governance
CTG complements existing PDP, policy, signed prompt, HATL, PPM, and replay vocabulary. It does not replace them.
- PDP decides whether an operation is allowed in a policy context.
- Signed prompt governance verifies trusted prompt artifacts.
- HATL/HBS contracts preserve signed history and audit evidence.
- PPM remains a mathematical research line for state-space, interference, and
- CTG evaluates whether a step or trajectory remains canonically admissible.
memory-protection analysis; it is not the CTG execution gate.
These surfaces are additive. Existing v0.1.1 public interfaces remain stable.
The important separation is: CTG governs decision admissibility, HATL protects state and replay integrity, and PPM may inform future state or memory protection research.
8. Related Documents
- Domain Contract Surface v0.1.1.1
- Paper 12: Canonical Trajectory Governance
- CTG Contract Model
- CTG Developer Guide
- CTG ROM Layout
- Enum Handling Policy
- XML Documentation Policy
architecture/20.CANONICAL_TRAJECTORY_GOVERNANCE-v0.1.1.1.md