Runtime Surface Map
For current project truth, defer to `docs/STATE.md` and `docs/PHASE_PROGRESS.md`. This map is a routing guide for the surfaces a member or app actually touches today.
This document points at the gateway endpoints, primitives, and proof artifacts that exist as real runtime surfaces in the current main. It is not exhaustive — a full API reference lives in `docs/reference/api/API_REFERENCE.md` — and it does not over-document implementation details. It is a fast routing layer.
For a mechanical inventory of every gateway route declaration (Actix attribute macros) versus OpenAPI coverage, see the generated `generated/route-inventory.md` (regenerate/check with
docs/scripts/route_inventory.py; issue #2112). It proves declarations exist in source — not correctness, auth, tests, or production readiness.
The gateway
The icn-gateway crate exposes the REST + WebSocket surface used by member-facing apps and SDKs.
- Crate:
icn/crates/icn-gateway/ - HTTP module:
icn/apps/governance/src/http/(governance app handlers), plus equivalent paths in other apps. - Default port:
8080(seeicn-core/src/config/gateway.rs). Never 8000. - API contract: OpenAPI generated by
icnctl api export-openapi; TypeScript types regenerated viacd sdk/typescript && npm run generate-types.
Member-facing read models
These are the canonical answers to "who am I, what can I do, what needs my attention?". The surfaces below exist; some have richer specs in docs/architecture/.
| Surface | Method + path | What it does | Canonical doc |
|---|---|---|---|
| Member standing | GET /v1/gov/me/standing |
Caller identity, memberships, roles, capabilities, currently selected scope, plain-language hooks. | `docs/architecture/MEMBER_STANDING.md` |
| Action cards | GET /v1/gov/me/action-cards |
Closed source/action enums; the things waiting on the caller, with proof linkage to the receipt that closes the loop. | STATE.md (action-card runtime section) |
Discovery commands:
grep -RIn "me/action-cards\|me/standing\|completion-receipt" icn/apps icn/crates docs | head -100
grep -RIn "route\|service\|configure" icn/apps/governance/src/http icn/crates/icn-gateway/src | head -100
Action-card source paths and proof loops
The action-card runtime emits closed source/action pairs. Currently emitted source paths are proof-bearing — completing the action produces an append-only receipt that can be retrieved over HTTP.
| Source path | Receipt type | Status |
|---|---|---|
proposal / vote |
GovernanceDecisionReceipt |
✅ proof loop verified end-to-end |
action_item / complete |
ActionItemCompletionReceipt |
✅ proof loop verified end-to-end |
meeting / attend |
MeetingAttendanceReceipt |
✅ proof loop verified end-to-end (Present and Remote are receipt-bearing; Absent is not) |
signal_rule |
(RFC-gated) | ⏳ pending #1631, tracked under #1646 |
obligation_lifecycle |
(RFC-gated) | ⏳ pending #1634, tracked under #1646 |
Receipt and provenance retrieval
| Surface | Method + path | Notes |
|---|---|---|
| Action-item completion-receipt retrieval | GET /v1/gov/domains/{domain_id}/action-items/{item_id}/completion-receipt |
Closes the proof loop on the read side. governance:read scope + domain membership; receipt's bound domain_id is asserted to match the path parameter so cross-domain probes are rejected. |
| Local HTTP proof loop runbook | (local script) | Closure recorded under PR #1676; proof-path runbook lives in the partner NYCN repo. |
| K3s smoke proof loop runbook | (operator-authorized) | Closure recorded under PR #1677 against deployed image 91a63eec; proof-path runbook lives in the partner NYCN repo. |
Governance primitives (data surface)
The governance domain is the deepest implemented today. Primitives live in icn-governance (kernel-side type model) and apps/governance (runtime, HTTP, persistence).
| Primitive | Notes |
|---|---|
| Governance domains | Persisted across gateway restart in standalone mode. Bootstrap creates them via a generic institution bootstrap package path. |
| Structures | Non-sovereign, parent-entity-owned bodies (committees, working groups, etc.). |
| Activities | Time-bounded, parent-entity-owned (events, summits, initiatives). |
| Programs / milestones | Wraps recurring Activity cycles; tranche framing. |
| Meetings | Schedule, agenda, attendance, minutes. Dual-key sled scheme prevents domain-id leak. |
| Action items | Decision-to-action bridge from accepted proposals; status update via PUT. |
| Proposals + votes | Consent-based decision mode plus thresholded modes. |
| Charter activation | Live charter activation endpoint; person-directory overlay binds DIDs to package-side person ids. |
| Notification digest | Pending votes, overdue items, upcoming meetings. |
Identity, trust, ledger surfaces
| Subsystem | Role | Canonical doc |
|---|---|---|
| Identity | DIDs (did:icn:<base58-pubkey>), Ed25519 keypairs, Age-encrypted keystore, DID-TLS binding. |
icn/crates/icn-identity/, `docs/architecture/IDENTITY_MEMBERSHIP_ARCHITECTURE.md` |
| Trust graph | TrustPolicyOracle translates trust scores into ConstraintSet (the meaning firewall in action). |
`docs/architecture/KERNEL_APP_SEPARATION.md` |
| Ledger | Double-entry mutual credit / state-change journal (Merkle-DAG). | icn/crates/icn-ledger/, `docs/design/economics/ECONOMIC_ARCHITECTURE.md` |
| Settlement | Settlement engine in apps/ledger. Vocabulary note: ICN uses "settlement," not "payment." |
`docs/design/economics/` |
| Compute | Trust-gated distributed task execution. | icn/crates/icn-compute/, `docs/design/compute-substrate-design.md` |
Generated SDK surfaces
| Surface | Where | Generated from |
|---|---|---|
| OpenAPI spec | docs/api/openapi.generated.yaml |
icnctl api export-openapi (run from icn/) |
| TypeScript types | sdk/typescript/src/generated/api-types.ts |
cd sdk/typescript && npm run generate-types |
When the gateway API changes, both must be regenerated and committed. The CI "Check API Types Drift" job catches drift; the canonical regen recipe lives in `CLAUDE.md` under "CI Failure Index → Drift fix recipe".
Vocabulary
ICN's runtime surfaces use:
- identity, position, obligation, allocation, settlement, unit — preferred.
- payment, currency, wallet, balance — avoided. A
unitis not a currency. Apositionis not a balance. Asettlementis not a payment. The Regulatory Compliance Linter enforces this.
Reviewing public/API claims against generated evidence
Before a public, demo, or docs surface claims anything about ICN's API/route surface, check it against the mechanical evidence, not prose. This supports the public-surface truth-sync work in #1779 and the route/API inventory lane #2112.
- `generated/route-inventory.md` — gateway route-macro declarations, unparsed gateway candidates, governance-app route-registration candidates, and OpenAPI matched/unmatched (regenerate/check with
docs/scripts/route_inventory.py). - `generated/icnctl-command-inventory.md` —
icnctlCLI command declarations from the clap tree, grouped by a curated role heuristic, uniformunknown / needs local verificationstatus andL1proof (regenerate/check withdocs/scripts/icnctl_command_inventory.py; issue #2113). Declarations exist in source — not correctness, auth, live wiring, or organizer/production readiness. - `docs/api/openapi.generated.yaml` — the documented contract.
What this evidence proves / does not prove: it proves route declarations / registration sites exist in source at a snapshot commit. It does not prove correctness, authn/authz, mounting, test coverage, runtime health, or production readiness. OpenAPI presence does not prove a route is served; a route being served does not prove it is public-safe.
Shape of the surface (see the inventory for live counts): the gateway has hundreds of route-macro declarations, plus a separate governance-app registration surface (served under the gateway's /v1/gov scope, not gateway macros), while the generated OpenAPI documents only a handful of paths. So "the API" is far larger than OpenAPI describes — most of it is undocumented, not absent.
Safe vs unsafe public/API claim patterns — use the existing status vocabulary from `source-of-truth-map.md`, bound by proof level in `proof-level-taxonomy-capability-matrix.md`, and demo limits in `show-readiness-map.md`:
| Claim | Verdict | Why |
|---|---|---|
"Member standing and action cards are declared + OpenAPI-documented member-facing read models, fixture-backed in ?mode=demo" |
safe | GET /v1/gov/me/standing + GET /v1/gov/me/action-cards are governance-registered and OpenAPI-documented, and the demo panes are fixture-backed. Bounded to declared/documented + demo — does not assert a confirmed-live, authenticated runtime endpoint (per "proves / does not prove" above; confirm via `docs/STATE.md` + ops). |
| "The API is documented / complete / fully specified" | unsafe | OpenAPI documents only a handful of the hundreds of declared routes; the rest are unknown / needs local verification, not specified. |
| "Endpoint X is live / in production" | unsafe unless ops-confirmed | a declaration/registration is not a running, served, authenticated route; defer to `docs/STATE.md` + current ops evidence. |
"Governance /v1/gov/* routes are part of the gateway's documented surface" |
partial | they are governance-app registrations surfaced as candidates — not gateway route macros, and only a few reach OpenAPI. |
Rule: keep public claims at or below what the generated evidence plus current canonical state (`docs/STATE.md`, `docs/PHASE_PROGRESS.md`) support. When unsure, say unknown / needs local verification rather than implying coverage.
Where to read deeper
| Topic | Doc |
|---|---|
| API reference | `docs/reference/api/API_REFERENCE.md` |
| Member standing contract | `docs/architecture/MEMBER_STANDING.md` |
| Charter system | `docs/PHASE_PROGRESS.md` §"Phase 1: The Charter Engine" |
| Kernel/app separation | `docs/architecture/KERNEL_APP_SEPARATION.md` |
| Phase model and gates | `docs/PHASE_PROGRESS.md` |