Rendered statically at build time from the committed
gate-openapi.json (OpenAPI 3.1.0);
no runtime JavaScript, no CDN. The live gate also serves the same document
at GET /openapi.json.
Regulated-finance evidence infrastructure.
POST /gate (and the bank-facing alias POST /v1/activations) submits a governance action for a decision and returns a signed receipt plus a self-contained evidence pack. The gate fails closed on unsupported regulated action types, stale or unverifiable source state, and missing required evidence context.
Supported regulated action types and their required structured contexts: regulated_product_activation, regulated_client_entitlement, regulated_platform_change, regulated_monitoring_coverage, and agent_payment. The agent_payment action implements the AP2 v0.2.0 mandate profile (checkout + payment mandate SD-JWTs verified against operator-supplied trust material). This is a statement of implemented behavior, not an endorsement, certification, or compliance approval by any payment network, standards body, or regulator.
FARIGATE is evidence infrastructure: a decision and its evidence pack prove what the gate decided and verified — they do not guarantee that an enforcement action cannot happen elsewhere.
Endpoints
POST /gate — Submit a governance action for a decision.
Auth: bearer FARIGATE API key (fg_live_… tenant-scoped or fg_actor_… actor-bound).
This handler:
1. Validates the request body
2. Enforces actor binding (in strict mode)
3. Handles idempotency and deduplication via the durable intake journal
4. Returns a decision response with a signed receipt
Note: Full receipt signing and sequencing are handled by the evidence plane.
This ingestion-plane handler focuses on admission control, validation, and
durable journaling.
Request journaled; evidence-plane completion pending or a request with the same idempotency key is in flight. Replay with the same idempotency key to retrieve the result.
Settlement bound (or replayed): the signed rail-confirmation binding and the updated evidence pack carrying the additive rail layer. A byte-identical re-settle replays the existing binding.
Fail-closed rejection: not an agent_payment decision, receipt-digest mismatch, amount/currency divergence from the authorized mandate, or malformed rail confirmation.
The public `/v1/activations` request payload.
Domain-agnostic within the supported appliance, but not the canonical
long-term Farigate evidence-event model.
| Field | Type | Description |
| --- | --- | --- |
| `action_digest` (required) | string | SHA-256 hash of the underlying document/artifact being reviewed. Format: "sha256:" (64 hex chars after prefix). This is the cryptographic anchor to the actual content. The client computes this on their side — Farigate never sees the raw document. |
| `action_type` (required) | string | What kind of governance action is being gated. Examples: "document_approval", "model_deploy", "kyc_decision" |

Additional context. Farigate does NOT inspect or store the contents.
WARNING: Do not include PII. This value is hashed into the receipt's
composite request digest.
Structured AP2 mandate context for the `agent_payment` regulated action.
Carries the checkout + payment mandate SD-JWT compact serializations
(AP2 v0.2 per ADR-003) plus the key-binding expectations for delegated
(human-not-present) chains. The mandate signatures are verified by the
gate against the agent-mandate trust directory; intake only enforces
structural bounds and the action-digest binding.
| Field | Type | Description |
| --- | --- | --- |
| `checkout_mandate` (required) | string | Checkout Mandate token (single SD-JWT or `~~`-joined chain). |
| `checkout_nonce` | string \| null | Expected `nonce` on checkout-chain KB hops. |
| `expected_aud` | string \| null | Expected `aud` on KB hops (enforced on every hop when set). |
| `payment_mandate` (required) | string | Payment Mandate token (single SD-JWT or `~~`-joined chain). |
| `payment_nonce` | string \| null | Expected `nonce` on payment-chain KB hops. |

ArtifactClass
Artifact class identifies the semantic role of an artifact in the evidence system.
This allows operators to distinguish between decision receipts, governance bundles,
and combined evidence packages.
The additive, separately-verifiable rail-confirmation binding carried at the
top level of an evidence pack. The decision-pack [`EvidencePackBinding`] and
manifest are NOT modified by settlement.
The current appliance `/gate` request payload.
Domain-agnostic within the supported appliance, but not the canonical
long-term Farigate evidence-event model.
| Field | Type | Description |
| --- | --- | --- |
| `action_digest` (required) | string | SHA-256 hash of the underlying document/artifact being reviewed. Format: "sha256:" (64 hex chars after prefix). This is the cryptographic anchor to the actual content. The client computes this on their side — Farigate never sees the raw document. |
| `action_type` (required) | string | What kind of governance action is being gated. Examples: "document_approval", "model_deploy", "kyc_decision" |

Additional context. Farigate does NOT inspect or store the contents.
WARNING: Do not include PII. This value is hashed into the receipt's
composite request digest.
A separately-signed rail-confirmation layer proving the payment SETTLED on
the rail as authorized.
This is the additive settlement layer that links to a decision receipt by
`receipt_digest`. It is NOT part of the decision-time pack binding (which is
sealed at decision time); it rides as its own artifact plus its own signed
binding statement ([`RailConfirmationBindingStatement`]).
AP2 mapping (`core/crates/farigate-mandate/spec/schemas/payment_receipt.json`):
- [`RailConfirmation::status`] ~ AP2 `status` (`Success`→`approved`,
`Error`→`error`; `declined` is a network decline distinct from a
processing error).
- [`RailConfirmation::network_transaction_id`] ~ AP2 `network_confirmation_id`
(the network's transaction confirmation id, i.e. the Visa ARN /
`transactionIdentifier`, carried as a string).
- [`RailConfirmation::approval_code`] ~ the issuer approval/auth code.
- [`RailConfirmation::receipt_digest`] ~ AP2 `reference` in spirit: it binds
this rail confirmation to the closed decision it settles.
| Field | Type | Description |
| --- | --- | --- |
| `action_code` (required) | string | Rail/network response action code (e.g. ISO `"00"` for approved). |
| `amount_minor_units` (required) | integer (int64) | Settled amount in minor units; cross-checked against the decision's mandate-derived amount by the gate and the offline verifier. |
| `approval_code` | string \| null | Issuer approval/authorization code, when present. |
| `currency` (required) | string | Settled currency; cross-checked against the decision's mandate-derived currency. |
| `format` (required) | string | Always [`RAIL_CONFIRMATION_FORMAT`]. |
| `network_transaction_id` (required) | string | Network transaction id (Visa ARN / `transactionIdentifier`) as a string. Maps to AP2 `network_confirmation_id`. |
| `rail` (required) | string | Rail identifier, e.g. `"visa_direct"`. |
| `receipt_digest` (required) | string | SHA-256 hex digest of the decision receipt this settlement closes. Links the rail confirmation to exactly one decision. |
| `settled_at_unix` (required) | integer (int64) | Unix seconds at which the rail reported settlement. |

Signature envelope over a [`RailConfirmationBindingStatement`].
| Field | Type | Description |
| --- | --- | --- |
| `algorithm` (required) | string | |
| `signature_b64` (required) | string | |
| `signer_kid` (required) | string | |

RailConfirmationBindingStatement
The signed binding statement over a [`RailConfirmation`].
Mirrors [`EvidencePackBindingStatement`] in spirit: a small canonical
statement that the receipt signer signs, committing to the rail
confirmation bytes and the decision it settles. Deliberately minimal so the
settlement binding cannot be confused with the decision-pack binding.
| Field | Type | Description |
| --- | --- | --- |
| `format` (required) | string | Always [`RAIL_CONFIRMATION_BINDING_FORMAT`]. |
| `rail_confirmation_sha256` (required) | string | `sha256:` digest of the canonical [`RailConfirmation`] JSON bytes. |
| `receipt_digest` (required) | string | Decision receipt digest this settlement closes (must equal the rail confirmation's `receipt_digest`). |
| `settled_at_unix` (required) | integer (int64) | Unix seconds at which the rail reported settlement. |
| `signer_kid` (required) | string | Hex kid of the receipt signer that produced this binding. |

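
The consistency checks described above for a rail confirmation and its binding statement (digest binding, `receipt_digest` equality, amount/currency cross-check), as an added Python example that is not FARIGATE's own verifier code. The canonical-JSON rule, the sample values and the `format` placeholders are assumptions; verification of the signature envelope is not covered because the page does not state the algorithm.

```python
import hashlib
import json

# Field names are the RailConfirmation "required" fields listed on this page.
REQUIRED = ("action_code", "amount_minor_units", "currency", "format",
            "network_transaction_id", "rail", "receipt_digest", "settled_at_unix")

def canonical_json(obj) -> bytes:
    # ASSUMPTION: sorted keys, compact separators, UTF-8. The page does not
    # define the canonical form; use the operator's documented one in practice.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sha256_prefixed(data: bytes) -> str:
    # Same "sha256:" + 64 hex shape the page gives for action_digest.
    return "sha256:" + hashlib.sha256(data).hexdigest()

def check_settlement(conf, stmt, decision_digest, mandate_amount, mandate_currency):
    """Return rejection reasons; any non-empty result means fail closed."""
    missing = [f for f in REQUIRED if f not in conf]
    if missing:
        return ["malformed rail confirmation: missing " + ", ".join(missing)]
    reasons = []
    if conf["receipt_digest"] != decision_digest:
        reasons.append("receipt_digest does not match the decision receipt")
    if stmt.get("receipt_digest") != conf["receipt_digest"]:
        reasons.append("binding statement receipt_digest differs from confirmation")
    if stmt.get("rail_confirmation_sha256") != sha256_prefixed(canonical_json(conf)):
        reasons.append("rail_confirmation_sha256 mismatch")
    if (conf["amount_minor_units"], conf["currency"]) != (mandate_amount, mandate_currency):
        reasons.append("amount/currency diverges from mandate")
    return reasons

# Constructed sample data (not real receipts, ids, or format constants).
RECEIPT_DIGEST = hashlib.sha256(b"constructed decision receipt").hexdigest()
CONFIRMATION = {
    "action_code": "00", "amount_minor_units": 12500, "approval_code": None,
    "currency": "USD", "format": "PLACEHOLDER_RAIL_CONFIRMATION_FORMAT",
    "network_transaction_id": "000000000000000", "rail": "visa_direct",
    "receipt_digest": RECEIPT_DIGEST, "settled_at_unix": 1700000000,
}
STATEMENT = {
    "format": "PLACEHOLDER_RAIL_CONFIRMATION_BINDING_FORMAT",
    "rail_confirmation_sha256": sha256_prefixed(canonical_json(CONFIRMATION)),
    "receipt_digest": RECEIPT_DIGEST, "settled_at_unix": 1700000000,
    "signer_kid": "00" * 8,
}

if __name__ == "__main__":
    print(check_settlement(CONFIRMATION, STATEMENT, RECEIPT_DIGEST, 12500, "USD"))
```
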
RailConfirmationStatus
Settlement status reported by the payment rail.
Mirrors the AP2 `payment_receipt.json` `status` enum
(`Success`/`Error`) plus an explicit `declined` state for a network-level
decline that is not an internal error.