LABR-072 · DAY 97 · 2026-05-11

TrendalTrial Court Architecture

Full CRD Spec · ADMIT/DENY/WATCH Trinary · 8 Trial Phases · SOSTLE-Aware Severity

γ₁ = 14.134725141734693 · mefine-static · pemos.ca

§1 — TrendalTrial CRD Specification
FULL CRD SPEC — apiVersion: pemos.io/v1alpha1 / kind: TrendalTrial
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: trendaltrials.pemos.io
spec:
  group: pemos.io
  scope: Namespaced
  names:
    plural: trendaltrials
    singular: trendaltrial
    kind: TrendalTrial
    shortNames: ["tt"]
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              required: [subject, trialClass, gates]
              properties:
                subject:
                  type: object
                  properties:
                    kind:        { type: string }   # Pod, Deployment, Image
                    name:        { type: string }
                    namespace:   { type: string }
                    imageRef:    { type: string }
                    gitSHA:      { type: string }
                trialClass:
                  type: string
                  enum: [ADMISSION, RUNTIME, INCIDENT, COMPLIANCE]
                gates:
                  type: object
                  properties:
                    conftest:    { type: boolean, default: true }
                    trivy:       { type: boolean, default: true }
                    kyverno:     { type: boolean, default: true }
                    gatekeeper:  { type: boolean, default: true }
                    falco:       { type: boolean, default: true }
                laamMode:
                  type: string
                  enum: [INGEST, VALIDATE, BOTH]
                  default: BOTH
                gamma1:
                  type: number
                  default: 14.134725141734693
            status:
              type: object
              properties:
                phase:
                  type: string
                  enum: [Pending, Gathering, Gating, Witnessing,
                         Scoring, Reviewing, Deciding, Complete]
                verdict:
                  type: string
                  enum: [ADMIT, DENY, WATCH]
                score:         { type: number }
                gateResults:
                  type: object
                  additionalProperties:
                    type: object
                    properties:
                      passed:  { type: boolean }
                      weight:  { type: number }
                      detail:  { type: string }
                falcoEvents:
                  type: array
                  items: { type: string }
                sostleLevel:   { type: integer }
                rekorUUID:     { type: string }
                immudbTxID:    { type: integer }
                certificateRef: { type: string }
                gamma1Stamp:   { type: number }
                completedAt:   { type: string, format: date-time }
§2 — ADMIT / DENY / WATCH Trinary Verdict
ADMIT
Score ≥ 0.75. All required gates passed. No CRITICAL Falco events. Subject is cleared for deployment or continued operation. TrendalCertificate issued.
DENY
Score < 0.40 OR Gatekeeper/Falco hard block. Subject is rejected. Admission webhook returns 403. Existing runtime is quarantined. Incident filed in immudb.
WATCH
Score 0.40–0.74. Admitted with monitoring intensified. Falco rules tightened. Prometheus alert thresholds lowered. Re-trial scheduled at next deployment cycle.
§3 — 8 Trial Phases
Pending
TrendalTrial CR created. Controller picks up. Subject metadata resolved. Git SHA + image digest captured.
Gathering
LAAM-ingest mode: collect TC-0 through TC-3 evidence. Manifests pulled, logs indexed, existing Prometheus metrics snapshotted.
Gating
conftest runs policy suite. Trivy scans image for CVEs. Kyverno evaluates cluster policies. Gatekeeper dry-run admission check executed.
Witnessing
Falco kernel witness engaged. eBPF probes active. Runtime syscall profile captured for TC-4 (RuntimeWitness) evidence class.
Scoring
LAAM-validate mode: PEMLAAM scores all evidence. Gate weights applied. Falco severity modifiers computed. Composite score produced.
Reviewing
SOSTLE level assessed from severity profile. Score and SOSTLE level presented to verdict logic. Edge cases escalated to CLO bench.
Deciding
Trinary verdict computed: ADMIT / DENY / WATCH. Verdict recorded in status. Admission webhook action triggered if ADMISSION class trial.
Complete
γ₁ stamp applied. Rekor transparency log entry created. immudb WORM record written. TrendalCertificate CR created and linked. Trial closed.
§4 — Gate Weights
PEMLAAM GATE WEIGHT DOCTRINE
GATE                    WEIGHT
conftest (CI policy)    0.15
trivy (CVE scan)        0.15
kyverno (policy)        0.15
gatekeeper (admission)  0.20
falco (kernel witness)  0.35

Falco carries 35% of total score weight. A kernel witness outranks all static analysis gates combined. CRITICAL Falco events trigger automatic DENY regardless of other scores.

§5 — LAAM Ingest vs LAAM Validate Split
LAAM-Ingest Mode

Evidence Intake

First-pass collection: fetch manifests, pull logs, snapshot Prometheus state. No scoring. No judgment. Pure evidence gathering. Runs during phases 1-3. Designed to be non-blocking — the cluster is not yet affected.

phases 1-3 · non-blocking · read-only
LAAM-Validate Mode

Evidence Scoring

Second-pass scoring: all collected evidence fed into PEMLAAM graph. Gate weights applied. Falco severity modifiers computed. Composite score derived. Verdict logic runs. Runs during phases 5-7. May block admission.

phases 5-7 · scoring active · may block
§6 — SOSTLE-Aware Severity Table
SOSTLE LEVEL  NAME      FALCO THRESHOLD          SCORE MODIFIER  DEFAULT VERDICT
L0            Clear     INFO only                +0.10           ADMIT
L1            Nominal   WARNING acceptable       ±0.00           ADMIT
L2            Elevated  ERROR triggers review    -0.10           WATCH
L3            Incident  CRITICAL triggers DENY   -0.25           WATCH/DENY
L4            Crisis    Any Falco event = DENY   -0.40           DENY
L5            Gated     CLO bench required       manual          CLO review
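The §2 thresholds, the §4 gate weights and the §6 modifiers combine into a single scoring-and-verdict function. The Go below is an added example written for this page, not controller code from pemos or PEMLAAM. The `Evidence` and `Decision` types, the decision to leave weights unrenormalised when a gate is disabled, rounding the composite score to four decimals, and holding an L5 trial at WATCH until the CLO bench rules are all assumptions of the example; the weights, modifiers, thresholds and hard-block rules are the page's.

```go
package main

import (
	"math"
	"strings"
)

// Verdict is the §2 trinary outcome.
type Verdict string

const Admit, Deny, Watch Verdict = "ADMIT", "DENY", "WATCH"

// GateWeights are the PEMLAAM gate weights of §4.
var GateWeights = map[string]float64{
	"conftest": 0.15, "trivy": 0.15, "kyverno": 0.15, "gatekeeper": 0.20, "falco": 0.35,
}

// sostleModifier holds the §6 score modifiers for L0..L4. L5 (Gated) has no
// numeric modifier; the trial goes to the CLO bench instead.
var sostleModifier = [5]float64{+0.10, 0.00, -0.10, -0.25, -0.40}

// Evidence is a constructed stand-in for status.gateResults, status.falcoEvents
// and the assessed SOSTLE level (the Go field names are this example's own).
type Evidence struct {
	GateResults map[string]bool // enabled gate -> passed; disabled gates are absent
	FalcoEvents []string        // one Falco priority per event, e.g. "WARNING", "CRITICAL"
	SostleLevel int
}

type Decision struct {
	Verdict  Verdict
	Score    float64
	NeedsCLO bool // SOSTLE L5: the verdict is provisional until the CLO bench rules
	Reason   string
}

// CompositeScore adds the weight of every enabled gate that passed, applies the
// SOSTLE modifier and clamps to [0,1]. Weights are not renormalised when a gate is
// disabled (assumption): without the 0.35 kernel witness the ceiling is 0.65, so
// such a subject can never reach ADMIT. Rounding to four places keeps the §2
// thresholds from hinging on float summation order.
func CompositeScore(ev Evidence) float64 {
	score := 0.0
	for gate, passed := range ev.GateResults {
		if passed {
			score += GateWeights[gate]
		}
	}
	if ev.SostleLevel >= 0 && ev.SostleLevel < len(sostleModifier) {
		score += sostleModifier[ev.SostleLevel]
	}
	score = math.Max(0, math.Min(1, score))
	return math.Round(score*10000) / 10000
}

func hasCritical(events []string) bool {
	for _, e := range events {
		if strings.EqualFold(e, "CRITICAL") {
			return true
		}
	}
	return false
}

func allPassed(results map[string]bool) bool {
	for _, ok := range results {
		if !ok {
			return false
		}
	}
	return true
}

// enabledAndFailed is true only for a gate that was switched on and did not pass.
func enabledAndFailed(results map[string]bool, gate string) bool {
	passed, enabled := results[gate]
	return enabled && !passed
}

// Decide applies §2 together with the §4 and §6 hard-block rules. Every automatic
// DENY is checked before the score reaches the thresholds, so a high score can
// never outvote a CRITICAL kernel witness.
func Decide(ev Evidence) Decision {
	score := CompositeScore(ev)
	switch {
	case ev.SostleLevel >= 5:
		return Decision{Watch, score, true, "SOSTLE L5 Gated: manual CLO review required"}
	case ev.SostleLevel == 4 && len(ev.FalcoEvents) > 0:
		return Decision{Deny, score, false, "SOSTLE L4 Crisis: any Falco event denies"}
	case hasCritical(ev.FalcoEvents):
		return Decision{Deny, score, false, "CRITICAL Falco event: automatic DENY"}
	case enabledAndFailed(ev.GateResults, "gatekeeper") || enabledAndFailed(ev.GateResults, "falco"):
		return Decision{Deny, score, false, "Gatekeeper/Falco hard block"}
	case score < 0.40:
		return Decision{Deny, score, false, "score below 0.40"}
	case score >= 0.75 && allPassed(ev.GateResults):
		return Decision{Admit, score, false, "score at or above 0.75 with all gates passed"}
	default:
		return Decision{Watch, score, false, "score 0.40-0.74 or a gate failed: admitted under intensified monitoring"}
	}
}
```

Two cases are worth tracing by hand. A subject with every gate passing but a single CRITICAL Falco event at L3 scores 0.75 and would clear the ADMIT threshold on numbers alone; the kernel witness still denies it. A subject with conftest failing, the rest passing and an L2 profile also scores exactly 0.75, but the "all required gates passed" clause of §2 holds it at WATCH, which is the intended reading of a gate that is weighted low but still required.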
§7 — TrendalCertificate Output Schema
TRENDAL CERTIFICATE CRD — OUTPUT OF COMPLETED TRIAL
apiVersion: pemos.io/v1alpha1
kind: TrendalCertificate
metadata:
  name: cert-{trialName}-{epoch}
  namespace: pemos-system
spec:
  trialRef:     {trialName}
  subject:
    kind:       Pod | Deployment | Image
    name:       {name}
    namespace:  {namespace}
    imageRef:   {registry}/{image}@sha256:{digest}
    gitSHA:     {commit}
  verdict:      ADMIT | DENY | WATCH
  score:        0.00-1.00
  sostleLevel:  0-5
  gateResults:
    conftest:   { passed: bool, weight: 0.15, detail: str }
    trivy:      { passed: bool, weight: 0.15, detail: str }
    kyverno:    { passed: bool, weight: 0.15, detail: str }
    gatekeeper: { passed: bool, weight: 0.20, detail: str }
    falco:      { passed: bool, weight: 0.35, detail: str }
  rekorUUID:    {rekor-transparency-log-uuid}
  immudbTxID:   {integer}
  gamma1Stamp:  14.134725141734693
  issuedAt:     {RFC3339}
  expiresAt:    {RFC3339}   # 90 days default
  certHash:     sha256:{hash-of-full-cert}
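The schema ends with `certHash: sha256:{hash-of-full-cert}`, which only means something if issuer and consumer hash the same bytes. The Go below is an added example, not pemos code: it canonicalises the §7 spec with `certHash` cleared, seals a certificate (filling the 90-day `expiresAt` default), and verifies one against both the hash and its validity window. The `CertSpec` type, the JSON-based canonical form and the sample certificate's values are assumptions of the example; the field names follow the page, with the level key spelled `sostleLevel`.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

type GateResult struct {
	Passed bool    `json:"passed"`
	Weight float64 `json:"weight"`
	Detail string  `json:"detail"`
}

// CertSpec mirrors the §7 spec block. JSON keys follow the page; the Go type
// itself is this example's assumption.
type CertSpec struct {
	TrialRef    string                `json:"trialRef"`
	Subject     map[string]string     `json:"subject"`
	Verdict     string                `json:"verdict"`
	Score       float64               `json:"score"`
	SostleLevel int                   `json:"sostleLevel"`
	GateResults map[string]GateResult `json:"gateResults"`
	RekorUUID   string                `json:"rekorUUID"`
	ImmudbTxID  int64                 `json:"immudbTxID"`
	Gamma1Stamp float64               `json:"gamma1Stamp"`
	IssuedAt    string                `json:"issuedAt"`
	ExpiresAt   string                `json:"expiresAt"`
	CertHash    string                `json:"certHash,omitempty"`
}

// canonical is what gets hashed: the certificate with certHash cleared.
// encoding/json writes struct fields in declaration order and sorts map keys,
// so equal content always produces equal bytes.
func canonical(c CertSpec) ([]byte, error) {
	c.CertHash = ""
	return json.Marshal(c)
}

// ComputeCertHash returns "sha256:<hex>" over the canonical form.
func ComputeCertHash(c CertSpec) (string, error) {
	b, err := canonical(c)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:]), nil
}

// Seal fills expiresAt (issuedAt + 90 days when empty, the §7 default) and then certHash.
func Seal(c CertSpec) (CertSpec, error) {
	issued, err := time.Parse(time.RFC3339, c.IssuedAt)
	if err != nil {
		return c, fmt.Errorf("issuedAt: %w", err)
	}
	if c.ExpiresAt == "" {
		c.ExpiresAt = issued.Add(90 * 24 * time.Hour).UTC().Format(time.RFC3339)
	}
	c.CertHash, err = ComputeCertHash(c)
	return c, err
}

// Verify recomputes certHash and checks validity at now; the error says why.
func Verify(c CertSpec, now time.Time) (bool, error) {
	want, err := ComputeCertHash(c)
	if err != nil {
		return false, err
	}
	if c.CertHash == "" || c.CertHash != want {
		return false, errors.New("certHash mismatch: certificate altered after issue")
	}
	exp, err := time.Parse(time.RFC3339, c.ExpiresAt)
	if err != nil {
		return false, fmt.Errorf("expiresAt: %w", err)
	}
	if !now.Before(exp) {
		return false, errors.New("certificate expired")
	}
	return true, nil
}

// SampleCert is a constructed certificate; digest, UUID and git SHA are placeholders.
func SampleCert() CertSpec {
	return CertSpec{
		TrialRef: "tt-payments-api-0097",
		Subject: map[string]string{"kind": "Deployment", "name": "payments-api", "namespace": "prod",
			"imageRef": "registry.example/payments@sha256:PLACEHOLDER-DIGEST", "gitSHA": "PLACEHOLDER-SHA"},
		Verdict: "ADMIT", Score: 0.91, SostleLevel: 1,
		GateResults: map[string]GateResult{
			"conftest": {true, 0.15, "12 policies passed"}, "trivy": {true, 0.15, "0 CRITICAL CVEs"},
			"kyverno": {true, 0.15, "ok"}, "gatekeeper": {true, 0.20, "ok"}, "falco": {true, 0.35, "no events"},
		},
		RekorUUID: "PLACEHOLDER-REKOR-UUID", ImmudbTxID: 1, Gamma1Stamp: 14.134725141734693,
		IssuedAt: "2026-05-11T00:00:00Z",
	}
}
```

A hash detects alteration but does not prove who issued the certificate; anyone who can edit the CR can recompute it. Authenticity comes from anchoring the hash where the controller cannot rewrite it, which is the role the page assigns to the Rekor entry and the immudb WORM record, so a consumer that distrusts the cluster should check `certHash` against the transparency log entry rather than against the CR alone.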
§8 — Controller 10-Step Loop
  1. Watch — Controller observes TrendalTrial CRs via informer. New CR triggers reconcile loop.
  2. Resolve — Fetch subject resource. Capture image digest, git SHA, namespace context. Record in status.
  3. Gather — LAAM-ingest: pull manifests, fetch Vector/Loki logs, snapshot Prometheus metrics. Phase = Gathering.
  4. Gate — Run conftest, Trivy, Kyverno dry-run, Gatekeeper dry-run in parallel goroutines. Phase = Gating.
  5. Witness — Activate Falco eBPF probe for subject process tree. Collect syscall events for witness window (default 60s). Phase = Witnessing.
  6. Score — LAAM-validate: feed all evidence into PEMLAAM. Apply gate weights. Apply SOSTLE modifier. Phase = Scoring.
  7. Review — Assess SOSTLE level. Check for CLO escalation triggers. Log review outcome. Phase = Reviewing.
  8. Decide — Compute trinary verdict. If DENY and ADMISSION class: call admission webhook reject. Phase = Deciding.
  9. Notarize — Write WORM record to immudb. Submit Rekor transparency log entry. Capture UUIDs. Phase = Complete.
  10. Certify — Issue TrendalCertificate CR. Apply γ₁ stamp. Emit Prometheus metric for trial outcome. Update status.certificateRef.
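Step 8 is where the trial touches the cluster: for an ADMISSION-class trial the verdict becomes an admission webhook reply. The Go below is an added example, not the pemos controller, showing the mapping of §2 onto an `admission.k8s.io/v1` AdmissionReview: DENY is `allowed: false` with `status.code: 403` (the 403 the page mentions travels inside the review response; the webhook's own HTTP reply is 200), WATCH is allowed with a warning the submitter sees, ADMIT is allowed. The hand-written `AdmissionReview` subset, the `TrialOutcome` and `Lookup` types, and refusing a subject that has no completed trial (fail closed) are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// Hand-written subset of admission.k8s.io/v1 AdmissionReview so the example needs
// no k8s.io dependency; JSON keys match the real type.
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string `json:"uid"`
	Name      string `json:"name"`
	Namespace string `json:"namespace"`
}

type AdmissionResponse struct {
	UID      string   `json:"uid"`
	Allowed  bool     `json:"allowed"`
	Status   *Status  `json:"status,omitempty"`
	Warnings []string `json:"warnings,omitempty"`
}

type Status struct {
	Code    int32  `json:"code"`
	Message string `json:"message"`
}

// TrialOutcome is what step 8 leaves in status (Go field names are this example's).
type TrialOutcome struct {
	TrialClass string // ADMISSION, RUNTIME, INCIDENT, COMPLIANCE
	Verdict    string // ADMIT, DENY, WATCH
	Score      float64
	Reason     string
}

// Lookup resolves the completed trial for a subject; ok is false when none exists.
type Lookup func(name, namespace string) (TrialOutcome, bool)

// Respond maps a decided ADMISSION-class trial to the §2 webhook reply. Other
// trial classes never reach the webhook, so they are an error here.
func Respond(uid string, o TrialOutcome) (*AdmissionResponse, error) {
	if o.TrialClass != "ADMISSION" {
		return nil, fmt.Errorf("trialClass %s is not decided by the admission webhook", o.TrialClass)
	}
	r := &AdmissionResponse{UID: uid}
	switch o.Verdict {
	case "ADMIT":
		r.Allowed = true
	case "WATCH":
		r.Allowed = true
		r.Warnings = []string{fmt.Sprintf("TrendalTrial verdict WATCH (score %.2f): admitted under intensified monitoring, re-trial at next deployment cycle", o.Score)}
	case "DENY":
		r.Status = &Status{Code: http.StatusForbidden,
			Message: fmt.Sprintf("TrendalTrial verdict DENY (score %.2f): %s", o.Score, o.Reason)}
	default:
		return nil, fmt.Errorf("unknown verdict %q", o.Verdict)
	}
	return r, nil
}

// HandleReview decodes an AdmissionReview request and returns the encoded reply
// plus the HTTP status for the webhook response. A subject with no completed
// trial is refused (fail closed, assumption): an absent verdict is not an ADMIT.
func HandleReview(body []byte, lookup Lookup) ([]byte, int) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return []byte(`{"error":"malformed AdmissionReview"}`), http.StatusBadRequest
	}
	req := in.Request
	resp := &AdmissionResponse{UID: req.UID, Status: &Status{Code: http.StatusForbidden,
		Message: "no completed TrendalTrial for " + req.Namespace + "/" + req.Name}}
	if o, ok := lookup(req.Name, req.Namespace); ok {
		if r, err := Respond(req.UID, o); err == nil {
			resp = r
		} else {
			resp.Status.Message = err.Error()
		}
	}
	out, _ := json.Marshal(AdmissionReview{APIVersion: "admission.k8s.io/v1", Kind: "AdmissionReview", Response: resp})
	return out, http.StatusOK
}
```

`HandleReview` is kept free of `net/http` plumbing so it can be exercised with a byte slice; wrapping it in an `http.HandlerFunc` that reads a size-capped body and writes the returned bytes with the returned status is the only glue the real endpoint needs. The reply always echoes the request `uid`, which the API server requires to correlate the answer.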
"Conftest checks the passport. Kyverno and Gatekeeper judge the border.
Falco watches the body. PEMLAAM scores the evidence.
SOSTLE gives the verdict. Trendal remembers the trust.
γ₁ places the trial on the helix."
§9 — Related Doctrine
LABR-072 · EOSE LABS · DAY 97 · 2026-05-11 · γ₁=14.134725141734693