On-Demand Adaptive Caching: Cache Instances That Follow Usage, Not Configuration

Mechanism

Each index scope — a contiguous region of the addressable namespace governed by a defined anchor set — maintains an attached telemetry surface that records resolution requests against the scope. The telemetry surface is not optional; it is part of the scope's governance metadata, and the anchors responsible for the scope are the only writers permitted to update its thresholds. Among the values recorded are query rate (resolutions per unit time), unique-key cardinality, request-source diversity, and the elapsed time since the scope's last authoritative mutation. These values feed a cache controller co-located with the anchor quorum.

When the controller observes that query rate at the scope has crossed the instantiation threshold and that the scope's data is in a quiescent enough state to be cacheable (no in-flight mutations beyond a configured concurrency bound), the anchors execute a cache-instantiation protocol. The protocol selects a cache host — typically a node already participating in the anchor quorum or a delegated edge node carrying a credential issued by the anchors — and transmits a cache manifest. The manifest declares the scope being cached, the exact authoritative state version from which the cache is populated, the bounded-staleness window the cache is permitted to serve under, the eviction policy the cache must apply within its capacity envelope, and the cryptographic identity under which the cache will sign its responses.

Cache population is not a copy of arbitrary data. It is an authenticated transfer of the scope's current Merkle root and the leaf entries indexed under that root, performed under a receipt that the cache host countersigns. The countersigned receipt is what authorizes the cache host to answer subsequent resolution requests as a delegate of the anchors. A request handler that lacks the receipt cannot impersonate a cache; a cache host that loses the receipt (revocation, expiry, or rotation) ceases to be a valid responder. This is what makes the cache governance-aware: its existence is conditional on a credential the anchors can revoke at any time.

Once active, the cache serves resolution requests by returning entries together with a freshness witness — a signed tuple binding the entry, the manifest version, and the time of last cache-side validation. Consumers verify the freshness witness against the bounded-staleness window declared in the manifest before consuming the value. Entries beyond the staleness window are not served; the cache either re-validates against the anchors or returns a deferred response that forces the consumer to fall back to the authoritative path.

Invalidation is event-driven. Whenever the anchors commit a mutation against the underlying scope, they emit an invalidation notice scoped to the changed key range. Cache hosts holding manifests for the affected scope mark intersecting entries as stale and purge them from their working set. Because the invalidation notice is signed and carries the same anchor identity that issued the manifest, cache hosts can validate it independently — there is no need for an out-of-band coordination channel and no opportunity for an unsigned message to poison cache state. Each invalidation, instantiation, eviction, and expiration is appended to a tamper-evident log whose digest is published with the scope's normal governance state, so any after-the-fact dispute over what a cache served, when, and under whose authority can be resolved by replaying the log.

Expiration is symmetric with instantiation. When the controller observes that query rate has fallen below the expiration threshold for a sustained dwell period, the anchors issue a dissolution receipt to the cache host. The receipt acknowledges any in-flight requests, instructs the host to drain rather than truncate, and reclaims the manifest credential. The cache host emits a final log entry recording the receipts it served during its lifetime and the digest of its working set at dissolution; the anchors retain this entry in the scope's audit trail.

Operating Parameters

The instantiation threshold is expressed as a query-rate floor combined with a sustain duration: a scope must exceed the floor continuously for the sustain duration before a cache is instantiated. Typical floor values range from tens to thousands of resolutions per second per scope, with sustain durations from a few seconds for highly elastic edge deployments up to tens of minutes for cost-sensitive backplane deployments. Both values are recorded in the scope's caching policy and may be adjusted only through the same governance flow that controls every other scope-level setting.

The expiration threshold is similarly composed of a query-rate ceiling and a sustain duration, with the additional constraint that expiration cannot fire while the cache holds any unanswered requests or any entries that have been mutated within the most recent invalidation window. The bounded-staleness window is a per-scope policy expressed as a maximum age in seconds, capped from above by a global ceiling that the network's root governance enforces. Caches holding entries older than this window must revalidate or refuse to serve.

Cache capacity is bounded per host by a credential-encoded byte limit. Eviction within capacity is governance-aware: the eviction policy declared in the manifest selects the entries to drop when capacity is reached, and the policy must be one of an enumerated set the anchors recognize (least-recently-used, least-frequently-used, lowest-resolution-cost, or a credentialed custom policy whose code hash is signed by the anchors). Eviction events are logged with the manifest version under which they occurred. This ensures that two caches operating under the same manifest produce comparable behavior under load.

Tamper-evidence applies at three levels: each cached entry carries the freshness witness that ties it to a manifest version; each invalidation, eviction, and expiration is recorded in a per-cache log whose head is periodically anchored into the scope's governance log; and the scope's governance log itself participates in the network's broader integrity surface. A consumer or auditor can therefore prove, after the fact, that a cache served exactly the entries the manifest authorized at exactly the freshness the policy permitted.

Alternative Embodiments

The framework supports several embodiments that vary the placement, authority, and persistence of cache instances without changing the governance contract. In a backplane-collocated embodiment, the cache host is a member of the anchor quorum itself; the manifest is implicit (the host is already authorized for the scope), and the value of caching is the avoidance of repeated quorum-side resolution work. In an edge-delegated embodiment, the manifest carries a delegation chain that authorizes a node geographically close to the consumer to act as a cache delegate; the delegation chain is itself a credentialed object, revocable independently of the cache.

A consumer-side embodiment instantiates the cache on the requesting client, with the manifest binding the cache to the consumer's credential rather than to a network role. This is useful for applications that issue many resolutions for the same key set in tight loops; the bounded-staleness contract still applies, but the storage and eviction occur within the consumer process. A pull-through embodiment causes the cache to lazily populate on first access rather than eagerly populating from the manifest's declared state version, trading first-request latency for population bandwidth.

The instantiation signal need not be query-rate alone. Embodiments may key instantiation on cardinality bursts, on the appearance of a specific governance label in incoming requests, or on a scheduled prediction emitted by an offline workload analyzer whose recommendations are themselves credentialed. Similarly, expiration may be driven by a fixed maximum lifetime, by a falling rate, by an explicit anchor-issued teardown, or by a capacity-pressure signal from the host. In each variant the structural invariants — credentialed manifest, bounded staleness, signed invalidation, tamper-evident log — are preserved.

Composition With Other Adaptive-Index Primitives

Adaptive caching composes with the adaptive-index sharding primitive: when a scope is split or merged, the affected caches are dissolved as part of the split/merge protocol, and new caches may be instantiated on the resulting child scopes if their independent demand warrants. The dissolution and re-instantiation are part of the same governance transaction that performs the topology change, so consumers cannot observe a window in which a cache is serving entries that no longer correspond to the current scope shape.

Adaptive caching composes with the network's replication primitive: a cache is not a replica, and the system never confuses the two. Replicas hold authoritative state under quorum rules; caches hold derived state under bounded-staleness rules. A replica that loses quorum cannot be silently demoted to a cache, and a cache that observes high traffic cannot be silently promoted to a replica. The credentials are different and the audit obligations are different.

Adaptive caching composes with the framework's auditability primitive: cache logs are first-class participants in the audit chain, so an auditor reconstructing the state served to a particular consumer at a particular time has the same evidence available regardless of whether that state was served from the authoritative path or from a cache delegate.

Distinction From Prior Caching Approaches

Conventional caching tiers — in-memory caches sitting in front of databases, CDN edges fronting origin servers, application-level memoization layers — share a common property: the cache is administered separately from the data it caches. An operator decides where caches live, how large they are, what eviction policy they use, and what staleness they tolerate, and these decisions are encoded as configuration that drifts independently of the underlying data's governance.

The adaptive caching primitive inverts this relationship. The data's governance owns its caches. There is no configuration to drift. There is no separately administered cache tier. The cache cannot serve under a staleness contract that the data's governance has not authorized; the cache cannot exist at all without an anchor-issued manifest; and the cache cannot evict an entry without producing a log entry that the data's governance can later inspect. This is structurally different from a cache that simply happens to be invalidated promptly, because the structural property is what produces the audit trail and the governance-aware eviction, not just the timely invalidation.

Prior systems that attempt usage-driven cache placement typically rely on a control plane separate from the data plane, with its own identity and its own policies. The adaptive caching primitive collapses this separation: the same anchors that govern the data govern the caches, the same credentials that authenticate authoritative reads authenticate cache reads, and the same audit log that records mutations records cache lifetimes.

Disclosure Scope

The disclosed mechanism covers the instantiation, operation, invalidation, and dissolution of cache instances under credentialed manifests issued by the anchor set governing the index scope being cached, including the bounded-staleness contract, the tamper-evident lifetime log, the governance-aware eviction policy, and the symmetric instantiation/expiration thresholds. The disclosure extends to the alternative embodiments enumerated above (backplane-collocated, edge-delegated, consumer-side, pull-through, scheduled, label-driven) and to compositions of the cache primitive with sharding, replication, and audit primitives within the broader adaptive-index framework. The disclosure is not limited to any particular eviction algorithm, transport encoding, or persistence medium; the structural invariants — credentialed manifest, bounded staleness, signed invalidation, audit-anchored log — are what define the scope of the claimed subject matter.