Physical Capability Envelopes for Embodied Robotics

by Nick Clark | Published March 27, 2026

Cognition-native admissibility primitives, originally developed to govern what a model may say and under what credential, extend naturally into the physical world when the agent is embodied. The extension is not a metaphor: the same admissibility-gate, capability-envelope, and ledgered-action machinery that governs token emission can govern actuator commands when the capability descriptors include kinematic, dynamic, and environmental fields and when the gate is composed with a spatial-mesh primitive that supplies a verified geometric model of the agent's surroundings. Physical capability envelopes are therefore the application of the cognition layer to physical-world embodiments, with governed actuation taking the place of governed generation and a spatial mesh taking the place of a retrieval corpus.

Mechanism

The mechanism is a closed-loop admissibility pipeline that interposes between a high-level intent stream and the low-level actuator interface of an embodied agent. An intent, expressed as a structured action descriptor that names a target pose, a force profile, a velocity profile, and a time horizon, is first resolved against a physical capability envelope. The envelope is a signed descriptor that enumerates the agent's actuator specifications, sensor specifications, current wear state, current environmental state, and the cross-products that bound them: the maximum torque the joint can sustain at the present temperature, the maximum velocity the gear train can sustain at the present lubrication state, the minimum sensor reliability at the present contamination level. The envelope is not a static datasheet; it is a live document signed at intervals by the agent's self-monitoring subsystems and countersigned by an external attestation service.

The intent is admitted only when every cross-product field invoked by the action descriptor falls strictly inside the envelope. Admission is computed by an admissibility gate that consumes the intent, the envelope, and a spatial-mesh fragment covering the action's swept volume. The spatial mesh is a verified geometric model produced by a fusion subsystem that reconciles depth sensors, lidar, and prior maps, and it is consumed by the gate to enforce contact and clearance constraints that depend on geometry rather than on actuator capability alone. An intent that fits the actuator envelope but would violate a clearance constraint in the current mesh is denied at the same gate and recorded in the same lineage.

Admitted intents are decomposed into actuator command sequences by a governed-actuation translator that emits, for each command, a per-step capability witness: a record showing which envelope field bounded the command and by what margin. The witness travels with the command into the actuator's local controller, where a final pre-execution check confirms that the witness's assumptions still hold given any envelope updates that arrived during decomposition. Commands whose witnesses no longer hold are aborted before execution, with the abort recorded.

Execution feedback closes the loop. Realized actuator measurements are compared against the witness's predicted values, and discrepancies above a tolerance threshold trigger an envelope update that tightens the relevant field. Discrepancies that exceed a hard threshold trigger a quarantine state in which the agent refuses further intents until a maintenance event or a re-attestation restores the envelope. The result is an embodied agent whose physical capability is a first-class, signed, ledgered property of every action it takes.

Several aspects of the mechanism distinguish it from a conventional supervisory controller. First, the envelope is consumed as data rather than compiled into the controller, which permits envelopes to evolve at runtime in response to wear and environment without code change. Second, the witness is emitted by the same translator that decomposes the intent, which guarantees that the witness reflects the assumptions actually used by the decomposition rather than a parallel reconstruction. Third, the lineage ledger records denials and aborts on the same footing as admissions and executions, which preserves the negative information that incident reviewers and regulators most often need. Fourth, the admissibility gate is uniform across intent sources, so that an intent emitted by a planner, a teleoperator, or a language-model agent is subject to the same admissibility discipline and produces witnesses indistinguishable in form, which simplifies the audit story and removes a class of source-dependent bypasses.

Operating Parameters

The capability envelope is parameterized by the agent's actuator topology and is expressed as a structured document with one section per actuator, one section per sensor, and one section per cross-product that the admissibility gate must check. Each actuator section carries fields for force or torque limit, velocity limit, acceleration limit, precision tolerance, duty cycle, and a wear curve that maps cumulative operating hours to a degradation factor on each of the preceding limits. Each sensor section carries fields for nominal range, nominal resolution, contamination-degradation curve, temperature-degradation curve, and a confidence floor below which the sensor is treated as unavailable.

Cross-product fields are computed at envelope-issuance time and refreshed at a cadence appropriate to the field's volatility. Thermal cross-products refresh on a sub-second cadence, lubrication cross-products refresh on a per-task cadence, and structural cross-products refresh on a per-shift cadence. The signing key for the envelope is held by the agent's secure element, and the countersigning key is held by the operator's attestation service. An envelope without both signatures is treated as expired by the admissibility gate.

The spatial mesh is parameterized by a voxel resolution, a confidence-per-voxel field, and a freshness timestamp, and the admissibility gate enforces a per-action freshness floor below which the mesh is treated as unavailable for that action's swept volume. The governed-actuation translator emits witnesses in a canonical CBOR encoding so that downstream auditors can verify them without access to the agent's internal state.

The admissibility gate operates with a budget on per-intent resolution latency that is set by the deployment and that bounds the staleness of the inputs the gate consults. When the budget cannot be met, the gate fails closed and emits a denial whose witness records the budget breach, rather than admitting the intent under stale inputs. The witness format includes a signed capability-version identifier and a signed mesh-version identifier so that any later reconstruction can pinpoint exactly which envelope and which mesh fragment governed a given command, which is the property that makes the lineage ledger useful for incident reconstruction across software upgrades and re-attestation events.
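The Mechanism and Operating Parameters sections together describe a gate that can be written down directly. The following Python sketch is an added example, not the disclosure's own implementation: it assumes an HMAC-signed JSON envelope with a single temperature- and wear-derated torque cross-product, a voxel-set spatial mesh with a freshness timestamp, and illustrative soft/hard feedback thresholds, and it ledgers every admission and denial with the capability-version and mesh-version identifiers the witness format calls for.

```python
# Admissibility gate over a signed capability envelope (constructed example; schema, HMAC signing, derating and thresholds are assumptions).
import hashlib, hmac, json

AGENT_KEY = b"agent-secure-element-key"   # constructed; stands in for the secure element's key
ATTEST_KEY = b"operator-attestation-key"  # constructed; stands in for the attestation service's key

def sign(doc, key):
    return hmac.new(key, json.dumps(doc, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issue_envelope(rated_torque_nm, temp_c, hours, version):
    # Cross-product field: rated torque derated by present temperature and cumulative wear.
    derate = (1 - 0.004 * max(0.0, temp_c - 40)) * (1 - 0.02 * hours / 1000)
    doc = {"version": version, "torque_nm": rated_torque_nm * derate}
    return {"doc": doc, "sig": sign(doc, AGENT_KEY), "countersig": sign(doc, ATTEST_KEY)}

def admit(intent, env, mesh, ledger, now, freshness_s=2.0):
    """Resolve one intent; admissions and denials are ledgered on the same footing."""
    doc = env["doc"]
    w = {"intent": intent["id"], "capability_version": doc["version"], "mesh_version": mesh["version"]}

    def deny(reason):
        w.update(decision="deny", reason=reason)
        ledger.append(w)
        return w

    # Fail closed: an envelope lacking either valid signature is treated as expired.
    if not (hmac.compare_digest(env["sig"], sign(doc, AGENT_KEY)) and
            hmac.compare_digest(env["countersig"], sign(doc, ATTEST_KEY))):
        return deny("envelope-expired-or-tampered")
    if now - mesh["timestamp"] > freshness_s:           # per-action mesh freshness floor
        return deny("mesh-stale")
    if intent["torque_nm"] >= doc["torque_nm"]:         # must fall strictly inside the field
        return deny("torque-outside-envelope")
    if set(intent["swept_voxels"]) & mesh["occupied"]:  # clearance against the spatial mesh
        return deny("clearance-violation")
    w.update(decision="admit", bounding_field="torque_nm",
             margin_nm=doc["torque_nm"] - intent["torque_nm"])
    ledger.append(w)
    return w

def feedback(env, predicted_nm, realized_nm, soft=0.05, hard=0.20):
    # Close the loop: soft discrepancies tighten the field and re-sign, hard ones quarantine.
    err = abs(realized_nm - predicted_nm) / predicted_nm
    if err > hard:
        return "quarantine"   # refuse further intents until maintenance or re-attestation
    if err > soft:            # both parties are assumed to re-sign the tightened envelope here
        doc = dict(env["doc"], torque_nm=env["doc"]["torque_nm"] * (1 - err))
        env.update(doc=doc, sig=sign(doc, AGENT_KEY), countersig=sign(doc, ATTEST_KEY))
        return "tightened"
    return "nominal"
```

A tampered envelope, a stale mesh fragment, an out-of-envelope torque and a clearance breach all land in the same ledger as the admissions, which is the property the lineage ledger relies on.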

Alternative Embodiments

A first alternative embodiment applies the framework to a fixed-base manipulator in a structured cell, where the spatial mesh degenerates to a static prior and the envelope's environmental fields collapse to a small set of cell-state variables. The admissibility gate retains its full structure but executes against a simpler input.

A second alternative embodiment applies the framework to a mobile platform in an unstructured environment, where the spatial mesh is the dominant input and is supplied by an online SLAM subsystem whose confidence field is consumed directly by the gate. The envelope's actuator section gains traction and slip fields whose cross-products with the mesh's surface-friction estimate gate every locomotion intent.

A third alternative embodiment applies the framework to a multi-agent fleet in which envelopes are composed across agents and the admissibility gate enforces fleet-level constraints such as collision avoidance and shared-resource allocation. Each agent retains its own envelope, and a fleet supervisor issues a composite envelope that the gate consults alongside the agent-local one.

A fourth alternative embodiment applies the framework to surgical or laboratory robotics, where the envelope's sensor section carries fields for biological-contamination state and the gate refuses any intent that would breach a sterility cross-product. The witness format extends to record the sterility state at command issuance.

A fifth alternative embodiment applies the framework to aerial or marine platforms, where the envelope incorporates fluid-dynamic fields and the spatial mesh extends to volumetric flow estimates. The admissibility gate's structure is unchanged.

Composition

The primitive composes upward with the cognition-native intent layer, which supplies the structured action descriptor that the gate consumes. Intents that originate from a language model are subject to the same admissibility discipline as intents that originate from a teleoperator or a planner, and the witness format is uniform across sources so that a downstream auditor cannot distinguish them by inspection. The composition is what makes the cognition-native primitives extend to physical embodiments without a separate safety stack.

The primitive composes laterally with the spatial-mesh primitive as a strict consumer: the gate reads mesh fragments and confidence fields but does not modify them. The mesh primitive is independently maintained and independently signed, which permits a graceful upgrade of either component without coordinated release. The primitive composes laterally with the governed-actuation primitive as a strict producer: the witnesses emitted by the translator are the inputs that the actuation primitive consumes and verifies before execution.

The primitive composes downward with the operational-lineage ledger, which records every admission, denial, abort, and envelope update in a tamper-evident sequence. The ledger is the substrate on which incident review, regulatory inspection, and insurance attestation operate, and its existence is what permits the embodied agent to participate in regulated environments without case-by-case waiver.

Prior Art

Prior approaches to robot safety treat actuator limits, sensor reliability, and environmental state as inputs to a controller whose safety properties are established offline through analysis or testing. These approaches do not produce a signed, ledgered, per-action witness; they do not compose with a cognition-native admissibility gate; and they do not refresh the capability descriptor on a wear-aware cadence. Functional-safety standards such as ISO 13849 and ISO 10218 specify the categories and performance levels that a safety function must meet but do not specify a primitive in which the capability descriptor is itself a signed document consumed by an admissibility gate. The disclosed primitive is distinguished by the elevation of the capability envelope to a first-class, signed, composable artifact and by the uniform admissibility discipline applied to intents regardless of origin.

Disclosure Scope

The disclosure covers the admissibility-gated, envelope-signed, witness-ledgered physical capability primitive in any embodiment that consumes a structured action descriptor, resolves it against a signed capability envelope and a spatial-mesh fragment, emits a per-command witness, and records the admission and execution events in a tamper-evident lineage. The disclosure extends to fixed-base, mobile, fleet, surgical, and aerial or marine embodiments and to envelope schemas that include actuator, sensor, environmental, and cross-product fields. The disclosure does not extend to embodiments that omit the signed envelope, that omit the witness, or that omit the lineage ledger, since each of these elements is essential to the structural safety guarantee that distinguishes the primitive from controller-only approaches.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie