Uncertainty as First-Class Propagated Variable

Mechanism

In the cognition patent, every value that crosses a stage boundary in the agent's cognitive pipeline is represented as a pair (v, u) where v is the nominal value and u is a structured uncertainty descriptor. The descriptor is not a single scalar variance; it is a typed object carrying at minimum a magnitude term, a distribution-class tag, a provenance pointer to the input fields that generated the uncertainty, and a freshness timestamp indicating when the underlying observation was last revalidated. This pair is the canonical representation of a capability claim, a sensor reading, a model output, or any intermediate quantity used by a downstream stage.

Propagation through a computation step is governed by a bounded operator. Each operator that the agent is permitted to apply, such as composition, projection, fusion, or aggregation, is registered in the policy reference together with an explicit propagation rule that maps input uncertainty descriptors to an output descriptor. The rules are deterministic functions of their inputs and are required to be monotonic in the worst-case sense: an operator may not produce an output uncertainty smaller than the smallest input uncertainty unless the operator is explicitly tagged as a noise-reducing fusion with a documented reduction warrant. In all other cases the output uncertainty is at least as large as the dominant input, and is typically larger because composition and projection introduce additional terms drawn from the operator's structural parameters.

Because uncertainty is a first-class operand, it is impossible for a stage to drop it inadvertently. The runtime rejects any value crossing a stage boundary that is not paired with a descriptor; an unpaired value is treated as a structural fault, recorded in the lineage, and routed to the deferral or reject path rather than being silently coerced. This is the structural difference between this mechanism and ad hoc confidence annotations: confidence is not metadata that downstream code is free to ignore, it is part of the type of every value the agent computes with.

When a downstream decision point reads a propagated value, it reads the compounded descriptor that has accumulated through every preceding operator. The decision threshold is evaluated against that compounded descriptor, not against the nominal value alone. Two values with identical nominal magnitude but different upstream histories therefore produce different downstream authorizations, because the longer or more lossy history carries a larger uncertainty term. This preserves information about how a value was produced and prevents the structural error of treating a heavily-derived estimate as equivalent to a directly observed measurement.

Operating Parameters

The propagation framework exposes a small set of policy-tunable parameters. The first is the operator registry: which operators are permitted, and for each, the explicit propagation rule and any reduction warrant. Domains with strict safety budgets restrict the registry to operators with conservative rules, refusing fusions that claim noise reduction unless the reduction is backed by a verifiable redundancy condition such as independent sensors with bounded correlation.

The second parameter is the descriptor schema. Minimum required fields are fixed by the patent, but domains may extend the descriptor with additional terms such as systematic-bias bounds, drift estimates, or domain-specific tags. Extension is policy-declared, so any stage that consumes an extended descriptor declares which extensions it requires; a missing extension is a structural fault rather than a silent default.

The third parameter is the freshness budget. Each descriptor carries a timestamp, and downstream operators are permitted to discount or reject values whose freshness exceeds a stage-specific budget. The budget is set per stage and per domain: a perception fusion stage in a vehicle may require freshness measured in tens of milliseconds, while a strategic-planning stage may accept seconds.

The fourth parameter is the aggregation policy. Aggregation operators that combine multiple inputs into a summary are required to declare whether they preserve, conservatively bound, or actively reduce uncertainty, and the runtime enforces that declaration against the registered rule. An aggregation that would produce a smaller uncertainty than its conservative bound is rejected as a structural violation, even if the nominal output is well within range.

Alternative Embodiments

In an interval-arithmetic embodiment, the descriptor magnitude is represented as a closed interval and propagation operators implement interval extensions of their nominal computations. This is appropriate where worst-case bounds are required and probabilistic assumptions cannot be justified, such as in formal-verification-adjacent control loops.

In a probabilistic embodiment, the descriptor carries a distribution-class tag together with sufficient statistics, and propagation operators implement distributional combinators consistent with the tag. Gaussian, sub-Gaussian, and bounded-support tags are explicitly supported; mixing tags across an operator triggers a coercion to the most conservative compatible tag.

In a sampled embodiment, the descriptor references a small ensemble of samples carried alongside the nominal value, and propagation is realized by applying the operator to each sample. This embodiment is useful where analytical propagation rules are unavailable but bounded compute permits a fixed-size ensemble at every stage.

In a hybrid embodiment, the agent permits multiple descriptor types within a single pipeline and the operator registry defines explicit cross-type rules, always defaulting to the more conservative of the available propagations when a unique rule is not registered.

Composition With Adjacent Mechanisms

Uncertainty propagation feeds the confidence-governance layer directly. The compounded descriptor at a decision boundary is the primary input to threshold evaluation, deferral computation, and effort accounting. Without first-class propagation, governance thresholds would be evaluated against optimistically collapsed values and would lose their structural guarantees.

The mechanism also composes with capability-claim publication. A capability advertised by a substrate is itself a (v, u) pair, and matching a task to a capability uses the descriptor to determine whether the worst-case capability still satisfies the task's requirements. This eliminates the failure mode where a nominal capability appears sufficient but its uncertainty places the worst case outside the task envelope.

Lineage recording integrates with the propagation framework by treating each operator application as a recorded event with input descriptors, the operator identity, and the output descriptor. Auditors can reconstruct exactly which operators contributed to a downstream uncertainty and identify the dominant source, supporting both post-incident analysis and proactive policy tuning.

Distinction From Prior Art

Prior systems treat uncertainty as ancillary metadata. Sensor-fusion stacks compute variances internally but flatten them before exposing values to downstream consumers; model-serving infrastructures attach confidence scores that consumers are free to ignore; rule-based pipelines drop uncertainty entirely at stage boundaries. The structural property absent from these systems is enforcement: there is no point in the pipeline where a value can be used without its descriptor, and no operator can produce an output whose uncertainty is smaller than its registered rule permits.

The mechanism is also distinct from end-to-end uncertainty quantification approaches that train a model to emit a calibrated confidence. Those approaches concentrate uncertainty at a single output and rely on training-time calibration, which silently degrades under distribution shift. First-class propagation does not depend on a learned calibration; it composes structural rules registered in policy and verifiable independently of any training process.

Runtime Enforcement Surface

Enforcement is concentrated at three structural surfaces. The first is the stage boundary: the runtime intercepts every value crossing a stage and refuses any value lacking a descriptor or carrying a malformed descriptor. The second is the operator dispatch: each operator is invoked through a registered shim that reads input descriptors, looks up the registered propagation rule, and constructs the output descriptor before the value is exposed to consumers. The third is the threshold check: every governance decision reads the compounded descriptor, never the bare value, and the runtime refuses configurations that attempt to bypass this read.

Each enforcement point emits a lineage event. The events together form a complete record of how uncertainty entered, propagated, and was consumed. This record is the substrate for both audit and policy refinement: when a downstream decision behaves in an unexpected way, the auditor traces the compounded descriptor backward through operator applications to the originating measurements, identifies the dominant uncertainty source, and refines either the operator rule or the upstream observation policy.

The runtime also enforces a non-laundering invariant. An aggregation operator that combines multiple values into a summary cannot produce an output uncertainty smaller than the registered conservative bound for its operator class, regardless of the nominal inputs. This prevents the structural failure mode in which a dispersed set of low-confidence inputs is averaged into a high-confidence summary that downstream consumers then rely upon. The invariant is checked at output construction and a violation is recorded as a structural fault rather than coerced silently.

Domain configuration interacts with enforcement through the policy reference, never through code modification. A domain that wishes to permit a noise-reducing fusion registers the fusion as an operator with an explicit reduction warrant; the warrant declares the redundancy condition, the bound on input correlation, and the maximum permissible reduction factor. The runtime checks the warrant at every invocation and refuses to apply the reduction if the declared condition is not satisfied by the current inputs.

Disclosure Scope

This article describes Chapter 6 of the cognition patent at the level required to establish enablement and structural distinction. Specific operator rule families, descriptor extension schemas, and runtime enforcement points are claimed in the patent. Implementations are licensable for use in autonomous-vehicle perception stacks, medical-decision support, robotic manipulation, financial-risk pipelines, and any system whose downstream decisions depend on the structural integrity of upstream uncertainty.

The disclosure deliberately separates structural mechanism from numerical specifics. The numerical content of an operator's propagation rule, the specific magnitudes of conservative bounds, and the calibration of distribution-class tags are implementation choices that vary by deployment. What does not vary, and what the patent claims, is the structural requirement that uncertainty be a first-class operand carried at every stage boundary, that propagation be governed by registered bounded operators, that aggregation be barred from laundering low-confidence inputs into high-confidence summaries, and that downstream thresholds be evaluated against compounded descriptors rather than against bare nominal values.

Licensees adopting the mechanism gain a structural foundation on which confidence governance, deferred execution, effort analysis, and capability-claim publication compose without redundant reimplementation. The mechanism is the substrate that makes the rest of the cognitive architecture's guarantees structural rather than aspirational, and its absence is the principal reason that ad hoc confidence systems fail under distribution shift, sensor degradation, or adversarial inputs.