Cross-Domain Cascade Composition

Mechanism

A cross-domain cascade is composed from atomic cascade observations belonging to disjoint domains. Each domain (cyber, physical, regulatory, financial, communications, and others declared by governance) maintains its own credentialing authorities, its own admissibility predicates, and its own observation schemas. The composition mechanism does not flatten these into a common namespace; instead, it introduces a typed link object, the cross-domain mapping, which carries the five-property chain.

The five properties are: (1) the source-domain observation identifier, including its credentialing chain; (2) the propagation rule, a declared structural relation drawn from a governance-published catalogue (for example, "cyber-refusal-implies-physical-hold" or "physical-actuation-implies-regulatory-notice"); (3) the target-domain observation identifier produced by application of the rule; (4) the composition authority, a credentialed entity authorized to assert the cross-domain link; and (5) the admissibility window, which constrains the temporal and contextual scope under which the composed cascade is treated as valid.

When an intrusion-detection observation is published in the cyber mesh with credentials drawn from a CISO authority, a composition authority (typically a joint cyber-physical safety authority pre-credentialed for the relevant equipment class) emits a cross-domain mapping that names the cyber observation as source, applies the published "intrusion-implies-vehicle-hold" rule, and produces a physical-domain observation: a hold directive bound to a specific vehicle identifier, a specific gate, and a specific time window. The physical observation enters the physical mesh under physical-domain credentials, but its lineage chain encloses, by reference, the cyber-domain credentials of the source. A subsequent regulatory cascade follows the same pattern: a regulatory composition authority emits a mapping from the physical observation to a regulatory incident-report observation, again preserving the prior chain by reference.

Verification proceeds structurally. A downstream auditor presented with the regulatory observation can walk back through two cross-domain mappings to the originating cyber observation, validating each composition authority's credentials, each propagation rule's catalogue membership, and each admissibility window's temporal scope. No single domain's authority is forced to vouch for events outside its competence; the cyber authority signs only the cyber observation, the physical authority signs only the physical observation, and the composition authorities sign only the links between them.

Operating Parameters

The composition mechanism admits parameterization along several axes. The propagation-rule catalogue is governance-controlled and versioned; rule entries declare their input domain, output domain, required source-observation predicates, target-observation construction template, and minimum-credential class for the composition authority. Catalogue versions enter lineage so that historical cascades can be re-evaluated against the rules in force at the time of composition.

Admissibility windows are expressed as composite predicates over wall-clock time, monotonic mesh sequence numbers, and contextual conditions (for example, "operational mode equals normal" or "regulatory regime equals peacetime"). A composed cascade whose admissibility window has expired is not retroactively invalidated; instead, downstream operations evaluating the cascade observe the expiry and may treat the observation as historical evidence rather than an active directive.

Composition authorities are themselves credentialed observations: an authority is admitted to the composition role by a governance act that names the authority, the rule catalogue entries it may invoke, the domains it may bridge, and the credential issuer that vouches for it. Revocation of a composition authority does not retroactively invalidate prior compositions; it terminates the authority's prospective ability to emit new mappings. This separation between historical validity and prospective capability is essential for forensic reconstruction following authority compromise.

Domain identifiers are themselves typed and registered. A domain registration declares its credential schema, its admissibility evaluator interface, and the set of observation types it admits. New domains (for example, a recently delineated space-traffic domain) enter the composition framework through governance acts that register the domain and declare its initial rule-catalogue entries.

Alternative Embodiments

The composition mechanism is embodiment-agnostic with respect to the transport substrate. In one embodiment, cross-domain mappings are exchanged as signed messages over a domain-bridging gateway operated by the composition authority; the gateway holds no observation state but signs and forwards mapping objects between domain meshes. In a second embodiment, all domains share a single underlying mesh substrate with domain-tagged observations, and the composition authority emits mappings as ordinary observations of type "cross-domain-mapping" with appropriate lineage references.

A third embodiment supports asynchronous composition: the source observation is published, the propagation rule fires deterministically against a rule engine, and the resulting target observation is queued for composition-authority signing. This embodiment is appropriate where the composition authority is human-mediated (for example, a regulatory officer reviewing a proposed incident-report cascade before signature). A fourth embodiment supports speculative composition, in which a candidate target observation is constructed but admitted only conditionally; downstream operations may evaluate the candidate but must surface the conditional status until the composition authority signs.

The framework also supports multi-hop composition collapse, in which a sequence of N cross-domain mappings is summarized into a single equivalent mapping for transport efficiency, while the full chain remains recoverable via the lineage references retained in the summary. This embodiment is useful for low-bandwidth coalition links where the full chain is reconstructed at the receiving end.

A further embodiment supports rule-evolution composition, in which the propagation-rule catalogue is extended at runtime by governance act, and pre-existing source observations may be retroactively eligible for composition under newly admitted rules. The retroactive eligibility is itself bounded by an admissibility window declared in the rule's catalogue entry, preventing unbounded re-interpretation of historical events. A still further embodiment supports composition under partial-information conditions, where a source observation carries probabilistic or interval-valued attributes; the propagation rule declares how such attributes are mapped into target-domain attributes, and the resulting target observation carries the propagated uncertainty as a first-class field.

Composition With Other Mesh Features

Cross-domain cascade composition composes with cross-jurisdictional credentialing: a cascade originating under one jurisdiction's cyber authority and crossing into another jurisdiction's physical authority requires a jurisdiction-bridging composition authority whose mandate spans both jurisdictions. The five-property chain is unchanged; the composition authority's credential scope extends across the jurisdictional boundary.

Composition with byzantine-robust observation handling preserves the structure under adversarial conditions: if a source observation is contested by independent attestations, the cross-domain mapping inherits the contested status, and downstream domains evaluate the contested cascade under their own admissibility predicates. Composition with the dispute mechanism allows a contested cross-domain mapping itself to be the subject of a dispute observation, triggering governance review of the composition authority's action.

Composition with lineage-preserving import (described separately) allows a cross-domain cascade originating in one mesh to be imported into another mesh while retaining all five properties of each composition step. The importing mesh's admissibility evaluator may reject any individual step (for example, on the basis that a particular composition authority is not recognized in the importing jurisdiction) without invalidating the rest of the chain.

Distinction From Prior Art

Cross-domain cascade composition is structurally distinct from federated alarm systems, in which alarms generated in one system are forwarded to another with no preservation of credentialing or rule provenance. Federated alarms typically arrive as opaque messages whose acceptance is governed by transport-level trust between systems; the recipient cannot verify the originating authority, the propagation rule, or the admissibility window.

The mechanism is distinct from SIEM correlation, which applies pattern-matching rules over a common event store to produce derived alerts. SIEM correlation treats all input events within a single trust boundary, does not preserve heterogeneous source authorities, and typically discards the derivation chain in favor of a synthesized alert object.

The mechanism is distinct from BPMN process orchestration and similar workflow systems, which sequence activities under a single orchestrating authority. BPMN does not preserve distinct credentialing across activity boundaries, does not catalogue propagation rules independently of the orchestrator's process definition, and does not produce auditable cross-authority lineage chains. The five-property chain, the governance-controlled rule catalogue, and the per-step composition authority distinguish the present mechanism from each of these prior approaches.

Disclosure Scope

The disclosure encompasses the five-property composition chain, the governance-controlled propagation-rule catalogue, the credentialing of composition authorities as a distinct authority class, and the admissibility-window mechanism. The disclosure encompasses single-hop and multi-hop compositions, synchronous and asynchronous composition flows, speculative and committed compositions, and the collapse and reconstruction of multi-hop chains.

The disclosure encompasses domains explicitly enumerated (cyber, physical, regulatory, financial, communications) and any further domains admitted by governance act. The disclosure encompasses applications including defense-civil cross-domain cascades, energy-transport cross-domain cascades, and communication-financial cross-domain cascades, without limitation to those applications.

As taught in U.S. provisional application 64/049,409, the cross-domain composition primitive is reduced to practice through a propagation-rule catalogue that is itself an admissible observation class, so that rule promulgation, amendment, and revocation produce signed events whose lineage is composable with the cascades they govern. This recursive treatment forecloses the silent rule-drift failure mode common to inter-agency data exchanges and supplies the auditable provenance required for cross-domain compositions to be admitted into adjudicatory, supervisory, and command-and-control records without parallel reconciliation infrastructure across each participating domain.