Execution Authorization Recovery
by Nick Clark | Published March 27, 2026
When confidence collapses below the configured floor, execution authorization is suspended and a structured recovery process is engaged: the agent pauses, narrows scope, requests evidence, and gradually re-expands. Recovery is governance-bound — every transition is policy-defined, lineage-recorded, and structurally prevented from short-circuiting back to full authorization.
Mechanism
Execution authorization recovery is the structured procedure by which an agent restores admit-grade authorization after its operational confidence has collapsed below a configured floor. As specified in Chapter 5 of the cognition patent, recovery is not a single event but a sequence of governance-bound phases through which the authorization state advances only when phase-specific predicates have been satisfied. The mechanism is engaged automatically upon detection of a confidence-floor breach and remains in force until full authorization is re-established or the recovery procedure is terminated by policy.
The first phase is suspension. Upon detection of the floor breach, the agent's authorization state is transitioned to a suspended condition in which no admit determinations are issued for state-affecting mutations. In-flight mutations that have not yet entered execution are recalled to the proposal stage; mutations already executing are allowed to complete only if their completion is itself a precondition for system safety, and are otherwise rolled back through the lineage-recorded reversal procedure. A structured suspension record is emitted into lineage identifying the breach signals, the policy thresholds in force, and the suspension timestamp.
The second phase is scope narrowing. The agent restricts the set of operations for which authorization may be sought to a narrowed admissible set defined by the policy reference. The narrowed set typically includes only diagnostic operations, evidence-gathering operations, and reversible operations that produce no externally visible side effects. The narrowing is structural: proposed mutations outside the narrowed set are rejected at the proposal stage rather than evaluated, ensuring that the composite admissibility evaluator is not exercised on operations that are categorically out of scope during recovery.
The third phase is evidence solicitation. The agent issues structured evidence requests to the sources identified in its policy reference as admissible during recovery — typically including its own observability subsystem, designated counterparty agents, and human supervisors where the policy admits human-in-the-loop participation. Each evidence request carries a structured identifier, a target predicate, and a deadline. Returned evidence is incorporated into the lineage and re-evaluated by the composite admissibility evaluator under the recovery-specific calibration.
The fourth phase is gradual re-expansion. As evidence accumulates and confidence indicators rise above policy-defined re-expansion thresholds, the narrowed admissible set is enlarged in stages. Each stage corresponds to a tier of operational scope; transition between tiers requires that the prior tier has operated stably for a configured dwell interval without re-breach of the confidence floor. The re-expansion sequence is monotonic by policy: scope cannot be enlarged beyond a tier whose dwell predicate has not been satisfied, and any re-breach during re-expansion returns the agent to suspension with a structured re-breach record.
Operating Parameters
The recovery process is governed by a set of declarative parameters drawn from the policy reference. The confidence floor is the threshold whose breach triggers entry to the recovery process; it is configured per operational domain and may be raised structurally during heightened-risk windows. The recovery floor is the threshold above which the suspension phase may transition to scope narrowing; it is set strictly above the confidence floor to enforce hysteretic separation between entry and exit, preventing oscillation between suspended and recovering states.
The narrowed admissible set is specified as an enumerable list of operation classes, each tagged with a tier identifier indicating the re-expansion stage at which the class becomes admissible. Tier-dwell intervals specify the minimum elapsed time during which a tier must operate without re-breach before the next tier may be activated. Evidence-deadline parameters bound how long the agent may wait for solicited evidence before treating the request as failed and emitting a structured timeout record.
Re-breach handling parameters specify how many re-breach events within a configured window will escalate the recovery procedure — for example, by raising the recovery floor, extending dwell intervals, or terminating recovery in favor of a supervised intervention pathway. These escalation parameters are bounded structurally: no policy configuration may disable escalation entirely, and minimum escalation cadences are enforced regardless of policy.
Calibration parameters for the recovery-specific admissibility evaluator are held in the policy reference and are subject to the same audit requirements that govern the steady-state evaluator. The recovery calibration is typically more conservative than the steady-state calibration; the structural requirement is that the recovery calibration may not be more permissive, and the policy reference enforces this ordering as an invariant.
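The phases and parameters described above, reduced to a small Python state machine as an added example (not code from the patent or the author): the policy is validated at load time (recovery floor strictly above confidence floor, escalation not disableable), suspension exits only at the recovery floor, re-expansion moves forward only when a tier's dwell predicate holds, each re-breach returns to suspension and lengthens subsequent dwells, and every transition and rejected proposal lands in a lineage list. Evidence is modelled simply as a stream of confidence readings; evidence-request records, deadlines and the admissibility evaluator are assumed away, and all class names, tier contents and tick values are constructed for illustration.

```python
from dataclasses import dataclass
SUSPENDED, RECOVERING, FULL = "suspended", "recovering", "full"

@dataclass(frozen=True)
class RecoveryPolicy:  # declarative parameters; invariants checked at load time
    confidence_floor: float        # breach below this suspends authorization
    recovery_floor: float          # exit from suspension; strictly above the floor
    tier_ops: tuple                # tier_ops[i]: op classes admissible at tier i
    tier_dwell: tuple              # ticks a tier must run without re-breach
    rebreach_dwell_factor: float   # escalation: dwell multiplier per re-breach

    def __post_init__(self):
        if not self.recovery_floor > self.confidence_floor:
            raise ValueError("recovery floor must be strictly above confidence floor")
        if self.rebreach_dwell_factor <= 1.0 or len(self.tier_ops) != len(self.tier_dwell):
            raise ValueError("escalation cannot be disabled; tiers and dwells must align")

class RecoveryEngine:
    def __init__(self, policy):
        self.p, self.state, self.tier, self.entered = policy, FULL, None, 0
        self.rebreaches, self.lineage = 0, []   # lineage: every transition and rejection
    def _record(self, kind, now, **detail):
        self.lineage.append({"event": kind, "t": now, **detail})
    def observe(self, confidence, now):
        """Advance the state machine on one confidence reading at tick `now`."""
        p = self.p
        if self.state != SUSPENDED and confidence < p.confidence_floor:
            kind = "suspension" if self.state == FULL else "re-breach"
            if self.state == RECOVERING:
                self.rebreaches += 1             # escalation is structural, never optional
            self.state, self.tier = SUSPENDED, None
            self._record(kind, now, confidence=confidence, rebreaches=self.rebreaches)
        elif self.state == SUSPENDED and confidence >= p.recovery_floor:
            self.state, self.tier, self.entered = RECOVERING, 0, now   # scope narrowing
            self._record("narrow", now, tier=0)
        elif self.state == RECOVERING:
            dwell = p.tier_dwell[self.tier] * p.rebreach_dwell_factor ** self.rebreaches
            if now - self.entered >= dwell:      # dwell predicate: only forward moves exist
                self.tier, self.entered = self.tier + 1, now
                if self.tier == len(p.tier_ops):
                    self.state, self.tier = FULL, None
                self._record("re-expand", now, tier=self.tier, state=self.state)
        return self.state
    def admissible(self, op_class, now):
        """Structural gate: out-of-scope proposals are rejected before any evaluation."""
        ok = self.state == FULL or (self.state == RECOVERING and
              any(op_class in ops for ops in self.p.tier_ops[: self.tier + 1]))
        if not ok:
            self._record("reject", now, op=op_class, state=self.state, tier=self.tier)
        return ok
```

A reading between the two floors leaves a suspended engine suspended, which is the hysteresis the text requires; the lineage list can be inspected after a run to reconstruct the episode.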
Alternative Embodiments
In a first alternative embodiment, the recovery process incorporates an explicit human-in-the-loop tier in which transition past a designated re-expansion stage requires affirmative authorization from a designated human supervisor. The supervisor's authorization is itself a lineage-recorded artifact carrying the supervisor identity, the timestamp, and the evidence reviewed.
In a second alternative embodiment, multiple confidence floors are configured for distinct operational dimensions — for example, perception confidence, planning confidence, and counterparty confidence — and recovery proceeds along the dimension whose floor was breached while other dimensions remain at full authorization. Composition rules in the policy reference define how multi-dimensional recovery interacts when more than one dimension has breached simultaneously.
In a third alternative embodiment, the gradual re-expansion sequence is replaced with a continuous re-expansion in which the admissible scope is parameterized by a continuous recovery index rather than discrete tiers. The dwell predicate is replaced by a moving-window stability predicate over the recovery index. Structural monotonicity is preserved: the recovery index is non-decreasing absent re-breach.
In a fourth alternative embodiment, the recovery process incorporates a quarantine tier in which the agent continues to perform admissible operations within the narrowed set but emits no externally visible side effects until the quarantine condition has been cleared by an audited reconciliation procedure. The quarantine tier is policy-configurable and is structurally distinct from suspension: operations admitted within quarantine are recorded in lineage and may be replayed once reconciliation completes, whereas operations rejected during suspension are not retained. The choice of quarantine versus suspension is determined by the breach-classification rule held in the policy reference.
In a fifth alternative embodiment, the agent participates in a multi-agent recovery protocol in which neighboring agents contribute to evidence solicitation and may temporarily assume responsibilities held by the recovering agent. The protocol is governance-bound: participating agents emit structured handoff records, and the recovering agent's lineage incorporates the contributed evidence as first-class artifacts.
Composition With Adjacent Mechanisms
Recovery composes with the composite admissibility evaluator by raising the admissibility threshold and narrowing the admissible set during the suspension and scope-narrowing phases, and by progressively relaxing these constraints during re-expansion. The evaluator does not require modification to participate in recovery; it consumes the recovery-state signals and recovery-specific calibration from the policy reference.
Recovery composes with the lineage subsystem by emitting structured records at every phase transition, evidence solicitation, evidence return, dwell satisfaction, and re-breach. The lineage record of a recovery episode is itself a queryable artifact, enabling post-hoc analysis of recovery dynamics and longitudinal evaluation of recovery-policy effectiveness.
Recovery composes with the agent's policy reference by drawing every threshold, dwell interval, escalation parameter, and admissible-set definition from the reference at runtime rather than from compiled-in defaults. Policy updates that affect recovery parameters are themselves audited events, and updates applied while the agent is mid-recovery are sequestered until the current episode terminates so that an in-flight recovery cannot be silently re-parameterized. This composition preserves the determinism of replay: a recovery episode replayed from lineage references the policy version in force at the original episode and yields identical transitions.
Recovery composes with the forecasting engine by suspending promotion of speculative branches into verified state during the suspended and narrowed phases, while allowing speculative exploration to continue within the planning subsystem. Speculative branches generated during recovery may inform the evidence-solicitation phase by identifying the operations whose admissibility would most rapidly restore confidence.
Distinction From Prior Art
Prior art in fault recovery and degraded-mode operation typically employs binary recovery semantics — the system is either in a fault state or in normal operation — or relies on operator-driven recovery in which the transition back to normal operation is unstructured and not subject to programmatic constraint. Binary semantics produce premature resumption when the underlying conditions have not actually stabilized; operator-driven recovery is unauditable and does not generalize across operational domains.
Execution authorization recovery distinguishes itself by structuring recovery as a governance-bound multi-phase process in which every transition is policy-defined, predicate-gated, lineage-recorded, and structurally prevented from short-circuiting. The dwell-and-re-expansion design is not a heuristic but a structural property; the hysteretic separation between confidence floor and recovery floor is a structural property; the immutability of the calibration ordering is a structural property. These properties together define the mechanism's scope.
Implementation Properties
Recovery preserves several structural invariants. First, monotonic re-expansion absent re-breach: between re-breach events, the admissible scope is non-decreasing across phase transitions. The implementation enforces this by representing the active tier as a single policy-bound state variable whose update function admits only forward transitions when the dwell predicate is satisfied. Second, hysteresis between entry and exit: the confidence floor and the recovery floor are distinct parameters, with the recovery floor strictly above the floor that triggered entry. The hysteresis prevents the system from flickering between suspension and recovery under marginal confidence noise, and the strict-ordering invariant is enforced at policy-load time so that misconfigurations cannot reach a running engine.
Third, lineage completeness: every recovery episode is reconstructable from its lineage. A consumer presented with a recovery episode identifier can resolve the lineage to recover the entry breach signals, the policy parameters in force, every evidence request and response, every dwell satisfaction or re-breach, and every transition timestamp. Fourth, structural prevention of short-circuit: there is no implementation pathway by which an agent under recovery can reach full authorization without traversing the dwell predicates of intervening tiers. The transition function is total over its inputs and rejects any candidate transition that does not match a policy-defined predicate, with the rejection itself recorded in lineage as a structured event.
Disclosure Scope
The disclosure encompasses any structured authorization-recovery procedure in which suspension, scope narrowing, evidence solicitation, and gradual re-expansion are governed by policy-defined predicates and recorded in lineage, regardless of the specific phase decomposition, the specific evidence sources, or the specific representation of the admissible set. Embodiments described herein are exemplary; the structural properties of multi-phase progression, predicate-gated transition, hysteretic threshold separation, and lineage-recorded re-expansion define the scope of the claim.