Execution as Revocable Permission
by Nick Clark | Published March 27, 2026
Permission to execute is not a granted state that persists until rescinded. It is a continuously recomputed authorization whose scope contracts in real time as confidence collapses or as evidence shifts. When the supporting evidence weakens, the permission's scope narrows; when it weakens further, the permission terminates. This article describes the structural mechanism by which scope is bound to evidence, the recomputation cycle that re-evaluates the binding, and the hysteresis controls that prevent oscillation while preserving prompt revocation.
Mechanism
The revocable-permission mechanism treats every authorization to execute as a binding between a scope descriptor and an evidence vector. The scope descriptor enumerates the actions, resources, and side-effect classes that the permission admits. The evidence vector enumerates the structured inputs whose values support the permission: confidence values, attestations, lineage records, policy version, and any domain-specific signals declared in the policy reference. The binding is held by the agent's confidence governor, which recomputes it on every evaluation cycle.
Recomputation produces one of three outcomes. The first outcome is unchanged scope, indicating that the evidence continues to support the existing binding. The second outcome is contracted scope, indicating that some component of the evidence has weakened sufficiently that a strict subset of the previous scope remains supported. The third outcome is full revocation, indicating that the evidence no longer supports any portion of the previous scope. Each outcome is recorded in the agent's lineage with the inputs, the computed outcome, and the policy version under which the computation was performed.
Scope contraction is not a soft signal. It is a structural change in the binding held by the governor, and any subsequent action that would have been admissible under the prior scope but falls outside the contracted scope is rejected at the gate. The agent does not consult the contracted scope as a recommendation; the gate enforces it as a precondition for action. The same applies to revocation: the moment the binding terminates, no action of any class is admitted until a new binding is established by recomputation against fresh evidence.
The recomputation cycle is driven both by time and by event. A periodic cycle ensures that no binding outlives a configured maximum age without re-evaluation. Event-driven cycles are triggered by the arrival of evidence whose magnitude or class is declared in the policy reference as material to scope. The combination ensures that revocation is prompt with respect to material evidence and is bounded with respect to elapsed time.
Operating Parameters
The mechanism is configured by parameters declared in the policy reference. The evidence vector specification declares which structured inputs are admissible as evidence, the canonical fields from which they are drawn, and the canonicalization rules that determine how their values are compared across cycles. The scope grammar declares the structure of admissible scope descriptors, including the action classes, the resource references, and the side-effect classes that may appear. The binding function declares how an evidence vector maps to a scope descriptor; the function is deterministic, and identical evidence produces identical scope.
Hysteresis parameters prevent oscillation near contraction or revocation thresholds. A contraction margin specifies the minimum evidence change required to contract a scope, and a restoration margin, larger than the contraction margin, specifies the minimum evidence change required to restore a previously contracted scope. The asymmetry ensures that scope does not flap near a threshold. Time-based hysteresis introduces minimum dwell times in contracted or revoked states, preventing rapid re-expansion that would defeat the conservative posture motivating contraction.
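The following sketch is an added example, not code from the article or the patent it describes. It shows a threshold binding function with asymmetric hysteresis margins and a dwell time, enforced at a gate. The tier thresholds, margin values, action names, and the reading of each margin as an offset from the tier threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed policy (assumption): scope tiers ordered widest first, each with
# the minimum confidence that supports it. The last tier is full revocation.
TIERS = [
    (0.90, frozenset({"read", "write", "deploy"})),
    (0.70, frozenset({"read", "write"})),
    (0.40, frozenset({"read"})),
    (0.00, frozenset()),
]
CONTRACT_MARGIN = 0.02  # confidence must fall this far below a threshold to contract
RESTORE_MARGIN = 0.08   # larger margin that confidence must clear to restore
MIN_DWELL = 30.0        # seconds a contracted or revoked binding must be held


@dataclass
class Governor:
    tier: int = 0                       # index into TIERS; 0 is the widest scope
    changed_at: float = float("-inf")   # time of the last scope change

    def recompute(self, confidence: float, now: float) -> str:
        """Re-evaluate the binding for one cycle and return the outcome."""
        # Contraction is immediate: walk down until the tier is supported.
        target = self.tier
        while (target < len(TIERS) - 1
               and confidence < TIERS[target][0] - CONTRACT_MARGIN):
            target += 1
        if target > self.tier:
            self.tier, self.changed_at = target, now
            return "contracted" if TIERS[target][1] else "revoked"
        # Restoration needs the larger margin and an elapsed dwell time.
        target = self.tier
        while target > 0 and confidence >= TIERS[target - 1][0] + RESTORE_MARGIN:
            target -= 1
        if target < self.tier and now - self.changed_at >= MIN_DWELL:
            self.tier, self.changed_at = target, now
            return "restored"
        return "unchanged"

    def gate(self, action: str) -> bool:
        """Admit an action only if it lies inside the currently bound scope."""
        return action in TIERS[self.tier][1]
```

Contraction takes effect on the cycle that observes the weakened evidence, while restoration is refused until both the restoration margin and the dwell time are satisfied.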
Promptness parameters bound the latency between material evidence change and the corresponding scope change. The maximum cycle period bounds the time between periodic recomputations. The event-trigger latency bounds the time between event arrival and the cycle that processes it. Together, these parameters yield a worst-case bound on revocation latency that can be analyzed against the agent's deployment requirements.
Alternative Embodiments
The mechanism accommodates multiple embodiments without altering its structural commitments. In a single-governor embodiment, one confidence governor holds all bindings for the agent. In a partitioned embodiment, multiple governors each hold bindings for a partition of the agent's scope grammar, with the partition declared in the policy reference. In a federated embodiment, governors operate across distinct trust domains and the agent's effective scope is the intersection of the bindings held by the relevant governors.
The binding function admits multiple realizations. In a threshold embodiment, the function maps confidence values to scope by selecting the largest scope descriptor whose admissibility predicate is satisfied at the current confidence. In a piecewise embodiment, the function decomposes the scope grammar into bands, each associated with an evidence range. In a learned embodiment, the function is a deterministic interpretation of a model whose parameters were fit offline; the model is not consulted online in any way that would permit drift, but is invoked as a fixed function whose outputs depend solely on its declared inputs.
Restoration of revoked scope admits embodiments differing in the strength of evidence required. In a symmetric embodiment, the same evidence threshold governs both revocation and restoration, modulated only by the hysteresis margin. In an asymmetric embodiment, restoration requires evidence of strictly higher quality, such as fresh attestation or human acknowledgement, beyond the threshold that originally supported the binding. The asymmetric embodiment is appropriate in safety-critical domains where the cost of false restoration exceeds the cost of conservative non-restoration.
Composition with Adjacent Mechanisms
The revocable-permission mechanism composes with the agent's inference-control subsystem. Inference proceeds along a semantic graph in which each transition is admitted only if the action class it represents lies within the current scope. A scope contraction therefore halts inference along any branch whose next transition has been excluded, without requiring a separate halt mechanism. The semantic execution mechanism and the revocable-permission mechanism share the same gate, and the gate is consistent across them.
The mechanism composes with the lineage subsystem by recording every binding, every contraction, and every revocation event in the agent's structured lineage. Forensic review can therefore reconstruct, for any action that the agent performed or refused, the binding under which the gate evaluated the action and the evidence vector that supported the binding. Reconstruction is exact because the binding function is deterministic and the policy version is recorded.
The mechanism composes with the skill-gating pipeline by treating the activation record of a skill as one component of the evidence vector for any binding that authorizes execution of that skill. Revocation of a skill therefore produces immediate scope contraction in every binding that depended on it, without requiring a separate cascade mechanism. The cascade is a structural consequence of the evidence-vector design rather than a procedural step appended to revocation.
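The lineage and skill-gating compositions described above can be illustrated together. This is an added example, not code from the article or the patent: skill activation records sit inside the evidence vector, every recomputation is appended to a lineage, and a replay re-derives each recorded scope from its recorded evidence. The policy table, skill names, record layout, and the "rebound" label for a newly established binding are assumptions.

```python
import json

POLICY_VERSION = "policy-v1"  # constructed placeholder
# Constructed policy: each action needs a minimum confidence and an active skill.
REQUIRES = {
    "query_db": (0.5, "sql"),
    "send_email": (0.7, "mail"),
    "deploy": (0.9, "ci"),
}


def bind(evidence: dict) -> list:
    """Deterministic binding function: identical evidence yields identical scope."""
    return sorted(
        action for action, (min_conf, skill) in REQUIRES.items()
        if evidence["confidence"] >= min_conf
        and evidence["skills"].get(skill) == "active"
    )


def recompute(lineage: list, evidence: dict) -> str:
    """Run one cycle, append the record to the lineage, and return the outcome."""
    scope = bind(evidence)
    prev = lineage[-1]["scope"] if lineage else None
    if scope == prev:
        outcome = "unchanged"
    elif not scope:
        outcome = "revoked"
    elif prev is not None and set(scope) < set(prev):
        outcome = "contracted"
    else:
        outcome = "rebound"  # a new binding established against fresh evidence
    lineage.append({
        "evidence": json.dumps(evidence, sort_keys=True),  # canonical form
        "scope": scope,
        "outcome": outcome,
        "policy": POLICY_VERSION,
    })
    return outcome


def replay(lineage: list) -> int:
    """Return the index of the first record that fails to reproduce, or -1."""
    for i, rec in enumerate(lineage):
        if (rec["policy"] != POLICY_VERSION
                or bind(json.loads(rec["evidence"])) != rec["scope"]):
            return i
    return -1
```

Marking a skill as anything other than active in the evidence removes the dependent action on the next cycle with no separate cascade step, and a record whose scope was altered after the fact fails replay.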
Prior-Art Distinction
Conventional access-control systems treat permissions as durable grants that persist until explicitly revoked. The grant is a record in an authorization store, and revocation is a write to the store followed by cache invalidation across consumers. The latency of revocation is bounded by the cache architecture rather than by the structure of the permission. Conventional systems also treat the grant as binary: a principal either holds the permission or does not, with no provision for graded contraction in response to evidence.
Conventional autonomous-system safety architectures likewise treat authorization as a static configuration: a vehicle is either authorized to operate in a domain or it is not, and changes are made by configuration rather than by continuous re-evaluation. When evidence weakens, the system either continues to operate at full authority until a configuration change or fails to a safe state, with no intermediate posture available structurally.
The mechanism described here departs from both patterns by binding the permission to an evidence vector that is recomputed on every cycle, by admitting graded contraction as a structural primitive, and by enforcing the binding through the same gate that admits actions. The permission is not a record in a store; it is a continuously recomputed function of the agent's current evidence, and the gate is the only authority that admits actions under it.
Disclosure Scope
This article describes the revocable-permission mechanism as defined in Chapter 5 of the cognition patent. The mechanism is disclosed at a level sufficient for a person of ordinary skill in the art of governed autonomous systems to construct an embodiment without undue experimentation. The evidence vector, scope grammar, binding function, hysteresis controls, and recomputation cycle are declared as policy-bound rather than implementation-bound, and the disclosure encompasses any embodiment in which scope is held as a binding to evidence and recomputed deterministically against declared inputs.
The disclosure scope extends to embodiments in which the binding function is realized as a threshold predicate, a piecewise function, a deterministic interpretation of a learned model, or any composition thereof, provided the function is deterministic and its inputs are drawn from the canonical fields declared in policy. It extends to embodiments in which the recomputation cycle is periodic, event-driven, or both, and to embodiments in which restoration of revoked scope requires evidence of strictly higher quality than the evidence that originally supported the binding.
The disclosure does not encompass embodiments in which permission is held as a durable grant in an authorization store and revocation is performed by cache invalidation, in which the binding function is non-deterministic, or in which the policy reference does not declare the evidence vector and scope grammar. Such embodiments lack the structural commitments that make the mechanism promptly revocable and are outside the scope of the present disclosure.
The disclosure further encompasses embodiments in which the evidence vector includes signals derived from external attestations, including attestations issued by remote verifiers, attestations produced by sensor fusion subsystems, and attestations produced by human acknowledgement events. Each such signal is treated structurally as a field in the evidence vector whose canonicalization, freshness window, and admissibility predicate are declared in policy. The mechanism is indifferent to the source of an attestation insofar as the policy declares its structural form, and identical attestations produce identical contributions to scope. The composition of multiple attestations is itself a deterministic function declared in policy, whether expressed as a conjunction, a weighted sum subject to a threshold, or a more elaborate composition rule.
The disclosure encompasses, in addition, embodiments in which the scope grammar is partitioned by deployment domain, with each partition declaring its own action classes, resource references, and side-effect classes. A partitioned grammar permits the same agent to operate under different effective scope vocabularies in different deployment contexts, with the binding function consulting the partition declared in policy as an additional input. The structural commitment that the binding is a deterministic function of declared inputs is preserved across all partitions, and the cross-partition behavior of the agent is itself an artifact subject to lineage recording and forensic review.