Lineage-Preserving Cross-Mesh Import

Mechanism

A cross-mesh import is structured as a typed observation in the receiving mesh whose payload is the imported observation's serialization, including its complete lineage chain as published in the source mesh. The import observation declares: the source-mesh identifier; the source-mesh observation identifier; the import authority (a credentialed entity in the receiving mesh authorized to perform imports of the relevant subject class); the receiving-mesh admissibility evaluation result; and the import timestamp anchored against the receiving mesh's monotonic clock.

The import authority signs the outer envelope. The signature covers the import-act assertions (source identifiers, admissibility result, timestamp) and the cryptographic identifier of the inner payload, but does not re-sign the inner observation's substantive content. The inner observation retains its original signatures, its original credentialing chain, and its original lineage references back through the source mesh. A receiver presented with the imported observation evaluates two distinct credential chains: the outer chain validates the import act under the receiving mesh's governance, and the inner chain validates the substantive observation under the source mesh's governance.

Walk-back is structural. A downstream operation in the receiving mesh, or in any further mesh that subsequently imports from the receiving mesh, can recursively unwrap the import envelopes to reach the original signer. Each unwrap step exposes the import authority that performed that step, allowing a reviewer to reconstruct the full path the observation traveled across mesh boundaries. Where intermediate meshes performed transformations or admissibility-conditional restrictions, those acts appear as additional layers in the chain, not as silent modifications to the substantive content.

The mechanism composes with no-consensus federation: the receiving mesh does not require agreement from the source mesh on the import act, and the source mesh does not require notification of the import. The cryptographic chain is sufficient to validate the imported observation without any synchronous protocol between meshes. This independence is essential for coalition operations where meshes may be intermittently connected or operated under independent governance regimes that do not admit cross-mesh consensus protocols.

Operating Parameters

The import authority is parameterized by subject class, source-mesh class, and admissibility-evaluator binding. An import authority may be admitted with scope "imports of safety-cascade observations from coalition-member meshes," for example, and may not perform imports outside that scope. The scope declaration is itself a governance-credentialed object in the receiving mesh; revocation of an import authority's scope is recorded as a credentialed governance act and applies prospectively without invalidating prior imports.

Admissibility evaluation is configurable along several axes: source-mesh authority recognition (which source-mesh credentialing chains the receiving mesh accepts), subject-matter scope (which observation types may be imported), temporal scope (acceptable age of source observations), and conditional predicates over receiving-mesh state. The admissibility evaluator's decision, including the rule applied and the input state observed, is recorded in the outer envelope and is part of the import observation's lineage.

Source-mesh trust anchors are configured through governance acts that name specific source-mesh identifiers and bind them to root credentialing keys. A new source-mesh trust anchor is added by governance signature; subsequent imports from that source mesh are evaluable. The trust-anchor configuration is versioned, and historical imports remain evaluable against the trust anchors in force at import time.

Recursion depth is bounded by configurable policy. An imported observation that itself contains imports from yet earlier meshes presents a multi-layer chain; receivers may apply policy bounds on the depth they will evaluate, with deeper chains either rejected or admitted with a flagged status. The bound is itself a credentialed configuration object.

Alternative Embodiments

In one embodiment, the import envelope is implemented as a signed JSON object referencing the inner payload by content hash, with the inner payload retained alongside in the receiving mesh store. In a second embodiment, the import envelope and inner payload are concatenated in a single signed binary object using a nested attestation format such as a COSE-encoded structure with embedded source-mesh COSE structures. In a third embodiment, the inner payload is retained only by reference (content-addressed) with retrieval on demand from a content-addressable store shared between meshes.

A fourth embodiment supports partial import: the receiving mesh imports only a subset of the source observation's fields, with the omitted fields replaced by a signed omission marker that names the omitted fields and the import-authority justification. The omission marker preserves the integrity claim over the imported fields without forging a claim about the omitted ones.

A fifth embodiment supports translated import: where the receiving mesh's schema differs from the source mesh's, the import authority emits a translation observation alongside the import, mapping source fields to receiving-mesh fields under a credentialed schema-mapping rule. The original payload is retained unmodified; the translation is a separately credentialed object whose lineage references both the import and the schema-mapping rule.

A sixth embodiment supports batch import, in which a sequence of source-mesh observations is imported under a single outer envelope with a Merkle-tree binding, enabling per-observation walk-back without per-observation envelope overhead. This embodiment is appropriate for high-volume cross-mesh feeds.

Composition With Other Mesh Features

Lineage-preserving import composes with cross-domain cascade composition: a cross-domain mapping originating in the source mesh may be imported into the receiving mesh with its full five-property chain intact, and a receiving-mesh composition authority may extend the chain with further mappings into receiving-mesh domains. The cross-mesh boundary appears as a layer in the lineage but does not break the cascade chain.

Composition with multi-authority resolution: an imported observation may participate as a source in a receiving-mesh resolution, and the resolution observation's lineage will reference the imported observation's outer envelope, transitively reaching the source-mesh signer. Where the receiving mesh's precedence rules differ from the source mesh's, the resolution authority's selection is recorded explicitly, with the source-mesh precedence remaining visible for forensic review.

Composition with the dispute mechanism allows a downstream party to dispute an import act (alleging that the import authority exceeded its scope, or that the admissibility evaluation was performed in error) without disputing the substantive source-mesh observation, or vice versa. The dispute targets a specific layer of the chain and is itself a credentialed observation whose lineage is preserved.

Composition with byzantine-robust handling allows the receiving mesh to import multiple corroborating observations from independent source meshes covering the same subject and to evaluate them under byzantine-robust admissibility. The lineage chain of each imported observation is independently preserved; corroboration does not collapse the chains into a single representative observation.

Distinction From Prior Art

Lineage-preserving import is distinct from CRDT replication. Conflict-free replicated data types propagate state across replicas with eventual convergence under merge functions, but they do not preserve per-update credentialing chains: the converged state names no signer, and a reviewer cannot walk from a converged value back to the contributing original updates. The present mechanism is structurally orthogonal to CRDT replication; the imported observations retain identity and chain rather than merging into a converged value.

The mechanism is distinct from blockchain bridges and analogous cross-chain transfer mechanisms. Bridges typically require consensus participation (a quorum on the bridge contract or relayer set) to admit a foreign observation, binding the receiving chain to the bridge's consensus assumptions. The present mechanism admits an imported observation under the receiving mesh's local admissibility evaluation alone; no cross-mesh consensus is required, and the receiving mesh's governance retains independent control over which source-mesh authorities it recognizes.

The mechanism is distinct from data-warehouse ETL and analogous integration pipelines, which extract source data, transform it under integration rules, and load it into a target store. ETL pipelines characteristically discard source lineage in favor of integration-target schema conformance; where lineage is retained, it is recorded as separate metadata rather than as a cryptographic chain whose validity can be verified by downstream consumers without consulting the integration system. The present mechanism's nested attestation is verifiable against source-mesh trust anchors directly; the receiving mesh need not be consulted to validate the inner chain.

The mechanism is further distinct from federated identity protocols (SAML, OIDC) which assert claims across trust boundaries but do not generally preserve a verifiable end-to-end chain to the original credentialing authority through arbitrary intermediate hops. The combination of nested attestation, no-consensus admission, and recursive walk-back is the structural distinction.

Disclosure Scope

The disclosure encompasses the nested-attestation envelope, the import-authority credentialing class, the configurable admissibility evaluator, the source-mesh trust-anchor mechanism, and the recursive walk-back capability. The disclosure encompasses single-layer, multi-layer, partial, translated, and batch import embodiments. The disclosure encompasses composition with cross-domain cascade composition, multi-authority resolution, dispute mechanisms, and byzantine-robust corroboration.

The disclosure encompasses applications in cross-organization mesh integration, cross-jurisdiction integration, coalition operations, and any further application in which observations generated under one mesh's governance are made available within another mesh's governance with end-to-end auditable lineage.