Containment Collapse: Loss of the Speculation-Verification Boundary

Mechanism

The cognition system maintains two structurally distinct content stores. The planning graph holds speculative content: hypotheses, simulated outcomes, candidate actions, and counterfactual branches. Verified memory holds content that has passed the promotion gate, which is the predicate function that admits items into verified status only after their evidentiary requirements have been satisfied and their provenance attested. The boundary between the two is enforced by the promotion gate as a one-way valve: items move from planning into verified memory only by passing through the gate, and consumers of verified memory rely on this invariant when constructing actions.

Containment collapse is the failure of this invariant. The collapse is not typically a single catastrophic event but a cascade. An initial leak occurs when an item enters verified memory through a path other than the promotion gate, or when the gate admits an item that should have been rejected. The leaked item is now indistinguishable from genuinely verified content to downstream consumers. When the agent's reasoning processes encounter the leaked item, they treat it as evidence and use it to satisfy the evidentiary requirements of further promotion-gate decisions. The next batch of admissions is therefore validated, in part, against contaminated evidence, and the gate's effective threshold drops. Subsequent leaks face a weaker barrier, the contamination compounds, and the boundary progressively dissolves.

The architectural analog is the loss of reality testing in psychotic states, where internally generated content is treated as external observation. The structural mechanism is the same: a content store that should have a one-way provenance invariant loses that invariant, and the consuming processes have no way to distinguish the source of items they encounter.

Operating Parameters: Cross-Domain Coherence Monitoring

Detection of containment collapse from within the affected domain is unreliable because the affected domain has lost the metacognitive ability to evaluate its own evidentiary state. The disclosed detection mechanism is therefore cross-domain. The system instruments multiple cognitive domains, each maintaining its own promotion gate and verified memory, and computes coherence statistics across them.

The primary statistic is provenance coherence, defined as the fraction of items in a domain's verified memory whose lineage is fully reconstructible to authenticated source events. A healthy domain maintains provenance coherence near unity. A leaking domain drops below a threshold whose specific value is a deployment parameter, typically set tight enough that early-stage cascades are caught before contamination compounds.

The secondary statistic is cross-domain consistency, measured by selecting items that are referenced by multiple domains and comparing the verified-memory representations across them. Inconsistencies that cannot be explained by domain-specific scope are flagged as indicators that one of the domains has admitted content the others have not. The third statistic is action-evidence ratio, which compares the rate of action commitments to the rate of fully attested evidence accumulation. A spike in commitments without a corresponding spike in evidence is consistent with a domain acting on speculative content as if verified.

The three statistics are combined into a containment health index per domain, and the index is itself an input to the agent's higher-level governance, which can throttle the affected domain's execution authority before remediation begins.

Alternative Embodiments

In a content-tagging embodiment, every item in either store carries an explicit provenance tag that follows the item through all subsequent operations. Boundary leakage manifests as items in verified memory whose tag indicates speculative origin, and detection becomes a local scan rather than a coherence computation. This embodiment incurs storage overhead but provides immediate, point-in-time verifiability.

In a cryptographic-attestation embodiment, every promotion-gate decision produces a signed attestation, and verified memory entries are accepted by consumers only when accompanied by a valid attestation. Leakage manifests as items without attestations or with attestations that do not verify. This embodiment integrates with the cryptographic governance subsystem and produces tamper-evident detection.

In a shadow-store embodiment, the system maintains a parallel verified memory populated only by the formal promotion gate, alongside the operational verified memory that the agent uses for action. Periodic comparison between the two stores detects leakage as divergence. This embodiment is preferred in deployments where retrofitting tags or attestations onto existing memory structures is impractical.

Remediation embodiments vary in their handling of the contaminated state. A quarantine remediation marks the affected domain as non-executing, preserves the contaminated memory for forensic analysis, and rebuilds verified memory by replaying authenticated source events through the original promotion gate. A rollback remediation reverts the domain to a checkpoint known to predate the cascade. A surgical remediation identifies and removes only the items whose provenance fails attestation, preserving the rest. Surgical remediation is the least disruptive but requires that the contamination be localized.

Composition Within The Disruption Model

Containment collapse is one of several disruption patterns the cognition system models, and its detection composes with the detection of other patterns through the shared governance log. The same lineage records that support coherence monitoring also support attention-fragmentation detection, intent-drift detection, and goal-corruption detection. A single instrumentation pass produces evidence for the full pattern catalog.

Composition with execution authority is structural: the containment health index gates the agent's ability to commit irreversible actions. A domain whose index drops below the action threshold can continue to reason internally but cannot effect changes in the external world until the index recovers. This is the architectural realization of "non-executing cognitive mode," and it allows the agent to remain useful for advisory output while remediation proceeds.

Composition with the cryptographic-governance subsystem is what makes the detection trustworthy. Coherence statistics computed over an unauthenticated lineage can themselves be manipulated; computed over a signed governance log, they are as trustworthy as the root key. A consumer of the agent's outputs can independently audit the containment health of every contributing domain.

Cascade Dynamics And Cross-Domain Spread

Containment collapse rarely remains confined to the domain in which it originates. Cognitive domains in the disclosed architecture share content through controlled interfaces: a domain that has verified an item may publish it as evidence to peer domains, and peer domains rely on the publishing domain's promotion gate when accepting the item. When the publishing domain is leaking, it propagates contaminated items to peers, and the peers' verification pipelines now operate against contaminated upstream evidence. The cascade therefore exhibits two distinct dynamics: intra-domain compounding, in which the affected domain's threshold progressively erodes, and inter-domain spread, in which the contamination front advances through the graph of peer dependencies.

The cross-domain coherence monitoring is specifically structured to catch the second dynamic. Because the monitoring computes statistics across domains and not within any single domain, a leaking publisher and a previously healthy consumer will register a divergence in their shared items even before the consumer's own promotion gate has been compromised. Early divergence is the key signal: it allows containment to be enforced at the publisher boundary before contamination establishes itself in consumer memories that would then require independent remediation.

The propagation rate is a function of the publication topology and the verification thresholds in the consuming domains. Sparse topologies with high consumer thresholds slow the cascade and provide longer detection windows; dense topologies with low thresholds compress the window and require tighter coherence-statistic thresholds and faster remediation pipelines. Deployment tuning balances detection latency against false-positive rate, with the containment health index providing a continuous signal rather than a binary classification.

Distinction From Prior Art

Database isolation, transactional consistency, and information-flow control all address related problems but do not model the agent-level failure where speculative content contaminates the basis for action. Anomaly-detection systems flag unusual behavior but do not attribute it to a specific architectural failure mode with a specific remediation. Computational psychiatry models reason about analogous human conditions but do not specify a system architecture in which the conditions are detectable and remediable.

The distinguishing combination is the explicit structural boundary, the cross-domain coherence monitoring that detects boundary failure from outside the affected domain, the integration with execution authority that contains the consequences of detection, and the remediation embodiments that restore the boundary while preserving the agent's verifiable state.

Scope Of This Disclosure

This article discloses containment collapse as a structural failure mode of cognition systems with promotion-gated verified memory, the cross-domain coherence monitoring that detects it, and the alternative embodiments for instrumentation and remediation. Variations in coherence statistics, threshold parameters, embodiment form, and remediation strategy are within scope provided that the boundary is structural rather than purely procedural, that detection operates from outside the affected domain, and that remediation restores the provenance invariant under which downstream consumers operate.