Lineage Evidence Admissibility
by Nick Clark | Published April 25, 2026
Environmental disruption events enter downstream operations as evidence whose admissibility is determined by the credentialing of its lineage chain rather than by the asserted contents of the event alone. Provenance-bound evidence weighting requires that every contributing observation, every processing primitive, and every classification step be recorded with credentials traceable to a recognised issuing authority; evidence is admissible to a downstream environmental observation only when its entire lineage chain is credentialed against the consumer's declared admissibility profile. Weighting follows credentialing: corroboration strength, sensor authority, and processing pedigree determine the weight assigned to the evidence in the consumer's decision.
Mechanism
Each environmental event record is published as a lineage-bound evidence object. The object carries the set of contributing observations (each with its sensor identifier, sensor attestation, observation timestamp, and observation signature), the processing primitives applied (each with its primitive identifier, primitive version, primitive signature, and the inputs and outputs of the primitive invocation), the classification result (with the classifier identity, classifier attestation, and classification confidence), and a signature chain that binds each step to the preceding step so that the entire evidence object is tamper-evident as a unit.
A downstream consumer that wishes to admit the evidence into one of its own observations declares an admissibility profile. The profile enumerates the sensor authorities the consumer accepts, the processing primitives the consumer recognises, the freshness bounds within which observations remain admissible, the minimum classifier confidence the consumer requires, and the corroboration topology the consumer demands (for example, two independent sensor authorities, or two independent classifier instances over the same observation set). The consumer's admissibility evaluator traverses the lineage chain of the evidence object, verifies each credential against its issuing authority, and returns an admissibility verdict together with a weighting derived from the chain's credentialing strength.
Weighting is provenance-bound rather than asserted. A classification carrying a confidence of 0.95 from a classifier whose attestation chain terminates at an unrecognised authority is admitted with the consumer's default unrecognised-authority weight, which may be zero, regardless of the asserted confidence. A classification carrying a confidence of 0.6 from a classifier whose attestation chain terminates at a high-trust authority and whose contributing observations are corroborated across two independent sensor authorities may be admitted with substantial weight despite the lower asserted confidence. The architecture makes the weighting function structural so that consumers cannot inadvertently admit evidence whose credentialing does not support the asserted confidence.
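The traversal and weighting described above can be sketched as follows; this is an added example, not code from the disclosure. It assumes a linear chain (no fan-in), a SHA-256 hash link standing in for the per-step signature and credential verification, a multiplicative weighting, and hypothetical authority names, field names and trust values.

```python
import hashlib, json

def step_digest(step, prev):
    # Hash link stands in for the per-step signature (assumption of this sketch).
    body = {k: v for k, v in step.items() if k != "link"}
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def seal(steps):
    # Producer side: bind each step to the preceding one.
    prev = ""
    for s in steps:
        s["link"] = prev = step_digest(s, prev)
    return steps

def evaluate(steps, profile, now):
    # Consumer side: traverse the chain and return (verdict, weight).
    prev, weight, sensor_auths = "", 1.0, set()
    for s in steps:
        if s.get("link") != step_digest(s, prev):
            return "reject:tampered", 0.0
        prev = s["link"]
        trust = profile["authorities"].get(s["authority"], profile["unrecognised_weight"])
        weight *= trust  # multiplicative variant; asserted confidence is never a factor
        if s["kind"] == "observation":
            if now - s["ts"] > profile["max_age_s"]:
                return "reject:stale", 0.0
            if trust > 0:
                sensor_auths.add(s["authority"])
        elif s["kind"] == "classification" and s["confidence"] < profile["min_confidence"]:
            return "reject:low-confidence", 0.0
    if len(sensor_auths) < profile["min_sensor_authorities"]:
        return "reject:uncorroborated", 0.0
    return ("admit" if weight > 0 else "admit:zero-weight"), round(weight, 4)

# Constructed profile and evidence; all names and values are hypothetical.
PROFILE = {"authorities": {"sensor-auth-a": 0.9, "sensor-auth-b": 0.9,
                           "primitive-auth": 1.0, "classifier-auth-high": 0.95},
           "unrecognised_weight": 0.0, "max_age_s": 600,
           "min_confidence": 0.5, "min_sensor_authorities": 2}

def chain(classifier_authority, confidence):
    return seal([
        {"kind": "observation", "authority": "sensor-auth-a", "ts": 1000},
        {"kind": "observation", "authority": "sensor-auth-b", "ts": 1010},
        {"kind": "primitive", "authority": "primitive-auth", "id": "denoise", "version": "1.2"},
        {"kind": "classification", "authority": classifier_authority, "confidence": confidence},
    ])

def demo(now=1200):
    trusted = evaluate(chain("classifier-auth-high", 0.6), PROFILE, now)
    unknown = evaluate(chain("unrecognised-lab", 0.95), PROFILE, now)
    edited = chain("classifier-auth-high", 0.6)
    edited[3]["confidence"] = 0.99  # altered after sealing
    return trusted, unknown, evaluate(edited, PROFILE, now)
```

An unkeyed hash link only detects accidental or naive edits; a deployment would verify an asymmetric signature per step against the issuing authority's key.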
Evaluation is structurally idempotent and produces an admission record that is itself a lineage-bound object. The record carries the evidence object's identifier, the consumer's profile version identifier, the per-step credential verdicts produced during traversal, the resulting admission verdict, the resulting weight, and a signature of the consumer that binds the verdicts to the moment of evaluation. Re-evaluation of the same evidence under the same profile version at a later moment may produce a different admission record if any constituent credential has expired, been revoked, or had its issuing authority's recognition status changed in the consumer's profile; the prior admission record remains in lineage as a historical fact of how the consumer admitted at that earlier moment, while the later record reflects the present state. This dual-record discipline is the mechanism by which downstream audit can reconstruct both what was known at decision time and what would have been known under a later epistemic state.
Operating Parameters
Admissibility evaluation latency is bounded by the depth and fan-in of the lineage chain. Production deployments hold per-event evaluation under tens of milliseconds for chains of typical depth by precomputing credential validation for stable authorities and refreshing only the credentials that have aged beyond their declared freshness windows. Sensor attestation freshness is parameterised: high-rate sensors refresh attestations on a faster cycle than low-rate sensors, and the consumer's profile declares the maximum admissible attestation age per sensor class.
Different downstream operations carry different profiles. Defence engagement decisions typically demand multi-authority corroboration, recent attestations, high classifier confidence, and full primitive pedigree; alerting and triage operations typically admit single-authority preliminary evidence with broader freshness windows in exchange for lower assigned weight; civilian critical-infrastructure decisions sit between these poles and are often calibrated to sectoral regulatory expectations. The architecture supports the profile diversity without privileging any particular profile, and consumers may operate with multiple profiles simultaneously, admitting the same evidence object into different downstream operations with different weights.
Disputed evidence is handled through the dispute resolution primitive. When a consumer's admissibility evaluator returns a contested verdict (for example, where one credential in the chain is pending revocation review), the consumer may either refuse to admit, admit with a graduated-response weighting that reflects the dispute, or escalate to a higher authority for resolution. The dispute and its resolution are themselves recorded in the consumer's lineage so that downstream audit can recover the dispute history. Byzantine-robust admissibility tolerates a bounded fraction of compromised credentialing authorities within a corroboration set, with the bound declared per profile.
Alternative Embodiments
In one embodiment, the lineage chain is carried in-band with the evidence object as a self-contained signed structure; the consumer requires no external lookup to evaluate admissibility, at the cost of a larger evidence object. In a second embodiment, the lineage chain is carried as a chain of references resolved against a lineage retention service operated by the producing authority; the evidence object is compact, at the cost of a dependence on the retention service's availability. In a third embodiment, the chain is hybrid: critical credentials and signatures are in-band while bulk observation data is by reference, balancing object size against availability dependence.
Weighting functions admit several variants. A multiplicative weighting combines per-step credential strengths into a single scalar; an additive weighting accumulates evidence-quality contributions; a vector weighting preserves multiple weighting axes (sensor authority, classifier authority, corroboration depth, freshness) for downstream interpretation. The architecture is agnostic to the weighting language so long as the function is deterministic, declared in the consumer's profile, and bound to the lineage record of the admission decision.
Profiles may be static, dynamic, or mission-conditioned. Static profiles are fixed at deployment; dynamic profiles update through governance procedures as regulatory expectations evolve; mission-conditioned profiles are selected from a profile set by the consumer's declared mission posture at evaluation time. The selected profile is recorded with the admission decision so that downstream audit can reconstruct which profile governed which admission. Profile versioning is signature-bound: each profile version is signed by the consumer's governing authority, and the signature is committed to in every admission decision so that retroactive substitution of a different profile cannot be performed without detection by any party with access to the public verification key of the consumer.
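The dual-record discipline from the Mechanism section and the signature-bound profile versioning above can be shown together in one append-only admission log; this is an added example, not code from the disclosure. It assumes an HMAC as a stand-in for the consumer's asymmetric signature, a fixed per-profile admit weight in place of a full weighting function, and hypothetical identifiers throughout.

```python
import hashlib, hmac, json

CONSUMER_KEY = b"constructed-demo-key"  # HMAC stands in for the consumer's signature

def canon(obj):
    return json.dumps(obj, sort_keys=True).encode()

def commitment(profile):
    # Digest of the exact profile version that governed the decision.
    return hashlib.sha256(canon(profile)).hexdigest()

def sign(record):
    body = {k: v for k, v in record.items() if k != "sig"}
    return hmac.new(CONSUMER_KEY, canon(body), hashlib.sha256).hexdigest()

def admit(log, evidence_id, credentials, profile, cred_state, now):
    # Evaluate against the credential states known at `now`; append, never overwrite.
    verdicts = {c: cred_state.get(c, "unknown") for c in credentials}
    ok = all(v == "valid" for v in verdicts.values())
    record = {"evidence_id": evidence_id, "profile_version": profile["version"],
              "profile_commitment": commitment(profile), "step_verdicts": verdicts,
              "verdict": "admit" if ok else "reject",
              "weight": profile["admit_weight"] if ok else 0.0, "evaluated_at": now}
    record["sig"] = sign(record)
    log.append(record)
    return record

def audit(log, claimed_profiles):
    # Flag records whose signature fails or whose profile was swapped after the fact.
    findings = []
    for i, r in enumerate(log):
        if not hmac.compare_digest(r["sig"], sign(r)):
            findings.append((i, "bad-signature"))
        elif commitment(claimed_profiles[r["profile_version"]]) != r["profile_commitment"]:
            findings.append((i, "profile-substituted"))
    return findings

# Constructed data: identifiers, versions and weights are hypothetical.
PROFILE_V3 = {"version": "v3", "accepted": ["sensor-auth-a", "classifier-auth-high"],
              "admit_weight": 0.8}
CREDS = ["sensor-auth-a/cred-17", "classifier-auth-high/cred-4"]

def demo():
    log = []
    admit(log, "evt-001", CREDS, PROFILE_V3, {c: "valid" for c in CREDS}, now=1000)
    later = {CREDS[0]: "valid", CREDS[1]: "revoked"}
    admit(log, "evt-001", CREDS, PROFILE_V3, later, now=9000)
    swapped = dict(PROFILE_V3, admit_weight=0.1)  # a different profile passed off as v3
    return log, audit(log, {"v3": PROFILE_V3}), audit(log, {"v3": swapped})
```

Both records for `evt-001` stay in the log: the first shows what was admitted at decision time, the second what the same profile yields once a credential is revoked.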
Composition
Lineage-evidence admissibility composes with the wider environmental disruption pipeline. Cross-jurisdictional admissibility is supported because the consumer's profile may declare per-jurisdiction credential authority lists, allowing evidence produced in one jurisdiction to be admitted into a consumer operating in another jurisdiction without ad-hoc mapping. Byzantine-robust admissibility is supported because corroboration topology is declared in the profile, and the admissibility evaluator enforces the topology against the lineage chain. Graduated-response integration is supported because the weighting function delivers a continuous weight rather than a binary admit-reject, allowing downstream decision logic to scale response severity with evidence weight.
The admissibility primitive composes with the lineage-recorded-provenance primitive in that the admission decision is itself a lineage event subject to the same retention and tamper-evidence guarantees as any other operation record. It composes with the admissibility-as-skill-router primitive in that downstream skills are themselves admitted into the operating unit through their own admissibility profiles, producing a two-tier admissibility structure: the evidence is admitted into the consumer's observation, and the skill that processes the observation is admitted into the consumer's operating context.
Composition with the corroboration-aggregation primitive permits a consumer to admit a derived observation whose evidence is the conjunction of multiple lineage-bound predecessors, with the conjunction itself credentialed by the consumer at admission time and the constituent lineage chains preserved by reference. The aggregate weighting is computed by the profile-declared aggregation function — typically a corroboration-aware combination that reflects independence of the contributing authorities rather than a naive sum — and the function selection is itself part of the profile, signed and version-bound. Composition with archival replay permits the entire admission decision tree to be reconstructed at audit by replaying admissibility evaluation against the historical profile and historical credential states, recovering not only what was admitted but precisely why it was admitted at the strength it received.
Prior-Art Distinction
Prior environmental sensing pipelines have variously appended provenance metadata to event records, signed event records as a unit, or maintained sensor attestation registries against which downstream consumers may verify event authenticity. None of these constructs makes admissibility a structural function of the credentialing of the full lineage chain, with weighting derived from the chain rather than asserted on the event. Provenance metadata that is appended but not enforced does not bind admission; signature on the event as a unit does not expose the per-step pedigree to the consumer's admissibility evaluator; sensor attestation registries do not address processing-primitive pedigree or classifier pedigree.
The distinction is that the present architecture treats the lineage chain as the admissibility object. The event is not admitted because it is signed; it is admitted because every step in its lineage is credentialed against authorities the consumer's profile recognises, and it is weighted according to the strength of that credentialing. The inversion of weight assertion (provenance-bound rather than confidence-bound) is the structural distinction.
Disclosure Scope
The disclosure covers the lineage-bound evidence object format, the admissibility profile declaration, the per-step credential evaluation primitive, the provenance-bound weighting function, the dispute-resolution and byzantine-robust extensions, and the composition with downstream skill routing and lineage-recorded provenance. Defence engagement decision support, civilian critical-infrastructure decision support, and commercial environmental sensing deployments that elect the architecture are within scope. The scope contemplates admissibility evolution: as regulatory and operational standards evolve, profile schemas and weighting functions update through governance procedures without invalidating the recorded provenance of past admissions. The scope further extends to mixed-authority federations in which evidence produced by one authority is admitted into observations operated under another authority, to retention regimes spanning multiple jurisdictions, and to long-horizon archival retention supporting forensic reconstruction at points years after the original observation.