Five-Property Governance Chain: The Architectural Umbrella

Problem: Fourteen Primitives Need One Umbrella

The preceding fourteen disclosures describe spatial-mesh primitives that solve specific problems — perception distribution, actuation gating, route authorization, intent fusion, coordinate establishment, time consensus, settlement, coordination, marketplace, disruption sensing, cascade response, health monitoring, federation, skill loading. Each primitive can be claimed individually. Each, considered in isolation, is patentable. But each, considered in isolation, is also vulnerable: a sufficiently determined examiner can find prior art that approaches any single primitive when its surrounding architecture is stripped away. A tolling gantry approaches authority-credentialed actuation. A grid demand-response controller approaches admissibility. An aviation black box approaches lineage. A Byzantine consensus protocol approaches evidential weighting. A federated identity scheme approaches credential continuity. None of these prior-art systems exhibit the umbrella; all of them exhibit features that resemble individual properties of it.

The fourteen primitives are not really separate. They share an architecture, and the architecture is the actual invention. A system that implements one primitive without the others has hardware-substitutable elements that prior art arguably approaches. A system that implements all of them — or any meaningful subset — under the shared architecture exhibits a structural property that prior art does not. The architecture is what allows a marker-track route to be admitted by the same authority chain that admits a settlement, allows a disruption observation to flow into a cascade response without an out-of-band channel, and allows a health degradation event to be weighted alongside a coordination directive in a single composite admissibility evaluation. The fourteen primitives interoperate because they all conform to the umbrella; that interoperability is itself the structural property under disclosure.

The umbrella claim captures this structural property. Every mutation in the conforming architecture passes through the same five-property chain. The claim is broad in coverage but specific in structural test: a system either exhibits the chain or it doesn't, and the test is deterministic from the system's own observable behavior. This combination — broad coverage with specific test — is the property that the umbrella primitive provides and that the fourteen specific primitives, taken individually, do not.

The remainder of this paper develops the umbrella primitive in eight stages: definition of the five properties; the recursive closure that turns the properties from a flowchart into an architecture; hierarchical composition across unit, region, jurisdiction, and coalition scopes; technology neutrality as a longevity property; operating parameters and admissibility ranges; alternative embodiments demonstrating breadth without abandoning the structural test; composition with the fourteen specific primitives; prior-art distinctions; and the disclosure scope as filed.

1. Core Primitive: The Five Properties

Property 1: Authority-Credentialed Observation. Every input that can affect system state arrives as an observation signed by an authority within a published taxonomy. There are no uncredentialed observations admitted to the system. Inputs without explicit credentials are either rejected or downgraded to a lower-authority class — advisory, peer, adversarial, anonymous — for which a credential is structurally implied by the channel and class assignment itself. The taxonomy is published in the sense that any participating party can resolve a credential to its issuing authority and verify the authority's right to issue credentials of that class. Observation here is broad: a sensor reading, a peer report, a regulatory directive, an actuation acknowledgment, a clock tick, and a lineage record from another chain are all observations, each carrying the credential of its origin.

Property 2: Evidential Weighting. Each admitted observation is weighted by composite factors: authority class, credential continuity (trust slope over a defined window), corroborating observations, governance policy, operational context, and observation-specific reliability priors. The weighting produces a structured contribution rather than a binary admit/reject. Weights are not scalars in the strong sense; they are tuples that preserve the dimensions along which weighting was computed, so that downstream stages can re-weight or audit the contribution if necessary. Weighting is explicit and auditable: the weighting function, its inputs, and its output are all recorded in lineage so that any composite decision can be deconstructed back to the individual observations and the weights they carried.

Property 3: Composite Admissibility Evaluation. Weighted observations contribute to a composite admissibility decision against a proposed mutation — an actuation, a settlement, a coordination, a state update, an authority handoff. The decision produces a graduated outcome selected from a defined mode set: full admit, conditional admit (with named conditions), partial admit (with named exclusions), defer (with re-evaluation trigger), refuse (with named ground), or escalate (with named higher authority). Graduated outcomes are essential because the binary permit/suppress alternative fails at safety-margin boundaries: a system that must either fully execute or fully refuse cannot represent the case where partial execution under conditional credential is the operationally correct response.

Property 4: Governed Actuator Execution. The selected mode produces a governed actuator commitment with reversibility evaluation, harm minimization under credentialed configuration, and post-actuation verification. Execution is structurally distinct from intent: the system can decide to do, decide to defer, decide to refuse, or decide to do partially, and each decision is itself a credentialed event. Reversibility is evaluated before commitment: if an actuation is irreversible, the admissibility threshold is structurally higher than for a reversible one, and the credential required to issue it is structurally stronger. Post-actuation verification is the checkpoint where the system confirms that the actuator did what the commitment said it would do; a deviation between commitment and verification is itself an observation that re-enters the chain.

Property 5: Lineage-Recorded Provenance. Every observation, every weighting, every admissibility decision, every actuation commitment, every post-actuation verification is recorded in lineage with credentials. The lineage admits forensic reconstruction of any state under any past time, supports cross-authority audit, and is structurally tamper-evident. Tamper-evidence does not require a particular cryptographic scheme; it requires that any modification to a recorded event be detectable by a party holding only the lineage and the public credentials of the authorities that signed it. Lineage is not a log file in the operational sense; it is a first-class data structure whose integrity is part of the system's correctness contract.

Together, the five properties define what every mutation passes through. They are not stages in the sense that a request must visit them sequentially in real time — implementations may pipeline, parallelize, or pre-stage portions — but every mutation must be expressible as a path through all five before it is durable in the system's lineage. A mutation that bypasses any property is, by definition, not within the umbrella.

2. Mechanism: Recursive Closure

The five properties form a chain: observation → weighting → admissibility → actuation → lineage. The chain is closed: every actuation produces actuation-state observations that re-enter the chain at Property 1 as inputs to downstream evaluations. Every lineage record is itself a credentialed observation that downstream consumers can admit, weight, and respond to. Every refusal, deferral, or escalation is an observable event that other parts of the system, and other chains in the hierarchy, can consume. Closure is the load-bearing structural element of the umbrella.

A system that implements Properties 1–5 in isolation — observe, weight, decide, execute, log — is not the umbrella primitive. A system that implements them with output recursion is. The recursion produces self-stabilizing behavior: errors at any property produce observable downstream observations that other parts of the system respond to. A weighting anomaly produces an admissibility deviation that is itself observed and admitted as evidence at the next cycle. An actuator failure produces a verification mismatch that re-enters as a high-weight observation, raising the admissibility threshold for related actuations until corroborating evidence stabilizes the picture. A lineage gap produces an observability deficit that is itself an observation, triggering escalation to a higher chain.

Closure is what distinguishes the umbrella from a flowchart of operations. Operations can be arranged in any sequence; recursive closure forces a specific architectural shape. In particular, closure makes the chain fault-detecting in a way that open-loop sequences are not. An open-loop pipeline that observes, decides, and executes can fail silently — the actuation may not occur, the observation may have been stale, the decision may have been miscalibrated — and nothing in the pipeline notices unless an external monitor is bolted on. In the closed chain, the actuation's own consequence is admitted as evidence; the absence of a consequence becomes a high-weight observation in its own right; the calibration of the decision is itself measurable by comparing predicted to observed downstream state.

Recursion also produces multi-scale stability. At short time scales (milliseconds to seconds), the chain stabilizes individual actuations against sensor noise and transient credential failures. At medium scales (seconds to minutes), it stabilizes coordinated actuations against drift in evidential weighting. At long scales (minutes to hours and beyond), it stabilizes authority structure itself: a credential issuer that begins issuing inconsistent credentials produces, through the recursion, a weighting deficit that downstream chains observe and respond to, eventually triggering escalation up the hierarchy. Stability emerges from the closure, not from any one property in isolation.

3. Mechanism: Hierarchical Composition

The chain composes hierarchically. A unit-level chain processes observations within a single operating unit — a vehicle, a robot, a drone, a workstation, an industrial cell. A region-level chain processes observations within a bounded geographic or logical region — an intersection, a port, an airspace sector, a substation, a hospital wing. A jurisdiction-level chain processes observations within an authority's scope — a state regulator, a federal agency, a metropolitan transit authority, a healthcare network. A coalition-level chain processes observations across cooperating jurisdictions — an international body, a cross-border traffic agreement, a multi-state mutual aid pact. Each level operates the five-property chain on inputs from its own scope and produces outputs to enclosing levels.

Hierarchical composition means primitive scaling. A small-scale deployment, such as a single warehouse with a single fleet of autonomous mobile robots, operates the chain at unit and region levels only; the jurisdiction and coalition levels exist but reduce to identity transforms. A national-scale deployment adds jurisdiction-level chains that admit observations from many regions and produce directives that flow back down. International deployments add coalition-level chains. The architecture is the same at every level; only the configurations grow. Critically, the recursion property holds at every level: a coalition-level actuation (a cross-border directive) produces observations that re-enter coalition-level Property 1 as well as flowing down to jurisdiction, region, and unit levels.

Hierarchy is bidirectional. Observations and directives flow up the hierarchy as well as down, with each level's chain admitting inputs from above (regulatory directives, mutual-aid invocations) and below (peer-level observations, sensor reports, actuation acknowledgments) symmetrically. A unit-level disruption observation is weighted, admitted, and acted upon at the unit level, and is also exported as a credentialed observation to the region level, which weights it against other region-level observations. The exported observation carries its origin credential; the receiving level applies its own weighting. This produces a property essential for cross-jurisdictional operation: an observation does not lose its provenance when it crosses a boundary; the receiving authority reweights but does not forge.

The hierarchy is also not strictly tree-shaped. A unit may participate in multiple regions (a vehicle crossing jurisdictions); a region may participate in multiple jurisdictions (a port subject to both maritime and customs authority); a jurisdiction may participate in multiple coalitions. The hierarchy is a directed graph of credentialed channels; tree shape is a special case. The five-property chain operates identically regardless of graph topology, because its definition is intrinsic to a node, not to the graph.

4. Mechanism: Technology Neutrality and Future-Proofing

The chain is technology-neutral. Property 1's authority credentials can be expressed in any signature scheme: ECDSA over the NIST curves today, post-quantum lattice schemes (CRYSTALS-Dilithium, Falcon) when migration becomes mandatory, hash-based signatures (SPHINCS+) for long-lived archival credentials, threshold signatures for distributed authority, attribute-based credentials for fine-grained authority decomposition. Property 2's weighting can use any algorithm: Bayesian update, Dempster-Shafer evidence combination, fuzzy logic, formally verified rule sets, learned weighting (supervised, online, or reinforcement), or hybrid combinations of these. Property 3's admissibility can be deterministic, learned, or hybrid. Property 4's actuators can be any physical, virtual, or computational mechanism, from a robotic arm to a firewall rule update to a financial settlement. Property 5's lineage can use any signature scheme, any storage substrate (append-only log, Merkle tree, distributed ledger, content-addressed object store), and any distribution model (replicated, sharded, federated, hub-and-spoke).

Technology neutrality is essential because the architecture must outlive any specific technology generation. The patent's commercial life is twenty years; the technologies that implement the chain will turn over multiple times within that period. ECDSA may be deprecated for critical infrastructure during the patent's life; specific learned-weighting models will be retrained dozens of times; lineage substrates will migrate from local append-only logs to distributed structures and back. Specifying the architecture as a property set rather than a technology stack provides the longevity that a stack-specific specification cannot.

Technology neutrality also makes the umbrella claim portable across §101 challenges. The architecture is the practical-application hook, not the specific algorithms. As §101 jurisprudence evolves — and it has been evolving rapidly since Alice v. CLS Bank — the umbrella claim's anchor in physical actuation, cryptographic credential, and audit-grade lineage remains stable. The claim is not directed to "an algorithm for" anything; it is directed to a system whose mutations exhibit a defined structural property, and whose execution produces real-world physical or cyber-physical effect through governed actuators. The structural test reduces to observable behavior of the system, not to inspection of its internal algorithms.

Finally, neutrality supports defensive substitution. If a defendant in an infringement action argues that their system uses a different signature scheme, a different weighting algorithm, or a different lineage substrate, the umbrella's response is structural: the question is not whether the components are the same, but whether the chain exhibits the five properties under recursive closure. A system that has substituted lattice signatures for ECDSA still falls within the umbrella if its substituted scheme functions as Property 1's authority credential. Substitution within properties is permitted; substitution out of the property structure is not.

5. Operating Parameters

The umbrella is a structural primitive, but conforming implementations operate within parameter ranges that bound the chain's behavior. These ranges are illustrative of practical deployments and are not claim limitations; they support enablement and best-mode disclosure under 35 U.S.C. §112.

Authority taxonomy depth. Practical taxonomies range from two levels (root authority and delegated authorities) to six or seven (root, sector regulator, sub-regulator, operator, sub-operator, device, ephemeral). Deeper taxonomies increase delegation flexibility at the cost of credential-resolution latency. Typical deployments use three to five levels.

Weighting window. Credential continuity is computed over a sliding window. Short windows (minutes to hours) are appropriate for high-tempo operational environments; long windows (days to weeks) are appropriate for slow-changing regulatory environments. Implementations typically support multiple concurrent windows, with weighting drawn from the window most relevant to the observation class.

Admissibility threshold sets. The graduated mode set typically contains four to seven modes. Fewer than four is insufficient to express partial admit and conditional admit cases; more than seven introduces operator confusion and complicates audit. The exact set is configurable per chain; unit-level chains may use four-mode sets while jurisdiction-level chains use richer sets.

Reversibility budget. Each chain maintains a reversibility budget for irreversible actuations. The budget bounds the rate at which a chain can issue actuations that cannot be undone, forcing higher-credential paths for sustained irreversible activity. Typical budgets range from one irreversible actuation per second at unit level to one per hour at jurisdiction level, depending on operational tempo.

Lineage retention. Lineage is retained for periods bounded by the longest applicable audit horizon. Regulated cyber-physical deployments commonly retain lineage for seven to ten years; safety-critical aviation deployments retain indefinitely; medical-device deployments retain for the device life plus five years. The umbrella does not specify retention; conforming implementations specify it per regulatory regime.

Cross-chain latency. Observation export from one chain to another (region-to-jurisdiction, peer-to-peer) operates with bounded latency. Real-time deployments target sub-second propagation for high-priority observations; bulk lineage replication operates on minute or hour cadences. The chain admits observations at any latency provided the credential and timestamp survive the transit.

Verification cadence. Post-actuation verification operates on a cadence appropriate to the actuator. Mechanical actuators verify within their physical settling time (milliseconds to seconds); financial actuators verify on settlement cadence (seconds to days); regulatory actuators verify on reporting cadence (days to quarters). The chain holds an actuation as provisional in lineage until verification completes.

6. Alternative Embodiments

The umbrella primitive admits a wide range of embodiments, each preserving the five properties under recursive closure while varying technology, scope, and deployment.

Embodiment A — Autonomous vehicle fleet. Unit-level chains run on each vehicle, processing sensor observations and producing motion actuations. Region-level chains run at intersections, ports, and corridor controllers, weighting peer-vehicle reports against infrastructure observations. Jurisdiction-level chains run at metropolitan and state authority gateways, admitting safety directives and fleet-wide policy updates. Lineage is replicated to a national repository for incident reconstruction. Authority credentials use ECDSA today with planned migration to a post-quantum scheme.

Embodiment B — Smart-grid demand response. Unit-level chains run at substation controllers, weighting load observations and producing switching actuations. Region-level chains run at independent system operators, admitting market signals and reliability directives. Jurisdiction-level chains run at NERC and FERC interfaces. Reversibility budgets are tight (switching transients are expensive); admissibility uses formally verified rule sets at the unit level and learned weighting at the region level.

Embodiment C — Healthcare device network. Unit-level chains run on infusion pumps, ventilators, and monitors, admitting clinician orders as credentialed observations and producing medication or therapy actuations. Region-level chains run at care-unit gateways. Jurisdiction-level chains run at health-system and FDA interfaces for adverse-event reporting. Lineage retention extends for the device life plus five years to meet regulatory requirements.

Embodiment D — Cross-border logistics. Unit-level chains run on containers and conveyances. Region-level chains run at ports, terminals, and border crossings. Jurisdiction-level chains run at customs and trade authorities. Coalition-level chains run at multilateral trade-agreement bodies. Each chain admits observations from below and directives from above, with lineage providing chain-of-custody from manifest through delivery.

Embodiment E — Financial settlement network. Unit-level chains run at participating institutions, processing transaction observations and producing settlement actuations. Region-level chains run at clearing houses. Jurisdiction-level chains run at central banks and regulators. Lineage is structured as an append-only ledger replicated across participants; reversibility budgets reflect the irreversibility of cleared settlement.

Embodiment F — Software-defined network policy. Unit-level chains run at network elements (routers, firewalls, switches). Region-level chains run at SDN controllers. Jurisdiction-level chains run at security operations centers. Actuators are policy updates and traffic-shaping rules; observations are flow telemetry and threat intelligence. Verification compares post-update flow behavior to predicted behavior.

In every embodiment, the five properties are present and recursively closed. Substituting any property out — for example, removing Property 5 by abandoning lineage — removes the embodiment from the umbrella's coverage. Substituting any property's technology — exchanging ECDSA for a lattice scheme, or Bayesian weighting for fuzzy logic — does not.

7. Composition with the Fourteen Specific Primitives

The umbrella does not replace the fourteen specific primitives. It is the architectural condition under which they operate. Each specific primitive contributes structural detail in one or more properties of the chain. The mesh primitive contributes Property 1's distribution architecture for observations across geographic scope. The actuation primitive contributes Property 4's graduated mode set and reversibility evaluation. The marker-track primitive contributes a class of authority-credentialed observations specific to route authorization. The intent primitive contributes Property 2's evidential weighting under multi-source intent fusion. The coordinates primitive contributes the geometric substrate against which observations and actuations are referenced. The time primitive contributes the temporal substrate against which credential continuity and verification cadence are computed. The settlement primitive contributes Property 4's commitment semantics for value-bearing actuations. The coordination primitive contributes Property 3's composite admissibility under multi-actor proposals. The marketplace primitive contributes a class of admissibility evaluations specific to economic exchange. The disruption primitive contributes a class of high-weight observations specific to anomaly detection. The cascade primitive contributes Property 4's multi-stage actuation under graduated commitment. The health primitive contributes Property 2's weighting under degraded evidential channels. The federation primitive contributes Property 1's cross-authority credential semantics. The skills primitive contributes Property 4's actuator selection under capability constraints.

A patent portfolio anchored in the umbrella plus the fourteen specific primitives provides both broad coverage and specific, anchor-grade claims. The umbrella claim is structural: it reads on any system that exhibits the chain. The specific claims are detailed: they read on systems that exhibit a specific primitive within the umbrella. An accused system that exhibits one specific primitive without the umbrella is reachable by the corresponding specific claim; an accused system that exhibits the umbrella without any specific primitive (an unlikely case) is reachable by the umbrella claim alone; an accused system that exhibits both is reachable by both, and the alternate independent-claim structure provides validity insurance against the loss of any single claim under prior-art challenge.

8. Prior-Art Distinctions

The umbrella is distinct from prior architectural and security frameworks along the dimensions defined by the five properties under recursive closure.

Distinct from Zero Trust architectures. Zero Trust (NIST SP 800-207 and successors) requires authentication of every access and least-privilege enforcement. It does not require evidential weighting under composite factors, does not require graduated admissibility modes, does not require governed actuator semantics with reversibility evaluation, and does not require recursive closure of audit lineage. Zero Trust is, at most, a strengthened version of Property 1; the umbrella requires all five properties under closure.

Distinct from PKI and credential-based access control. PKI provides the cryptographic substrate for Property 1 in many embodiments, but PKI alone is a credential issuance and verification system, not a governance chain. PKI does not specify weighting, admissibility, governed actuation, or lineage; it specifies how credentials are issued and revoked.

Distinct from blockchain and distributed ledger systems. Distributed ledgers provide one possible substrate for Property 5. They do not provide Property 1 (most ledgers have no authority taxonomy beyond the consensus participant set), do not provide Property 2 (transactions are admitted by consensus rule, not weighted), do not provide Property 3 (consensus admits or rejects, but does not produce graduated modes), and do not provide governed actuation in the Property 4 sense (a settled transaction is an effect, not a governed actuator commitment with reversibility evaluation).

Distinct from policy-driven automation and orchestration. Orchestration systems (Kubernetes, Terraform, configuration-management frameworks) execute policy-defined actions and record action history. They do not credential observations to authority taxonomies, do not weight observations by credential continuity, do not produce graduated admissibility outcomes against composite evaluations, and do not exhibit recursive closure in the strong sense — a Kubernetes reconciler is a single closed loop on declared state, not a chain in which actuation outputs re-enter as credentialed observations of arbitrary downstream consumers.

Distinct from safety-instrumented systems and SCADA. Safety-instrumented systems implement layered protection in industrial settings and produce audit trails. They do not, in general, implement authority taxonomies beyond a flat operator/engineer/maintenance set, do not implement composite evidential weighting across multiple authority classes, and do not exhibit recursive closure across hierarchical scopes. They are typically Property 4 plus a constrained Property 5; the umbrella requires all five.

Distinct from formal-methods control systems. Verified-control architectures (Simplex, runtime assurance) provide governed actuation with verification, addressing Property 4. They do not, in general, address evidential weighting under composite factors, graduated admissibility under heterogeneous observations, or recursive closure of multi-scale audit lineage.

The structural test for distinguishing the umbrella from prior art is therefore not feature presence but property completeness under closure: a prior-art system is within the umbrella if and only if it exhibits all five properties under recursive closure. Most prior-art systems exhibit one or two; some exhibit three; the closure property in particular is rare.

9. Disclosure Scope

Disclosed under USPTO Provisional 64/049,409, the umbrella primitive is filed alongside the fourteen specific spatial-mesh primitives. The provisional supports independent claim sets directed to (a) the architectural umbrella as a whole, claimed by reference to the five properties under recursive closure with hierarchical composition; (b) each specific primitive, claimed individually with its specific structural elements; and (c) selected sub-combinations of primitives within the umbrella, claimed for embodiments where the sub-combination provides distinct utility.

The structural test for infringement of the umbrella claim is observable from a system's audit lineage and operational behavior, without access to the implementing party's source code. An accused system either exhibits authority-credentialed observation as the input gate, or it does not. It either weights observations through composite factors, or it does not. It either runs admissibility evaluation producing graduated outcomes, or it does not. It either produces governed graduated actuations with reversibility evaluation, or it does not. It either records audit-grade lineage with recursive closure, or it does not. The five binary determinations together produce a deterministic infringement criterion.

The umbrella claim therefore reads on the architecture that the next decade of cyber-physical systems will adopt under regulatory and operational pressure, regardless of which company first deploys it. UNECE R155 is converging on credentialed observation for vehicle cyber-systems; FDA Software Pre-Cert and the EU MDR are converging on lineage-recorded provenance for medical devices; NIS2 is converging on graduated admissibility for critical infrastructure; FIPS 140-3 and the post-quantum migration are forcing technology-neutral credential schemes; aviation and rail safety regimes have long required Property 4 verification with Property 5 lineage. The convergence is not coincidental; it reflects the structural requirements that any governable cyber-physical architecture must meet at scale. The umbrella primitive captures those structural requirements in advance of their full deployment, providing both the disclosure that supports broad claim coverage and the structural test that supports enforceable boundaries.

The disclosure is not a substitute for the fourteen specific primitives, and the umbrella claim is not a substitute for the fourteen specific claims. It is the architectural condition under which the specific primitives operate, the structural test by which the architecture is identified, and the foundation under which the portfolio's coverage extends from individual primitives to the system-level architecture they instantiate.