Containment Layer and Delusion Boundary
by Nick Clark | Published March 27, 2026
A forecast is a claim about a future state, computed by a model from evidence. Disclosed herein is a containment boundary that confines forecasts to the scope for which the producing model has been trained and evidenced, marks forecasts that would fall outside that scope as out-of-scope rather than emitting them as ordinary outputs, and renders the boundary itself tamper-evident. The boundary is a structural barrier between speculative planning-graph content and verified execution memory: speculative content cannot cross the boundary into verified memory or serve as the basis for an execution claim except through a declared promotion path that records the crossing in lineage. The result is an agent that plans ahead without contaminating its operational state and without representing extrapolations as warranted predictions.
Mechanism
The containment boundary is realized at the data-structure level rather than by convention. Speculative content is held in a planning graph whose nodes are typed as speculative and whose edges record the inferential steps by which each node was derived. Verified content is held in an execution memory whose nodes are typed as verified and whose admission is gated by a promotion function. The boundary between the two is enforced by the type system of the agent's runtime: a verified-typed reference cannot be assigned the value of a speculative-typed node, and a speculative-typed reference cannot be returned from an interface that requires a verified-typed result. Crossings occur only through the promotion function, which accepts a speculative node together with a corroborating evidence bundle and either admits a corresponding verified node or rejects the crossing.
The boundary additionally encodes a scope constraint over forecasts. Each forecast is annotated with the region of input space over which the producing model was trained and evidenced; this region is described by a manifold descriptor, an interval set, or an enumerated category list, depending on the model class. Before a forecast is emitted, its conditioning inputs are tested against the descriptor. If the inputs lie within scope, the forecast is emitted as an ordinary output. If the inputs lie outside scope, the forecast is marked out-of-scope, the marking is propagated to all downstream consumers, and the forecast is excluded from any aggregation that would treat it as a warranted prediction. The boundary is tamper-evident: the manifold descriptor, the in-scope test result, and the promotion-function record are all written to an append-only lineage log under cryptographic hash chaining, such that any retroactive alteration of the boundary or its application is detectable on audit.
The promotion function is the sole structural path from speculation to verified state, and its semantics are declared rather than implicit. A promotion request supplies a speculative node identifier, a corroborating evidence bundle, and a justification reference. The function evaluates the evidence bundle against a declared promotion policy: the bundle must contain at least the configured number of independent corroborating sources, each source must be authenticated against the agent's evidence registry, and the aggregate corroboration weight must exceed a domain-specific threshold. Successful promotion materializes a new verified node whose value is bit-identical to the speculative node's value at the time of promotion; the verified node carries a reference to the speculative node and a reference to the evidence bundle, so that the basis for promotion remains auditable. Rejected promotions are also recorded, with the rejection reason captured, so that repeated rejection patterns can be surfaced as a signal that the speculative content is systematically unsupportable.
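The promotion policy described above, as an added example rather than code from the disclosure. The policy values, registry contents, and the modelling of independence (distinct `origin`) and authentication (registry membership) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Source:            # one corroborating source in an evidence bundle
    source_id: str
    origin: str          # assumption: sources sharing an origin are not independent
    weight: float

@dataclass(frozen=True)
class Speculative:       # planning-graph node
    node_id: str
    value: bytes

@dataclass(frozen=True)
class Verified:          # execution-memory node; promote() is the only constructor path
    value: bytes
    from_node: str
    evidence: tuple

# Constructed policy and registry values for the example.
POLICY = {"min_sources": 2, "min_weight": 1.5}
REGISTRY = {"sensor-a", "sensor-b", "ledger-1"}

def promote(node, bundle, justification, lineage):
    """Admit a verified node or reject the crossing; both outcomes are recorded."""
    unknown = [s.source_id for s in bundle if s.source_id not in REGISTRY]
    origins = {s.origin for s in bundle}
    total = sum(s.weight for s in bundle)
    if unknown:
        reason = "unauthenticated source: " + ",".join(unknown)
    elif len(origins) < POLICY["min_sources"]:
        reason = "insufficient independent sources"
    elif total <= POLICY["min_weight"]:      # weight must exceed the threshold
        reason = "aggregate weight below threshold"
    else:
        reason = None
    lineage.append({"node": node.node_id, "justification": justification,
                    "evidence": [s.source_id for s in bundle],
                    "outcome": "rejected" if reason else "promoted",
                    "reason": reason})
    if reason:
        return None
    # The verified value is the speculative value, unchanged, plus audit references.
    return Verified(node.value, node.node_id, tuple(s.source_id for s in bundle))
```
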
The tamper-evidence property is realized by a hash chain whose head is published at a configured cadence to a location external to the agent. Each lineage entry carries a hash of the previous entry together with a hash of the entry's own contents, so that any retroactive alteration of a prior entry invalidates all subsequent entries' chain references. Verification reconstructs the chain from the genesis entry and compares the reconstructed head against the published head; a mismatch is treated as a tamper event and surfaces an alert through the audit subsystem. The published head is the structural anchor that prevents an actor with full agent-state access from rewriting history without detection.
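A minimal hash-chained lineage log with verification against a published head, as an added example rather than code from the disclosure. SHA-256, JSON serialization, the all-zero genesis value, and the entry field names are assumptions; `demo()` shows why the externally held head is needed, since a chain rebuilt with fresh hashes is internally consistent and only the published head exposes it.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64   # assumed predecessor value for the first entry

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def append_entry(log, content):
    """Append an entry carrying the previous entry's hash and its own content hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    content_hash = _h(json.dumps(content, sort_keys=True).encode())
    log.append({"content": content, "prev_hash": prev, "content_hash": content_hash,
                "entry_hash": _h((prev + content_hash).encode())})
    return log[-1]["entry_hash"]

def verify(log, published_head):
    """Rebuild from genesis. Returns (ok, index of first inconsistent entry or None)."""
    prev = GENESIS
    for i, e in enumerate(log):
        content_hash = _h(json.dumps(e["content"], sort_keys=True).encode())
        if (e["prev_hash"] != prev or e["content_hash"] != content_hash
                or e["entry_hash"] != _h((prev + content_hash).encode())):
            return False, i
        prev = e["entry_hash"]
    # A self-consistent chain that does not end at the published head is a tamper event.
    return (True, None) if prev == published_head else (False, None)

def demo():
    log = []
    for c in ({"event": "scope_test", "in_scope": True},          # constructed entries
              {"event": "promotion", "node": "n1", "outcome": "rejected"},
              {"event": "promotion", "node": "n1", "outcome": "promoted"}):
        head = append_entry(log, c)
    published = head                      # copy held outside the agent
    edited = copy.deepcopy(log)
    edited[1]["content"]["outcome"] = "promoted"   # altered in place, hashes left stale
    rebuilt = []                                   # same alteration, hashes recomputed
    for e in edited:
        append_entry(rebuilt, e["content"])
    return (verify(log, published), verify(edited, published),
            verify(rebuilt, published), verify(log[:2], published))
```
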
Operating Parameters
Scope descriptor resolution is the granularity at which the in-scope region is represented. Coarse resolutions, such as bounding boxes over feature space, are contemplated for low-dimensional models; fine resolutions, such as kernel-density estimates or one-class classifiers, are contemplated for high-dimensional models. Promotion threshold is the minimum corroborating-evidence weight required for a speculative node to be admitted as a verified node; thresholds are declared per node type and per domain. Branch lifetime is the maximum duration for which a speculative branch is retained before pruning or dormancy; lifetimes are declared per branch class and bound the planning graph's growth.
Out-of-scope marking propagation depth is the number of downstream inference steps over which an out-of-scope marking is preserved before it is either reconciled with new in-scope evidence or excluded from emission entirely. Hash chain segment size is the number of lineage entries per cryptographic segment; smaller segments enable faster verification at the cost of larger storage, while larger segments invert the trade-off. Verification cadence is the rate at which the lineage hash chain is recomputed and compared against the stored chain head; cadences from once per second to once per day are contemplated according to the deployment's tamper-detection latency requirement.
Alternative Embodiments
In a first alternative embodiment, the planning graph and the execution memory reside in physically distinct memory regions, with the boundary enforced by a hardware memory-protection unit; a speculative-to-verified crossing requires a protection-domain transition that is logged at the hardware level. In a second alternative embodiment, the boundary is enforced by capability tokens: a verified-memory write requires presentation of a capability that is issued only by the promotion function, and the capability is single-use and bound to a specific node identifier.
In a third alternative embodiment, the scope descriptor is learned jointly with the producing model, taking the form of a one-class classifier whose decision boundary tracks the training distribution; out-of-scope detection is performed by querying the classifier at inference time. In a fourth alternative embodiment, multiple producing models are composed, with each model's scope descriptor evaluated independently and the forecast marked in-scope only when all constituent models report in-scope; this embodiment is suited to ensemble forecasting where partial coverage is insufficient. In a fifth alternative embodiment, the lineage log is replicated across independent witnesses, with a forecast treated as tamper-evident only when a quorum of witnesses agree on the chain head; this embodiment is suited to multi-party deployments where no single party is trusted to maintain the log alone.
Composition with Adjacent Mechanisms
The containment boundary is consumed by the forecasting engine's emission stage, which gates outputs through the in-scope test. It is consumed by the planning controller, which respects the promotion function as the sole path from speculation to commitment. It is consumed by the multi-agent coordination layer, which exchanges forecasts together with their scope descriptors and out-of-scope markings, so that downstream agents can apply their own policies to out-of-scope content. It composes with the lineage subsystem, which retains the hash-chained record and supports retrospective verification. It composes with the policy subsystem, which holds the promotion thresholds and branch lifetimes and admits change-controlled revision. It composes with the confidence-governance subsystem, which treats out-of-scope markings as a hard constraint on authorization rather than as a contributor to a soft confidence score.
Distinction Over Prior Art
Prior model-monitoring systems detect distributional shift between training and deployment data and emit alerts when the shift exceeds a threshold, but they do not constitute a structural barrier between speculative and verified content, and they do not mark individual forecasts as out-of-scope at the point of emission. Prior planning systems maintain speculative branches but rely on convention or runtime checks to prevent contamination of execution state; convention is violated by implementation error, and runtime checks lack the tamper-evident lineage record that audit requires. Prior provenance systems record the derivation of outputs but do not enforce a scope constraint at emission time. The present mechanism is distinguished by the conjunction of type-level boundary enforcement, declared scope descriptor with in-scope testing, out-of-scope marking with downstream propagation, and hash-chained tamper-evident lineage; each component addresses a failure mode that the others do not, and the combination is what permits the boundary to serve as a basis for governance.
Failure Modes and Mitigations
Several failure modes are identified and addressed at the structural level. The first is scope-descriptor staleness, in which the descriptor encodes a region of input space that no longer corresponds to the model's actual training and evidence base, typically because the model has been retrained without a corresponding descriptor update. Staleness is mitigated by binding the descriptor to the model artifact at training time: the descriptor and the model are stored together under a joint hash, and inference refuses to proceed when descriptor and model hashes do not match the bound pair recorded in the model registry. The second failure mode is silent crossing, in which a speculative node's value reaches verified memory through an unintended path, such as a shared mutable buffer or a serialization round-trip. Silent crossing is mitigated by the type-level enforcement of the boundary, which rejects assignments at compile time where the type system permits, and by runtime tag checks at every memory-region transition where compile-time enforcement is unavailable.
The third failure mode is lineage corruption, in which the append-only log is overwritten or truncated by a privileged actor. Corruption is detected by the hash chain: any retroactive alteration breaks the chain, and the chain head is verified at the configured cadence and replicated to independent witnesses in the multi-party embodiment. The fourth failure mode is in-scope masquerade, in which conditioning inputs are crafted to appear in-scope under the descriptor while the underlying situation is in fact outside the model's evidenced region. Masquerade is mitigated by combining the descriptor test with an evidence-density check: a forecast is treated as in-scope only when both the descriptor admits the conditioning inputs and the local density of supporting evidence exceeds a configured threshold, so that descriptor coverage without evidentiary support produces an out-of-scope marking rather than a warranted prediction.
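The in-scope test from the Mechanism section combined with the evidence-density check described above, including marking propagation and exclusion from aggregation, as an added example rather than code from the disclosure. The interval-set descriptor, evidence points, radius, threshold, and feature names are constructed; a real deployment would normalize feature scales before measuring distance.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Forecast:
    value: float
    in_scope: bool
    reason: str

# Constructed sample: interval-set descriptor and the evidence points behind it.
DESCRIPTOR = {"temp_c": [(0.0, 40.0)], "load": [(0.0, 0.3), (0.6, 1.0)]}
EVIDENCE = [(10, 0.1), (12, 0.15), (11, 0.2), (30, 0.7), (31, 0.8), (29, 0.75)]
RADIUS, DENSITY_THRESHOLD = 5.0, 2    # assumed density-check parameters

def descriptor_admits(x):
    """True when every feature falls inside one of its declared intervals."""
    return all(any(lo <= x[k] <= hi for lo, hi in ivs)
               for k, ivs in DESCRIPTOR.items())

def evidence_density(x):
    """Number of evidence points within RADIUS of the conditioning inputs."""
    pt = (x["temp_c"], x["load"])
    return sum(1 for e in EVIDENCE if math.dist(pt, e) <= RADIUS)

def emit(model, x):
    """Gate a forecast: both the descriptor and the density check must pass."""
    if not descriptor_admits(x):
        return Forecast(model(x), False, "outside descriptor")
    if evidence_density(x) <= DENSITY_THRESHOLD:   # density must exceed threshold
        return Forecast(model(x), False, "descriptor admits, evidence too sparse")
    return Forecast(model(x), True, "in scope")

def derive(fn, *parents):
    """Downstream inference step: the marking of any parent is inherited."""
    ok = all(p.in_scope for p in parents)
    return Forecast(fn(*(p.value for p in parents)), ok,
                    "in scope" if ok else "inherited out-of-scope marking")

def aggregate(forecasts):
    """Mean over warranted forecasts only; marked forecasts are excluded."""
    vals = [f.value for f in forecasts if f.in_scope]
    return sum(vals) / len(vals) if vals else None
```
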
Disclosure Scope
The disclosure encompasses the containment boundary, the planning-graph and execution-memory structures it separates, the promotion function, the scope descriptor and in-scope test, the out-of-scope marking and its propagation, the hash-chained lineage record, and the compositions described above. The disclosure is not limited to any specific scope-descriptor representation, promotion-function form, or hash-chain construction. Implementations using software type systems, hardware memory protection, capability-based addressing, and distributed witness quorums are contemplated, as are deployments in single agents, agent collectives, and supervisory hierarchies in which higher-level agents consume the forecasts and out-of-scope markings emitted by lower-level agents.