Mechanism

The containment boundary, designated in the filing as the containment layer, is the structural enforcement mechanism that maintains the architectural separation between the agent's speculative planning graph domain and its verified execution memory. It is not a software flag, a metadata annotation, or a runtime check. It is an architectural boundary embedded in the agent's cognitive substrate that prevents speculative content from being treated as verified reality under any condition other than governance-validated promotion through the promotion interface. The boundary exists so that an agent which constructs a planning graph branch projecting a successful outcome does not thereby acquire that outcome as verified memory: the projection remains speculative until it is promoted through the governance pipeline and executed.

The separation the boundary enforces is the precondition for the rest of the forecasting architecture. Because speculative and verified content occupy structurally distinct computational domains, the agent can maintain multiple contradictory hypothetical futures simultaneously, such as one branch projecting task success and another projecting task failure, without producing internal inconsistency. Neither branch has been promoted to verified status, so neither creates a paradox in the agent's committed state. The containment layer is what makes that coexistence safe rather than pathological.

The Immutable Speculative Marker

The first invariant the containment layer enforces is that planning graph content is tagged with an immutable speculative marker at the time of construction. Every data element within a planning graph, including every speculative mutation, every projected outcome, every affective reinforcement tag, and every slope projection, carries a marker that identifies it as non-verified content. The marker cannot be removed, modified, or overridden by any operation within the planning graph domain.

Only the promotion interface, upon successful governance validation, strips the speculative marker and re-tags the content as verified before writing it to execution memory. The promotion interface is the sole gateway from speculative to verified status, and its governance requirements are not negotiable, waivable, or bypassable by the agent's affective state, personality configuration, or operational urgency. There is no alternative pathway, so the marker is the structural token that distinguishes what the agent has projected from what the agent has committed.

Read Isolation and Lineage Exclusion

The second invariant is read isolation between the planning graph domain and the verified execution memory domain. Queries from the agent's verified execution processes cannot access planning graph content as if it were verified memory. When the execution pipeline queries for the current value of a field, it receives the verified value from execution memory, not a projected value from an active planning graph branch. The planning graph domain is readable by the forecasting engine, the affective prioritization module, and the introspective analysis subsystem, but it is not readable by execution processes that operate on verified state.

The third invariant is that speculative content cannot be written to the agent's lineage as committed state. The lineage records only governance-validated mutations, that is, transitions that have passed through the promotion interface and been admitted to verified execution memory. Planning graph branches, regardless of their classification or evaluation score, do not produce lineage entries until they are promoted. The lineage may record metadata about the forecasting process itself, such as the creation, evaluation, and pruning of planning graphs as cognitive events, but the speculative content of the branches is not recorded as committed state. This separation is also bidirectional and snapshot-isolated: when the forecasting engine constructs a new planning graph it reads the agent's current verified state as the root node, but it does not establish a live reference, so subsequent verified state changes do not automatically propagate into existing planning graphs.
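The three invariants can be modelled in a few lines. This is an added sketch, not code from the filing: the `Agent` and `Speculative` classes and their method names are hypothetical, and Python's frozen dataclass and private attributes only approximate a boundary the article describes as structural.

```python
import copy
from dataclasses import dataclass
from types import MappingProxyType

# The four governance pipeline stages named in the article.
GOVERNANCE_CHECKS = ("policy_compliance", "trust_slope_validation",
                     "integrity_impact_assessment", "capability_verification")

@dataclass(frozen=True)
class Speculative:
    """Planning-graph element; frozen=True stands in for the immutable marker."""
    field: str
    value: object
    speculative: bool = True

class Agent:  # hypothetical model, not the filing's implementation
    def __init__(self, verified):
        self._verified = dict(verified)  # verified execution memory
        self._planning = []              # planning graph domain
        self.lineage = []                # committed mutations only

    def read_verified(self, field):
        # Read isolation: execution queries never consult the planning domain.
        return self._verified[field]

    def new_branch(self, field, value):
        # Snapshot isolation: the root is a read-only copy, not a live reference.
        root = MappingProxyType(copy.deepcopy(self._verified))
        elem = Speculative(field, value)
        self._planning.append(elem)
        return root, elem

    def promote(self, elem, results):
        # Sole gateway: any failed or missing check leaves the branch speculative.
        if not all(results.get(c) is True for c in GOVERNANCE_CHECKS):
            return False
        self._planning.remove(elem)
        self._verified[elem.field] = elem.value  # written as verified state
        self.lineage.append((elem.field, elem.value))
        return True
```

Two contradictory branches on the same field can coexist in this model without changing what `read_verified` returns; only a promotion with all four checks passing alters verified memory or the lineage.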

The Delusion Boundary

The containment layer defines a delusion boundary condition: a formally specified pathological state in which the containment layer fails and speculative planning graph content is treated as verified reality. The filing names this failure containment collapse and describes it as the architectural analog of delusion, the condition in which the agent's cognitive system can no longer distinguish between what it has speculatively projected and what has actually occurred. The boundary is significant because it provides a structural, deterministic, and computationally verifiable mechanism for distinguishing speculation from reality within an autonomous cognitive system, rather than relying on the agent's behavior to reveal the confusion after the fact.

Containment collapse may arise through several structural failure modes. In a first mode, the speculative marker is corrupted or stripped without governance-validated promotion, whether through substrate-level failures such as memory corruption, hash collision, or serialization errors that destroy the marker, or through adversarial manipulation of the cognitive substrate. In a second mode, the read isolation boundary is breached, permitting execution processes to access planning graph content as if it were verified memory, which may occur through substrate misconfiguration, concurrent access violations, or integration errors that bypass isolation enforcement. In a third mode, the promotion interface admits speculative content without completing governance validation, a governance gate failure that allows unvalidated content to flow from the speculative domain to the verified domain.

Containment Integrity Verification

The system provides multiple containment integrity verification mechanisms to detect containment collapse before it produces observable behavioral effects. Periodic containment audits verify the integrity of speculative markers across all active planning graph structures. Boundary crossing monitors detect unauthorized transitions from the speculative domain to the verified domain. Lineage consistency checks verify that all lineage entries correspond to governance-validated promotions and not to speculative content that bypassed the promotion interface.

Behavioral coherence monitors detect patterns of agent behavior consistent with the agent acting on speculative content as if it were verified, for example the agent referencing projected outcomes that have not actually occurred, or the agent executing actions predicated on environmental conditions that exist only in a planning graph branch. These four mechanisms address the failure modes from complementary directions: marker integrity, boundary traffic, lineage provenance, and observable behavior. A collapse that evades one is intended to be caught by another.
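A lineage consistency check and a containment audit, run over constructed records, as an added example that is not taken from the filing. The record layout (`promotion_id`, `content_hash`, `checks`, `marker`) and the use of SHA-256 to bind a lineage entry to its promoted content are assumptions made for illustration.

```python
import hashlib

GOVERNANCE_CHECKS = ("policy_compliance", "trust_slope_validation",
                     "integrity_impact_assessment", "capability_verification")

def digest(content):
    return hashlib.sha256(content.encode()).hexdigest()

def lineage_consistency_check(lineage, promotions):
    """Return (seq, reason) for each lineage entry without a fully validated promotion."""
    by_id = {p["promotion_id"]: p for p in promotions}
    findings = []
    for entry in lineage:
        promo = by_id.get(entry.get("promotion_id"))
        if promo is None:  # content bypassed the promotion interface
            findings.append((entry["seq"], "no promotion record"))
            continue
        missing = [c for c in GOVERNANCE_CHECKS if promo["checks"].get(c) is not True]
        if missing:        # governance gate failure
            findings.append((entry["seq"], "governance incomplete: " + ", ".join(missing)))
        elif promo["content_hash"] != entry["content_hash"]:
            findings.append((entry["seq"], "content differs from promoted content"))
    return findings

def containment_audit(planning_elements):
    """Return ids of planning-graph elements whose speculative marker is missing or altered."""
    return [e["id"] for e in planning_elements if e.get("marker") != "SPECULATIVE"]

# Constructed sample data (hypothetical schema).
ALL_PASS = dict.fromkeys(GOVERNANCE_CHECKS, True)
PROMOTIONS = [
    {"promotion_id": "p1", "content_hash": digest("task_status=failed"), "checks": ALL_PASS},
    {"promotion_id": "p2", "content_hash": digest("budget=10"),
     "checks": {**ALL_PASS, "trust_slope_validation": False}},
]
LINEAGE = [
    {"seq": 1, "promotion_id": "p1", "content_hash": digest("task_status=failed")},
    {"seq": 2, "promotion_id": "p2", "content_hash": digest("budget=10")},
    {"seq": 3, "promotion_id": None, "content_hash": digest("task_status=succeeded")},
    {"seq": 4, "promotion_id": "p1", "content_hash": digest("task_status=succeeded")},
]
PLANNING = [{"id": "b1", "marker": "SPECULATIVE"}, {"id": "b2", "marker": None}]
```

Entry 2 corresponds to the governance gate failure mode, entries 3 and 4 to content reaching the lineage outside a valid promotion, and element `b2` to a stripped marker.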

The Containment Restoration Protocol

When containment collapse is detected, the system initiates a containment restoration protocol. The protocol first suspends the agent's execution authority, preventing the agent from committing further mutations until containment is restored. It then quarantines the affected planning graph structures, isolating them from both the forecasting engine and the verified execution memory domain.

Lineage forensic analysis identifies which speculative content, if any, was incorrectly admitted to verified execution memory and marks it for rollback. Verified state reconstruction rebuilds the agent's verified execution memory from the most recent governance-validated checkpoint, excluding any content that entered through a breached containment boundary. Finally, containment layer re-initialization reconstructs the architectural boundary with fresh speculative markers, isolation enforcement, and promotion interface validation. The protocol treats containment collapse as a recoverable fault: the agent is halted, the contamination is traced and excised, the verified state is restored to a known-good checkpoint, and the boundary is rebuilt before execution authority is returned.

Relationship to Slope-Constrained Promotion

The containment boundary works in concert with the promotion pathway it gates. The promotion interface does not admit arbitrary speculative content. It subjects each candidate branch to the full governance evaluation pipeline, comprising policy compliance, trust slope validation, integrity impact assessment, and capability verification, and either admits the candidate to verified execution memory as a committed mutation or rejects it and returns it to the speculative domain with a rejection annotation. Only slope-eligible branches, those whose hypothetical Derived Anchor Hash maintains trust slope continuity, may be promoted, and that filtering happens prospectively before a candidate reaches the interface.

This division of labor is what the boundary depends on. The slope constraint and the governance pipeline determine which speculative branches are permitted to cross. The containment layer ensures that nothing crosses except through that pipeline, that everything in the planning domain carries the speculative marker until it does, and that the verified domain never reads or records speculative content as committed state. The forecasting engine can therefore explore broadly, including branches that are introspective or slope-ineligible and will never be promoted, without any risk that exploration is mistaken for commitment.

Disclosure Scope

The containment layer and the delusion boundary condition are disclosed in the cognition filing (U.S. Application No. 19/647,395 and its international counterpart). The disclosure comprises: the structural separation between the planning graph domain and verified execution memory; the immutable speculative marker stripped only by governance-validated promotion; read isolation and lineage exclusion of speculative content; the delusion boundary as a formally specified pathological state; the containment collapse failure modes of marker corruption or stripping, read isolation breach, and governance gate failure; the containment integrity verification mechanisms of periodic containment audits, boundary crossing monitors, lineage consistency checks, and behavioral coherence monitors; and the containment restoration protocol of execution suspension, quarantine, lineage forensic analysis, verified state reconstruction from a governance-validated checkpoint, and containment layer re-initialization. This article describes that disclosed mechanism. The scope extends to deployments in which the containment layer is enforced at the substrate level or, in embodied deployments, at the hardware level through memory protection units or trusted execution environments. It also extends to executive graphs that maintain their own containment layers structurally separate from those of the individual agents' planning graphs, provided the separation between speculative and verified state remains enforced through the sole governance-validated promotion interface.