Composite Admissibility Evaluation
by Nick Clark | Published April 25, 2026
Composite admissibility constitutes Property 3 of the five-property governance chain. Weighted credentialed observations, drawn from multiple admissibility profiles, compose into a single admissibility decision against a proposed mutation. Unlike binary access control or threshold-based authorization, the composite evaluation produces a graduated outcome — continue, defer, refuse, or partial — selected from a defined mode set, and that selection itself enters lineage as a credentialed event subject to downstream audit.
Mechanism
A proposed mutation arrives at the governance chain bearing a manifest of contributing admissibility profiles. The five canonical contributors are jurisdiction, operating-class, authority-class, license-class, and safety-class, but the chain is open under governance-credentialed registration. Each contributing profile produces a weighted observation: a tuple consisting of (profile-identifier, admit-state, weight, supporting-credential, evaluation-timestamp). The admit-state is itself a graduated quantity rather than a boolean — admit, conditionally-admit, defer-pending-resolution, refuse-with-rationale — and the weight reflects the profile's authority over the mutation domain as established by prior governance.
The composition operator consumes the full set of weighted observations and produces a composite admissibility envelope. Three canonical composition rules are specified. Intersection composition admits only the operations admitted by every contributing profile and is appropriate where all profiles claim coextensive authority. Weighted intersection scales each profile's contribution by its registered weight, producing a graduated composite: an operation receiving high-weight admission from four profiles and low-weight refusal from a fifth may compose to a partial-admission outcome rather than an outright refusal. Hierarchical composition orders profiles by precedence — typically jurisdiction over license, license over operating-class — such that a higher-precedence refusal masks lower-precedence admissions, while admissions propagate downward.
The composite evaluator selects an outcome from the defined mode set. Continue authorizes the mutation to proceed against the composite envelope. Defer suspends the mutation pending arrival of a missing or stale credential. Refuse rejects the mutation with a structured rationale referencing the dispositive contributing observations. Partial admits a restricted form of the mutation — for instance, a query may execute against a subset of the lineage graph corresponding to the admitting profiles' coverage, while the non-admitting region is excluded from the result envelope. The selected mode, the contributing observations, the composition rule, and the resulting envelope are written to the governance ledger as a single composite-admissibility event.
The mode set is open under governance amendment, but four modes constitute the canonical floor required for the property to operate. A continue outcome carries with it the composite envelope as a structural constraint on the resulting mutation; a partial outcome additionally carries a coverage map enumerating the lineage regions, attribute sets, or temporal windows over which the mutation is admitted. A defer outcome carries a deferral disposition specifying which credentials must be refreshed and the deadline beyond which the deferred mutation is recategorized as refused. A refuse outcome carries a refusal disposition referencing the contributing observations and the composition arithmetic that produced the dispositive result, allowing the originating operator to remediate the specific shortfall rather than re-submitting blindly.
Operating Parameters
The composition admits parametric tuning along several axes. Profile cardinality typically ranges from two to twelve contributing profiles per mutation; implementations have been characterized at up to thirty-two profiles with composition latency staying on the order of milliseconds on contemporary hardware, though typical defense and critical-infrastructure deployments exercise four to seven profiles. Weight precision is governance-configurable; reference implementations use a fixed-point representation with three decimal places of precision, sufficient to resolve the graduated outcomes without introducing floating-point reproducibility hazards in the audit ledger.
Credential staleness windows are profile-specific. Jurisdiction profiles typically tolerate credential ages of hours to days, reflecting the comparatively slow evolution of legal authority. Operating-class and safety-class profiles often require credentials issued within seconds to minutes of evaluation, reflecting the volatility of operational state. The composition operator treats expired credentials as defer-eligible rather than refuse-eligible by default, prompting refresh rather than rejection; this default is governance-overridable per profile.
Mode selection is parametrized by a refusal-precedence policy. The default policy is conservative: any contributing refuse with weight above a configured threshold produces a composite refuse. Permissive variants allow weighted-intersection arithmetic to overcome a single low-weight refusal, while strict variants escalate any refuse to a composite refuse regardless of weight. The policy itself is a credentialed object subject to governance amendment, and its identifier enters the lineage record of every composite evaluation.
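The following sketch is an added example, not code from the disclosure or any reference implementation. It models the weighted-observation tuple, the default defer-on-stale behavior, and the conservative and strict refusal-precedence policies, and it hashes a canonical form of the event so that re-execution can be compared against the record. The admitted-share arithmetic, the ordering of the checks, the field names, the 0.500 threshold, and the staleness windows are assumptions.

```python
import hashlib, json
from dataclasses import dataclass, asdict

ADMIT, COND, DEFER, REFUSE = ("admit", "conditionally-admit",
                              "defer-pending-resolution", "refuse-with-rationale")

@dataclass(frozen=True)
class Observation:                 # the weighted-observation tuple
    profile: str
    state: str
    weight: int                    # fixed-point thousandths: 0.900 -> 900
    credential: str
    evaluated_at: int              # epoch seconds; credential age counted from here

def evaluate(obs, now, max_age, policy="conservative", threshold=500):
    """Compose observations into one ledger event (arithmetic is assumed)."""
    obs = sorted(obs, key=lambda o: o.profile)      # record is order-independent
    fresh = [o for o in obs if now - o.evaluated_at <= max_age[o.profile]]
    stale = [o.profile for o in obs if now - o.evaluated_at > max_age[o.profile]]
    refusing = [o for o in fresh if o.state == REFUSE]
    dispositive = [o.profile for o in refusing
                   if policy == "strict" or o.weight > threshold]
    pending = stale + [o.profile for o in fresh if o.state == DEFER]
    if dispositive:
        mode, detail = "refuse", {"dispositive": dispositive}
    elif pending:                                   # expired credentials defer by default
        mode, detail = "defer", {"refresh": pending}
    elif refusing:                                  # only low-weight refusals remain
        admitting = [o for o in fresh if o.state in (ADMIT, COND)]
        total = max(sum(o.weight for o in fresh), 1)
        mode, detail = "partial", {
            "coverage": [o.profile for o in admitting],
            "admitted_per_mille": 1000 * sum(o.weight for o in admitting) // total}
    else:
        mode, detail = "continue", {}
    event = {"rule": "weighted-intersection", "policy": policy, "threshold": threshold,
             "now": now, "mode": mode, "detail": detail,
             "observations": [asdict(o) for o in obs]}
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    event["digest"] = hashlib.sha256(body.encode()).hexdigest()
    return event

MAX_AGE = {"jurisdiction": 86400, "operating-class": 60, "authority-class": 60,
           "license-class": 3600, "safety-class": 30}     # seconds; constructed

def sample(now=1_000_000):                          # constructed observations
    mk = lambda p, s, w, age: Observation(p, s, w, f"cred-{p}", now - age)
    return [mk("jurisdiction", ADMIT, 900, 3600), mk("operating-class", ADMIT, 800, 5),
            mk("authority-class", ADMIT, 800, 5), mk("license-class", ADMIT, 700, 60),
            mk("safety-class", REFUSE, 200, 2)]
```

With the constructed sample, four admissions and one low-weight safety-class refusal compose to partial under the conservative policy and to refuse under strict; evaluating the same observations 120 seconds later yields defer because the short-window credentials have expired.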
Alternative Embodiments
In one embodiment, the contributing profiles are evaluated synchronously by a single co-located evaluator, with composition performed in-process. This embodiment minimizes latency and is appropriate for trusted single-operator deployments. In a second embodiment, profile evaluation is distributed across independent authority services, each producing signed weighted observations that the composition operator aggregates; this embodiment supports cross-jurisdictional and multi-operator deployments where no single party holds authority over all profiles.
A third embodiment extends weighted-intersection composition with byzantine-robust aggregation. Where adversarial or compromised profile authorities are anticipated, the aggregator applies a quorum threshold over signed observations, treating below-threshold profile cohorts as deferred rather than admitting. A fourth embodiment introduces temporal composition: a mutation that fails composite admissibility at evaluation time may be re-evaluated against subsequent credential refreshes within a bounded window, producing eventual admission without operator intervention where the underlying refusal was driven by stale rather than substantive grounds.
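The quorum step of the third embodiment, as an added example rather than code from the disclosure: each profile is served by a cohort of authorities, observations with unknown signers or failed verification are dropped, an authority that signs conflicting observations is voided, and a profile whose leading vote falls below the quorum is treated as deferred. HMAC tags stand in for real signatures, and the message layout, key table, and cohort names are assumptions.

```python
import hashlib
import hmac
from collections import Counter

DEFERRED = "defer-pending-resolution"

def sign(key, profile, authority, state, weight):
    """HMAC tag over one observation; stand-in for an asymmetric signature."""
    msg = "|".join((profile, authority, state, str(weight))).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def aggregate(signed, keys, quorum):
    """Map each registered profile to its quorum-backed (state, weight) or DEFERRED."""
    votes = {}                                  # (profile, authority) -> vote or None
    for profile, authority, state, weight, tag in signed:
        key = keys.get((profile, authority))
        if key is None:
            continue                            # unregistered authority
        if not hmac.compare_digest(tag, sign(key, profile, authority, state, weight)):
            continue                            # forged or altered observation
        vote = (state, weight)
        prior = votes.setdefault((profile, authority), vote)
        if prior != vote:
            votes[(profile, authority)] = None  # equivocation voids the authority
    result = {}
    for profile in sorted({p for p, _ in keys}):
        tally = Counter(v for (p, _), v in votes.items() if p == profile and v)
        top, count = tally.most_common(1)[0] if tally else (None, 0)
        result[profile] = top if count >= quorum else DEFERRED
    return result

def demo():                                     # constructed keys and observations
    keys = {(p, a): f"{p}/{a}".encode() for p in ("jurisdiction", "safety-class")
            for a in ("a1", "a2", "a3")}
    def obs(p, a, state, w, key=None):
        return (p, a, state, w, sign(key or keys[(p, a)], p, a, state, w))
    signed = [
        obs("safety-class", "a1", "admit", 800),
        obs("safety-class", "a2", "admit", 800),
        obs("safety-class", "a3", "refuse-with-rationale", 800, key=b"wrong"),
        obs("jurisdiction", "a1", "admit", 900),
        obs("jurisdiction", "a2", "refuse-with-rationale", 900),
        obs("jurisdiction", "a3", "admit", 900),
        obs("jurisdiction", "a3", "refuse-with-rationale", 900),  # equivocates
    ]
    return aggregate(signed, keys, quorum=2)
```

The per-profile results would then feed the composition operator as ordinary weighted observations; choosing a quorum above half the cohort size keeps two conflicting states from both reaching it.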
A fifth embodiment composes the admissibility evaluator with the dispute mechanism. Where any contributing observation is challenged, the composite outcome is annotated as provisional; the lineage record retains both the provisional outcome and the dispute reference, and any downstream operation admitting against the provisional composite inherits the dispute annotation, enabling structural rollback should the dispute resolve against the admission.
A sixth embodiment introduces continuous admissibility re-evaluation for long-running mutations. Where a mutation produces effects over an extended interval — a streaming query, a sustained data export, a long-lived authority delegation — the composite evaluator re-runs at governance-credentialed checkpoints against the contemporary credential set. A profile transitioning from admit to refuse mid-execution converts the running mutation to a partial outcome scoped to the already-emitted envelope, preserving the work performed under valid authority while terminating future emission. A seventh embodiment supports speculative composite evaluation: where a mutation depends on credentials anticipated to arrive, the evaluator may produce a speculative continue outcome bound to a credential-arrival deadline, with downstream effects buffered against the deadline rather than emitted immediately, and converted to refuse on deadline expiry without manual intervention.
Composition with Other Properties
Composite admissibility composes with the other four properties of the governance chain. Property 1 (credentialed observation) supplies the signed inputs. Property 2 (lineage-bound mutation) consumes the composite envelope as the authority for the resulting mutation record. Property 4 (dispute resolution) operates over the composite outcome and its contributing observations. Property 5 (audit reproducibility) verifies that re-execution of the recorded composition rule against the recorded observations reproduces the recorded mode selection.
The composition primitive also composes with cross-mesh reconciliation: a mutation admitted against one mesh's composite envelope produces a lineage-bound observation that, on reconciliation with a peer mesh, enters that peer's composite evaluation as a contributing profile. This recursive composition enables federation across operator boundaries without requiring uniform admissibility policy. Composite admissibility composes with health monitoring through the safety-class profile: a unit failing PUF challenge-response or tamper-evident-seal monitoring produces a refuse-weighted safety-class observation that propagates into every composite evaluation referencing that unit.
Prior-Art Distinction
Conventional access-control systems produce binary admit/deny outcomes from a single policy decision point. Role-based access control, attribute-based access control, and capability-based systems all reduce to a Boolean predicate over the subject, object, and action. Composite admissibility differs in three structural respects. First, the outcome is graduated across a defined mode set rather than Boolean. Second, the inputs are themselves graduated weighted observations rather than predicate evaluations. Third, the composition rule, the contributing observations, and the resulting envelope are each first-class lineage objects, not implementation artifacts of a policy engine.
Threshold-based authorization schemes — quorum signatures, m-of-n multisignature, and threshold cryptography — share with composite admissibility the structure of aggregating multiple authorities into a single decision. They differ in producing a Boolean outcome conditioned on a counting predicate over uniform-weight signers. Composite admissibility supports heterogeneous weights, heterogeneous admit-states across signers, and graduated outcomes; threshold authorization is recoverable as a degenerate case in which all weights are unity, all admit-states are Boolean, and the mode set is restricted to admit/refuse.
Policy combination algorithms in XACML and related frameworks aggregate multiple policy decisions through deny-overrides, permit-overrides, first-applicable, and only-one-applicable combinators. These combinators operate over Boolean per-policy outcomes and produce Boolean composite outcomes. Composite admissibility's weighted-intersection and hierarchical rules generalize these combinators to graduated inputs and graduated outputs, and the credentialed-observation substrate supplies a structural property — lineage-bound, audit-reproducible composition — that policy combination algorithms do not provide.
Disclosure Scope
The disclosure encompasses the composite admissibility evaluator as a structural primitive of the governance chain, the weighted-observation tuple format, the canonical composition rules (intersection, weighted intersection, hierarchical), the defined mode set (continue, defer, refuse, partial), and the lineage-bound recording of contributing observations, composition rule, and resulting envelope. The disclosure further encompasses the recursive composition of admissibility evaluators across mesh boundaries, the integration with dispute and audit primitives, and the parametric tuning of weight precision, staleness windows, and refusal-precedence policies.
Defense engagement decision-support involving multiple concurrent admissibility requirements gains structurally-supported composition: a single mutation can simultaneously honor jurisdictional rules-of-engagement, operating-class authority, and safety-class hardware integrity without bespoke per-deployment policy code. Civilian critical-infrastructure decision-support — energy dispatch, financial settlement, healthcare resource allocation — gains the same structure. The disclosure further supports composition evolution: as admissibility frameworks mature through operational experience and regulatory development, composition rules and mode sets update through the same governance-credentialed procedures that admit ordinary mutations, preserving lineage continuity across policy generations.
The disclosure expressly contemplates equivalents and variations within its scope. Profile cardinalities below the canonical five and above the typical seven are within scope, as are weight precisions below and above the reference three-decimal-place fixed-point. Composition rules beyond the three canonical (intersection, weighted intersection, hierarchical) are within scope where the rule is itself a credentialed object whose identifier enters lineage. Mode sets that extend the canonical four (continue, defer, refuse, partial) with additional graduated outcomes — provisional, escalate, redirect — are within scope so long as the additional modes preserve the lineage-bound recording property. Implementations applying the architecture in environments not enumerated in this disclosure — autonomous-systems coordination, regulated-research data-sharing federations, multi-party computation governance — are within scope where the composite admissibility primitive operates against the disclosed structural specification.