Governed Actuator Execution

by Nick Clark | Published April 25, 2026

Governed actuator execution is the fourth property of the five-property governance chain, the property that separates an admitted intent from a physically committed actuation. Once an admissibility mode has been selected by upstream chain stages, this primitive translates the selected mode into a governed actuator commitment: a reversibility evaluation is performed, harm-minimization constraints are applied under the credentialed configuration, and post-actuation verification is bound to the same lineage that authorized the act. The primitive distinguishes intent from execution by treating continue, defer, refuse, and partial as graduated execution modes rather than a binary go/no-go. Each mode carries different actuator-side commitments, different rollback expectations, and different post-actuation verification obligations. The result is an execution surface where every physical effect has a credentialed pre-image and a credentialed post-image, and the path between them is itself an artifact of the chain.


Mechanism and Primitive Description

The primitive operates as a transformation from a chain-selected admissibility mode into a bounded actuator commitment record. Inputs to the transformation are the upstream admission artifact (carrying authorities, evidence, and the selected mode), the actuator's declared capability envelope, the credentialed configuration set under which the actuator is permitted to operate, and the current observed-state vector from the local mesh region. The output is an actuator commitment that names the actuating unit, the bounded action it is authorized to take, the reversibility class assigned to that action, the harm-minimization constraints that bind it, and the verification schedule that must succeed for the action to enter the chain as a completed observation.

Reversibility evaluation is a first-class step rather than an afterthought. Each candidate actuation is classified into a reversibility tier — fully reversible, recoverable with declared cost, partially reversible within a stated horizon, or terminal — and the assigned tier modulates the admissibility threshold the upstream chain must have cleared. Terminal actuations require additional credential weight; recoverable actuations may proceed under lighter authority, but only with bound rollback procedures attached. Harm minimization operates as a constraint solver across the credentialed configuration: where multiple actuations satisfy the admitted intent, the primitive selects the one whose worst-case harm vector is bounded under the declared profile.

Post-actuation verification closes the loop. The actuator emits a credentialed observation describing what it physically did, the local mesh emits independent observations of the resulting state, and a deviation analysis compares the two against the bounded action that was authorized. The deviation record — whether null, within tolerance, or out-of-envelope — enters the chain and becomes admissible evidence for downstream stages and for any subsequent dispute, replay, or after-action governance review.
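As an added example (not code from the disclosure), the following Python sketches the deviation analysis described above, with the verification-timeout default from the failure-mode parameters folded in; the field names, tolerance bands and constructed observations are assumptions.

```python
# Added example (not the disclosure's own code). Field names, the tolerance
# band and the constructed observations below are assumptions for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Observation:
    lineage: str     # lineage of the authorization this observation is bound to
    source: str      # "actuator" or a mesh node id
    state: dict      # observed quantities, e.g. {"slew_deg": 30.0}

NULL, WITHIN, OUT = "null", "within_tolerance", "out_of_envelope"

def deviation(lineage: str, authorized: dict, tolerance: dict,
              actuator_obs: Optional[Observation], mesh_obs: list) -> dict:
    """Compare the actuator's own report and independent mesh observations
    against the bounded action that was authorized; return a deviation record."""
    # Failure-mode default from the text: verification timed out (no actuator
    # report) -> unverified completion, treated downstream as out-of-envelope.
    if actuator_obs is None:
        return {"class": OUT, "reason": "verification timeout", "unverified": True}
    # Every observation must be bound to the lineage that authorized the act.
    if any(o.lineage != lineage for o in [actuator_obs, *mesh_obs]):
        return {"class": OUT, "reason": "lineage mismatch"}
    worst, errors = 0.0, {}
    for key, target in authorized.items():
        # Keys absent from the tolerance table get a zero-width band, so any
        # deviation on them (e.g. a release that a partial commit forbade) is OUT.
        band = tolerance.get(key, 0.0)
        values = [o.state.get(key) for o in [actuator_obs, *mesh_obs]]
        if any(v is None for v in values):
            return {"class": OUT, "reason": f"{key} unobserved"}
        err = max(abs(v - target) for v in values)   # worst observer wins
        errors[key] = err
        ratio = 0.0 if err == 0 else (err / band if band else float("inf"))
        worst = max(worst, ratio)
    cls = NULL if worst == 0.0 else WITHIN if worst <= 1.0 else OUT
    return {"class": cls, "errors": errors, "lineage": lineage}

def sample_verification() -> dict:
    """Constructed: a partial commit authorized a 30-degree slew with no release."""
    authorized = {"slew_deg": 30.0, "release": 0.0}
    tolerance = {"slew_deg": 0.5}
    actuator = Observation("lin-001", "actuator", {"slew_deg": 30.0, "release": 0.0})
    mesh = [Observation("lin-001", "node-7", {"slew_deg": 30.2, "release": 0.0})]
    return deviation("lin-001", authorized, tolerance, actuator, mesh)
```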

Operating Parameters and Engineering Envelope

The mode-selection envelope spans four graduated execution modes. Continue permits the full bounded action under the admitted authority. Defer records the admitted intent but suspends physical commitment pending an additional credentialed event — typically a human concurrence, a supervisory mesh acknowledgement, or a sensor-confirmation gate. Refuse emits a credentialed non-actuation record so the chain reflects that an authorized intent was deliberately not committed and the rationale is preserved. Partial commits a bounded subset of the action — for example, a slew without a release, a power-up without a discharge, a route change without a throttle change — under explicit subset constraints that downstream verification can check against.

Engineering parameters include the reversibility-tier table for each actuator class, the harm-vector dimensions declared in the credentialed configuration, the verification-schedule timeouts (which must be tight enough to bound exposure but loose enough to accommodate physical settling), and the deviation tolerance bands that separate nominal completion from anomaly. Latency budgets are split across admission decoding, reversibility classification, harm-minimization solve, and actuator dispatch; for high-rate actuators these stages are pipelined against the admission stream so that successive actuations can be in different phases simultaneously without violating ordering.

Operational parameters bind authority weight to mode and tier. A given authority bundle authorizes a specific (mode, reversibility-tier) cross-product; selecting a heavier mode or a more terminal tier requires additional or higher-weight credentials. The envelope is parameterized so that operators can tighten it for safety-critical regimes — for example, requiring two independent authorities for any terminal actuation — or relax it for low-stakes adaptation, all without changing the underlying primitive. Verification cadences may also be configured: continuous verification for high-risk actuators, sampled verification for routine actuators, on-demand verification for actuators behind cost-sensitive sensing.

Failure-mode parameters declare what the runtime does when a stage of the primitive itself fails. If reversibility classification cannot be performed (for example, because the actuator's declared envelope is unavailable), the primitive defaults to the most conservative tier and refuses any non-reversible action under the default. If harm minimization cannot be solved within latency budget, the primitive defers and emits a credentialed defer record naming the unmet constraint. If post-actuation verification times out, the primitive emits a credentialed unverified-completion record that downstream chain stages treat as out-of-envelope evidence. These failure-mode defaults are themselves declared in the credentialed configuration, so an operator can choose conservative or aggressive defaults bounded by their authority.
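As an added illustration (not the disclosure's own code), the following Python models the commitment step described in this section: the (mode, reversibility-tier) authority-weight gate, the two-authority rule for terminal actuations, the bound-rollback requirement for recoverable ones, and the conservative default when the actuator envelope is unavailable. Tier and mode names follow the text; the thresholds, record fields and the choice to map an unmet constraint to defer are assumptions.

```python
# Added example (not the disclosure's own code). Tier and mode names follow the
# text; the weight thresholds, record fields and sample inputs are assumptions.
from dataclasses import dataclass
from typing import Optional

TIERS = ("fully_reversible", "recoverable", "partially_reversible", "terminal")
# Credentialed configuration (constructed values): minimum authority weight per
# (mode, tier), independent authorities for a terminal commit, default tier.
CONFIG = {
    "min_weight": {("continue", t): w for t, w in zip(TIERS, (1, 2, 3, 4))}
                | {("partial", t): w for t, w in zip(TIERS, (1, 1, 2, 3))},
    "terminal_min_authorities": 2,
    "default_tier": "terminal",
}

@dataclass
class Admission:
    mode: str            # continue | defer | refuse | partial
    authorities: list    # (authority_id, weight) pairs carried by the admission
    lineage: str

@dataclass
class Commitment:
    mode: str
    tier: str
    lineage: str         # same lineage that authorized the act
    rationale: str

def commit(adm: Admission, envelope: Optional[dict], cfg: dict = CONFIG) -> Commitment:
    """Translate an admitted mode into a bounded actuator commitment record."""
    if adm.mode in ("defer", "refuse"):       # no physical commitment either way
        return Commitment(adm.mode, "n/a", adm.lineage, "no actuation committed")
    # Failure-mode default: no envelope -> most conservative tier, under which
    # no non-reversible action may proceed.
    if not envelope or "tier" not in envelope:
        return Commitment("refuse", cfg["default_tier"], adm.lineage,
                          "reversibility unclassifiable; conservative default")
    tier = envelope["tier"]
    weight, need = sum(w for _, w in adm.authorities), cfg["min_weight"][(adm.mode, tier)]
    unmet = []
    if weight < need:
        unmet.append(f"authority weight {weight} < {need}")
    if tier == "terminal" and len({a for a, _ in adm.authorities}) < cfg["terminal_min_authorities"]:
        unmet.append("second independent authority required")
    if tier == "recoverable" and not envelope.get("rollback"):
        unmet.append("rollback procedure not bound")
    # Assumption: unmet constraints defer (naming the gap) rather than refuse.
    if unmet:
        return Commitment("defer", tier, adm.lineage, "; ".join(unmet))
    return Commitment(adm.mode, tier, adm.lineage, "bounded action admitted")
```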

Alternative Embodiments

The primitive admits embodiments across hardware classes. A defense-system embodiment binds the four execution modes to weapon-release semantics, with terminal actuations requiring a two-authority credential and post-actuation verification driven by sensor fusion across the local mesh. A surgical-robotics embodiment binds modes to instrument motion, with reversibility tiers reflecting tissue-impact classes and harm minimization solving across surgeon-declared tolerances. An industrial-automation embodiment binds modes to process steps with rollback procedures encoded as inverse process recipes.

Software-only embodiments are also within scope. A configuration-deployment embodiment treats configuration commits as actuations, with defer mapping to staged rollout, partial mapping to canary deployment, and refuse mapping to a credentialed rejection that propagates back to the requestor with rationale. A financial-settlement embodiment treats irrevocable settlement as a terminal actuation requiring elevated authority weight, with verification consuming downstream confirmation feeds. The primitive is indifferent to actuator substrate so long as the actuator can emit a credentialed observation of what it physically (or computationally) committed.

Composition with Adjacent Primitives

Within the five-property chain, this primitive consumes the admissibility-mode selection produced by Property 3 and produces the credentialed outcome record consumed by Property 5 (post-execution governance closure). Upstream, it depends on the credentialed observation primitive for state evidence and on the lineage primitive for authority traceability; downstream, its outcome records feed dispute mechanisms, replay tooling, and after-action audit. Each commitment is itself an admissible event, so any subsequent chain that needs to act on the consequence of this actuation begins from a credentialed pre-image.

The primitive composes with Byzantine-robust admission so that an actuator under conflicting authorities can only execute against a chain-resolved decision; with stage-gated rollout so that a single logical actuation can be decomposed into a sequence of bounded physical actuations, each independently governed; and with health-monitoring attestations so that an actuator failing self-attestation cannot be selected as the executing unit. Composition with cross-mesh reconciliation lets a coalition operate shared actuators where authority is admitted in one mesh and execution committed in another, with the lineage preserved across the boundary.

Prior-Art Distinctions

Conventional actuator-control systems separate authorization from execution at most via a single authorization token; reversibility, harm minimization, and post-actuation verification are typically left to higher-level mission systems or to the operator. Safety-rated control systems (for example, IEC 61508 functional-safety stacks) provide deterministic execution but do not bind execution to a credentialed multi-authority chain, do not encode graduated modes beyond go/no-go interlocks, and do not produce a credentialed outcome record that is itself admissible to downstream governance.

This primitive is distinct in three dimensions. First, the four-mode envelope (continue / defer / refuse / partial) is a primitive-level commitment surface, not an application-layer convention; the chain understands and reasons about each mode. Second, reversibility classification and harm-minimization constraints bind to the actuator's declared envelope and the credentialed configuration, producing a per-actuation bounded action rather than a fixed safety interlock. Third, post-actuation verification is closed-loop into the same chain that authorized the act, so the deviation record is admissible evidence with the same authority weight as the authorization itself. No prior actuator-governance system known to the inventor unifies these three properties under a single primitive.

Disclosure Scope

The disclosure covers methods, systems, and computer-readable media implementing governed actuator execution as Property 4 of the five-property governance chain. It encompasses the transformation from admitted intent to bounded actuator commitment, the four-mode execution envelope and its mapping to authority weight and reversibility tier, the harm-minimization constraint solver operating over a credentialed configuration, the post-actuation verification loop that produces a credentialed deviation record, and the lineage binding from authorization through commitment through verification.

Embodiments expressly contemplated include physical actuators (defense, robotics, industrial, medical, transportation, energy), software actuators (configuration deployment, settlement, model promotion), and mixed-substrate actuators that combine physical and computational effects. The disclosure extends to multi-mesh embodiments where authorization and execution cross mesh boundaries under reconciled lineage, and to embodiments where the four-mode envelope is extended with additional graduated modes provided each is bound to the same reversibility, harm-minimization, and verification structure.

Invented by Nick Clark. Founding investors: Anonymous, Devin Wilkie.