Hierarchical Governance Composition

1. Mechanism: Recursive Chain Composition Across Scopes

Hierarchical governance composition specifies that the five-property governance chain — authority-credentialed observation, evidential weighting, composite admissibility, governed actuator execution, lineage-recorded provenance — operates simultaneously at four declared scopes: a unit scope (a single vehicle, robot, sensor cluster, or device), a region scope (an intersection, port apron, airspace sector, building, microgrid), a jurisdiction scope (a regulator's territorial authority, a network operator's domain, a fleet operator's enterprise boundary), and a coalition scope (multiple jurisdictions operating under a declared federation agreement). Each scope runs an instance of the chain over inputs drawn from its own horizon and produces, as outputs, credentialed observations that the next-enclosing scope admits as credentialed inputs.

The composition is structural rather than orchestrational. Lower-scope chains do not subordinate to higher-scope chains as a master/slave relationship; they operate autonomously over their declared horizon while admitting higher-scope directives as authority-credentialed inputs to property 1 of the lower-scope chain. A unit-scope chain rejecting a region-scope directive — because the directive fails property 3 admissibility under the unit-scope chain's local context — is a structurally permitted outcome, recorded in lineage and auditable by the higher scope. The architecture is therefore not a command tree but a credentialed-input lattice: every scope accepts inputs from any other scope under credential, weights them, and decides admissibility under its own composite evaluation.

Bidirectional flow is the load-bearing element. Observations and actuation-state reports propagate upward (a unit's odometry, sensor confidence, anomaly flags become observations to the region chain; the region chain's aggregate admissibility decisions become observations to the jurisdiction chain). Directives, policy updates, and credential revocations propagate downward (a coalition revokes an authority class; the revocation arrives as a credentialed observation that each lower scope's property-1 input gate admits and each lower scope's property-3 evaluation incorporates). Both directions traverse the same five-property chain at every scope boundary.

2. Operating Parameters and Engineering Envelope

Each scope declares a horizon manifest specifying its credential-issuing authorities, the authority classes it admits as inputs, the actuator commitments it is authorized to govern, and the upward and downward neighbors with which it federates. Manifests are signed by the credentialing authority of the next-enclosing scope; a unit-scope manifest is signed by a region-scope authority, a region-scope manifest by a jurisdiction-scope authority, and so on. Manifest rotation is governed by the same five-property chain that governs operational mutations: a manifest update is an observation, evaluated for admissibility, executed as a governed mutation, and lineage-recorded.

Engineering parameters include scope depth (typically two to four levels for terrestrial cyber-physical deployments; coalition scope optional and only present where federation agreements exist), credential descent rules (a credential issued at scope N can authorize observations at scope N or below, but cannot directly authorize observations at scope N+1 unless the higher scope's chain admits the credential through its own property-1 evaluation), and lineage stitch rules (each scope-crossing observation carries its originating-scope lineage hash, and the receiving scope appends its own lineage record without rewriting the origin).

Latency budgets are scope-specific: unit-scope chains typically operate at sub-millisecond cadence (sensor sampling and actuator gating timeframes), region-scope chains at tens to hundreds of milliseconds (handoff coordination, intersection arbitration), jurisdiction-scope chains at seconds to minutes (policy distribution, fleet directives), and coalition-scope chains at minutes to hours (treaty-grade governance, regulatory updates). The architecture does not require synchronous coupling across scopes; lower-scope chains continue operating under their last admitted higher-scope state when upward connectivity is degraded, with degraded-mode observations entering lineage for later reconciliation.

Authority capacity envelopes are declared per scope as part of the manifest. A region-scope chain declares the maximum number of unit-scope chains it federates with, the maximum observation rate it admits per unit, the credential rotation cadence it requires of subordinate scopes, and the lineage retention window it commits to maintain. Capacity declarations are themselves credentialed observations, evaluable by enclosing scopes for plausibility, and are recorded in lineage so that capacity-related disputes (a unit alleging a region scope dropped observations beyond declared capacity) are resolvable through forensic reconstruction. The architecture assumes finite capacity at every scope and treats capacity overflow as a structurally observable mode (property 3 emits a graduated-capacity-degraded admissibility decision) rather than as undefined behavior.

3. Alternative Embodiments

Scope counts are not fixed at four. A small deployment may operate two scopes (unit and operator); a large international deployment may operate five or more (unit, region, national, supranational, treaty coalition). The architecture is recursive; any number of scopes compose so long as each declares a manifest signed by the next-enclosing scope. Scopes need not be geographic: a logical scope (a mission tasking authority, a clinical trial governance board, a cross-corporate safety panel) composes identically with geographic scopes provided its manifest declares its credential-issuing authority.

Scope topologies may be tree, lattice, or hybrid. A tree topology assigns each lower-scope to exactly one higher-scope parent; a lattice topology permits a lower-scope chain to federate with multiple higher-scope parents under separate credentials (a vehicle operating under both a state regulator's chain and a fleet operator's chain). Lattice composition requires explicit conflict-resolution rules within property-3 admissibility evaluation; the architecture discloses both deterministic priority orderings and weighted reconciliation as supported alternatives. Embodiments include peer-only composition (no upward scope; multiple unit-scope chains federate horizontally under a coalition-scope manifest with no jurisdictional layer), useful for cross-operator interoperation in unregulated domains, and embedded-only composition (a single physical platform hosts multiple logical scopes internally, e.g., subsystem chains within a vehicle chain), useful for safety-critical avionics and medical-device architectures.

4. Composition with Adjacent Primitives

Hierarchical composition is the structural carrier for cross-scope authority operations: cross-jurisdictional handoff (a vehicle crossing a state boundary; the receiving jurisdiction-scope chain admits the originating jurisdiction's credential under its declared coalition-scope federation), regulatory directive propagation (a federal rule update entering at jurisdiction scope and descending to unit scope through credentialed observations), and lineage federation across audit boundaries (a forensic reconstruction request at coalition scope traverses lineage records issued at every lower scope under their respective credentials).

The primitive composes with byzantine-resistance evaluation (each scope's property-3 admissibility incorporates byzantine quorum tests over its admitted inputs, including inputs from neighboring scopes), with no-consensus federation (cross-scope reconciliation operates under divergence-bound lineage merge rather than synchronous global consensus), with marketplace primitives (a port-berth marketplace operates at region scope with participant credentials issued at jurisdiction scope), and with the disruption-cascade primitive (cascade observations propagate upward from unit to region to jurisdiction scope with credential preservation, supporting cross-scope situational awareness without sacrificing per-scope autonomy). It also composes with the federated-skill-training primitive: skill artifacts trained at unit scope are credentialed by region-scope authorities and propagated upward for jurisdictional review, creating a hierarchically-credentialed skill supply chain.

5. Prior-Art Distinctions

Prior multi-scope architectures fall into three classes, each structurally distinct from the disclosed primitive. PKI hierarchies (X.509, web-PKI, government PIV) compose credentialing hierarchically but do not run a five-property governance chain at each scope; they verify signatures but do not perform composite admissibility evaluation, governed actuator execution, or recursive lineage closure. Federated identity systems (SAML, OIDC federation) compose authentication hierarchically but terminate at identity assertion; they do not extend to actuator governance or to bidirectional observation-and-directive flow.

Hierarchical control systems in industrial automation (ISA-95 layered architectures, supervisory control hierarchies) compose control authority across plant, supervisory, and enterprise layers but lack credential descent under signed manifests, lack cross-layer admissibility evaluation as a structural property, and lack lineage stitching across layers. Multi-agent systems and federated learning architectures compose information flow hierarchically but do not gate actuator commitments under credentialed admissibility at every layer. The disclosed primitive's distinguishing features are: (i) the same five-property chain at every scope, (ii) signed-manifest credential descent, (iii) bidirectional credentialed flow, and (iv) lineage stitching without origin rewrite.

6. Disclosure Scope

Disclosed under USPTO provisional 64/049,409 (Governed Spatial Mesh) is the recursive composition of the five-property governance chain across declared scopes, where each scope operates the chain over its horizon, declares a manifest signed by the next-enclosing scope, admits cross-scope observations and directives through its property-1 input gate under credential, and contributes lineage records that stitch across scope boundaries without rewriting origin lineage. The disclosure encompasses tree, lattice, and hybrid scope topologies; geographic, logical, and embedded scope embodiments; two-scope through arbitrarily-deep scope counts; and all credential schemes, signature primitives, and lineage storage technologies that satisfy the structural properties.

Coverage extends to systems that exhibit the structural test even where the implementer does not name the layers as "scopes" or "chains": any cyber-physical architecture in which multiple credentialed governance layers run authority-weighted admissibility over actuator commitments, with bidirectional credentialed flow and lineage stitching, reads on the disclosed primitive. The disclosure is technology-neutral with respect to implementation language, transport, and credential format, consistent with the umbrella claim's commercial-life durability requirement.