Lineage-Recorded Provenance

Mechanism

Each operation within the architecture emits a lineage record at the moment of completion. The record carries the triggering inputs, each with its own lineage reference so that the chain extends backward without duplication; the operation primitives applied, each identified by primitive identifier and primitive version, and each with its primitive signature; the operation authority under which the operation was performed, with the authority's credential chain; the operation outputs, each with a forward-flowing lineage reference allowing downstream operations to extend the chain forward; and a binding signature that ties triggering inputs, primitives, authority, and outputs into a tamper-evident unit. The five operation classes covered by the chain are observation, weighting, admissibility, actuation, and verification; each class records under the same record schema with class-specific extensions.

Lineage records are linked rather than copied. An operation that consumes an upstream evidence object references the upstream object's lineage by content hash and by retention pointer; the upstream lineage need not be embedded in the downstream record. The chain is therefore append-only at the operation site and traversable backward through retention pointers. Forward traversal is supported because consuming operations register back-references with the producing operation's retention authority where the retention regime requires it; in retention regimes that do not require back-references, forward traversal is performed against the retention service's index.

Tamper-evidence is structural. Each record's binding signature commits to the content hashes of the inputs, the primitive identifiers and versions, the authority's credential chain, and the output content hashes. Any modification to any of these components produces a signature mismatch detectable by any party with access to the public verification key of the operating unit. Cross-record tamper-evidence is achieved because the consuming operation's binding signature commits to the upstream record's hash, so modification of an upstream record would propagate as a mismatch at every downstream consumer.

Operating Parameters

Retention authority, retention duration, and access controls are declared in each lineage record. Defence-class operations retain under the period mandated by the governing defence authority, often measured in years; civilian critical-infrastructure operations retain under the relevant sectoral regulator's schedule; commercial operations retain under the operating unit's published governance, with a minimum period sufficient to support cross-authority audit. Access controls are themselves recorded so that downstream auditors can determine, without out-of-band inquiry, who is authorised to retrieve the record and under what credentials.

Forensic reconstruction at a past time T proceeds by selecting the lineage records whose operation timestamp falls within the relevant window, traversing each record's input lineage references backward to the bounded depth required for the reconstruction, and replaying the operation primitives over the recovered inputs. Because primitive identifier and primitive version are recorded, the reconstruction uses the same primitive code path as the original operation, eliminating the class of audit failures in which the audit tool diverges from the production code. Reconstruction is bounded in cost by the depth and fan-in of the chain; deployments declare the reconstruction-time-budget envelope and prune lineage detail outside the envelope through governance-credentialed compaction.

Cross-authority audit is supported because each record's authority credential chain is independently verifiable against the issuing authority's public verification material. An auditor operating under one authority who is presented with a record signed under a second authority can verify the second authority's credential chain without requiring the first authority to vouch for the second. Where authority graphs are partially disjoint, the architecture supports federated verification through cross-authority attestations recorded as their own lineage events. Byzantine-robust lineage evaluation tolerates a bounded fraction of compromised authority signatures within a corroborating set, with the bound declared per operation class.

Alternative Embodiments

In one embodiment, lineage records are stored in an append-only retention service operated by the operating unit's governing authority; retrieval is through credentialed query against the service. In a second embodiment, records are stored in a federated retention substrate in which multiple authorities operate replicas and consistency is enforced through cross-authority attestations; this embodiment supports cross-jurisdictional audit without privileging any single retention authority. In a third embodiment, records are stored in a content-addressed substrate with retention pointers held by the governing authority and content held in a wider availability layer; this embodiment optimises for long-retention archival.

Compaction admits several variants. Hash-tree compaction reduces a depth-bounded subchain to a single Merkle root committed by the original operation's authority, preserving tamper-evidence at the cost of replayability inside the compacted region. Summary compaction replaces fine-grained primitive invocations with a coarser operation summary signed by the same authority, preserving replayability at the operation level at the cost of primitive-level replayability. Hybrid compaction applies different regimes to different chain regions according to the retention policy declared per region.

Record schemas may be extended per operation class while preserving the common core. Observation records carry sensor identity and observation context; weighting records carry the weighting function and inputs; admissibility records carry the profile and verdict; actuation records carry actuator identity and actuation parameters; verification records carry the verification primitive and outcome. The common core ensures that any auditor can traverse any record without class-specific tooling for the traversal itself, even where class-specific tooling is required for full interpretation.

Composition

Lineage-recorded provenance composes with all other primitives in the architecture. The admissibility-as-skill-router primitive emits routing decisions as lineage events; the lineage-evidence-admissibility primitive emits admission decisions as lineage events; the actuation primitives emit actuation events; the verification primitives emit verification events. Every operation class produces records under the same schema with class-specific extensions, allowing a single audit traversal to recover an end-to-end operation history without changing tools at each operation boundary.

Cross-mesh lineage is supported because retention pointers may resolve across mesh boundaries through cross-mesh attestations. Byzantine-robust lineage evaluation is supported because corroboration topology is declared per record class. Dispute mechanism integration is supported because every disputed operation's dispute and resolution are themselves recorded as lineage events, so the dispute history is recoverable by the same traversal that recovers the operation history. The composition is closed under the operation classes of the architecture: every observation, weighting, admissibility, actuation, and verification produces records under the same schema, every consuming operation commits to the upstream record's hash, and every cross-authority interaction is itself a recorded lineage event, so a single end-to-end audit traversal recovers the complete decision history without resort to logs maintained outside the architecture.

Prior-Art Distinction

Prior audit logging systems variously record operation events to append-only logs, sign log entries, replicate logs across authorities, or anchor log roots in tamper-evident substrates. None of these constructs treats lineage as the operation's record-of-being with credentialed authority chain, forward and backward traversal, and structural support for forensic reconstruction at a past time using the same primitive code path as the original operation. Logging-beside-the-operation is fragile because the log structure is not derived from the operation's signatures; signed log entries do not by themselves support replay; replicated logs do not by themselves support cross-authority verification when authority graphs are disjoint.

The distinction is that the present architecture makes provenance recording a property of the operation rather than a discipline applied around the operation. The operation cannot complete without emitting its lineage record, the record's signature commits to the operation's full execution context, and the record's content hash is committed to by every downstream operation that consumes the operation's outputs. The five-property chain treats this recording as a structural property co-equal with admissibility, weighting, actuation, and verification, rather than as an auxiliary logging concern.

Disclosure Scope

The disclosure covers the lineage record schema, the cross-operation lineage flow, the retention and access primitives, the forensic reconstruction primitive, the cross-authority audit primitive, the tamper-evidence properties, the compaction variants, and the composition with the other four properties of the governance chain. Defence audit-grade operations, civilian critical-infrastructure audit-grade operations, and commercial deployments that elect the architecture are within scope. The scope contemplates lineage evolution: as audit-grade requirements evolve and as new operation classes become relevant, record schemas and retention regimes update through governance procedures without invalidating the recorded provenance of past operations or the verifiability of the existing chain. The scope further extends to federated retention substrates spanning multiple authorities, to cross-jurisdictional audit traversal under partially disjoint authority graphs, to long-horizon archival regimes measured in years or decades, and to the structural composition of the five governance-chain properties as a unified audit surface.

The disclosure as recorded in U.S. provisional application 64/049,409 further encompasses the binding-signature construction that ties triggering inputs, primitive identifiers, authority credentials, and outputs into a tamper-evident unit; the retention-pointer mechanism by which forward and backward traversal proceed without record duplication; and the credentialed-compaction governance procedure by which retention envelopes evolve over the operational lifetime of the architecture. Operations contemplated within scope include observation, weighting, admissibility, actuation, and verification across defence, civilian critical-infrastructure, and commercial deployments, with cross-mesh and cross-authority audit traversal supported as native primitives rather than as ad-hoc integrations.