Stage-Gated Commitment for Irreversible Actions

by Nick Clark | Published April 25, 2026

This disclosure (claiming priority to U.S. Provisional Application No. 64/049,409) describes a method and system for committing irreversible governed actions through a multi-stage protocol — tentative, witnessed, executed — in which each stage is cryptographically anchored, each stage boundary triggers admissibility re-evaluation, and abort remains available until the executed stage is reached. The disclosed mechanism replaces the single-binary-commit pattern that conventional autonomous architectures use to execute irreversible decisions, decomposing each such decision into a sequence of bounded reversible commitments whose progression is governance-credentialed and whose abort is structurally supported rather than emergency-handled. The architecture treats abort as an ordinary outcome of admissibility re-evaluation rather than as an exception path, eliminating the race-condition gap between the moment evidence becomes available and the moment the platform can act on it. Each stage anchor is emitted into the platform's lineage, producing a forensic record that distinguishes among committed, aborted-after-witness, and aborted-before-witness outcomes with equal evidentiary weight, and supplies subsequent audit with a structurally complete account of the decision's progression rather than a single after-the-fact log entry.


Mechanism

A reversibility classifier inspects each contemplated actuation. Actions whose reversibility class crosses a configured threshold — actions with a commitment point past which the platform cannot return the controlled system to an equivalent prior state — are routed into the staged-commitment protocol rather than committed directly. The protocol decomposes the action into three canonical stages: a tentative stage that prepares state and binds resources without producing the irreversible physical or informational effect; a witnessed stage that exposes the prepared commitment to a credentialed witness population (peer platforms, authority infrastructure, operator review surface) and gathers counter-signatures; and an executed stage that, having received sufficient witness counter-signatures and re-confirmed admissibility, releases the irreversible effect. The classifier itself is governed by the operative policy bundle, which declares the reversibility threshold for each action class and the specific actions that are routed into staged commitment by default versus those that may be committed directly under elevated-confidence conditions.

Each stage produces a cryptographic anchor. The tentative-stage anchor binds the platform's identity, the prepared action descriptor, the input observations admissibility consumed, the policy bundle in force, and a tentative-stage timestamp. The witnessed-stage anchor binds the tentative-stage anchor's hash, the gathered witness counter-signatures, any deltas in admissibility inputs since tentative stage, and a witnessed-stage timestamp. The executed-stage anchor binds the witnessed-stage anchor's hash, the final admissibility re-evaluation, the actuator's physical-confirmation signature, and an executed-stage timestamp. The chain of anchors is itself a lineage entry under the lineage-recorded-provenance primitive, allowing audit to walk the full progression of the commit as a sub-chain within the platform's continuous lineage.

Admissibility re-evaluation occurs at each stage boundary. The platform does not commit to the next stage by inertia. At the tentative-to-witnessed boundary, admissibility re-confirms that the action remains admissible against the current observation set and policy bundle; at the witnessed-to-executed boundary, admissibility re-confirms again, additionally verifying that the gathered witnesses meet the witness-quorum policy applicable to the action class. A re-evaluation that fails at either boundary aborts the sequence: the prepared resources are released, the tentative or witnessed anchor is closed with an abort marker, and the action is not committed. The re-evaluation operates on the observation set as it stands at the boundary instant, not the set as it stood at tentative entry, ensuring that newly arrived observations — including peer warnings, authority overrides, and freshly observed environmental contraindications — are reflected in the boundary decision.

Abort is a first-class outcome at every boundary up to but not including the executed stage. Abort can be triggered by the platform's own re-evaluation, by an explicit operator abort command (if the policy bundle authorizes operator abort for the action class), by a credentialed third-party abort observation (an authority broadcasting a stop), or by witness-quorum failure (insufficient witnesses counter-signed within the witnessed-stage window). Each abort path produces its own anchor chain, distinct from the executed chain, and is recorded in lineage with equal evidentiary weight. The abort anchor includes the abort trigger's credentialing chain, allowing subsequent audit to evaluate not only that abort occurred but that the abort was authorized by an actor whose credential covered abort authority for the action class.

Witness counter-signatures are gathered through the spatial-mesh substrate. The platform broadcasts a witness-solicitation observation referencing the tentative-stage anchor; eligible witnesses — peer platforms whose credentialing matches the policy-declared eligible witness population — admit the solicitation under their own admissibility and emit counter-signatures back onto the substrate. Counter-signatures themselves are credentialed observations of class commit-witness, admitted by the originating platform under the same composite admissibility framework that governs sensor and authority observations. A counter-signature from a witness whose credential is not recognized, has lapsed, or whose continuity has not been observed within the policy-required freshness window is not credited toward the quorum even if its cryptographic verification succeeds.
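The three-stage progression described in this section, as an added illustration that is not part of the disclosure: a Python simulation in which the tentative, witnessed and executed anchors are hash-chained, admissibility is re-read from the observation feed at each boundary rather than carried forward from tentative entry, abort is returned as an ordinary outcome, and a counter-signature is credited only if it verifies, its witness chains to a recognized root, and the witness's continuity is fresh. The policy field names, the HMAC stand-in for witness signatures, the SHA-256-over-canonical-JSON anchor construction, the `scripted` observation feed and the use of a `stop` observation as the only inadmissibility trigger are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed sample policy bundle; the field names are assumptions, not the disclosure's schema.
POLICY = {
    "bundle_id": "policy-demo-01",
    "recognized_roots": {"root-A", "root-B"},
    "witness_freshness_s": 5.0,
    "quorum": {"flare": 2},          # counter-signatures required per action class
}


def anchor_hash(payload: dict) -> str:
    """Tamper-evident binding: canonical JSON hashed with SHA-256 (assumed construction)."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


def admissible(action: dict, observations: list) -> bool:
    """Admissibility stand-in: any admitted 'stop' observation makes the action inadmissible."""
    return not any(o.get("kind") == "stop" for o in observations)


@dataclass
class Witness:
    wid: str
    root: str          # credentialing root the witness chains to
    key: bytes         # shared HMAC key standing in for a signing key (assumption)
    last_seen: float   # continuity: when this witness was last observed on the mesh

    def countersign(self, tentative_hash: str, now: float) -> dict:
        tag = hmac.new(self.key, tentative_hash.encode(), "sha256").hexdigest()
        return {"wid": self.wid, "root": self.root, "ref": tentative_hash, "tag": tag, "ts": now}


def credited(sig: dict, witness: Witness, tentative_hash: str, now: float) -> bool:
    """A counter-signature counts toward quorum only if it verifies AND the credential is
    recognized and fresh; cryptographic validity alone is not enough."""
    expect = hmac.new(witness.key, tentative_hash.encode(), "sha256").hexdigest()
    if sig["ref"] != tentative_hash or not hmac.compare_digest(expect, sig["tag"]):
        return False
    if witness.root not in POLICY["recognized_roots"]:
        return False
    return (now - witness.last_seen) <= POLICY["witness_freshness_s"]


def scripted(*sets):
    """Constructed observation feed: returns each set in turn, then repeats the last one."""
    queue = list(sets)

    def observe():
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return observe


def staged_commit(platform_id: str, action: dict, observe, witnesses: list, now: float = 0.0):
    """Run tentative -> witnessed -> executed, re-evaluating admissibility at each boundary
    against the observation set as it stands THEN. Returns (outcome, anchor_chain)."""
    anchors = []
    obs = observe()
    if not admissible(action, obs):
        return "rejected-at-entry", anchors
    tentative = {"stage": "tentative", "platform": platform_id, "action": action,
                 "inputs": obs, "policy": POLICY["bundle_id"], "ts": now}
    tentative["hash"] = anchor_hash(tentative)
    anchors.append(tentative)

    # Boundary 1 (tentative -> witnessed): fresh observations; abort is an ordinary outcome.
    obs2 = observe()
    if not admissible(action, obs2):
        anchors.append({"stage": "tentative", "abort": True, "prev": tentative["hash"], "ts": now})
        return "aborted-before-witness", anchors
    by_id = {w.wid: w for w in witnesses}
    sigs = [w.countersign(tentative["hash"], now) for w in witnesses]
    credited_sigs = [s for s in sigs if credited(s, by_id[s["wid"]], tentative["hash"], now)]
    witnessed = {"stage": "witnessed", "prev": tentative["hash"], "sigs": credited_sigs,
                 "deltas": [o for o in obs2 if o not in obs], "ts": now}
    witnessed["hash"] = anchor_hash(witnessed)
    anchors.append(witnessed)

    # Boundary 2 (witnessed -> executed): re-evaluate again AND check the witness quorum.
    obs3 = observe()
    if not admissible(action, obs3) or len(credited_sigs) < POLICY["quorum"][action["class"]]:
        anchors.append({"stage": "witnessed", "abort": True, "prev": witnessed["hash"], "ts": now})
        return "aborted-after-witness", anchors
    executed = {"stage": "executed", "prev": witnessed["hash"], "final_admissibility": True,
                "actuator_confirm": anchor_hash({"actuated": action["id"], "ts": now}), "ts": now}
    executed["hash"] = anchor_hash(executed)
    anchors.append(executed)
    return "executed", anchors


# Constructed sample inputs.
ACTION = {"id": "flare-0001", "class": "flare"}
WITNESSES = [Witness("peer-1", "root-A", b"k1", 0.0), Witness("peer-2", "root-B", b"k2", 0.0)]
STOP = {"kind": "stop", "src": "authority"}

if __name__ == "__main__":
    for name, feed in [("clear", scripted([])),
                       ("stop-before-witness", scripted([], [STOP])),
                       ("stop-after-witness", scripted([], [], [STOP]))]:
        outcome, chain = staged_commit("plat-1", ACTION, feed, WITNESSES, now=1.0)
        print(name, "->", outcome, [a["stage"] + ("/abort" if a.get("abort") else "") for a in chain])
```

Running the block prints three scenarios: a clear run that reaches the executed anchor, a stop that arrives between tentative and witnessed (closing the tentative anchor with an abort marker before any witness is solicited), and a stop that arrives after the witnesses have counter-signed. A witness whose `last_seen` is older than the freshness window, or whose root is not in `recognized_roots`, still produces a signature that verifies, but it is not credited and the quorum of two then fails at the second boundary.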

Operating Parameters

Stage-window durations are configured per action class and per deployment class. Aviation flare commits use a tentative window of one to three seconds, a witnessed window of two hundred milliseconds to one second, and an executed-stage commit latency of tens of milliseconds. Surgical anastomosis commits use windows of seconds to minutes depending on the procedural sub-step. Defense engagement commits use windows configured by the rules-of-engagement governing authority, typically with witness quorums drawn from peer platforms and command infrastructure. Industrial process commits use windows ranging from milliseconds (relay closures) to minutes (batch initiations). Within each action class, the windows are tunable by the operative policy bundle, allowing the issuing authority to adapt the protocol's tempo to operational conditions without requiring code changes on the deployed platforms.

Witness-quorum size is configured per action class. Single-witness actions (the platform's own confirmation signature alone) are admitted for low-stakes irreversible commits; dual-witness actions require one peer or authority counter-signature; multi-witness actions require quorum-of-N counter-signatures drawn from a credentialed witness pool. The quorum size, the eligible witness population, and the within-window response requirement are all governed by the policy bundle in force. Quorum policy may additionally specify diversity requirements — for example, that the quorum include at least one witness from a distinct manufacturer, one from a distinct operating coalition, or one from a distinct credentialing root — to defeat correlated-failure modes in which all available witnesses share a common compromise vector.
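Quorum evaluation with size, within-window response and diversity requirements, together with the credential-continuity exclusion described later under composition with the credential-continuity primitive, as an added example that is not the disclosure's code. Cryptographic verification is taken as an input flag here so the block can concentrate on crediting and diversity; the `QUORUM_POLICY` keys, the diversity axes and the sample counter-signatures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CounterSig:
    witness_id: str
    manufacturer: str
    coalition: str
    root: str             # credentialing root
    verified: bool        # outcome of cryptographic verification (computed elsewhere)
    responded_at_ms: int  # milliseconds after the witnessed-stage window opened


# Constructed quorum policy for one action class; key names are assumptions.
QUORUM_POLICY = {
    "size": 3,                                   # quorum-of-N
    "window_ms": 800,                            # within-window response requirement
    "diversity": {"manufacturer": 2, "root": 2}, # distinct values required per axis
}


def evaluate_quorum(sigs, policy, lapsed=frozenset()):
    """Credit each counter-signature, then test size and diversity.
    `lapsed` holds witness ids whose credential-continuity lapse the platform admitted
    before evaluating the quorum. Returns (met, credited_ids, rejections)."""
    credited, rejections = [], {}
    for s in sigs:
        if not s.verified:
            rejections[s.witness_id] = "signature-failed"
        elif s.witness_id in lapsed:
            rejections[s.witness_id] = "continuity-lapsed"   # verifiable, but no longer authoritative
        elif s.responded_at_ms > policy["window_ms"]:
            rejections[s.witness_id] = "outside-window"
        else:
            credited.append(s)
    ids = [s.witness_id for s in credited]
    if len(credited) < policy["size"]:
        rejections["quorum"] = f"size:{len(credited)}<{policy['size']}"
        return False, ids, rejections
    for axis, needed in policy["diversity"].items():
        distinct = {getattr(s, axis) for s in credited}
        if len(distinct) < needed:
            rejections["quorum"] = f"diversity:{axis}:{len(distinct)}<{needed}"
            return False, ids, rejections
    return True, ids, rejections


# Constructed counter-signatures: three peers, two manufacturers, two roots, one coalition.
DIVERSE = [
    CounterSig("peer-1", "mfr-X", "coal-1", "root-A", True, 120),
    CounterSig("peer-2", "mfr-Y", "coal-1", "root-A", True, 340),
    CounterSig("peer-3", "mfr-X", "coal-1", "root-B", True, 510),
]
# Same size, but every witness shares one manufacturer and one root (correlated-failure risk).
MONOCULTURE = [
    CounterSig("peer-4", "mfr-X", "coal-1", "root-A", True, 100),
    CounterSig("peer-5", "mfr-X", "coal-1", "root-A", True, 200),
    CounterSig("peer-6", "mfr-X", "coal-1", "root-A", True, 300),
]

if __name__ == "__main__":
    print(evaluate_quorum(DIVERSE, QUORUM_POLICY))
    print(evaluate_quorum(MONOCULTURE, QUORUM_POLICY))
    print(evaluate_quorum(DIVERSE, QUORUM_POLICY, lapsed={"peer-2"}))
```

The rejection map is what an audit query would want to see: `MONOCULTURE` meets the size requirement and every signature verifies, yet the quorum is refused because all three witnesses share a manufacturer; removing one witness of `DIVERSE` through a continuity lapse drops the credited count below three even though its signature is still cryptographically valid.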

Anchor hash construction uses a tamper-evident binding compatible with the lineage-recorded-provenance primitive's hash chain. Anchors are emitted into the platform's lineage store at stage entry and stage exit; the chain across stages is therefore embedded within the platform's continuous lineage rather than maintained as a separate structure. The double-emission (entry and exit) supports detection of partial-stage tampering: an entry anchor without a corresponding exit anchor is recognizable to audit as evidence that the platform began but did not complete the stage, distinguishing a graceful abort from a failure mode in which the platform was incapacitated mid-stage.
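The entry/exit double emission and the audit distinctions it supports, as an added example that is not the disclosure's code: a minimal append-only hash chain standing in for the lineage store, a driver that emits each stage twice, and an audit classifier that separates executed, aborted-after-witness, aborted-before-witness, and an entry anchor with no matching exit (the platform incapacitated mid-stage). The chain construction, the entry field names and the `run_stages` script format are assumptions made for the example.

```python
import hashlib
import json


class Lineage:
    """Append-only hash chain standing in for the lineage store (assumed construction).
    Each stage is emitted twice: once at entry and once at exit."""

    def __init__(self):
        self.entries = []

    def emit(self, commit_id: str, stage: str, edge: str, outcome: str = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "commit": commit_id, "stage": stage,
                "edge": edge, "outcome": outcome, "prev": prev}
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body

    def verify_chain(self) -> bool:
        """Recompute every hash and every prev link; any edited entry breaks the chain."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = e["hash"]
        return True

    def classify(self, commit_id: str) -> str:
        """Audit view of one staged commit, reconstructed from its entry/exit anchors."""
        mine = [e for e in self.entries if e["commit"] == commit_id]
        if not mine:
            return "unknown"
        last = mine[-1]
        if last["edge"] == "entry":
            # Entry without a matching exit: the platform began the stage but never closed it.
            return f"incapacitated-mid-{last['stage']}"
        if last["outcome"] == "abort":
            return "aborted-after-witness" if last["stage"] == "witnessed" else "aborted-before-witness"
        if last["stage"] == "executed" and last["outcome"] == "complete":
            return "executed"
        return f"in-progress-after-{last['stage']}"


def run_stages(lineage: Lineage, commit_id: str, script: list) -> str:
    """Drive one commit through a constructed script of (stage, exit_outcome) pairs;
    an exit outcome of None models the platform dying inside that stage."""
    for stage, exit_outcome in script:
        lineage.emit(commit_id, stage, "entry")
        if exit_outcome is None:
            break
        lineage.emit(commit_id, stage, "exit", exit_outcome)
    return lineage.classify(commit_id)


if __name__ == "__main__":
    lin = Lineage()
    print(run_stages(lin, "c1", [("tentative", "advance"), ("witnessed", "advance"), ("executed", "complete")]))
    print(run_stages(lin, "c2", [("tentative", "advance"), ("witnessed", "abort")]))
    print(run_stages(lin, "c3", [("tentative", "advance"), ("witnessed", None)]))
    print("chain intact:", lin.verify_chain())
```

Because the four commits share one chain, each outcome is recorded with the same weight and in the same structure; an auditor walking the lineage sees `c3`'s dangling witnessed entry as evidence of incapacitation rather than as a graceful abort, and any later edit of an abort marker is caught by `verify_chain`.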

Abort latency — the time between an abort trigger arriving and the action being safely cancelled — is bounded by the longer of the actuator's physical reversibility latency at the current stage and the cryptographic-anchor closure latency. The architecture does not authorize the executed stage until both the witness quorum is gathered and admissibility re-evaluation completes; consequently, the abort window remains open for the full witnessed-stage duration with no race-condition gap. Operators tuning the protocol for latency-sensitive applications adjust the tentative and witnessed windows downward; operators tuning for evidentiary robustness adjust them upward. The trade-off is explicit in the policy bundle and is auditable through lineage.

Stage-progression evidence is exposed through the platform's audit-query surface, allowing credentialed inspectors to query the proportion of contemplated actions that progressed to executed versus aborted at each boundary, and to identify systematic patterns — actions that consistently fail witnessed-stage quorum, action classes whose abort rate spikes during particular operational regimes, witness populations whose counter-signature freshness is degrading. The exposure supports operational tuning of the protocol parameters without requiring offline analysis of separately archived telemetry.

Alternative Embodiments

In a first alternative embodiment, the staged-commitment protocol is extended to four or more stages for action classes whose procedural decomposition is more granular. A surgical procedure embodiment may decompose into preparation, exposure, intervention, verification, and closure stages, each with its own admissibility re-evaluation and witness-quorum requirement. The decomposition is governed by a procedural decomposition declaration that the issuing authority publishes and the platform admits. The N-stage embodiment preserves the canonical three-stage semantics by allowing each additional stage to be tagged as either preparatory (functionally equivalent to tentative), witnessing (functionally equivalent to witnessed), or commit (functionally equivalent to executed), enabling audit to interpret arbitrary procedural decompositions through a uniform structural lens.

In a second alternative embodiment, the witness-quorum population is dynamically composed from the spatial-mesh peer set within range at the time of the witnessed stage, rather than being statically declared. The dynamic-quorum embodiment allows the witness pool to reflect actual operational context — a defensive engagement under cooperative coalition operations draws witnesses from coalition platforms in range; the same engagement under degraded mesh availability draws witnesses from the platform's onboard redundant compute domains operating as logically-distinct witnesses. The dynamic-composition policy declares the eligibility predicates that any candidate witness must satisfy and the minimum diversity the resulting quorum must achieve, leaving the actual selection to runtime conditions.

In a third alternative embodiment, the tentative stage is itself decomposed into a reversible-rehearsal sub-stage that physically exercises the actuator's preparatory motion (extending control surfaces, energizing capacitor banks, opening hydraulic isolation valves) without producing the irreversible commit. The rehearsal sub-stage produces telemetric evidence that the actuator is in the expected pre-commit state, which feeds into the witnessed-stage admissibility re-evaluation. Rehearsal failure — an actuator that does not respond to the rehearsal command as expected — aborts the sequence at tentative stage, before any witness population has been engaged.

In a fourth alternative embodiment, the executed-stage anchor is conditioned on a freshness proof — a small cryptographic puzzle drawn from the witnessed-stage observations that the platform must solve to release the irreversible commit. The freshness proof binds execution temporally to the witness set, defeating replay attacks in which a witnessed-stage anchor from a prior context is presented to authorize a current-context execution. The freshness puzzle's difficulty is calibrated to the latency the action class can tolerate, ensuring that the proof-of-work step does not introduce operationally significant delay while still requiring contemporaneous computation.
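The freshness proof of the fourth embodiment, as an added example that is not the disclosure's code. The puzzle input is derived from the witnessed-stage anchor hash, the commit-witness observations it gathered and the executed-stage boundary time; the platform must find a nonce whose hash has a configured number of leading zero hex digits, and the verifier accepts the proof only for that exact witness set and boundary and only while the boundary is recent. The hash-prefix puzzle, the inclusion of the boundary timestamp in the challenge, the constants and the sample anchor are assumptions made for the example.

```python
import hashlib
import json


def freshness_challenge(witnessed_hash: str, witness_observations: list, boundary_ts_ms: int) -> str:
    """Puzzle input drawn from the witnessed-stage anchor, its witness observations and the
    executed-stage boundary time (assumed binding, not the disclosure's exact construction)."""
    material = {"witnessed": witnessed_hash,
                "witnesses": sorted(json.dumps(o, sort_keys=True) for o in witness_observations),
                "boundary_ts": boundary_ts_ms}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()


def solve(challenge: str, difficulty: int, limit: int = 2_000_000):
    """Find a nonce whose hash with the challenge has `difficulty` leading zero hex digits.
    Expected work is 16**difficulty hashes; calibrate difficulty to the latency the action
    class tolerates so the step stays operationally insignificant but still contemporaneous."""
    target = "0" * difficulty
    for nonce in range(limit):
        if hashlib.sha256(f"{challenge}:{nonce}".encode()).hexdigest().startswith(target):
            return nonce
    return None


def verify(proof, witnessed_hash: str, witness_observations: list, boundary_ts_ms: int,
           now_ms: int, difficulty: int, max_age_ms: int) -> bool:
    """Release the executed stage only if the proof solves the puzzle for THIS witness set and
    THIS boundary, and the boundary is recent enough to count as contemporaneous."""
    if proof is None or now_ms - boundary_ts_ms > max_age_ms:
        return False
    challenge = freshness_challenge(witnessed_hash, witness_observations, boundary_ts_ms)
    digest = hashlib.sha256(f"{challenge}:{proof}".encode()).hexdigest()
    return digest.startswith("0" * difficulty)


# Constructed sample: a witnessed-stage anchor hash and its two commit-witness observations.
WITNESSED_HASH = hashlib.sha256(b"constructed witnessed anchor").hexdigest()
WITNESS_OBS = [{"wid": "peer-1", "class": "commit-witness"},
               {"wid": "peer-2", "class": "commit-witness"}]
DIFFICULTY = 4        # ~65,536 hashes expected; a fraction of a second in pure Python
MAX_AGE_MS = 1000     # boundary older than this is not contemporaneous


def release_executed(boundary_ts_ms: int, now_ms: int) -> bool:
    """Solve the puzzle for the current context and immediately verify it."""
    challenge = freshness_challenge(WITNESSED_HASH, WITNESS_OBS, boundary_ts_ms)
    proof = solve(challenge, DIFFICULTY)
    return verify(proof, WITNESSED_HASH, WITNESS_OBS, boundary_ts_ms, now_ms, DIFFICULTY, MAX_AGE_MS)


if __name__ == "__main__":
    print("current context releases:", release_executed(10_000, 10_050))
    proof = solve(freshness_challenge(WITNESSED_HASH, WITNESS_OBS, 10_000), DIFFICULTY)
    print("same proof, stale boundary:",
          verify(proof, WITNESSED_HASH, WITNESS_OBS, 10_000, 20_000, DIFFICULTY, MAX_AGE_MS))
    print("same proof, different witness set:",
          verify(proof, WITNESSED_HASH, WITNESS_OBS[:1], 10_000, 10_050, DIFFICULTY, MAX_AGE_MS))
```

A proof computed for one witnessed anchor, witness set and boundary does not transfer: presenting it against a different witness set or at a later boundary changes the challenge, so the stored nonce no longer meets the difficulty target, and a boundary older than `MAX_AGE_MS` is refused before the hash is even recomputed.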

In a fifth alternative embodiment, abort itself is staged: the abort signal triggers a tentative-abort that gathers abort-witnesses, then commits to executed-abort. Staged abort applies to action classes where abort is itself a high-impact commit (a surgical reversal that introduces its own risk, an industrial emergency-stop that triggers downstream cascades, a defense disengagement that exposes the platform to threat). The symmetry between staged commit and staged abort produces a uniform protocol structure for both directions. The disclosed mechanism's recursion is bounded — staged abort does not itself admit a meta-abort with its own staging — preventing pathological regress.

In a sixth alternative embodiment, the witness population includes a synthetic-witness construct: an admissibility re-evaluation executed within a separate redundant compute domain on the platform itself, treated as a logically-independent witness for purposes of quorum. Synthetic witnesses defeat compromise modes in which the spatial mesh is unavailable but the platform's internal redundancy remains intact, ensuring that the staged-commit protocol degrades gracefully under connectivity loss rather than blocking entirely.

Composition with Other Primitives

Staged commitment composes with the lineage-recorded-provenance primitive directly: each stage anchor is a lineage entry; the chain across stages is a sub-chain within the platform's lineage; abort outcomes are first-class lineage entries equal in evidentiary weight to executed outcomes. Audit walking the lineage reconstructs not only that an action was committed but the full stage sequence through which the commit advanced, with timestamps and witness identities at each boundary. The reconstruction supports counterfactual analysis (what would have happened had abort fired at the prior boundary) and pattern analysis (how often does this action class abort at the witnessed-to-executed boundary versus the tentative-to-witnessed boundary).

Composition with the credentialed-observation primitive supplies the witness counter-signatures: each counter-signature is a credentialed observation of class commit-witness, admitted by the originating platform under the same composite admissibility framework that admits any observation. Witnesses outside the platform's recognized authority set are not admitted to the quorum even if their counter-signature verifies cryptographically. The unification means that witness-eligibility is governed by the same admissibility framework that governs sensor admission, eliminating a distinct configuration surface for witness management.

Composition with the policy-distribution primitive ensures that the staged-commit protocol's parameters — stage-window durations, witness-quorum sizes, eligible witness populations, abort authorization — are themselves governed by the policy bundle in force. A change in operating posture (entry into a stricter regulatory jurisdiction, escalation of operational tempo, transition into degraded-coalition operations) propagates as a policy bundle that the platform admits, and the staged-commit protocol immediately reflects the updated parameters. The combination produces a control surface in which operational tempo and procedural rigor are configurable through the same authority channel that governs every other aspect of the platform's behavior.

Composition with the credential-continuity primitive ensures that a witness whose credential continuity has lapsed does not contribute to the quorum, even if its counter-signature is otherwise verifiable. The continuity lapse propagates as an observation; the platform's admission of the lapse precedes its evaluation of the quorum. Continuity-aware quorum evaluation defeats compromise modes in which an adversary captures or replays counter-signatures from a witness whose authority has since been revoked, ensuring that the quorum reflects the witness population's authority status as of the witnessed-stage boundary rather than at any earlier moment.

Distinction over Prior Art

Conventional autonomous control architectures execute irreversible actions through a single binary commit at the controller's output stage, with abort handled as an emergency override outside the normal control path. The conventional architecture treats abort as exceptional; the disclosed mechanism treats abort as an ordinary outcome of admissibility re-evaluation, structurally available at every stage boundary up to but not including execution. The structural availability of abort eliminates the discontinuity in evidentiary record between actions that proceeded normally and actions that were aborted, supporting uniform audit treatment of both outcomes.

Conventional two-phase commit protocols in distributed databases coordinate atomic writes across distributed nodes but do not re-evaluate admissibility between phases against fresh sensor evidence, do not gather credentialed external witnesses, and do not anchor each phase into a tamper-evident lineage. The database protocol's prepare phase resembles the tentative stage architecturally but addresses a different failure model: distributed atomicity rather than physical-world irreversibility. The disclosed mechanism's witnessed stage has no analog in conventional two-phase commit, and the architectural role of the witness population — supplying authority that the platform itself does not hold — is structurally absent from database transaction protocols.

Conventional human-in-the-loop authorization architectures interpose a human approval step before irreversible commits, but the approval is typically a single confirmation rather than a structured multi-witness quorum, and the approval evidence is logged operationally rather than anchored cryptographically. The disclosed mechanism allows human approval to participate as one witness within a structured quorum whose composition the policy bundle governs, treating the human approver as one credentialed witness among others rather than as a singular gating authority.

Conventional procedural-bound autonomy in surgical and aviation contexts decomposes procedures into stages, but the decomposition is implemented as a state machine in the controller without architectural-authority framing. A controller-internal state transition is not equivalent to a credentialed-witness-gathered cryptographic anchor whose admission is governed by an external policy bundle. The conventional state machine produces no externally verifiable record of the transition; the disclosed mechanism produces a record that is verifiable by any party recognizing the credentialing root, without requiring access to the controller itself.

Conventional command-authentication protocols in defense and process-control contexts authenticate the issuing authority but do not gather independent witness corroboration at execution time and do not re-evaluate admissibility between authentication and execution. The disclosed mechanism extends authentication into a multi-witness, re-evaluated, lineage-anchored protocol whose evidentiary properties exceed those of single-authority command authentication.

Disclosure Scope

The disclosure encompasses the three-stage canonical protocol; the cryptographic-anchor construction at each stage; the admissibility re-evaluation at each stage boundary; the witness-quorum mechanism with policy-governed composition; the first-class abort outcome at every pre-executed boundary; the alternative embodiments described above; and the composition with the lineage-recorded-provenance, credentialed-observation, policy-distribution, and credential-continuity primitives. The scope extends to staged commitment by platforms operating in aviation, surgical, vehicular, industrial-process-control, energy-grid, and defense deployment classes, and to action classes including landing flares, surgical interventions, weapon-system engagements, batch process initiations, breaker operations, and any other irreversible commit that admits procedural decomposition. The scope further extends to hybrid embodiments in which low-reversibility-class actions are committed through the staged protocol while high-reversibility-class actions continue to be committed directly, with the reversibility classifier itself governed by the operative policy bundle.

Invented by Nick Clark. Founding investors: Anonymous, Devin Wilkie.