Governed Spatial Mesh: The Architecture Where the Environment Holds Perception
by Nick Clark | Published April 25, 2026
Contemporary autonomy treats perception as a private burden of the moving unit. Each vehicle, drone, or mobile robot independently reconstructs the navigable world from its own sensors, validates every observation under adversarial conditions, and bears the full cost of being wrong. The governed spatial mesh inverts this contract: sensors, actors, and observers form a peer-to-peer fabric in which the environment itself holds perception; coordinates and time emerge from mesh consensus rather than from any central tracker; and admission of any observation is gated by an authority-credentialed governance chain.
1. Problem and Premise: Why Per-Unit Reconstruction Has Stalled
The dominant architecture in autonomous systems places perception inside the moving unit. Every vehicle carries its own cameras, lidar, radar, and inertial stack. Every drone carries its own GPS, IMU, and barometric reference. Every warehouse robot carries its own SLAM substrate. This pattern carried autonomy from research labs to public roads and warehouse floors, and it now defines the deployment cost ceiling that has held commercial Level 4 and Level 5 operation in pilot for nearly a decade. The bottleneck is not sensor cost, compute cost, or model accuracy in isolation; it is the per-unit obligation to reconstruct, validate, and act on every observation alone, every frame, in adversarial conditions, with reliability the unit cannot itself audit.
A camera sees a stop sign, but the unit must determine whether the sign is authentic, lawful, current, and contextually applicable. A radar sees a pedestrian-shaped return, but the unit must determine whether the return is real, a spoof, a multipath ghost, or a sensor artifact. A lidar sees a curb, but the unit must determine whether the curb is the canonical lane edge or an artifact of localization drift. Every such question requires omniscience the unit does not possess; the architecture exports the validation problem to the unit and then expects the unit to solve it without any structural support from the environment it operates within.
Cloud-mediated SLAM and centralized tracking systems attempt to relieve this burden by lifting state into a cloud or fleet-management layer, but they introduce a single point of failure, a backhaul dependency, and a centralized perception authority that owns the spatial truth on behalf of all participants. Vehicle-to-infrastructure protocols (DSRC, C-V2X, ETSI ITS-G5) attempt the same relief by letting infrastructure broadcast supplementary observations, but they leave the unit's epistemic position untouched: the infrastructure broadcasts; the unit still independently decides whether to believe. Without authority intrinsic to the transmission and without a governance umbrella binding sender, relay, and receiver, the unit is back to per-unit validation with one more sensor.
The premise of the governed spatial mesh is that perception, coordinates, and time are properties of the environment, not of the moving unit. Sensors, actors, and observers — fixed and mobile — form a peer-to-peer fabric in which spatial truth is distributed across mesh peers, admission is credentialed, and the unit's local computation is reduced from omniscience to credential evaluation against a published authority taxonomy.
2. Core Primitive: The Environment Holds Perception
The core primitive is a peer-to-peer mesh of sensors, actors, and observers in which no single peer holds privileged perception authority. Perception is distributed: each peer contributes the observations it is locally positioned to make, each peer relays observations from other peers under credentialed framing, and the composite spatial state at any point in the mesh is a function of contributions from many peers rather than the output of any one. There is no central perception authority — no cloud SLAM, no fleet tracker, no platform operator — that owns the canonical view.
Three sub-primitives define the architecture. Peer-derived perception means that any peer's view of the navigable world is constructed from credentialed contributions of mesh peers, each contribution carrying its originating authority and scope. Mesh-derived coordinates means that the coordinate frame in which observations are expressed emerges from consensus among peers — anchored by surveyed fixed peers, refined by mobile peers, and reconciled across overlapping coverage — rather than being imposed by an external GIS authority. Mesh-derived time means that the temporal frame in which observations are ordered emerges similarly from consensus, with no privileged time master and no dependency on GNSS time, NTP servers, or platform-supplied clocks.
Over this peer fabric the architecture lays a governance-chain umbrella: an authority taxonomy (regulatory, commercial, advisory, peer, adversarial), a credential structure binding observations to positions in that taxonomy, an admission policy at every receiver that evaluates credentials before acting on observations, and a chain-of-custody record covering every relay. Admission to the mesh is itself credentialed: a peer joins through observation-credentialed admission, demonstrating that its observations match what trusted peers in the same locale already report, before it is permitted to contribute mesh-derived state.
The receiving unit's question changes shape. Instead of asking "is this observation real?" — an unanswerable question without omniscience — the unit asks "who issued this observation, what is its position in the authority taxonomy, what governance scope does that authority have over my behavior, and is the credential chain intact?" The first question requires perfect sensors and perfect models. The second is a deterministic computation against a published taxonomy and a verified credential chain.
3. Mechanism: Peer-Derived Perception Without a Central Authority
Peer-derived perception is the mechanism by which spatial state propagates across the mesh without ever transiting a central perception server. Each peer publishes its observations as credentialed messages tagged with the issuing authority, the observation type and scope, the local frame in which the observation was made, and the temporal window in which the observation remains admissible. Receiving peers admit observations whose credentials and scopes align with their local governance policy, fold the admitted observations into their own spatial state, and re-publish derivative observations under their own authority where appropriate.
The mesh tolerates Byzantine peers. Hop history, recorded at every relay with signed timestamps, lets receivers compute a chain-of-custody for each observation and downweight or reject observations whose relay paths include peers with poor reliability history. Adversarial peers self-disclose by appearing in hop history; routes that consistently produce admissible observations are preferred; routes that frequently fail credential checks are pruned. The architecture does not require global agreement on which peers are honest — it requires only that honest peers can compose admissible observations under their own local policy.
Coverage is heterogeneous and the architecture is explicit about this. A region densely covered by fixed sentinel peers operates with rich live attestation. A region with sparse coverage operates with passive markers, mobile carrier peers, and store-and-forward propagation. A region with intermittent connectivity operates with cached credentialed observations whose temporal scopes are explicit and verifiable. In every case, the unit operates against a credentialed picture of what the environment knows about itself, rather than reconstructing that picture from raw sensors alone.
Environmental devices that contribute to peer-derived perception fall into three independently deployable tiers. Tier 1 passive markers are unpowered devices that hold authority-credentialed stored data — lane edges, hazard zones, jurisdictional boundaries, custody perimeters — and read out under RFID, optical fiducial, or NFC interrogation at unit cost in the cents-to-dollars range with multi-year operational lives. Tier 2 active sentinels are powered fixed peers that produce live credentialed observations: traffic signals broadcasting current state, perimeter sensors broadcasting occupancy, gantries broadcasting toll-zone parameters, port apparatus broadcasting berth occupancy. Tier 3 cognitive infrastructure agents are full computational peers that aggregate, reason, broadcast, and accept queries on behalf of the regions they govern. The tiers compose: regions can deploy any subset, and operating units adapt to whichever tier is locally present.
4. Mechanism: Mesh-Derived Coordinates and Mesh-Derived Time
Coordinates and time are properties of the mesh, not inputs from outside it. Mesh-derived coordinates emerge from consensus among peers whose relative positions are observable: surveyed fixed peers anchor the frame at known positions; mobile peers contribute pairwise range and bearing observations as they transit; the composite frame is reconciled continuously through least-squares or graph-SLAM-style updates over the credentialed observation graph. The frame is locally Euclidean within a region, stitched at region boundaries through overlap reconciliation, and convertible to and from external geodetic frames (WGS84, ECEF, local UTM zones) through credentialed transformation observations published by surveying authorities.
Operating ranges are explicit. Pairwise ranging between peers operates over distances from sub-meter (UWB inside a warehouse) to multi-kilometer (sub-GHz radio between gantries), with characteristic ranging uncertainties from approximately 5 cm (UWB time-of-flight) to several meters (RSSI on Wi-Fi). Frame convergence times after a peer joins range from tens of milliseconds in dense UWB cells to seconds in sparse sub-GHz networks. Frame stability under peer churn — peers entering and leaving the mesh — is maintained by the credentialed observation history and by hysteresis in the admission policy: a peer's contribution is not removed instantly when it departs but decays over a configurable window, typically 0.5 to 30 seconds depending on application.
Mesh-derived time follows the same logic. Peers exchange credentialed timestamp observations; the mesh constructs a consensus time scale through pairwise offset estimation and graph reconciliation; surveyed fixed peers anchor the scale to external references (UTC, TAI) where credentialed transformations are available. The architecture does not require GNSS, does not require network time servers, and does not require a privileged time master. Typical achievable synchronization is in the microsecond range for UWB-coupled peers, sub-millisecond for Wi-Fi-coupled peers, and tens of milliseconds for store-and-forward propagation across mobile carriers.
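The pairwise offset estimation and graph reconciliation described above can be sketched as a weighted least-squares problem over the observation graph. This is an added example, not code from the disclosure; the peer names, offsets, link uncertainties, and the choice of a Gauss-Seidel solver are assumptions made for illustration.

```python
# Added example: pairwise clock-offset observations reconciled into one time scale.
# Peer names, offsets and sigmas below are constructed sample data.

def reconcile_offsets(peers, anchors, edges, tol=1e-9, max_iter=10_000):
    """Weighted least squares over the observation graph (Gauss-Seidel sweeps).

    anchors: {peer: offset_us} for surveyed fixed peers tied to an external scale
    edges:   (i, j, d_us, sigma_us), each reading "clock_j - clock_i ~= d_us"
    Returns {peer: estimated offset in microseconds}.
    """
    est = {p: anchors.get(p, 0.0) for p in peers}
    nbrs = {p: [] for p in peers}
    for i, j, d, sigma in edges:
        w = 1.0 / (sigma * sigma)          # weight a link by its measurement quality
        nbrs[i].append((j, -d, w))         # x_i ~= x_j - d
        nbrs[j].append((i, +d, w))         # x_j ~= x_i + d
    for _ in range(max_iter):
        worst = 0.0
        for p in peers:
            if p in anchors or not nbrs[p]:
                continue                   # anchors stay fixed; a peer with no links keeps 0.0
            new = (sum(w * (est[q] + s) for q, s, w in nbrs[p])
                   / sum(w for _, _, w in nbrs[p]))
            worst = max(worst, abs(new - est[p]))
            est[p] = new
        if worst < tol:
            break
    return est


def edge_residuals(est, edges):
    """Disagreement of each observation with the reconciled scale, in microseconds."""
    return {(i, j): (est[j] - est[i]) - d for i, j, d, _ in edges}


PEERS = ["A", "B", "C", "D"]
ANCHORS = {"A": 0.0}                       # surveyed fixed peer anchoring the scale
EDGES = [
    ("A", "B", 120.0, 1.0),                # UWB-grade links, sigma ~1 us
    ("A", "C", -40.0, 1.0),
    ("B", "C", -160.0, 1.0),
    ("C", "D", 340.0, 1.0),
    ("B", "D", 150.0, 200.0),              # Wi-Fi-grade link, reading is 30 us off
]

if __name__ == "__main__":
    est = reconcile_offsets(PEERS, ANCHORS, EDGES)
    for peer in PEERS:
        print(f"{peer}: {est[peer]:9.3f} us")
    for link, r in edge_residuals(est, EDGES).items():
        print(link, f"residual {r:8.3f} us")
```

The low-quality B-D link barely moves the solution, and its residual of about 30 microseconds is the physical-unit quantity a receiver can compare against its admission threshold.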
The implication is that a unit operating in a GNSS-denied environment, a backhaul-disconnected facility, or an adversarially-jammed region still holds coordinates and time with credentialed provenance, and still admits observations into a coherent spatiotemporal frame, as long as it is in mesh contact with credentialed peers. This eliminates the GNSS-dependence and time-server-dependence that have constrained autonomous deployments in tunnels, indoor facilities, urban canyons, expeditionary environments, and contested airspace.
5. Mechanism: Governance-Chain Umbrella and Observation-Credentialed Admission
Every governed-mesh message carries a fixed-position authority credential field. The credential comprises a signed identifier of the originating authority, a current dynamic-device-hash establishing continuity from a prior credentialed state, a hop-history field appended by every relaying peer with timestamp and signature, a temporal scope binding the observation to a window of admissibility, and a rateless forward-error-correction descriptor enabling reconstruction across lossy or partial transmission. The credential field is the first-class structural element of the message, not an optional extension; messages without a valid credential are not mesh messages.
Dynamic-device-hash continuity prevents replay and impersonation. An authority revokes a device by failing to issue a successor hash; a device proves it is the genuine successor of an earlier credentialed device by exhibiting an unbroken hash chain back to the authority's published anchor. This eliminates the centralized revocation infrastructure (CRLs, OCSP) that has historically been the operational weak point in V2X PKI deployments, and it allows revocation to propagate through the same mesh as observations rather than through a separate trust channel.
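The disclosure does not specify how the hash chain is built. The added example below, which is not code from the disclosure, assumes one possible construction: a reverse SHA-256 chain whose end value is the published anchor, with one preimage issued per epoch and epochs counted in mesh-derived time. It shows how a receiver checks continuity and why a device that received no successor hash cannot pass.

```python
import hashlib
import hmac


def h(value: bytes) -> bytes:
    return hashlib.sha256(value).digest()


def build_chain(seed: bytes, epochs: int) -> list:
    """Authority side: chain[0] is the published anchor, chain[k] is issued for epoch k."""
    chain = [seed]
    for _ in range(epochs):
        chain.append(h(chain[-1]))
    chain.reverse()                      # now h(chain[k]) == chain[k - 1]
    return chain


class ContinuityChecker:
    """Receiver side: tracks the newest hash it has verified for one device.

    The message signature (not shown) must also cover the hash: the chain
    proves continuity from the anchor, not possession of a private key.
    """

    def __init__(self, anchor: bytes, max_gap: int = 64):
        self.epoch, self.value = 0, anchor
        self.max_gap = max_gap           # bounds hashing work per message

    def check(self, claimed_epoch: int, value: bytes, current_epoch: int) -> str:
        if claimed_epoch != current_epoch:
            return "wrong-epoch"         # replayed credential, or no successor was issued
        gap = claimed_epoch - self.epoch
        if gap < 0 or gap > self.max_gap:
            return "out-of-range"
        walked = value
        for _ in range(gap):             # hash back to the last value already verified
            walked = h(walked)
        if not hmac.compare_digest(walked, self.value):
            return "broken-chain"
        self.epoch, self.value = claimed_epoch, value
        return "admit"


def demo() -> list:
    chain = build_chain(b"constructed-authority-seed", epochs=10)   # sample seed
    rx = ContinuityChecker(anchor=chain[0])
    results = [rx.check(3, chain[3], current_epoch=3)]              # genuine device
    # The authority withholds chain[4]: the device is revoked from epoch 4 on.
    results.append(rx.check(3, chain[3], current_epoch=4))          # resends its last hash
    results.append(rx.check(4, chain[3], current_epoch=4))          # relabels the old hash
    results.append(rx.check(4, h(b"guess"), current_epoch=4))       # invents a successor
    return results


if __name__ == "__main__":
    print(demo())
```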
Observation-credentialed admission governs how new peers join. A candidate peer broadcasts its proposed observations under its own credential; established peers evaluate whether the candidate's observations are consistent with the credentialed observations they already hold for the same locale; admission is granted only when the consistency threshold is met under the admission policy. This prevents a malicious peer from injecting fabricated state into the mesh, because the malicious peer's first observations must agree with existing credentialed observations before it gains contributing status. Admission policies are configurable per region and per authority, with consistency thresholds typically expressed as residuals against the current consensus state in physical units (meters, milliseconds, decibels) rather than abstract scores.
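One way an established peer could evaluate a candidate under such a policy is shown below as an added example, not code from the disclosure. The record layout, the feature names, the threshold values, and the minimum-overlap rule are all assumptions; credential and signature verification are taken to have happened before this step.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Obs:
    feature: str         # what is observed, e.g. "lane-edge-17"
    kind: str            # "position_m", "time_ms" or "rssi_db"
    value: tuple         # (x, y) for positions, (v,) for scalars
    valid_until: float   # end of temporal scope, seconds of mesh time


@dataclass(frozen=True)
class AdmissionPolicy:
    thresholds: dict     # kind -> largest admissible residual, in that kind's unit
    min_overlap: int = 3          # comparable observations required before deciding
    min_fraction: float = 1.0     # share of comparable observations that must agree


def evaluate_candidate(candidate, consensus, policy, now):
    """Return (admitted, report); report rows are (feature, kind, residual, ok)."""
    held = {(o.feature, o.kind): o for o in consensus if o.valid_until >= now}
    report = []
    for obs in candidate:
        ref = held.get((obs.feature, obs.kind))
        if ref is None or obs.valid_until < now or obs.kind not in policy.thresholds:
            continue     # nothing credentialed to compare against: earns no credit
        r = math.dist(obs.value, ref.value)          # metres, milliseconds or dB
        report.append((obs.feature, obs.kind, round(r, 3), r <= policy.thresholds[obs.kind]))
    passed = sum(1 for *_, ok in report if ok)
    admitted = (len(report) >= policy.min_overlap
                and passed >= policy.min_fraction * len(report))
    return admitted, report


# Constructed sample data: what established peers hold for this locale at now = 100 s.
POLICY = AdmissionPolicy({"position_m": 0.30, "time_ms": 5.0, "rssi_db": 6.0})
CONSENSUS = [
    Obs("lane-edge-17", "position_m", (12.00, 4.50), 160.0),
    Obs("signal-3-phase", "time_ms", (1000.0,), 160.0),
    Obs("beacon-9", "rssi_db", (-61.0,), 160.0),
    Obs("curb-2", "position_m", (3.00, 1.00), 50.0),      # temporal scope already expired
]
HONEST = [
    Obs("lane-edge-17", "position_m", (12.10, 4.45), 160.0),
    Obs("signal-3-phase", "time_ms", (1002.0,), 160.0),
    Obs("beacon-9", "rssi_db", (-64.0,), 160.0),
]
FABRICATED = [Obs("lane-edge-17", "position_m", (14.00, 4.50), 160.0)] + HONEST[1:]
SPARSE = [
    Obs("beacon-9", "rssi_db", (-62.0,), 160.0),
    Obs("curb-2", "position_m", (3.00, 1.00), 160.0),
    Obs("phantom-wall", "position_m", (5.00, 5.00), 160.0),
]

if __name__ == "__main__":
    for name, cand in [("honest", HONEST), ("fabricated", FABRICATED), ("sparse", SPARSE)]:
        print(name, evaluate_candidate(cand, CONSENSUS, POLICY, now=100.0))
```

The sparse candidate is refused even though its one comparable observation agrees: claims about features the locale holds no live credentialed state for cannot count toward admission.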
The governance chain is recursive. The same admissibility evaluator that gates incoming observations gates incoming policy updates, firmware updates, and credential-anchor updates. A device's own governance is the substrate over which policy itself propagates. This recursion is structurally required for the architecture to operate in adversarial conditions where the policy-distribution channel cannot be assumed trustworthy: there is no out-of-band trusted channel, only the mesh itself, and the mesh's admissibility apparatus is what makes propagation safe.
6. Mechanism: Mobile Store-and-Forward and Distributed Perception State
The mesh propagates through three composable channels. Fixed infrastructure relay carries observations between sentinels and infrastructure agents over wired and wireless backhaul. Peer-to-peer transmission carries observations directly between operating units within radio range. Mobile store-and-forward carries observations through vehicles, drones, robots, and pedestrians who carry conforming devices and traverse regions, depositing credentialed observations at peers they encounter. A region under-served by fixed infrastructure receives policy and observation propagation through transit by mobile peers, with hop counts and carriage durations recorded in hop history.
Mobile store-and-forward is governed by the same admissibility framework as live transmission. A peer that carries an observation across a region carries the originating authority's credential, the hop history including the peer's own carriage record with entry and exit timestamps, and the temporal scope under which the observation remains admissible. A receiver is not asked to trust the carrier; it is asked to evaluate the original authority's credential and the temporal scope against its policy. Carriage durations from minutes (a vehicle transiting a campus) to hours (a maritime vessel relaying between port and offshore site) are routine; carriage across days is supported where temporal scopes permit.
Distributed perception state is the cumulative consequence. No peer holds the canonical state of the mesh, and no peer needs to. Each peer holds the slice of state that is locally relevant, refreshed by the credentialed observations admitted under its policy, with explicit temporal scopes governing how long admitted observations remain admissible. State coherence across the mesh emerges from overlapping admission rather than from synchronization with a central store. This produces continuous mesh operation in disconnected, intermittently-connected, and adversarially-isolated regions, eliminating the cellular-backhaul dependency that has constrained smart-infrastructure deployments to dense urban areas.
Firmware updates and governance policy updates travel through the same mesh as observations, with the same authority-credentialed framing. A regulatory authority issues a credentialed policy bundle; the bundle propagates through fixed infrastructure and mobile carriers; receiving devices verify the credential, evaluate the policy against their own governance rules, and accept or reject the update accordingly. A device with no cellular connectivity, no manufacturer backend, and no operator app still receives valid policy updates as long as it operates within the mesh.
7. Operating Parameters
The governed spatial mesh is medium-agnostic, but specific deployments are characterized by concrete parameter ranges. Wire-format messages are typically 32 to 512 bytes for sentinel observations, 128 bytes to 4 KB for infrastructure-agent observations, and up to 64 KB for policy or firmware bundle fragments, with rateless FEC overhead in the 10 to 50 percent range depending on channel quality. Credential fields occupy 64 to 256 bytes including authority identifier, dynamic-device-hash, hop history (variable length), temporal scope, and signature.
Transports include UWB (3.1 to 10.6 GHz, ranges 1 to 200 meters, ranging precision 5 to 30 cm), Wi-Fi (2.4 / 5 / 6 GHz, ranges 10 to 300 meters), sub-GHz (433 / 868 / 915 MHz, ranges 100 meters to several kilometers), cellular (LTE Cat-M1, NB-IoT, 5G NR sidelink), satellite (LEO and GEO), passive RFID (LF, HF, UHF), optical fiducial recognition, NFC, and free-space optical for high-bandwidth point-to-point links. The wire format is independent of transport: the same credentialed message can travel across any conforming carrier without re-encoding.
Admission policy parameters include consistency thresholds (in physical units appropriate to the observation type), temporal scopes (typically 100 ms to 24 hours, longer for static observations like surveyed positions), authority taxonomy depth (typically 3 to 7 levels), and revocation propagation latency (target sub-second within a connected region, bounded by carriage time across mobile store-and-forward links). Frame convergence after a peer joins typically completes within 10 ms to 5 seconds depending on transport and density. Mesh-derived time synchronization typically achieves microsecond precision in UWB-coupled regions, sub-millisecond in Wi-Fi regions, and tens of milliseconds across store-and-forward links.
Scaling characteristics support deployment from single-facility meshes (10 to 100 peers) through campus and corridor meshes (hundreds to thousands of peers) to regional and national meshes (tens of thousands to millions of peers), with hierarchical authority structures and federated admission policies handling the namespace and governance load at each scale.
8. Alternative Embodiments
The architecture admits a wide range of embodiments. Transport layers can be substituted freely: a deployment might operate exclusively over UWB inside a port terminal, exclusively over LoRa across a rail corridor, exclusively over satellite across an offshore wind farm, or in any mixed configuration. The wire format and the credential structure are unchanged across substitutions; only the channel coding and physical-layer parameters differ.
Authority taxonomies can be configured to match the regulatory and commercial context. A public-roads deployment uses a taxonomy rooted in transportation regulators, with commercial fleet operators and OEMs as subordinate authorities. A maritime deployment uses a taxonomy rooted in coast-guard and port-authority hierarchies. A defense deployment uses a taxonomy rooted in command authorities with explicit cross-domain credentialing. The architecture does not impose a particular taxonomy; it provides the structural slots that any taxonomy fills.
Tier composition is flexible. A region can deploy passive markers only, sentinels only, infrastructure agents only, or any combination. A retrofit deployment might begin with passive markers at lane edges and expand to sentinels at intersections and infrastructure agents at central nodes over years; an expeditionary deployment might begin with infrastructure agents and add passive markers and sentinels as the operational tempo permits. Operating units adapt continuously to whichever tier is present.
Coordinate-frame anchoring admits multiple embodiments. A surveyed-anchor embodiment relies on fixed peers at known geodetic positions. A self-anchoring embodiment uses no external survey and operates in a mesh-relative frame, with optional later registration to an external frame when credentialed transformations become available. A hybrid embodiment uses opportunistic external anchors (GNSS when available, optical fiducials when visible, radio beacons of opportunity) under credentialed gating.
Time-frame embodiments range from peer-consensus-only (no external reference) to externally-anchored (UTC via credentialed time authority). Combat and contested embodiments may deliberately reject external time references and operate purely on mesh consensus to deny adversaries a synchronization handle.
Admission policy embodiments range from strict (high consistency thresholds, narrow temporal scopes, shallow taxonomy) for safety-critical contexts, to permissive (broad thresholds, long scopes, deep taxonomy) for advisory contexts. Per-receiver policy customization allows a single mesh to serve heterogeneous units with different risk tolerances simultaneously.
9. Composition With Other Spatial Primitives
The governed spatial mesh is the substrate over which all other spatial primitives operate. Confidence-governed actuation receives credentialed mesh observations as the substrate against which actuation decisions are evaluated. Marker-track transport encodes observation provenance directly in passive marker readouts, composing mesh propagation with surface markers. Matched-pair settlement uses mesh-derived coordinates and time as the spatiotemporal context for transactional matching between peers. Environmental disruption sensing operates on residuals against the credentialed mesh state, identifying anomalies that depart from the governed picture.
Cross-mesh reconciliation composes multiple meshes — operated by different authorities, in different regions, under different policies — into a coherent multi-mesh fabric where credentialed observations cross authority boundaries under explicit reconciliation policy. Spatial adaptation artifacts, the runtime skill-loading primitive disclosed alongside this one, distribute through the mesh and operate against mesh-derived perception, coordinates, and time.
The governance-chain umbrella that this primitive establishes is the same umbrella under which all subsequent primitives operate; the credential field defined here is the credential field carried by every governed message in the portfolio.
10. Prior-Art Distinctions and Disclosure Scope
The governed spatial mesh is structurally distinct from cloud-mediated SLAM systems (which lift state into a centralized authority and impose backhaul dependency), from central tracking systems (which presume a single tracker as the canonical state holder), from V2X / DSRC / C-V2X / ETSI ITS-G5 protocols (which specify message formats and basic authentication but not an authority taxonomy that determines behavioral admissibility, and which leave the receiver's epistemic position unchanged), and from GIS platforms (which presume a central namespace and a platform operator who governs spatial truth on behalf of users).
The architecture is not a mesh-routing protocol like 802.11s, BATMAN, or Babel; those govern packet routing within a single transport, while the governed mesh's wire format is independent of routing and transport. It is not a smart-city or smart-road platform with a single operator; authority is hierarchical and decentralized, and any qualified authority can publish credentialed observations under the taxonomy. It is not a blockchain or distributed ledger; consensus is local, lightweight, and bounded in time scope rather than global, expensive, and immutable.
The architecture is disclosed under USPTO provisional 64/049,409, filed April 25, 2026, as the foundational primitive of a multi-step spatial portfolio. The disclosure scope covers the peer-to-peer mesh of sensors, actors, and observers; peer-derived perception with no central perception authority; mesh-derived coordinates and mesh-derived time; the governance-chain umbrella over the mesh; observation-credentialed admission; distributed perception state; the wire format and credential field structure; mobile store-and-forward propagation; mesh-distributed firmware and policy updates; the three-tier environmental device architecture; and the composition of all of these into a coherent operating substrate. Embodiments across transport layers, authority taxonomies, tier compositions, anchoring strategies, time-frame strategies, and admission policies are within scope. The architecture composes with all spatial primitives in the portfolio and is intended to be deployed both standalone and in combination.