What You Are Building
You have two networks that were each built by a different organization. Each one already has its own notion of who is allowed to say what: its own credentials, its own hierarchy of authorities, its own clock, its own record of what has happened. Now the two need to share state. A merger closes. Two coalition partners deploy in the same theater. A patient moves between provider systems. A cargo container crosses a border. Suddenly observations that were produced on one side have to be usable on the other.
The naive framing is "connect them and sync." But you do not actually want to sync, because syncing implies a single agreed-upon truth, and there is no single authority here. Neither organization will accept the other's credentials as its own, and neither will subordinate itself to a shared coordinator. What you are actually building is a way for two independently governed networks to exchange state, reconcile the histories they built while apart, and keep operating as two separate authorities afterward.
This guide describes that architecture: the Cross-Mesh Reconciliation inventive step, disclosed in U.S. Provisional Application No. 64/049,409. It is a design you implement yourself, not a package you install.
Why the Obvious Approaches Fall Short
The instinct is to reach for an existing federation tool. Each of the usual options carries an assumption that breaks the moment trust is not shared.
Database replication and federated-database protocols assume a shared schema and a resolution rule such as last-writer-wins. That is fine when one operator owns both replicas. Across two organizations it silently discards one party's record whenever a clock skews or an edit races, and it offers no account of why one version won. It also assumes both sides trust the same clock authority to order events.
Blockchain-bridge architectures move tokens or messages between ledgers, but they establish a bridge as its own trust point and typically require the two chains to agree on a consensus protocol. That is a new shared authority, which is exactly what you were trying to avoid.
Cross-cloud identity federation (mapping one directory's identities into another) solves who can log in, but not what an incoming observation is worth once it arrives, nor how to reconcile a record the other side produced while disconnected.
The common structural gap is this: all of these require the two sides to converge on something shared before they can exchange anything, whether a schema, a clock, a consensus, or a unified identity namespace. And most of them treat disconnection as a failure to be healed rather than as a normal, sometimes deliberate, operating mode. An air-gapped defense network or a sovereignty-constrained national system is supposed to stay disconnected most of the time. You need an approach where the two meshes are peers, exchange happens through governed boundary crossings rather than a merge, and being apart is not an error.
The Architecture
The disclosed mechanism rests on one prior commitment: every piece of state that moves between the meshes is not raw data but a governed observation. Per the filed specification, a governed observation carries an authority-credential field, a device-identity attestation, spatial and temporal references, a time-to-live, a payload, and, critically, a lineage field. The lineage field records provenance: the contributing device, references to any source observations it was derived from, the derivation function where applicable, and a cryptographic integrity attestation over those fields. Because provenance travels inside the unit of exchange, an observation remains self-describing after it crosses a boundary. This is the substrate the whole reconciliation depends on, so if your two systems do not already carry lineage on their records, that is the first thing to build.
On top of that substrate, the specification describes the cross-mesh reconciliation mechanism as a set of cooperating components:
A cross-mesh discovery interface admits governance-credentialed boundary agents, that is, agents that participate in more than one mesh. Nothing crosses except through these credentialed agents. There is no flat merge of the two address spaces; there is a controlled set of doorways.
A lineage-preserving import mechanism preserves the original mesh identity in imported observations. When an observation from mesh A lands in mesh B, it does not shed its origin and pretend to be native. It arrives stamped with A's authority signature and A's lineage intact. B knows exactly where it came from and can weigh it accordingly.
A taxonomy translator produces equivalence attestations between the two authority taxonomies. This is the heart of not merging trust. Rather than forcing both sides to adopt one shared hierarchy of authorities, a governance-credentialed translation asserts that a given authority level in A's taxonomy is equivalent, for admission purposes, to some level in B's. The specification frames this as taxonomy-translation-mediated admission rather than authority-taxonomy unification. The two hierarchies stay distinct; a translation bridges them per crossing.
A temporal reconciliation engine reconciles the time-ordering of observations that were produced while the meshes were disconnected. Because the two sides may not share a clock authority, the specification grounds this in mesh-derived time rather than dependence on either party's clock. This is what lets you interleave two separately produced histories into a coherent order without one side's clock winning by fiat.
A cross-mesh conflict resolution evaluator applies governance-policy-defined resolution strategies when imported observations conflict with local ones. The specification points to the shared-world-view conflict resolution, which combines observations through evidential weighting incorporating authority, staleness, and reputation, rather than canonical selection or last-writer-wins. Conflicts are arbitrated by policy over the carried provenance, not resolved by whoever wrote last.
A divergence-detection mechanism identifies when the two histories have diverged enough that the policy demands a deliberate merge rather than automatic admission. Small overlaps flow through; large divergences are flagged for governance-policy-defined merging. Automatic synchronization is explicitly not the default.
A partitioned-operation interface supports meshes that are intentionally disconnected (the specification names air-gapped defense networks, isolated industrial networks, and sovereignty-constrained national meshes) with selective inter-mesh admission through authorized gateway channels. Disconnection is a persistent operating mode, not a fault.
A reconciliation-lineage recorder records each reconciliation event as its own governed observation. The reconciliation itself is audited, so afterward you can reconstruct which observations crossed, under which equivalence attestation, and how each conflict was settled.
The property that ties this together, per the specification, is that none of it requires a single governance authority or a consensus protocol spanning both meshes. Boundary crossings preserve the originating mesh's authority signature and lineage; admission is mediated by translation, not unification; ordering runs on mesh-derived time, not a shared clock. The stated result is global-scale governed-mesh operation without global-scale governance consolidation.
How to Approach the Build
A practical order for implementing this yourself:
Make your records governed observations first. Before any cross-mesh work, ensure every shareable record carries an authority credential and a lineage field with contributing-device identity, source references, and an integrity attestation. Reconciliation has nothing to arbitrate over if the provenance is not on the record.
Define boundary agents, not a bridge. Stand up credentialed agents that hold standing in both meshes. All crossings go through them. Resist the urge to peer the two networks directly.
Author the equivalence attestations. Sit down with both authority taxonomies and, per crossing relationship, write governance-credentialed statements of which levels map to which. Keep them as first-class credentialed artifacts you can audit and revoke, not as a hardcoded lookup table.
Import with origin intact. On the receiving side, admit imported observations without rewriting their authority signature or lineage. Tag them as foreign, carrying their source mesh identity.
An illustrative interface sketch (labeled as illustrative, and faithful to the disclosed components, not a working library):
# ILLUSTRATIVE ONLY, sketch of the disclosed reconciliation flow
def reconcile(incoming, local_mesh, policy):
obs = import_preserving_origin(incoming) # keep source mesh id + lineage
cred = taxonomy_translate(obs.authority, policy) # equivalence attestation, not unify
obs = temporal_reconcile(obs, local_mesh.time) # order on mesh-derived time
if diverges_enough(obs, local_mesh, policy):
return flag_for_policy_merge(obs) # deliberate merge, not auto-sync
outcome = resolve_conflicts(obs, local_mesh, policy) # policy weighting over lineage
record_reconciliation_event(obs, outcome) # audited as its own observation
return outcome
Run ordering on a shared-derived time reference, not either clock. Implement the temporal reconciliation so that neither side's wall clock is treated as authoritative for interleaving disconnected histories.
Encode conflict resolution as policy, weighted over lineage. Write your resolution strategies as governance policy that weighs authority, staleness, and reputation carried in the observation, rather than defaulting to last-writer-wins.
Set your divergence threshold deliberately. Decide, in policy, how much divergence auto-admits versus escalates to a human-or-authority-gated merge. This is the knob that keeps a reconnection from silently overwriting a lot of state.
Record every reconciliation. Emit the reconciliation event as a governed observation so the crossing is reconstructable after the fact.
Test the disconnected case as a first-class path: run both meshes apart, produce conflicting state on each, reconnect, and confirm your policy arbitrates as intended and leaves an auditable trail.
What This Does Not Give You
This is an architecture, not a drop-in library. There is no package to install and no SDK behind this guide. Every component described above is something you design and build in your own stack; the specification describes the mechanism and its parts, not runnable code. The pseudocode is illustrative only.
It is not benchmarked or productized here. The specification discloses the approach; it does not report performance numbers, throughput, or reconciliation latency, and neither does this guide. Do not treat it as production-proven.
It also does not remove the hard human work. The equivalence attestations between two authority taxonomies still require someone with standing on both sides to author and stand behind them; the mechanism transports and enforces those attestations but does not invent the mapping for you. Likewise, the divergence threshold and conflict-resolution weights are policy you must set, and setting them badly will produce bad reconciliations.
Finally, it does not apply where you genuinely do want one authority. If two systems are meant to become a single governed domain under one hierarchy, a real merge is simpler than reconciliation. This approach earns its keep specifically when the two authorities must stay separate.
Disclosure Scope
The Cross-Mesh Reconciliation inventive step described in this guide is disclosed in U.S. Provisional Application No. 64/049,409. This guide is educational and describes an architectural approach a reader can implement independently; it is not a warranty, not a specification of a shipping product, and not an offer of software. All statements here about how the approach works are drawn from that filing; references to other technologies (database replication, blockchain bridges, cross-cloud identity federation) are provided for neutral context only.