Mechanism
Semantic lineage recording is the mechanism by which the inference-time semantic execution substrate maintains a complete, ordered, tamper-resistant record of how an inference output was produced. The lineage is not a side channel and not an external log: it is recorded in the lineage field of the semantic state object, the same persistent, typed object the substrate carries across inference steps. Because the lineage lives inside the governed state object, it is subject to the same structural discipline as every other field, and it accumulates as the inference process advances rather than being assembled after the fact.
What the lineage records is every event that the admissibility gate produces. It records every admitted inference transition, every rejected transition's rejection rationale, every decomposition event, and every trust-slope evaluation that occurs during inference. The result is a semantic audit trail that enables the inference output to be understood, verified, and disputed without re-executing the inference process. The lineage is the joint between live inference and any later reasoning about that inference.
What a Lineage Entry Records
Each lineage entry is a structured record with a defined schema. Every entry comprises a unique transition identifier, a timestamp, the mutation descriptor that was proposed, and the admissibility determination the gate returned, which is one of admit, reject, or decompose. Beyond this common core, the entry carries fields specific to the outcome.
For an admitted transition, the entry records the field modifications that were applied to the semantic state object. For a rejected transition, the entry records the evaluation stage at which rejection occurred and the specific constraint that was violated, so a reader learns not merely that a proposal was refused but where in the gate it failed and why. For a decomposed transition, the entry records the sub-mutations into which the transition was broken. Every entry also records the trust-slope value computed at the point of the transition, tying the record to the continuity assessment described in the trust-slope validation mechanism.
Constructive Entries Versus Rejection Events
The lineage distinguishes the transitions that shaped the output from the transitions that were considered and refused. Only admitted transitions are recorded as constructive entries, because only admitted transitions modify the semantic state object and contribute to the inference output. Rejected transitions are recorded as rejection events, but they do not modify the semantic state object.
This distinction is what guarantees that the semantic state object at any point is the product solely of admitted transitions and is not contaminated by residual effects of rejected proposals. The rejection events remain in the lineage as a record of what was evaluated and declined, but they have no effect on state. A reader can therefore reconstruct both the path the inference took and the paths it refused, while the state itself reflects only the admitted path.
Three Structural Functions
The lineage record serves three structural functions. The first is auditability: any party with access to the lineage record can trace the inference output back through the sequence of semantic decisions that produced it. The output stops being an opaque artifact and becomes a terminus that can be followed back to its origin.
The second is reproducibility. Given the same initial semantic state object, inference engine, and input, the lineage record enables verification that the same sequence of admissibility determinations would be produced, because each determination is deterministic. The gate produces the same admit, reject, or decompose outcome for the same state and the same proposed mutation, so the recorded sequence can be checked rather than merely trusted.
The third is a learning signal. The pattern of rejections and decompositions provides structured data about the inference engine's failure modes: which transitions are most frequently rejected, which policy constraints are most frequently violated, and which semantic contexts produce the highest rejection rates. This enables identification of systematic inference quality issues without requiring retraining of the underlying model.
Completeness Across Partial-State Outcomes
The lineage is also the record that survives when inference does not run to a clean completion. When a proposed mutation is deferred because its admissibility depends on information not present in the semantic state object and not obtainable through anchor resolution, the deferred mutation is held in a pending evaluation queue; if inference concludes without resolving the deferral, the deferred mutation is reported as unresolved in the lineage rather than silently dropped.
When the substrate exercises safe non-execution, terminating the inference process without producing a complete output because conditions for continued inference cannot be met, it produces a partial output comprising the admitted semantic content, a structured termination report identifying the triggering condition, and a complete lineage record. The treatment of non-execution as a valid, first-class outcome depends on this: the system can treat silence as the correct response precisely because the lineage preserves what was admitted, what was refused, and why the process stopped.
The Lineage Recording Module Across Deployments
The lineage recording module is one of the named components of the substrate, deployed alongside the admissibility gate, the mutation mapping module, the trust-slope validation module, and the anchor resolution module. In the embedded configuration, these components run as parts of the same process that hosts the inference engine, communicating across a function-call boundary, which provides the lowest latency and suits deployments where the inference engine and the governance substrate share an operator.
In the hardware-assisted configuration, critical components are implemented in dedicated hardware or hardware-accelerated processing units. Among these are the lineage recording module's cryptographic operations, placed in hardware to provide the highest tamper-resistance assurance. This configuration suits high-assurance deployments in which the governance substrate must resist adversarial modification, including scenarios in which the inference engine operator itself may be adversarial to governance objectives. Across all deployment configurations the same semantic guarantee holds: every admitted transition is lineage-recorded and every rejection rationale is preserved.
Composition with the Inference-Control Stack
Lineage recording composes directly with the admissibility gate, which is its source of events: every admit, reject, and decompose determination the gate produces becomes a lineage entry. It composes with trust-slope continuity validation, whose computed value is recorded at every transition and whose drift responses, including drift annotations and re-anchoring corrections, are themselves recorded for auditability. It composes with the semantic budget mechanism, since an output terminated because its budget was exhausted is tagged as budget-limited in the lineage.
In the multi-model arbitration embodiment, where several inference engines propose candidate transitions against a shared semantic state object, the lineage records the originating engine for each admitted transition. This enables contribution tracing and the identification of complementary or conflicting inference behavior across engines, and it underlies the dynamic trust weighting by which engines whose candidates are predominantly admitted are progressively favored and those predominantly rejected are de-prioritized.
Distinction from Post-Generation Logging
Conventional observability for inference systems records inputs and outputs after generation, in a logging pipeline external to the inference process, whose contents describe what was produced but not the governed sequence of decisions that produced it. Such logs capture the result, not the reasoning, and they record nothing about transitions that were evaluated and refused. The mechanism described here differs in that the lineage is produced inside the governed inference process, entry by entry, as the admissibility gate renders each determination. It records admitted, rejected, and decomposed events as distinct entry types; it records the evaluation stage and violated constraint for each rejection; and it records the trust-slope value at each transition. Because the determinations are deterministic, the record can be reproduced and verified rather than merely read.
Disclosure Scope
Semantic lineage recording during inference, comprising the maintenance in the lineage field of the semantic state object of a complete, ordered, tamper-resistant record of every admitted transition, every rejected transition's rejection rationale, every decomposition event, and every trust-slope evaluation, with each entry carrying a transition identifier, a timestamp, the proposed mutation descriptor, the admissibility determination, the outcome-specific fields for admitted, rejected, and decomposed transitions, and the trust-slope value, is disclosed in the cognition filing (U.S. Application No. 19/647,395 and its international counterpart) at Section 8.10. This article describes that disclosed mechanism.
The disclosure provides that only admitted transitions are recorded as constructive entries that modify the semantic state object, while rejected transitions are recorded as rejection events that do not, ensuring the state object reflects only the admitted path. It provides that the lineage serves auditability, reproducibility, and learning-signal functions, and that the lineage record is complete across partial-state outcomes including deferral and safe non-execution. The disclosure further contemplates implementation of the lineage recording module's cryptographic operations in dedicated hardware in the hardware-assisted deployment configuration for high-assurance, tamper-resistant operation, and the recording of the originating engine for each admitted transition in the multi-model arbitration embodiment.
