Integrity Collapse Detection

Mechanism

Integrity collapse detection operates as a deterministic evaluator embedded within Chapter 3 of the cognition patent. It receives, at every cognitive step, the current values of the agent's integrity field, the canonical reference values declared in policy, and the rolling history of constraint violations recorded in the agent's lineage. From these inputs it computes, in closed form, whether the agent has entered a collapse condition. There is no probabilistic threshold and no learned classifier. The conditions for collapse are declared as bounded predicates over canonical fields, and the evaluator either reports collapse or it does not.

The mechanism distinguishes three structurally distinct stages. Stage one is constraint violation: a single evaluation in which one or more declared bounds on the integrity field are exceeded. Stage two is repetition: a count of violations within a declared window crosses a declared threshold, indicating that the violation is not a transient excursion but a persistent pattern. Stage three is remediation failure: the remediation routines bound to the violated constraint have been engaged the declared number of times without returning the field to admissible values. Only the conjunction of all three stages constitutes collapse. This staged structure prevents premature escalation while ensuring that genuine breakdowns are caught deterministically.

When collapse is declared, the escalation path is bound. Binding means the path is not selected at runtime by the agent; it is fixed in policy at configuration time, recorded in lineage, and signed by the governance authority that authored the policy. The bound path specifies which governance role receives the escalation, what evidence is transmitted, and what suspension state the agent enters while awaiting review. The agent does not negotiate, defer, or work around this binding. Suspension is itself a declared state with a declared exit contract.

Operating Parameters

The operative parameters for integrity collapse detection are: the violation predicate set, which declares what constitutes a single constraint violation; the evaluation window, expressed in cognitive cycles rather than wall clock time so that detection is invariant under substrate speed; the violation count threshold within the window; the remediation engagement count, declaring how many remediation attempts must precede a collapse declaration; and the escalation binding, which names the governance role, the evidence package format, and the suspension state.

Each parameter is sourced from the agent's policy reference and is not modifiable at runtime by the agent itself. Policy revisions are themselves governed: a change to any collapse parameter requires a signed policy update with its own lineage entry, ensuring that loosening of detection thresholds is itself auditable. The evaluation window and count threshold together define the sensitivity of the detector. A short window with a low count produces a sensitive detector that escalates on minor excursions; a long window with a high count produces a tolerant detector appropriate for noisy operating environments. Both are valid configurations under the same structural mechanism.

Remediation routines themselves are declarative. Each routine is bound to one or more violation predicates and specifies a deterministic action, a measurable post-condition, and a maximum engagement count. The collapse detector consumes the engagement count from the remediation lineage; it does not infer remediation effort from observed behavior. This separation ensures that the remediation system and the collapse detector cannot collude or drift together: each consults declared, signed records.

Alternative Embodiments

The disclosed mechanism admits several embodiments without departing from its structural character. In a single-agent embodiment, the detector runs in process with the cognitive evaluator and writes collapse declarations to local lineage. In a federated embodiment, multiple agents share a common governance authority, and collapse declarations from any one agent are mirrored to a shared lineage register so that peer agents can adjust their trust evaluations of the suspended peer. In a hierarchical embodiment, sub-agents report integrity field values to a parent coordinator that runs its own collapse detector over the aggregate; collapse at the parent level can declare collapse for the entire sub-tree.

Embodiments may also vary in the granularity of the violation predicate. A coarse predicate evaluates a single scalar integrity score against a single bound. A fine predicate evaluates each canonical sub-field against a vector of bounds, enabling collapse to be declared on a specific dimension of integrity, such as forecast coherence or normative consistency, while other dimensions remain admissible. Both embodiments are within the scope of the disclosure provided that the predicate, window, threshold, and escalation binding remain declared in policy.

A further embodiment substitutes the bound escalation path with a graduated escalation set, in which collapse declarations of differing severity invoke differing escalation contracts. The detector emits a severity label derived deterministically from the violation history, and the policy reference maps each label to a distinct bound path. This embodiment preserves the structural property that all paths are bound at configuration time.

Composition with Other Primitives

Integrity collapse detection composes directly with confidence governance, forecasting, and discovery traversal through the integrity field. When collapse is declared, the field's admissible-value indicator is set to false, and downstream primitives that consult the integrity field observe this state through their declared interfaces. Confidence governance reduces the agent's emitted confidence to the declared collapse-state value, typically zero or a sentinel indicating non-execution. Forecasting suspends emission of new forecasts because forecast lineage requires an admissible integrity field at the moment of emission. Discovery traversal halts at the next boundary because traversal lineage similarly requires admissibility.

Composition is contractual, not behavioral. Each downstream primitive declares, in its own policy reference, how it responds to a non-admissible integrity field. The collapse detector does not call into these primitives directly; it modifies the field, and the primitives' own evaluators observe the modification at their next step. This loose coupling preserves the auditability of each primitive in isolation while ensuring system-wide coherence.

Implementation Considerations

A reference implementation maintains the violation history as an append-only ring of fixed length equal to the largest declared evaluation window across active predicates. Each entry records the violated predicate identifier, the integrity field state at the time of violation, the cognitive cycle index, and a signature derived from the policy version under which the predicate was evaluated. The ring is part of the agent's portable state, so collapse detection is consistent across substrate migrations: a migrating agent does not lose its violation history and cannot be rehosted in a manner that resets the count.

Remediation engagement is similarly recorded as an append-only ledger keyed by remediation routine identifier. Each engagement entry records the routine invocation, the post-condition outcome, and the resulting integrity field state. The collapse detector consumes engagement entries that are bound to predicates currently in violation; engagements bound to other predicates do not count toward the failure threshold. This keying ensures that a remediation routine engaged for one type of violation does not unintentionally satisfy the engagement count for an unrelated violation, preserving the disjoint accounting that the staged structure depends on.

Performance considerations favor a constant-time evaluator. With a fixed-size ring and a fixed-size engagement ledger keyed by routine identifier, each cognitive cycle's collapse evaluation is bounded by the number of declared predicates rather than by the agent's operational history. This makes integrity collapse detection suitable for deployment in cognitive architectures with strict per-cycle latency budgets, including real-time control systems where evaluation must complete within a declared cycle time.

Logging and external observability are designed for governance review rather than operator debugging. The lineage records emitted by the detector are signed under the agent's identity and the policy version, and they are formatted so that an external auditor with no access to the agent's runtime can reconstruct the sequence of violations, remediation engagements, and the final collapse declaration. This auditor independence is the touchstone of structural integrity: if the only party who can confirm collapse is the agent itself, the mechanism has not achieved its purpose.

Prior-Art Distinction

Existing approaches to detecting agent failure rely on probabilistic anomaly detection, statistical drift monitoring, or rule-based watchdogs. Probabilistic detectors emit a likelihood that the agent is failing without declaring a structural state; downstream consumers must apply their own thresholds and may disagree about whether failure has occurred. Statistical drift monitors require baselines and assume stationarity; they cannot distinguish between authorized adaptation and unauthorized deviation. Rule-based watchdogs typically halt the agent on any violation, lacking the staged structure that distinguishes transient excursions from sustained breakdown.

The disclosed mechanism is distinguished by three structural properties absent from prior art: collapse is a declared state with a single declared entry condition rather than a likelihood; the entry condition is staged through violation, repetition, and remediation failure rather than triggered on any single event; and the escalation path is bound at configuration time and signed by a governance authority rather than selected at runtime. These properties together convert collapse detection from a monitoring activity into a structural component of the cognitive architecture.

Disclosure Scope

The disclosure encompasses any system in which an agent's integrity field is evaluated against declared bounds, in which violations are accumulated within a declared window against a declared threshold, in which remediation engagement is counted from declared lineage, and in which an escalation path is bound at configuration time by a governance authority. The disclosure is not limited to any particular substrate, deployment topology, or application domain. It applies equally to autonomous vehicles, companion AI, therapeutic agents, financial advisors, and enterprise decision systems, provided the structural elements are present.

Variants that alter only the surface presentation of collapse declarations, the transport mechanism for escalation messages, or the storage format of lineage entries do not depart from the disclosed scope. Variants that remove any of the structural elements, such as systems that select escalation paths at runtime or that infer remediation engagement from observed behavior rather than declared lineage, fall outside the disclosed mechanism and do not provide its guarantees.