Policy-Based Integrity Constraints

Mechanism

The mechanism, defined in Chapter 3 of the cognition patent, treats each integrity policy as a set of typed constraints over the agent's canonical fields. A constraint is an expression that evaluates to a Boolean over a defined evaluation context; the constraint is satisfied when the expression is true. A policy is the conjunction of its constraints. The agent's effective policy is the conjunction of every policy currently in force, which is itself a constraint set, and the agent's behavior is required to satisfy that effective set on every cycle in which the policy is consulted.

Composition is the central operation. When a new policy is offered for admission, the runtime constructs the proposed effective set by taking the union of the existing constraints and the new constraints. It then asks whether the proposed set is jointly satisfiable, that is, whether there exists at least one assignment to the canonical fields that makes every constraint in the set true. The satisfiability question is answered by a deterministic decision procedure whose inputs are the constraint expressions and whose output is either a witness assignment or a structured certificate of unsatisfiability. If the procedure returns a witness, the policy is admitted and becomes part of the effective set. If it returns a certificate of unsatisfiability, the policy is rejected and the certificate is recorded in the lineage as the reason for rejection.

Rejection at admission is the load-bearing property. By refusing to admit policies that would make the union inconsistent, the mechanism guarantees that the effective set is always satisfiable, that the agent's behavior is always well-defined, and that no operational cycle can be entered in a state of normative contradiction. The alternative discipline, in which inconsistencies are tolerated until they manifest at evaluation time, is structurally rejected because it permits the agent to enter a state in which no behavior satisfies the effective policy and the runtime has no principled basis for choosing among the failing constraints.

The constraint language is closed under conjunction, disjunction, and negation, and is restricted to a decidable fragment over the canonical field types. Constraints are versioned; the version in force at any cycle is recorded in lineage. Composition is associative and commutative, so the order in which policies are admitted does not affect the resulting effective set, although it does affect which policy is identified as the cause of any rejection. Removal of a policy is the inverse operation: the effective set is reduced to the conjunction of the remaining policies and is, by monotonicity of conjunction, automatically satisfiable.

Operating Parameters

The decision procedure exposes a small set of governed parameters. A timeout bounds the time available to answer the satisfiability question; a policy that cannot be decided within the timeout is rejected with a structured timeout certificate. A complexity bound limits the syntactic size of any single constraint and the cardinality of the constraint set; bounds violations are also rejected at admission. A precision parameter governs the numerical tolerance with which inequality constraints over real-valued fields are evaluated, ensuring that floating-point representation does not produce spurious unsatisfiability.

Each constraint carries metadata, including its source policy, its declared scope, and its severity. Scope determines which canonical fields the constraint may reference. Severity governs the disposition of a runtime violation: hard constraints induce immediate halt, soft constraints induce annotation, and advisory constraints induce only recording. All three severities participate in the satisfiability check at admission; the distinction matters only for runtime evaluation. The policy reference declares the severity of every constraint, and severity may not be changed without policy revalidation.

Operating ranges are bounded to preserve decidability and analyzability. Constraint expressions are limited to the decidable fragment of the language. The policy set is limited in cardinality to a configured maximum. The decision procedure timeout is bounded above and below to prevent both unbounded admission delay and trivially short evaluations that would reject well-formed policies. Every bound is declared in the runtime configuration and is itself subject to policy review.

Alternative Embodiments

In a first embodiment, the decision procedure is an off-the-shelf SMT solver instantiated with a theory appropriate to the canonical field types. The mechanism is otherwise unchanged; the solver supplies the witness or certificate.

In a second embodiment, the constraint language is restricted to linear arithmetic over rationals, for which decision procedures are particularly efficient. This embodiment is appropriate for deployments in which the canonical fields are numerical and the constraints express bounds, ratios, and linear combinations.

In a third embodiment, policies are organized into a lattice with explicit precedence, and the effective set is constructed by taking the meet of the lattice. Composition then reduces to lattice operations, and rejection corresponds to a meet that lies below the lattice's bottom element. This embodiment is appropriate where multiple authorities issue policies and where precedence must be made explicit rather than inferred from admission order.

In a fourth embodiment, the satisfiability check is performed incrementally: when a new policy is admitted, the procedure reuses the witness from the previous admission as a seed, and only a localized re-check is required. This embodiment is appropriate for high-frequency policy churn and exploits the monotonicity of the addition operation.

Composition With Other Primitives

Policy-based integrity constraints compose with confidence governance, which consumes integrity outputs in computing the confidence value; with capability awareness, which exposes substrate properties as canonical fields against which constraints may be expressed; and with discovery traversal, which is itself constrained by integrity policies governing what may be explored. Each composition is mediated by a typed interface, and changes to a primitive's interface trigger policy revalidation against the new interface signature.

The lineage primitive composes especially tightly. Every constraint evaluation, every admission decision, and every rejection certificate is recorded in lineage with its full input context. A governance audit may reconstruct, for any cycle, the exact effective set that was in force, the witness that demonstrated its satisfiability, and the inputs that were evaluated against it. The audit trail is therefore complete with respect to integrity governance, and gaps in it are themselves policy violations.

Distinction From Prior Art

Prior art in policy languages, including XACML, OPA, and similar frameworks, treats policies as evaluable predicates and addresses inconsistency only at evaluation time, typically through precedence rules or default-deny semantics. None of these traditions performs a satisfiability check at admission, and none rejects a new policy on the structural ground that its addition would make the effective set inconsistent. Constraint programming literature addresses joint satisfiability but does not apply the technique to the runtime governance of agent behavior, and constraint-based program analysis addresses static properties of code rather than dynamic policies layered over a running agent.

The present mechanism differs structurally. It treats every policy as a constraint set, every effective state as the union of those sets, and every admission as a decidable satisfiability question. It rejects at admission, not at evaluation, and it records the rejection certificate in durable lineage. The discipline is not merely a stronger form of evaluation; it is a different placement of the consistency check that eliminates an entire class of runtime failures.

Worked Examples

Consider a deployment in which a base policy declares that the agent's output rate must not exceed a configured ceiling and a tenant-specific policy declares that the agent's output rate must not fall below a configured floor. Admission constructs the union of the two constraint sets and submits it to the decision procedure. If the floor exceeds the ceiling, the procedure returns a certificate identifying the two constraints as jointly unsatisfiable; the tenant policy is rejected at admission and the certificate is written to lineage. The base policy continues in force, and the tenant is notified through a structured channel that the offered policy was inadmissible.

Consider next a deployment in which an integrity policy declares a maximum permitted deviation from a declared value vector and a coping policy declares that, when deviation exceeds a threshold, the agent must intercept and request guidance. The two policies share the deviation field, and their conjunction defines a joint regime: the agent is permitted to operate while deviation is below the maximum, must intercept while deviation exceeds the coping threshold, and is governed by the conjunction of all other constraints in both regimes. The decision procedure verifies satisfiability across the regime boundaries at admission, ensuring that no operational state exists in which the conjunction has no solution.

Consider an additional case in which a regulatory authority issues a new constraint mandating that a particular field never assume a value drawn from a declared exclusion set. The constraint is added to the existing policy lattice at a precedence above all tenant-issued constraints. The decision procedure rechecks satisfiability against every existing tenant policy in turn; tenant policies whose admitted constraints would conflict with the new exclusion are themselves recomputed against the updated effective set, and any that no longer satisfy the joint set are flagged for re-admission under revised terms. The lineage records both the regulatory addition and the cascaded re-admission decisions, providing a complete account of how the regulatory change propagated through the deployment.

Consider finally a high-frequency policy churn scenario in which tenant policies are admitted and removed many times per second. The incremental embodiment of the decision procedure reuses the witness from the previous admission as a seed and performs only a localized re-check, keeping admission latency bounded. Lineage captures every admission and every removal, so the effective policy at any past cycle can be reconstructed by replaying the recorded operations in order. The combination of monotonic union semantics, incremental decision, and append-only lineage is what makes integrity governance composable in practice rather than only in principle.

Disclosure Scope

The disclosure encompasses the constraint-set representation of policies, the union semantics of policy composition, the satisfiability check at admission, the witness-or-certificate output of the decision procedure, the rejection of inconsistent policies, the lineage recording of admission and rejection events, and the parameter bindings that govern the decision procedure. It encompasses the alternative embodiments enumerated above and any embodiment in which integrity governance is expressed as a composable constraint set whose joint satisfiability is verified at admission and recorded in lineage. The disclosure is independent of the specific constraint language, of the specific decision procedure, and of the specific canonical fields against which constraints are expressed.