Admissibility Gate as Skill Router

by Nick Clark | Published April 25, 2026

Current agent platforms split skill activation into two layers: an upstream heuristic decides which skills are eligible to fire on a given inference, and a separate routing layer decides which eligible skills do fire and at what weight. The Cognition Patent's admissibility-gate-as-skill-router collapses both layers into a single cryptographically-bound computation against credentialed governance policy. The same composite admissibility evaluator that gates whether a skill may execute determines whether the skill is reachable at all — only admissible skills are invocable, the routing decision is itself cryptographically attested, and a non-admissible skill is structurally invisible to the inference path rather than merely refused at execution time. The disclosure unifies skill selection and inference routing into a single deterministic step whose inputs, outputs, and lineage are governed by the same primitive that already governs execution admissibility, eliminating an entire class of bypass surfaces in which a routing-layer mistake exposes a skill that the admissibility gate would otherwise have refused.


Mechanism

The admissibility-gate-as-skill-router operates at the moment a request arrives at the agent runtime. The composite admissibility evaluator — already a structural component of the Cognition Patent's broader skill-gating architecture — consumes the request, the set of certified active artifacts available to the agent, the consumer's governance policy, the operational context (caller authority, request authority, environmental attestations), and the agent's affective and confidence state. From these inputs it produces a routing decision rather than the simpler execution-permission boolean produced by a conventional admissibility check. The routing decision is graduated: a request may route to a single artifact, to a weighted ensemble of artifacts each contributing in proportion to its admissibility-weighted fit, to a dormant artifact whose activation is itself subject to admissibility evaluation, to a higher-authority artifact when policy requires escalation, or to a refusal when no artifact is admissible for the request.

Cryptographic invisibility of non-admissible skills is the structural commitment that distinguishes this disclosure from conventional skill-routing schemes. In a conventional scheme, all skills are visible to the routing layer, which selects among them; the admissibility check then either approves or rejects the routed selection. This produces a visible attack surface: a routing-layer compromise can cause the wrong skill to be invoked, a logging-layer compromise can leak the existence of skills the caller is not authorized to know about, and an upstream prompt-injection can steer the router toward a skill that the admissibility gate would have refused. The unified gate forecloses each of these by binding the routing decision to the admissibility computation itself. A skill for which the caller is not admissible does not appear in the router's candidate set, does not appear in the lineage record as a refusal, and is not enumerable through the router's interface. The skill is structurally invisible — present in the agent's repertoire, but unreachable by callers outside its admissibility envelope.

The composite admissibility evaluator already consumes authority (who may invoke), evidential weighting (what evidence supports invocation), capability envelope (what the artifact is permitted to do), temporal scope (when the artifact is admissible), and disposition (what the artifact's affective and confidence posture is). To extend this evaluator into a router, three additional inputs are introduced: artifact-fit, scoring how well each candidate artifact matches the structure and intent of the request; artifact-authority, the authority chain that signs the artifact's metadata and therefore certifies its place in the routing graph; and dependency-state, the boolean that indicates whether the prerequisite artifacts on which a candidate depends are themselves currently admissible and active. The evaluator combines these with the conventional admissibility inputs through a deterministic, policy-bounded composition function, producing a vector of weighted contributions plus an explicit decision record.

Every routing decision is recorded in the agent's lineage with the same governance treatment as an execution decision: the caller, the request, the candidate set considered, the admissibility-weighted contributions assigned, the artifacts ultimately invoked, and the cryptographic attestation that binds the decision to the policy version under which it was evaluated. The lineage record is signed by the gate's attestation key and is admissible at audit time as proof that the routing was both within policy and that no skill outside the caller's admissibility envelope was considered.

Operating Parameters

The composition function combines the admissibility inputs and the routing inputs into a per-artifact score in a bounded interval, typically [0, 1]. Artifacts whose score is below the policy floor are excluded from the candidate set; artifacts above the floor are included with their contribution weight derived from the score. The floor is policy-defined per request class — safety-critical request classes carry higher floors, low-stakes classes lower floors — and the floor is itself signed at policy issuance so that an in-flight reduction of the floor is detectable by the audit substrate. Typical operating ranges place the floor between 0.6 and 0.85 for production deployments, with research and exploratory deployments operating at lower floors at the consumer's documented discretion.
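As an added illustration (not code from the disclosure), the sketch below implements the candidate-set-pruning form of the gate described above: hard admissibility inputs prune before scoring, a per-class floor filters the rest, and the floor is checked against its issuance signature. The composition function (fit times evidence), the HMAC standing in for a signature, and all names and sample values are assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass

POLICY_KEY = b"constructed-policy-issuer-key"  # constructed; HMAC stands in for a real signature

@dataclass(frozen=True)
class Artifact:
    name: str
    required_role: str   # authority: who may invoke
    fit: float           # artifact-fit, 0..1
    evidence: float      # evidential weighting, 0..1
    deps_active: bool    # dependency-state

def sign_policy(policy):
    body = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(POLICY_KEY, body, hashlib.sha256).hexdigest()

def route(request_class, caller_roles, artifacts, policy, policy_sig):
    # An in-flight change to the floor invalidates the issuance signature.
    if not hmac.compare_digest(sign_policy(policy), policy_sig):
        raise ValueError("policy does not match its issuance signature")
    floor = policy["floors"][request_class]
    scored = {}
    for a in sorted(artifacts, key=lambda x: x.name):  # fixed order for replay
        # Hard inputs prune before scoring, so the artifact is never enumerated.
        if a.required_role not in caller_roles or not a.deps_active:
            continue
        score = a.fit * a.evidence  # assumed composition function, stays in [0, 1]
        if score >= floor:
            scored[a.name] = score
    if not scored:
        return {"decision": "refuse", "candidates": [], "weights": {}}
    total = sum(scored.values())
    weights = {n: round(s / total, 6) for n, s in scored.items()}
    kind = "single" if len(weights) == 1 else "ensemble"
    return {"decision": kind, "candidates": sorted(weights), "weights": weights}

# Constructed sample data.
SAMPLE_POLICY = {"version": "v1", "floors": {"report": 0.7, "payment": 0.85}}
SAMPLE_ARTIFACTS = [
    Artifact("summarize", "analyst", 0.9, 0.9, True),
    Artifact("tabulate", "analyst", 0.8, 0.9, True),
    Artifact("translate", "analyst", 0.5, 0.9, True),        # below the floor
    Artifact("forecast", "analyst", 0.9, 1.0, False),        # dependency inactive
    Artifact("wire_transfer", "treasury", 0.95, 1.0, True),  # outside analyst envelope
]

if __name__ == "__main__":
    sig = sign_policy(SAMPLE_POLICY)
    print(route("report", {"analyst"}, SAMPLE_ARTIFACTS, SAMPLE_POLICY, sig))
```

For an analyst caller, the decision returned for a `payment` request is identical whether or not `wire_transfer` exists in the repertoire, which is the property to test for when checking that refusals do not leak skill existence.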

Latency targets place the unified gate's evaluation in the single-digit-millisecond range for typical artifact populations (tens to low hundreds of active artifacts). Larger artifact populations admit a hierarchical evaluation in which a coarse admissibility filter narrows the candidate set in constant time before the per-artifact scoring runs over the survivors; the hierarchical structure preserves the cryptographic-invisibility property because the coarse filter operates on the same admissibility inputs that govern the fine-grained scoring. Caching of partial admissibility computations is permitted within a policy-defined window, with cache invalidation triggered by any change to policy, caller authority, or artifact certification.

Routing decisions are deterministic given identical inputs. A re-evaluation against the same request, the same policy version, the same active-artifact set, and the same context produces the same decision — which is the property that supports audit reconstruction. Stochastic components, where present in the artifact-fit scoring, are seeded from a request-bound entropy source recorded in the lineage so that reconstruction can recover the exact draw.

Lineage records carry the cryptographic attestation of the gate's evaluation, the policy version reference, the artifact certifications consumed, and the caller authority chain. Records are append-only; tampering is detectable through the lineage's hash chain. Retention windows are policy-defined and typically span the regulatory horizon of the deployment domain — months for low-stakes consumer applications, years for regulated enterprise and safety-critical domains.
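The append-only, hash-chained lineage described above can be checked with a verifier like the following added example, which is not part of the disclosure. The record layout, the HMAC standing in for the gate's attestation signature, and the sample decisions are assumptions.

```python
import hashlib, hmac, json

GATE_KEY = b"constructed-gate-attestation-key"  # constructed; HMAC stands in for the gate's signature
GENESIS = "0" * 64

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def attest(record_hash):
    return hmac.new(GATE_KEY, record_hash.encode(), hashlib.sha256).hexdigest()

def append_record(chain, decision):
    # Each record commits to its position and to the previous record's hash.
    body = {"seq": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS,
            "decision": decision}
    record = {**body, "hash": digest(body)}
    record["attestation"] = attest(record["hash"])
    chain.append(record)
    return record

def verify_chain(chain):
    """Return the index of the first record that fails, or -1 if all verify."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {"seq": rec["seq"], "prev": rec["prev"], "decision": rec["decision"]}
        ok = (rec["seq"] == i and rec["prev"] == prev
              and rec["hash"] == digest(body)
              and hmac.compare_digest(rec["attestation"], attest(rec["hash"])))
        if not ok:
            return i
        prev = rec["hash"]
    return -1

# Constructed sample routing decisions.
SAMPLE_DECISIONS = [
    {"caller": "alice", "request_class": "report", "policy_version": "v1",
     "candidates": ["summarize", "tabulate"], "invoked": ["summarize", "tabulate"]},
    {"caller": "alice", "request_class": "payment", "policy_version": "v1",
     "candidates": [], "invoked": []},
    {"caller": "bob", "request_class": "payment", "policy_version": "v1",
     "candidates": ["wire_transfer"], "invoked": ["wire_transfer"]},
]

def build_sample_chain():
    chain = []
    for decision in SAMPLE_DECISIONS:
        append_record(chain, decision)
    return chain
```

An edit that also recomputes the record's `hash` still fails, because the attestation over the old hash no longer matches and the next record's `prev` points at the original value.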

Alternative Embodiments

Embodiments of the artifact-fit scoring range from explicit symbolic match (does the request shape align with the artifact's declared signature) through embedding-space similarity (cosine similarity between request embedding and artifact-description embedding) to learned scoring (a classifier trained against a held-out request-artifact alignment corpus) and ensemble combinations. The deterministic-replay requirement is satisfied as long as the chosen scoring is reproducible from recorded inputs; learned components are admissible if their model versions are referenced in the lineage and their inference is reproducible.

Embodiments of the cryptographic invisibility property include candidate-set pruning prior to enumeration (the router never sees non-admissible artifacts), encrypted artifact metadata keyed to the caller's admissibility envelope (non-admissible artifacts are present but undecryptable), and zero-knowledge proofs of admissibility that allow the router to confirm an artifact's eligibility without exposing the artifact's identity to logs that the caller is not authorized to read. Each embodiment satisfies the structural-invisibility commitment with a different operational tradeoff between simplicity, latency, and forensic posture.

Embodiments of the routing decision range from single-artifact selection (the most common case in current platforms) through weighted ensemble routing (multiple artifacts contribute proportionally), staged routing (a primary artifact runs first, with results conditioning the admissibility of secondary artifacts), and dormant-activation routing (a candidate artifact is activated for the duration of the request only if its activation is itself admissible). All embodiments share the same gate, the same lineage discipline, and the same cryptographic-invisibility property; they differ only in the action the gate authorizes.

Multi-tenant embodiments contemplate platforms hosting agents on behalf of multiple consumers each with distinct admissibility envelopes. The gate operates per tenant with tenant-scoped policy, tenant-scoped artifact certifications, and tenant-scoped lineage; cross-tenant artifact visibility is forbidden by construction, and a tenant's routing decisions are not enumerable from another tenant's audit interface. Federated embodiments extend this to inter-platform skill exchanges where one platform's certified artifacts are admissible in another platform's routing subject to a published trust mapping.

Composition with Adjacent Primitives

The unified gate composes with the Cognition Patent's confidence governance: the confidence floor required for a routing decision scales with the blast radius of the artifacts in the candidate set, so that high-stakes routing decisions are admissible only when the agent's confidence exceeds the corresponding floor. A degraded confidence state shrinks the admissible candidate set automatically without any separate logic, which is the structural advantage of unifying the layers — every governance commitment that applies to execution applies to routing without duplication.

The gate composes with the agent's affective state, including the seventh canonical field (narrative-coherence). A drifting agent — one whose narrative-coherence has fallen below the policy threshold — is structurally barred from routing to high-coherence-floor artifacts, and the bar is enforced by the same gate that governs execution. The agent does not need to consult a separate stability check before routing; the routing decision already reads coherence as part of the disposition input.

The gate composes with delegation. When a parent agent delegates to a child, the parent's admissibility envelope determines the child's routable artifact set, intersected with the child's own envelope. A parent that lacks admissibility for a given skill cannot create a child with access to it, eliminating delegation-based privilege escalation. The same gate runs at the child's runtime, so the child's routing is itself constrained by the gate's commitments.

Prior-Art Differentiation

Anthropic Skills, OpenAI Custom Actions, Google Gemini Extensions, and Microsoft Copilot Studio each implement skill activation as a two-layer construct: an upstream eligibility heuristic determines which skills can fire, and a downstream routing layer determines which do fire. Each platform records routing and execution as separable events with separable governance. The split exists for historical reasons — different teams built different layers, and the layers solidified before a unifying primitive was articulated — rather than for architectural ones, and it is precisely the bypass surface that adversarial prompt-injection literature has been exploiting.

The Cognition Patent's unified gate is patentably distinguishable on three structural moves. First, the gate is the same primitive for both selection and execution, eliminating the two-layer evaluation path. Second, non-admissible skills are cryptographically invisible to callers outside their admissibility envelope, eliminating the enumeration and refusal-leakage attack surfaces present in the conventional split. Third, the routing decision is itself an attested artifact recorded in lineage with the same cryptographic discipline as an execution decision, so audit reconstruction recovers a single decision record rather than reconciling two.

Prior agent-routing literature (mixture-of-experts, retrieval-augmented routing, learned skill selection) addresses the question of routing accuracy without addressing the governance question of routing admissibility. Where governance has been added, it has been added as an external check operating on the router's output rather than as a structural commitment of the router itself. The disclosure here moves the governance into the routing primitive, producing a router whose outputs are admissible by construction.

Disclosure Scope

The Cognition Patent's disclosure of admissibility-gate-as-skill-router covers the unification of selection and execution under a single composite admissibility evaluator, the cryptographic-invisibility commitment for non-admissible skills, the deterministic composition function combining admissibility inputs with artifact-fit, artifact-authority, and dependency-state, the graduated routing decision space (single artifact, weighted ensemble, staged, dormant-activation), the per-tenant and federated multi-platform extensions, the lineage attestation that records routing decisions with the same discipline as execution decisions, the latency-sensitive hierarchical evaluation pattern, and the composition rules with confidence governance, affective state including narrative-coherence, and delegation.

Embodiments across symbolic, embedding-based, learned, and ensemble artifact-fit scoring are within scope, as are invisibility implementations from candidate-set pruning to encrypted metadata to zero-knowledge proof. Single-tenant, multi-tenant, and federated embodiments share the same gate primitive. The licensable primitive is the unification of selection and execution under an admissibility evaluator with cryptographic invisibility — not any specific scoring function, model, or platform integration. Specific platform mappings, scoring models, and runtime stacks are left to implementers and are not the subject of restriction.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie