Cross-Model Skill Portability Across Base-Model Substitutions

Mechanism

The portability mechanism rests on three structural elements: a standardized artifact envelope, a compatibility-evidence record, and a consumer-side admissibility gate that evaluates the evidence against the runtime base model. The envelope is vendor-independent: it specifies the artifact's functional contract (inputs, outputs, side effects, capability claims), the adaptation technique it uses (RAG index, prompt configuration, LoRA adapter, tool-binding manifest, or composite), and the metadata fields the admissibility gate will read. The envelope does not assume any particular base model; it assumes the existence of a base model and a gate that can evaluate compatibility against that base model. Because the envelope is the addressable surface that consumers, registries, and gates all interact with, the entire portability story collapses to a question of whether the envelope is rich enough to carry the evidence the consumer needs and whether the evidence is credentialed by an authority the consumer trusts.

The compatibility-evidence record is itself a credentialed observation. Each entry declares: the base-model class the artifact has been validated against (specified by family, version range, and any architectural attributes the gate can compare); the validation methodology used (functional test suite, behavioral benchmark, formal property check, human review); the validation outcome (pass, partial pass with named limitations, fail); and the credential of the attesting authority. The attesting authority may be the artifact author, an independent compatibility-testing authority, the consumer's own validation pipeline, or any combination. Multiple attestations may coexist; the gate aggregates them according to the consumer's policy. This multi-source structure is important because it disentangles the question of authorship from the question of validation: an artifact authored by a vendor may be validated by an independent authority whose attestation the consumer weights more heavily than the author's own claim, and the consumer's policy expresses that weighting explicitly rather than implicitly.

The admissibility gate runs at activation time. When a consumer attempts to load a skill against a runtime base model, the gate reads the compatibility evidence, identifies the entries relevant to the runtime model, evaluates the credentials of the attesting authorities against the consumer's trust policy, aggregates the surviving evidence, and produces an admissibility decision: admit at full functionality, admit with named limitations, defer pending additional evidence, or reject. The decision is a credentialed observation in its own right, recorded in the consumer's audit log with the evidence chain that produced it. An auditor reviewing the decision later does not need to re-derive it from first principles; the chain is preserved, the policy that interpreted the chain is preserved, and the version of the policy that was in force at the moment of decision is preserved alongside.

Compatibility is graduated rather than binary. An artifact may be admitted at full functionality against one base model, at reduced functionality against another (with the gate disabling specific capabilities the evidence does not cover), and rejected against a third. The gate's job is to surface the graduation rather than collapse it. A binary admit-or-reject decision throws away information the consumer paid to acquire; a graduated decision preserves the information and translates it into a runtime posture the consuming application can react to. An application that depends on three of an artifact's five capabilities can continue to operate when only those three are admitted, even if the remaining two are not — and the audit log will show that the application's reduced posture was a deliberate consequence of the evidence at hand, not a silent degradation that nobody noticed.

Underlying all three elements is the principle that portability is an interface contract, not a weights-level guarantee. The framework does not promise that an artifact will produce numerically identical outputs across base models; it promises that the artifact's functional contract has been validated against each admitted base model under credentialed evidence, and that consumers know in advance which contract elements the evidence covers. This is the same discipline that governs hardware portability across operating systems: the contract is the ABI, not the silicon, and the evidence that the contract holds is what consumers buy.

Operating Parameters

Compatibility scope is the primary tunable. An artifact author declares the breadth of base-model classes the artifact targets; broader scope requires more validation evidence, narrower scope requires less. Consumers configure their gates with a minimum-evidence policy: which attesting authorities they trust, which validation methodologies they accept, what graduation tolerance they permit, and how stale evidence may be before re-validation is required. The minimum-evidence policy is the lever by which an enterprise tightens or loosens its admission posture without re-authoring artifacts; raising the bar excludes artifacts that fall short of new requirements without invalidating those that meet the old ones, and lowering the bar admits a broader catalog without forcing every artifact to be re-attested under tighter rules.

Trust policies are themselves credentialed artifacts. A consumer may delegate trust-policy authoring to an internal governance team, an external compliance authority, or a vendor-independent industry body. The policy specifies which credentials confer which evidentiary weight, and the gate enforces it without further interpretation. Policy changes are governed mutations, not configuration tweaks; the audit trail of policy changes is co-located with the audit trail of admissibility decisions. The colocation matters because regulators reviewing a deployment after an incident will ask not only whether a particular artifact was admissible, but under which policy it was admissible — and the answer is exact and machine-checkable rather than reconstructed from operator memory.

Replacement-routing parameters control the gate's behavior when an artifact is rejected against a new runtime model. The consumer specifies preferred replacement criteria (same authoring authority, same functional contract, equivalent or stronger evidence) and the gate identifies candidates and proposes activation. Replacement is opt-in by default; in higher-trust environments it can be made automatic for specific artifact classes. The replacement workflow surfaces candidate metadata to the operator, allowing a deliberate review before substitution, and records both the rejection of the original and the activation of the replacement as a single linked event in the audit log.

Validity intervals on evidence records bound the staleness that the gate will tolerate. Evidence older than the configured interval requires either re-validation or an explicit waiver. The interval is short for high-stakes domains (regulatory compliance, safety-critical decisions) and long for low-stakes domains (formatting helpers, query rewrites). Different intervals can be applied to different evidence dimensions: behavioral benchmark results may carry a shorter interval than formal property checks, because behavioral benchmarks drift with model updates while formal properties (when they apply) are more stable. The gate honors the per-dimension intervals individually rather than collapsing them to a single artifact-level expiry.

Operating tempo of base-model substitutions is itself a parameter the consumer can express. An organization that re-evaluates its base-model choice quarterly will configure its gate differently from one that re-evaluates annually; the former requires a richer multi-vendor evidence set per artifact, the latter can subsist on narrower evidence and longer validity intervals. The framework does not impose either tempo; it provides the parameters that let each consumer encode the tempo they have actually adopted.

Alternative Embodiments

Cross-model portability admits multiple embodiments distinguished by where the gate runs and how the evidence is distributed. In a consumer-resident embodiment, the gate runs inside the consumer's deployment perimeter and the evidence is fetched at activation time from a public or private registry. The consumer retains full visibility into which artifacts run against which base models with which evidence. This is the embodiment that maximizes consumer control and is the natural fit for regulated deployments where the consumer must be able to demonstrate that no third party brokered the admissibility decision.

In a registry-mediated embodiment, the gate runs at a registry that fronts multiple consumers; the registry curates evidence on behalf of subscribers, applies a shared trust policy, and exposes pre-evaluated admissibility verdicts to consumers. This is appropriate for industry consortia where members agree on a common compatibility-evaluation authority. The shared policy reduces per-consumer evaluation cost and concentrates evidence-collection effort at the registry, but it imposes the registry's policy choices on all subscribers; consumers that need more fine-grained policy must run a consumer-resident gate downstream of the registry's verdicts.

In a vendor-neutral marketplace embodiment, artifacts are published with multi-vendor evidence directly and the gate is a thin verifier inside each consumer's deployment. The marketplace curates the artifact catalog but does not curate the evidence; consumers evaluate evidence against their own policies. The marketplace embodiment optimizes for breadth of catalog and diversity of evidence sources at the cost of placing more evaluation work in the consumer's gate; it is the natural shape for ecosystems where artifacts cross many organizational boundaries and no single registry can speak for all of them.

Adaptation-technique embodiments are likewise plural. The same portability mechanism applies to RAG indices (whose vector representations may be base-model-independent or vendor-specific), to prompt configurations (typically vendor-portable with prompt-style adjustments), to LoRA adapters (vendor-portable when target architecture matches, requiring re-training otherwise), and to tool-binding manifests (typically vendor-portable since tool interfaces are vendor-independent). The compatibility-evidence record captures the technique-specific portability characteristics so the gate can apply the appropriate graduation. A composite artifact carrying a RAG index and a tool-binding manifest may admit the manifest at full functionality against a new base model while limiting the RAG component pending re-embedding under the new model's vector space; the gate handles the components individually because their evidence is individual.

Cross-modality embodiments extend the same mechanism to non-text models. A vision-model skill, an audio-model skill, or a multimodal skill carries the same envelope, the same evidence record, and the same gate semantics. The structural property — that compatibility is asserted by credentialed evidence against named base-model classes — is invariant across modalities, even though the validation methodologies that produce the evidence vary substantially.

Composition

Cross-model portability composes with the broader skill-gating framework rather than standing alone. The admissibility gate that evaluates compatibility evidence is the same gate that evaluates capability admissibility, jurisdictional admissibility, and policy admissibility; compatibility is one dimension among several. A single admit/limit/reject decision can therefore reflect every governance dimension at once: an artifact may be technically compatible with the runtime model but disallowed by jurisdictional policy in the consumer's deployment region, and the gate's verdict will name both the compatibility result and the jurisdictional override. Composition with cascade-deactivation is direct: when a base-model migration causes a parent artifact to be rejected, dependent artifacts that relied on its capabilities cascade-deactivate through the same dependency graph the framework already maintains.

Composition with replacement routing means migration is configuration rather than re-engineering. The consumer's policy specifies replacement preferences; the gate identifies candidates from the available evidence; the audit trail records the migration as a sequence of credentialed admissibility decisions rather than as an opaque deployment event. The migration is fully reconstructible from the audit log months later; an auditor asking "why is this artifact running against this base model?" gets a precise answer that names the original artifact, the substitution event, the replacement candidate, and the policy that selected it.

Composition with adjacent primitives — credentialed observations, governed scopes, asynchronous consensus over governance changes — means portability is itself governable. An enterprise can require that base-model substitutions clear governance review before being executed, with the review producing a credentialed observation that the gate consumes. The review may be a synchronous human approval, an automated policy check, or an asynchronous consensus vote across a distributed governance body; the gate is indifferent to which, because all three produce the same credentialed-observation envelope. This indifference is what permits the framework to scale from single-tenant deployments with informal governance to multi-tenant consortia with formal voting protocols, without changing the artifact format or the gate logic.

Finally, composition with observation-based monitoring closes the loop: the gate's admissibility decisions emit credentialed observations that downstream monitoring primitives consume to track the operational footprint of base-model substitutions over time. An organization can ask, structurally, how many of its artifacts have migrated from one vendor to another over the past quarter, what evidence supported each migration, and what residual exposures remain — and the answer is a query against the substrate, not an organizational survey.

Prior Art Distinction

Current LLM platforms (OpenAI Custom Actions, Anthropic Skills, Google Gemini Extensions) produce artifacts that are vendor-locked by structural default. The lock-in is metadata-level rather than weights-level: the technical content of many adaptation artifacts is largely vendor-independent, but the platform conventions, authentication boundaries, and capability declarations bind the artifact to a specific vendor's runtime. Migration between vendors requires re-authoring even when the underlying functional logic is portable. The lock-in is a consequence of platform design, not of any technical impossibility, and it persists because no vendor has commercial incentive to standardize the envelope across competitors.

Open-source adapter ecosystems (LoRA libraries, RAG frameworks, prompt-management tools) provide some portability at the technical level but lack the governed compatibility-evidence layer that admits an artifact safely into a regulated deployment. The artifact may technically load against multiple base models, but no credentialed evidence accompanies it, so the consumer cannot demonstrate to an auditor that the artifact has been validated against the specific runtime base model in use. The result is a portability that is real at the engineer's bench but unusable in any deployment that has to answer regulatory questions about why a particular adaptation is admissible against a particular model.

The cross-model portability primitive described here is structurally distinct on three axes. First, portability is established by interface contract and credentialed evidence rather than by shared weights or shared vendor. Second, compatibility is graduated and policy-evaluated rather than binary and platform-imposed. Third, migration is a sequence of governed admissibility decisions with a co-located audit trail rather than an unaudited re-deployment event. No prior platform combines these three properties. Re-implementations under different naming conventions that preserve all three structural axes are within the scope of the disclosure; partial implementations that cover any one or two axes but not the third are outside the scope and remain in the prior-art landscape.

Disclosure Scope

The cross-model portability primitive is disclosed within the Cognition Patent's skill-gating framework. The disclosure covers the standardized artifact envelope, the credentialed compatibility-evidence record, the consumer-side admissibility gate, the graduated compatibility evaluation, and the replacement-routing mechanism. Embodiments span consumer-resident gating, registry-mediated gating, vendor-neutral marketplace gating, and cross-modal extensions covering vision, audio, and multimodal skills. The disclosure explicitly contemplates composite artifacts whose components carry independent evidence and whose admissibility is evaluated component-by-component.

Licensable claim scope encompasses the standalone portability mechanism, its composition with cascade-deactivation, its composition with governance over base-model substitutions, and its composition with adjacent primitives in the credentialed-observation framework. Implementations that admit adaptation artifacts across base-model substitutions on the basis of credentialed compatibility evidence — regardless of artifact type, regardless of vendor, regardless of host platform — fall within scope. Equivalents that re-arrange the components but preserve the structural property (interface-contract portability under credentialed evidence with graduated admissibility) are likewise within scope.