Curriculum Engine Progressive Unlock

Mechanism

The curriculum engine is a data-side mechanism that controls which capabilities an agent may exercise at any given moment. Capabilities are unlocked progressively through a sequence whose stages are encoded in the agent's curriculum reference: a structured artifact attached to the agent itself rather than maintained as server policy. Each stage of the curriculum names a capability, the prerequisites that must be proven before the capability is admitted, the pilot conditions under which the capability may first be exercised in a constrained form, and the expansion gates that promote the capability from pilot to general use.

Three structural elements compose every stage. The prerequisite proof is a verifiable record that earlier stages of the curriculum have been completed, that their outputs have been validated, and that any dependent skills have themselves been admitted. Proofs are typed: a prerequisite is not satisfied by mere assertion but by a signed lineage entry that names the earlier stage, references its committed outputs, and is canonicalized so that the engine can verify it deterministically. The scoped pilot is a constrained execution mode in which the new capability is permitted within a declared scope only. Pilot scopes restrict the data the capability may touch, the side effects it may produce, and the agents it may interact with. The expansion gate is a deterministic test, evaluated against pilot lineage, that promotes the capability from pilot to general availability when, and only when, the declared expansion criteria have been met.

Because the curriculum is data-side, the agent carries its unlock state with it. An agent moved between operators, between regions, or between physical hosts retains the same admitted skills and the same pending stages, and the curriculum can be inspected without privileged access to the host. This property is the defining structural difference between curriculum-driven gating and server-policy gating: the latter binds capability to environment, while the former binds capability to the agent.

The engine evaluates the curriculum at every capability invocation. When the agent attempts to use a skill, the engine consults the curriculum reference to confirm that the skill is admitted, that the current invocation falls within any active pilot scope for the skill, and that no expansion gate has revoked the skill's general availability. If the curriculum does not admit the invocation, the engine refuses, writes the refusal to lineage, and leaves the agent's state untouched.

Operating Parameters

The curriculum reference is parameterized by a stage graph. Stages are nodes; prerequisite relationships are edges; cycles are forbidden. Operators construct the graph declaratively, naming each stage by a stable identifier and listing its prerequisites by reference. The engine validates the graph at load time and refuses curricula whose graphs are malformed, unreachable, or self-referential.

Each stage is parameterized by its proof type, its pilot scope, and its expansion gate. Proof types include direct completion of named training tasks, attestation by an authority recognized in the policy reference, lineage-based evidence that earlier stages produced expected outputs, and combinations thereof. Pilot scopes are expressed in the same vocabulary used by rights-grade governance, so a pilot scope can name partitions, resources, peer agents, and time windows. Expansion gates are expressed as deterministic predicates over pilot lineage, with declared thresholds for the volume, diversity, and outcome distribution of pilot invocations that must be observed before promotion.

The curriculum is parameterized by a revocation regime. Each admitted skill carries a revocation rule that names the conditions under which the engine must demote the skill back to pilot or remove it entirely. Revocation rules can reference subsequent expansion gates' lineage, downstream validation failures, or external signals declared in the policy reference. Revocation, like admission, is a structural event written to the curriculum's own lineage, which means an auditor can replay the entire history of a skill's admission, pilot, expansion, and any subsequent demotion.

Finally, the curriculum is parameterized by an arbitration policy. When two stages name overlapping capabilities, when an expansion gate and a revocation rule fire on the same lineage entry, or when a peer agent's curriculum supplies a conflicting unlock state, the arbitration policy determines the deterministic outcome. Defaults favor the more conservative interpretation - pilot rather than general, revoked rather than admitted - so that ambiguity does not enlarge the agent's capability surface.

Alternative Embodiments

In a self-contained embodiment, the curriculum is embedded directly in the agent's persistent state and travels with it as a single signed artifact. This embodiment is appropriate for agents that operate across heterogeneous infrastructure and that must demonstrate their unlock state without relying on remote authorities.

In a referenced embodiment, the curriculum is stored externally and the agent carries a signed pointer to its current curriculum version. The engine resolves the pointer at evaluation time, validates the resolution against the signature, and proceeds. This embodiment is appropriate where curricula are large or shared across many agents.

In a layered embodiment, the curriculum is composed from multiple sources: a base curriculum supplied by the agent's developer, an operator overlay that further constrains pilots and expansions, and a subject overlay that constrains capabilities further still. The engine merges the layers deterministically, taking the intersection of admitted skills and the most restrictive scope at each stage. No layer can broaden capability beyond what the more conservative layer allows.

In a peer-coordinated embodiment, agents in a federation share curricula and reference each other's pilot lineage to satisfy expansion gates. A peer's pilot evidence can contribute to another peer's expansion threshold provided the peers' curricula admit such cross-referencing and the contributing lineage is signed by an authority both curricula recognize. This embodiment is appropriate for fleets that learn jointly while preserving per-agent unlock state.

Composition with Other Mechanisms

The curriculum engine composes with rights-grade inference governance because pilot scopes are expressed in the same partition and resource vocabulary as rights bindings. A capability may be admitted by the curriculum and yet declined by the rights binding for a particular invocation, and the engine treats both checks as preconditions: a missing curriculum admission and a missing rights binding both produce non-execution, with the lineage entry naming which precondition failed.

The curriculum engine composes with the semantic admissibility gate because expansion gates draw their evidence from the gate's lineage. The gate's commit and reject events are the substrate against which expansion thresholds are evaluated. A skill cannot expand on the basis of invocations that the gate refused, and a skill that produces gate rejections during pilot accumulates negative evidence that may trigger revocation.

The curriculum engine composes with elegance evaluation because pilot scopes implicitly constrain the candidate set the elegance evaluator considers. During pilot, only candidates that fall within the pilot scope are evaluated; expansion broadens the candidate set the evaluator may rank. The two mechanisms therefore evolve together: curriculum widens what the agent is permitted to do, and elegance ranks the cleanest among the permitted continuations.

Distinction from Prior Art

Server-side feature flags and policy gates control what a deployed system may do at a given moment but bind capability to the deployment rather than to the agent. Moving the agent to a new environment loses the unlock state, and inspecting the unlock state requires privileged access to the deployment. Such systems also tend to be all-or-nothing: a flag is on or off, without a structural notion of pilot scope or expansion gate.

Reinforcement-style curricula in machine learning sequence training tasks but do not gate runtime capability and do not produce auditable proofs that earlier stages were completed. They influence the model that gets deployed, but they do not survive into the deployed system as an enforcement structure.

Role-based access control models capabilities but does not sequence them, does not distinguish pilot from general use, and does not provide expansion gates whose evaluation is bound to lineage. RBAC cannot express that a capability is admitted only within a constrained scope until enough evidence accumulates to broaden it.

The disclosed mechanism is distinguished by being data-side rather than server-side, by composing prerequisite proofs with scoped pilots and expansion gates, by treating revocation symmetrically with admission, and by binding the curriculum to the agent so that unlock state is portable, inspectable, and auditable.

Disclosure Scope

This disclosure covers the curriculum reference and its stage graph, the prerequisite-proof, scoped-pilot, and expansion-gate elements of each stage, the parameters that configure proofs, scopes, gates, revocation, and arbitration, and the composition of the curriculum with rights enforcement, admissibility, and elegance ranking. It covers self-contained, referenced, layered, and peer-coordinated embodiments.

The disclosure is structural. Implementations may store the curriculum in any signed format, may resolve references through any directory mechanism, and may merge layers by any deterministic rule that preserves the most restrictive intersection. The defining property is that capability sequencing is carried in data attached to the agent, that unlock progresses through prerequisite proofs, scoped pilots, and expansion gates, and that the engine evaluates the curriculum at every capability invocation.

Within scope are embodiments in which expansion thresholds are expressed as multi-dimensional predicates rather than scalar volumes, requiring not only a quantity of pilot invocations but also a declared diversity over input partitions, a declared distribution of outcomes, and a declared absence of revocation-triggering events within a freshness window. Also within scope are embodiments in which prerequisite proofs are themselves curricula, recursively, allowing the same engine to govern not only capability admission but the admission of curriculum components, with the recursion grounded in a small set of irreducible base proofs that the policy reference recognizes directly.

The disclosure further covers embodiments in which curriculum migration between agents is itself a curriculum-governed operation, such that an agent inheriting a curriculum from a peer must satisfy declared admission proofs before the inherited unlock state takes effect. It covers embodiments in which revocation cascades along prerequisite edges, demoting downstream skills when an upstream skill is revoked, and embodiments in which arbitration between competing curricula is decided by a deterministic merge function whose output is itself signed and recorded. In every such embodiment, the determinative criterion is that the unlock state is portable with the agent, that progression is gated structurally rather than heuristically, and that every admission, pilot scoping, expansion, and revocation event is recoverable from the curriculum's lineage record.