Runtime Signed Adaptation Artifacts vs Training-Time Mutation

by Nick Clark | Published April 25, 2026

A skill artifact — a low-rank adapter, a retrieval index, a prompt configuration, an expert-routing table — is signed at the moment of binding to a base model and the signature is verified at every activation. Mismatch is non-execution rather than degraded execution. The mechanism converts a runtime adaptation surface that is presently governed by deployment-time trust assumptions into a per-activation cryptographic admission decision, and it positions the primitive at the layer where the agent-skill economy is consolidating. The architecture is structurally distinct from training-time mutation governance and answers a different set of questions, on a different timescale, against a different threat model.


Mechanism

The runtime-signed-artifact mechanism treats every adaptation artifact loaded into a base model at inference time as an independently credentialed object whose admissibility must be re-established at each activation. An artifact, in this sense, is any structured payload that modifies the behavior of a frozen base model without modifying the base model's parameters: low-rank adapter weights (LoRA, IA3, prefix tuning), retrieval indices supplying contextual grounding (RAG corpora, vector stores, reranker tables), prompt configurations (system prompts, few-shot exemplars, chain-of-thought scaffolds), routing tables (mixture-of-experts gating, tool-selection policies), and the dependency graphs that bind these components into a coherent runtime profile.

Each artifact carries a credential block. The credential declares the authoring authority, the artifact's compatibility scope (base-model identity, version range, hardware envelope), the artifact's declared dependencies on other artifacts, the artifact's training provenance (the dataset lineage and rights regime under which the adapter weights or retrieval corpus were produced), and a content-hash binding tying the credential cryptographically to the artifact bytes themselves. The credential is countersigned by the consuming system's certifying authority after the artifact has been admitted through a sandbox certification pass — a deterministic evaluation in which the artifact is loaded, exercised against a battery of admissibility probes, and either admitted under the consumer's policy or rejected with a structured reason.

At inference, an admissibility gate sits between the request router and the model substrate. When a request arrives, the gate enumerates the active artifacts that would compose into the response — the adapter to apply, the retrieval index to query, the prompt scaffold to inject, the expert subset to route to — and verifies, for each, that the content hash still matches the bytes resident in memory, that the authoring credential has not been revoked, that the consumer countersignature is current, and that the composite admissibility under the consumer's policy still evaluates as admit. Any failure aborts the activation. Mismatch does not produce a degraded response or a fallback to base-model behavior; it produces non-execution and a structured non-admission record.
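
An added sketch of the per-activation gate described above (not code from the disclosure). HMAC-SHA256 stands in for the consumer's signature scheme, and the names `bind`, `admit` and `activate`, the demo key and the one-hour freshness window are assumptions.

```python
import hashlib, hmac, json
from dataclasses import dataclass

CONSUMER_KEY = b"constructed-demo-key"  # assumption: consumer certifying-authority key
FRESHNESS_WINDOW = 3600                 # assumption: policy freshness window, seconds

@dataclass
class Credential:
    artifact_id: str
    authority: str
    content_hash: str          # SHA-256 of the artifact bytes at binding time
    countersigned_at: float
    countersignature: str = ""

def _mac(cred, key):
    # HMAC-SHA256 is a stand-in for whatever signature scheme the deployment uses.
    fields = [cred.artifact_id, cred.authority, cred.content_hash, cred.countersigned_at]
    return hmac.new(key, json.dumps(fields).encode(), hashlib.sha256).hexdigest()

def bind(artifact_id, authority, data, now, key=CONSUMER_KEY):
    """Hash the artifact bytes into a credential and countersign it."""
    cred = Credential(artifact_id, authority, hashlib.sha256(data).hexdigest(), now)
    cred.countersignature = _mac(cred, key)
    return cred

def admit(cred, resident, revoked, now, key=CONSUMER_KEY):
    """One admission decision; returns a structured record for the audit trail."""
    def record(ok, reason):
        return {"artifact": cred.artifact_id, "admit": ok, "reason": reason, "at": now}
    # Authenticate the credential first, so the hash it carries can be trusted.
    if not hmac.compare_digest(_mac(cred, key), cred.countersignature):
        return record(False, "countersignature_invalid")
    if now - cred.countersigned_at > FRESHNESS_WINDOW:
        return record(False, "countersignature_stale")
    if cred.artifact_id in revoked:
        return record(False, "credential_revoked")
    if hashlib.sha256(resident).hexdigest() != cred.content_hash:
        return record(False, "content_hash_mismatch")
    return record(True, "admitted")

def activate(artifacts, revoked, now):
    """Gate a request: every composing artifact must admit, or nothing executes."""
    records = [admit(cred, data, revoked, now) for cred, data in artifacts]
    return all(r["admit"] for r in records), records

if __name__ == "__main__":
    lora = b"constructed LoRA weight bytes"   # constructed sample artifact
    cred = bind("lora-demo", "author-A", lora, now=1000.0)
    print(activate([(cred, lora)], set(), 1500.0))
    print(activate([(cred, lora + b"\x00")], set(), 1500.0))  # bytes changed in memory
```

The gate returns a record for every artifact whether or not it admits, so the non-admission reason is available to the audit trail; there is no branch that falls back to base-model behavior.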

The same admissibility evaluator that gates execution gates skill activation. There is no separate skill-management plane sitting alongside an execution plane; the architecture unifies the two surfaces because the cryptographic predicate is the same predicate. This unification is what makes runtime artifact governance tractable at the cadence at which agents activate skills — many activations per minute per agent, across many concurrent agents, against a marketplace of artifacts whose authoring authorities are themselves heterogeneous.

Operating Parameters

The runtime-signed-artifact mechanism is governed declaratively. The consumer policy specifies the credential authorities admissible to its deployment, the dependency closure rules under which an artifact's transitive dependencies must themselves be admissible, the freshness window within which a countersignature must have been re-issued, the revocation propagation latency below which a revoked artifact is considered hot (still resident, but no longer activatable), and the sandbox certification probe set that an artifact must traverse before its first admission.

Compatibility scope is structural. An adapter declares its target base model by identity and version range, the layers and projections it modifies, and the precision regime under which its weights were quantized. The admissibility evaluator refuses to activate an adapter whose declared scope does not match the live substrate, even if the cryptographic checks succeed; this prevents a correctly-signed adapter from being applied to an unintended base model where the projection geometry differs.

Provenance flows with the artifact. The training-data rights regime under which an adapter was produced — whether the underlying corpus is licensed for derivative-model distribution, whether attribution is required, whether the corpus carries jurisdictional restrictions — is declared in the credential and evaluated against the consumer's deployment posture at admission. An adapter whose training rights are admissible in jurisdiction A but not jurisdiction B is admitted in A and refused in B by the same architecture, without per-deployment reconstruction of the rights analysis.

Revocation is structural. When an authoring authority revokes an artifact — because a vulnerability was found, a rights regime changed, a downstream dependency was withdrawn — the revocation propagates through the mesh, the consumer's countersignature is invalidated on its next freshness check, and the next activation that references the artifact is non-admitted. Artifacts that depend on the revoked artifact cascade structurally: their dependency closure no longer evaluates as admissible, and they too become non-activatable until their authors republish under a corrected dependency graph.
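
An added sketch (not code from the disclosure) of the structural scope check and the revocation cascade over a dependency closure described in the paragraphs above. The `Manifest` fields, the function names and the registry contents are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Manifest:
    base_model: Optional[str] = None    # declared target base model; None = not model-bound
    versions: tuple = ((0, 0), (0, 0))  # inclusive (min, max) version range
    depends_on: tuple = ()              # artifact ids this artifact declares it needs

# Constructed registry: a skill bundle over an adapter, a prompt and a retrieval index.
REGISTRY = {
    "index-demo":  Manifest(),
    "prompt-demo": Manifest(),
    "lora-demo":   Manifest("base-model-X", ((1, 0), (1, 9)), ("index-demo",)),
    "skill-demo":  Manifest(depends_on=("lora-demo", "prompt-demo")),
}

def scope_matches(m, live_model, live_version):
    """Structural scope check: applies even when every signature verifies."""
    if m.base_model is None:
        return True
    lo, hi = m.versions
    return m.base_model == live_model and lo <= live_version <= hi

def closure_admissible(root, registry, revoked, live_model, live_version):
    """Walk root's transitive dependencies; return (admit, reason)."""
    seen, stack = set(), [root]
    while stack:
        aid = stack.pop()
        if aid in seen:
            continue                    # shared or cyclic dependency, already checked
        seen.add(aid)
        m = registry.get(aid)
        if m is None:
            return False, f"unknown_dependency:{aid}"
        if aid in revoked:
            return False, f"revoked:{aid}"
        if not scope_matches(m, live_model, live_version):
            return False, f"scope_mismatch:{aid}"
        stack.extend(m.depends_on)
    return True, "admitted"

def non_activatable(registry, revoked, live_model, live_version):
    """Artifacts a revocation set disables, directly or by cascade."""
    return sorted(a for a in registry
                  if not closure_admissible(a, registry, revoked, live_model, live_version)[0])

if __name__ == "__main__":
    # Revoking the index cascades to the adapter and the skill; the prompt is unaffected.
    print(non_activatable(REGISTRY, {"index-demo"}, "base-model-X", (1, 4)))
```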

Alternative Embodiments

The mechanism admits multiple embodiments along several axes. The credential authority may be a single platform operator, a federation of authoring entities, a public-key infrastructure rooted in an industry consortium, or a per-tenant root that the consumer operates locally. The architecture does not privilege any one of these; the admissibility evaluator treats credential-chain validation as a policy-governed predicate, and the consumer chooses which authorities its policy admits.

The sandbox certification stage is similarly pluggable. A lightweight embodiment performs only static checks — content hash, credential chain, declared compatibility — and admits on that basis alone. A stronger embodiment runs the artifact against a battery of behavioral probes, recording its response surface and refusing admission if the surface deviates from the artifact's declared behavioral envelope. A still stronger embodiment couples the certification pass to a confidence-governance step in which the artifact's behavior under adversarial probing is evaluated for drift signals.

The artifact granularity admits embodiments at multiple levels. A single LoRA adapter is one embodiment; a bundle of an adapter, its companion retrieval index, and its prompt scaffold is another; a full skill — an addressable capability composed of adapters, indices, prompts, tools, and a routing policy — is a third. The architecture treats the bundle as the unit of admission, with the bundle's manifest declaring its component artifacts and their per-component credentials.

The activation cadence admits embodiments from per-request through per-session to per-deployment. A high-stakes embodiment re-verifies on every request; a throughput-sensitive embodiment caches the admissibility decision for the duration of a session and re-verifies on session boundary or on revocation broadcast; a deployment-scale embodiment treats admissibility as a deployment-time decision that is invalidated only by revocation. The architecture supports all three under the same predicate, with the cadence selected by policy.

Composition

Runtime-signed artifacts compose with the broader cognition architecture along defined interfaces. The admissibility evaluator that gates artifact activation is the same evaluator that gates execution and that gates other credentialed observations — biological-identity binding status, lineage assertions, integrity-envelope status. A single composite admissibility decision incorporates all of these inputs, which means an artifact whose activation would violate the consumer's integrity envelope is non-admitted on the same basis as an artifact whose credential chain has expired.

Lineage records every admission and non-admission. The audit trail captures which artifacts were active for which request, which credentials were verified, which countersignatures were checked, which dependency closures were evaluated, and what the composite admissibility predicate evaluated to. The lineage is the primary governance surface; downstream auditors reconstruct the runtime configuration of the agent at any past point without access to the agent's internal state, because every admissibility decision is a recorded credentialed observation.

Cross-primitive coupling extends to confidence governance. An artifact whose admission is contested — credential present but countersignature stale, dependency present but with marginal admissibility — flows into the agent's confidence field and modulates the agent's downstream reliance on outputs produced under that artifact. The artifact is still admitted; the agent is simply less confident in the resulting output and propagates that confidence reduction structurally to consumers of its response.

Prior Art and Distinction

Existing approaches to runtime adaptation governance fall into three buckets. The first is platform-operator gating: the platform vets artifacts at submission time, signs the result, and clients trust the platform's signature. This works for closed marketplaces but does not scale across heterogeneous authorities and provides no mechanism for consumer-side policy modulation. The second is content-hash whitelisting: clients maintain an allow-list of artifact hashes and refuse to load anything else. This handles integrity but provides no provenance, no dependency reasoning, and no revocation. The third is training-time mutation governance, which addresses the orthogonal problem of how a base model's parameters change during training and provides no architecture for the runtime layer at all.

The distinction is structural rather than incremental. Runtime-signed artifacts are credentialed observations under composite admissibility, evaluated per activation, with structural revocation propagation, dependency closure, and consumer-policy modulation. Training-time governance is about how the model came to be; runtime governance is about which adaptations are admissible right now, against this consumer's policy, for this request, on this substrate. The two architectures address different surfaces and compose without overlapping.

Disclosure Scope

The mechanism is disclosed at the layer of the admissibility predicate, the credential structure, and the composition with the broader cognition architecture. The disclosure is independent of the specific artifact format (LoRA, RAG, MoE, prompt) and independent of the specific cryptographic primitives (any signature scheme satisfying the admissibility predicate suffices). The patent claims the runtime-signed-artifact mechanism as a structural primitive of the cognition architecture, with the specific embodiments above as illustrative rather than limiting.

What this enables for the agent-skill economy follows directly. Decentralized skill distribution becomes structurally tractable: artifacts flow through the governed mesh, consumers certify on their own authority, dependencies cascade structurally on revocation, and the platform-operator gating that current marketplaces depend on becomes optional rather than required. Cross-model artifact portability follows from the compatibility-scope declaration: an artifact compatible across base models migrates as deployments shift between vendors, and the lock-in pattern of current platforms gives way to portable runtime adaptation. The patent positions the primitive that the agent-skill economy is converging toward, at the layer where the convergence is happening.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie