Adaptive Consensus Protocol: Memory-Native Quorum Without Fixed Validator Sets

Mechanism

ACP treats consensus not as a service offered by a designated subset of validators but as a property that emerges deterministically from the structural fields a proposal carries. When a node originates a mutation proposal, the proposal is constructed as a memory-native object containing the prior-state reference, the requested post-state, the policy reference under which the mutation is asserted to be authorized, the lineage hash chaining the proposal to its semantic predecessor, and a timestamped attestation signed by the originator. The proposal is then disseminated through the protocol's gossip substrate to peers reachable along the policy-relevant subgraph identified by the embedded policy reference. There is no broadcast to a fixed validator list and no lookup against a registered membership table; the set of nodes that may participate in voting is defined entirely by which peers hold a valid lineage-compatible copy of the policy reference and the predecessor state.

Each receiving peer evaluates the proposal locally and deterministically. The evaluation consults three classes of input: the proposal's own embedded fields, the peer's local copy of the referenced policy and predecessor state, and the peer's recent observation history concerning other peers (their attestation latency, their lineage agreement rate, and their cryptographic continuity over the trailing observation window). If the proposal is structurally valid and policy-compliant under the receiver's local view, the receiver emits a signed accept attestation; if it is structurally invalid or policy-violating, the receiver emits a signed reject attestation; if the receiver's local state is insufficient to decide, it emits a signed defer attestation referencing the missing dependency. All three attestation classes are first-class outputs and all are recorded.

The adaptive aspect of the protocol concerns how attestations are weighted and how the quorum threshold is computed. Rather than counting one vote per node against a fixed two-thirds threshold, ACP computes a per-proposal weight for each attesting peer from that peer's recent health signals: lineage agreement rate, attestation latency relative to the protocol's measured median, cryptographic continuity (an unbroken chain of signed observations), and policy-scope match (whether the peer's policy reference version is within the acceptable lineage distance from the proposal's). These weights are combined into a quorum sum, and acceptance is declared when the accept-weight crosses a dynamically computed threshold that itself adapts to the population's measured agreement rate. A network whose peers are agreeing rapidly and consistently converges on a tighter threshold and a shorter timeout; a network whose peers are diverging or slow widens the threshold band and extends the timeout, up to bounded maxima.

Bounding is essential. Without explicit minimums, an adaptive quorum could in principle shrink to a single high-weight peer, defeating Byzantine resistance; without explicit maximums, it could expand to demand attestations the network cannot deliver, defeating liveness. ACP therefore enforces a configured minimum quorum participant count, a configured minimum weight diversity (no single peer's weight may exceed a fixed fraction of the total), and configured minimum and maximum timeout values. Within these bounds the protocol adapts; outside them it refuses to decide, returning a deterministic timeout outcome that itself is recorded to the lineage chain so that the absence of a decision is as auditable as a decision.

Every outcome ACP produces, whether accept, reject, or timeout, is committed by appending a consensus record to the tamper-evident lineage chain associated with the proposal's semantic subject. The consensus record contains the proposal hash, the set of attestations considered (with their weights), the threshold that was applied, the timeout bound that was in force, and a hash linking back to the prior consensus record on the same subject. Because the chain is content-addressed and signed at each link, no later party can rewrite the history of a decision without producing a divergent chain that fails verification at the next reader. Tamper-evidence is therefore a structural consequence of the data layout, not a property maintained by a separate audit process.

The dissemination substrate over which proposals propagate is itself a structural function of the policy reference embedded in the proposal. The cognition-compatible transport layer beneath ACP routes messages along the policy-relevant subgraph rather than across an arbitrary fan-out topology, so the candidate attesting set for any proposal is precisely the set of peers whose local state carries a lineage-compatible copy of the relevant policy. This restriction is not a degradation of reachability but a sharpening of it: peers that cannot meaningfully evaluate a proposal because they do not hold the relevant policy are excluded from the attesting set by construction, eliminating the protocol overhead of soliciting and discarding attestations from peers whose votes could not be admissible. The mechanism therefore performs admission control on the attesting set as a side-effect of routing rather than as a separate filtering pass at the point of vote tabulation.

Health observation is decentralized and symmetric. Every peer maintains, as part of its ordinary protocol participation, a sliding window of observations concerning every other peer with which it has recently exchanged attestations: the time elapsed between proposal receipt and attestation arrival, the rate at which the peer's attestations agreed with the eventual decided outcome, and the cryptographic continuity of the peer's signed observations. These observation streams are not centrally aggregated; each peer computes its own per-peer weights from its own observation history, and the threshold computation is a deterministic function of those weights and the proposal's content. Because every peer applies the same deterministic function to a similar (though not identical) observation window, the threshold computations across the population converge in practice without requiring synchronization, and any disagreement between peers about the applicable threshold is itself recorded and resolved by a chained reconciliation procedure described below.

Reconciliation of divergent threshold computations is necessary because the network is not assumed to deliver identical observation histories to every peer. Two peers that have observed slightly different attestation latencies will compute slightly different per-peer weights and may, near the threshold boundary, reach opposite conclusions about whether a proposal is accepted. ACP resolves this by requiring that a peer's attestation, in addition to declaring accept, reject, or defer, includes a digest of the threshold envelope under which the peer would commit, so that the consensus record subsequently committed to the lineage chain can identify which envelope was satisfied and which peers concurred. When envelope digests disagree, the protocol declares a soft outcome and reissues the proposal under a tightened bound; the soft outcome is itself a recorded consensus record, ensuring that envelope-divergence events are auditable and bounded in frequency by the configured tightening schedule.

Defer attestations occupy a structural role distinct from accept and reject. A defer is not a vote against acceptance but a declaration that the receiving peer's local state is insufficient to decide, accompanied by a typed reference to the missing dependency. Defers participate in the threshold computation as neither accept nor reject weight, but they are counted against a separately configured defer-rate ceiling: if the fraction of attestations returning defer exceeds the ceiling, the protocol declines to apply the standard threshold and instead initiates a side-channel state synchronization procedure that disseminates the cited missing predecessors to deferring peers, after which the proposal is reattested. The mechanism thereby distinguishes an ordinary disagreement (resolved by the threshold) from a population-scale knowledge deficit (resolved by synchronization), and the distinction is structural rather than heuristic.

Operating Parameters

The ACP runtime exposes a defined set of operating parameters whose values determine the safety, liveness, and adaptivity envelope of any given deployment. The minimum quorum participant count, denoted Q_min, sets the floor below which no acceptance may be declared regardless of weight; typical deployments set Q_min between three and seven, with higher values used in deployments that prioritize Byzantine resistance over latency. The maximum weight concentration, denoted W_max, bounds the fraction of total quorum weight any single attesting peer may contribute; values of 0.20 to 0.34 are typical, ensuring that no minority of peers can independently force acceptance.

The base acceptance threshold, denoted T_base, is the fraction of total weight at which acceptance is declared under nominal network health. The protocol adjusts an effective threshold T_eff around T_base in response to the measured agreement rate over the trailing observation window; the magnitude of permitted adjustment is bounded by a configured adaptivity coefficient alpha, typically set so that T_eff is constrained within plus or minus 0.05 of T_base. The timeout bounds, denoted Tau_min and Tau_max, define the minimum and maximum durations the protocol will wait for additional attestations before declaring a deterministic outcome; these are typically expressed as multiples of the measured median attestation latency observed in the trailing window.

Health signal weights are a further class of operating parameter. Each peer's per-proposal weight is computed as a weighted combination of its lineage agreement rate, its normalized latency, its continuity score, and its policy-scope match, with the combination coefficients exposed as deployment-time configuration. The trailing observation window over which health signals are averaged is itself a parameter, typically set between fifty and five hundred prior proposals, balancing responsiveness against statistical stability. Together these parameters form a parameter vector that any deployment must commit to before participation, and that commitment is itself recorded to the lineage chain so that later observers can verify which envelope was in force when a given decision was made.

The defer-rate ceiling, denoted Delta_max, bounds the fraction of attestations that may return defer before the protocol abandons standard threshold evaluation in favor of side-channel synchronization. Typical deployments set Delta_max between 0.10 and 0.30; lower values bias the protocol toward aggressive synchronization at the cost of additional bandwidth, higher values tolerate larger knowledge deficits before triggering synchronization. The synchronization-trigger parameter coordinates Delta_max with the maximum number of synchronization rounds the protocol will attempt before declaring a hard timeout outcome on the originating proposal; this bound prevents an adversarial pattern of deliberate defers from driving the protocol into an unbounded synchronization loop.

The envelope-tightening schedule is a structured parameter governing how the threshold and timeout adjustments respond to observed envelope-digest divergence between peer attestations. When divergence is observed, the protocol tightens the threshold band and timeout bounds by a configured increment, and the tightening persists for a configured number of subsequent proposals before relaxation begins. The schedule's increments and persistence horizon are parameters set at deployment, with conservative deployments choosing larger increments and longer persistence to suppress oscillation, and aggressive deployments choosing smaller increments and shorter persistence to maximize responsiveness. The schedule itself is recorded to the lineage chain at deployment so that later observers can determine which tightening discipline was in force at the time of any soft outcome.

Deployment-manifest anchoring binds all of the foregoing parameters to the lineage chain through a manifest record that every conforming participant signs at the moment of joining the protocol population. The manifest carries the parameter vector, the protocol version, the cryptographic algorithm choices for hashing and signing, and a list of permissible policy-reference resolvers; subsequent attestations and consensus records carry references back to the manifest under which they were produced. Manifest changes are themselves consensus events under the protocol, so the parameter envelope cannot be silently mutated by an operator: any change is itself a proposal subject to the same adaptive thresholding, the same tamper-evident commit, and the same auditable record as any substantive proposal. This recursive self-governance of the parameter space is what permits ACP to evolve safely under operational stress without requiring an external administrative override.

Alternative Embodiments

Several alternative embodiments of the adaptive consensus mechanism are within the disclosed scope. In a first embodiment, the per-peer weight is computed exclusively from cryptographic continuity, with lineage agreement and latency excluded; this embodiment is suited to deployments in which all peers are operated by a single organization and the only relevant adversary is key compromise. In a second embodiment, the weight computation includes a stake-weighted term derived from a separate economic substrate, allowing ACP to operate as the consensus layer of a permissioned ledger in which validator influence reflects committed resources.

In a third embodiment, the timeout adaptation is replaced by a fixed timeout schedule indexed by proposal class, with high-priority proposals receiving shorter bounds and bulk proposals receiving longer ones; the threshold adaptation continues to operate. In a fourth embodiment, the minimum quorum participant count Q_min is itself adapted within a bounded range based on the recent rate of policy-scope matches in the population, allowing the protocol to relax participation requirements when the network is fragmented into small, mutually consistent subgraphs. In a fifth embodiment, defer attestations are aggregated and used to trigger a side-channel state synchronization protocol that pre-emptively distributes missing predecessors to peers that emitted defers, shortening the latency before a re-attestation can succeed.

In a sixth embodiment, the consensus record committed to the lineage chain includes a zero-knowledge proof of threshold satisfaction in place of the explicit attestation set, allowing later verifiers to confirm that an adequate weighted quorum was reached without learning the identities of the attesting peers; this embodiment is suited to deployments in which validator privacy is a regulatory or commercial requirement. In a seventh embodiment, the protocol operates in a hybrid mode in which a fixed minimum subset of designated peers is always required to attest in addition to the adaptive quorum, providing a structural anchor for deployments transitioning from a fixed-validator predecessor system.

In an eighth embodiment, the per-peer weight computation is replaced by a learned function, parameterized by a model whose weights are themselves committed to the deployment manifest, mapping observed health signals to per-peer weights through a deterministic inference pass; this embodiment supports deployments whose health signal interactions are sufficiently complex that a hand-tuned linear combination would underperform, while preserving auditability through manifest commitment of the model parameters. In a ninth embodiment, the protocol admits asymmetric quorum geometry in which the accept threshold and the reject threshold are computed independently, enabling deployments to bias toward either liveness (asymmetrically low accept threshold) or safety (asymmetrically high reject threshold) without symmetric reciprocal effect.

In a tenth embodiment, the protocol's commit operation is staged across a fast-path and a slow-path, with the fast-path producing a tentative consensus record on a tightened envelope and the slow-path producing a confirmed consensus record on the standard envelope, both committed to the lineage chain with typed edges; readers may consume tentative records at their own risk and reconciled records as authoritative, supporting low-latency speculative pipelines while preserving the auditable history of confirmed decisions. In an eleventh embodiment, the protocol carries a typed escalation channel through which deferred or contested proposals may be referred to a configured panel of peers whose attestations are admitted at elevated weight, supporting deployments in which structural priority is given to designated arbiters under specified conditions while preserving the adaptive character of the default path.

Composition

ACP composes with the other primitives of the memory-native protocol stack to produce system-level guarantees that none of the primitives delivers in isolation. The lineage graph carried by every memory-native object provides the predecessor references that ACP requires for proposal construction; without the lineage graph there would be no content-addressable way to identify what a proposal is mutating. The structural policy references embedded in objects provide the authorization context against which receivers evaluate proposals; without policy references the receiver evaluation reduces to a syntactic well-formedness check.

The cognition-compatible transport layer guarantees that proposal dissemination follows the policy-relevant subgraph, so that the set of peers reachable for attestation is itself a structural function of the proposal's content rather than an arbitrary network topology decision. The tamper-evident commit log into which ACP writes its consensus records is the same lineage chain that records every other state transition in the system, so the consensus history of a subject is interleaved with the substantive history of that subject and cannot be analyzed in isolation; this composition is what makes the audit trail exhaustive rather than merely partial.

Above ACP, the agent execution platform consumes accepted proposals as the authoritative state transitions for governable agents. Because acceptance is structurally bound to policy reference satisfaction, the agent platform inherits a guarantee that no state transition it observes was authorized by anything other than the policy reference embedded in the proposal that produced it. This composition closes the loop between transport-level consensus and agent-level governance without requiring a separate enforcement layer.

ACP also composes with the agent interoperability mechanism described in adjacent disclosures. When a cross-vendor delegation envelope is admitted at the execution-platform boundary, the resulting state transition is the subject of an ACP proposal whose policy reference resolves to the policy under which the boundary admitted the envelope. The acceptance of that proposal is therefore structurally conditioned on the same policy that admitted the envelope, eliminating the gap between boundary-time admission and state-time consensus that conventional architectures fill with a brittle reconciliation layer. The lineage chain into which the acceptance is committed inherits both the boundary admission record and the consensus record as predecessors of the resulting agent state, so the cross-vendor effect is auditable end-to-end without requiring that any party simultaneously trust the originating vendor's runtime, the receiving vendor's runtime, and the transport in between.

Prior-Art Distinctions

Conventional Byzantine fault-tolerant consensus protocols including PBFT, Tendermint, HotStuff, and their derivatives presuppose a fixed validator set known to all participants in advance and a fixed quorum threshold, typically two-thirds plus one of weighted stake or one-third plus one of voting nodes. Membership changes in these protocols require a separate reconfiguration ceremony, and quorum thresholds do not adapt to observed peer health. ACP differs in that quorum membership is determined per-proposal by the policy reference embedded in the proposal itself, and quorum threshold is computed adaptively from observed peer health rather than fixed at protocol design time.

Proof-of-stake and proof-of-work consensus protocols select validators or block producers through resource commitment rather than through the structural content of the proposal under consideration; they likewise apply fixed thresholds to validator output rather than adapting thresholds to measured behavior. Reputation-weighted consensus systems do incorporate per-peer weights derived from observed history, but typically apply those weights against a fixed threshold and do not bound adaptivity within the deterministic minimum-and-maximum envelope ACP requires for safety. Gossip-based eventual consistency protocols disseminate proposals along a substrate similar to ACP's but do not produce a tamper-evident decision record; they converge through repeated dissemination rather than through a discrete, recorded acceptance event.

Audit-log systems and certificate transparency systems produce tamper-evident records of decisions but do not themselves make the decisions; they observe an external decision process and commit its outputs. ACP makes the consensus decision and writes the record in a single mechanism, so the recorded outcome is structurally identical to the decided outcome rather than a separately maintained projection of it. The combination of policy-reference-defined membership, bounded adaptive thresholding, bounded adaptive timeout, and integrated tamper-evident commit, all evaluated against memory-native objects whose fields the protocol consumes directly, is not anticipated by any single prior art system known to the inventor.

Disclosure Scope

The disclosure of U.S. Provisional Application 64/050,895 covers the adaptive consensus protocol mechanism as described, including the per-proposal computation of quorum membership from embedded policy references, the bounded adaptive computation of quorum threshold from observed peer health signals, the bounded adaptive computation of decision timeout, the deterministic recording of all outcomes including timeouts to a tamper-evident lineage chain, and the alternative embodiments enumerated above. The scope encompasses implementations in software, in hardware accelerators that perform the per-peer weight computation in dedicated circuitry, and in mixed deployments that combine the two.

The scope further encompasses use of the protocol as a transport-layer consensus primitive for agent state transitions, as a coordination primitive for distributed semantic memory, and as an audit primitive for governance-bearing operations in autonomous and semi-autonomous systems. Implementations differing in the specific health signals consumed, the specific weight combination function, or the specific bounding constants applied remain within the disclosure scope provided that the bounded adaptive thresholding, bounded adaptive timeout, policy-reference-defined membership, and integrated tamper-evident commit are present together as architectural primitives. Licensing inquiries concerning the disclosed mechanism are directed to the assignee of record.