Dynamic Routing Protocol: Memory-Aware Path Selection for Semantic Agents

Mechanism

Dynamic routing in the memory-native protocol proceeds through three coupled stages: candidate enumeration, health-weighted scoring, and lineage-bound commitment. In the candidate enumeration stage the local node identifies the set of next-hop substrates that are reachable from its current position and that satisfy the scope constraints carried by the object being routed. Scope constraints include trust-zone tags, jurisdictional markers, capability requirements, and any explicit exclusion sets recorded in prior segments of the object's lineage. A candidate that violates any scope constraint is dropped from consideration before scoring begins, so scope is enforced as a hard predicate rather than a soft penalty. The enumeration is performed against the node's current view of reachable substrates, which is itself maintained by passive observation of attestation traffic rather than by an active topology-discovery protocol. Substrates that have not recently published a fresh attestation do not appear in the enumeration set, regardless of any prior topological relationship.

In the scoring stage each surviving candidate is assigned a composite score derived from multiple observed signals. The signals fall into three families. Substrate-health signals include round-trip latency to the candidate, recent loss rates, queue-occupancy estimates, and the freshness of the candidate's last attestation. Trust signals derive from the candidate's published substrate identity attestations and from witness reports contributed by peers that have recently transacted with the candidate. Topological signals include path divergence relative to prior segments of the object's lineage and an estimate of the residual fanout budget along candidate downstream paths. The signals are combined under a scoring function whose parameters are themselves carried in the object's policy field, so different objects traversing the same node may rank the same candidate set differently according to their own routing preferences. The scoring function is required to be monotone in trust: any change that reduces a candidate's trust score, holding other signals constant, must reduce the candidate's overall score, so that no health advantage can override a trust deficit.

In the commitment stage the chosen next hop is recorded in the object's lineage as an append-only entry that names the local node, the chosen successor, the epoch in which the choice was made, and a digest of the signal vector that produced the decision. The successor cannot reverse the decision; it can only extend the lineage with its own commitment when it in turn forwards. This append-only discipline guarantees that the path traversed by an object is reconstructable from its lineage without reference to any external log, and that no node along the path can rewrite history to obscure its participation. The commitment also includes a fanout counter that decrements at each duplication; when the counter reaches zero, no further duplication is permitted along that branch. The signal-vector digest serves a forensic role rather than a runtime role: an auditor reviewing the path after the fact can replay the scoring function over the digested signals and confirm that the committed successor was indeed a maximizer under the object's policy.

Cycle freedom is structural. Before committing to a candidate, the local node consults the lineage entries already attached to the object and refuses any candidate that appears in those entries within the current routing horizon. The horizon is defined in terms of lineage depth rather than wall-clock time, so cycle prevention degrades gracefully under partition: an object whose lineage shows it has previously visited node A will not be forwarded back to A even if the partition would otherwise create the appearance of a fresh route. The combination of append-only lineage, fanout counter, and visited-set predicate produces a directed acyclic propagation graph for every routed object. The acyclicity is not a property guaranteed by global agreement but a property enforced by every individual forwarder using only data carried with the object, which means it survives partitions, mergers, and the loss of arbitrary subsets of the substrate population.

The mechanism is composable with itself across different routing contexts. A node forwarding two objects with conflicting scope constraints applies each object's constraints independently; there is no shared routing state that one object's policy can taint for another. The object-local nature of the routing decision is what enables the protocol to operate correctly across administrative boundaries: a domain receiving an object from a peer domain does not need to import any policy state from the originating domain, because the object carries with it everything required to forward it.

Operating Parameters

Five parameters govern DRP behavior in deployment. The first is the fanout bound, which sets the maximum number of distinct next-hop commitments that may be produced from a single object at a single node. Smaller bounds reduce traffic amplification at the cost of slower coverage; larger bounds accelerate coverage but consume more substrate capacity. The fanout bound is enforced both at issuance, where it is written into the object's policy field, and at every forwarding node, where the lineage records visible to the node are checked to ensure that prior duplications have not already exhausted the budget. The fanout counter is decremented globally rather than per-branch, so an object that has been duplicated many times along one branch cannot be duplicated again along another beyond the global ceiling.

The second parameter is the lineage horizon used for cycle detection. Horizons that span the full lineage produce strict cycle freedom but require nodes to inspect arbitrarily long lineage records. Bounded horizons cap the inspection cost at the price of admitting cycles whose period exceeds the horizon. Practical deployments select horizons sized to the operational diameter of the substrate population so that cycles within a routing era cannot occur while older lineage segments may be summarized. Operators may also configure a hybrid horizon in which the most recent entries are inspected exhaustively while older entries are summarized into a Bloom-filter digest, achieving constant-space cycle prevention with a small tunable false-positive rate.

The third parameter is the health-signal weighting profile. The protocol exposes a profile selector through which an object may indicate whether its routing should prioritize latency, throughput, trust, or jurisdictional locality. The selector is bound to the object at issuance and travels with it; intermediate nodes apply the selected profile to their own observed signal vectors when scoring candidates. The platform constrains the admissible profiles so that no object can suppress trust-signal weighting below a floor. Profiles are selected from a published catalog rather than configured ad hoc, so an auditor can reason about an object's routing behavior from its policy field without needing to interpret arbitrary scoring expressions.

The fourth parameter is the attestation-freshness requirement. Each candidate next hop must present a substrate-identity attestation no older than a configured threshold; candidates whose attestations have lapsed are demoted to fallback status and considered only when no fresh candidate satisfies the scope predicate. This parameter ties dynamic routing to the underlying substrate-trust layer and ensures that observed-health scoring cannot override trust evaluation. The threshold is calibrated to the substrate-identity layer's epoch period: a threshold shorter than one epoch effectively requires a substrate to have published its current-epoch DDH before being eligible, while longer thresholds permit limited tolerance for verification lag.

The fifth parameter is the lineage-commitment publication rate. Local commitments are always recorded in the object's lineage, but the publication of digests to the platform's distributed lineage layer is rate-controlled to limit the bandwidth consumed by routing telemetry. Operators select a publication rate that balances observability against transport overhead, and the protocol enforces a floor below which an object's path becomes unverifiable to external auditors. Operators may not select a rate of zero: every object must contribute at least one published digest per lineage horizon, so that no object can traverse the substrate population entirely off the public record.

Beyond these configurable parameters, several invariants are non-negotiable. The scoring function is monotone in trust. The lineage is append-only. The fanout counter is a strict upper bound. The visited-set predicate is a hard rejection rather than a soft penalty. Implementations that relax any of these invariants are non-conforming and will be rejected by conforming peers regardless of any other configuration.

Alternative Embodiments

In a first embodiment the routing decision is made unilaterally by the forwarding node based on its locally observed signal vector. This embodiment is appropriate for deployments where every node is independently trusted and where coordination overhead would be prohibitive. The append-only lineage commitment provides the only cross-node coordination, and that coordination is asynchronous. Operationally this embodiment behaves much like a high-quality next-hop selector in a service mesh, except that the selection is committed durably to the object rather than evaluated transiently.

In a second embodiment the routing decision is made cooperatively by a small quorum of nodes that observe overlapping portions of the candidate set. The quorum exchanges signal vectors and produces a joint score, and the chosen next hop is committed under a threshold signature. This embodiment is appropriate for deployments where individual nodes cannot be fully trusted but where small cooperating groups are. The threshold signature appears in the lineage entry in place of the unilateral signature, and verifiers distinguish the two cases by inspection of the entry's signature type.

In a third embodiment the routing logic is partially predetermined by a path hint embedded in the object at issuance. Hints do not bind subsequent nodes but bias scoring toward hinted next hops where they remain feasible under current health and scope. This embodiment supports deployment patterns in which an issuer has prior knowledge of a high-quality path and wishes to encourage its use without mandating it. Hints are recorded in the lineage along with the actual commitment, so an auditor can determine whether the issuer's expected path was followed or whether intermediate health information caused divergence.

In a fourth embodiment the protocol supports rerouting upon receipt of a signed health-degradation notice. A node that observes its previously chosen successor degrading below a freshness threshold issues a rerouting notice and produces a new commitment to an alternative successor, recording both the original commitment and its supersession in the lineage. The append-only discipline is preserved because the supersession is a new entry rather than a rewrite. This embodiment is essential for objects that traverse long-lived substrates where conditions may change during a single object's transit.

In a fifth embodiment the lineage horizon is replaced by a Bloom-filter summary of visited nodes, allowing cycle prevention to be performed in constant space at the cost of a tunable false-positive rate. The platform exposes the false-positive parameter so that operators can trade detection precision against memory consumption. Bloom-summarized cycle prevention is particularly suited to objects expected to traverse very long paths, where exhaustive horizon inspection would dominate forwarding cost.

In a sixth embodiment the protocol accepts hop-by-hop encrypted scope predicates, allowing an object to carry confidential routing constraints that intermediate nodes can evaluate without learning the constraint's content. Each forwarder evaluates the predicate under a verifiable computation primitive, commits the result, and forwards the still-encrypted predicate to the next hop. This embodiment supports routing across mutually distrusting administrative domains where the routing constraints themselves are sensitive.

Composition With Other Primitives

DRP composes with the substrate-identity layer through the trust component of its scoring function. Each candidate next hop is identified by its current Dynamic Device Hash, and the freshness, validity, and lineage of that hash directly affect the candidate's score. A substrate whose hash has lapsed cannot serve as a high-priority next hop regardless of its observed throughput. This coupling ensures that routing decisions cannot route around trust failures. Furthermore, because the DDH rotates synchronously across the fleet, the routing layer obtains a fleet-wide refresh of trust evidence at every epoch boundary without any explicit signal from the substrate-identity layer.

DRP composes with the semantic-object layer through the policy field carried in each object. The object's policy specifies the scope constraints applied at candidate enumeration, the weighting profile applied at scoring, and the fanout bound enforced at commitment. Because the policy travels with the object, routing behavior is portable: an object that crosses an administrative boundary continues to be routed under the same rules without requiring the receiving domain to import external configuration. This portability is essential for cross-organization workflows where a uniform routing policy plane cannot be assumed.

DRP composes with the lineage layer by writing into it. Every commitment becomes a lineage entry, and every published digest contributes to the platform's audit trail. Auditors reconstructing an object's path consult the lineage entries in order, verify the chain of commitments against the participating substrates' attestations, and recover the full set of routing decisions without needing access to any node's private state. The composition is symmetric: lineage records inform routing through the cycle-prevention predicate, and routing decisions extend lineage through their commitments. The lineage layer thus simultaneously records the protocol's outputs and constrains its future inputs.

DRP composes with the execution layer by carrying delegation references in the object's policy field. When an object is decomposed into subordinate objects through recursive delegation, each subordinate inherits a routing context derived from its parent, and the lineage of the parent's path is recorded in the subordinate's initial lineage entry. Routing thus respects the execution structure rather than treating each subordinate as an independent transport problem. A subordinate's routing decisions can reference its parent's path through the inherited lineage, which is essential for ensuring that subordinates do not violate scope constraints that the parent has already committed to.

Finally, DRP composes with the policy-enforcement layer by exposing its commitments to enforcement hooks. A policy enforcement point that needs to verify whether an object has traversed only authorized substrates consults the published lineage digests rather than maintaining its own forwarding observations. This delegation of observation to the routing protocol itself reduces the trusted computing base of policy enforcement and makes enforcement decisions reproducible from public evidence.

Prior-Art Distinctions

Conventional dynamic routing protocols, including OSPF, IS-IS, and BGP, select paths on the basis of administrative metrics computed over a network topology. They do not consult application-layer scope constraints, do not bind decisions to per-object policy fields, and do not produce per-object lineage records. Their operation is correct only within the administrative domain that operates them, and crossing a domain boundary requires policy translation that is itself a frequent source of misconfiguration. DRP differs structurally: scope, policy, and lineage travel with the object itself, so routing semantics are preserved across administrative boundaries without translation, and the per-object commitment record exists at a granularity that conventional protocols do not produce.

Health-aware load-balancing systems such as those that drive consistent hashing with bounded loads or power-of-two-choices selection in service meshes select among service replicas using observed health, but they do not produce auditable per-request lineage and do not enforce cycle freedom because their topology is shallow by assumption. DRP operates on multi-hop paths in an arbitrary topology and produces append-only commitments that survive substrate migration and partition. Where load balancers select among interchangeable replicas, DRP selects among substrates that may differ in trust posture, jurisdictional placement, and capability set, and the per-object policy field captures those differences as first-class inputs.

Onion-routing and mix-net systems select paths to obscure the relationship between sender and receiver. They commit to a path before transmission and do not adapt to observed health in flight. Path commitments in onion routing are made by the originator, not by the forwarders, which means a degraded relay cannot be replaced without the originator's intervention. DRP, by contrast, makes adaptive decisions at each hop while still producing a verifiable record of the path taken; adaptivity and auditability are not in tension. The two-property combination is structural to DRP and absent from onion routing.

Content-addressed networking systems such as those that route by hash of the payload select a destination implicitly from the content rather than choosing a path explicitly. They do not consider substrate health, do not enforce per-object scope, and do not produce path lineage. DRP routes by explicit selection while leaving content addressing as an orthogonal concern; an object may be content-addressed at the application layer and dynamically routed at the transport layer without conflict.

Software-defined networking architectures centralize routing decisions in a controller that programs forwarding elements with installed flows. The centralized controller is a single point of failure and authority, and crossing administrative domains requires inter-controller protocols that do not yet exist in standardized form for this purpose. DRP requires no controller: every forwarding decision is made locally by the forwarder using object-carried inputs, so the protocol scales horizontally without introducing a control plane.

Disclosure Scope

The disclosure of Provisional 64/050,895 covers the dynamic routing mechanism described above, including the three-stage enumeration, scoring, and commitment process; the configurable fanout bound, lineage horizon, weighting profile, attestation-freshness threshold, and publication rate; the alternative embodiments enumerated for unilateral, quorum-cooperative, hint-biased, rerouting-on-degradation, Bloom-summarized cycle prevention, and hop-by-hop encrypted scope predicates; and the composition interfaces to the substrate-identity layer, the semantic-object policy layer, the lineage layer, the execution layer through delegation, and the policy-enforcement layer. The scope further covers any equivalent embodiment in which forwarding decisions are made on the basis of observed substrate health and per-object scope constraints, in which fanout is bounded by an object-bound budget, in which cycle freedom is enforced by reference to append-only lineage, and in which routing outcomes are committed to that lineage as part of the decision itself. Implementations that omit lineage commitment, that compute decisions without reference to substrate health, or that permit unbounded fanout fall outside the claimed scope. Licensees obtain the right to operate the protocol within the parameters described and to compose it with adjacent memory-native primitives that consume routing outcomes or contribute signals to routing decisions.