Authority Credential as a First-Class Field on the Wire
by Nick Clark | Published April 25, 2026
The governed mesh wire format places a mandatory governance class field at a fixed offset in every transmission. The field declares, in the small handful of bits closest to the message header, what governance class the message belongs to and therefore what handling is required of every device that touches it. Opaque relays — devices that forward without parsing the payload — are required only to preserve the field's position and contents byte-for-byte. Downstream receivers parse the field structurally, apply class-appropriate handling, and reach correct admissibility decisions without any need to interpret the payload that follows. The field is not an option, an extension, or a header-of-headers; it is the protocol's first commitment.
Mechanism of the Fixed-Offset Governance Class Field
The wire format begins, after a minimal framing preamble whose only purpose is to mark the start of a governed mesh frame, with a governance class field at a fixed byte offset. The offset is the same for every frame regardless of payload length, transport medium, or upstream history. The field is encoded in a stable, version-locked binary form: a small fixed-width prefix that names the class, followed by a fixed-width subclass selector, followed by a small fixed-width parameter block whose interpretation is determined by class and subclass. The total field width is fixed by protocol version, so any device that knows the protocol version can locate the field, parse it, and act on it without seeing the payload.
The class prefix names the broad governance regime that applies to the message: a class for routine telemetry, a class for credentialed actuation, a class for high-integrity attestation, a class for emergency or override traffic, a class for opaque-relay-only transit, and a small reserved space for future classes. The subclass selector refines the regime: under credentialed actuation, for example, subclasses distinguish synchronous control, asynchronous control, deferred control, and sealed-bid control. The parameter block carries the small handful of values that downstream handlers need before they look at the payload: a deadline, a priority, a retention indicator, a hop-cap, and a cryptographic binding to the payload that follows.
The fixed offset is the inventive commitment. Other protocols allow header fields to move with options or extensions; the governed mesh wire format does not. The field is at the same place in the byte stream for every frame in every deployment, and the protocol version that determines its width is itself bound into the framing preamble. A device receiving a frame whose framing preamble announces a known protocol version can locate the governance class field deterministically, in a fixed number of byte operations, without parsing variable-length structures. A device receiving a frame whose framing preamble announces an unknown protocol version has only one defined behaviour: discard or hold-for-relay without parse. There is no "skip unknown extension" path that allows a device to handle a frame whose governance class it cannot read.
Opaque relays are formally defined as devices that forward governed mesh frames without parsing the payload. The wire format requires only two things of an opaque relay: that it preserve the framing preamble, and that it preserve the governance class field bit-for-bit. Beyond that, an opaque relay may compress, batch, fragment-and-reassemble, or wrap the payload as required by the underlying medium, provided the relay can recover the original byte sequence on egress. The relay is not required to understand the class; it is required only not to alter or omit it. This contract is what makes the format medium-agnostic: a relay over UWB, Wi-Fi, cellular, satellite, optical, or store-and-forward bearer needs to know nothing about the governance regimes in play, only that the field at the fixed offset is sacred.
Downstream parsing takes advantage of the fixed-offset commitment by performing admissibility evaluation as a parse-time operation. The receiver locates the governance class field, reads the class, subclass, and parameter block, and dispatches to the class-appropriate handler before it touches the payload. If the class is one the receiver is not credentialed to handle, the frame is rejected at parse, before the payload is even read into a buffer that application logic could touch. If the class indicates a deadline that has already passed, the frame is dropped at parse. If the class indicates a hop-cap that has been exceeded, the frame is dropped at parse. The expensive work of payload validation, decryption, and application dispatch is gated on the cheap work of governance class evaluation.
Operating Parameters and Field Encoding
The governance class field has a width that is fixed per protocol version. The current version reserves an octet for class, an octet for subclass, and a small parameter block sized to fit within a single cache line on commodity processors, so that parsing is O(1) and fits in a single load on the receive path. The class space is partitioned into reserved blocks for routine telemetry, credentialed actuation, attestation, emergency, opaque transit, and future use. The subclass space is allocated within each class by the credentialing authority responsible for that class, so that subclass meaning is locally administered while class meaning is globally fixed.
The parameter block carries a deadline (an absolute or relative time after which the frame is to be discarded if not yet acted on), a priority (a coarse rank used by relays and receivers to schedule among competing frames), a retention indicator (a flag that tells receivers whether the frame is to be archived, summarized, or discarded after handling), a hop-cap (a small integer decremented at each relay), and a cryptographic binding to the payload (a short digest that lets the receiver detect mismatches between the announced class and the actual payload before decrypting). The cryptographic binding is the field that closes the loop between governance class and payload integrity: a frame whose governance class field has been altered in transit will fail the binding check at the receiver, and a frame whose payload has been altered will likewise fail.
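The parse-time gate described above, as an added example that is not part of the original disclosure. The byte layout, class codes, and the use of a keyed, truncated HMAC-SHA-256 as the "short digest" are all assumptions made for illustration; the disclosure fixes none of them.

```python
import hashlib
import hmac
import struct

# Assumed layout (not from the page): 2-byte magic + 1-byte version, then the
# governance class field at fixed offset 3.
PREAMBLE = struct.Struct(">2sB")
# class, subclass, deadline (s), priority, retention, hop-cap, 8-byte binding
FIELD = struct.Struct(">BBIBBB8s")
MAGIC, KNOWN_VERSION = b"GM", 1
CLASS_TELEMETRY, CLASS_ACTUATION = 0x10, 0x20  # hypothetical class codes


def binding(key, fixed, payload):
    # Keyed MAC is an assumption; an unkeyed digest could simply be recomputed.
    # The hop-cap is left out of the MAC because relays decrement it in transit.
    return hmac.new(key, fixed + payload, hashlib.sha256).digest()[:8]


def build_frame(key, cls, sub, deadline, prio, retain, hops, payload):
    fixed = struct.pack(">BBIBB", cls, sub, deadline, prio, retain)
    field = FIELD.pack(cls, sub, deadline, prio, retain, hops,
                       binding(key, fixed, payload))
    return PREAMBLE.pack(MAGIC, KNOWN_VERSION) + field + payload


def admit(frame, key, credentialed, now):
    """Return (verdict, payload); the payload is released only if every gate passes."""
    if len(frame) < PREAMBLE.size + FIELD.size:
        return "drop:short", None
    magic, version = PREAMBLE.unpack_from(frame, 0)
    if magic != MAGIC or version != KNOWN_VERSION:
        return "drop:unknown-version", None  # no "skip unknown" path
    cls, sub, deadline, prio, retain, hops, tag = FIELD.unpack_from(
        frame, PREAMBLE.size)
    # Cheap gates first: none of these reads a payload byte.
    if cls not in credentialed:
        return "reject:class", None
    if now > deadline:
        return "drop:deadline", None
    if hops == 0:
        return "drop:hop-cap", None
    payload = frame[PREAMBLE.size + FIELD.size:]
    fixed = struct.pack(">BBIBB", cls, sub, deadline, prio, retain)
    if not hmac.compare_digest(tag, binding(key, fixed, payload)):
        return "drop:binding", None  # class or payload altered in transit
    return "admit", payload
```
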
Protocol-version negotiation is intentionally minimal. A device announces its supported version in its framing preamble, and a relay that cannot understand the version forwards the frame unchanged or refuses transit. There is no in-band negotiation of governance class semantics, because such negotiation would create an attack surface in which an adversary downgrades a frame to a class with weaker handling. The version is set out-of-band when the device is provisioned, and changes only through credentialed re-provisioning. This is a deliberate choice that trades flexibility for adversarial robustness: a deployed mesh has a stable governance vocabulary, and changes to that vocabulary are themselves credentialed events.
The audit surface for the governance class field is the set of receiver and relay log records that note, for each frame, the class observed and the handling applied. Audit-required classes (credentialed actuation, attestation, override) write a permanent lineage record at every device that handles them; audit-optional classes (routine telemetry) may be sampled. The audit records reference the framing preamble's protocol version, the governance class field, and a hash of the payload, so that an auditor reconstructing the chain can verify that every device along the path observed the same class declaration and applied class-appropriate handling.
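An added sketch, not code from the disclosure, of the opaque-relay contract and the auditor's lineage check described above. It assumes a 3-byte preamble followed by a 17-byte governance class field with the hop-cap at byte 11; the record keys and device names are hypothetical.

```python
import hashlib
import zlib

HEAD_LEN = 3 + 17   # assumed: 3-byte preamble + 17-byte governance class field
VERSION_OFFSET = 2  # assumed position of the protocol version in the preamble
HOP_OFFSET = 11     # assumed position of the hop-cap, which relays may decrement


def relay_wrap(frame):
    """Opaque relay ingress: compress the payload for the bearer, head untouched."""
    return frame[:HEAD_LEN] + zlib.compress(frame[HEAD_LEN:])


def relay_unwrap(wrapped):
    """Opaque relay egress: recover the original byte sequence."""
    return wrapped[:HEAD_LEN] + zlib.decompress(wrapped[HEAD_LEN:])


def audit_record(device, frame, handling):
    """Log what this device observed: version, class field, payload hash."""
    # The hop-cap byte is masked out so a legitimate decrement is not a mismatch.
    stable = frame[3:HOP_OFFSET] + frame[HOP_OFFSET + 1:HEAD_LEN]
    return {
        "device": device,
        "version": frame[VERSION_OFFSET],
        "class_field": stable.hex(),
        "payload_sha256": hashlib.sha256(frame[HEAD_LEN:]).hexdigest(),
        "handling": handling,
    }


def first_divergence(records):
    """Return the first device whose record disagrees with the origin, else None."""
    keys = ("version", "class_field", "payload_sha256")
    origin = records[0]
    for rec in records[1:]:
        if any(rec[k] != origin[k] for k in keys):
            return rec["device"]
    return None
```
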
Alternative Embodiments
The fixed-offset governance class field admits embodiments across the full range of mesh transports. In an ultra-wideband (UWB) embodiment, the framing preamble is a short synchronization sequence and the governance class field follows immediately, allowing low-power UWB nodes to evaluate class within their normal receive window. In a Wi-Fi embodiment, the field is carried within the payload of a standard 802.11 frame, with the governance class field at a fixed offset from the payload start. In a cellular embodiment, the field is carried in an application-layer datagram with the same offset commitment. In a satellite embodiment, the field is the first decoded structure after the satellite's framing layer.
In a passive RFID embodiment, the governance class field is encoded in the read-only portion of the tag's stored data, allowing a reader to evaluate class without depending on tag computation. In an optical-fiducial embodiment, the field is encoded in the high-contrast region of a printed or projected fiducial, allowing a camera-equipped reader to evaluate class from a single image. In a store-and-forward embodiment over carrier-pigeon-class bearers (mobile devices that physically transport frames between disconnected meshes), the field travels as part of the stored frame and is preserved by the carrier without inspection.
Composite embodiments allow a frame to traverse multiple media in sequence, with each medium's relays preserving the field byte-for-byte. A frame originating on a UWB sensor mesh may transit a Wi-Fi backhaul, a cellular uplink, and a satellite cross-link before reaching its receiver, with each segment's relays unaware of the governance regime in play but constrained by the format to preserve the class field. The receiver performs a single class evaluation against the field as received, validates the cryptographic binding against the payload, and dispatches to the class-appropriate handler.
Composition With Adjacent Primitives
The fixed-offset governance class field composes with the broader governed mesh protocol's authority credentialing on the upstream side and with downstream class-specific handlers on the parse side. Authority credentialing produces the signature that validates the class assignment; without a valid authority signature, the class declaration is unenforceable. The class-specific handlers are the bodies of code that implement, for each class, the admissibility logic, the deadline enforcement, the retention policy, and the audit emission. The wire format does not specify the handlers; it specifies only that they are dispatched against the class field at parse time.
On the relay side, the field composes with the relay's own forwarding policy. Relays that are themselves credentialed may apply class-aware forwarding (prioritize emergency, defer routine telemetry under load, refuse opaque-transit-only classes that they are not authorized to relay). Relays that are not credentialed apply only the universal contract: preserve the field. The composition of credentialed and non-credentialed relays in a single path is what allows a governed mesh to span administrative boundaries without negotiating shared trust at every hop.
On the audit side, the field composes with the lineage chain maintained at receivers and credentialed relays. Audit-required classes anchor lineage records at every device that handled them; audit-optional classes anchor lineage at the receiver only. The audit chain references the protocol version and the class field, so any future review can reconstruct what governance regime was in force at the time of handling, even if the regime itself has evolved by the time of the review.
Prior-Art Distinction
Prior-art mesh and relay protocols treat governance as either a payload concern or a routing concern. V2X protocols (IEEE 1609.2) embed certificates within message payloads, requiring receivers to parse the payload before they can evaluate authority; the payload itself is the surface on which governance is read. TCP and IP carry no governance fields at all, leaving governance entirely to application layers. Bluetooth and Bluetooth Low Energy carry a small set of fixed fields (advertising flags, service UUIDs) but none of them are governance class fields in the sense disclosed here. MQTT, AMQP, and similar message-broker protocols define topic-based access control but the topic is itself a payload artifact, not a fixed-offset field that opaque relays must preserve.
The closest antecedents are the differentiated services code point (DSCP) field in IPv4/IPv6 and the traffic class field in 802.1Q. These fields occupy fixed positions and influence relay behaviour, and they are an acknowledged ancestor of the governance class concept. They differ in two respects: they are advisory rather than mandatory (relays may ignore them without violating the protocol), and they do not bind to a credentialing authority (any sender can set them to any value). The governed mesh wire format treats the class field as mandatory and binds it cryptographically to the payload, so that the field is both unforgeable and unignorable.
Provisional patent application 64/050,895 documents this structure. The inventive step is not the existence of a header field; it is the commitment to fixed offset, the requirement that opaque relays preserve the field, the requirement that downstream parses dispatch admissibility from the field before touching the payload, and the cryptographic binding that prevents class manipulation in transit.
Disclosure Scope
This disclosure covers the structure of the governed mesh wire format with respect to the mandatory governance class field at fixed offset. It covers the partitioning of the class space into routine, credentialed, attestation, emergency, opaque transit, and reserved blocks; the subclass and parameter block within each class; the cryptographic binding of class to payload; the protocol-version commitment that fixes the field's width and offset; and the audit-required versus audit-optional handling distinctions across classes.
The disclosure extends to the opaque-relay contract that requires only preservation of the framing preamble and governance class field, allowing relays to operate over any underlying medium without parsing the payload. It extends to embodiments across UWB, Wi-Fi, cellular, satellite, passive RFID, optical fiducial, and store-and-forward bearers, and to composite paths that traverse multiple media in sequence.
The disclosure extends to downstream parsing that performs admissibility evaluation as a parse-time operation, dispatching to class-specific handlers before payload decryption or application dispatch. It does not cover specific cryptographic primitives, specific handler implementations, or specific transport-medium framing layers; these are regarded as implementation choices outside the inventive structure. The inventive structure is the wire-format commitment that places governance at the smallest fixed offset and binds it to the payload by construction.