Cross-Platform Credentialed Reader Activation

Mechanism

Every object exposed through the discovery substrate carries a governance-class label. The label is not metadata applied alongside the object; it is part of the object's structural identity in the substrate. The label declares the governance regime under which the object is discoverable: which authorities admit readers, which credential schemas constitute matching credentials, which redaction rules apply during retrieval, which audit obligations bind retrievals, and what the supersession semantics are for label changes. Two objects with different governance classes are structurally different objects from the substrate's perspective even if their underlying payload is identical, because the activation surface they expose is different.

A reader that wishes to retrieve an object presents an activation credential to the substrate. The credential is a credentialed observation in the sense the broader architecture uses: it is signed by the issuing authority, traceable through a credentialing chain to a constitutional issuer, time-bounded, and subject to supersession. The substrate evaluates the credential against the object's governance class. If the credential's class matches — meaning the issuing authority is recognised by the governance class, the credential's scope encompasses the object's class, and the credential is current under the temporal and supersession rules of the class — the substrate activates the reader against the object. Activation is not a boolean grant; it is the materialisation, in the reader's local view, of the structural handles by which the object can be retrieved at all.

A reader without a matching credential does not see the object. The distinction between this and a permission-deny is structurally important. A permission-deny pattern would expose an object reference, allow the reader to attempt retrieval, then refuse retrieval at a policy gate. The credentialed-activation pattern does not expose the reference. The unactivated reader's view of the substrate does not contain the structural handles the object would expose under activation. The reader cannot attempt retrieval because there is nothing to attempt against. This property is what the architecture means by "structurally cannot retrieve" — the absence is at the level of structural capability rather than at the level of authorisation.

Activation propagates through the substrate's discovery topology. A reader that activates at a substrate node obtains structural visibility to the objects whose governance class admits the reader's credential at that node. As the reader's query traverses the substrate (across federation boundaries, across platform boundaries, across coalition boundaries), the activation discipline applies at each substrate node the query reaches. The reader does not carry pre-computed activations across nodes; each node performs its own credential-against-class evaluation, because the governance classes themselves may be locally interpreted under federated governance and the credentialing chains may need to be re-evaluated against locally recognised constitutional issuers.

Retrieval after activation produces a credentialed retrieval observation in the lineage. The retrieval is recorded with the reader's credential, the object's governance class, the substrate node that performed the activation, and the policy version in force at the time of retrieval. The retrieval observation is itself a citizen of the lineage, subject to the historical policy-version reconstruction primitive, and inspectable to authorities authorised to audit the substrate's behaviour. Discovery is therefore not a stateless lookup; it is an audited, credentialed event with downstream consequences for accountability.

Operating Parameters

Governance-class granularity is parameterised by the deployment. A coarse-grained deployment may expose only a few classes (public, restricted, confidential); a fine-grained deployment may expose hundreds (per-jurisdiction tracking-object classes, per-authority enforcement classes, per-coalition operational classes, per-individual personal-tracking classes under owner-issued credentials). The architecture imposes no upper bound on class cardinality but does impose a structural-locality bound: a class must be locally interpretable at any substrate node that exposes objects of the class, meaning the class definition and the credentialing rules that govern it are themselves objects in the substrate, retrievable under their own governance discipline (typically a meta-class that admits broad readership while restricting authorship).

Credential lifetime parameters control activation duration. Short-lived credentials (a one-time activation for a single discovery query) limit the window in which a reader retains structural visibility to a class of objects; long-lived credentials (an organisational credential that persists across the credential's term) enable continuous discovery within the credential's scope. The substrate enforces lifetime structurally: an expired credential produces an unactivated view at the next substrate evaluation, regardless of any cached activation state the reader may hold locally, because activation handles are bound to credential validity at the substrate side rather than at the reader side.

Cross-class composition rules determine how a credential admitting class A interacts with an object whose governance class is the conjunction A-and-B. The architecture supports strict composition (the reader must hold credentials matching every component class), permissive composition (the reader matching any component class activates, with class-scoped redaction applied to the retrieved view), and explicit-composition (the conjunction class declares its own credentialing rule, which may differ from any of its components). Deployments select the composition rule per substrate region under credentialed governance.

Anti-stalking governance is structurally embedded for tracking-object classes. The activation credentials a reader can present against a tracking-object class are themselves credentialed against anti-stalking criteria: the issuing authority is bound to anti-stalking obligations, the credential's scope cannot encompass arbitrary tracked individuals (it must encompass either the credential-holder's own objects or objects under emergency-credentialed search authorisation), and tracked-object owners hold structural standing to challenge activations against their objects. The structural standing is itself an activation: the owner's credential activates an audit view over retrievals against the owner's objects, exposing who retrieved, under what credential, at what time.

Performance parameters scale with credentialing-chain depth and class-cardinality. Substrate nodes maintain credential-evaluation caches under cache-invalidation discipline tied to the supersession of credentials and class definitions. A credential supersession event invalidates downstream activation caches; a class-definition supersession event invalidates downstream class-evaluation caches; the substrate's eventual-consistency window for credentialing is bounded by the propagation latency of the supersession discipline.

Alternative Embodiments

One embodiment integrates the credentialed-activation discipline with existing tracker-detection protocols (IETF DULT, Apple Find My's accessory specification, Google's Find My Device cross-platform protocol) by treating the protocol-level detection layer as the lower stratum and the activation discipline as the upper stratum. The protocol layer continues to handle radio-level discovery and unwanted-tracker behavioural detection; the activation discipline governs which discovery results activate as retrievable objects in the credentialed substrate. This embodiment supports the cross-platform tracking ecosystem without displacing the protocol-level interoperability work that DULT and equivalent specifications have already done.

A second embodiment binds the activation discipline to a federated identity substrate (for example, a verifiable-credentials infrastructure under W3C VC standards). Reader credentials are W3C VCs issued by federation-recognised authorities; governance classes are identified by URIs that the substrate's federation registry resolves to credentialing rules; the activation evaluation is a credential-presentation exchange under VC presentation protocols. This embodiment is appropriate for civil-society and regulatory deployments that require open standards for the credentialing infrastructure.

A third embodiment implements the activation discipline as a capability-based system in the object-capability sense: the activation handle is itself an unforgeable capability reference, possession of which constitutes the structural ability to retrieve. Unactivated readers do not possess the capability and structurally cannot construct it; activated readers receive the capability scoped to the credential's lifetime. This embodiment is appropriate for high-assurance deployments where the structural-capability property must be defensible against compromise of the substrate's policy gate, because in the capability embodiment there is no policy gate to compromise — the gate has been replaced by structural capability.

A fourth embodiment supports emergency activation under credentialed override. Search-and-rescue, child-recovery, and accredited law-enforcement scenarios require activation against tracking-object classes that the searching reader does not normally have credentials to retrieve. The architecture supports an emergency-credentialing authority that issues short-lived, audit-heavy credentials valid for the duration of the emergency, with mandatory after-action review observations admitted to the lineage and retrievable by tracked-object owners. The override is structurally distinct from a back-door because it is itself a credentialed, audited event under governance-class discipline.

A fifth embodiment exposes the activation primitive to research and statistical-discovery use cases under aggregate-credentialing. A research reader presents a credential that admits aggregate retrieval over a class of objects (epidemiological research over tracked-medical-device classes, traffic-pattern research over tracked-vehicle classes) without admitting individual retrieval. The substrate's activation evaluation produces an aggregate view in which individual handles are structurally absent and only aggregate handles are present. This embodiment supports research while preserving the structural-cannot-retrieve property at individual scale.

Composition

Credentialed reader activation composes with the refusal-as-observation primitive in a structurally complete way. A reader that presents a credential the substrate evaluates as non-matching does not see the object, and the evaluation event is itself recorded as a credentialed observation — a structural refusal of activation — that the issuing authority of the credential and the governance authority of the class can subscribe to. The refusal is not surfaced to the unactivated reader (because surfacing the refusal would itself disclose the existence of the object), but it is surfaced to the credentialing authorities responsible for the activation evaluation, supporting their audit and supersession decisions.

Composition with historical policy-version reconstruction makes activation events durable as evidentiary objects. An activation that occurred at T against an object's governance-class definition in force at T is reproducible at any later time against the credentialing rules and class definitions in force at T, even if the credentialing rules have since been amended or the class has been redefined. A regulator examining an activation years later evaluates it under the historical rules that produced it, not under contemporary rules.

Composition with the broader discovery substrate's federation discipline supports cross-jurisdictional retrieval. A reader credentialed in jurisdiction A queries a substrate region governed by jurisdiction B; the substrate evaluates the reader's credential against jurisdiction B's recognition rules for jurisdiction A's authorities; activation occurs only where the federation's cross-recognition admits it. The federation's recognition rules are themselves credentialed objects, retrievable under their own meta-class, supporting transparency of the cross-jurisdictional discipline.

Composition with the lineage-of-retrievals discipline supports tracked-object-owner accountability. The owner of a tracking object holds a class-scoped audit credential that activates a view over retrievals against the owner's objects. The owner therefore has structural visibility to who has retrieved, under what credential, at what time — without needing to trust any single platform operator's reporting. The audit credential is itself part of the credentialed-activation discipline, applied recursively to the audit channel.

Prior-Art Distinction

IETF DULT (Detecting Unwanted Location Trackers) specifies behavioural interoperability between trackers and detectors at the protocol level: how trackers should advertise, how detectors should detect, how unwanted-tracker scenarios should be handled at the user-experience layer. The specification works as a behavioural standard for the tracker/detector bilateral; it does not specify the architectural layer at which cross-platform discovery interacts with credentialed governance, and in particular does not specify the structural-cannot-retrieve property by which un-credentialed readers are denied capability rather than denied authorisation. The disclosure here addresses the architectural layer DULT does not.

Apple's Find My, Google's Find My Device, Tile's discovery network, and Samsung SmartThings each operate proprietary credentialed-discovery substrates. Each platform reconstructs the activation discipline within its own trust domain; cross-platform activation is handled at the protocol-interoperability layer (DULT and equivalents) without an architectural primitive that supports cross-platform credentialing in a federation-portable way. The disclosure generalises the activation primitive to a cross-platform discipline with explicit governance-class semantics.

Capability-based security literature (KeyKOS, Capsicum, the object-capability subset of W3C VC) supports unforgeable capability references but does not embed governance-class semantics, supersession discipline, federated cross-recognition, or anti-stalking structural standing. The capability literature is a substrate for one embodiment of the disclosure rather than prior art for the disclosure as a whole.

Verifiable-credentials work (W3C VC, Decentralized Identifiers) supports credential issuance, presentation, and verification but does not specify the substrate-side structural-activation property. A VC system gates retrieval at a policy point; the disclosure's substrate denies capability at the structural point. The distinction is the substrate-side embedding of activation in the object's structural identity, which VC infrastructure supports as a layer above but does not specify.

Attribute-based access control (ABAC, NIST SP 800-162) and policy-engine architectures (XACML, OPA) handle credentialed authorisation but operate as policy gates over a universal-retrieval substrate. They do not implement the structural-capability discipline; an ABAC-protected object exists in the substrate and the policy engine refuses access to it. The disclosure's substrate does not expose the object to refuse access; the object's handles are absent in the unactivated view.

Disclosure Scope

The disclosure encompasses the credentialed-activation discipline, governance-class structural identity, the structural-cannot-retrieve property, cross-class composition rules, anti-stalking structural standing, emergency-credentialing override, aggregate-credentialing for research, the federation-portable cross-recognition discipline, the capability-based and VC-based embodiments, and the composition with refusal, reconstruction, and audit primitives. Operational deployments encompassed include cross-platform tracking-object discovery (post-AirTag interoperability across Apple, Google, Tile, Samsung, and emerging platforms), regulated-medical-device discovery, child-safety and search-and-rescue discovery, supply-chain object discovery across coalition boundaries, regulated-financial-instrument discovery, and any operational domain in which discovery capability must be a credentialed property of the substrate rather than a permission applied over a universal-retrieval substrate. The scope is the primitive and its compositions, not any specific deployment.