Integrity-Tracked Traversal Drift Detection

Mechanism

Each anchor in the discovery substrate carries an integrity descriptor: a scalar drift value, a window of recent observation deltas, a per-source weighting vector, and a decay parameter. When an observation event arrives, it is reduced to a delta against the anchor's current attested state. The delta is the divergence between what the observation asserts and what the anchor's lineage entitles it to assert at this point in time. Small deltas inside the noise floor of the source are absorbed without changing the drift value materially. Large deltas, or persistent small deltas from a single source, advance the drift.

The cumulative tamper score is the integral of these deltas over the active window, weighted by source reliability. A reliable source contributing a small delta moves the score modestly. An unreliable source contributing a similar delta moves it further, because the prior is that its contributions are more likely to be artefacts. Sources that have been previously caught contributing tampered observations carry a permanent penalty in their weighting vector, so their contributions accumulate faster.

Admissibility downgrade is the response side. The gate that controls reads against an anchor consults the drift descriptor along with the read's own context. Below the safe threshold, the read proceeds normally. Between safe and warning thresholds, the read proceeds but is annotated with the drift level so the consumer can adjust its own confidence. Between warning and quarantine thresholds, the gate refuses reads that require high-assurance admissibility while still permitting low-assurance reads that explicitly accept degraded material. Above the quarantine threshold, all reads are refused and the anchor enters a remediation state.

Decay is the recovery channel. Drift values relax toward zero on a configurable time constant, and consistent observations from reliable sources actively pull the value down. An anchor that suffered a transient burst of bad observations will, in the absence of further tamper events, eventually return to safe admissibility. This avoids the failure mode of permanent quarantine for transient faults while preserving the property that tamper history is not erased: the lineage retains the tamper events even after the score relaxes, so post-hoc audit can reconstruct the episode.

An important property of the cumulative-score formulation is that it makes drift a first-class quantity that can be reasoned about across time, across sources, and across anchor classes. Operators can ask not only whether a given anchor is currently safe to read, but how it became unsafe, when, and which sources contributed which fraction of the eventual score. Because the drift descriptor retains the windowed log of contributing deltas, a forensic reconstruction can attribute the score to its source-weighted components and identify whether quarantine was driven by a single bad actor, a coordinated set, or a population-wide artefact.

Quarantine is the terminal state. An anchor in quarantine is structurally isolated: read attempts return refusal regardless of caller authority, write attempts are buffered without commit, and dependent anchors that derived state from the quarantined anchor are recursively flagged for re-evaluation. Exit from quarantine requires an explicit remediation action, which is itself a recorded event.

Operating Parameters

The mechanism is parameterised by the window length over which deltas are integrated, the safe and warning thresholds at which admissibility transitions occur, the quarantine threshold above which the anchor is isolated, the per-source reliability priors, the decay time constant, and the policy for cascading drift to dependent anchors. Window length sets sensitivity to bursts: a short window flags brief bursts but forgives them quickly, a long window is steadier but slower to recover. Threshold spacing determines how aggressively admissibility is downgraded; tightly spaced thresholds produce a more reactive system, widely spaced thresholds produce a more permissive one.

Source priors are typically initialised from the substrate's onboarding policy and updated as the source's empirical behaviour is observed. Decay constants are selected per anchor class: long-lived structural anchors decay slowly because they should not be cleared by routine traffic, short-lived ephemeral anchors decay quickly because they are expected to churn. Cascade policy controls how a parent anchor's drift propagates to children: an inheriting policy treats child reads under the parent's worst-case admissibility, while an isolating policy contains the drift at the boundary where it occurred.

Alternative Embodiments

The drift descriptor may be co-located with the anchor record, sharded into a parallel integrity index, or maintained as a separate accumulating structure consulted by the admissibility gate. Delta computation may use exact comparison, content-addressed hashing, semantic distance functions, or lineage-aware diffs that account for the legitimate ways an anchor evolves between observations. The cumulative score may be a simple weighted sum, an exponential moving average, a Kalman-filtered estimate of the true integrity state, or a learned function trained on labelled tamper episodes.

Admissibility downgrade may be implemented as a discrete level transition or as a continuous attenuation of confidence. Quarantine may be physical isolation, logical refusal at the gate while leaving storage in place, or cryptographic sealing that requires a remediation key. Recovery may be automatic on decay, manual on operator action, or a combination in which automatic recovery is permitted only below a configured ceiling.

Cascade may be eager, propagating drift the moment a parent crosses a threshold, or lazy, evaluating the parent's drift only when a child read occurs. Lazy cascade reduces background work; eager cascade reduces detection latency. Both are within scope.

Composition

The drift mechanism composes with the lineage subsystem because tamper events are recorded as lineage edges, not merely as scalar updates. It composes with the admissibility gate because the gate's decision function takes the drift descriptor as an input. It composes with the discovery scheduler because the scheduler may deprioritise observation events targeting anchors already in warning or quarantine, conserving resources for healthier regions of the substrate.

It composes with the privacy envelope, where present, because reduced integrity tightens the cohort over which release is safe and an anchor in warning state automatically operates under stricter cohort minima. It composes with revocation, because a revocation event is a recognised remediation that exits an anchor from quarantine into a tombstoned terminal state. It composes with downstream attestation channels: an attestation issued against an anchor carries the anchor's drift level at the time of issue, so a consumer evaluating an old attestation can determine whether it was issued under safe admissibility or under a degraded regime.

The mechanism also composes with the alias-resolution pathway. A merge candidate in pending-merge whose drift exceeds the resolution-allowed ceiling is excluded from canonicalisation, preventing tampered material from polluting a clean canonical anchor. Symmetrically, a successful merge resets neither the drift score nor the lineage of either pre-merge participant; both histories survive into the canonical record so that post-merge audit can reconstruct the integrity context of the merge itself.

Prior-Art Distinction

Conventional integrity mechanisms are binary: a checksum either matches or it does not, a signature either verifies or it does not. They do not accumulate evidence across many observations of the same anchor and do not graduate downstream consumption based on cumulative evidence. Anomaly-detection systems may produce graded scores but typically do so as side-channel telemetry rather than as a structural input to the read gate. The disclosed mechanism integrates accumulation, source weighting, graded admissibility downgrade, automatic decay, and cascading propagation into a single substrate-level field consulted on every read, with quarantine and remediation as recognised state transitions.

Failure Modes and Remedies

The mechanism is designed against four failure modes. The first is the boiling-frog, in which a slow accumulation of small tampered observations from a marginally unreliable source eventually exceeds tolerable drift without ever crossing a per-observation alert threshold. The remedy is the integral-of-deltas formulation: small contributions accumulate, and a long-running marginal source eventually triggers downgrade even though no individual observation was alarming. The second is the burst-and-recover failure, in which a transient fault produces a brief spike that legitimately ought to relax. The remedy is the configurable decay constant, which permits return to safe admissibility without requiring operator intervention while retaining the lineage record of the spike. The third is the cascade-storm, in which a single quarantined parent triggers cascading flags across many dependent anchors and saturates the substrate. The remedy is the choice between eager and lazy cascade, plus rate-limited evaluation queues that bound the work performed in any window. The fourth is the silent-tamper, in which an adversary contributes deltas just below the noise floor of a trusted source. The remedy is per-source weighting that updates empirically: even sub-threshold contributions are observed, and a source that produces an unusual pattern of just-below-threshold deltas accumulates a weighting penalty that subsequently amplifies its contributions.

A further design consideration is the interaction with legitimate anchor evolution. Anchors are expected to evolve as new observations refine them, and not every divergence from prior state is tamper. The lineage-aware diff embodiment addresses this by computing deltas against entitled state rather than raw prior state, so the legitimate evolution channel does not produce drift while the unauthorised mutation channel does.

Disclosure Scope

This article discloses the integrity field as a per-anchor descriptor accumulating tamper-weighted deltas across observation events, the multi-threshold admissibility downgrade keyed to the cumulative score, the source-weighted contribution model with empirical updating, the decay channel permitting graceful recovery from transient bursts, and the quarantine state with remediation-gated exit. Claims may be directed to the field object, to the gate's consumption of the field as a precondition to release, to the cascade rules across dependent anchors, and to the remediation transitions. Embodiment choices are listed to broaden rather than narrow the claim surface.