Spatial Adaptation Artifacts: Runtime Skill Loading With Admissibility Gating

Skill Marketplaces Without an Architecture

Anthropic Skills, OpenAI Custom Actions, Google Gemini Extensions, and Microsoft Copilot Studio are converging toward a common shape: runtime-loadable adaptation artifacts that extend a base model's behavior. The shape is the right one — production AI deployments need this, and the alternative (retraining the base model for every task) is structurally infeasible.

But the platforms ship without an architecture for the questions that production deployment requires: which skill applies in this context, who certified the skill is safe, what other skills must be active for this skill to function correctly, what happens when the certifying authority revokes the skill, and how do we audit skill-routing decisions after the fact?

The current answer is that these questions are platform-internal: the platform operator handles skill admission, the operator's policy decides which skills are active, and the operator's logs record what happened. This is the same platform-operator model that the governed marketplace primitive (Article 9) eliminated for commodity exchange. It has the same problems here: operator failure compromises every consumer, operator policy preferences distort the market, no cross-platform skill portability.

1. The Primitive: Signed Adaptation Artifacts With Consumer-Side Certification

Spatial adaptation artifacts are runtime-loadable behavioral modifications signed by their authoring authority. The artifact format is technique-agnostic: LoRA fine-tuning weights, RAG retrieval indices, prompt-injection configurations, mixture-of-experts adapter routing, hybrid combinations, and emerging techniques.

Each artifact carries: the authoring authority's credential, the artifact content (the actual weights, prompts, or configurations), declared dependencies on other artifacts, declared model compatibility (which base models can host it), declared scope (which tasks the artifact applies to), and declared training provenance (which data was used and under what governance).

Critically, certification is consumer-side rather than authoring-side. The consumer (the system loading the artifact for inference) runs the artifact through a sandbox evaluation against the consumer's own admissibility policy before activation. The artifact's authoring authority signs what it is; the consuming authority certifies whether to activate it.

2. Admissibility Gate as Skill Router

At inference time, a request enters the system, and the admissibility gate routes the request to the appropriate set of active skills. The gate is the same composite admissibility evaluator used elsewhere in the architecture: it consumes the request, the available active skills, the consumer's policy, and operational context to produce a routing decision.

Routing is graduated rather than binary: a request may be routed to multiple active skills with weighted contribution, may activate a contextually-appropriate skill that wasn't already loaded (subject to admissibility), may defer to a higher-authority skill when policy requires, or may decline routing when no available skill is admissible.

Admissibility-as-router unifies what current platforms split between two layers: skill selection (which skills can fire) and inference routing (which skills do fire on this input). The unified gate evaluates both questions in a single deterministic step.

3. Always-Active Personal Layer

Every consumer maintains an always-active personal layer that is exempt from the de-weighting that admissibility may apply to other skills. The personal layer carries the consumer's own preferences, identity, history, and authority — the irreducible 'self' of the consuming system — and contributes to every inference at full weight.

Personal-layer carve-out solves a recurring problem in marketplace-style skill ecosystems: third-party skills can dominate, override, or even adversarially manipulate the consumer's intent. The personal layer prevents this structurally: even if a third-party skill is fully admitted, the personal layer remains sovereign over the consumer's intent and will modulate the third-party skill's contribution accordingly.

The personal layer is itself a signed adaptation artifact, but signed by the consumer's own authority and held in a privileged position by the admissibility evaluator. Its content is the consumer's own; its authority is the consumer's own; its admissibility is the consumer's own.

4. Dependency Chains and Cascade Deactivation

Real skill ecosystems have dependencies. A medical-coding skill may depend on a clinical-vocabulary skill, which depends on a base medical-language adaptation. A legal-research skill may depend on jurisdictional-corpus skills. A code-review skill may depend on language-specific syntax skills.

Each artifact declares its dependencies in its credentialed metadata. The admissibility gate evaluates dependency satisfaction before activation: a skill cannot fire if its declared dependencies are unmet.

Cascade deactivation handles dependency revocation: when an authority revokes a skill, all skills that declared dependency on it deactivate as well, transitively. The cascade is recorded in lineage; consumers see the cascade as a credentialed observation and can re-activate alternatives, request replacements, or operate in degraded mode.

5. Cross-Model Portability

Adaptation artifacts authored against one base model often need to apply across model versions, vendors, or substitutions. A regulatory compliance skill authored for one LLM should remain usable when the deployment migrates to another. Current platforms handle this poorly: artifacts are typically locked to a specific base model and require re-authoring at migration.

The governed primitive supports cross-model portability through declared compatibility metadata: the artifact specifies which base-model classes it is compatible with, which adaptation techniques it uses, and what compatibility evidence supports the claim. Compatibility is itself a credentialed observation; an authority can sign 'this artifact tested compatible with these models' for downstream consumers.

When a consumer migrates between base models, compatible artifacts continue to operate without re-authoring. Incompatible artifacts deactivate (cascade deactivation) and are replaced by compatible alternatives or degraded-mode operation.

6. Federated Skill Training

Skills improve through use. The governed primitive supports federated skill training: a deployed skill records its performance against admissibility-evaluated outcomes; the records propagate (with privacy and rights governance) back to the authoring authority; the authority improves the skill and publishes a new credentialed version; consumers re-evaluate the new version under their admissibility policies.

Federated training is governance-credentialed, not blockchain-mediated. The training authority and the contributing consumers operate under the same governance-chain framework that admits any other observation. Privacy preservation is structural: the contributing consumers control what observations they release, the training authority signs what it received, and the audit trail covers every contribution.

This produces an evolving skill ecosystem where authority-credentialed skills continuously improve under operating use, rather than being frozen at training time and replaced wholesale.

7. Decentralized Mesh-Distributed Distribution

Skill artifacts distribute through the governed mesh (Article 1). There is no central skill marketplace operator. Authoring authorities publish credentialed artifacts; consumers subscribe to authorities they admit; artifacts propagate through fixed infrastructure relay, peer-to-peer transmission, and mobile store-and-forward.

Mesh distribution composes with intentional-disconnect (Article 13): a consumer in an isolated environment can pre-stage credentialed artifacts before disconnect, operate during disconnect with the staged artifacts, and reconcile any updates after reconnect. This serves expeditionary, defense, maritime, and other operational contexts where centralized skill distribution is infeasible.

Distribution authority is decentralized: any authority with relevant standing can publish artifacts, and consumers choose which authorities to admit. No platform operator gates the skill economy.

8. Artifact Lifecycle and Sub-Primitive Decomposition

A spatial adaptation artifact passes through a defined lifecycle, and the disclosure decomposes that lifecycle into sub-primitives that can be independently implemented or substituted. The lifecycle phases are authoring, signing, publication, discovery, fetch, sandbox certification, dependency resolution, activation, routing, observation, and either revocation-driven cascade deactivation or federated-training contribution and supersession.

Authoring produces the technique-specific payload (LoRA weight tensors, RAG index shards, prompt templates, MoE adapter routing tables, or hybrid bundles) along with a declared metadata envelope including authority identity, declared dependencies, declared base-model compatibility classes, declared task scope, declared regulatory scope, declared training-data provenance summaries, and declared compatibility evidence. The metadata envelope is normative: any artifact that does not carry the required envelope is structurally inadmissible regardless of its functional content.

Signing binds the metadata envelope and the payload under a credentialed authority signature. The signing sub-primitive is signature-scheme agnostic; what matters architecturally is that the bound tuple cannot be modified post-signature without detection and that the authority's credential is itself verifiable through the governance chain.

Sandbox pre-activation certification is the consumer-side sub-primitive that runs the artifact through deployment-defined evaluations before the artifact is admitted to the live inference path. Evaluations include numerical-stability checks (for weight artifacts), retrieval-quality and content-policy checks (for index artifacts), injection-resistance and policy-conformance checks (for prompt artifacts), and integration checks against any declared dependencies. The certification produces a credentialed observation recording what was tested, under what policy, and with what outcome; the observation is itself a governance-chain object.

Activation is the structural transition from sandbox-certified to live-routable. The admissibility gate consults the certification observation, the dependency-graph state, and the consumer's policy at activation time; activation is reversible, and any subsequent revocation, dependency loss, or policy change can deactivate the artifact through the same gate semantics. Cascade deactivation, federated-training contribution, and cross-model portability are all expressed as transformations on this lifecycle rather than separate processes.

9. Operating Parameters and Engineering Envelope

The primitive is parameterized by a small set of operating quantities that together define the engineering envelope of a deployable implementation. Sandbox certification latency is the time between artifact arrival at a consumer and admissibility decision. Practical deployments target sub-second certification for prompt-class artifacts (typical size 4 KB to 64 KB), one to thirty seconds for RAG index slices (typical size 1 MB to 500 MB), and bounded background certification (one to thirty minutes) for full LoRA adapters (typical size 4 MB to 2 GB at common rank/precision settings). Certification is amortized: a credentialed observation that an artifact passed sandbox under a given policy can be reused across consumers that admit the certifying authority, so most consumers see near-zero certification cost on cache hit.

Admissibility gate decision latency is bounded by the gate evaluator's policy compilation. Production targets place per-request routing at one to ten milliseconds for the gate decision itself, with the dominant cost being signature verification and dependency-graph traversal. For deployments with hundreds of concurrently-loaded artifacts, the gate maintains a precompiled dependency closure so that revocation cascades resolve in O(log n) rather than full graph re-walk. Personal-layer evaluation runs in parallel and is never gated, ensuring that the consumer's own intent always contributes at full weight regardless of upstream gate latency.

Cascade deactivation propagation is bounded by lineage depth and mesh diameter. In closed deployments (single organization, single trust boundary) cascade reaches all dependents within a single inference cycle; in cross-mesh deployments propagation completes within reconciliation windows on the order of seconds to minutes, with consumers operating in degraded mode until cascade settles. Operating envelope is therefore characterized not by a single number but by three coupled quantities — certification time, gate latency, and cascade horizon — each of which is independently tunable against the deployment's tolerance for risk and staleness.

Federated training cycles operate at deployment-defined cadences ranging from continuous (streaming gradient or preference signals) to monthly authority-published versions. The governance-chain framework imposes no minimum cycle; the practical lower bound is the privacy-aggregation window required to prevent re-identification of contributing consumers, which for typical enterprise deployments lands between one hour and seven days depending on contributor count.

10. Alternative Embodiments

The primitive admits several embodiments that vary by artifact format, certification topology, and routing implementation without departing from the disclosure. In a LoRA-only embodiment, all artifacts are low-rank adapter weights authored against a declared base-model class, certified through numerical-stability sandboxing that bounds activation magnitude and gradient flow under representative inputs. In a RAG-only embodiment, artifacts are signed retrieval indices with declared corpus provenance, certified through retrieval-quality and content-policy sandboxing. In a prompt-only embodiment, artifacts are signed prompt templates with declared variable contracts, certified through injection-resistance and policy-conformance evaluation. Hybrid embodiments combine techniques within a single artifact bundle, with the admissibility gate evaluating each component under its technique-appropriate sandbox.

Certification topology admits a centralized embodiment in which a single trusted certifier serves many consumers (suitable for regulated industries where the certifier is a regulator or compliance authority), a federated embodiment in which consumers form certification consortia and share credentialed certification observations, and a fully consumer-side embodiment in which every consumer certifies independently. The choice is policy, not architecture: the same artifact format and admissibility-gate semantics support all three.

Routing implementation admits a learned-router embodiment in which the admissibility gate is itself a small neural classifier trained on credentialed routing observations, a rule-based embodiment in which routing follows declarative policy expressions, and a hybrid embodiment in which the learned router proposes and the rule engine confirms. The personal-layer carve-out is implementation-invariant: regardless of router type, the personal layer contributes at full weight.

A regulatory-aware embodiment specializes the primitive for jurisdictionally-bounded LLM adaptation. Artifacts declare regulatory scope (GDPR, HIPAA, CCPA, EU AI Act risk class, FDA SaMD class, and analogous frameworks); the admissibility gate refuses activation outside declared scope; and cascade deactivation triggers automatically when a consumer crosses a jurisdictional boundary detected through credentialed location or data-classification observations. This embodiment is particularly relevant to multinational deployments where a single base model serves consumers under disparate regulatory regimes.

11. Composition with the Broader Architecture

Spatial adaptation artifacts are not a standalone product. They compose with several other primitives in the disclosed architecture, and the composition is load-bearing for production deployment. Composition with the governed mesh (Article 1) provides the distribution substrate: artifacts propagate through the same credentialed-observation infrastructure that carries any other governed payload, inheriting the mesh's properties of authority-credentialing, mobile store-and-forward, and intentional disconnect.

Composition with cross-mesh reconciliation (Article 14) provides the consistency story across trust boundaries. When an artifact is admitted in one mesh and observed in another, reconciliation determines whether the second mesh's admissibility policy admits the first mesh's certification or requires its own. The reconciliation primitive handles the four canonical cases (mutual admission, asymmetric admission, mutual refusal, and conditional admission with re-certification) without requiring a global authority.

Composition with the governance chain (Article 2) provides the five umbrella properties — credentialing, lineage, attribution, revocability, and admissibility — to every artifact lifecycle event. Artifact authoring is credentialed; activation is lineage-recorded; routing decisions are attributed; revocation is first-class; admissibility is the gate. No artifact event escapes the governance chain.

Composition with mesh-distributed firmware updates extends the same primitive to non-LLM substrates: a robot's behavior policy, a vehicle's perception adapter, a sensor's calibration profile can all be expressed as signed adaptation artifacts under the same admissibility-gate semantics. The architecture is therefore not LLM-specific; it is a general primitive for runtime behavioral adaptation under governance.

Composition with the personal-layer primitive (referenced above and disclosed in detail in adjacent articles) ensures that no degree of third-party skill admission can override consumer sovereignty. This is the structural answer to the recurring concern in agent-platform discourse that runtime-loaded skills can be adversarially manipulated to subvert consumer intent.

12. Prior-Art Distinctions

Several adjacent technologies share surface features with the disclosed primitive but do not anticipate the combination claimed. Sigstore and related software-supply-chain signing frameworks provide artifact signing and transparency logs, but do not provide consumer-side admissibility evaluation, dependency-chained cascade deactivation, or admissibility-gate-as-router. They sign that an artifact is what it claims to be; they do not gate whether to activate it under a consumer's policy.

LoRA, PEFT, and adapter-tuning literature describe artifact formats and training procedures but do not address runtime admissibility, cross-model portability under credentialed compatibility, or the unification of skill selection and inference routing in a single gate. They are component techniques, not architectures.

HuggingFace Hub, Replicate, and analogous artifact registries provide centralized hosting and basic provenance metadata but operate under a single platform-operator trust model. They do not provide consumer-side certification, do not propagate cascade deactivation transitively across dependent artifacts, and do not unify the admissibility decision with the routing decision.

Anthropic Skills, OpenAI Custom Actions, Google Gemini Extensions, and Microsoft Copilot Studio ship runtime-loadable skill abstractions but, as currently disclosed, embed admissibility and routing within the platform operator's policy rather than the consumer's. They do not provide always-active personal-layer carve-out, cross-platform portability, or transitive cascade deactivation under decentralized authority.

Federated learning literature describes training cycles across distributed contributors but does not unify the trained artifact with admissibility gating, dependency chaining, or cross-model portability. The disclosed primitive imports federated training as one component of a broader architecture rather than constituting a federated-learning system on its own.

13. What This Is Not

This is not the App Store / Google Play / HuggingFace Hub. Those have a single platform operator and centralized policy gating. The governed primitive operates without an operator.

This is not Anthropic Skills, OpenAI Custom Actions, Google Gemini Extensions, or Microsoft Copilot Studio as currently shipped. The governed primitive could underpin those products with the architecture they currently lack: consumer-side certification, dependency-chained cascade deactivation, cross-model portability, and admissibility-gate-as-skill-router.

This is not LoRA / PEFT / sigstore alone. Those are component techniques that the governed primitive composes; the architecture is broader than any single technique.

14. Disclosure Scope and Implementation Latitude

This article discloses spatial adaptation artifacts as runtime-loadable, signed, dependency-chained behavioral modifications gated through consumer-side sandbox certification and routed through an admissibility gate that doubles as skill router. The disclosure includes operating-parameter envelopes, multiple alternative embodiments across artifact format and certification topology, composition with adjacent governed-mesh primitives, and structural distinctions from neighboring prior art including Sigstore, LoRA/PEFT, HuggingFace Hub, and the current generation of agent-platform skill abstractions.

Implementation latitude within the disclosure is broad. Specific signature schemes (Ed25519, ECDSA, post-quantum candidates), specific sandbox technologies (containers, microVMs, WebAssembly, hardware-isolated enclaves), specific routing-engine implementations (rule-based, learned, hybrid), specific dependency-graph encodings, and specific federated-training algorithms (FedAvg, FedProx, secure-aggregation variants) are all implementation choices that remain within the scope of the disclosed primitive when they preserve the architectural properties: signed authoring, consumer-side admissibility, dependency-chained cascade deactivation, cross-model portability under credentialed compatibility, and admissibility-gate-as-router with always-active personal-layer carve-out.

Substrate latitude is similarly broad. While the motivating case is large-language-model adaptation, the same primitive applies to vision-model adapters, multimodal model adapters, robot policy artifacts, vehicle perception adapters, sensor-calibration profiles, and any other runtime-loadable behavioral modification under governance. The disclosure is substrate-independent at the architectural level, and the parameter envelopes given are characteristic ranges rather than constraints.

Conclusion

Spatial adaptation artifacts provide runtime skill loading with consumer-side sandbox certification, admissibility-gate-as-skill-router, always-active personal layer, dependency chains with cascade deactivation, cross-model portability, federated training, and decentralized mesh distribution.

Disclosed under USPTO provisional 64/049,409, the primitive provides the missing architecture for the AI-agent skill marketplace that current platforms are building ad hoc. It composes with the governed mesh, mesh-distributed firmware updates, and the five-property governance chain umbrella.