Governed Observation: Authority-Credentialed Bytes on the Wire
by Nick Clark | Published April 25, 2026
Every observation event traversing the spatial-mesh substrate carries an explicit governance class on its envelope. The governance class is signed by the issuing authority and travels with the observation through every relay, store-and-forward hop, and cross-domain handoff. Each downstream consumer holds its own consent envelope describing the governance classes it is structurally permitted to admit. Observations whose governance class lies outside the consumer's consent envelope are refused without inspection of the payload. The substrate is structurally incapable of delivering an out-of-envelope observation into a consumer that has not consented to it.
Mechanism
A governed observation is the unit of communication on the spatial-mesh substrate, as taught in Provisional Application 64/049,409. Each observation is a structured payload comprising the observation content (sensor reading, environmental state, detected event, broadcast policy), an authority-credentialed source identifier, a dynamic-device-hash establishing continuity from prior credentialed state, a temporal scope expressed as a TTL signed by the issuing authority, a spatial scope expressed as credentialed location bounds, the governance class drawn from a published taxonomy, and a cryptographic signature binding the entire envelope including the governance class.
The governance class is not a hint and not metadata. It is a structural field of the observation envelope, populated by the issuing authority at the moment of emission and bound into the same signature that protects the payload. A relay that strips the governance class invalidates the signature; a relay that rewrites the governance class invalidates the signature; a relay that re-signs the observation under its own authority replaces the governance class with one drawn from the relay's authority, and downstream consumers see the relay's class rather than the original. The governance class therefore travels intact, or it travels not at all.
Each consumer of governed observations holds a consent envelope. The consent envelope is itself an authority-credentialed structural object, issued to the consumer by the governance authority that authorizes the consumer to operate. The envelope enumerates the governance classes the consumer is permitted to admit, the temporal and spatial scopes within which admission is authorized, and the conditions under which admission is conditional rather than free. The envelope is held in the consumer's policy reference and is loaded into the admissibility evaluator at startup.
Admission is performed by a composite admissibility evaluator that runs ahead of any payload-handling logic in the consumer. The evaluator receives the observation envelope, the consumer's consent envelope, and the current governance reference. The evaluator first verifies the cryptographic signature, then confirms that the issuing authority is recognized within the published taxonomy, then confirms that the observation's temporal and spatial scopes are within the consumer's admissible scopes, and finally confirms that the observation's governance class is enumerated within the consumer's consent envelope. The evaluator emits one of three deterministic decisions: admit, gate, or refuse. An admit decision passes the observation to the consumer's payload-handling logic. A gate decision holds the observation pending an additional authority assertion (for example, a human-in-the-loop confirmation or a higher-class governance signal). A refuse decision discards the observation and emits a refusal record into the consumer's lineage.
Default-deny is structural. An observation whose governance class is absent from the consumer's consent envelope is refused, not held. The evaluator does not fall through to a permissive default, does not consult the payload, and does not log the payload contents. The refusal record contains only the envelope fields and the reason code; the payload is structurally unread.
Operating Parameters
The governance taxonomy is published and versioned. Each governance class is identified by a stable identifier, a human-readable label, an authority-issuing scope, and a structural relationship to other classes (for example, subsumption or mutual exclusion). The taxonomy is held by a governance authority recognized within the spatial-mesh deployment; consumers and producers reference the taxonomy by version, and version mismatches are themselves grounds for refusal.
The consent envelope is bounded in scope. Each enumerated governance class within the envelope carries a temporal scope (the period during which admission is authorized), a spatial scope (the location bounds within which admission is authorized), and an optional conditional clause (the additional governance signals required for a gate-to-admit transition). An observation that matches the class but exceeds the temporal or spatial scope is refused; an observation that matches the class within scope but lacks the conditional signal is gated.
The continuity proof — the dynamic-device-hash — is verified before the governance check. A producer whose continuity is broken (a hash that does not chain to the producer's prior credentialed state) cannot have its governance class accepted, regardless of the class's match to the consent envelope. Continuity is a precondition for the governance class to be considered authentic.
Refusal is auditable. Every refusal emits a structural record into the consumer's lineage containing the envelope fields, the reason code, the consent-envelope version, the taxonomy version, and the timestamp. The record does not contain the payload. An auditor reading the lineage can confirm that the consumer refused the observation under the policy in force at the time, without the auditor's inspection becoming a side channel for the refused payload.
Gating is bounded. A gated observation is held for a policy-specified maximum interval; if the gating signal does not arrive within the interval, the gated observation is refused and a timeout-refusal record is emitted. Gating cannot be used to indefinitely retain payloads outside the consumer's consent envelope.
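The evaluation order from the Mechanism section and the per-class scope and conditional rules above, as an added Python example (not code from the disclosure or its author). HMAC-SHA256 stands in for the authority signature, the dynamic-device-hash is assumed to be a hash of the prior state plus the source identifier, and every name, key, class and reason code is constructed for illustration.

```python
import hashlib, hmac, json

# All values are constructed. HMAC-SHA256 stands in for the authority signature;
# the continuity rule (hash of prior state + source id) is an assumption.
TAXONOMY = {"version": "tax-v3", "authorities": {"auth:harbor": b"demo-key"}}
FIELDS = ("source", "authority", "device_hash", "not_after", "bounds",
          "gov_class", "taxonomy")          # signed envelope fields, no payload
SCOPE = {"window": (100, 900), "bounds": ((50, 52), (3, 5))}
CONSENT = {"version": "consent-v7", "classes": {
    "nav.marker": SCOPE, "env.hazard": {**SCOPE, "requires": "operator-confirm"}}}

def sign(obs, key):
    """MAC over every envelope field, the governance class and the payload."""
    body = json.dumps([obs[f] for f in FIELDS]).encode() + obs["payload"]
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def chain(prior_hash, source):
    return hashlib.sha256((prior_hash + source).encode()).hexdigest()

def make_obs(gov_class, **over):            # constructed producer, prior state "s0"
    obs = {"source": "buoy-17", "authority": "auth:harbor", "not_after": 500,
           "device_hash": chain("s0", "buoy-17"), "gov_class": gov_class,
           "bounds": ((51, 51.5), (4, 4.5)), "taxonomy": "tax-v3",
           "payload": b"opaque", **over}
    return {**obs, "sig": sign(obs, TAXONOMY["authorities"]["auth:harbor"])}

def evaluate(obs, consent, prior_hash, now, signals=frozenset()):
    """Return (decision, lineage_record); the record never holds the payload."""
    def out(decision, reason):
        return decision, {**{f: obs[f] for f in FIELDS}, "reason": reason,
                          "timestamp": now, "consent_version": consent["version"],
                          "taxonomy_version": TAXONOMY["version"]}
    key = TAXONOMY["authorities"].get(obs["authority"])
    if key is None or not hmac.compare_digest(sign(obs, key), obs["sig"]):
        return out("refuse", "SIGNATURE_OR_AUTHORITY")
    if obs["taxonomy"] != TAXONOMY["version"]:
        return out("refuse", "TAXONOMY_VERSION_MISMATCH")
    if obs["device_hash"] != chain(prior_hash, obs["source"]):
        return out("refuse", "CONTINUITY_BROKEN")
    entry = consent["classes"].get(obs["gov_class"])   # absent class: default-deny
    if entry is None:
        return out("refuse", "CLASS_NOT_CONSENTED")
    in_time = entry["window"][0] <= now <= min(entry["window"][1], obs["not_after"])
    in_space = all(lo <= a and b <= hi for (a, b), (lo, hi)
                   in zip(obs["bounds"], entry["bounds"]))
    if not (in_time and in_space):
        return out("refuse", "OUT_OF_SCOPE")
    if entry.get("requires") and entry["requires"] not in signals:
        return out("gate", "AWAITING_SIGNAL")
    return out("admit", "OK")
```

Rewriting `gov_class` on an already signed observation fails the first check, and a class missing from `CONSENT` is refused with a record that carries only envelope fields.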
Alternative Embodiments
In a first embodiment, the consent envelope is held entirely on the consumer device and the admissibility evaluator runs in-process. This embodiment is suitable for autonomous units operating with intermittent connectivity to governance authorities; the envelope is refreshed when connectivity is available and is enforced from the local copy in between.
In a second embodiment, the consent envelope is held by an edge governance proxy that fronts a fleet of consumers. Observations arrive at the proxy, are evaluated against the fleet-wide envelope, and are forwarded to the consumers only on admit. This embodiment is suitable for dense deployments in which envelope updates are issued at fleet scope and individual consumer devices are constrained.
In a third embodiment, the governance class is hierarchical: an observation may carry a primary class and one or more subordinate classes, and the consumer's consent envelope is matched against the most specific class that resolves within the published taxonomy. This embodiment supports cross-domain interoperation in which a base class is broadly admissible but specialized subclasses are restricted.
In a fourth embodiment, gating is delegated: the consumer's consent envelope identifies a gating authority to which gated observations are referred, and the gating authority returns admit or refuse decisions on the consumer's behalf. This embodiment supports human-in-the-loop and supervisor-attested workflows without coupling each consumer to the gating authority's implementation.
In a fifth embodiment, the consent envelope is itself produced by composition: a consumer holds multiple envelopes (for example, a regulatory envelope, an operator envelope, and a mission envelope) and the effective admissibility is the intersection of the envelopes. An observation must satisfy every envelope to be admitted; refusal under any one is sufficient. This embodiment supports operations that are simultaneously bound by regulatory, contractual, and mission-specific governance regimes.
Composition with the Spatial-Mesh Architecture
Every other primitive in the spatial-mesh architecture consumes governed observations, and consumes them through the same admissibility framework. Marker-track transport admits credentialed marker observations whose governance class authorizes route construction; observations outside the route-construction class are refused without payload inspection. Confidence-governed actuation admits credentialed environmental observations whose class authorizes mode transitions; off-class observations cannot move the actuator out of its current mode. Matched-pair settlement admits credentialed pairing observations whose class authorizes settlement within the pairing's proximity window; off-class observations cannot complete a settlement.
The uniformity is the architectural property that makes the spatial mesh composable. A new primitive added to the architecture inherits the admissibility framework: it declares which governance classes it admits, it loads its consent envelope from the policy reference, and it consumes governed observations through the same composite evaluator that every other primitive uses. There is no per-primitive authentication path, no per-primitive governance integration, and no per-primitive audit pattern; all three emerge from the structure of the observations themselves and the structure of the consent envelopes.
Cross-domain interoperation follows from the same property. Maritime, aviation, terrestrial, and indoor authorities each issue observations within domain-specific governance taxonomies; consumers operating across domains hold consent envelopes that enumerate the classes they admit from each domain. A maritime authority's observation cannot enter an indoor consumer that has not enumerated the maritime class, and vice versa, regardless of the underlying transport. The cross-domain reach of the architecture is the reach of the consent envelopes, and is structurally bounded by them.
Prior-Art Distinction
Conventional protocols treat communication at the packet level: the unit is a packet, authentication is a layer above the packet, and governance is a layer above authentication. Each layer is a separate integration; the cumulative integration produces friction at every cross-layer boundary and creates structural gaps where governance assumptions made at one layer are not visible at another. Governed observation collapses the layers into a single structural unit. The credential, the continuity proof, the temporal and spatial scopes, the governance class, and the payload travel together under a single signature, and receivers evaluate the unit as a whole rather than reconstructing governance from layered components.
Attribute-based access control systems likewise associate attributes with subjects and objects, but they typically evaluate access at a policy decision point that is logically separate from the data's transport. Governed observation binds the access-relevant attributes (governance class, authority, scope) into the transported envelope itself, so that no policy decision point exists between the producer and the consumer that could be bypassed, replayed against, or desynchronized from the data in flight. The substrate carries the access decision's inputs, not just the data the decision concerns.
Disclosure Scope
The disclosure covers the governed-observation envelope, the inclusion of the governance class within the signed envelope, the consent-envelope structure held by consumers, the composite admissibility evaluator, the admit/gate/refuse decision, default-deny semantics, the structural refusal record, and the embodiments enumerated above. It also covers the composition of the primitive with marker-track transport, confidence-governed actuation, matched-pair settlement, and any subsequently added spatial-mesh primitive that adopts the same admissibility framework.
The disclosure is independent of any particular sensor modality, transport medium, or operational domain. The same governed observation applies to acoustic, optical, radio, and inertial sensors; to wired, wireless, and store-and-forward transports; and to maritime, aviation, terrestrial, and indoor deployments. The disclosure is the structural primitive on which the spatial-mesh substrate's governance properties rest.