Appendix A: Formal Models and Invariants
Mathematical formalization of ASCP transitions and invariants.
Reference depth
Authority, evidence, and replay
Appendix B: Threat Model
The Autonomous State Control Plane can be modeled as a governed transition system in which probabilistic reasoning produces candidate intents, but only validated intents may induce bounded execution events. This appendix defines the core objects used by the architecture and states the invariants that should hold across implementations.
Formalization Goal
The goal of the formal model is not to prescribe one implementation, but to define the invariants that any trustworthy implementation must preserve.
To complement the systems and institutional descriptions in the main text, this appendix establishes the formal mathematical skeleton of the control plane. This model does not claim to prove absolute safety or dictate specific verification engines; instead, it establishes the minimum set of relational invariants necessary to govern, rather than merely automate, autonomous execution.
Notation
Table 21 summarizes the symbols used throughout the appendix.
| Symbol | Meaning |
|---|---|
| A | Actor, agent, or requesting principal |
| M | Reasoning model or external agentic system |
| I | Structured intent proposed for governance |
| C | Context snapshot used for policy evaluation |
| Ξ | Policy set or policy evaluation function |
| D | Governance decision |
| K | Execution contract |
| EID | Proof-derived execution identity |
| X | Execution event or bounded state mutation |
| π | Evidence chain |
| π | Protocol in Protocol-Driven Development |
| π’ | Structural invariants |
| π | Behavioral invariants |
| π | Operational invariants |
| t | Time or validity interval |
These symbols represent logical abstractions rather than specific implementation constraints. An execution contract K, for instance, may be encoded as a cryptographically signed token, a database record, a policy-engine artifact, or a capability descriptor. The invariant lies not in the concrete representation, but in the strict confinement of execution authority to the bounds of the approved contract.
System Model
At a high level, the Autonomous State Control Plane can be represented as:
where S is system state, I is a structured intent, C is a context snapshot, Ξ is a policy set or evaluation function, D is a governance decision, K is an execution contract, EID is proof-derived execution identity, X is an execution event, and π is the evidence chain.
A governed transition can be written as:
Admissibility of a state transition requires prior intent evaluation, a formal policy decision, contract issuance, derivative identity binding, and non-repudiable evidence recording. Crucially, the reasoning model M lacks the authority to induce state transitions directly. While M may generate proposals, plans, or candidate configurations, it cannot establish authorization.
This distinction formalizes the control-plane doctrine: M may influence the candidate intent I, but it must never induce execution X directly. State mutation occurs exclusively through the governed transition relation.
This architecture isolates probabilistic uncertainty from deterministic authority. While the reasoning layer proposing I may be non-deterministic, heuristic-driven, or external, the governance relation remains deterministic: given the same intent, context snapshot, policy definition, and contract parameters, the control plane must reconstruct an identical decision. Conformant implementations need not employ identical engines, but they must guarantee the reproducibility of the decision path.
Furthermore, the transition system treats non-execution outcomes (such as denial, escalation, simulation, or deferral) as first-class events. Recording blocked or constrained candidate transitions is essential for system auditing, policy refinement, and continuous context adjustments. Consequently, the transition system tracks both state-changing executions and evidence-updating rejections.
Compositionality of Governed Transitions
Governed workflows often contain multiple steps. A single high-level task may decompose into sub-intents, delegated actions, tool calls, or nested agentic loops. A governed transition can be represented as:
A composed workflow is then:
Let Gov(gi) = true denote that transition gi satisfies the governance requirements of this appendix: intent precedes execution, policy precedes contract, identity is no broader than contract, execution satisfies contract, and evidence is complete. A governance-preserving composition can be stated as:
A composed workflow preserves governance if and only if every constituent transition is governed and the composition prevents authorization creep, evidence loss, or policy evasion. Composition must not become a mechanism for policy bypass. This compositionality requires explicit sub-intents, distinct contracts for delegated actions, nested evidence chains that preserve lineage, and explicit policy controls governing delegation.
For foundational approaches to these formalizations, we refer readers to categorical semantics [1], compositional verification [2], and denotational semantics [3].
Intent Model
An intent is the boundary artifact between reasoning and governance. It captures a claim that a state transition should be considered; it is not itself authority. A compact intent model is:
where a is the actor or requester, o is the objective, r is the requested action, q is the target scope, j is the justification, and Ξ± is the set of assumptions or constraints proposed by the reasoning layer.
The intent object decouples semantic intent from executable authority. Unlike raw tool invocations, an intent encapsulates the objective, contextual assumptions, risk categorization, and institutional justification required for governance.
Define:
only if the intent is structurally well-formed and contains sufficient fields for governance evaluation. Structural validity does not imply approval. It means the control plane has enough information to proceed to context acquisition and policy evaluation. A syntactically valid intent may still be denied, constrained, escalated, deferred, or returned for additional context.
Context and Policy
Policy evaluation depends on context. A context snapshot can be modeled as:
where St is current system state, R is the relevant resource or domain scope, and t is the time of evaluation. The context snapshot may include system health, ownership metadata, dependency state, user or workflow state, risk signals, incident status, change windows, or domain-specific constraints.
Policy evaluation is written:
where:
Policy decisions are intrinsically bound to the context snapshot under which they are evaluated. The same intent may yield divergent decisions as context evolvesβfor example, permitting resource termination when a node is out of rotation, but denying it when serving active traffic. To maintain accountability, the evidence chain must store the complete context snapshot and the exact policy version used during evaluation.
Execution Contracts
An execution contract is the bounded artifact that connects governance to runtime authority. It can be modeled as:
where Ξ² denotes execution bounds and Ο denotes the validity interval. The contract specifies the allowed operation, target resources, parameter bounds, time bounds, context assumptions, evidence requirements, and revocation conditions.
The execution contract translates policy decisions into enforceable bounds. A decision that denies execution must never yield a contract. A decision that allows or constrains execution generates a contract K defining the parameters, resources, and temporal boundaries of permissible operations.
Contract compliance can be written:
meaning that the observed execution event satisfies the bounds specified by the contract. Admissibility requires that the observed execution event strictly satisfies the contract (X β¨ K). Any deviationβsuch as exceeding a traffic-shifting percentage, targeting an unapproved resource, or executing outside the temporal windowβconstitutes a violation that must be blocked by runtime enforcement. The contract is a dynamic boundary enforced at runtime, not mere retrospective documentation.
Proof-Derived Execution Identity
Execution identity is derived from proof artifacts rather than standing entitlement. A compact model is:
where identity is computed from validated intent, context snapshot, policy decision, execution contract, and validity interval. The identity may be implemented as a short-lived credential, signed capability, scoped token, session policy, workload identity claim, or adapter-enforced authorization. The implementation may vary, but the authority must be derived from the approved contract.
Identity validity can be expressed as:
where EID βΌ K means that the authority granted by the identity is no broader than the authority specified by the contract.
The inequality EID βΌ K formalizes the principle of proof-derived least privilege: the issued execution identity must never convey authority exceeding the limits set by the contract.
Execution identity must be transient, task-scoped, revocable, and tightly coupled to the evidence chain. If an identity outlives its contract, targets unauthorized resources, or permits unapproved operations, the system collapses back into a model of standing privilege.
Evidence Chain
The evidence chain records the governance path. A minimal sequence is:
where eI is the intent event, eC is the context snapshot event, eD is the policy decision event, eK is the execution contract event, eEID is the identity issuance event, eX is the execution event, and eV is the verification event.
Define evidence completeness:
if the chain contains all evidence required for the executed mutation. Evidence completeness ensures that an independent auditor can reconstruct the entire authorization lineage. This completeness must extend to rejections, escalations, and simulations, as these negative paths contain vital information regarding policy efficacy and system safety.
While concrete implementations may utilize append-only logs, cryptographic signatures, or distributed ledgers to guarantee non-repudiation, this model remains mechanism-neutral. The invariant requires only that the recorded evidence is sufficient to verify, audit, and reconstruct the decision path.
Replay Semantics
Replay reconstructs the governance decision path from recorded evidence. A simple replay function is:
A replay is consistent if:
under the recorded intent, context snapshot, and policy version. Replayability guarantees that a past governance decision can be deterministically reproduced from the evidence chain under the corresponding context snapshot and policy version.
Replay does not require the reasoning model to reproduce its internal probabilistic generation paths. Instead, replay reconstructs the deterministic governance boundary that validated and authorized the execution. Replayability isolates the probabilistic reasoning layer from the deterministic control plane, focusing exclusively on the structured intent, context snapshot, policy version, and contract parameters.
Protocol-Driven Development Model
Protocol-Driven Development governs generated software and system components before they participate in operational execution. The protocol is modeled as:
where π’ denotes structural invariants, π denotes behavioral invariants, and π denotes operational invariants.
An implementation is admissible when:
meaning that the implementation satisfies the structural, behavioral, and operational invariants required by the protocol. Under Protocol-Driven Development, source code is treated as a candidate realization of a protocol, rather than the primary source of authority.
Type-Theoretic View of Protocol Admission
A type-theoretic interpretation of PDD treats protocol admission as the judgment that a candidate implementation inhabits the admissible space defined by structural, behavioral, and operational invariants.
where impl : π represents the judgment that the implementation code inhabits the space defined by the protocol.
Here, structural invariants (π’) map to interface type constraints, behavioral invariants (π) map to refinement types or behavioral contracts, and operational invariants (π) map to effect types and resource bounds. While advanced type systems (such as refinement, dependent, or effect types) can statically verify some of these properties, they complement rather than replace sandboxing, runtime simulation, and audit capabilities.
Advanced formalizations of the symbolic layer can draw upon foundational work in refinement types [4], dependent types [5], and typed effect systems [6].
Admission may be verified through static analysis, type checking, schema validation, property-based testing, sandboxed execution, simulation, or manual review. The critical requirement is that a generated artifact only transitions to operational status when explicit evidence demonstrates conformity to the governing protocol.
Core Safety Invariants
The following invariants formalize the core constraints of governed execution and constitute the implementation compliance criteria.
Invariant 1 - No Direct Reasoning-to-Execution.
A reasoning model must never induce a state mutation directly. Reasoning models generate proposals and candidate actions; execution authority is established solely by the control plane.
Invariant 2 - Intent Precedes Execution.
Every execution event must map to a prior structured intent. Unattributed or direct execution violates the governance boundary.
Invariant 3 - Policy Decision Precedes Contract.
Execution contracts must derive from a deterministic policy decision evaluated against the active context. A contract generated without a corresponding decision has no standing authority.
Invariant 4 - Identity Is No Broader Than Contract.
The authority granted by the proof-derived execution identity must never exceed the bounds of the active contract, enforcing runtime least privilege.
Invariant 5 - Execution Must Satisfy Contract.
Observed execution must conform strictly to the active contract. Runtime enforcement must block any out-of-bounds mutation.
Invariant 6 - Evidence Completeness.
Every execution event must produce an evidence chain sufficient for complete decision replay and audit, preserving the authorization path.
Invariant 7 - Replayability.
The original governance decision must be reconstructable from the evidence chain using the recorded context snapshot and policy version.
Invariant 8 - Protocol Admission.
A generated artifact transitions to operational status if and only if it is formally admitted under its governing protocol.
| Invariant | Meaning |
|---|---|
| No direct reasoning-to-execution | Models may propose, but cannot directly mutate governed systems |
| Intent precedes execution | Every execution event is linked to a structured intent |
| Policy precedes contract | Contracts are derived from policy decisions over context |
| Identity no broader than contract | Runtime authority cannot exceed approved execution bounds |
| Execution satisfies contract | Observed execution remains within approved scope |
| Evidence completeness | Execution has sufficient evidence for replay and audit |
| Replayability | Governance decisions can be reconstructed from evidence |
| Protocol admission | Generated artifacts are operational only after satisfying protocol invariants |
Discussion
This formal model remains strictly implementation-neutral. The logical componentsβsuch as contracts, decisions, and evidenceβcan be instantiated across diverse environments, policy engines, and identity layers. For example, one deployment may represent contracts as cryptographically signed capability tokens, while another may use database-backed records enforced by resource adapters. Similarly, policy evaluation may utilize languages like Cedar, OPA/Rego, or bespoke institutional workflow engines.
The core invariants represent portable governance obligations that survive changes in underlying infrastructure. Whether deployed on domestic, global, sovereign, public, or hybrid clouds, the control-plane properties remain identical. The appendix serves as a formal interface contract between architectural design and concrete implementations. It acknowledges the realities of engineering systems: context snapshots may be incomplete, reasoning models will remain probabilistic, and policy configurations will evolve. The control plane handles this incomplete information through deterministic mechanisms like escalation, context requests, or constraints.
Future formalizations can extend this model by defining equivalence relations over intents, refinement relations over contracts, temporal decay models for context, and composition rules for multi-agent validation. Regardless of these extensions, the fundamental flow of authority remains invariant: reasoning models propose, policies decide, contracts bound, identities authorize, execution emits evidence, and replay enforces accountability.
The specific mechanisms may vary across institutions and infrastructures, but the invariants should remain stable: intent before execution, proof before privilege, evidence before trust, and protocol before implementation.
References
- [1]Benjamin C. Pierce. Basic Category Theory for Computer Scientists. MIT Press. 1991.
- [2]Willem-Paul de Roever; Hans Langmaack; Amir Pnueli. Compositionality: The Significant Difference. Springer-Verlag. 1998.
- [3]Winskel, Glynn. The Formal Semantics of Programming Languages: An Introduction. MIT Press. 1993.
- [4]Tim Freeman; Frank Pfenning. Refinement types for ML. Proceedings of the ACM SIGPLAN 1991 Conference on Programming Language Design and Implementation (PLDI), ACM. 1991.
- [5]Hongwei Xi; Frank Pfenning. Dependent types in practical programming. Conference Record of the 26th Symposium on Principles of Programming Languages (POPL'99), ACM. 1999.
- [6]John M. Lucassen; David K. Gifford. Polymorphic Effect Systems. Proceedings of the 15th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM. 1988.