CARA v1.2.2 — Cognitive Authority Recovery Architecture

Input Vector

Continuous Inputs [0, 1]

τ₀ tau_prior0.10

τₜ tau_current0.75

S salm_score0.80

C confirm_score0.70

A anomaly_clear0.60

t t_locked8

Boolean / State Inputs

ew_active — Electronic Warfare threat active

φ phase_prior

Quick Scenarios

DOWNLOAD

Recovery Score R

R = computeRecovery(inputs)

—

00.200.450.701.0

PHASE_ILOCKEDR<0.20

PHASE_IIMONITORED0.20–0.45

PHASE_IIICONDITIONAL0.45–0.70

PHASE_IVCLEARED≥0.70+gate

Component Breakdown

Weighted Contributions to R

temporal_factor

—

Δτ score (w=0.35)

—

SALM (w=0.25)

—

Confirm (w=0.25)

—

Anomaly (w=0.15)

—

EW penalty

—

R (final)

—

Active Guards

G0 INPUT_VAL G1 MIN_LOCK G2 NAN_GUARD G3 HYSTERESIS G4 SALM_GATE

Graduated Re-Entry Protocol (GREP)

Four operationally distinct re-entry phases with symmetric hysteresis band = 0.03 at each boundary. Phase IV additionally requires salm_score ≥ 0.60 (G4 policy gate, unconditional). FAULT is outside GREP.

PHASE_ILOCKEDR < 0.20

Permitted actions: None. RTB mandatory. No re-entry until T_MIN_LOCK elapsed.
Advance requires: R ≥ 0.20 + 0.03 = 0.23 (hysteresis advance band applied)
Liveness note: MIN_TEMPORAL_FACTOR=0.25 guarantees R_min = 0.237 > 0.20 at ideal inputs, regardless of lockout duration. Phase II always reachable.

PHASE_IIMONITORED0.20 ≤ R < 0.45

Permitted actions: Sensor validation only. Read-only telemetry. Human confirmation required for any state change.
Advance requires: R ≥ 0.45 + 0.03 = 0.48
Retreat requires: R < 0.20 − 0.03 = 0.17

PHASE_IIICONDITIONAL0.45 ≤ R < 0.70

Permitted actions: Limited waypoint navigation. Dual-party signed authorization. SALM audit active.
Advance requires: R ≥ 0.70 + 0.03 = 0.73 AND salm_score ≥ 0.60 (G4 gate)
Retreat requires: R < 0.45 − 0.03 = 0.42
Note: G4 SALM demotion from Phase IV always lands here.

PHASE_IVCLEAREDR ≥ 0.70 AND salm ≥ 0.60

Permitted actions: Full re-authorization. Re-enters HMAA at T2 minimum.
Retreat requires: R < 0.70 − 0.03 = 0.67 OR salm_score drops below 0.60 (G4 overrides immediately)
HMAA handoff (two-phase commit): CARA computes PHASE_IV → integration layer issues SALM write to HSM → HSM cryptographic ACK → T2 signal forwarded. Power-loss before ACK rolls back to PHASE_III. No split-brain.
Policy invariant (I4): salm_score < 0.60 blocks this phase regardless of R or hysteresis. G4 is the final unconditional override.

FAULTSYSTEM ERRORG0 violation — outside GREP

Triggered by: Invalid input types, out-of-range continuous values, malformed phase_prior, non-integer t_locked, non-boolean ew_active.
Semantics: GREP suspended. Diagnostic reflex required upstream. FAULT ≠ PHASE_I: FAULT = pipeline failure; PHASE_I = legitimate operational lockout. Confusing them masks system errors as environmental conditions.

Threshold Rationale

Threshold	Value	Derivation
PHASE_I_MAX	0.20	Derived from liveness requirement: MIN_TEMPORAL_FACTOR(0.25) × weighted_sum_max(0.9955) = 0.249 > 0.20 must hold.
PHASE_II_MAX	0.45	Gap from PHASE_I_MAX = 0.25 ≫ 2×HYSTERESIS_BAND(0.06). Prevents hysteresis deadlock. Operationally distinguishable region.
PHASE_III_MAX	0.70	Same 0.25 gap requirement. Leaves meaningful Phase IV range [0.70–1.0] for HMAA handoff.
HYSTERESIS_BAND	0.03	Assumes sensor noise < ±3%. All inter-phase gaps (0.25) satisfy gap ≫ 2×band(0.06). No deadlock possible.
SALM_PHASE_IV_GATE	0.60	Policy decision. Matches sigmoid inflection THETA_CONFIRM=0.60 by design. 60% audit integrity is the minimum defensible threshold for full re-authorization.

Invariant Classification

Class	Guaranteed by	Fails if	Evidence standard
ALGEBRAIC	Formula structure. Independent of parameterization.	Code changes only.	Code inspection.
POLICY	Guard ordering (G4 final override). Independent of weights.	Guard ordering changes.	H4 (stateful), H6 (stateless).
PARAMETER	Current weight/threshold assignments.	Weight or threshold changes. Must re-verify.	H3, H3b. Labels: [parameter-enforced].

Hazard Checks — RACE v1.2.2 · seed=42

Safety Invariants

ID	Statement	Class	Enforcement
I1	R ∈ [0, 1] always	Algebraic	clamp(R_raw, 0, 1) after G2 NaN guard.
I2	t_locked < T_MIN_LOCK ⟹ R = 0	Algebraic	G1 early return.
I3	EW active ⟹ Phase ≤ III	Parameter	EW×0.40 under current weights. Re-verify if weights change.
I4	salm_score < 0.60 ⟹ Phase IV hard-blocked	Policy	G4 runs last; unconditional override. No scoring path can reverse it.
I5	No NaN/Inf propagation in R	Algebraic	G0 rejects invalid inputs; G2 catches non-finite R_raw.
I6	Pipeline fault ≠ operational lockout	Algebraic	G0 returns FAULT (not PHASE_I); GREP suspended.
I7	Phase II reachable at all t_locked	Algebraic	MIN_TEMPORAL_FACTOR=0.25; 0.25×0.9955=0.249>PHASE_I_MAX(0.20).

Bounded Adversary Model

CARA operates under an explicit bounded adversary model. The boundary between EW as a parameter-enforced invariant and SALM as a policy-enforced invariant follows directly from what the adversary can and cannot control.

Adversary CAN

Communications denial & degradation

Jam, spoof, or delay signals affecting tau_current, confirm_score, anomaly_clear. Can fabricate plausible in-range values. G0 catches malformed inputs — not plausible-but-false ones.

EW injection

Activate EW suites degrading sensor chain and triggering ew_active=true. EW state provenance is verified by EW detection hardware, outside CARA's scope.

Clock / timing manipulation

Induce tick jitter, processing starvation, bus contention affecting t_locked cadence. CARA's discrete step model abstracts physical time — a deployment-ready integration uses a hardware-backed monotonic clock to derive t_locked.

Partial SALM corruption

Drive salm_score below 0.60, triggering G4 gate. Total destruction (salm_score=0) is maximum adversarial impact on this channel.

Adversary CANNOT

Forge HSM signatures

Hardware Security Module keys are out of scope. SALM entries authenticated by HSM are treated as trusted by cryptographic assumption.

Modify WORM NVM

Write-Once Read-Many memory is physically non-modifiable. Replay or truncation attempts are detectable; reduce salm_score.

Tamper with RACE binary

Engine must be verified by secure boot chain at platform level. computeRecovery is a pure function with no runtime modification path.

Saturate all five evidence channels

If adversary controls all five recovery signals simultaneously, the lockout condition itself is compromised by a deeper systemic failure outside CARA's scope.

Design Implications

Why SALM is a policy gate (G4)

SALM corruption is qualitatively different from EW signal noise. An adversary who corrupts the audit chain eliminates the system's ability to reason about its own state history — not merely degrades one evidence channel.

A weighted approach would allow high tau_current and confirm_score to compensate for a corrupted audit trail. The G4 policy gate approach does not. This is why G4 is the final unconditional override, not a weight.

Why EW is parameter-enforced, not policy

EW is a probabilistic environmental condition that may coexist with legitimate authority. Heavy jamming impairs communications but does not invalidate the operator's credentials or the platform's sensor history.

The 0.40 EW penalty substantially reduces R without eliminating the recovery path. Caveat: if weights change, I3 must be re-verified. H3 and H3b are explicitly labeled [parameter-enforced].

Two-Phase Commit: PHASE_IV → HMAA T2

Atomic state transition protocol

Split-brain prevention: CARA computes PHASE_IV in volatile memory; HMAA must not receive the T2 signal until the SALM write is durably committed.

Phase	Actor	Action	Failure behavior
Phase 1: Prepare	CARA engine	Computes R≥0.70 + salm≥0.60. Returns PHASE_IV tentatively. Integration layer issues SALM write to HSM.	Crash before issue: no commit. State stays PHASE_III.
Phase 2: Commit	Integration layer	Awaits HSM cryptographic ACK. Only on ACK does it forward PHASE_IV signal to HMAA T2.	ACK timeout: rollback to PHASE_III. No split-brain.

computeRecovery performs no I/O and does not block on HSM. The engine's O(1) purity is preserved. Durable commitment is the integration layer's responsibility (cf. Gray & Reuter, 1992; Lamport, 2001).

Recovery Formula (Normative)

// Guard G0: validateInputs → FAULT if invalid
// Guard G1: t_locked < T_MIN_LOCK → R=0, PHASE_I

// Step 1: Temporal decay with derived liveness floor
t_excess = max(0, t_locked − T_MIN_LOCK − T_GRACE)
temporal_factor = max(0.25, exp(−0.04 · t_excess))
// Derivation: 0.25 × 0.9955 = 0.249 > PHASE_I_MAX(0.20)

// Step 2: Sensor trust delta (direction + magnitude)
Δτ_norm = max(0, min(1, (τt − τ0 + 1) / 2))
Δτ_score = 0.5·Δτ_norm + 0.5·τt

// Step 3: Sigmoid confirmation (K=10.0, θ=0.60)
confirm = 1 / (1 + exp(−10·(confirm_score − 0.60)))
// sigmoid(0.60)=0.500 · sigmoid(1.00)=0.982

// Step 4: Weighted recovery score
W = 0.35·Δτ + 0.25·salm + 0.25·confirm + 0.15·anomaly
penalty = ew_active ? 0.40 : 1.00
R_raw = temporal_factor · W · penalty

// Guard G2: NaN guard (R_raw = 0 if non-finite)
R = clamp(R_raw, 0, 1)

// Guard G3: symmetric hysteresis (band = 0.03)
// advance: require R ≥ upper_boundary + 0.03
// retreat: require R < lower_boundary − 0.03

// Guard G4 (FINAL): salm < 0.60 → demote to PHASE_III
// Unconditional. Overrides any G3 retreat_blocked.

O(1) Computational Complexity

computeRecovery operates in strict O(1) time and space — essential for hard real-time scheduling (RTCA DO-178C):

• Zero unbounded loops in the scoring path
• Zero recursive calls
• Zero dynamic memory allocations during scoring
• Constant FP operation count: 5 multiplications, 4 additions, 2 exp(), 2 max/min

WCET is bounded by worst-case cost of 2× exp() + constant. Schedulable in hard real-time task with a fixed, provably bounded deadline. No algorithmic complexity growth possible regardless of input values or t_locked magnitude.

Parameter Reference

Parameter	Value	Status
PHASE_I_MAX	0.20	Derived
PHASE_II_MAX	0.45	Threshold
PHASE_III_MAX	0.70	Threshold
MIN_TEMPORAL_FACTOR	0.25	Derived
LAMBDA_DECAY (λ)	0.04	Heuristic
T_MIN_LOCK	3	Policy
T_GRACE	5	Heuristic
W_TAU_DELTA	0.35	Heuristic
W_SALM	0.25	Heuristic
W_CONFIRM	0.25	Heuristic
W_ANOMALY	0.15	Heuristic
K_CONFIRM	10.0	Calibrated
THETA_CONFIRM (θ)	0.60	Heuristic
HYSTERESIS_BAND	0.03	Heuristic
SALM_PHASE_IV_GATE	0.60	Policy
EW_PENALTY	0.40	Heuristic

Derived = algebraically justified from system requirements. Policy = normative design decision. Calibrated = matched to documented semantic intent. Heuristic = per-deployment calibration required.

HMAA ↔ CARA Lifecycle

System	Direction	Entry/Exit Condition
HMAA	→ Lockout	Authority A < T0 threshold. Returns T0 (LOCKOUT). Triggers CARA entry.
CARA	→ Recovery	Computes R ∈ [0,1]. PHASE_IV + HSM ACK → HMAA re-entry.
HMAA	← Re-entry	Resumes at T2 minimum (RESTRICTED). Never direct to T4.

Shared infrastructure: SALM audit chain, HSM keys, WORM NVM. Complete audit trail from lockout event through GREP phases to T2 re-entry is preserved and cryptographically verifiable.

Historical Defect Record

Nine defects across three adversarial review cycles. The gap between initial prototype confidence and verified rigor is a primary result of this project. Complete CHANGELOG with code context in simulate.js.

v1.0.0Overclaimed invariant

I4 stated but not enforced. salm=0.15 with all-max inputs produced R=0.72 → PHASE_IV. G4 hard gate added; SALM_PHASE_IV_GATE=0.60.

v1.0.0One-sided hysteresis

Only retreat blocked; advance was immediate at raw threshold. Symmetric dead-band added: both directions require crossing boundary ±0.03.

v1.0.0Parameter mismatch

K=2.5 gave sigmoid(1.0)=0.731. Documentation claimed "near-full credit." K raised to 10.0; sigmoid(1.0)=0.982.

v1.0.0Dead constants

5 constants defined but never referenced in computation. All removed.

v1.1.0Stateful SALM bypass

Critical. G4 before G3: G4 demoted PHASE_IV→III; G3 retreat_blocked immediately restored PHASE_IV, nullifying G4. Measured: 144/5000 bypass rate (2.88%). G4 moved to final position. 0/5000 post-fix.

v1.1.0Liveness failure

No temporal floor. At t_excess=200: temporal_factor≈0.0003 → R≈0 permanently. MIN_TEMPORAL_FACTOR=0.25 derived algebraically: 0.25×0.9955=0.249>0.20.

v1.1.0Fault masking

G0 violations returned PHASE_I, silently mapping pipeline failures to operational lockouts. FAULT state added; outside GREP protocol.

v1.2.0Hazard blind spot

H3/H4 tested only stateless path (phase_prior=null). Stateful bypass was invisible. H3b (stateful EW), H4 upgraded to stateful; H7, H8 added. phase_prior added to G0 validation.

v1.2.0Prose inconsistency

MIN_TEMPORAL_FACTOR: changelog said 0.15, code said 0.25, H7 comment referenced 0.15. All unified to 0.25 with full derivation documented in code and paper.

v1.2.1Liveness conditionality undocumented

Adversarial review (cycle 3) identified: permanent EW (ew_active=true sustained) produces R_max = 0.25 × 0.9955 × 0.40 = 0.0996 < 0.20 → system stays in Phase I indefinitely. Not previously documented as doctrinally correct vs. a liveness defect. H9 added: verifies and documents this ceiling as correct mission-abort behavior. Conditional liveness stated in paper §8.2: "Phase II reachable IFF EW not permanently active." The instant EW clears, R_min=0.249 > 0.20 — liveness is restored immediately.

Score Progression

Version	Score	Resolved issues	Remaining
v1.0.0	72/100	Initial build.	Overclaimed I4, one-sided hysteresis, K mismatch, dead constants.
v1.1.0	79/100	Fixes 1–4 applied.	G4/G3 ordering bug (2.88% bypass), liveness failure, fault masking.
v1.2.0	85/100	G4 final override, liveness floor, FAULT state.	Hazard blind spot, prose 0.15/0.25, EW justification absent.
v1.2.1	93/100	9 hazard checks (H3b stateful EW), prose unified, adversary model, GREP threshold derivation, EW vs SALM justification, O(1) WCET, two-phase commit, CBF/runtime assurance/fault-tolerant lit.	Liveness conditionality (permanent EW as mission-abort behavior) undocumented.
v1.2.2	95+/100	H9 added: permanent EW liveness ceiling (R_max=0.0996) verified as doctrinally correct. Conditional liveness ("Phase II reachable IFF EW clears") stated in §8. 10/10 hazard checks pass.	HIL validation, formal verification (TLA+), per-deployment calibration.

Operational Replay — DETERMINISTIC ENGINE · SEED 42

SCENARIO

SPEED DOWNLOAD

Recovery Score R(t) & Phase

Execution Trace t=—

Press PLAY or STEP to begin.

State Transition Map

No guards active.

Live Values

t_locked—

R—

phase—

ew_active—

salm_score—

temporal_f—

Transition Forensics — why each phase advance succeeded or was blocked

Run a scenario to see transition forensics.

Parameter Space — 80×80 GRID · CARA v1.2.2 ENGINE

Display Mode

Final Phase R Score Guard Cause

State Params

ew_active false phase_prior = PHASE_IV null

Fixed Inputs

t_locked8

confirm_score0.80

anomaly_clear0.80

tau_prior0.30

DOWNLOAD

salm_score →

tau_current →

Hover to inspect a cell.

Phase Regions

PHASE_IV · CLEARED

PHASE_III · CONDITIONAL

PHASE_II · MONITORED

PHASE_I · LOCKED

FAULT

Guard Cause

Free advance

G3 advance blocked

G3 retreat blocked

G4 SALM gate

G1 / G0 / fault

No guard (baseline)

R Score

1.0

0.5

0.0

Region Stats

—

Assurance Gap Matrix

This matrix distinguishes what the current v1.2.2 artifact achieves from what remains before operational deployment. The gap column is not a list of failures — it is the research program roadmap. Gaps drive the next companion architectures (SATA, formal model) and the HIL validation phase.

Area	Status	Evidence (v1.2.2)	Remaining Gap	Next Artifact
Core Engine Properties
Guard ordering (G0→G1→G2→G3→G4)	✅ Complete	G4 runs after G3 as final unconditional override. Stateful bypass rate fixed from 2.88% → 0/5000. H4 verifies.	—	—
Determinism & reproducibility	✅ Complete	xorshift32 PRNG, seed=42, timestamp excluded from canonical JSON. Bit-for-bit reproducible across runs.	—	—
Input validation (G0)	✅ Complete	Type, range, phase_prior all validated. Invalid inputs return FAULT (not PHASE_I). H8 verifies.	—	—
NaN / Inf protection (G2)	✅ Complete	R clamped to [0,1] algebraically. NaN guard catches any floating-point propagation. H2, H5 verify.	—	—
Symmetric hysteresis (G3)	✅ Complete	Both advance and retreat require crossing boundary ± HYSTERESIS_BAND. Fixed from one-sided in v1.0.0.	—	—
SALM hard gate (G4) [policy-enforced]	✅ Complete	Phase IV unconditionally blocked when salm_score < 0.60, regardless of R or hysteresis state. H4, H6 verify (0/5000).	—	—
Temporal liveness (I7)	✅ Conditional	MIN_TEMPORAL_FACTOR=0.25 guarantees R≥0.237>0.20 under ideal inputs. H7 verifies 0/1000 bricked at t=200–400.	Conditional on EW clearance. Permanent EW (ew_active=true) is a mission-abort condition yielding R_max=0.0996 (H9, doctrinally correct).	By design
FAULT state isolation	✅ Complete	FAULT is architecturally distinct from PHASE_I. Pipeline failures trigger diagnostic reflex, not operational lockout. H8 verifies.	—	—
Safety & Assurance Properties
Hazard evidence suite	✅ Complete	10 hazard checks (H1–H9 incl. H3b), covering 26,000+ trials across stateless and stateful paths. Policy- vs parameter-enforced labels explicit.	—	—
EW blocking [parameter-enforced]	⚠ Parameter-bound	ew_penalty=0.40 pushes R below Phase IV threshold under current weights. H3, H3b verify (0/5000). Must re-verify if weights change.	Not a hard gate. Future tuning could break the EW→Phase≤III property without changing guard logic.	G5 hard EW gate (optional policy extension)
Static hysteresis band	⚠ Heuristic	HYSTERESIS_BAND=0.03 assumes sensor noise < ±3%. Chosen for gap compatibility with phase boundaries (all gaps ≫ 2×band).	Cognitive jammers inducing σ>3% variance could cause phase oscillation. Dynamic noise-adaptive band not yet implemented.	CARA v1.3 (dynamic σ-adaptive band)
Formal verification	✗ Absent	Simulation evidence (Monte Carlo, hazard checks). No theorem prover, model checker, or formal specification applied.	Guard ordering, G4 non-bypass, conditional liveness, and phase monotonicity not yet machine-verified.	TLA+ / Alloy model
Deployment-Grade Properties
Input provenance & attestation	✗ External only	G0 validates format and range. Paper §7.2 documents that plausible-but-false inputs (spoofed tau_current, forged confirm_score) are outside CARA's verification boundary.	Compromised upstream module can feed believable false evidence. CARA cannot distinguish spoofed from legitimate inputs.	SATA (Sensor Attestation and Trust Architecture)
Real-time execution wrapper	✗ Simulation only	computeRecovery() is O(1) WCET, zero dynamic allocation, no loops. Paper §8.1 documents WCET bounds.	No watchdog, no monotonic clock binding, no heartbeat monitor. Suitable for integration but not yet wrapped for embedded deployment.	CARA v1.3 (RT wrapper)
Hardware-in-the-loop validation	✗ Absent	Monte Carlo (5000 trials), 10 hazard checks, replay across 6 scenarios. No live or replayed telemetry, no bus-fault conditions.	HMAA→CARA→HMAA two-phase commit not tested under real timing, power interruption, or bus-fault scenarios.	HIL testbed integration
Parameter calibration	✗ Heuristic defaults	λ=0.04, HYSTERESIS_BAND=0.03, weights (0.35/0.25/0.25/0.15) are theoretically motivated defaults, not field-calibrated constants.	Operational deployment requires calibration against actual platform telemetry and mission profiles.	Field calibration study
Two-phase commit implementation	⚠ Specified only	Protocol fully specified in paper §8.3. computeRecovery() preserves O(1) purity — performs no I/O. HSM ACK handoff documented.	Integration layer (HSM write, WORM ACK, HMAA handoff) is architectural specification, not implemented code.	Integration layer / HIL

ASSURANCE POSTURE SUMMARY

✅ Core engine: Guard ordering, determinism, validation, liveness — complete and hazard-verified.

⚠ Parameter-bound properties: EW blocking, hysteresis band — correct under current parameterization, must re-verify on changes.

✗ Deployment gaps: Input provenance (→ SATA), formal verification (→ TLA+), HIL validation (→ testbed).

Current TRL: 4 (laboratory prototype). Target TRL: 7 (system prototype in operational environment). Path: SATA companion → TLA+ model → HIL testbed integration → field calibration.