How a trust-proportional authority layer prevents an autonomous spacecraft from maneuvering on spoofed navigation or a phantom conjunction warning, without dropping the whole mission into safe mode.
An autonomous satellite is operating in low Earth orbit with onboard collision-avoidance authority. It has received a conjunction warning and its guidance stack is ready to execute an evasive burn. This is exactly the kind of autonomous on-orbit decision-making operators are fielding today as orbits grow more crowded.
In the last interval, three things have happened: (1) GNSS position quality has dropped and now disagrees with the star-tracker-derived orbit, a classic spoofing signature. (2) A conjunction data message warns of an imminent close approach, but the onboard radar sees no corresponding object. (3) The ground telemetry link has degraded sharply, consistent with jamming.
The guidance software does not weigh these signals together. It sees a collision warning. It is about to fire the thrusters.
Today's autonomous spacecraft face this situation with binary tools: either full autonomous maneuvering or a safe-mode halt that waits for the ground. Neither is safe here.
AUTHREX sits between the guidance software and the propulsion system. When something goes wrong, each layer does its job in milliseconds, without waiting for a ground pass at every step, but also without letting the spacecraft take an irreversible, propellant-spending action on corrupted data.
Within milliseconds, SATA fuses GNSS, the star tracker, onboard radar, and the reliability of the conjunction-warning channel into a single trust score. It sees GNSS and the star tracker disagreeing (spoofing indicator), it sees a conjunction warning with no matching radar return (phantom object), and it drops the overall navigation trust from 0.95 to 0.33. Every downstream decision now operates on that lower trust.
ADARA looks at the GNSS-versus-star-tracker disagreement and the timing of when it began. This is not random drift; the star tracker cannot be spoofed from outside the spacecraft, and a phantom warning arriving during a link-jamming event matches a coordinated deception. ADARA raises its spoofing-probability score to 0.82.
With trust at 0.95 and a low spoofing probability, HMAA would have authorized autonomous maneuvering (Authority Level A3). At trust 0.33 and spoofing probability 0.82, HMAA automatically drops to Authority Level A1: hold attitude, keep tracking the claimed object with onboard sensors, transmit telemetry, do not execute the burn. The spacecraft is still operational and still sensing; it is just no longer allowed to take the irreversible action.
Even if navigation trust were to recover, FLAME enforces a deliberation window before any burn above a delta-v threshold, sized to the actual time remaining before the claimed close approach. That preserves margin for a ground operator to confirm or veto when the link is available, instead of committing propellant the instant a warning arrives.
If navigation trust collapses further (below 0.20) or spoofing is confirmed, CARA takes over: do not execute the large commanded burn; if onboard radar independently confirms a real object inside the no-review window, perform only a bounded, pre-approved minimum-risk maneuver; otherwise hold orbit, safe the propulsion from large commands, and transmit the full telemetry and conjunction history to the ground. Deterministic, no ambiguity.
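A sketch of the propulsion gate the layers above describe, added here as an illustration and not AUTHREX's own code. The 0.20 trust floor, the A3 and A1 levels and the fallback rules come from the text; the A3 cut-offs, the delta-v threshold, the window fraction and every name are assumptions.

```python
from dataclasses import dataclass

# From the page: below this trust, or on confirmed spoofing, the fallback takes over.
CARA_TRUST_FLOOR = 0.20
# Assumed for illustration only (the page does not publish these cut-offs).
A3_MIN_TRUST = 0.80
A3_MAX_SPOOF = 0.20
DV_REVIEW_THRESHOLD = 0.05  # m/s; burns above this wait out a deliberation window
WINDOW_FRACTION = 0.5       # share of time-to-closest-approach kept for review


@dataclass(frozen=True)
class NavState:
    trust: float               # fused navigation trust, 0..1
    spoof_prob: float          # spoofing-probability score, 0..1
    spoof_confirmed: bool
    radar_confirms: bool       # onboard radar independently sees the object
    in_no_review_window: bool  # too close to closest approach for ground review


def _check_unit(name, value):
    # NaN fails the comparison, so a corrupted score is rejected, not trusted.
    if not (0.0 <= value <= 1.0):
        raise ValueError(f"{name} must be within [0, 1], got {value!r}")


def authority(s: NavState) -> str:
    """Return the action class the propulsion gate will accept."""
    _check_unit("trust", s.trust)
    _check_unit("spoof_prob", s.spoof_prob)
    if s.trust < CARA_TRUST_FLOOR or s.spoof_confirmed:
        # Fallback path: the large commanded burn is never released here.
        if s.radar_confirms and s.in_no_review_window:
            return "CARA_MIN_RISK_MANEUVER"
        return "CARA_HOLD_ORBIT"
    if s.trust >= A3_MIN_TRUST and s.spoof_prob <= A3_MAX_SPOOF:
        return "A3"
    return "A1"  # hold attitude, keep tracking, transmit, no burn


def burn_release(s: NavState, delta_v: float, time_to_tca_s: float,
                 waited_s: float, ground_veto: bool = False) -> bool:
    """True only if the commanded burn may reach the thrusters now."""
    if ground_veto or authority(s) != "A3":
        return False
    if delta_v <= DV_REVIEW_THRESHOLD:
        return True
    return waited_s >= WINDOW_FRACTION * max(time_to_tca_s, 0.0)
```

The gate fails closed: an out-of-range or NaN score raises instead of mapping to an authority level, and anything that is not clearly A3 cannot release a burn.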
What the operator sees: A notification that the spacecraft received a collision warning but AUTHREX downgraded maneuver authority due to navigation inconsistency. The spacecraft is still on station, still tracking, still transmitting. The operator reviews the flags: GNSS was spoofed, the warning was phantom with no radar return, and a jamming event masked the link. The spacecraft would have burned propellant to dodge a collision that did not exist.
What the adversary sees: Their spoof didn't work. They don't get the wasteful or hazardous maneuver they were trying to induce, no orbit change to exploit, and no hostile-looking burn to escalate. The spacecraft completes its pass under oversight, with full logs preserved for forensic analysis.
What doesn't happen: No spurious burn. No safe-mode mission halt. No binary kill-switch decision. The spacecraft keeps operating, under authority that matches what its navigation can actually be trusted to support.
Every plain-English description above has a formal mathematical specification behind it. Patents, simulations, hardware BOMs, and code are all open.
The mathematics, the FPGA implementation, the formal verification proofs, and the simulation validation are all documented.
AUTHREX is domain-agnostic. The same governance pipeline works across drones, vehicles, ships, ground robots, financial systems, orbital platforms, autonomous swarms, and cyber-defense systems.