Invariant Governance™

Every action. Signed. Verified. Auditable.

The missing governance layer for autonomous systems. Structural separation makes unauthorized action impossible — not just unlikely — when correctly implemented. Deterministic evaluation, cryptographic receipts, zero ambiguity.

Authority Plane
Governance Kernel
CAN: Evaluate policy + sign receipts CANNOT: Execute any action
Execution Plane
Execution Gate
CAN: Enforce + block outbound calls CANNOT: Authorize itself
Advisory Telemetry
Telemetry Observer
CAN: Observe + compute drift scores CANNOT: Intervene or modify state
CI License: Apache 2.0 Patent: US 19/533,191
View on GitHub Quick Start Read the Whitepaper Enterprise Licensing

The Problem

Autonomous systems are making consequential decisions at machine speed. Existing governance approaches force a choice between two failure modes:

Human-in-the-Loop

Safe but slow. Every decision waits for manual approval. Latency kills throughput, operators develop alert fatigue, and the system degrades to rubber-stamping. In high-frequency environments, this approach is structurally unviable.

Probabilistic Guardrails

Fast but brittle. LLM-based filters and confidence thresholds can be gamed, hallucinated past, or silently degraded. They offer no cryptographic proof of authorization and cannot detect salami-slicing attacks.

This is the Latency-Integrity Paradox: the faster your system needs to operate, the harder it becomes to maintain governance integrity -- unless the governance architecture itself is redesigned from first principles. No existing framework solves this. This architecture has never existed before.

Why Not Just...

Every existing approach trades away something critical. Invariant Governance is the first framework designed to hold all four properties simultaneously.

Approach Speed Cryptographic Proof Cumulative Tracking Emergency Halt
Human-in-the-Loop Slow None Manual Yes
LLM Guardrails Fast None No Partial
RBAC / Policy Engines Fast None No Partial
Smart Contract Gates Medium On-chain Per-chain Slow / cannot undo
Invariant Governance Machine-speed Per-action receipts Stateful accumulator Sub-second halt

Architecture

Deterministic means: given the same action, the same policy, and the same accumulator state, the system always produces the same decision. No randomness. No LLM judgment. No confidence scores. The outcome is a mathematical function of the inputs — verifiable, reproducible, and auditable.

Three structurally decoupled components that cannot be collapsed, bypassed, or silently degraded. Each is defined not just by what it does, but by what it structurally cannot do.

Authority Plane
Governance Kernel
Evaluates policy, issues Approval Receipts and Fluidity Tokens, maintains the Stateful Accumulator.
CAN: Evaluate + Sign CANNOT: Execute actions
Sovereign Boundary
Execution Plane
Execution Gate
Validates receipts via six-step cryptographic verification. Permits or blocks every outbound action.
CAN: Enforce + Block CANNOT: Authorize itself
One-Way Mirror
Advisory Telemetry
Telemetry Observer
Records all decisions, computes degradation scores, detects drift. One-way data ingestion only.
CAN: Observe + Advise CANNOT: Intervene

These constraints are not conventions -- they are enforced by the architecture. The Kernel has no credentials for execution targets. The Gate has no signing key. Telemetry has no write channel.

Why This Works

Other governance systems rely on rules that should be followed.
Invariant Governance makes violation structurally impossible.

Governance Kernel
Cannot execute
No execution credentials exist
Like a judge with no gun — can rule, but physically cannot enforce. The Kernel holds signing keys but has zero access to execution targets.
Execution Gate
Cannot self-authorize
No signing key exists
Like a locked door with no key inside — can open when given a valid receipt, but cannot forge one. The Gate verifies but cannot produce signatures.
Telemetry Observer
Cannot intervene
No write channel exists
Like a security camera with no controls — can see everything, but physically cannot change anything. One-way data ingestion only.

These are not rules that can be misconfigured, overridden, or socially engineered. They are structural properties of the architecture — enforced by the absence of capabilities, not the presence of restrictions. In software, this is logical impossibility through credential isolation. For physical systems, the Hardware HAL Gate extends this to physical impossibility through galvanic isolation — no electrical path exists for software to bypass the gate. When correctly implemented, unauthorized action is not improbable. It is structurally impossible.

Key Mechanisms

Approval Receipts

Cryptographically signed, non-fungible, single-use authorization tokens. Each receipt binds a specific action to a specific context at a specific time, with parameter-hash binding to prevent substitution attacks.

Fluidity Tokens

Speculative pre-authorization for high-frequency and high-latency environments. A Fluidity Token grants bounded execution authority consumed incrementally, enabling machine-speed operation within governor-defined limits.

Stateful Accumulator

Tracks cumulative impact across all actions, not just individual transactions. Defeats salami-slicing attacks where each action falls within bounds but the cumulative effect is catastrophic.

Poison Pill Broadcast

Emergency halt with sub-second propagation. Revokes all outstanding Fluidity Tokens and Approval Receipts system-wide, destroys ephemeral key shards, and forces lockdown faster than any agent can act.

Hardware HAL Gate

For physical safety-critical systems (robotics, industrial control, infrastructure), a hardware-enforced gate with FPGA governance logic, galvanic isolation, and a physics logic module. Software cannot bypass it.

Use Cases

Domain-agnostic by design. Validated across eight industrial domains:

DomainExample Scenario
Financial ServicesAlgorithmic trading governance, transaction authorization, cumulative exposure limits
HealthcareClinical decision support, nurse handoff attestation, medication administration gates
Orbital / DisconnectedSatellite command authorization with high-latency Fluidity Tokens, autonomous operation within bounded authority
BlockchainOn-chain governance enforcement, smart contract execution gating, cross-chain authorization
LogisticsAutonomous vehicle routing, warehouse robotics, shipment release authorization
EnterpriseContract execution workflows, procurement authorization, multi-party approval chains
GovernmentBenefits issuance, permit authorization, regulatory compliance enforcement
Critical InfrastructurePower grid control, water treatment, industrial SCADA with Hardware HAL Gate

The Missing Layer

Invariant Governance is not a competing framework. It is the governance layer that wraps around your existing autonomous systems, including but not limited to:

R

Robotics & Physical Systems

Every motor command, gripper action, and navigation decision passes through the Execution Gate. The Hardware HAL Gate provides FPGA-enforced physical isolation for safety-critical operations.

Examples: OpenClaw, ROS 2, Isaac Sim, Boston Dynamics API, industrial PLCs
A

AI Agent Frameworks

Tool calls, API invocations, and chain-of-thought actions are authorized by the Governance Kernel before execution. Prevents prompt injection from escalating to unauthorized actions.

Examples: LangChain, AutoGPT, CrewAI, Claude tool use, OpenAI function calling
F

Financial & Trading Systems

Fluidity Tokens enable machine-speed execution within pre-authorized bounds. The Stateful Accumulator tracks cumulative exposure across all positions to defeat salami-slicing.

Examples: Algorithmic trading engines, payment processors, DeFi protocols, risk management
I

Critical Infrastructure

Every control command gets a cryptographic receipt. Poison Pill broadcast enables sub-second emergency halt across distributed systems. Disconnected operation via Fluidity Tokens for high-latency environments.

Examples: Power grid SCADA, water treatment, satellite operations, medical devices
Your Framework (OpenClaw, LangChain, trading engine, SCADA ...)
↓ action request ↓
Governance Kernel → Approval Receipt → Execution Gate
↓ authorized action ↓
Execution Target (motor, API, ledger, valve ...)
↓ immutable record ↓
Telemetry Observer

Quick Start

$ npm install @invariant-governance/core
import { GovernanceKernel, ExecutionGate, TelemetryObserver, } from "@invariant-governance/core"; // Initialize the three components const kernel = new GovernanceKernel({ policy: { maxSingleAction: 10_000, maxCumulativeWindow: 100_000, windowDuration: "1h", requireMultiSig: (amount) => amount > 50_000, }, }); const gate = new ExecutionGate({ kernelPublicKey: kernel.publicKey, onPoisonPill: () => process.exit(1), }); const telemetry = new TelemetryObserver({ sinks: [console, auditLog], }); // Request authorization for an action const receipt = await kernel.evaluate({ action: "transfer", amount: 5_000, target: "account-7291", context: { initiator: "agent-alpha", session: "s-0042" }, }); // Execute only if the receipt is valid const result = await gate.execute(receipt, async () => { return await ledger.transfer("account-7291", 5_000); }); // Telemetry records everything -- no intervention capability telemetry.record(receipt, result);

Open Source + Enterprise

Open Source (Apache 2.0)

The complete governance framework, all three components, protocol specifications, and reference implementations. Free to use, modify, and distribute. The Apache 2.0 license includes a patent grant for all use of the open-source software.

Commercial Licenses

Available for organizations requiring patent coverage beyond the Apache 2.0 grant, dedicated support, certified builds, or compliance documentation for regulated industries. Contact invariant@holladaylabsip.com.

Patent Notice

The Invariant Governance architecture is protected by U.S. Patent Application No. 19/533,191, PCT International Application No. PCT/US26/15432, and related continuation applications. Use of this software under the Apache 2.0 License includes a patent grant as described in Section 3 of the License. See PATENT_NOTICE.md for the full patent notice and defensive termination provisions.