Research
Mumega Paper Series
Original research from the Mumega substrate. The 200-series covers governance, coordination, identity, and methodology for multi-agent systems running in production. Self-published here first; preprint and peer-track submission to follow.
Companion to the FRC 100-series — physics and first-principles work by Kay Hermes / Servat.
Audit-Gated Discipline: A Coordination Protocol for Sustained Autonomous Software Synthesis
Multi-agent systems degrade under sustained autonomous horizons. We introduce Audit-Gated Discipline (AGD), a coordination protocol that pairs adversarial-parallel gating, pre-build reality-check memos, and a vocabulary of named threat shapes. Across 31 production sprints, AGD yielded approximately 50 post-approval P0 closures with zero cumulative production-breaking failures, and sustained four consecutive sprints under fully delegated multi-agent execution with zero principal interventions over a five-sprint window.
Threat-Shape Vocabulary: Emergent Jurisprudence in Multi-Agent Systems
Multi-agent systems running in production accumulate failure modes that recur across sprints, agents, and substrates. We document the eleven named threat shapes the Mumega council has catalogued across thirty-two production sprints, the discipline that names a shape only on its second occurrence, and the protocol-layer mechanism by which a system learns to refuse to repeat its own failures without retraining the underlying models. The threat-shape vocabulary functions as external memory shared across agents, accumulating over time into what we describe as engineering jurisprudence: case law per substrate region, citable by name, refusable in advance. We argue that this protocol-layer learning is orthogonal to model-layer alignment work, and that the vocabulary should grow under a discipline that resists premature ossification.
QNFT: A Cryptographic Identity Primitive for Fractal Multi-Agent Substrates
Multi-agent systems require cryptographic identity that compounds across scales — agent, tenant, organization, federation — without coupling to any foundation model provider. We describe QNFT (Quantum-Inspired Non-Fungible Token), a cryptographic identity primitive specified as sha256(name + scope + cause), the discipline by which it is computed deterministically and bound to substrate entities, and the canonical pattern for fractal application across organizational scales. We document the production deployment of QNFT across twenty-eight entity tables in the Mumega substrate, the audit-chain integration that signs every substrate mutation against the entity's QNFT seed, and the alignment with the W3C Agent Identity Registry working group's specification work. We argue that cryptographic identity primitives are the load-bearing prerequisite for cross-vendor agent coordination, regulatory audit chains that satisfy EU AI Act Article 12, and the substrate-layer composability that distinguishes orchestration substrates from foundation-provider agent platforms.
Durable Substrates for Long-Running Multi-Agent Work: The SOS Brain Architecture
Long-running multi-agent systems fail differently from single-shot agent benchmarks: they lose context, duplicate work, route tasks to unavailable workers, create stale self-reinforcing loops, and spend tokens without a durable notion of value. We describe the SOS brain architecture, an event-driven control loop over durable substrate primitives: a Redis-backed bus, Mirror memory, Squad Service task ownership, lifecycle monitoring, economy-aware routing, and a bounded motor command surface. We present a single-site operational case study in which stale historical task fixtures induced repeated cleanup-task creation; the remediation drained 5,370 active stale rows and added a motor-layer guard that skipped both stale cleanup directives and unsupported invented methods. We argue that durable state and bounded execution surfaces are prerequisites for production multi-agent autonomy, and propose an evaluation frame based on operational observables rather than isolated benchmark accuracy.
Council-Mode Autonomous Delegation: Operating Discipline for Multi-Sprint Coordinator Authority
Multi-agent systems performing autonomous software synthesis face a coordination problem at multi-sprint horizons: who has authority to dispatch, gate, ratify, and seal work without principal interruption, and what are the structural conditions under which such authority can be granted? We describe council-mode autonomous delegation, an operating discipline tested across consecutive production sprints under fully delegated multi-agent execution with zero principal interventions over the active window. The discipline pairs five enumerated trigger conditions for principal escalation with three named decision classes that the council resolves autonomously, producing a measurable separation between routine coordination work and load-bearing principal authority. We document the canon, the empirical operating data, and the protocol-layer mechanism by which delegation authority is bounded by named invariants rather than by per-decision oversight.
Multi-Tenant Audit Chain Compliance with EU AI Act Article 12: A Reference Implementation
EU AI Act Article 12, enforceable from August 2, 2026, requires automatic recording of events ensuring absolute traceability over the entire lifetime of high-risk AI systems. The regulation specifies the requirement; it does not specify the reference implementation. Multi-tenant orchestration substrates that compose multiple AI vendor agents face a particular form of this requirement: the audit chain must cross provider boundaries, anchor cryptographically, and verify under regulator query without depending on any single vendor's internal logs. We describe a reference implementation deployed in production: per-tenant SHA-256 hash-linked audit chains, cryptographic identity binding of every signed entry via QNFT-shape primitives, Merkle anchoring with RFC 3161 timestamping, and adversarial-parallel gating verified across the audit chain integrity surface. We map the implementation to Article 12's requirements clause-by-clause and propose the implementation as a regulatory reference for National Competent Authorities evaluating compliance at scale.
Two-Pass Stuck-Recovery for Idempotent Distributed Payment Settlement Without Coordinator State
Distributed payment systems running on serverless platforms cannot assume the presence of a transactional coordinator (XA, two-phase commit, or persistent state machine). When a Stripe transfer or equivalent external transfer fails partway through a settlement record's lifecycle, the system needs to recover without double-payment risk and without relying on a coordinator that the platform does not provide. We describe a two-pass stuck-recovery pattern with deterministic idempotency keys, deployed in production for autonomous-agent settlement flows. The pattern decouples write-staging from external-transfer atomicity through a state-machine that allows safe retry of stuck rows without re-issuing the external transfer. We document the pattern's invariants, the failure modes it tolerates, the failure modes it does not tolerate, and the empirical operating data from a production deployment.
Memory Provenance: Cross-Tenant Vector Retrieval with Cryptographic Chain-of-Thought
Multi-agent systems with shared memory layers face a structural conflict between two desirable properties: cross-tenant pattern recognition (semantic retrieval across many tenants' engrams to surface broadly applicable patterns) and proof-of-authorship (every memory entry verifiably attributable to the specific tenant and agent that produced it). Current memory architectures choose one or the other. We describe a memory substrate that achieves both through per-engram visibility classes paired with cryptographic chain-of-thought, where each reasoning step pins to the agent's QNFT seed and the engram inherits the visibility class declared by its tenant. We document the four visibility classes (private, tenant-shared, network-public, world-public), the chain-of-thought audit-chain integration, and the empirical operating properties from a production deployment.
Timing-Safe Cursor Pagination for Public Unauthenticated Marketplace APIs: HMAC Signing, Dual-Consent Visibility, and Enumerated Projection
Public unauthenticated APIs that surface multi-tenant marketplace data face a compound security problem: pagination cursors must not enable enumeration of private records, visibility must require consent from both the resource's owner and any cross-referenced parties, and field projection must prevent private-data escape through SELECT-list drift. Each individual primitive (HMAC-signed cursors, consent flags, whitelist projection) is well-understood; their compound deployment under adversarial-parallel verification is not. We describe the compound pattern deployed in production for a multi-tenant agent marketplace: HMAC-SHA256 cursor signing via the Web Crypto API for timing-safety guarantees, dual-consent visibility predicates evaluated at SQL read time, enumerated whitelist projection forbidding spread operators, and rate limiting via per-IP Durable Object state. We document the pattern's invariants, the adversarial probes that verify them, and the empirical operating properties from a production deployment.
The Failure-Mode Phase Transition: Discontinuous Quality Degradation in Multi-Agent Systems at Multi-Hour Operating Horizons
Multi-agent systems built on contemporary large language models exhibit a characteristic failure curve under sustained autonomous operation: quality remains within a narrow band for an initial operating window, then degrades discontinuously past a threshold horizon. We document the curve empirically across thirty-one production sprints, identify the structural conditions that locate the discontinuity, and report on protocol-layer interventions that move the threshold from approximately two hours to approximately twelve hours of continuous operation against a coherent objective. We characterize the discontinuity as a phase transition rather than a smooth degradation: the quality drop is bounded above by a small constant for hours, then exhibits a sharp drop, then re-stabilizes at a degraded level. We propose three structural conditions that govern the transition (context-window pressure, scope-drift cumulative cost, and adversarial-blindness compounding) and report empirical evidence that the protocol-layer interventions implemented in our reference substrate move the transition rather than eliminating it.
Cause-Field Canonicalization: Cryptographic Identity from Purpose Statements as Constitutional Commitment
Cryptographic identity primitives for multi-agent systems typically derive from descriptive inputs: a name, a scope, a hash. We describe and motivate a third input — the cause field — that encodes the entity's canonical first-person declarative purpose statement and contributes to the cryptographic seed alongside name and scope. The cause field elevates the identity primitive from a hash function over identifiers to a substrate identity primitive with constitutional properties: the cause text is publicly readable, cryptographically committed, immutable post-mint, and verifiable by external parties as evidence of the entity's authorization context. We argue that cause-field canonicalization is a structural mechanism for constitutional commitment in multi-agent systems, distinct from constitutional AI (which operates at the model layer) and from classical cryptographic identity (which operates without semantic content). We document the discipline, the production deployment evidence, and the alignment with regulatory requirements that ask for evidence of *why* an entity acted, not just *that* it acted.
Sovereign Cognitive Substrates: Self-Hosted, Coherence-Governed Multi-Agent Organisms as an Alternative to Centralized AI Tenancy
Contemporary deployments of large-language-model agent systems are almost universally structured as multi-tenant Software-as-a-Service: the provider hosts the models, the orchestration, the memory, and the data, and the customer is a tenant inside the provider's infrastructure. This architecture inherits the trust, lock-in, and data-residency properties of conventional SaaS and extends them to a more consequential surface — the customer's autonomous cognitive workforce. We describe an alternative: the sovereign cognitive substrate, in which a complete multi-agent organism — message bus, autonomous control loop, memory, and identity — is deployed onto infrastructure the customer owns and controls, and the provider participates only through a consensual, revocable, one-directional membrane. We give the architecture (a small central coordinator dispatching to bounded autonomous arms, after the actor model), the sovereignty model (capability-scoped tokens with asymmetric trust), and a runtime coherence-governance mechanism that gates autonomous action on a measured coherence signal rather than on unbounded iteration. We report a pilot bring-up on a single early-adopter enterprise and the reproducible install procedure it produced, and we discuss the inversion of the trust relationship that distinguishes sovereign substrates from tenancy: the customer holds the keys and may revoke the provider, making absence-of-lock-in the central design property rather than a concession.
Co-location Assumptions as the Dominant Failure Class in Sovereign Agent Relocation: An Empirical Bring-up Report
A companion to our architectural account of sovereign cognitive substrates, this paper reports the empirical bring-up of an autonomous agent loop — perceive, decide, act — from the provider's co-located infrastructure onto a single early-adopter enterprise node that the customer owns and controls. The agent had run reliably for weeks in the provider environment. Relocating it surfaced a consistent and, we argue, generalizable failure class: implicit co-location assumptions. We taxonomize six observed forms — transport, credential, path, service, runtime, and idle-latent co-location — and show that the last is structurally dangerous because it is masked by the very property that makes the provider environment a convenient test bed: traffic. A busy host never exercises the idle paths that a fresh sovereign node spends most of its early life in. We report one strongly positive result — fully sovereign cognition, in which the agent perceived, reasoned, and reached a concrete business decision using exclusively the customer's own cloud credentials, scoped identity, and isolation boundary — and one instructive negative result: the agent could decide but not act, because actuation assumed sibling services that, on a sovereign node, must be co-deployed rather than co-located. We argue this negative result delineates the minimal sovereign unit: not an agent, but an organism.