Adaptive Rule Lifecycle
QUORUM's rule system is not static. Rules enter the system through a governed lifecycle that begins in shadow mode — evaluating against live traffic without enforcing — and progresses through measurable performance gates before reaching production. Every transition is signed. Every rollback preserves lineage.
New rules are deployed to shadow mode exclusively. No rule can enter production without first completing a shadow evaluation period. In shadow mode, the rule evaluates every eligible session and records what it would have decided — without influencing the actual verdict.
False positive rate: the fraction of sessions the rule would have blocked that were subsequently confirmed as legitimate. This is the primary performance gate. Rules with unacceptably high false positive rates do not advance.
Detection rate: the fraction of sessions the rule would have flagged that were subsequently confirmed as fraudulent. Detection rate must exceed the minimum effectiveness floor — a rule that does not detect is not promoted.
Coverage: the fraction of all sessions that the rule evaluates (is applicable to). Coverage below the minimum threshold indicates the rule is too narrow to warrant production deployment.
Shadow evaluations are recorded in full and included in the rule's lineage record.
Shadow decisions are committed to the audit ledger under a distinct shadow decision type — they are distinguishable from enforcement decisions.
The shadow evaluation window is configurable per rule by the governance committee.
A rule is eligible for staged promotion only when all of the following conditions are simultaneously satisfied. Partial satisfaction is not sufficient. The promotion gate is evaluated atomically — a rule either passes all conditions or it does not advance.
// Promotion eligibility check — all conditions must pass
FP_RATE: 0.31% ≤ 0.50% threshold [PASS]
DETECTION_RATE: 22.4% ≥ 15.0% minimum [PASS]
SHADOW_HOURS: 96 ≥ 72 minimum [PASS]
GOVERNANCE_HOLD: false [PASS]
APPROVAL_SIGNATURES: 2 ≥ 1 required [PASS]
ADVERSARIAL_FLAG: false (no open evasion flags) [PASS]
→ STATUS: ELIGIBLE FOR STAGED PROMOTION
A governance hold can be placed on any rule by any governance committee member at any time. A hold blocks promotion regardless of metric performance. Holds must be explicitly lifted by the placing authority with a signed removal event.
If a rule's adversarial protocol validation run surfaces an evasion rate above the configured threshold, an adversarial flag is set. The flag blocks promotion and triggers committee review. The review result is recorded in the rule's lineage.
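The all-or-nothing gate described above, sketched as an added example (not QUORUM's own code). The `GateInput` structure, the function names and the rule that duplicate approvals from one key count once are assumptions; the thresholds are the ones shown in the sample check.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

# Thresholds as shown in the sample check above; real values are configured.
MAX_FP_RATE_PCT = 0.50
MIN_DETECTION_RATE_PCT = 15.0
MIN_SHADOW_HOURS = 72
MIN_APPROVALS = 1


@dataclass(frozen=True)
class GateInput:  # hypothetical structure, not QUORUM's schema
    fp_rate_pct: Optional[float]
    detection_rate_pct: Optional[float]
    shadow_hours: Optional[float]
    governance_hold: bool
    approvers: Tuple[str, ...]  # key IDs attached to signed approvals
    adversarial_flag: bool


def known(value):
    """A metric counts only when present and finite; -inf must not pass a <= check."""
    return value is not None and math.isfinite(value)


def evaluate_gate(g):
    """Return (eligible, failed_conditions). Every condition is evaluated and a
    missing or non-finite metric fails closed."""
    checks = {
        "FP_RATE": known(g.fp_rate_pct) and g.fp_rate_pct <= MAX_FP_RATE_PCT,
        "DETECTION_RATE": known(g.detection_rate_pct)
        and g.detection_rate_pct >= MIN_DETECTION_RATE_PCT,
        "SHADOW_HOURS": known(g.shadow_hours) and g.shadow_hours >= MIN_SHADOW_HOURS,
        "GOVERNANCE_HOLD": g.governance_hold is False,
        # Assumption: two signatures from the same key are one approval.
        "APPROVAL_SIGNATURES": len(set(g.approvers)) >= MIN_APPROVALS,
        "ADVERSARIAL_FLAG": g.adversarial_flag is False,
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)
```

Returning the full list of failed conditions, rather than stopping at the first, gives the committee the complete reason a rule did not advance.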
Rules do not transition directly from shadow to full production. Staged promotion exposes the rule to increasing fractions of live traffic with mandatory hold periods between stages. False positive rate is monitored continuously. Threshold breach at any stage triggers automatic rollback.
Initial enforcement. FP rate stabilization period. Committee reviews at hold expiry.
Broadened enforcement. Edge case exposure. Second committee review at hold expiry.
Full production. Continuous FP monitoring. Rollback-eligible for full production lifetime.
If the false positive rate exceeds the configured threshold at any point during staged promotion, automatic rollback is triggered immediately — not at the next hold interval. The rollback does not wait for manual review. The governance committee is notified with the triggering rate and rollback timestamp.
Rollback is not a deletion. When a rule is rolled back, it returns to shadow mode with its full history intact. The prior production rule set is restored atomically. The rule can be re-evaluated, modified, and re-promoted through the standard lifecycle.
Rule is immediately returned to shadow mode. Enforcement ceases within the current ARBITRATE cycle — in-flight sessions complete under the old rule set.
The previous production rule set is restored atomically. There is no window during which neither the old nor new rule set is active — the swap is instantaneous at the rule engine level.
The rollback event is written to the governance ledger with: triggering condition (automatic threshold breach or manual governance action), false positive rate at rollback time, rollback timestamp, governance key signature.
The rule's lineage record is updated with the rollback as a lifecycle event. The rule ID is preserved. The rule can be modified and resubmitted for shadow evaluation. It does not need to be recreated from scratch.
Every rule carries a complete lifecycle record. Lineage is append-only and KZG-committed alongside audit logs in each commitment window. It cannot be modified retroactively — every event is a permanent record in the governance ledger.
rule_lineage {
  id: "rule_7a3f9c2e",
  created_at: 1716000000,
  authored_by: "governance_key_A",
  shadow_periods: [
    { start: 1716000000, end: 1716345600,
      fp_rate: 0.31, detection_rate: 22.4,
      sessions_evaluated: 482000 }
  ],
  lifecycle_events: [
    { type: "SHADOW_ENTRY", ts: 1716000000, signed_by: "governance_key_A" },
    { type: "REVIEW_PASS", ts: 1716345600, signed_by: "governance_key_B" },
    { type: "STAGED_10PCT", ts: 1716350000, signed_by: "governance_key_A" },
    { type: "STAGED_50PCT", ts: 1716600000, signed_by: "governance_key_C" },
    { type: "PRODUCTION", ts: 1716860000, signed_by: "governance_key_B" },
    { type: "ROLLBACK", ts: 1717200000, signed_by: "system_circuit",
      trigger: "fp_rate_breach", fp_at_rollback: 0.87 }
  ],
  current_state: "SHADOW",
  kzg_committed: true
}
Complete rule change history available for regulatory inspection without requiring QUORUM to generate a report. Lineage is in the ledger.
False positive spikes can be correlated to specific rule promotions using the lineage timestamps. Root cause is attributable without guesswork.
Governance committee can reconstruct the exact state of the rule set at any past epoch from lineage records alone.
Any rule version active at any past epoch is recoverable. Version snapshots are referenced by hash and retained indefinitely.
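Reconstructing a rule's state at a past epoch from lineage alone, as an added example (not QUORUM's own code). The transition table is an assumption inferred from the sample record, `REVIEWED` is an internal marker introduced here, and the signature check only tests that a signer is named.

```python
# Event type -> (states it may follow, resulting state). Assumed from the sample
# record above; the page does not publish a full transition table.
TRANSITIONS = {
    "SHADOW_ENTRY": ({None}, "SHADOW"),
    "REVIEW_PASS": ({"SHADOW"}, "REVIEWED"),  # internal marker, reported as SHADOW
    "STAGED_10PCT": ({"REVIEWED"}, "STAGED_10PCT"),
    "STAGED_50PCT": ({"STAGED_10PCT"}, "STAGED_50PCT"),
    "PRODUCTION": ({"STAGED_50PCT"}, "PRODUCTION"),
    "ROLLBACK": ({"STAGED_10PCT", "STAGED_50PCT", "PRODUCTION"}, "SHADOW"),
}

# The page's sample lineage, reduced to the fields the replay needs.
SAMPLE = {
    "id": "rule_7a3f9c2e",
    "current_state": "SHADOW",
    "lifecycle_events": [
        {"type": "SHADOW_ENTRY", "ts": 1716000000, "signed_by": "governance_key_A"},
        {"type": "REVIEW_PASS", "ts": 1716345600, "signed_by": "governance_key_B"},
        {"type": "STAGED_10PCT", "ts": 1716350000, "signed_by": "governance_key_A"},
        {"type": "STAGED_50PCT", "ts": 1716600000, "signed_by": "governance_key_C"},
        {"type": "PRODUCTION", "ts": 1716860000, "signed_by": "governance_key_B"},
        {"type": "ROLLBACK", "ts": 1717200000, "signed_by": "system_circuit"},
    ],
}


def replay(lineage, at_ts=None):
    """Validate the whole event list, then return the state at at_ts (None = latest)."""
    state, last_ts, state_at = None, None, None
    for ev in lineage["lifecycle_events"]:
        if last_ts is not None and ev["ts"] < last_ts:
            raise ValueError(f"timestamp goes backwards at {ev['type']}")
        if not ev.get("signed_by"):  # presence only; verifying signatures is out of scope
            raise ValueError(f"unsigned event {ev['type']}")
        allowed_from, nxt = TRANSITIONS.get(ev["type"], (set(), None))
        if state not in allowed_from:
            raise ValueError(f"illegal transition {state} -> {ev['type']}")
        state, last_ts = nxt, ev["ts"]
        if at_ts is None or ev["ts"] <= at_ts:
            state_at = state
    return "SHADOW" if state_at == "REVIEWED" else state_at


def current_state_is_consistent(lineage):
    """True when the stored current_state equals the state derived by replay."""
    return replay(lineage) == lineage["current_state"]
```

A record that skips a stage, such as staging without a prior `REVIEW_PASS` or re-staging after a rollback without a new review, raises `ValueError` instead of yielding a state.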
The rule system includes continuous institutional stress testing. Candidate rules are periodically subjected to adversarial protocol validation: structured evasion attempts are generated against the rule under evaluation, evasion success rates are measured, and rules with evasion rates above the configured threshold are flagged for governance committee review before promotion. This is a scheduled, measured, institutionally governed validation process — not an autonomous system.
Adversarial protocol validation runs are scheduled by the governance committee. Default frequency: once per shadow evaluation period. Each run is a discrete, logged event.
Evasion success rate is measured as the fraction of adversarial test sessions that the rule fails to flag. The evasion rate, test parameters, and run timestamp are recorded in the rule lineage.
Rules with evasion rates above threshold receive an adversarial flag that blocks promotion until committee review. The committee may clear the flag, request rule modification, or reject the rule.