Autonomous systems treat rejection as the start of a retry. When KAIROS Substrate rejects an action, the caller comes back: a SOC pipeline reissues the isolation order, an agent reformulates its plan and submits again. The retry is the normal shape of the interaction. It is also where three different behaviors hide behind traffic that looks identical from the gate’s side.
Three shapes of a retry
A retry can be one of three things. A legitimate reformulation changes the approach and earns a fresh evaluation. A wasteful loop resubmits the same rejected action forever. Adversarial pressure hammers the gate to drain operator attention or to probe for a timing seam.
A stateless gate reads all three as one request, judged in isolation on every call. The cost lands on the human: identical escalations pile into the operator queue until the signal drowns. The Distributed Retry Ledger gives the gate a memory of what each caller has already tried.
What the ledger remembers
Each entry is keyed by three fields: the domain namespace, the actor, and a caller-supplied intent that groups every attempt at one goal. The entry holds the running history of that goal: a window of recent attempts, two retry budgets (one for state rejections, one for action rejections), loop counters, and a write-once human-escalation flag.
Every attempt collapses to a failure fingerprint: a SHA-256 hash over the action, the strategy, the engine effect it maps to, and the outcome of the evaluation. The outcome is bucketed before hashing. The risk-margin reading (gamma headroom) collapses to negative, low, medium, or high. The distance-to-breach reading collapses to immediate, close, moderate, or distant.
Bucketing is the load-bearing choice. Raw floating-point readings would make every attempt unique and erase the memory. Coarse buckets let two failures of the same severity share one fingerprint, so a repeated mistake reads as a repeat.
From the fingerprints the ledger derives a novelty score: one minus the similarity to recent attempts, weighted by strategy (0.40), action (0.30), mapped effect (0.20), and target (0.10). High novelty means the caller changed course. Low novelty means it barely moved.
The budget that funds reformulation
Each goal opens with a retry budget measured in thousandths of an attempt. A high-novelty reformulation costs the baseline thousand. A weak variation costs more. A near-repeat costs the most, draining the budget in a few moves.
The pricing is the incentive. Material strategy changes stay cheap, so the caller keeps retrying on its own. Cosmetic changes grow expensive, and the budget empties fast. The structure rewards the behavior worth rewarding and starves the loop.
When the ledger hands control to a human
The ledger escalates to a human operator the moment any one structural condition fires:
- The retry budget for the goal reaches zero
- The same fingerprint repeats past its limit
- Headroom stops improving across a run of attempts (a stall)
- The goal stays open past its maximum age
- A live reading crosses an immediate-danger threshold on headroom, steps-to-breach, or criticality
Escalation is sticky. Once the flag is set, it holds: every later attempt routes to the human. Safety decisions move in one direction.
Why the ledger is distributed
Real deployments run more than one evaluator. A SOC pipeline scales horizontally; an agent fleet spreads across processes. A ledger confined to one process would let a caller shed its history by landing on a different node.
So the ledger lives in a shared store: SQLite in write-ahead-logging mode, each entry carrying a version number. Writes use optimistic concurrency. An evaluator loads the current version, computes the new state, and commits only if the version still matches. A losing writer retries with jittered backoff, up to five times.
The failure mode is biased toward caution. A read error, or a write that loses all five attempts, forces a human handoff in place of a guess.
Above the evaluators sits the HITL coordinator, an authoritative control plane that issues the override tokens. When an operator clears an escalation, the coordinator signs an RSA-PSS token bound to the request hash, the operator’s identity, and an expiry. The token redeems exactly once, and the replay checks reject any second use.
What this looks like in the field
In the cyber adapter, the intent is the incident. An operator who reissues the same isolation order against the same zone produces the same fingerprint. The repeat counter climbs, the budget drains, and the incident escalates to a credentialed reviewer before the queue fills with copies of one rejected order.
In the AI-safety adapter, the intent is the agent’s task. A rejected action returns reformulation guidance: the least-changed dimension of the last attempt, surfaced as a direction to move. An agent that adjusts its strategy keeps its budget and keeps working on its own. An agent that resubmits the same risky call burns the budget and hands the task to a human. The retry budget is the autonomous runway between a rejected action and a human review.
Determinism and audit
Every step is deterministic. Canonical serialization sorts keys before hashing, so the same attempt always yields the same fingerprint. Two evaluators replaying the same sequence converge on the same ledger state.
That determinism makes the ledger admissible as evidence. Replay the same incident later and it reaches the same human-handoff at the same attempt, for the same recorded reason. The ledger is the audit trail of every goal a system declined to abandon.
For the readings the fingerprint buckets (gamma headroom and steps-to-breach), read the companion piece on per-action gamma headroom.
Strategic Summary
A gate decides one action. A ledger remembers a goal. KAIROS prices reformulation, starves the loop, and escalates on a one-way flag, across every process that shares the store. The budget is the autonomous runway. The signed token is the human’s authority at the end of it. The trace is the receipt.