Twin Spaces And Operational Hypergraph Federation

Position: untool.ai should run one shared hypergraph fabric with multiple governed graph spaces. Operational state, digital twins, simulations, advisory overlays, and promotion candidates share ontology and identity rules, but they do not share write authority.

The core invariant is:

same semantic space, separate authority spaces

This lets humans and agents reason across live operations, snapshots, counterfactuals, and proposed changes without letting simulated reality leak into operational truth.

Why This Exists

The demo harness gives a human a touchable review surface. Simulations explore bounded conditions. Digital twins bind scenarios to model-backed state, policy, and provenance. Operational twins recommend, gate, and execute through approved tools.

The risk is collapse: if a simulation, generated recommendation, or transcript can write directly into the live operational graph, the graph stops being a source of truth. The platform needs a membrane between graph spaces.

Graph-Space Types

| Space | Purpose | Write authority |
| --- | --- | --- |
| operational | Live current-state hypergraph from real systems, agents, humans, tools, telemetry, and evidence. | Trusted ingestion gateways and approved tool gateways only. |
| digital-twin | Snapshot or controlled refresh of an operational domain. | Twin sync process only. |
| simulation | Counterfactual branch with scenario parameters, fake time, injected failures, synthetic agents, and synthetic events. | Simulation engine only. |
| advisory-overlay | Findings, risks, recommendations, assumptions, proposed deltas, and evidence emitted by simulations or reviews. | Evidence and proposal writers only. |
| promotion-candidate | Approved change set waiting to become real action. | HITL and policy gate only, executed through tool gateway. |

The spaces can sit in the same user experience and query surface. They must not share mutation rights.
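The write-authority column above, expressed as a deny-by-default mutation gate. This is an added example, not untool.ai code; the principal names (`ingestion-gateway`, `tool-gateway`, `twin-sync`, and so on), the `SPACE_LABELS` mapping of which authority labels each space may hold, and the `authorize_write` function are assumptions made for illustration. The gate refuses anything it does not recognise, and treats `executed` as a label only the tool gateway may assert, since the table and the authority rules below reserve that meaning for actions performed through an approved tool gateway.

```python
from dataclasses import dataclass, field

# Writer principals per space type, taken from the Graph-Space Types table.
# The principal names are assumed for this example.
SPACE_WRITERS = {
    "operational": {"ingestion-gateway", "tool-gateway"},
    "digital-twin": {"twin-sync"},
    "simulation": {"simulation-engine"},
    "advisory-overlay": {"evidence-writer", "proposal-writer"},
    "promotion-candidate": {"hitl-policy-gate"},
}

# Authority labels each space may hold. Assumption: simulated/predicted stay in
# the simulation branch, proposals live in the overlay, approved change sets in
# the candidate space, and only the operational graph holds executed facts.
SPACE_LABELS = {
    "operational": {"observed", "derived", "executed"},
    "digital-twin": {"observed", "derived"},
    "simulation": {"simulated", "predicted"},
    "advisory-overlay": {"predicted", "proposed"},
    "promotion-candidate": {"approved"},
}


@dataclass(frozen=True)
class WriteRequest:
    space_id: str
    space_type: str
    principal: str
    label: str
    payload: dict = field(default_factory=dict)


def authorize_write(req: WriteRequest) -> tuple:
    """Deny-by-default membrane check for one mutation.

    A write is admitted only when the principal is an approved writer for the
    target space type and the assertion label is admissible there. Anything
    unknown (space type, principal, label) is refused rather than defaulted.
    """
    writers = SPACE_WRITERS.get(req.space_type)
    if writers is None:
        return False, f"unknown space type {req.space_type!r}"
    if req.principal not in writers:
        return False, f"{req.principal!r} has no write authority over {req.space_type!r}"
    if req.label not in SPACE_LABELS[req.space_type]:
        return False, f"label {req.label!r} is not admissible in {req.space_type!r}"
    # 'executed' means performed through the tool gateway and observed afterward,
    # so only the tool gateway may assert it, even though it is an operational label.
    if req.label == "executed" and req.principal != "tool-gateway":
        return False, "'executed' may only be asserted by the tool gateway"
    return True, "admitted"


def apply_writes(requests):
    """Apply a batch, returning (admitted, refused) lists of (request, reason)."""
    admitted, refused = [], []
    for req in requests:
        ok, reason = authorize_write(req)
        (admitted if ok else refused).append((req, reason))
    return admitted, refused


if __name__ == "__main__":
    # Constructed sample batch: a simulation engine trying to push a simulated
    # fact into the operational graph, beside legitimate and spoofed writes.
    batch = [
        WriteRequest("talent-hcm-operational-dev", "operational", "simulation-engine", "simulated",
                     {"statement": "shift understaffed under scenario 001"}),
        WriteRequest("talent-hcm-operational-dev", "operational", "tool-gateway", "executed",
                     {"statement": "runbook staffing-escalate completed"}),
        WriteRequest("talent-hcm-operational-dev", "operational", "ingestion-gateway", "executed",
                     {"statement": "spoofed completion"}),
        WriteRequest("talent-hcm-sim-urgent-staffing-001", "simulation", "simulation-engine", "simulated",
                     {"statement": "shift understaffed under scenario 001"}),
    ]
    ok, bad = apply_writes(batch)
    for req, reason in bad:
        print(f"REFUSED {req.principal} -> {req.space_type}: {reason}")
    print(f"admitted {len(ok)} of {len(batch)}")
```

The point of the two-table shape is that write authority and label admissibility are checked independently: a trusted ingestion gateway still cannot mint an `executed` assertion, and a simulation engine cannot write anything at all outside its branch.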

Architecture

```mermaid
flowchart LR
  Operational["Operational Space<br/>observed + derived truth"]
  Snapshot["Digital Twin Space<br/>as-of snapshot or controlled refresh"]
  Simulation["Simulation Space<br/>fake time, parameters, failures"]
  Overlay["Advisory Overlay<br/>findings, risks, proposals"]
  Candidate["Promotion Candidate<br/>approved change set"]
  Policy["Policy + HITL Gate<br/>clearance, approval, rollback"]
  Tools["Tool Gateway<br/>MCP/A2A/runbooks"]
  Evidence["Evidence Store<br/>traces, media, reports, decisions"]

  Operational -->|snapshot or masked slice| Snapshot
  Snapshot -->|fork| Simulation
  Simulation -->|finding, risk, proposal, trace| Overlay
  Overlay -->|proposal requiring gate| Policy
  Policy -->|promotion candidate| Candidate
  Candidate -->|approved tool action only| Tools
  Tools -->|observed result| Operational
  Operational --> Evidence
  Snapshot --> Evidence
  Simulation --> Evidence
  Overlay --> Evidence
  Candidate --> Evidence
```

The operational graph can be live while many simulations run beside it. The simulations inform the operational graph by exporting evidence and proposed actions. They do not mutate operational state.

Assertion Authority

Every persisted assertion must carry an authority label.

| Assertion type | Meaning |
| --- | --- |
| observed | Came from a real system, human, agent, tool, telemetry event, or approved ingestion source. |
| derived | Inferred from admitted operational facts under a known policy and reasoning trace. |
| simulated | Exists only inside a simulation branch. |
| predicted | Forecast result with assumptions, parameters, and uncertainty. |
| proposed | Candidate change or recommendation, not reality. |
| approved | Human and policy gate accepted the proposal for a bounded scope. |
| executed | Actually performed through an approved tool gateway and observed afterward. |

Agents, APIs, dashboards, and exports must never flatten these labels into an unqualified fact.

The Safety Membrane

Operational to twin/simulation may pass:

  • model snapshots;
  • masked production slices;
  • synthetic fixtures;
  • policy versions;
  • ontology versions;
  • telemetry samples;
  • event windows;
  • approved read-only object slices.

Twin/simulation to operational may pass only:

  • findings;
  • confidence and assumptions;
  • counterfactual deltas;
  • proposed actions;
  • risk assessments;
  • evidence packs;
  • HITL approval requests.

Denied exports include raw PII, unredacted transcripts, raw media, production mutation rights, long-lived credentials, and direct tool authority.

Federation is a typed contract between spaces, not an implicit join.

Each link declares:

  • source and target space IDs;
  • source and target space types;
  • ontology and policy versions;
  • allowed and denied export kinds;
  • identity mapping rules;
  • redaction status;
  • whether HITL is required;
  • whether policy gates are required;
  • proof that direct mutation is disabled.

Example:

```json
{
  "linkId": "talent-hcm-urgent-staffing-sim-export",
  "sourceSpaceId": "talent-hcm-sim-urgent-staffing-001",
  "sourceSpaceType": "simulation",
  "targetSpaceId": "talent-hcm-operational-dev",
  "targetSpaceType": "operational",
  "linkType": "advisory-export",
  "allowedExports": ["finding", "risk", "proposal", "trace", "evidence"],
  "deniedExports": ["rawPii", "rawMedia", "productionMutation"],
  "membrane": {
    "directMutationAllowed": false,
    "requiresPolicyGate": true,
    "requiresHitl": true
  }
}
```
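How a validator could enforce the link above, covering both the membrane lists (what twin/simulation may and may not pass to operational) and the later implementation-slice requirement that simulation exports never contain production mutation, raw PII, raw media, or executed operational assertions. This is an added example and is not the page's `tools/validate-hypergraph-space-federation.py`. The export-item shape (`kind`, `authority`, `payload`, `hitlRequestId`), the `EXPORTABLE_LABELS` set, and the `DENIED_KIND_MARKERS` key-matching detectors are assumptions; in a real deployment the content checks would defer to the platform's redaction service rather than key names.

```python
import json

# The federation link from the page, embedded here as constructed input.
LINK = json.loads("""
{
  "linkId": "talent-hcm-urgent-staffing-sim-export",
  "sourceSpaceId": "talent-hcm-sim-urgent-staffing-001",
  "sourceSpaceType": "simulation",
  "targetSpaceId": "talent-hcm-operational-dev",
  "targetSpaceType": "operational",
  "linkType": "advisory-export",
  "allowedExports": ["finding", "risk", "proposal", "trace", "evidence"],
  "deniedExports": ["rawPii", "rawMedia", "productionMutation"],
  "membrane": {"directMutationAllowed": false, "requiresPolicyGate": true, "requiresHitl": true}
}
""")

# Authority labels a simulation may push toward an operational target (assumption).
# 'observed' and 'executed' are operational assertions and must never cross.
EXPORTABLE_LABELS = {"simulated", "predicted", "proposed"}

# Payload keys that betray a denied export kind. Placeholder detectors, an
# assumption for this example; a real validator would call the redaction service.
DENIED_KIND_MARKERS = {
    "rawPii": {"ssn", "email", "phone", "rawTranscript"},
    "rawMedia": {"audio", "video", "frames"},
    "productionMutation": {"mutations", "writeOps", "toolInvocation"},
}


def _keys_at_any_depth(obj, found=None):
    """Collect every dict key anywhere inside a JSON-like payload."""
    found = set() if found is None else found
    if isinstance(obj, dict):
        for k, v in obj.items():
            found.add(k)
            _keys_at_any_depth(v, found)
    elif isinstance(obj, list):
        for v in obj:
            _keys_at_any_depth(v, found)
    return found


def validate_export(link: dict, item: dict) -> list:
    """Return every membrane violation for one export item; an empty list admits it."""
    violations = []
    membrane = link["membrane"]
    # Absence of the proof counts as mutation allowed: deny-by-default.
    if membrane.get("directMutationAllowed", True):
        violations.append("link does not prove direct mutation is disabled")
    if item.get("sourceSpaceId") != link["sourceSpaceId"]:
        violations.append("item did not originate in the link's source space")
    kind = item.get("kind")
    if kind in link["deniedExports"]:
        violations.append(f"export kind {kind!r} is denied")
    elif kind not in link["allowedExports"]:
        violations.append(f"export kind {kind!r} is not allow-listed (deny-by-default)")
    label = item.get("authority")
    if label not in EXPORTABLE_LABELS:
        violations.append(f"authority label {label!r} is an operational assertion, not an export")
    keys = _keys_at_any_depth(item.get("payload", {}))
    for denied in link["deniedExports"]:
        hit = keys & DENIED_KIND_MARKERS.get(denied, set())
        if hit:
            violations.append(f"payload carries {denied} markers: {sorted(hit)}")
    # A proposal must arrive as an HITL approval request, never as an action (assumption).
    if kind == "proposal" and membrane["requiresHitl"] and not item.get("hitlRequestId"):
        violations.append("proposal crosses the membrane without an HITL approval request")
    return violations


# Constructed sample exports: one clean finding, one that smuggles an executed
# label, a raw transcript and write operations across the membrane.
GOOD_FINDING = {
    "sourceSpaceId": "talent-hcm-sim-urgent-staffing-001",
    "kind": "finding", "authority": "predicted",
    "payload": {"riskScore": 0.72, "assumptions": ["absence rate 12%"], "traceId": "trace-0042"},
}
LEAKY_FINDING = {
    "sourceSpaceId": "talent-hcm-sim-urgent-staffing-001",
    "kind": "finding", "authority": "executed",
    "payload": {"rawTranscript": "...", "writeOps": [{"set": "shift.status"}]},
}

if __name__ == "__main__":
    for name, item in (("good", GOOD_FINDING), ("leaky", LEAKY_FINDING)):
        print(name, validate_export(LINK, item) or "admitted")
```

The validator reports every violation rather than stopping at the first, so a rejected export tells the simulation author exactly which rule the payload tripped, and a missing `directMutationAllowed` field is treated as allowed (and therefore refused) instead of as absent.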

Operational Loop

1. Operational graph observes real events.
2. Twin snapshot is created or refreshed.
3. Simulation forks from the snapshot.
4. Simulation runs a scenario matrix.
5. Results become advisory overlay evidence.
6. Active hypergraph inference reads operational facts plus advisory evidence.
7. It proposes next moves with trace IDs and policy exclusions.
8. HITL and policy gates approve, reject, or request more simulation.
9. Approved actions execute through the tool gateway.
10. The observed result updates the operational graph.
11. Twin calibration improves by comparing the observed result with what the simulation predicted.

This gives the platform learning without contamination. Simulation improves operations, but operational truth remains evidence-bound.

Relationship To Active Hypergraph Inference

Active hypergraph inference should operate over a declared serving view:

| Serving view | Inputs | Allowed output |
| --- | --- | --- |
| operational-now | Operational facts and derived facts only. | Current-state answer, trace, insufficiency result. |
| twin-as-of | Twin snapshot plus policy version. | State comparison, drift report, readiness finding. |
| simulation-branch | Simulation facts, fake time, injected events. | Scenario outcome, risk, assumptions, proposal. |
| operational-plus-advisory | Operational facts plus advisory overlay evidence. | Recommended next move, blocked by HITL/tool gates. |

The model renderer can explain, summarize, and compare these views. It cannot erase the view boundary.
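The serving-view table as a read-side scope check, to complement the write-side membrane. This is an added example rather than the platform's inference code; the `SERVING_VIEWS` structure, the specific (space, label) pairs each view may read, the output kind names, and the `serve` function are assumptions. The behaviour it demonstrates is the one the table requires: a view drops facts from other spaces instead of blending them, refuses output kinds it is not declared for, and returns an insufficiency result rather than answering from out-of-scope facts.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fact:
    space_type: str   # operational, digital-twin, simulation, advisory-overlay
    authority: str    # observed, derived, simulated, predicted, proposed, executed
    statement: str


# Read scope and permitted outputs per serving view, from the table above.
# The (space, label) pairs and output names are assumptions for this example.
OPERATIONAL_FACTS = {("operational", "observed"), ("operational", "derived"), ("operational", "executed")}
SERVING_VIEWS = {
    "operational-now": {
        "reads": OPERATIONAL_FACTS,
        "outputs": {"current-state", "trace"},
        "blocked_by": set(),
    },
    "twin-as-of": {
        "reads": {("digital-twin", "observed"), ("digital-twin", "derived")},
        "outputs": {"state-comparison", "drift-report", "readiness-finding"},
        "blocked_by": set(),
    },
    "simulation-branch": {
        "reads": {("simulation", "simulated"), ("simulation", "predicted")},
        "outputs": {"scenario-outcome", "risk", "assumptions", "proposal"},
        "blocked_by": set(),
    },
    "operational-plus-advisory": {
        "reads": OPERATIONAL_FACTS | {("advisory-overlay", "predicted"), ("advisory-overlay", "proposed")},
        "outputs": {"recommended-next-move"},
        "blocked_by": {"hitl", "tool-gate"},
    },
}


def scope_facts(view: str, facts):
    """Split facts into those the view may read and those it must not see."""
    reads = SERVING_VIEWS[view]["reads"]
    in_scope = [f for f in facts if (f.space_type, f.authority) in reads]
    out_of_scope = [f for f in facts if (f.space_type, f.authority) not in reads]
    return in_scope, out_of_scope


def serve(view: str, output_kind: str, facts) -> dict:
    """Answer from one declared view only.

    Refuses output kinds the view cannot emit, drops every fact outside the
    view's read scope, and returns an insufficiency result instead of
    answering from facts that belong to another space. The returned
    'blocked_by' list names the gates a downstream consumer must still clear.
    """
    if view not in SERVING_VIEWS:
        raise PermissionError(f"undeclared serving view {view!r}")
    spec = SERVING_VIEWS[view]
    if output_kind not in spec["outputs"]:
        raise PermissionError(f"view {view!r} may not emit {output_kind!r}")
    in_scope, out_of_scope = scope_facts(view, facts)
    if not in_scope:
        return {"view": view, "result": "insufficient", "dropped": len(out_of_scope)}
    return {
        "view": view,
        "result": output_kind,
        "facts": [(f.authority, f.statement) for f in in_scope],
        "dropped": len(out_of_scope),
        "blocked_by": sorted(spec["blocked_by"]),
    }


if __name__ == "__main__":
    # Constructed facts: one admitted operational fact, one simulated claim.
    facts = [
        Fact("operational", "observed", "3 of 5 shift slots are filled"),
        Fact("simulation", "predicted", "shift falls to 1 of 5 under scenario urgent-staffing-001"),
    ]
    print(serve("operational-now", "current-state", facts))
    print(serve("operational-now", "current-state", facts[1:]))   # insufficient, not a guess
```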

Relationship To Realtime Agents

Realtime audio, video, and screen sessions are interaction inputs and evidence sources. They may help a human guide a simulation or inspect an operational trace. They do not grant write authority.

The live agent can say:

The simulation predicts staffing risk under this scenario.

It cannot say:

The team is understaffed.

unless the operational graph has an admitted observed or derived fact that supports that claim.
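The two sentences above, and the rule that labels are never flattened into unqualified facts, as a small rendering layer a realtime agent could speak through. This is an added example, not the platform's agent code; the `Assertion` shape with a `topic` field, the `QUALIFIED` phrasings, and the `speak` function are assumptions. The only path to an unqualified sentence is an observed, derived, or executed assertion that lives in the operational space; everything else keeps its label audible or results in a plain statement that no admitted fact exists.

```python
from dataclasses import dataclass
from typing import Optional

FACTUAL_LABELS = {"observed", "derived", "executed"}

# Phrasings that keep a non-factual label audible. Templates are assumptions.
QUALIFIED = {
    "simulated": "Inside the simulation branch{scenario}, {statement}.",
    "predicted": "The simulation predicts that {statement}{scenario}.",
    "proposed": "There is a proposal, not yet approved, that {statement}.",
    "approved": "An approved change set, not yet executed, will ensure {statement}.",
}


@dataclass(frozen=True)
class Assertion:
    topic: str
    space_type: str
    authority: str
    statement: str
    scenario: Optional[str] = None


def render(a: Assertion) -> str:
    """Phrase one assertion so that its authority label survives into speech."""
    scenario = f" under scenario {a.scenario}" if a.scenario else ""
    if a.authority in FACTUAL_LABELS:
        if a.space_type == "operational":
            return a.statement[0].upper() + a.statement[1:] + "."
        # An observed fact in a twin snapshot is as-of, not now (assumption).
        return f"As of the twin snapshot, {a.statement}."
    template = QUALIFIED.get(a.authority)
    if template is None:
        raise ValueError(f"unknown authority label {a.authority!r}")
    return template.format(statement=a.statement, scenario=scenario)


def speak(topic: str, admitted) -> str:
    """Answer about a topic from the admitted assertions.

    Prefers an operational observed/derived/executed fact; otherwise speaks
    only in the qualified form for whatever label exists; otherwise says so.
    """
    support = [a for a in admitted if a.topic == topic]
    factual = [a for a in support if a.authority in FACTUAL_LABELS and a.space_type == "operational"]
    if factual:
        return render(factual[0])
    if support:
        return render(support[0])
    return f"I have no admitted fact about {topic}."


if __name__ == "__main__":
    # Constructed assertions: the simulation's prediction, then the same claim
    # once the operational graph has actually observed it.
    sim = Assertion("staffing", "simulation", "predicted",
                    "the team is understaffed", "urgent-staffing-001")
    obs = Assertion("staffing", "operational", "observed", "the team is understaffed")
    print(speak("staffing", [sim]))        # qualified: the simulation predicts ...
    print(speak("staffing", [sim, obs]))   # unqualified: an observed operational fact exists
    print(speak("budget", [sim]))          # no admitted fact, say so
```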

UI Pattern

Workspace and Fleet Console should use three lanes:

| Lane | Graph space | User job |
| --- | --- | --- |
| Now | operational | See current admitted truth, trace, policy state, and live events. |
| What If | digital-twin and simulation | Explore scenarios, failures, assumptions, and projected outcomes. |
| Next Move | advisory-overlay and promotion-candidate | Review findings, approve proposals, request more evidence, or execute via tool gateway. |

This is the human-facing expression of the membrane.

First Implementation Slice

The first durable slice is contract-first:

  1. Register hypergraph.space.federation as the contract family.
  2. Add schemas for graph spaces, federation links, twin snapshots, simulation runs, simulation findings, and promotion candidates.
  3. Add a synthetic self-modeled systems engineering example.
  4. Validate that simulation exports cannot contain production mutation, raw PII, raw media, or executed operational assertions.
  5. Wire Demo Harness twin bindings to reference graph-space IDs and federation links.
  6. Add active hypergraph serving views for operational-now, twin-as-of, simulation-branch, and operational-plus-advisory.
  7. Add Fleet Console lanes: Now, What If, Next Move.

Contract Artifacts

The initial contract family is:

  • contracts/hypergraph-space.schema.json
  • contracts/federation-link.schema.json
  • contracts/twin-snapshot.schema.json
  • contracts/simulation-run.schema.json
  • contracts/simulation-finding.schema.json
  • contracts/promotion-candidate.schema.json
  • contracts/hypergraph-space-federation.example.json
  • tools/validate-hypergraph-space-federation.py

Non-Negotiable Rules

  1. A simulation never writes operational truth.
  2. A digital twin never grants production tool authority.
  3. Advisory overlays contain findings and proposals, not facts.
  4. Promotion candidates execute only after policy and HITL gates.
  5. Every action-bearing recommendation carries evidence, assumptions, policy exclusions, and rollback posture.
  6. Every graph assertion carries an authority label.
  7. Every federation link is deny-by-default.