Guard Architecture Matrix — S40 → Current → Target¶
Purpose: show exactly what changed between the last fully working session (S40) and today, and what the target state is after the two Atlas-mandated structural fixes. Orion implements the delta from Current → Target.
Summary¶
| Session | Ticks | Fills | Halt |
|---|---|---|---|
| S40 (last working) | 316 | 84 | duration_elapsed ✅ |
| S52 (most recent) | ~180 | 1 | manual SIGINT (engine blocked post-fill) |
S40 and S52 ran under the same hostile anchor regime (~100% saturation). The difference is entirely in the guard machinery added between Apr 19 and Apr 22.
Feature-by-Feature Comparison¶
| Feature | S40 (Apr 19) | Current (Apr 22) | Target (post-Atlas ruling) | Delta |
|---|---|---|---|---|
| Anchor saturation guard | ✅ Present | ✅ Present | ✅ Unchanged | — |
| Directional drift guard (A, B, C) | ✅ Present | ✅ Present | ✅ Unchanged | — |
| Inventory corridor guard | ✅ Present | ✅ Present | ✅ Unchanged | — |
| Drift C mode-awareness | ❌ Absent — C fired on counter values only, blind to engine state | ✅ C suppressed while ANCHOR_IDLE (containment fix) | ✅ Same — already correct | — |
| DEGRADED recovery path | ❌ Absent — DEGRADED had no exit except 300s truth-halt | ✅ Recovery evaluators for anchor, drift, corridor | ✅ Unchanged | — |
| Recovery cooldown | ❌ Absent | ✅ 120-tick cooldown per source after failed recovery | ✅ Unchanged | — |
| Episode counting | ❌ Absent — engine could stay in any state indefinitely | ✅ Per-source per-session count | ✅ Split into active_episode_count + idle_episode_count |
CHANGE |
| Episode limit halt | ❌ Absent | ✅ degraded_episode_limit_halt at 3 episodes (pooled) |
✅ degraded_episode_limit_halt gates on active_episode_count only |
CHANGE |
| ANCHOR_IDLE state | ❌ Absent — anchor saturation routed through DEGRADED, consumed episode budget | ✅ ANCHOR_IDLE is first-class state, no episode count | ✅ Unchanged (conceptually correct) | — |
| Idle-sourced episode accounting | ❌ N/A (no episode counting) | ❌ Idle-sourced episodes pool with active-sourced | ✅ Idle episodes tracked separately, do not trigger halt | CHANGE |
| Drift C fill history reset on ANCHOR_IDLE entry | ❌ N/A (no ANCHOR_IDLE) | ❌ Counter persists across idle boundary (FLAG-050) | ✅ _drift_ticks_since_opposing_fill reset to 0 on ANCHOR_IDLE entry |
CHANGE |
| Startup mode reset | ❌ Absent — stale DEGRADED state could carry forward | ✅ Present | ✅ Unchanged | — |
| Dual-signal anchor calibration (FLAG-048) | ❌ Absent | ✅ Present (50-tick warm-up required) | ✅ Unchanged — but now reachable once episode fixes land | — |
| Cancel-fill race fix (FLAG-047) | ❌ Absent | ✅ Present | ✅ Unchanged | — |
| Phantom fill protection (FLAG-037) | ❌ Absent | ✅ Present | ✅ Unchanged | — |
The Two Required Changes (Orion's Scope)¶
Only two things in the table above are marked CHANGE. Everything else either stays the same or was already correct.
Change 1 — Drift C fill history reset on ANCHOR_IDLE entry¶
What: Reset _drift_ticks_since_opposing_fill (and any other C-specific quoting-continuity state) to 0 when the engine enters MODE_ANCHOR_IDLE.
Why: Pre-idle fill imbalance is already handled by entering idle. Carrying the counter forward double-penalizes the same event — the engine exits idle, tries to quote, and C fires before it can place a single order.
What stays: A/B state, _drift_fills_seen_this_session, other non-C-specific counters.
Change 2 — Idle-sourced vs active-sourced episode accounting split¶
What: At DEGRADED entry, route episode increment to idle_episode_count[source] if current mode is MODE_ANCHOR_IDLE, else to active_episode_count[source]. degraded_episode_limit_halt gates on active_episode_count only. Idle count is tracked but does not trigger halt (exact idle limit TBD — Atlas has not yet set it).
Why: An idle-sourced DEGRADED is structurally different from an active-sourced DEGRADED. The engine was already paused. Burning the same safety budget for consequences of that pause defeats the purpose of ANCHOR_IDLE.
What S40 Had That Made It Work¶
S40 ran 316 ticks / 84 fills in a fully hostile anchor regime because:
- Guards were present and firing correctly
- No episode counting existed — the engine could stay in any guard state indefinitely
- No episode limit halt existed — no mechanism could terminate the session via guard interaction
- The session terminated naturally at
duration_elapsed
The target state after the two changes is not S40. It is a system with all the post-S40 safeguards intact, but with the interaction boundaries corrected so the engine can survive a hostile regime the way S40 did — by waiting it out, not by silently burning through an episode budget.
What Does NOT Change¶
Per Atlas: "We are not rolling back to S40."
The following post-S40 additions are directionally correct and stay: - Truth reconciliation (FLAG-036, FLAG-037, FLAG-047) - DEGRADED recovery evaluators (FLAG-042) - Recovery cooldown as anti-oscillation (FLAG-044) - ANCHOR_IDLE as regime pause (FLAG-046) - Dual-signal anchor calibration (FLAG-048) - Startup mode reset
— Vesper 2026-04-22