News Part of the AUTHREX Application Set: one Kernel architecture, six application profiles
VIEWING 01 / 06MISSIONAUTHREX-SPACECYBER
● ONBOARD ORBITAL AUTHORITY · REFERENCE ARCHITECTURE

AUTHREX-SPACECYBER
When Ground Control Is Light-Minutes Away

In space the human is structurally out of the loop: minutes of contact per pass, or light-minutes of delay. SPACECYBER runs the governance pipeline onboard: data freshness checked, authority scaled to consequence, and when there is no time to ask ground, the vehicle enters a governed safe-hold instead of gambling on a blind burn.

4 ONBOARD GATESSAFE-HOLD DEFAULT UNDER UNCERTAINTY23,748 TLA+ STATESSPD-5 ALIGNEDTRL 2-3 SELF-ASSESSED HARDWARE
[ The Concept ]

Act Alone, or Wait: A Governed Decision.

  • Hard-coded fault responses: brittle, and can act on bad or stale data
  • Or conservative safe-modes: safe, but waste opportunities and mishandle novel faults
  • No bounded, evidence-checked authority model for novel onboard decisions
  • A stale conjunction warning can trigger a wasted or dangerous maneuver
  • SATA checks whether the triggering data is fresh and trusted before anything else
  • HMAA sets the authority tier by the consequence of the proposed response
  • FLAME asks whether there is time to reach ground before committing
  • Default under uncertainty is a governed safe-hold with CARA holding the safe state
VIEWING 02 / 06WHO IT SERVESAUTHREX-SPACECYBER
[ Who It Serves ]

Between "Act Now" and "Safe-Hold for Ground."

Satellite Operators

Operators of LEO constellations get vehicles that can handle anomalies between contacts without either freezing (and risking the asset) or acting recklessly on stale data. The proposed policy engine classifies registered actions using configured consequence, data-freshness, and time-to-contact rules, distinguishing "act now" from "safe-hold for ground" within the stated design.

Mission Designers

Designers of autonomous spacecraft get a bounded authority model they can reason about: registered action classes are intended to be assigned authority tiers, freshness checks, and recovery paths in the proposed design, so autonomy is auditable rather than a black box.

NASA & Civil Space

Civil-space programs pursuing autonomous onboard health management get a governance reference that is mapped by the author to publicly described NASA interests in autonomous onboard health management and resilient spacecraft operations; proposed safety constraints are represented in the architecture and must be implemented, tested, and independently evaluated.

VIEWING 03 / 06NATIONAL CASEAUTHREX-SPACECYBER
[ The National Case ]

A Governance Reference Architecture for Delayed-Communication Space Operations.

Autonomous onboard capability appears in publicly described NASA interest areas, and space-system safety is a directive-level concern:

Author-mapped to a public NASA subtopic

NASA SBIR 2026 BAA subtopic EXPAND.3.S26B seeks autonomous onboard health management for small spacecraft and distributed systems. SPACECYBER is a governance reference for exactly that: onboard autonomy that is bounded, evidence-checked, and reversible.

It supports space-system safety policy

Space Policy Directive 5 addresses cybersecurity principles for space systems. A governed onboard authority model, where the vehicle will safe-hold rather than act on untrusted data, is a concrete safety control aligned with that direction.

It protects national space assets

Space assets are expensive, scarce, and strategically vital. The proposed governance layer is designed to reduce the risk of a satellite acting on spoofed or stale data by selecting a configured safe-hold response under the modeled conditions, addressing both faults and manipulation.

It is the same pipeline the other five files exercise

SPACECYBER is the AUTHREX pipeline instantiated for orbit, the same governance core used across the other domains. One shared, model-checked pattern serving space reduces the cost of trusting autonomy in a high-stakes environment.

VIEWING 04 / 06HEILMEIER CATECHISMAUTHREX-SPACECYBER
[ The DARPA Questions ]

The Heilmeier Catechism, Answered Plainly.

Govern what a spacecraft is allowed to do on its own when ground control is too far away to ask in time, and make it safe-hold instead of guessing when data is uncertain. No jargon: teach the satellite when to act alone and when to wait.

Today, onboard autonomy is either hard-coded fault responses (brittle, can act on bad data) or conservative safe-modes (safe, but waste opportunities and can still mishandle novel faults). Neither has a bounded, evidence-checked authority model for novel autonomous decisions.

Running an explicit authority pipeline onboard , where the decision to act versus safe-hold depends on data freshness, action consequence, and whether there is time to reach ground. The vehicle defaults to a governed safe-hold under uncertainty rather than to action.

Satellite operators, mission designers, and NASA care. If it works, autonomous spacecraft handle anomalies between contacts without either freezing or acting on bad data, reducing risk to high-value space assets, within the stated design assumptions.

The main risks are over-conservatism (safe-holding when it should act, wasting a window) and the radiation-hardness and compute limits of running governance logic on a flight processor. The simulation shows the act/hold logic; the flight-compute budget is a hardware design parameter.

The reference platform, BLADE-SPACE, is a preliminary design around rad-hard flight parts (the most expensive of the AUTHREX platforms, approximately $505K in the reference BOM, reflecting space-grade components). The governance logic itself is software.

The architecture and simulation exist now (self-assessed TRL 2 to 3 for the space hardware). Maturing it toward flight is a multi-year path; the governance logic can be validated in a hardware-in-the-loop testbed much sooner.

Midterm: in simulation, the vehicle safe-holds on a stale-data conjunction warning and acts on a fresh, low-consequence one. Final: the governance logic runs on a representative flight processor in a hardware-in-the-loop testbed within the compute and power budget.

VIEWING 05 / 06LIGHT-SPEED DELAY DECISIONAUTHREX-SPACECYBER
[ Try It ]

Make the Light-Speed Delay Decision.

An anomaly is detected onboard. Set how far ground is (the signal delay), pick the situation, then run it. The vehicle decides whether to act onboard within its authority, or to enter a governed safe-hold and wait. Illustrative simulation, not operational validation.

GROUND SIGNAL DELAY
◇ THE LIGHT-SPEED DELAY DECISIONSET DELAY · PICK · RUN
01SATAIs the triggering data fresh & trusted?STANDBY
02HMAAAuthority tier set by action consequenceSTANDBY
03FLAMEIs there time to wait for ground?STANDBY
04CARASafe-state held if uplink never arrivesSTANDBY
[ READY ] AWAITING ONBOARD ANOMALY

Synthetic scenarios; no real spacecraft is commanded.

VIEWING 06 / 06FOUNDATION & SCOPEAUTHREX-SPACECYBER
[ Formal-Methods Foundation ]

Model-Checked, Not Just Described.

Every AUTHREX application shares one model-checked authority core: the HMAA authority state machine, specified in TLA+ and model-checked across the stated finite model. The checker also caught a real S5 view-change regression during development, evidence the method finds defects rather than rubber-stamping them.

The profiles share a model-checked authority-state specification. Results apply to the finite model, properties, and assumptions analyzed and do not validate a spacecraft, vehicle, controller, or operational integration.

23,748 REACHABLE STATES6 PROPERTIES VERIFIED2 VACUOUS AT BOUNDTLA+ FORMAL SPEC
[ Anchors & Honest Limitations ]

What This Rests On, and What It Is Not.

FEDERAL ANCHORS

NASA SBIR 2026 BAA subtopic EXPAND.3.S26B (autonomous onboard health management for small spacecraft) · Space Policy Directive 5 · hardware anchor: BLADE-SPACE →

HONEST LIMITATIONS

Reference architecture; the space hardware (BLADE-SPACE) is a preliminary design, self-assessed at TRL 2 to 3, not flight-qualified. Running governance logic within a real flight processor’s radiation, compute, and power budget is a hardware design parameter, not yet demonstrated. The act-versus-safe-hold thresholds are one researcher’s analytical judgment, released for independent review. No agency adoption or endorsement is implied.