Idea: Agentic Undo & CRDT Attribution for Human-AI Co-Creation

Origin: Originally tracked as Strategic Blind Spot SB-19. Relocated to ideas because it represents Phase 3 F&E for AP28, not an immediate architectural risk for the current phase.

1. Problem Statement & Context

When non-deterministic AI agents and human dispatchers collaborate synchronously on the same document using Conflict-free Replicated Data Types (CRDTs like Loro or Yjs), the underlying data structures natively lack semantic actor-type metadata.

If an AI agent hallucinates or makes a suboptimal route change, the human dispatcher needs the ability to selectively undo only the AI's contributions (Agentic Undo) without losing their own parallel edits. No current CRDT framework provides this out of the box because CRDTs resolve conflicts mathematically based on causality and logical timestamps, not on user intent or actor classification.

Relevant Work Packages

This sits at the intersection of three major architectural initiatives:

• AP18 (CRDT Infrastructure): Establishes the Loro/Yjs sync, relational projections, and GoBD audit trails.
• AP9 (Agentic Governance): Defines the guardrails, blast radius, and access control for AI as a "virtual workforce".
• AP28 (Human-AI Co-Creation): The direct effort to implement synchronous agentic workflows in realtime environments, which explicitly requires Agentic Undo and Provisional State Awareness.

---

2. Technical Analysis

A. The Limitation of Standard CRDTs

CRDTs (like Loro's DAG or Yjs's doubly-linked list of Item blocks) identify operations using a unique client_id. While this allows the system to trace an operation back to a specific socket connection, it lacks semantic context:

1. Actor Type Omission: The CRDT core does not know if client_id: A is a human or an AI agent.
2. Intent Blindness: Operations are atomic (e.g., "Insert char 'x' at position 5"). The intent of a batch of operations (e.g., "AI optimized route schedule") is lost at the CRDT primitive level.

B. The Selective Rollback Challenge (Agentic Undo)

Standard undo managers (like y-undo or Loro's Undo/Redo) operate chronologically per client_id. They reverse the exact operations the local client performed.

• Agentic Undo requires a selective rollback: finding all operations contributed by client_id: AI, computing their inverse, and applying them as new operations.
• The Concurrency Trap: If the AI adds a stop to a route (Stop B), and the human immediately attaches a note to Stop B, selectively undoing the AI's insertion of Stop B creates an integrity conflict. The human's note becomes an orphaned node or the document enters a semantically invalid state, even if it is mathematically conflict-free.

C. Speed vs. Intent Conflict

As outlined in AP28, AI agents mutate data at superhuman speeds. A human might be reading a provisional state while the AI has already altered the downstream nodes. By the time the human reacts, the state they are reacting to might be stale, leading to conflicting intents merging gracefully (mathematically) into a nonsensical business reality.

---

3. Strategic & GoBD Implications

• Auditability (AP18): GoBD requires that financial or operative state changes are uniquely attributable. If the relational projection service merges a CRDT state into Postgres without distinguishing AI vs. Human actions, the change_events audit trail fails to reflect whether a change was autonomous or human-driven.
• Liability & Governance (AP9): If a human dispatcher cannot quickly and safely revert an AI's destructive interference, the AI violates the "blast radius" principles of the Agentic Governance model.

---

4. Potential Solution Vectors & Research Paths

To bridge the gap between mathematical CRDT merge mechanics and semantic domain logic, there are three research paths:

Path 1: Granular Operation Tagging & client_id Segregation

• Mechanism: Assign dedicated client_id ranges or metadata tags to AI agents. Use CRDT extensions to annotate batches of AI operations with a transaction_id and actor_type: 'AI'.
• Pros: Keeps everything in a single document.
• Cons: High write-amplification. Does not solve the "Concurrency Trap" (what happens to human edits on AI-created data when the AI data is reverted).

Path 2: Shadow Branching & Provisional States (Recommended)

• Mechanism: The AI agent does not write directly to the main CRDT branch. Instead, it forks a "shadow branch" or uses version vectors (frontiers) to maintain a parallel state. The UI renders the AI's suggestions as an overlay (Provisional State). The human dispatcher explicitly "accepts" the diff, merging the shadow branch into the main branch under the human's client_id (or a dual-signed transaction).
• Pros: Completely sidesteps the "Agentic Undo" problem. If the human dislikes the AI's work, the shadow branch is simply discarded. Zero risk of corrupting the human's parallel work.
• Cons: Requires a complex UI to render CRDT diffs in real-time. The projection service must ignore shadow branches.

Path 3: The "Draft Entity" Boundary Layer

• Mechanism: Constrain the AI's access to only specific fields or "draft" sub-documents within the CRDT. For example, the AI can reorder a proposed_itinerary list, but cannot mutate the active_itinerary list.
• Pros: Enforces blast radius natively via data structure design.
• Cons: Limits the true "Co-Creation" vision.