# Comparative Synthesis: Recurring Meta-Rules and Recurring Failure Modes

**Status:** Research input to Kernel v0.1 — normative for design, not itself part of the constitution.
**Inputs:** `01-national-constitutions.md` (national/state systems), `02-nonstate-systems.md` (open-source foundations, DAOs, co-operatives, deliberative bodies).
**Output:** The meta-rule shortlist and failure-mode catalog that the kernel articles must answer, with a traceability table mapping each failure mode to a kernel countermeasure and a future constitutional test ID.

---

## 0. Method recap

Across the two comparative documents we surveyed 24 systems:

| # | System | Class |
|---|--------|-------|
| 1 | United States Constitution (1789–) | National |
| 2 | German Basic Law (1949–) | National |
| 3 | Swiss Federal Constitution (1999 rev.) | National |
| 4 | Constitution of India (1950–) | National |
| 5 | Constitution of South Africa (1996–) | National |
| 6 | French Fifth Republic (1958–) | National |
| 7 | UK uncodified constitution | National |
| 8 | Weimar Constitution (1919–1933) | National (failed) |
| 9 | Iceland crowd-sourced draft (2011–13) | National (unratified) |
| 10 | Chile constitutional process (2019–23) | National (rejected drafts) |
| 11 | Japan Constitution (1947–, zero amendments) | National |
| 12 | Alabama Constitution (1901, ~1000 amendments) | Sub-national (pathological control) |
| 13 | Debian (Constitution + GRs) | Open source |
| 14 | Apache Software Foundation | Open source |
| 15 | Python (PEP process; BDFL → Steering Council) | Open source |
| 16 | Rust (RFC process, council, moderation crisis 2021–23) | Open source |
| 17 | IETF (rough consensus and running code) | Standards body |
| 18 | Wikipedia / Wikimedia governance | Commons |
| 19 | MakerDAO / Sky | DAO |
| 20 | ENS DAO | DAO |
| 21 | Optimism Collective (bicameral) | DAO |
| 22 | Nouns DAO (incl. the 2023 "rage-quit" fork) | DAO |
| 23 | Mondragon Corporation | Co-operative federation |
| 24 | Robert's Rules of Order / classical parliamentary procedure | Procedural canon |

Plus two analytic frameworks used as lenses rather than systems: **Ostrom's eight design principles** for commons governance, and **Hirschman's exit/voice/loyalty** triad.

Scoring convention used below: a meta-rule or failure mode is marked **recurrent** if it appears in ≥8 of the 24 systems, **dominant** if ≥16.

---

## Part I — Meta-rules that recur

These are the rules-about-rules that independent traditions keep reinventing. Recurrence across systems with no shared lineage (e.g., the Swiss double-majority and Optimism's bicameral houses; Debian's GR quorum and Mondragon's assembly quorum) is the strongest evidence available that a mechanism is load-bearing rather than ornamental.

### M1. Tiered amendment difficulty — *dominant (21/24)*
Almost every surviving system distinguishes at least two tiers of change: ordinary decisions at simple majority, structural change at a higher bar. Many run three tiers (ordinary / structural / entrenched). The systems that *don't* tier — UK parliamentary sovereignty, early BDFL projects, single-multisig DAOs — concentrate the most catastrophic failure modes (F3, F12).

> **Kernel consequence:** semver for governance is the native encoding of tiering. PATCH = clarification, MINOR = compatible addition, MAJOR = kernel-breaking, INVARIANT-tier = effectively a fork event. (Article IX, Article II.)

### M2. Mandatory delay between proposal and ratification — *dominant (19/24)*
Multiple readings (parliamentary canon), bicameral passage, India's notice periods, Debian's minimum discussion period, MakerDAO's Governance Security Module delay, the ASF's 72-hour vote window. Delay is the cheapest known defense against snap capture and emotional cascades. The notable counter-case is the DAO flash-loan governance attack class (Beanstalk, 2022: $182M drained in a single block via borrowed voting power) — exactly the systems that skipped M2.

> **Kernel consequence:** non-overridable *minimum* review and voting windows, scaled by tier. Userland may lengthen, never shorten below kernel floors. (Article II §2.4.)

### M3. Quorum and participation floors — *recurrent (17/24)*
Nearly universal in membership organizations (Debian: 3×Q where Q derives from developer count; Mondragon; co-op law generally) and in referendum-based nations (Italy's 50% referendum quorum). National legislatures usually have chamber quorum. DAOs learned it painfully (early proposals passing with <1% of supply voting).

But quorum is double-edged — see F2. Italy's abrogative referendums are routinely killed by *boycott* (opponents stay home to deny quorum), converting absence into a "no" vote. Several modern systems therefore use **participation-relative** thresholds (Debian's Q scales with active developers) rather than fixed ones.

> **Kernel consequence:** quorum defined against *active membership* (defined in-kernel), with an anti-boycott provision: a quorum-failed vote at a given tier re-runs once with a reduced quorum floor, announced in advance — removing the incentive to boycott rather than vote no. (Article III §3.3–3.4.)

### M4. Supermajority for structural change — *dominant (20/24)*
2/3 is the modal figure (US Congress proposal stage, Germany, Japan, ASF for some actions, most co-op bylaws); 3/4 appears at ratification stages (US states, some DAO constitutions); Debian uses 3:1 for constitutional changes. Systems that demand near-unanimity (Articles of Confederation: 13/13; Poland's *liberum veto*) died of rigidity; the lesson cuts both ways.

> **Kernel consequence:** MAJOR changes at 2/3 of votes cast with quorum, INVARIANT amendments effectively require the fork path (see M7) — we deliberately do not offer a "high enough" supermajority for invariants, because every historical "eternity clause with an escape hatch" became the escape hatch (F3).

### M5. Entrenchment / eternity clauses — *recurrent (11/24)*
Germany's Art. 79(3) (human dignity, federal democratic order unamendable), India's judge-made basic-structure doctrine, the US equal-suffrage-in-Senate clause, several DAO constitutions' "unalterable" sections. Entrenchment works **only when paired with an independent interpreter willing to enforce it** (Germany, India) and is dead letter otherwise. Pure-text entrenchment with no enforcement mechanism (Weimar's rights chapter) protected nothing.

> **Kernel consequence:** the invariant set (Article IV) is entrenched, and its enforcement is *mechanical where possible* (CI tests block ratification of violating text) rather than purely interpretive. What cannot be mechanized routes through Article V interpretation with the invariants as supreme law.

### M6. An interpreter independent of the rule-maker — *recurrent (16/24)*
Constitutional courts (Germany, South Africa, India), the US judiciary, Debian's Technical Committee and Secretary (who rules on constitutional interpretation), Wikipedia's ArbCom, Rust's moderation team (whose 2021 mass resignation demonstrated what happens when the interpreter has responsibilities but no power). Where the same body writes, executes, *and* interprets the rules, interpretation drifts toward incumbent convenience within a generation.

> **Kernel consequence:** Article V creates an interpretation role that is (a) selected by sortition from members plus confirmation vote, (b) term-limited, (c) bound to written, published reasoning, and (d) overridable only by a tier-appropriate amendment — not by the ordinary majority of the day.

### M7. Exit and fork rights — *recurrent in non-state systems (12/24 overall; near-universal in OSS/DAO)*
The single sharpest divide between state and non-state governance. Nations almost never grant exit (secession clauses are vanishingly rare; the few that exist — Ethiopia Art. 39 — are contested). Open source treats forking as a constitutional fact (every OSI license guarantees it), and it demonstrably disciplines incumbents: the *threat* of the fork keeps maintainers honest far more often than forks actually occur (XFree86→X.Org, OpenOffice→LibreOffice, Node→io.js→reunification). Nouns DAO 2023 went further and built **fork-with-assets**: a dissenting quorum can exit *with their pro-rata share of the treasury*, which converts exit from a punishment into a credible bargaining position.

> **Kernel consequence:** Article VII makes the fork a first-class constitutional act: any member may fork the text freely; a qualifying dissenting bloc may trigger a *recognized fork* with defined treatment of shared assets (parameterized by userland within kernel bounds). This is the kernel's ultimate backstop — every other protection can fail and members still have a lawful exit that doesn't strand them.

### M8. Explicit, bounded emergency provisions — *recurrent (10/24)*
Most national constitutions have them; most non-state systems don't and improvise (Rust 2021, MakerDAO emergency shutdown being a rare designed exception). The comparative record is brutal: **unbounded** emergency powers are the leading proximate cause of constitutional death (Weimar Art. 48 used 100+ times before 1933; emergency rule in India 1975–77 nearly ended its democracy). But systems with *no* emergency pathway either break their own rules under stress (creating precedent that rules are optional) or fail to respond at all. The successful pattern — post-1949 Germany, South Africa §37 — is: emergency powers exist, are narrow, **self-expire**, cannot amend the constitution, and are reviewed by the independent interpreter.

> **Kernel consequence:** Article VI: emergency actions are enumerated-power, auto-sunsetting, cannot touch the kernel or invariants, require retroactive ratification, and every invocation is itself a ledger event and a future test case.

### M9. Sunset and mandatory-review clauses — *moderate (8/24)*
South Africa §37 (states of emergency expire in 21 days unless renewed at escalating thresholds), US appropriations (the entire budget sunsets annually — for better and worse), many DAO grants programs, Texas-style sunset commissions. Underused in constitutional text generally; where used, it forces the affirmative re-justification of power instead of its passive accumulation.

> **Kernel consequence:** emergency powers sunset (M8); userland modules may declare sunsets; the kernel itself mandates a periodic constitutional review trigger (Article IX §9.5) that *forces a vote on whether to open a review*, not a forced revision.

### M10. The change process is itself codified and versioned — *recurrent in non-state systems (10/24)*
PEP 1 governs PEPs; the Rust RFC process is an RFC; Debian's constitution specifies how to amend the constitution; IETF's process is RFC 2026 and successors. Nations codify amendment *thresholds* but rarely amendment *workflow* (who drafts, how text is fixed, how versions are identified) — and that gap is exploited (riders, omnibus bundling, last-minute substitution; see F1).

> **Kernel consequence:** Article II specifies the full pipeline — proposal format, single-subject rule, freeze point after which text cannot change without restarting the clock, canonical text hashing — so that "what exactly are we voting on" is never ambiguous.

### M11. Term limits and role rotation — *recurrent (13/24)*
Presidential term limits, Debian's annual DPL election, ASF annual board elections, Mondragon's rotating council seats, ArbCom terms. Rotation is the structural defense against the slow conversion of office into property. Systems without it (BDFL projects, lifetime court appointments) rely on the officeholder's personal virtue — which works until it doesn't, and the failure is unrecoverable from inside.

> **Kernel consequence:** every kernel-defined role has a kernel-defined maximum term and a recall mechanism (Articles V, VI); userland roles inherit the same requirement as a module-spec constraint.

### M12. Transparency: decisions on a public, append-only record — *dominant in non-state (15/24)*
Parliamentary journals are the ancient form; git history, mailing-list archives, and on-chain ledgers are the modern ones. The systems with the strongest legitimacy under stress are the ones where any member can independently reconstruct *what was decided, by whom, under which rule, when* — Debian GRs, on-chain DAO votes. Secret or reconstructible-only-by-insiders decision records are the precondition for F11 (text/practice divergence).

> **Kernel consequence:** Article VIII: all constitutional acts (proposals, votes, interpretations, emergency invocations, membership changes, treasury movements in dogfooding mode) are valid **only when recorded** on the public ledger. Unrecorded acts are void, not merely improper.

---

## Part II — Failure modes that recur

Each entry: mechanism, exhibits, and the design obligation it imposes. IDs (F1–F12) are stable and will be referenced by the kernel annotations and the constitutional test suite (CT- IDs reserved here; the suite ships in a later milestone).

### F1. Ambiguity exploitation — *the universal solvent*
Every surveyed system has been attacked through underspecified text: what counts as a "natural-born citizen," whether the VP "presides" or *decides* over electoral count (US 2020–21, patched only afterward by the Electoral Count Reform Act 2022), what "rough consensus" means when the chair is a partisan, whether a DAO "constitution" binds the multisig that actually holds the keys. Ambiguity is not neutral: it resolves in favor of whoever holds power at the moment of dispute.
**Obligation:** every kernel term used operationally gets an Article 0 definition; every article annotation lists its known ambiguity surface; the test suite's first job is adversarial reading. → **CT-AMB-\***

### F2. Quorum attacks (both polarities)
(a) **Boycott to deny quorum**: Italian referendums; chamber-fleeing legislators (Texas 2003/2021, Oregon 2019–23); DAO proposals strangled by organized abstention. (b) **Snap votes in low-attention windows**: holiday-scheduled votes, flash-loan governance (Beanstalk 2022), Wikipedia RfCs closed before the relevant community notices.
**Obligation:** quorum floors that scale with active membership; mandatory notice and minimum-duration windows; the announced quorum-step-down re-vote that removes the boycott payoff; vote-weight snapshots taken *before* proposal publication to kill flash acquisition. → **CT-QRM-\***

### F3. The emergency ratchet
Powers claimed under emergency are rarely returned. Weimar Art. 48; Hungary's renewable "state of danger" (2020–, repeatedly extended); post-9/11 authorities still in force two decades later. The ratchet mechanism is always the same: the emergency power has **no self-executing expiry** and the body that would have to repeal it benefits from it.
**Obligation:** sunsets that require *affirmative renewal at escalating thresholds*; an absolute bar on emergency modification of the kernel/invariants; mandatory post-hoc review converting every invocation into a regression test. → **CT-EMG-\***

### F4. Interpreter capture
Pack the body that decides what the rules mean and you've amended the constitution without an amendment: court-packing campaigns (US 1937 attempt; Hungary 2010–13 and Poland 2015–23 executed versions), DAO "constitutions" interpreted by the foundation that wrote them, a project's code of conduct enforced by the people it would most plausibly apply to.
**Obligation:** interpreter selection by sortition+confirmation (no faction can *choose* its judges), fixed body size as a kernel parameter with bounds, staggered short terms, and a written-reasoning requirement that makes capture visible. → **CT-INT-\***

### F5. Plutocratic weighting and vote-buying
Token-weighted DAO voting reliably produces whale rule (most major DAO votes are decided by <10 addresses); historical property-qualified suffrage is the same mechanism. Delegation was supposed to fix participation and instead created delegate cartels (Curve/Convex-style governance markets make vote-buying a literal, liquid market). One-member-one-vote systems (Debian, Mondragon, co-op law) have their own pathologies (Sybil pressure, F6) but do not exhibit *this* one.
**Obligation:** the kernel hard-codes one-member-one-vote for **kernel-tier** decisions, non-overridable. Userland may weight votes for its own substantive decisions (a DAO weighting treasury allocation by stake is legitimate userland) but can never weight the rules-about-rules. Membership criteria (the Sybil surface this creates) become a first-class parameterized section with kernel bounds. → **CT-PLU-\***

### F6. Participation decay → de facto minority rule
Wikipedia's shrinking administrator corps, DAO turnout collapsing below 5%, co-op AGMs attended by the same eleven people for a decade. The constitution still says "the members decide"; in practice an unaccountable active core decides. This failure is slow, invisible, and *the most common of all* — most systems die of apathy, not coup.
**Obligation:** "active member" is a defined, measured status; quorum tracks it; the ledger publishes a live participation metric; and the kernel's review trigger (M9) fires on participation collapse, forcing the question into the open rather than letting it rot. → **CT-PRT-\***

### F7. Mis-calibrated amendment difficulty (both directions)
Too hard: the US (Article V's bar plus modern polarization yields the 203-year latency this project is named for; defunct text accumulates and interpretation mutates to compensate — amendment-by-judiciary). Too easy: Alabama (~1000 amendments; the constitution becomes an ordinary statute book and loses its coordinating power); early DAOs where a single proposal could rewrite everything.
**Obligation:** tiering (M1) with calibrated, *empirically revisable* thresholds — the thresholds themselves are MINOR-amendable parameters within kernel-set bounds, so the system can tune its own stiffness without a constitutional crisis. The release-cadence counter is the instrument panel for this. → **CT-AMD-\***

### F8. Constitutional hardball / norm dependence
Written rules everywhere float on unwritten norms, and adversaries win by complying with the text while torching the norms: refusing to consider nominations, gaming the calendar, "lawful but awful" procedural play. The Weimar lesson restated: a constitution that requires good faith from all players to function does not have a failure mode, it *is* one.
**Obligation:** this is the deepest obligation and the reason for the project's central asymmetry — *optimism in the defaults, paranoia in the tests*. Wherever the comparative record shows a norm being load-bearing, the kernel either codifies it (mandatory consideration windows, anti-bundling, deadline-default outcomes so that inaction has a defined result rather than being a veto) or explicitly hands it to the test suite as an adversarial scenario. → **CT-HDB-\***

### F9. Exit suppression
CLAs and trademark control used to make forks nominally legal but practically impossible; non-competes; nations criminalizing secession advocacy; DAOs where exit means abandoning your share of the commons. When exit is suppressed, voice loses its credibility (Hirschman) and grievances accumulate toward rupture instead of reform.
**Obligation:** Article VII's fork right is itself invariant-protected; the kernel mandates that everything needed to fork (full text, full ledger, member list under privacy constraints) is continuously exportable; asset treatment on recognized forks is parameterized but bounded so userland cannot reduce it to confiscation. → **CT-FRK-\***

### F10. Retroactivity and targeted rules
Bills of attainder, ex post facto punishment, "rules" written to apply to one named enemy. Universally condemned across legal traditions and *still* regularly attempted (DAO proposals to seize a specific address's tokens; project votes to expel a named member under a rule invented that day).
**Obligation:** a generality requirement and non-retroactivity in the invariant set (Article IV), mechanically testable: a proposed rule naming specific members, or attaching consequences to past lawful conduct, fails CI before it reaches a vote. → **CT-RET-\***

### F11. Text/practice divergence (dead letters)
The Soviet 1936 constitution's rights chapter; corporate bylaws nobody has read; the gap between a DAO's published constitution and what its multisig actually does. Divergence is fatal because it converts the constitution from a coordination device into camouflage.
**Obligation:** the ledger-validity rule (M12) — acts not recorded under the constitution's procedures are *void* — plus the Incumbent Benchmark's later role: continuously replaying real events against the text keeps the text honest. → **CT-DIV-\***

### F12. Founder and admin backdoors
The BDFL who can override any vote; the deployer key that can upgrade the contract; the foundation board that "stewards" the community constitution it can also ignore; the project where governance is real *except* for the npm publish rights. Every non-state system surveyed launched with at least one backdoor; the healthy ones (Python 2018, ASF at founding) executed an explicit, scheduled handover.
**Obligation:** Article IX includes a **bootstrap clause**: founder privileges are enumerated, published, sunset on a fixed schedule, and their exercise is ledger-recorded. FablePool dogfoods this — the build agent and project founders operate under the same clause, and the first scheduled sunset is itself a milestone. → **CT-BCK-\***

---

## Part III — Traceability: failure mode → kernel countermeasure → test family

This table is the contract between this research and the kernel text. Every row must be satisfiable by pointing at specific article language; the kernel design doc and annotations cite back to these IDs.

| Failure | Kernel countermeasure | Article(s) | Test family |
|---|---|---|---|
| F1 Ambiguity | Definitions article; annotation of attack surface; adversarial-reading CI | 0, all | CT-AMB |
| F2 Quorum attacks | Activity-scaled quorum; notice/duration floors; step-down re-vote; pre-proposal snapshots | II, III | CT-QRM |
| F3 Emergency ratchet | Enumerated powers; auto-sunset; escalating renewal; kernel untouchable in emergency | VI | CT-EMG |
| F4 Interpreter capture | Sortition+confirmation; bounded body size; staggered terms; written reasoning | V | CT-INT |
| F5 Plutocracy | One-member-one-vote for kernel tier, non-overridable; bounded membership criteria | I, III, IV | CT-PLU |
| F6 Participation decay | Defined active membership; live participation metric; collapse-triggered review | I, VIII, IX | CT-PRT |
| F7 Mis-calibrated difficulty | Tiered semver; thresholds tunable within bounds; cadence counter | II, IX | CT-AMD |
| F8 Hardball | Deadline-default outcomes; anti-bundling; mandatory consideration; codified norms | II, III | CT-HDB |
| F9 Exit suppression | Invariant fork right; continuous exportability; bounded asset treatment | IV, VII | CT-FRK |
| F10 Retroactivity | Generality + non-retroactivity invariants; mechanical pre-vote check | IV | CT-RET |
| F11 Dead letters | Ledger-validity rule (unrecorded acts void); Incumbent Benchmark replay | VIII | CT-DIV |
| F12 Backdoors | Bootstrap clause: enumerated, published, sunsetting founder powers | IX | CT-BCK |

---

## Part IV — Open tensions the kernel must hold, not resolve

1. **Rigidity vs. adaptability (F7's two horns).** Resolved procedurally, not substantively: thresholds are parameters with bounds, and the cadence counter makes stiffness observable. The kernel's bet is that a system that can *see* its own amendment latency will tune it.
2. **Sybil resistance vs. open membership (created by the F5 fix).** One-member-one-vote pushes the attack to the membership boundary. The kernel cannot solve identity; it can only force every instance to declare its membership criteria explicitly, bound them with invariants (no criteria that violate Article IV), and test them adversarially. This is the largest acknowledged open surface in v0.1.
3. **Mechanical enforcement vs. judgment.** CI can block a rule that names a member; it cannot detect a rule *engineered* to apply to exactly one member without naming them. Every mechanical check has an interpretive backstop in Article V, and the division of labor between them is annotated per-article rather than pretended away.
4. **Exit-with-assets vs. commons integrity.** Nouns-style fork rights discipline majorities but can be weaponized for treasury raids (fork in, vote to fail, rage-quit out with assets). The kernel sets bounds (tenure requirements, pro-rata caps, cool-down) and leaves calibration to userland — flagged for adversarial self-play in the later milestone.

These four tensions are carried forward as standing items in the kernel design doc (`docs/design/kernel-design.md` §8) and are the seed list for the adversarial self-play milestone.