# Kernel Design Document — Constitution v0.1

**Status:** Normative for the v0.1 kernel text (`kernel/constitution.md`). Cites `docs/research/comparative/03-synthesis.md` (meta-rules M1–M12, failure modes F1–F12) and `docs/research/04-moral-convergence.md` (invariants INV-1–6).

---

## 1. Goals and non-goals

**Goals**

1. A constitutional **kernel** of ~10 articles containing *only* meta-rules — how rules change, who votes, what quorum means, how disputes are interpreted, how emergencies are bounded, how members exit — plus the six entrenched invariants.
2. **Parameterization without forking the text**: one canonical kernel; every instance (a family, a Discord server, a DAO) differs only in a validated config. Same document, different config.
3. **Testability as a first-class property**: every article declares its attack surface; every clause is written so a violation is *detectable*, mechanically where possible.
4. **Scale-invariance within reason**: the kernel must function from N=3 (a household) to N≈10⁵ (a large online polity) by parameter choice alone. Beyond that is explicitly future work.

**Non-goals (v0.1)**

- No substantive policy: no property, speech, or distribution rules (moral-convergence §5).
- No identity solution: the kernel *requires* each instance to declare membership criteria and bounds them; it does not solve Sybil resistance (synthesis Part IV, tension 2).
- No software enforcement layer yet: v0.1 is text + spec + configs. The vote-gate CI and test suite are subsequent milestones; this document reserves their interfaces (CT- test families, ledger event types).

## 2. The layer model

```
┌──────────────────────────────────────────────┐
│ Layer 3: INSTANCE   one group's config       │  e.g. examples/family.config.json
│ (validated JSON conforming to the schema)    │
├──────────────────────────────────────────────┤
│ Layer 2: USERLAND MODULES  substantive rules │  spec/userland-module-spec.md
│ (treasury, moderation, chores, grants…)      │
├──────────────────────────────────────────────┤
│ Layer 1: KERNEL   meta-rules, Arts 0–IX      │  kernel/constitution.md
├──────────────────────────────────────────────┤
│ Layer 0: INVARIANTS   INV-1…6 (Article IV)   │  entrenched; fork to change
└──────────────────────────────────────────────┘
```

**Supremacy order (Article 0):** Invariants > Kernel > Modules > Instance config > Ordinary decisions. A conflict is resolved in favor of the higher layer; a lower-layer provision in conflict is void *to the extent of the conflict* (severability, so one bad clause doesn't nuke a module).

**Parameter discipline:** every kernel parameter has: an identifier (`param..`), a type, a **kernel-defined legal range**, a default, and an override level (which layer may set it). Userland can never move a parameter outside its kernel range. This single mechanism is how the kernel stays small: wherever the comparative research showed legitimate variation (quorum levels, voting windows, fork asset treatment), we ship a bounded parameter instead of a rule.

## 3. Governance semver (Article IX)

| Tier | What changes | Threshold (votes cast) | Quorum (of active members) | Review window | Maps to |
|---|---|---|---|---|---|
| **PATCH** x.y.Z | Wording clarification; no behavior change (must pass equivalence review by Interpreters) | > 1/2 | `param.vote.quorum_patch` (default 10%, range 5–25%) | ≥ `param.time.review_patch` (default 7d, floor 3d) | M1 |
| **MINOR** x.Y.0 | Backwards-compatible kernel addition; parameter default/range change within meta-bounds | ≥ 3/5 | default 20%, range 10–40% | default 14d, floor 7d | M1, F7 |
| **MAJOR** X.0.0 | Kernel-breaking change: alters thresholds' meta-bounds, articles' obligations, roles' powers | ≥ 2/3 | default 30%, range 20–50% | default 28d, floor 14d | M1, M4 |
| **INVARIANT** | Any change to Article IV or to this tier table's existence | *no threshold offered* — lawful path is Article VII fork | — | — | M5, F3 |

Rationale for "no threshold" at the top tier: every historical eternity-clause-with-an-escape-hatch became the escape hatch (synthesis M5). The honest design is: if you need different invariants, you are founding a different polity, and Article VII makes that lawful and non-punitive.

Module-tier changes (userland) default to >1/2 with module-declared quorum within kernel bounds; modules may raise their own bars, never lower kernel floors.

## 4. Article map and per-article design rationale

| Art. | Title | Core content | Primary counters |
|---|---|---|---|
| 0 | Definitions & Supremacy | Defined terms; layer supremacy; severability; canonical-text rule (hash of ratified text is authoritative) | F1 |
| I | Membership & Suffrage | Member lifecycle (admission → active/inactive → exit/removal); *active member* defined mechanically; one-member-one-vote at kernel tier | F5, F6 |
| II | Proposals & the Amendment Pipeline | Proposal format; single-subject rule (anti-bundling); sponsorship; freeze point; mandatory consideration (no pocket veto); deadline-default outcomes | F1, F2, F8 |
| III | Voting, Quorum & Thresholds | Tier table; activity-scaled quorum; anti-boycott step-down re-vote; pre-publication snapshot of the voter roll; ballot secrecy parameter | F2, F5, F8 |
| IV | Invariants | INV-1…6, normative text; non-derogability; mechanical-check hooks | F9, F10, F11 |
| V | Interpretation | Interpreter panel: sortition from active members + confirmation vote; staggered terms; written reasoning; recusal; override only by amendment at the tier of the text interpreted | F1, F4 |
| VI | Emergency Powers | Enumerated emergency actions only; declaration threshold; auto-sunset with escalating renewal; kernel/invariants untouchable; mandatory post-mortem → regression test | F3 |
| VII | Exit & Fork | Individual exit without sanction; recognized-fork trigger (dissent threshold); continuous exportability of text+ledger; bounded asset treatment | F9 |
| VIII | Transparency & the Ledger | Append-only public ledger; enumerated event types; **validity rule**: unrecorded acts are void; live metrics (participation, amendment latency — the cadence counter) | F11, F12, F6 |
| IX | Versioning, Ratification & Bootstrap | Semver tiers; adoption/ratification of an instance; periodic review trigger; **bootstrap clause** (enumerated, sunsetting founder powers) | F7, F12 |

Numbering note: Article 0 is deliberate — definitions are infrastructure, and starting at 0 signals that this document expects to be read by both humans and programs.

## 5. Roles defined by the kernel

The kernel defines exactly three roles; userland may define more (all inherit the term-limit and recall requirements, per M11/F12):

1. **Secretary** — operates the pipeline mechanics: records ledger events, runs vote tallies, certifies quorum. *Zero discretion by design*: every Secretary action is a deterministic function of the rules and the ledger, so the role can be (and is intended to be) performed by software with a human fallback. Term: `param.role.secretary_term`.
2. **Interpreters** — panel of `param.role.interpreter_count` (default 3, range 1–9, must be odd) resolving disputes about meaning. Sortition + confirmation, staggered terms, written reasoning (Article V).
3. **Emergency Steward(s)** — exist only while a declared emergency is live; powers enumerated by the declaration from the Article VI menu; dissolve at sunset.

There is deliberately no executive. The kernel governs rule-making, not operations; operational leadership is a userland module if an instance wants one.

## 6. Decision log — chosen vs. rejected alternatives

| Decision | Chosen | Rejected | Why |
|---|---|---|---|
| Kernel-tier vote weighting | One member, one vote (INV-4) | Token/stake weighting; quadratic voting; reputation weighting | Stake-weighting reproduces F5 at the constitutional layer. Quadratic voting needs collusion-resistant identity we don't have and isn't convergent across traditions. Userland may weight *substantive* votes. |
| Delegation (liquid democracy) | Not in kernel; permitted as a userland voting module for module-tier votes only | Kernel-level liquid democracy | Delegate-cartel evidence (synthesis F5); kernel-tier decisions are rare enough that direct voting is affordable. |
| Interpreter selection | Sortition from actives + confirmation vote, staggered terms | Election; appointment by proposer-of-the-constitution; external arbiter | Pure election reproduces court-capture campaigns (F4); appointment is F12; sortition gives capture-resistance, confirmation gives consent. |
| Invariant amendment | Impossible in-place; fork instead | 90%+ supermajority path | Every escape hatch becomes the attack (M5/F3). Fork-with-rights is the honest pressure valve. |
| Quorum failure handling | One announced re-vote at stepped-down quorum | Treat as rejection; treat as adjournment sine die | Pure rejection rewards boycott (F2a); unlimited re-votes reward attrition. One pre-announced step removes the boycott payoff while keeping a floor. |
| Emergency model | Enumerated-menu, auto-sunset, escalating renewal | General necessity clause; no emergency powers at all | General clauses are the Weimar ratchet (F3); "no powers" forces rule-breaking under stress (F8). |
| Text authority | Hash-pinned canonical markdown per ratified version | "Living document" prose authority | F1/F11: there must be exactly one answer to "what text is in force." |

## 7. Testing interfaces reserved (for later milestones)

- **Ledger event types** (Article VIII §8.2) are the test suite's I/O alphabet: `member.admit`, `member.exit`, `member.sanction`, `proposal.open`, `proposal.freeze`, `vote.cast`, `vote.certify`, `interpretation.publish`, `emergency.declare`, `emergency.renew`, `emergency.sunset`, `fork.notice`, `fork.settle`, `release.tag`, `treasury.move` (dogfooding).
- **CT- families** (synthesis Part III) bind to articles via the annotations; each annotation's "Attack surface" block is a test-authoring checklist.
- **Metrics** (Article VIII §8.4): amendment latency (the cadence counter), participation rate, quorum margin, sanction rate, and the **empathy metric harness point** — every simulated scenario must expose a worst-off-member trace.

## 8. Standing tensions carried into v0.1 (from synthesis Part IV)

1. **Threshold calibration** — defaults in §3 are reasoned guesses pending the Incumbent Benchmark; they are MINOR-amendable within MAJOR-amendable bounds, by design.
2. **Sybil/membership boundary** — bounded but unsolved; flagged in Article I annotations; the family config sidesteps it (closed roster), the DAO config documents its chosen mitigation and residual risk.
3. **Mechanical vs. interpretive enforcement** — division annotated per article; Interpreters are the backstop for everything CI can't see.
4. **Fork-with-assets calibration** — bounds in Article VII; adversarial self-play milestone owns the tuning.
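
The parameter discipline of §2 can be checked mechanically. The sketch below is an added example, not the project's schema or validator: it resolves a set of overrides against the kernel ranges quoted in §3 and §5 and fails closed, keeping the kernel default for any override it rejects. The override levels, the layer ordering used for them, and the sample override sets are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Layers that may carry overrides, lowest first (section 2).
# ASSUMPTION: a parameter's override level is the lowest layer allowed to set it.
LAYERS = ("instance", "module", "kernel")

@dataclass(frozen=True)
class Param:
    default: int
    lo: int
    hi: Optional[int]          # None: the page states a floor only
    override: str              # lowest layer allowed to set the parameter
    odd_only: bool = False

# Defaults and ranges are the ones quoted in sections 3 and 5.
# ASSUMPTION: the override levels below are illustrative; the page lists none.
KERNEL = {
    "param.vote.quorum_patch":      Param(10, 5, 25, "instance"),    # percent
    "param.time.review_patch":      Param(7, 3, None, "instance"),   # days
    "param.role.interpreter_count": Param(3, 1, 9, "module", odd_only=True),
}

def resolve(overrides: dict, layer: str):
    """Return (effective_params, violations) for overrides set by `layer`."""
    effective = {key: spec.default for key, spec in KERNEL.items()}
    violations = []
    for key, value in overrides.items():
        spec = KERNEL.get(key)
        if spec is None:
            violations.append(f"{key}: not a kernel parameter")
        elif LAYERS.index(layer) < LAYERS.index(spec.override):
            violations.append(f"{key}: layer '{layer}' may not set it")
        elif type(value) is not int:        # also rejects bool, float, str
            violations.append(f"{key}: expected integer, got {type(value).__name__}")
        elif value < spec.lo or (spec.hi is not None and value > spec.hi):
            violations.append(f"{key}: {value} is outside the kernel range")
        elif spec.odd_only and value % 2 == 0:
            violations.append(f"{key}: {value} must be odd")
        else:
            effective[key] = value
    return effective, violations

# Constructed sample override sets (not the project's example configs).
FAMILY = {"param.vote.quorum_patch": 25, "param.time.review_patch": 3}
HOSTILE = {"param.vote.quorum_patch": 2, "param.role.interpreter_count": 4,
           "param.time.review_patch": True, "param.vote.unknown_key": 1}
```

`resolve(FAMILY, "instance")` accepts both boundary values; every entry in `HOSTILE` is rejected and the effective parameters stay at the kernel defaults.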