# Annotated Edition, Part 1 — Preamble and Articles I–V **Applies to:** Constitution v0.1.0 (`kernel/constitution.md`) **Standing of this document:** Under §IX.1(b), these annotations are the second authority for interpretation, after plain text and before precedent. They are amendable text; a change to an annotation that would change the outcome of any case is classified at the class of the article it annotates (§V.2). Each clause is annotated under three headings: - **Intent** — what the clause is for, and what failure in an existing system it answers (cross-references to `docs/research/comparative/`). - **Attack surface** — the known ways a bad-faith actor playing within the rules could abuse, evade, or weaponize the clause. These map one-to-one to scenarios the test suite must cover. - **Parameterization** — what a polity may tune, what it may not, and why the floors/ceilings sit where they do. --- ## Preamble **Intent.** The preamble is non-operative: it grants no power and creates no right, and §IX.1 means it cannot be used to override text. It exists to fix interpretive posture — "optimism in the defaults, paranoia in the tests" — so that future readers resolve genuine ambiguity in that spirit rather than reconstructing intent from folklore. **Attack surface.** Preambles in national constitutions have been used as smuggling routes: courts reading substantive obligations out of aspirational language (India's basic-structure jurisprudence began partly this way, to good and ill effect). §IX.1's explicit ordering closes that route: the preamble is below even precedent, because it is not "released text" creating rules. **Parameterization.** None. A polity may write its own preamble in its genesis entry; it has the same non-operative standing. --- ## Article I — Scope, Supremacy, and Definitions ### §I.1 — Kernel scope **Intent.** The single most consistent finding of the comparative survey (`03-synthesis.md`) is that constitutions die from scope creep: substantive policy entrenched at constitutional level becomes unamendable policy (the US Senate's equal-suffrage clause; Brazil's 250-article constitution amended 100+ times because everything is constitutional). The kernel holds only meta-rules so that almost all change is cheap, userland change. **Attack surface.** *Definitional gerrymandering* — recasting a substantive rule as a "meta-rule" to entrench it ("the rule about who may propose budget rules" is meta in form, substantive in effect). The test suite must include classification challenges; §I.3 gives reviewers a rejection power, and §V.2 + §IX.4 resolve contests toward the higher class — which here means rejection from the kernel, the more protective outcome for future amendability. **Parameterization.** None. The kernel/userland boundary is itself kernel. ### §I.2 — Supremacy **Intent.** A conflict-of-laws rule must exist before the first conflict, not be improvised during it (the US Articles of Confederation lacked one; *Marbury* had to invent one). Order: invariants > kernel > modules. "Void from the moment the conflict arises" means a module valid at adoption can become void later — e.g., when a kernel MAJOR release changes what it conflicts with — without requiring anyone to act. **Attack surface.** *Void-by-assertion*: a faction declares an inconvenient module "in conflict with the kernel" and treats it as void without adjudication. Defense: §X.2 requires the claimed conflict to be cited in a ledger entry, and any contested voidness is an Article IX dispute; until resolved, §IX.4 protects whichever reading is more protective of persons. The converse attack — ratifying a knowingly-conflicting amendment and daring anyone to challenge it — is the Hungarian 2010–13 pattern; the test gate (§III.3) is the structural answer: conflict detection happens *before* ratification. **Parameterization.** None. ### §I.3 — Minimality **Intent.** §I.1 states the principle; §I.3 gives it teeth at a specific pipeline stage (review), so that scope creep is stopped cheaply and early rather than litigated after ratification. **Attack surface.** *Reviewer capture* — a faction controlling review uses "out of order" rulings to kill kernel amendments it dislikes by mislabeling them substantive. Defense: an out-of-order ruling is contestable under Article IX like any classification dispute (§V.2), and adjudicators are sortition-selected by default (§IX.2), not the reviewers themselves. **Parameterization.** None. ### §I.4 — Definitions **Intent.** Every term that appears in a threshold or quorum computation must be mechanically decidable, because the test suite computes with them. *Citizen* is deliberately "natural person": it makes Sybil attacks a matter of identity fraud rather than a permitted strategy, and it is what makes §II.1's one-person-one-vote meaningful. *Epoch* exists so that time-based floors ("2 epochs") scale with the polity: a family's epoch might be a week; a large polity's, a quarter. **Attack surface.** *Epoch manipulation* — since many floors and ceilings are denominated in epochs, changing `epoch.length` changes real-time durations everywhere at once (shrink the epoch and emergency ceilings shrink too, but so do review windows and cooldowns). Changing `epoch.length` is a parameter change; parameters that alter the real-time value of kernel floors must be classified K-major under §V.1's "alters any floor" language — the annotations here fix that reading explicitly. Tests must cover an attempted epoch-shrink immediately before a contentious proposal. **Parameterization.** `epoch.length` (floor 1 day, ceiling 1 year). The floor prevents degenerate sub-day epochs that would make "2 epochs" of review meaningless; the ceiling prevents a faction freezing governance by declaring a decade-long epoch. ### §I.5 — Parameters **Intent.** Parameterization is how one kernel serves a family and a DAO (see `spec/userland-module-spec.md`). Floors/ceilings are the kernel's promise: no configuration, however eccentric, can configure away the protections. Making floor changes K-major (3/4 + 50% quorum) prices that escape hatch correctly. **Attack surface.** *Default drift* — defaults are the most-used values (almost nobody changes defaults; see the survey's finding on Apache's lazy consensus operating as de facto law). A hostile default change reaches every polity that didn't explicitly set the parameter. Therefore default changes are kernel text changes (at minimum K-minor; K-major if the new default would have been unreachable under the old floor/ceiling). *Out-of-range configs*: the module spec's schema validation (`spec/module.schema.json`) must reject any genesis or amendment that sets a parameter outside its range — this is a mandatory, non-amendable test-suite check. **Parameterization.** This section defines the parameter mechanism; it is not itself parameterizable. --- ## Article II — Citizenship and Suffrage ### §II.1 — One person, one vote **Intent.** The project's central wager, stated as law. Every plutocratic capture in the survey — token-weighted DAO votes where one whale outvotes ten thousand holders (the 2022 Solend incident class; Curve-style vote-buying markets), shareholder primacy, cash-for-influence in legislatures — routes through capital-weighted voice. The kernel removes the route entirely *for kernel matters*: the rules about rules are decided per-person. Userland modules may still use other schemes for their own internal decisions (a DAO module may weight a treasury-allocation poll by stake), because §II.1 binds "kernel matters"; but the module itself was adopted, and can be removed, by one-person-one-vote. **Attack surface.** (1) *Sybil attacks* — if one person can hold many citizenships, 1p1v becomes 1-purse-N-votes. The kernel deliberately does not prescribe an identity mechanism (that is configuration, §II.2), but the test suite must stress every admission config against simulated Sybil floods. (2) *Indirect weighting* — formal 1p1v with capital-gated *admission* ("citizenship costs 10 ETH") reconstructs plutocracy one layer down. §II.2's uniformity floor does not forbid paid admission (a co-op buy-in is legitimate and the survey shows it works at Mondragón), but the dues amount is visible configuration and the worst-off-floor tests (§VI.1(f)) grade scenarios where the price excludes the poorest affected participant. (3) *Vote-buying* — 1p1v with secret purchasable ballots. §IV.5's public-by-default kernel votes make bought votes verifiable by the buyer but also visible to everyone, which raises the social cost; the residual risk is acknowledged, not solved, and is a standing red-team objective. **Parameterization.** Explicitly none. This is the only suffrage rule in the survey set that no examined system maintained under stress without an explicit entrenchment, so it is entrenched. ### §II.2 — Admission **Intent.** Who gets in is the most context-dependent rule in governance — a family admits by birth and marriage, Debian by keysigned vouching and skills, a co-op by dues — so it is a parameter. The floors (pre-published, uniform, ledgered with criterion cited) are the anti-corruption minimum: they make selective admission *visible* even where they cannot make it impossible. **Attack surface.** (1) *Packing* — admitting a flood of aligned new citizens just before a contested vote (the governance equivalent of court packing; also the classic hostile-takeover move in token DAOs via flash-loaned voting power). Partial defenses already in the kernel: §IV.4 freezes the voter roll at vote opening, and §III.6's effect delay means admission-rule changes can't apply to votes underway. The residual attack — pack early, wait out the delay — is real, and the recommended userland mitigation is an admission rate-limit or probationary period, which the example configs both use. (2) *Criteria laundering* — facially uniform criteria designed to select a faction ("must have attended events X, Y, Z"). The ledger trail (decision + criterion) is the audit surface; pattern detection is a test-suite job, not a kernel rule. **Parameterization.** `citizenship.admission`: free-form criteria object per the module spec, subject to the three floors. Floors not parameterizable. ### §II.3 — Security of citizenship **Intent.** Disenfranchisement is the universal first move of entrenchment (the survey's national set: purges of voter rolls; the DAO set: blacklisting addresses before a vote). Three locks: process-defined-in-advance (no bills of attainder), notice-and-hearing, and the two timing rules — no changing eligibility for an open vote, and no vote that strips the voting rights of the people voting on it. The last closes the bootstrap exploit where a bare majority votes the minority out of the electorate and then "legitimately" wins everything after. **Attack surface.** (1) *Serial expulsion* — expel opponents one at a time, each by a vote in which the target alone is ineligible to matter. The clause's text blocks altering eligibility *by the same vote*, but a sequence of votes is formally compliant. Tests must include the salami-slicing scenario; the expected defense is the worst-off-floor gate (§VI.1(f)) flagging the pattern, plus userland expulsion rules with high thresholds (both example configs require supermajority + adjudication for removal). (2) *Constructive expulsion* — not revoking citizenship but making participation impossible (scheduling, language, fees). Kernel can't enumerate these; they are standing red-team objectives. **Parameterization.** The revocation *process* is userland (a family and a DAO will differ radically); the three locks are floors and not parameterizable. ### §II.4 — Dormancy **Intent.** Quorum rules die in two ways (survey, `03-synthesis.md`): denominators inflated by ghosts make quorum unreachable (governance freezes — the chronic DAO failure), or quorum is set trivially low (a tiny faction governs — early Compound proposals passing with <1% participation). Dormancy keeps the denominator honest without disenfranchising anyone: a dormant citizen has lost nothing but their drag on the denominator, and reactivation is unilateral and immediate-for-future-votes. **Attack surface.** (1) *Dormancy gerrymandering* — marking opponents dormant on a pretext right before a vote to shrink the denominator *and* sideline them. Defenses: dormancy follows mechanically from the inactivity period (a parameter, visible in config), changes are ledgered (§X.1), and reactivation is unilateral, so the harm is bounded at one vote's notice. The "effective for votes opening thereafter" timing prevents the reverse attack — a coordinated mass reactivation in the middle of an open vote to retroactively break its quorum. (2) *Dormancy farming* — keeping a reserve army of nominally-dormant allies who reactivate en masse before key votes. This is legal and visible on the ledger; the test suite should measure how much swing it enables under each example config. **Parameterization.** `citizenship.dormancy_period`, floor 2 epochs (a single missed epoch must never cost quorum status — vacations exist), default 4. ### §II.5 — Delegation **Intent.** Liquid democracy, bounded. The survey shows pure direct democracy fails on attention (most citizens cannot review most proposals) and pure representation fails on accountability (principal–agent drift, measured in years between elections). Revocable-anytime delegation gets representation with continuous accountability. The depth and carry caps exist because of the documented failure in early liquid-democracy deployments (the German Pirate Party's LiquidFeedback era): delegation concentrates power-law-fashion into a few super-delegates, recreating an unelected legislature. **Attack surface.** (1) *Super-delegate emergence* — capped by `delegation_cap`; the ceiling (5% or 5 votes) means even a maximally successful delegate is one voice among at least twenty. (2) *Delegation chains as obfuscation* — A→B→C hides from A who actually casts their vote; depth ceiling 3, default 1, and the ledger records the resolved chain. (3) *Coerced delegation* — an employer or abuser compels delegation; revocable-at-any-moment (including mid-vote) is the kernel-level mitigation, and §IV.5's per-citizen public record cuts both ways here, which is exactly why userland `voting.secrecy` exists for non-kernel votes. **Parameterization.** `suffrage.delegation_depth` (0–3; a polity may set 0 to forbid delegation entirely — the family example does), `suffrage.delegation_cap` (ceiling as stated; the "or 5 votes" branch keeps delegation usable in polities of fewer than 100). --- ## Article III — Proposals and Amendment ### §III.1 — Standing **Intent.** Universal standing — any citizen, no gatekeeper — is the direct answer to the incumbent's pathology in the project brief: a 203-year amendment latency caused partly by proposal monopolies (only Congress or a never-used convention may propose Article V amendments). "Precise diff" makes proposals testable: the test gate cannot run against vibes. **Attack surface.** *Proposal spam* — flooding the pipeline to exhaust reviewer attention (the open-source survey's recurring DoS: drive-by RFC floods). Defenses: the cooldown (§III.5) for repeats; for raw volume, the kernel deliberately does *not* add a proposal fee or sponsor requirement (both are capture vectors — a fee reconstructs capital-weighting, sponsorship reconstructs gatekeeping), leaving spam handling to userland prioritization modules, which can rank but never block a proposal from eventually entering review. **Parameterization.** None on standing itself. Userland may add prioritization, not gatekeeping. ### §III.2 — Pipeline **Intent.** The amendment pipeline as CI: publish → review → test → vote → release, every stage ledgered, no stage skippable. "Including by unanimous consent" is deliberate and learned from legislative practice, where unanimous-consent fast-tracking became the loophole that swallows deliberation: in a low-attention moment, "unanimous" means "the three people watching." **Attack surface.** (1) *Review-window flooding* — opening many proposals at once so each gets a fraction of attention; window floors guarantee minimum calendar time but not attention; userland scheduling modules (both examples cap concurrent open proposals) are the mitigation. (2) *Stage-gaming the clock* — opening kernel proposals before predictable low-attention periods (holidays). Visible on the ledger; a standing test scenario measures threshold-passing rates by calendar position under simulated attention models. **Parameterization.** `amendment.review_window` with split floors (3d userland / 14d kernel). The kernel floor is two weeks because the survey's open-source set converged on 1–2 weeks as the minimum for genuinely distributed review (Debian GR discussion periods, Python PEP review norms). ### §III.3 — Test gate **Intent.** The project's core mechanism: adversarial scenarios run against proposed text, failures block ratification. The self-reference rules are the critical part. The test suite must be amendable (tests encode judgment, and judgment improves), but through the same pipeline — and the one-proposal rule (cannot change a test and the text it guards together) prevents the canonical self-dealing move: "amendment #1 weakens the treasury-drain test *and* adds the treasury-drain power, as a package." **Attack surface.** (1) *Two-step gate erosion* — pass the test-weakening amendment this epoch, the power-grab next epoch. The cooldown doesn't apply (they're different proposals), so the defense is procedural friction (each step is its own full pipeline with its own review window and effect delay — minimum two epochs of public runway) plus a mandatory meta-test: the test suite must include tests *about* the test suite's coverage, so removing the treasury-drain test itself fails a test. (2) *Gate oracle ambiguity* — disputes about whether a test "really" failed; test results are ledgered artifacts, reproducible by any citizen, and disputes are Article IX matters resolved before the vote opens. **Parameterization.** None. A polity may *add* tests in userland; it may not remove the kernel suite or the gate. ### §III.4 — Atomicity **Intent.** The single-subject rule, imported from the ~40 US state constitutions that adopted it precisely because the federal document lacks it. Omnibus bundling is the highest-frequency exploit in the legislative survey set: attach the unpopular rider to the must-pass vehicle. Atomicity makes every provision face the electorate alone. **Attack surface.** (1) *Salami slicing* — the inverse abuse: splitting one coherent reform into pieces so opponents can kill the load-bearing piece and leave a broken remainder. Mitigation: a proposal may declare explicit dependencies ("effective only if proposal #N also ratifies"), which preserves atomicity of voting while allowing coherent packages — this is the sanctioned bundling mechanism, and it is transparent. (2) *Weaponized omnibus rulings* — using split-demands to delay; resolved before the vote under Article IX, and a frivolous-contest pattern is itself ledger-visible. **Parameterization.** `amendment.atomicity` is intentionally *not* a parameter in v0.1; the rule plus the dependency mechanism is uniform. (Flagged in `kernel-design.md` as a candidate for parameterization in v0.2 if the dependency mechanism proves insufficient for large polities.) ### §III.5 — Cooldown **Intent.** Anti-grinding. The survey's referendum pathologies include "vote until you vote correctly" (repeat referenda after narrow losses) and proposal-fatigue suppression (exhaust opponents by re-raising endlessly). The escape clauses matter: new test results or ledgered changed circumstances reopen the question, because the cooldown must slow grinding, not freeze learning. **Attack surface.** (1) *Cosmetic mutation* — resubmitting with trivial edits to dodge "substantively identical." This is a classification question (Article IX), and §IX.4 cuts toward protection: where genuinely ambiguous, the proposal that would re-litigate a fresh rejection is the exercise of power, read narrowly — cooldown applies. (2) *Cooldown squatting* — deliberately proposing a *weak* version of an idea you oppose, losing, and claiming the cooldown blocks the strong version. The "substantively identical" standard plus adversarial review is the defense; tests must include a squatting scenario. **Parameterization.** `amendment.cooldown`, floor 1 epoch, default 2. ### §III.6 — Effect delay **Intent.** Two distinct protections. The delay itself is the 27th Amendment's own logic (congressional pay raises take effect only after an intervening election) generalized: the people who pass a rule should feel its passage before it operates, and affected parties get adaptation time. The second sentence — no changing the rules of a process underway — is the anti-moving-goalposts rule, sourced from the most damaging incidents in the survey: mid-election rule changes, mid-dispute forum changes, and §VII.4's fork-partition lock is a specific instance of the same principle. **Attack surface.** (1) *Delay as damage* — for genuinely urgent fixes, the floor delay is a cost; that is what Article VIII exists for, and its untouchables list (no amending under emergency) means the answer to "we need this rule *now*" is always "you need an emergency *action*, not an emergency *rule*" — bounded, expiring, post-mortemed. (2) *Process-laundering* — declaring a sham "process underway" to immunize the status quo against an incoming amendment ("we opened a dispute about the treasury, so treasury rules are frozen"). The freeze covers only *the rules of* that process for *that instance*, not the subject matter generally; annotation fixes this narrow reading. **Parameterization.** `amendment.effect_delay`, split floors (1 day userland / 1 epoch kernel). No ceiling: a polity may choose very long runways; the floor is the protection. --- ## Article IV — Quorum, Thresholds, and Voting ### §IV.1 — Change classes and thresholds **Intent.** Semver thresholds: the more a change can break, the more consent it needs. The ladder (>1/2, 3/5, 2/3, 3/4) is drawn from the survey's stability data: 2/3 is the modal national amendment threshold; 3/4 mirrors the US ratification bar but applies per-citizen rather than per-state, removing the malapportionment that lets 4% of the US population block any amendment. Class V's extra-long review window exists because invariant-strengthening is the one irreversible act in the system (§VI.2) — even good entrenchment deserves maximal deliberation. **Attack surface.** (1) *Class shopping* — declaring K-major work as K-minor or userland to lower the bar; answered by §V.2 (anyone may contest; higher class applies while contested). (2) *Threshold arithmetic games* — abstention semantics are fixed in §IV.3 precisely because "2/3 of those voting" vs "2/3 of those present" vs "2/3 of eligible" has decided real constitutional crises (the survey notes ratification-rule ambiguities in several national cases). The kernel picks one formula and writes it down. (3) *Supermajority as minority veto* — the known cost of high thresholds: 26% can freeze the kernel. Accepted deliberately: kernel freeze is recoverable by fork (Article VII); kernel capture is not recoverable at all. **Parameterization.** Only `threshold.userland_major` (floor 3/5). Kernel-class thresholds are floors in kernel text; raising them is K-major; lowering them below floors impossible without fork. ### §IV.2 — Quorum **Intent.** Quorum floors scale with stakes, and the denominator (active citizens, per §II.4) is kept honest by dormancy. "Fails without prejudice" — no cooldown on quorum failure — distinguishes "the polity said no" from "the polity wasn't listening"; conflating them (as several DAO frameworks do) lets opponents kill proposals by organized abstention and then invoke the cooldown. **Attack surface.** (1) *Quorum denial* — coordinated non-voting to prevent quorum. §IV.3 makes this strictly harder than voting no for anyone who shows up (abstentions count toward quorum), so denial requires total absence, which is visible and costly to sustain. (2) *Quorum ambush* — scheduling votes when opponents are predictably absent; mitigated by the voting-window floor (§IV.4) and ledger announcement at opening; residual risk covered by the calendar-attack test scenario from §III.2's annotation. **Parameterization.** `quorum.p` only (floor 10%). Kernel-class quorums are fixed floors. ### §IV.3 — Counting **Intent.** One sentence each for the two questions that have broken real votes: do abstentions count toward quorum (yes — showing up to say "I defer" is participation) and toward the threshold (no — abstention must not be conscripted as a "no," or quorum participation becomes self-defeating). Formula stated as arithmetic so the test suite can compute it. **Attack surface.** *Strategic abstention* is now a coherent, bounded strategy: an abstainer helps a vote reach quorum while not affecting its ratio. This is intended — it gives the ambivalent a real option — and its worst case (abstainers carry a tiny yes-bloc over quorum) is bounded by the threshold still requiring its ratio among actual yes/no votes. **Parameterization.** None. Counting rules must be uniform or results are not comparable across polities and the shared test suite cannot grade them. ### §IV.4 — Voting window **Intent.** Minimum window (anti-snap-vote), ledger announcement at opening (no stealth votes), roll frozen at opening (the packing defense from §II.2's annotation, and the determinacy requirement: quorum must be computable at open). **Attack surface.** *Roll-freeze timing* — admitting allies the hour before opening. The freeze plus §III.6 (admission-rule changes can't touch open processes) bounds this to "pack with long lead time under publicly visible admission criteria," which is the best a meta-rule can do; rate-limits are the userland answer (both example configs). **Parameterization.** `voting.window`, floor 3 days, default 7. No ceiling; a polity wanting month-long votes may have them. ### §IV.5 — Publicity of votes **Intent.** Kernel votes are public per-citizen because rule-making is the one act where accountability outweighs ballot privacy — this is Debian's GR model and the practice of every legislature for final passage votes (roll-call). Userland votes default public but may go secret *only with* citizen-verifiable tallying, because the survey's worst tally disputes share one feature: a counting process the loser couldn't audit. **Attack surface.** (1) *Coercion via publicity* — public kernel ballots expose citizens to pressure from employers, family, or factions; this is the genuine cost of the Debian model and the reason the secrecy option exists one layer down. The kernel accepts the cost for kernel votes on the argument that rule-making under pseudonymous or small-polity conditions tilts the balance toward auditability; `ledger.privacy` (§X.3) can shield citizen *identities* behind stable pseudonyms where the polity configures it, preserving per-citizen auditability without legal-name exposure. (2) *Fake verifiability* — "secret" userland votes with a verification method only insiders can run. Floor: the method must be runnable by *any citizen*; a method requiring privileged access fails the floor and the vote is invalid. **Parameterization.** `voting.secrecy` (userland votes only). Kernel-vote publicity not parameterizable. --- ## Article V — Versioning and Compatibility ### §V.1 — Semantic versioning **Intent.** Semver for governance, with the breaking/compatible line drawn at the only place it can be objective: does it break declared module compatibility, or move any number that protections depend on (floors, ceilings, thresholds, quorums, invariants)? PATCH exists so typo fixes don't need 3/4 supermajorities — but "changes no outcome" is the test, and the test gate can verify it mechanically (run the suite against both texts; identical results required). **Attack surface.** *Patch smuggling* — semantic changes disguised as corrections ("fixing" a word that alters scope). Defense: the mechanical PATCH check above, plus §V.2 contestability. The annotation fixes the burden: a contested PATCH must *demonstrate* outcome-identity under the full suite or be reclassified. **Parameterization.** None. ### §V.2 — Classification **Intent.** Who decides what class a change is, is itself a power — the survey's judicial-capture cases are mostly classification capture (courts deciding what counts as an "amendment" vs a "revision," as in California's revision doctrine, or what is a "constitutional" matter at all). The kernel distributes it: proposer declares, anyone contests, sortition panel resolves, and the tie-break (higher class while contested) makes obstruction cost the obstructor nothing but gains them nothing either — the proposal still proceeds, just at the safer bar. **Attack surface.** *Contest spam* — contesting every classification to force everything to K-major. Bounded: a contest is resolved before the vote opens (it delays, not blocks), panels are fresh-sortitioned (capture-resistant), and serial frivolous contests are ledger-visible patterns a userland conduct module can address. **Parameterization.** None. ### §V.3 — Canonical text **Intent.** There must be exactly one answer to "what is the constitution right now," and it must be mechanically resolvable (latest signed tag on the ledger). The survey's "constitutional moment" pathologies — competing texts, disputed promulgations, two bodies each claiming legitimacy (Honduras 2009, Venezuela's parallel assemblies) — are at root canonical-text failures. **Attack surface.** *Ledger forks as constitutional forks* — if the ledger itself splits, "latest signed tag" has two answers. This is by design *not* an error state: it is an Article VII fork happening at the infrastructure layer, and §VII.6's continuity parameter decides which branch carries the name. The failure mode this clause kills is the *covert* version dispute; an overt split is a fork with all of Article VII's protections. **Parameterization.** None. ### §V.4 — Module compatibility **Intent.** What happens to userland when the kernel majorly changes — the question every national constitution answers badly (statutes of uncertain validity persisting for decades after constitutional change). Safe mode is the kernel's most opinionated invention: suspension is *asymmetric*. Powers granted by a stale module stop; protections it gives persons continue. A stale treasury module can't spend; a stale anti-harassment module still protects. **Attack surface.** (1) *Weaponized incompatibility* — passing a kernel MAJOR specifically to safe-mode an opponent's module (e.g., the oversight module). The grace period plus the fact that the MAJOR itself needed 3/4 + 50% quorum prices this attack at "you already won overwhelming consent"; the residual scenario (supermajority uses MAJOR churn to harass a minority's protective modules — but protections *survive* safe mode by design) is a mandatory test. (2) *Power/protection boundary gaming* — drafting powers to look like protections so they survive safe mode ("the steward's protection of being obeyed"). Classification dispute; §IX.4 reads powers narrowly. **Parameterization.** `versioning.grace`, floor 2 epochs, default 3. --- *Continued in `kernel/annotations-2.md` (Articles VI–X).*