Raid Boss Governance

Anonymous, Apr 14, 2026

Design thesis

A protocol change should be treated like a raid boss.

It begins as a sketch. If automation says the sketch is complete enough to deserve scarce human attention, it enters a ticket queue. If it wins a Boss Ticket, the protocol funds packaging and hostile review because protocol improvement is a public good. Independent reviewers are paid to cover specific attack surfaces. Outsiders retain open kill rights. Temporary cells classify claims under a fixed severity rubric. The proposal must survive five damage bars, including not just exploits but power creep and maintenance burden. It then moves through a staged activation ladder. Temporary human and ecosystem chambers can quarantine or reclassify it. If a kernel conflict stays hot across seasons, the protocol prepares both branches and lets the disagreement resolve as an explicit fork contest.

This is not democracy, not plutocracy, and not committee rule. It is a bounded hostile arena with protocol-funded review, temporary kill rights, and fork readiness.


The machine

1. State machine

Every proposal lives in one of these states: Sketch → Qualified Sketch → Boss Candidate → Live Boss → Cleared / Quarantined / Wiped / Reclassified → Shadownet → Canary → Ready → Activated → Fuse Cleared

  • Emergency path: Night Boss can open directly after exploit validation.
  • Each transition is automatic once the required proofs, thresholds, or time windows are met. No step depends on an unnamed authority.

2. Capacity Governor

Governance cannot outrun monitoring capacity. A Capacity Governor recomputes live-boss capacity each epoch from:

  • audited reviewer throughput,
  • unresolved appeals,
  • emergency load,
  • compiler latency,
  • witness participation,
  • and Governance-Security Buffer runway.

It outputs class-specific slot counts:

  • Kernel: 0 or 1
  • World: 0 to 2
  • Field: 0 to $N$
  • Night Boss: emergency only

If capacity drops, new Boss Tickets stop minting for the affected class.

3. Boss classes

  • Field Boss: Routine fixes, cleanup, low-blast-radius optimizations, non-kernel parameter tuning.
  • World Boss: Major features, fee logic, execution or networking changes, broad ecosystem-impact upgrades.
  • Kernel Boss: Changes to the upgrade route itself, verified-human negative rights, emergency powers, validator-role boundaries, issuance floor, or treasury burn-first rule.
  • Night Boss: Emergency hotfixes for live exploits or imminent catastrophic failure.

How a proposal becomes a Boss Candidate

4. Sketch Lane

Any verified human may submit a Sketch. Each gets:

  • one active Sketch slot,
  • one linked resubmission chain.

A sketch must include:

  • code sketch or interface draft,
  • a short rationale,
  • expected boss class,
  • affected modules,
  • preliminary tests or simulation notes,
  • repo-signing key,
  • payout address.

Sketch Lane is automation-only:

  • completeness checks,
  • duplicate detection,
  • static sanity checks,
  • rough kernel-touch detection,
  • rough complexity estimate,
  • rough blast-radius estimate.

If it fails, it is returned with machine-readable reasons. If it passes, it becomes a Qualified Sketch.

5. Boss Ticket Scheduler

A Boss Ticket is the right to consume human review. Tickets mint once per governance epoch, capped by the Capacity Governor. Qualified Sketches compete by a mixed rule:

  • 50% of tickets go to highest Readiness Score
  • 30% go to oldest qualified sketches
  • 20% go by lottery among all qualified sketches, with 2x weight for first-time proposers

Readiness Score is automatic:

  • package completeness: 25%
  • test/simulation coverage: 25%
  • dependency disclosure quality: 20%
  • blast-radius clarity: 15%
  • resubmission quality delta: 15%

Additional constraints:

  • one live Boss Candidate per proposer cluster
  • one World or Kernel Boss Ticket per proposer cluster per rolling 180 days
  • near-duplicate sketches merge unless explicitly forked as distinct designs

A proposer cluster is defined by the verified-human account, payout address, and repo-signing key. When a sketch wins a Boss Ticket, it becomes a Boss Candidate.
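The 50/30/20 mint together with the one-live-candidate-per-cluster rule can be sketched as follows. This is an added example, not part of the submission; the `Sketch` fields, the metric names, the rounding of lane quotas and the seeded RNG are assumptions, and the 180-day and duplicate-merge rules are not modelled.

```python
import random
from dataclasses import dataclass

# Readiness Score weights from section 5 (metric names are hypothetical).
WEIGHTS = {"package": 0.25, "tests": 0.25, "deps": 0.20, "blast": 0.15, "delta": 0.15}

@dataclass(frozen=True)
class Sketch:
    sid: str
    cluster: str          # proposer cluster id, assumed already resolved
    qualified_epoch: int  # lower means older
    first_time: bool
    metrics: dict         # hypothetical sub-scores, each in [0, 1]

def readiness(s):
    return sum(w * s.metrics[k] for k, w in WEIGHTS.items())

def mint_tickets(sketches, slots, live_clusters, seed):
    """Allocate `slots` tickets 50/30/20 and return the winners per lane."""
    quota = {"readiness": slots * 50 // 100, "age": slots * 30 // 100}
    quota["lottery"] = slots - sum(quota.values())  # assumption: remainder goes to lottery
    rng = random.Random(seed)  # assumption: seed comes from a public randomness source
    busy = set(live_clusters)  # one live Boss Candidate per proposer cluster
    pick = {
        "readiness": lambda pool: max(pool, key=lambda s: (readiness(s), -s.qualified_epoch)),
        "age": lambda pool: min(pool, key=lambda s: (s.qualified_epoch, s.sid)),
        "lottery": lambda pool: rng.choices(pool, [2 if s.first_time else 1 for s in pool])[0],
    }
    winners = {lane: [] for lane in quota}
    for lane, n in quota.items():
        for _ in range(n):
            pool = [s for s in sketches if s.cluster not in busy]
            if not pool:
                break
            s = pick[lane](pool)
            winners[lane].append(s.sid)
            busy.add(s.cluster)  # a cluster wins at most one ticket per epoch
    return winners

# Constructed sample: 12 qualified sketches; s10 and s11 share cluster c10.
SAMPLE = [Sketch(f"s{i}", f"c{min(i, 10)}", i, i % 2 == 0,
                 {k: (i * 7 % 11) / 10 for k in WEIGHTS}) for i in range(12)]

if __name__ == "__main__":
    print(mint_tickets(SAMPLE, slots=10, live_clusters={"c3"}, seed=2026))
```

In the sample, s3 has the top Readiness Score but is skipped because its cluster already has a live candidate, and the lottery can never pay both s10 and s11.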


Funding and proposer incentives

6. Governance-Security Buffer

The protocol, not the proposer, carries the fixed cost of honest governance labor. A capped Governance-Security Buffer is funded from protocol revenue before excess reverts automatically to buy-and-burn. It pays for:

  • compiler infrastructure,
  • simulation infrastructure,
  • review coverage contracts,
  • outsider bounty pool,
  • Public Ring and Edge Ring stipends,
  • Sentinel leases,
  • translation and migration packets,
  • appeals,
  • post-activation monitoring,
  • bootstrap drills.

Rule:

  • Target buffer = 24 months of trailing median governance-security spend
  • Hard cap = target + one peak Night Boss year
  • Excess returns automatically to buy-and-burn

7. Proposer economics

The proposer should not be punished for trying to improve the chain in good faith. So the proposer posts only a Truth Bond:

  • low for Field,
  • medium for World,
  • high for Kernel.

It is slashed only for:

  • deliberate misrepresentation,
  • hidden scope expansion,
  • knowingly omitted critical dependencies,
  • abusive resubmission loops,
  • disappearing after consuming live review capacity.

Once a Boss Ticket is granted, the protocol creates a Boss Escrow with:

  • Prep Pool
  • Coverage Pool
  • Bounty Pool
  • Ring Pool
  • Monitoring Pool
  • Ship Reward Pool

Automatic proposer payments:

  • 25% of Prep Pool on full package submission
  • 25% when compiler quorum completes without unresolved omissions
  • 50% when coverage matching completes and the proposer commits to a response calendar

If the boss fails in good faith:

  • un-slashed Truth Bond returns automatically
  • Prep Pool is kept
  • a fixed Postmortem Payment releases if a root-cause report is filed within 7 days

If the boss ships:

  • 30% of Ship Reward at activation
  • 40% after fuse-window close
  • 30% after a 180-day negligence-challenge window

Successful proposers also gain decaying proposer signal, which only modestly lowers future Truth Bond size and modestly improves queue weight.


Live review

8. Compiler quorum

A Boss Candidate becomes a Live Boss only after compiler quorum finishes. The full package must include:

  • exact diff or canonical patch hash,
  • invariant list,
  • rollback target,
  • simulation harness,
  • operator impact note,
  • user migration note,
  • blast-radius summary.

Every World and Kernel Boss must be processed by three independent compiler clients. Field Bosses require two in normal mode and three in bootstrap mode.

Compiler outputs:

  • semantic diff,
  • dependency map,
  • privilege delta,
  • state-growth delta,
  • hardware delta,
  • migration map,
  • coverage matrix,
  • proposed boss class.

If compiler outputs disagree materially, the boss enters Compiler Dispute. A temporary Spec Cell of 7 non-conflicted high-signal reviewers decides within 7 days whether the disagreement is:

  • tooling noise → proceed
  • under-specification → return to Boss Candidate
  • semantic disagreement → reclassify upward or wipe

9. Coverage matrix and reviewer selection

The compiler quorum emits a coverage matrix: affected modules × five bars. The bars are:

  1. Exploit
  2. Liveness
  3. User
  4. Power
  5. Maintenance

Qualification: Anyone can become review-eligible through open gauntlets (drills, simulation tasks, bar-specific tests). Qualification tiers:

  • Tier F: Field
  • Tier W: World
  • Tier K: Kernel shadow-bar
  • Tier N: Night Boss

Matching: A Coverage Matcher fills the matrix under hard rules:

  • each critical cell gets at least 2 independent reviewers
  • each critical Power and Maintenance cell gets at least 3
  • no reviewer covers more than 20% of total weighted risk on one boss
  • no identity cluster covers more than 25%
  • at least 15% of cells go to apprentices paired with higher-tier reviewers
  • at least 25% of total coverage budget is reserved for Power and Maintenance

If critical cells are still unfilled after five escalations, the boss pauses automatically.
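A checker for the Coverage Matcher's hard rules, run over one proposed assignment. This is an added example, not part of the submission; the cell and reviewer record layout is hypothetical, and it assumes "independent" means distinct identity clusters and that a cell's risk weight is split evenly among its reviewers.

```python
from collections import defaultdict

PM = ("Power", "Maintenance")

def check_coverage(cells, reviewers):
    """Return the hard rules a proposed assignment breaks (empty list means valid)."""
    bad, paired, pm_budget = [], 0, 0
    total_risk = sum(c["risk"] for c in cells.values())
    total_budget = sum(c["budget"] for c in cells.values())
    by_reviewer, by_cluster = defaultdict(float), defaultdict(float)
    for (module, bar), c in cells.items():
        # Assumption: "independent" means drawn from distinct identity clusters.
        clusters = {reviewers[r]["cluster"] for r in c["reviewers"]}
        need = 3 if bar in PM else 2
        if c["critical"] and len(clusters) < need:
            bad.append(f"{module}/{bar}: {len(clusters)} independent reviewers, need {need}")
        # Assumption: a cell's risk weight is split evenly among its reviewers.
        for r in c["reviewers"]:
            share = c["risk"] / len(c["reviewers"])
            by_reviewer[r] += share
            by_cluster[reviewers[r]["cluster"]] += share
        # A paired cell holds an apprentice and at least one non-apprentice.
        paired += {reviewers[r]["apprentice"] for r in c["reviewers"]} == {True, False}
        pm_budget += c["budget"] if bar in PM else 0
    bad += [f"reviewer {r}: {s / total_risk:.0%} of risk > 20%"
            for r, s in sorted(by_reviewer.items()) if s / total_risk > 0.20]
    bad += [f"cluster {k}: {s / total_risk:.0%} of risk > 25%"
            for k, s in sorted(by_cluster.items()) if s / total_risk > 0.25]
    if paired / len(cells) < 0.15:
        bad.append("under 15% of cells pair an apprentice with a higher-tier reviewer")
    if pm_budget / total_budget < 0.25:
        bad.append("Power and Maintenance hold under 25% of the coverage budget")
    return bad

# Constructed sample: ana and gus are separate accounts in one identity cluster.
REVIEWERS = {n: {"cluster": c, "apprentice": a} for n, c, a in [
    ("ana", "A", False), ("ben", "B", False), ("cy", "C", False), ("dee", "D", False),
    ("eli", "E", False), ("fay", "F", True), ("gus", "A", False)]}
CELLS = {("sigverify", bar): {"risk": r, "critical": crit, "budget": b, "reviewers": rv}
         for bar, r, crit, b, rv in [
    ("Exploit", 3, True, 30, ["ana", "ben", "cy"]),
    ("Liveness", 2, True, 20, ["dee", "eli"]),
    ("User", 1, False, 10, ["fay", "ben"]),
    ("Power", 2, True, 8, ["ana", "gus", "cy"]),
    ("Maintenance", 2, True, 8, ["dee", "eli", "gus"])]}

if __name__ == "__main__":
    print("\n".join(check_coverage(CELLS, REVIEWERS)))
```

No single reviewer exceeds the 20% cap in the sample, yet cluster A reaches 30% of weighted risk and the Power cell has only two independent clusters, which is the concentration the per-cluster rule exists to catch.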

10. Coverage contracts and Proof-of-Review

Selected reviewers become Coverage Contractors. Each contract pays:

  • 40% on accepted review plan
  • 30% on audited submission
  • 30% after fuse-window close

Each reviewer posts Miss Escrow. Each submission must include Proof-of-Review (surfaces examined, invariants checked, attack hypotheses tested).

11. Assassin Bounties

Outsiders retain open kill rights. Any outsider may file a structured claim through commit-reveal. First complete proof gets the lead premium; materially independent confirmations share a secondary pool.

12. Claim classification

Every revealed claim is routed to a temporary Claim Cell (drawn randomly from non-conflicted reviewers). The Claim Cell classifies by fixed rubric:

  • Minor
  • Moderate
  • Major
  • Catastrophic

Payout logic:

  • 20% of bounty payout on initial Major/Catastrophic classification
  • 80% after the appeal window closes

13. Raid rounds

Live bosses run through three rounds:

  1. Fast Break: Obvious exploit or liveness failures.
  2. Siege: Adversarial testnet, operator scenarios, app breakage.
  3. Shadow Raid: Power creep, maintenance burden, specialization lock-in.

Wipe rules: A boss wipes immediately if any catastrophic claim survives, any major Power/Maintenance claim survives, or two major claims survive anywhere else.


Human and ecosystem veto

14. Public Ring

Heated World Bosses and all Kernel Bosses trigger a Public Ring of 256 randomly drawn verified humans who have posted a civic bond.

  • Powers: allow progression, quarantine, or reclassify as Kernel.
  • Threshold: 55% of returned ballots.

15. Edge Ring

The Edge Ring represents materially affected dependencies (wallets, bridges, validators).

  • Selection: 64 members weighted by measured relevance.
  • Threshold: 60% of returned ballots to quarantine or reclassify.

Conflict heat and forks

16. Twin Heat Thermostat

Every World and Kernel Boss tracks two heats:

  • Human Heat: one alarm ticket per verified human.
  • Edge Heat: commitments from Edge Registry members.

Effects:

  • Sustained Human Heat or combined Human+Edge heat across two seasons triggers a Fork Drill.
  • Fork Drill prepares replay-protected branch packages and state snapshot rules.

Activation ladder

17. Activation ladder

A boss that survives the raid climbs:

  1. Compiler quorum cleared
  2. Coverage complete
  3. Claim and appeal windows closed
  4. Public/Edge Ring windows (if required)
  5. Shadownet
  6. Canary
  7. Validator readiness
  8. Activation
  9. Fuse window
  10. Negligence window close

Transition rules: Validators do not vote on policy; they only attest deployability. Consensus changes require independent verification stacks or implementations.


Emergency path

18. Night Boss and Sentinel Lease

A qualified Sentinel Registry is built from responders who pass drills. A Sentinel Lease is randomly drawn for a short term.

  • Powers: freeze pending activation, revert to last safe release hash, or safe mode.
  • Forbidden: kernel rewrite, treasury allocation, self-extension.

A validated exploit opens a Night Boss directly with compressed review and release windows.


Bootstrap mode and progression

19. Bootstrap mode

The chain starts in Bootstrap Mode.

  • Restrictions: no Kernel Bosses except emergencies; at most one live World Boss; Field/World bosses require 1.5x normal coverage.

20. Exit from bootstrap

Normal mode begins only if conditions (compiler agreement, reviewer count, Sentinel count, Edge Registry diversity, and buffer runway) hold for 90 consecutive days and neither Ring vetoes.

21. Reversion to degraded mode

If any three of the six normal-mode conditions fail for 60 days, the protocol enters Degraded Mode automatically.


Walkthroughs

Ordinary upgrade

A proposer submits a sketch for parallel signature verification. Automation clears it. It becomes a Qualified Sketch. On the next epoch, it wins a Field Boss Ticket under the 50/30/20 scheduler. Boss Escrow is created. The proposer receives the first prep payment after delivering the full package.

Compiler quorum runs and flags Liveness and Maintenance as key bars. Coverage matching fills those cells. One cell underfills, so its pay auto-escalates for 48 hours before a contractor accepts it.

Review proceeds:

  • Fast Break finds no major exploit
  • Siege finds a low-bandwidth liveness regression
  • Shadow Raid finds a dependency that would narrow future reviewer diversity

The proposer patches both. No major claims survive. The boss moves through Shadownet, Canary, readiness, activation, and fuse close. Deferred contractor payments release, then the proposer’s ship reward vests across activation, fuse, and the 180-day window.

Adversarial capture attempt

A cartel submits an “anti-spam” patch that quietly expands validator discretion and adds a privileged override path. Automation qualifies it. It wins a World Boss Ticket. Compiler quorum flags a privilege delta. Coverage matching allocates extra Power and Maintenance scrutiny.

Fast Break finds nothing dramatic. Shadow Raid lands the real blows:

  • Power reviewers show censorship-surface expansion
  • Maintenance reviewers show future dependence on a narrow technical subgroup

Both claims are classified Major and survive appeal. The boss wipes automatically. The proposer’s Truth Bond is partially slashed for under-disclosing privilege expansion. If resubmitted, the idea is reclassified as Kernel. Human Heat and Edge Heat both spike. A Fork Drill starts if that heat persists into the next season.

Emergency exploit

A live inflation bug is reported privately. A Sentinel Lease validates enough evidence to enter safe mode and revert to the last safe hash. Surge pay begins. A Night Boss opens immediately. Compiler quorum, coverage fill, and claim windows compress to emergency timings.

Patch, verification, and deployment work orders are funded automatically from Night Boss Escrow. After the patch activates and immediate danger passes, the postmortem hash is posted and remaining surge and disclosure awards vest automatically.


Failure modes and defenses

Failure mode: Defense

  • Sketch spam: Free automated Sketch Lane, one active sketch per identity
  • Live-queue spam: Scarce Boss Tickets, scheduler, one live boss per proposer cluster
  • Good proposers under-incentivized: Prep payments, postmortem payment, delayed ship reward
  • Review market underfilled: Automatic pay escalators, protocol-funded coverage
  • Reviewer oligarchy: Open qualification, apprentice lanes, cluster caps, outsider kill rights
  • Fake review traces: Proof-of-Review, miss-escrow, post-fuse clawback
  • Governance overload: Capacity Governor
  • Emergency council ossification: Short Sentinel leases, no consecutive terms
  • Normal mode silently degrades: Automatic Degraded Mode re-entry rules

Details

Submitted

Apr 14, 2026, 12:40:51 PM
