Constitutional Framework

The Constitutional Machine

36 min read

This document is the institutional companion to "Computational Republicanism: A Constitutional Orientation for the Agent Economy." That essay specifies the diagnosis, axiom, principles, and articles. This document specifies how they become enforceable. The Orientation states the rights; this document operationalizes them. Where the two conflict, the Orientation governs and this document is amended.

I. Definitions

The following terms carry specific constitutional meaning throughout. Each names a structural feature, not a contingent technology.

Coercive Computational Authority (CCA). Any entity — state agency, platform, protocol, or autonomous agent system — that exercises power over persons through computational processes at or above a threshold of systemic significance. Two gating tests determine inclusion:

  1. Scale threshold. The entity must operate above a defined threshold of systemic significance, measured by user count, transaction volume, market share in the relevant domain, or dependency ratio (the proportion of affected persons for whom the entity constitutes a non-substitutable service). A small community forum does not meet the threshold. A payments platform that controls a merchant's revenue stream does, regardless of legal classification.

  2. Procedural automation threshold. The adverse act must be materially mediated by automated or model-driven processes without contemporaneous individualized human deliberation. A human manager who fires an employee after personal review is exercising authority, but not coercive computational authority. A platform that deactivates a driver based on an algorithmic rating threshold without human review of the specific case is. The distinction tracks the locus of the constitutional problem: machine-speed coordination producing non-locatable accountability.

An entity that satisfies both tests is a CCA regardless of its self-description, legal form, or stated intent.

Coercive Computational Act. Any act by a CCA that restricts, denies, degrades, suspends, or eliminates a person's access to services, funds, credentials, reputation, communication, or economic participation. The act need not be intentional. Emergent effects of algorithmic classification, model retraining, and automated policy application qualify if they produce material adverse consequences for identifiable persons. An act is "material" when it plausibly changes a person's access to livelihood, housing, banking, insurance, employment, legal standing, or essential communication — not merely the visibility of speech in a discretionary feed, unless that feed is itself livelihood-critical for the affected person. The definition covers: account freezes and holds; deplatforming and service denial; content removal or distribution throttling where the creator's livelihood depends on the platform; credential invalidation or reputation suppression; algorithmic scoring changes that alter access to services; payment-rail severance; and automated denial of employment, housing, insurance, or credit.

Receipt. A structured, machine-readable, human-evaluable record of a coercive computational act, containing five mandatory fields:

FieldContentConstitutional Function
ActThe specific predicate that fired, the specific state transition imposedNames the harm so it can be evaluated
AuthorityThe specific rule, clause, or algorithmic threshold that triggered the actConverts discretion into articulable authority
BoundsScope (which services affected), duration (how long), reach (associated accounts, family)Enables proportionality review
JustificationEvidence or reasoning that triggered the actionConverts assertion into argument
Appeal PathThe mechanism for contestation, the timeline, the reviewing bodyConverts doom into process

A receipt is issued at the time of the act. A provisional receipt — Act and Bounds filled immediately, Justification completed within forty-eight hours — is permitted for emergency actions. A receipt whose fields contain only template language satisfies the form but not the substance and is subject to challenge. Receipt schema is defined by the Standard-Setting Body and versioned for backward compatibility.

Appeal. A process for contesting a coercive computational act, reviewed by a party independent of the entity that took the action, operating on defined timelines, with the power to reverse or modify the action. Independence means: no contractual, commercial, or employment relationship between the reviewing body and the operator. An appeal reviewed by the entity that took the original action is reconsideration, not appeal. An appeal whose timeline exceeds the duration of the harm is autopsy, not contestation.

Proportionality tiers for review (illustrative calibration points; thresholds set by the Standard-Setting Body):

SeverityExamplesReview RequirementTimeline
CriticalPayment freeze >$5K, account termination, credential invalidation, employment-determining actionMandatory human review by independent arbiter3–5 business days
SignificantContent removal, temporary restriction, rating adjustment affecting livelihoodExpedited algorithmic reconsideration + right to escalate to human review5–10 business days
RoutineTemporary visibility reduction, minor threshold adjustment, informational flagAlgorithmic reconsideration + sampled audit by independent body15 business days

Exit. The right to leave a coordination substrate without forfeiting the value accumulated within it. Exit is credible only when it preserves four layers:

  • Data — including relational context: network position, connection patterns, community memberships. Export formats defined by interoperability standards.
  • Identity — portable credentials attesting to performance. The credential travels with the person, not the platform.
  • Rules — governance formula, modifiable above the constitutional floor.
  • Protocol connections — interoperability preventing exit from becoming exile.

Portable Credential. A verifiable attestation of a person's performance, history, or standing that can be presented to any compatible system without requiring the issuing platform's permission or cooperation. Privacy-preserving mechanisms (zero-knowledge proofs, differential privacy, k-anonymity) protect counterparty data. The credential attests to what the person did, not to membership.

Settlement Layer. The substrate of record on which receipts, credentials, and constitutional commitments are registered. The editability constraint governs: no single actor, or plausibly coordinating bloc, can rewrite the record without publicly detectable cost.

Audit. Systematic inspection of a CCA's receipt stream by a body with the technical capacity and legal authority to identify patterns of abuse, deficient receipts, proportionality violations, and demographic disparities. Audit addresses systemic practice. Appeal addresses individual acts.

Delegating Principal. The persistent party at the end of every delegation chain — the entity that set the objective the computational process pursued, bears liability for its effects, and answers when the process has terminated. Infrastructure providers that did not set the objective are not the principal.

Designed Forgetting. The structured constraint on a system's memory through five operations (periods and thresholds below are illustrative defaults; calibration is a political determination made by the administering jurisdiction through democratic deliberation):

OperationFunctionExample
ExpirationRecords leave the composition space after defined periodsHealth records unrelated to ongoing treatment expire from commercial queries after seven years
SealingRecords visible only to defined parties via due processCompleted misdemeanor convictions sealed from commercial background checks
Aggregation limitsNo single system composes records across more than a defined number of domains without consentBackground-check companies cannot join health, criminal, and financial records into a single cross-domain portrait
SeparationProtocol-level barriers between domain databasesSocial-media archive cannot communicate with professional-credential database without authorization
AmnestyJurisdictional determination that dismissed or resolved cases do not burden future prospectsDismissed eviction proceedings expunged from housing databases after five years

Designed forgetting applies to records of persons. It does not apply to records of coercive authority.

II. The Separation of Powers

Four Institutional Separations

Issuers vs. Verifiers. The entity that issues a credential may not be the sole entity that can verify it. An employment credential issued by Platform A must be verifiable by Platform B, Auditor C, and Court D without requiring Platform A's cooperation. Monopoly over verification is monopoly over identity. Implementation: credential standards based on W3C Verifiable Credentials or equivalent, with resolution independent of the issuing platform.

Operators vs. Auditors. The entity that exercises coercive computational authority may not audit its own compliance. Independent auditors — publicly chartered or privately bonded, with access to receipt streams and the technical capacity to evaluate them — inspect operators the way financial auditors inspect banks: systematically, adversarially, with the power to compel disclosure. Auditor independence requirements mirror those of financial auditing: no commercial relationship with the audited entity, mandatory rotation, liability for negligent audit.

Rule-Makers vs. Adjudicators. The entity that sets the rules governing a coordination substrate may not adjudicate disputes arising under those rules. Standard-setting bodies draft the receipt format, portability requirements, and audit criteria. Arbitration bodies — independent, bonded, accountable to judicial review — adjudicate disputes. The separation prevents the rule-maker from interpreting its own rules in its own favor.

Credentialers vs. Identity Providers. The entity that attests to a person's performance is distinct from the entity that attests to a person's identity. A seller's reputation is credentialed by the transaction record. Her identity is attested by an identity provider. The two functions are separated at the protocol level to prevent any single entity from controlling both what a person can prove she did and who she can prove she is.

Institutional Blueprint: Payment Platform

How the separations work for a payment platform operating above the systemic-significance threshold:

┌─────────────────────────────────────────────────────────┐
│                    COURT SYSTEM                          │
│  Judicial review of Adjudicator decisions               │
│  Legislative override of Standard-Setting Body rules    │
│  Public accountability for Auditor charter              │
└────────────────────────┬────────────────────────────────┘
                         │
┌────────────┐   ┌──────┴───────┐   ┌──────────────────┐
│  STANDARD- │   │              │   │    INDEPENDENT    │
│  SETTING   │───│  ADJUDICATOR │   │     AUDITOR       │
│  BODY      │   │              │   │                   │
│            │   │ Reviews      │   │ Receives receipt  │
│ Defines:   │   │ individual   │   │ streams from      │
│ - Receipt  │   │ appeals.     │   │ Operator.         │
│   schema   │   │ Power to     │   │ Inspects for      │
│ - Porta-   │   │ reverse,     │   │ patterns,         │
│   bility   │   │ modify,      │   │ disparities,      │
│   standards│   │ award remedy.│   │ deficient receipts.│
│ - Audit    │   │ No commercial│   │ Publishes reports. │
│   criteria │   │ relationship │   │ Compels disclosure.│
│ - Propor-  │   │ with Operator│   │ Refers cases to   │
│   tionality│   │              │   │ Adjudicator.      │
└────────────┘   └──────────────┘   └─────────┬─────────┘
                                              │
                    ┌─────────────────────────┴──────────┐
                    │           OPERATOR                  │
                    │  (Payment Platform)                 │
                    │                                     │
                    │  Processes transactions.            │
                    │  Applies fraud-detection models.    │
                    │  Exercises coercive acts.           │
                    │  Issues receipt to affected person  │
                    │  + files copy with Auditor.         │
                    └─────────────────┬──────────────────┘
                                      │
                    ┌─────────────────┴──────────────────┐
                    │        AFFECTED PERSON              │
                    │                                     │
                    │  Receives receipt.                  │
                    │  May contest via Adjudicator.       │
                    │  May request audit referral.        │
                    │  May exercise fork rights.          │
                    └────────────────────────────────────┘

The Operator processes transactions, applies fraud-detection models, and exercises coercive acts (freezes, holds, restrictions). For every coercive act, it issues a receipt to the affected person and files a copy with the Auditor.

The Auditor receives receipt streams, inspects them for patterns of abuse, template justifications, proportionality violations, and demographic disparities. It publishes periodic reports. It compels disclosure of receipt metadata. It refers cases to the Adjudicator. It does not reverse individual decisions.

The Adjudicator reviews individual appeals. The affected person files a contestation. The Adjudicator evaluates the receipt against the rule invoked, the evidence cited, and the proportionality of the bounds. It has the power to reverse, modify, or uphold the action, and to award remedy including expedited release, compensation, and structural injunctions.

The Standard-Setting Body — a multi-stakeholder organization including platform representatives, civil-society organizations, technical experts, and affected-party advocates — defines the receipt schema, portability standards, audit criteria, and proportionality guidelines. It does not adjudicate. It publishes, reviews, and revises.

The Court System provides the backstop. Adjudicator decisions are subject to judicial review. Standard-Setting Body rules are subject to legislative override. Auditor charters are subject to public accountability. No element of the Constitutional Machine is beyond democratic contestation.

Why the Separations Hold: Structural Incentives Against Capture

A separation of powers is an architectural diagram until it is given teeth. Madison's central insight in Federalist 51 was not that powers should be separated but that each separated institution must have the structural incentive to resist encroachment by the others. "Ambition must be made to counteract ambition." The question is not whether the Auditor should be independent of the Operator but what makes independence self-sustaining when the Operator has resources, information, and political influence the Auditor does not.

Each separation below is examined for its failure mode and the structural mechanism that prevents it.

Issuer/Verifier. Failure mode: the issuer also controls verification, making credentials irrevocable only by the issuer's consent, so that departure from the issuing platform means credential death. Structural incentive: the receipt regime makes verification results public. A verifier whose results are consistently overturned on appeal or whose verification correlates with the issuer's commercial interests loses standing in the adjudication system. The verifier's market position depends on independence. Historical precedent: the collapse of Arthur Andersen after Enron demonstrated that an auditing firm perceived as captured by its client loses not only the client but its entire practice. The receipt regime replicates this dynamic by making verification outcomes inspectable. Capture becomes detectable, and detectable capture is costly.

Operator/Auditor. Failure mode: the auditor depends on the operator for funding, access, or appointment, which aligns the auditor's incentive with the operator's interest in favorable reports. Structural incentive: the funding model is the key mechanism. Three options exist, each with known failure modes: (a) operator-funded auditing reproduces the Andersen problem; (b) government-funded auditing creates regulatory-capture risk but eliminates operator dependency; (c) user-funded auditing via receipt fees aligns the auditor's revenue with the affected person's interest in rigorous inspection. The recommended structure is (b) with (c) as supplement, modeled on the PCAOB (Public Company Accounting Oversight Board): industry-funded through a mandatory levy, government-supervised through SEC oversight, with rotating appointments preventing long-term relationship capture. The auditor's charter is publicly accountable, and its periodic reports are published and subject to challenge. Historical precedent: the PCAOB was created in 2002 precisely because operator-funded auditing had failed at Enron, WorldCom, and Tyco. The constitutional machine applies the same structural lesson to computational governance.

Rule-Maker/Adjudicator. Failure mode: the body that writes the rules also interprets them. This allows it to resolve ambiguities in its own favor and to insulate its rules from challenge by collapsing the distinction between legislation and adjudication. Structural incentive: the adjudicator's legitimacy depends on not having written the rules it applies. Staggered appointments across political and industry cycles prevent unified capture. Affected-person representatives sit on the Standard-Setting Body with formal veto power over rules that weaken the constitutional floor, creating a structural counter-interest to industry-dominant rule-making. The adjudicator's decisions are subject to judicial review, which means the adjudicator itself faces institutional accountability for decisions that do not withstand scrutiny. Historical precedent: the SEC's separation of rule-making (Commissioners) from adjudication (Administrative Law Judges) instantiates this pattern. The constitutional machine generalizes it beyond securities regulation.

Credentialer/Identity Provider. Failure mode: the entity that attests to a person's performance also controls the person's identity. This creates the power to erase not just what someone has done but who they can prove they are. Structural incentive: portable credentials (Article 5) structurally prevent monopoly. If credentials are portable and presentable at any accepting institution, no single credentialer has the market power to make its identity-gating decisions final. The W3C Verifiable Credentials specification provides the technical standard. The constitutional requirement is that no entity may simultaneously issue identity AND gate access based on that identity. The separation is enforced by the portability right itself: the governed can always present credentials from an alternative source. Historical precedent: the separation of church and state in civil status records. When the church was the sole issuer of birth, marriage, and death certificates, ecclesiastical authority extended into every domain of civil life. Civil registration separated identity from institutional membership. The computational version separates identity from platform membership.

The general principle. Each separation is sustained not by the good character of the institutional actors but by a structural arrangement in which the captured institution's value proposition depends on its independence. Capture becomes a self-defeating strategy: the captured auditor loses credibility, the captured adjudicator loses judicial confidence, the captured verifier loses market position, the captured credentialer loses portability relevance. This is not a guarantee against capture. It is an arrangement in which capture is structurally costly rather than structurally cheap.

III. Implementation Pathway

Phase 1: Receipts and Appeal (Years 1–3)

Scope. Payment platforms, employment platforms, housing-eligibility systems, and critical-communications platforms above the systemic-significance threshold.

Requirements. Every coercive computational act produces a receipt with five fields. Every affected person has access to appeal with defined timelines and independent review. Provisional receipts permitted for emergency actions, with justification required within forty-eight hours.

Legislative mechanism. Modeled on existing consumer-protection frameworks:

  • TILA (Truth in Lending Act) model for financial disclosure requirements
  • FCRA (Fair Credit Reporting Act) model for adverse-action notice requirements
  • GDPR model for data-subject rights and penalty structures

Alternatively, regulatory mandate through existing agencies: CFPB for payments, FTC for platform practices, sectoral regulators for domain-specific applications. Early voluntary adoption creates compliance infrastructure and competitive pressure.

Institutional build.

  • Training and certification pipeline for independent arbiters
  • Receipt-schema standards through multi-stakeholder standard-setting process
  • Standardized verification software for receipt-adequacy evaluation
  • Verification-advocate roles analogous to public defenders — professionals who inspect receipts on behalf of affected parties lacking technical capacity

Phase 2: Portability and Fork Rights (Years 2–5)

Scope. All Phase 1 entities, plus social platforms, credential-issuing systems, and marketplace platforms above the threshold.

Requirements. Data portability in interoperable formats, including relational context. Portable credential standards. Protocol interoperability. Privacy-preserving mechanisms protecting counterparty data during export.

Legislative mechanism. Modeled on telecommunications portability:

  • Number portability → credential portability
  • Interconnection requirements → protocol interoperability mandates
  • Account-switching services → data-export standards with defined timelines

Credential-portability standards developed through industry consortia with regulatory backstop. Overlap with existing legislative proposals (ACCESS Act, Digital Markets Act) provides coalition surface.

Institutional build.

  • Independent audit bodies with technical capacity and legal authority
  • Portability standards through standard-setting organizations
  • Privacy-preserving export protocols (zero-knowledge proofs, differential privacy, secure multi-party computation)

Phase 3: Settlement and Audit Infrastructure (Years 3–10)

Scope. The settlement layer on which Phase 1 and Phase 2 commitments are registered.

Requirements. Receipt registries satisfying the editability constraint. Periodic independent audits with published reports and enforcement consequences.

Settlement-layer requirements calibrated by assurance level:

Assurance LevelApplicationsEditability Requirement
HighCriminal-justice records, financial regulatory receipts, identity credentialsThermodynamic grounding or equivalent: rewriting requires physical expenditure detectable by any participant
MediumPayment-dispute receipts, employment-action receipts, housing-eligibility recordsMulti-institutional architecture where no single actor, or plausibly coordinating bloc, can rewrite records without publicly detectable cost
StandardContent-moderation receipts, marketplace dispute records, service-level recordsAppend-only logs with multi-party attestation and periodic anchor to higher-assurance layer

The constitutional question at each level: what would it cost to rewrite this record, and who would have to cooperate?

Institutional build.

  • Professional culture of computational auditing: standards, certification, liability for negligent audit, independence requirements
  • Cross-jurisdictional mutual recognition of audit findings
  • Settlement-layer interoperability standards allowing credentials and receipts to move between assurance tiers

III-B. How This Constitution Enters the World

A constitutional framework must have a theory of its own founding. The twelve articles, the institutional separations, and the implementation pathway describe what the constitutional order looks like from the inside. This section describes how it comes into existence from the outside.

The founding paradox. A constitutional order faces a paradox at its birth. It claims authority to constrain power, but the authority to make that claim cannot precede the order that confers it. A constitutional text cannot legitimize itself by reference to its own articles. The traditional solution, a constituent power that acts before institutions exist and delegates to the institutions thereby created, reproduces the paradox one level up: what authorized the constituent power? The question admits no historical answer free of circularity.

The response available to this framework is structural rather than historical. The act of founding carries its own principle within itself. A community of signatories who have exited one jurisdiction and not yet entered another can bind one another by the act of binding, because the act itself presupposes the mutual recognition it enacts. The transnational predicament of the agent economy is not a liability here. It is the same predicament under which every transnational coordination regime has ever been constituted: participants who stand outside any shared sovereign but inside a shared need for rules. No prior authority issues the warrant. The warrant is issued by the signing.

Constituent power, in this framing, is not a single mythic moment. It is iterated. The protocol can have many small constitutional moments — each new adopter, each extension of scope, each ratification of an amendment — rather than a foundational event that authorizes everything after. The fork rights enshrined in Articles 4 and 5 keep the constituent moment permanently accessible. A person who withdraws participation and establishes a new substrate under the same articles is not seceding. She is exercising the same power that founded the order in the first place. The framework does not lock the door behind the founders, because no door was ever locked. Founding is a continuous act, renewed each time a participant places herself within the regime.

Who can found it. Not states, initially. Standards bodies (W3C, IEEE, ISO), industry consortia with affected-person representation, multi-jurisdiction compacts, or protocol communities. The pattern follows how internet governance actually developed: the IETF established technical standards through rough consensus and running code, and states ratified those standards into national law after demonstrated adoption had made them indispensable. The constitutional order for computational governance follows the same trajectory. It begins as a voluntary framework adopted by entities that find its receipt and portability requirements useful. It becomes statutory when adoption reaches the point where holdouts create systemic risk for the governed.

Minimum viable adoption. The constitution becomes operational when adopted by entities whose coercive computational acts affect a critical mass of persons. The threshold is functional, not numeric: the constitution matters when the entities that adopt it are the ones whose decisions materially affect lives. The minimum bootstrapping threshold is Articles 1 and 2 (receipt and contest). An entity that issues receipts and provides independent appeal has begun to adopt the constitutional order. But the full constitutional floor, once the order is constituted, comprises Articles 1, 2, 3, and 10 (receipt, contest, human review for material actions, and anti-waiver). These four are the non-derogable minima identified in the Orientation's amendment procedure. Articles 1-2 are sufficient to begin. Articles 1-2-3-10 are necessary to sustain.

The standards-to-statute pathway. Begin as a voluntary standards regime, as PCI-DSS did for payment card security. Gain adoption through market pressure: entities that issue receipts are demonstrably more trustworthy than those that do not, and affected persons increasingly expect them. Transition to statutory backing when adoption reaches the point where non-adopting entities impose externalities on the governed that voluntary frameworks cannot address. Historical precedent: accounting standards began as professional self-regulation (GAAP), became market expectations, and were eventually mandated by statute (SEC requirements, Sarbanes-Oxley). Environmental reporting followed the same arc. The constitutional order does not require a founding convention. It requires demonstrated value followed by political recognition.

Evidence that coordination substrates can bear constitutional weight. The proposition that a coordination substrate can host an order with named articles, amendment procedures, and adversarial institutional roles is not speculative. It has been tried at scale, and where it has been tried with sufficient seriousness it has worked.

One established protocol has adopted and executed nineteen formal amendments to its governance layer across six years, each ratified through an on-chain procedure requiring public proposal, deliberation, and supermajority approval. None of those amendments degraded the protocol's operational integrity. Several improved it. A second protocol maintains a written constitution with named articles, a formal amendment procedure, oath-bound institutional actors, and a nested scope framework that constrains what future amendments may touch. A third operates under a bicameral design with two distinct voting bodies — one weighted by economic stake, one weighted by personhood — and has adopted a constitution explicitly provisional in nature, designed to give way to a successor constitution once participation has generated the legitimacy the initial text could not claim at founding.

These are not thought experiments. They are operating governance systems with cumulative track records. They demonstrate that written constitutions, named separations, and formal amendment procedures can be executed in coordination infrastructure at scale without reduction to technocratic administration or collapse into unrestrained majoritarianism. The framework proposed here is not asking whether such architectures are possible. That question has been answered by operating examples. It is asking how to generalize the answer beyond the protocols that have already borne the proof, and how to bind the generalized answer to the constitutional commitments the articles specify.

Partial adoption and interoperability. Entities may adopt subsets of the articles. A payment platform that implements Articles 1-3 (receipt, contest, human review) but not Article 7 (designed forgetting) has adopted a partial constitutional position. Partial adoption is better than no adoption. The framework does not require all-or-nothing commitment because the articles are structurally cumulative: each builds on the preceding ones, and the constitutional position strengthens with each addition. Interoperability between partially adopting entities is governed by the portability standards (Articles 4-5): a credential issued under a regime that includes Article 7 should be recognized by a regime that does not, because the credential's validity does not depend on the receiving entity's retention policy.

What binds non-consenting operators. The constitution creates rights in persons, not obligations that operators volunteer for. If an entity's computational acts meet the CCA threshold (systemic significance plus procedural automation), affected persons have standing to demand receipts regardless of whether the entity has adopted the framework. The constitutional floor is not contractual. It is a condition of legitimate governance, the same way labor law binds employers who did not consent to it and environmental law binds polluters who would prefer not to comply. The authority derives from the structural condition: when an entity exercises coercive computational power over persons, those persons have standing to demand that the exercise be legible, contestable, and bounded. The entity's consent is not required because the entity's power is not contingent on the person's consent.

The boundary objection. The strongest philosophical objection to a constitutional order claiming transnational reach is that every legal order is bounded in space, in time, in membership, in content, and that any framework which refuses to name its boundary is either confused about what a legal order is or covertly extending the authority of a particular community beyond the limits of its legitimate claim. The objection is correct, and the framework concedes it.

The concession locates the boundary in voluntary participation. Inside the boundary: persons subject to coercive computational acts by any entity operating within a jurisdiction that has adopted the framework, or by any entity that has itself adopted the receipt, appeal, and portability commitments. Outside the boundary: entities that have not adopted the commitments, operating in jurisdictions that have not adopted the framework, dealing with persons who have not sought its protection. Inside, the constitutional floor applies. Outside, ordinary law governs, with the framework contributing nothing beyond whatever moral force its arguments carry in the relevant political conversation.

The placement of the boundary is deliberate. It is a libertarian move because participation is opt-in rather than compulsory at the level of the order itself, even where adoption by a jurisdiction makes participation compulsory for entities operating within. It is a republican move because non-domination, the framework's governing commitment, operates inside a political community rather than as a universal abstraction indifferent to the particular institutions that sustain it. It is a strategic move because it narrows the category of sovereignty claims the framework makes. The framework does not claim universal authority over every computational system on the planet. It claims authority over those systems whose operators, through jurisdictional adoption or direct participation, have accepted the receipt regime.

The price of this concession is candor about what the framework can and cannot do. It cannot compel entities operating entirely outside the regime. Its authority over such entities is moral rather than legal, which is to say no more authoritative than the arguments it can bring to bear. The framework accepts the price because a proposal that claims universal reach at the level of its own text tends to receive less serious engagement from exactly the kind of reader whose serious engagement it needs.

IV. Coalition Map

Who Benefits Immediately

Small and medium business. Merchants whose livelihoods depend on platforms they do not control. The receipt regime makes the payment hold contestable. Fork rights make the platform replaceable. The potter whose ninety-day hold was disproportionate can fight it — and if the platform will not reform, she can leave without forfeiting her eight hundred reviews.

Gig workers and algorithmic labor. Drivers, delivery workers, freelancers subject to opaque ratings, undisclosed thresholds, uncontestable deactivation. The receipt converts algorithmic management from a black box into a contestable system. Coalition overlap with labor organizations is direct and immediate.

Civil liberties and privacy organizations. Civic asymmetry is their core commitment stated as constitutional architecture. The transparency direction aligns with existing advocacy for surveillance reform, data minimization, and algorithmic accountability.

Consumer finance reform. The receipt regime extends FCRA/TILA/ECOA to computational governance. Natural coalition with existing consumer-finance advocacy infrastructure.

Dissidents, journalists, and at-risk populations. Fork rights and settlement-layer integrity are existential for populations whose access to communication, payment, and identity can be severed by a state or platform.

Antitrust and interoperability advocates. Fork rights and portability standards directly advance interoperability-focused antitrust policy. Overlap with ACCESS Act and Digital Markets Act provisions.

Open-source and protocol-development communities. Open standards, interoperable implementations, and public standard-setting processes align with existing commitments.

National-security institutionalists. Auditability and receipt integrity serve institutional accountability interests. A receipt regime makes it harder for foreign platforms to operate opaquely within domestic markets. Settlement-layer integrity prevents adversaries from editing records undetectably.

Who Pays

Platforms above the significance threshold. Receipt requirements impose compliance costs. Portability reduces lock-in. Fork rights reduce switching costs. Legitimacy has a price, and these institutions will be asked to pay it.

Institutional build. Training arbiters, chartering auditors, developing standards requires investment. Funding: regulatory fees on operators, fines from deficient-receipt issuers, public investment in digital-governance infrastructure.

Who Fights

Lock-in-dependent platforms. Will argue portability compromises security, interoperability degrades quality, fork rights endanger privacy. Each contains a genuine concern wrapped in a structural defense of market position. Genuine concerns addressed in Phase 2 design. Structural defense overcome through legislative mandate.

Surveillance-advertising interests. Will argue targeted advertising funds the free internet. Response: the free internet is not free — its price is domination, invisible because the advertising model requires it to be.

State surveillance interests. Will argue national security. Response: civic asymmetry does not prohibit lawful surveillance under judicial oversight. It prohibits the inversion that makes every citizen visible to the state while the state's criteria remain invisible to the citizen.

The Three Wedge Lines

Three sentences that translate constitutional architecture into political grammar:

  • Receipts are consumer protection for the agent economy.
  • Portability is antitrust for the agent economy.
  • Designed forgetting is the civil rights act for the agent economy.

V. The Opponent Model

The Quiet Foreclosure is not an accident. It is a stable equilibrium maintained by four structural interests, each of which resists a corresponding constitutional commitment.

InterestHow It ProfitsWhat Threatens It
OpacityDecision criteria invisible to users → extraction without political response. The trust tax is invisible because visibility would invite competition.Civic asymmetry — transparency obligations on authority
Lock-inNon-portable data, credentials, reputation → retention through switching cost, not quality. Proprietary formats are not product features; they are structural barriers.Fork rights — credible exit across four layers
Permanent memoryComprehensive documented past as leverage over institutional future → risk pricing from decades-old data, employment screening from archived social media. The permanence is an asset.Designed forgetting — temporal limits on personal records
Editable ledgersThe entity that controls the audit log can edit the audit log. Accountability is voluntary when the record-keeper can revise the record.Thermodynamic grounding — editability constraint on settlement layer

These four interests — opacity, lock-in, permanent memory, editable ledgers — constitute the structural architecture of the Quiet Foreclosure. Each serves a constituency. Each generates revenue. Each is rationally defended by well-funded, politically organized entities. A constitutional orientation that does not name its opponents cannot defeat them.

VI. What This Is Not

Not crypto-libertarianism. The crypto-libertarian position holds that code is the only legitimate law and exit is the only legitimate remedy — that governance itself is the problem and sovereign individuals can coordinate without constitutional constraints. Computational republicanism argues the opposite: ungoverned coordination at machine speed is domination automated, because the party with the most compute, the most capital, and the most network effects will set the terms for everyone else, and "just fork" is not a constitutional guarantee when the fork costs more than the submission. The Protocol Republic requires institutions — auditors, arbiters, standard-setting bodies, appeal processes, verification advocates, professional cultures of impartiality — because constitutionalism is the technology for constraining power, and power does not constrain itself. Exit without voice is exile. Voice without exit is petition. The framework requires both, institutionally guaranteed.

Not techno-utopianism. A floor, not a ceiling. Magna Carta did not end tyranny. It specified what the governed could demand, in terms precise enough to argue over and durable enough to survive the arguing.

Not a party platform. Prior to any specific policy agenda. A social democrat and a market liberal can both operate within the constitutional floor, disagreeing about tax rates while agreeing that no computational authority exercises coercive power without a receipt.

VII. What Would Falsify This Proposal

Constitutional proposals, like empirical claims, should name the conditions under which they would be wrong. The following conditions, if demonstrated, would require fundamental revision of the framework:

  1. Designed forgetting proves incompatible with accountability. If the records needed for liability, fraud detection, and institutional learning cannot coexist with temporal limits on personal data, the tension between Articles 7 and 12 becomes irreconcilable. The framework assumes these can be separated (aggregate patterns preserved, individual records expired). If they cannot, the temporal-asymmetry principle must be narrowed or abandoned.

  2. Fork rights prove practically unusable. If the cost of exit remains prohibitive despite portability standards (network effects too strong, switching costs too high, credential recognition too sparse), Articles 4-5 become formal rights without practical force. The framework assumes that portability infrastructure makes exit credible. If it does not, fork rights become constitutional decoration.

  3. The receipt regime creates more bureaucratic overhead than it prevents harm. If compliance with Articles 1-3 produces a paperwork regime that degrades the services it governs without meaningfully improving contestability, the constitutional cure is worse than the disease. The framework assumes that receipt issuance is cheap relative to the coercive acts it documents. If this assumption fails at scale, the proportionality tiers must be recalibrated or the threshold for "coercive computational act" must be raised.

  4. The anti-waiver clause proves unenforceable across jurisdictions. If regulatory competition produces a race to the bottom in which entities relocate to jurisdictions that do not enforce Article 10, the constitutional floor becomes geographically contingent. The framework assumes that market pressure and mutual recognition can sustain the floor despite jurisdictional variation. If they cannot, the floor holds only where it is statutory.

VIII. Open Questions

Constitutional documents that pretend completeness invite brittle implementation. The following questions are identified as requiring further development through multi-stakeholder deliberation:

  1. Threshold calibration. What user count, transaction volume, or dependency ratio defines "systemic significance"? The answer is political, not technical, and different jurisdictions may set different thresholds.

  2. Cross-jurisdictional enforcement. How are receipt and portability requirements enforced against entities operating across jurisdictions with different regulatory frameworks? Mutual recognition agreements, treaty-based coordination, and unilateral market-access conditions are candidate mechanisms.

  3. Funding the institutional build. Who pays for arbiter training, auditor certification, standard-setting infrastructure, and verification advocates? Regulatory fees, penalty revenue, and public appropriation are candidate mechanisms, each with different political viability.

  4. AI agent delegation chains. When an autonomous agent system exercises coercive authority on behalf of a delegating principal, and the agent was itself deployed by an intermediate service provider, the question of who answers when harm occurs admits no easy reduction to existing agency law. A regime in which coercive authority can be laundered through delegation layers until no principal can be identified has recreated the very condition the architecture was designed to prevent. The concepts of orphan commitments and the surviving principal provide the analytical foundation. The following doctrine translates them into architecture, and in doing so moves the question from open problem to solved problem whose remaining specifications are political determinations rather than conceptual gaps.

First, bonded principal registration. Any entity deploying an agent above a defined capability threshold must pre-register a legal person, individual or corporate, who accepts strict liability for the agent's coercive computational acts. Registration is a condition of market access in adopter jurisdictions. The registered principal posts a bond or maintains insurance sized to the expected-worst-case damages of the deployed capability, with the coverage floor calibrated by the Standard-Setting Body and scaled by deployment volume. Entities that decline to register may not operate agents of the relevant class within adopter jurisdictions. The choice to operate is the choice to register.

Second, strict liability on the deployer. Liability for harm flows to the party that set the objective and deployed the agent, not to the nearest human operator who executed a narrow instruction within the delegation chain. This allocation is the architectural response to a pattern, observed repeatedly in automation-mediated harms, in which liability settles on the human closest to the failure rather than on the principal with decision authority. The framework refuses this allocation as a matter of constitutional design. The principal is the party with the capacity to prevent the harm at the level at which it could have been prevented, which is the level at which the objective was set and the agent was deployed. Upstream vendors who supplied components retain indemnity claims against the principal for their contributions, but do not bear primary liability to affected persons. The operator-at-the-keyboard is not the constitutional addressee.

Third, mandatory insurance pools with experience rating. Principals with demonstrated safety records pay lower premiums. Principals with repeated adverse receipts pay higher ones. The pool aggregates risk across deployments, ensuring that individual insolvency does not leave affected persons without remedy, while experience rating preserves the price signal that pushes principals toward safer design. The pool is not a waiver of liability. It is the mechanism that makes liability collectable when the principal lacks resources to satisfy a judgment alone.

Fourth, designated-human-principal default. Below a defined scale threshold, the registered principal must be a named natural person, not a corporate entity. Above the threshold, corporate principals are permitted, subject to disclosure of the responsible officer within the corporate structure. This default prevents the construction of principalless agent swarms at small scale while admitting corporate delegation where scale justifies corporate form. A human being stands behind every agent below the threshold, identifiable, reachable, answerable.

Fifth, cross-jurisdictional allocation rules. The law of the place of harm governs substantive liability. The jurisdiction of principal registration accepts mandatory in-personam service, preventing the registered principal from hiding behind forum selection. A victim-choice-of-forum safety valve allows plaintiffs in asymmetric-information situations to file in a forum with adequate procedural protections even when the principal's preferred forum would not. The rule forecloses the common escape route by which multinational operators render themselves effectively unreachable: no forum inconvenient to the principal is a forum from which the framework permits escape.

Sixth, orphan commitments. When a principal has become unreachable, insolvent, or definitionally defunct, the insurance pool is the primary payer. Subrogation against the principal is preserved, ensuring the pool does not absorb costs that legally attach elsewhere. The affected person is not left to search for a vanished counterparty. The agent does not die; the commitment does not evaporate with the agent. Someone answers, always, because the architecture guarantees someone.

The six mechanisms together answer the central cautionary pattern of automation liability by refusing, at the design level, to locate responsibility on the nearest human operator. The architecture is feasible without inter-jurisdictional legislative agreement because it operates through private-law mechanisms (registration, bond, insurance, strict liability) that do not require supranational treaties to function. Adoption by any sufficiently large market creates outward compliance pressure. The framework preserves its commitment to voluntary participation: registration is voluntary for principals but is a condition of operating within adopter jurisdictions at scale. The principal who prefers to remain outside the regime may do so. She may not do so while exercising coercive computational authority within jurisdictions that have adopted the framework.

The calibration details (capability thresholds, bond amounts, pool structures, scale definitions) are political determinations to be set by adopting jurisdictions through democratic deliberation. Leaving them to that deliberation is not an evasion. It is the point at which the constitutional architecture hands off to the politics that must always complete it.

  1. Mercy calibration. What expiration periods, sealing conditions, and amnesty terms are appropriate for which domains? These are moral-political questions that require democratic deliberation, not technical specification.

  2. Thermodynamic grounding at scale. If high-assurance settlement requires energy expenditure proportional to security, what is the acceptable energy cost for constitutional infrastructure? The question mirrors existing debates about the energy cost of military defense, judicial systems, and financial infrastructure.

This document operationalizes "Computational Republicanism: A Constitutional Orientation for the Agent Economy." Both documents together constitute the constitutional proposal. Neither is sufficient alone.

Neither document is sufficient alone because the rights require machinery, and the machinery requires a theory of rights.