Chapter 9: The Penumbra

The double meaning has been given to suit people's diverse intelligence. The apparent contradictions are meant to stimulate the learned to deeper study.

Ibn Rushd (Averroes), The Decisive Treatise (c. 1180)

Where Code Runs Out

A smart contract says: "Release funds when the goods are delivered."

The code is precise. The Solidity compiles. The bytecode deploys. The mechanism is ready.

Then the world intrudes.

The shipping company marks the package "delivered." But the buyer was not home. The package sits on a porch. It rains. The goods are water-damaged. The buyer claims non-delivery. The seller claims delivery per tracking. The smart contract cannot decide.

Or: the delivery address was wrong. The buyer entered it incorrectly. The goods went to the neighbor. The neighbor kept them. Who bears the loss?

Or: the goods arrived, but late. The buyer needed them for an event that has passed. The goods are worthless to them now. The contract said "delivered," not "delivered on time." Is late delivery still delivery?

Or: a pandemic closes borders. The goods are stuck in customs indefinitely. Force majeure. Neither party is at fault. The contract has no force majeure clause because the parties never imagined one would be needed.

Or: the buyer claims the goods do not match the description. The seller claims they do. The contract says "release funds when goods are delivered," not "release funds when goods match description." The specification was incomplete. The parties did not anticipate this dispute.

The contract executes according to its logic. But what should the code do? Someone must decide what "delivered" means in each of these contexts. That decision is interpretation, and interpretation cannot be fully automated.

Mechanism design can make the clear cases self-enforcing. The synthesis was clear: Buchanan's constitutional economics plus Hurwicz's mechanism design plus cryptographic enforcement equals a system where compliance is structurally necessary, not merely advisable. But the synthesis has a limit. It works where rules are clear. It fails where rules run out.

The unclear cases remain: the edge conditions, the zone where rules run out and human judgment must fill the gap.

This zone has a name. H.L.A. Hart called it the Penumbra. (Hart 1961)H. L. A. Hart, The Concept of Law (Oxford: Oxford University Press, 1961).View in bibliography

The smart contract that says "release when delivered" is a rule, and like every rule it is stated in general terms. The world produces particular cases. At the boundary, the rule does not determine its own application. Someone must decide. That decision is interpretation. The Protocol Republic can only structure interpretation, never escape it.

The structure matters. Unstructured interpretation is discretion. Structured interpretation is bounded authority. The Protocol Republic must build the structure: specify who interprets, by what process, with what evidence, under what standard, subject to what appeal. The interpretation remains, but it operates within constraints.

The Penumbra exists. It cannot be abolished. But it can be governed. Traditional systems governed the penumbra through unchecked discretion: the official decided, the citizen submitted. The Protocol Republic governs the penumbra through receipted discretion: the arbiter decides, but leaves a trace that can be checked, challenged, and learned from.

The penumbra is a structural feature of all rules, not a coding failure.

Hart's famous example: "No vehicles in the park." The rule's core is clear: cars and trucks are prohibited. But what about bicycles? Wheelchairs? A military jeep on a memorial plinth? Each is a "vehicle" under some reading and not under others. The rule does not determine its own application at the boundary.

No rule can anticipate all future applications. Language is general; the world is particular. The rule says "vehicle." The world produces Segways, invented decades after the rule was written. The penumbra is inherent in language itself.

Ronald Dworkin challenged Hart's picture. (Dworkin 1986)Ronald Dworkin, Law's Empire (Cambridge, MA: Harvard University Press, 1986).View in bibliography Beyond rules, Dworkin argued, there are principles that guide interpretation. The judge in a hard case is discovering what the law, properly understood, already requires.

For protocols, this debate maps onto "code is law" versus "intent is law." The strict view says the code is what it is: if the code permits an action, the action is valid. The Dworkinian view says the code implements purposes: actions that defeat those purposes are invalid even if technically permitted.

The DAO made the debate concrete. On June 17, 2016, an attacker exploited a reentrancy vulnerability in The DAO's smart contract to drain approximately 3.6 million ETH — roughly $60 million at the time — from a collectively governed investment fund holding nearly 14% of all Ether in existence. The code permitted every action the attacker took. The splitDAO function could be called recursively before the balance was updated; the attacker called it recursively. No rule was broken. Under Hart's positivism, the withdrawal was valid: the code defined the rules, the rules were followed, the funds were released. Under Dworkin's interpretivism, the exploit violated the purpose of a collectively governed investment fund — a fund whose participants deposited ETH expecting collective stewardship, not recursive drainage. The code could not determine its own interpretation at the boundary where specification and purpose diverged.

The community split. One faction chose intervention: a hard fork at block 1,920,000 that rolled back the attacker's transactions and restored the funds. The other chose immutability: Ethereum Classic, the minority chain that preserved the original ledger, attacker's withdrawal and all. Both sides were right about something. The interventionists were right that the exploit violated the fund's evident purpose. The immutabilists were right that retroactive alteration of executed code destroys the determinism that makes "code is law" meaningful. Neither could demonstrate that the other was wrong. The penumbra is real precisely because the code cannot adjudicate the disagreement that the code produced.

The lesson is not that one side was correct. It is that "code is law" is a slogan that dissolves under pressure, not a jurisprudence. Human judgment was required — and the judgment split the chain. The Protocol Republic inherits this requirement and can only structure how that judgment is made, by whom, with what accountability, and subject to what appeal. Chapter 10 examines this episode in detail. Here, the structural point suffices: the penumbra is inherent in any rule system, and protocols are rule systems.

Lon Fuller approached the problem from a different angle: "what makes law work?", not "what is law?" (Fuller 1964)Lon L. Fuller, The Morality of Law (New Haven: Yale University Press, 1964).View in bibliography His answer: law has an inner morality — requirements of generality, publicity, clarity, consistency, stability, and congruence between declared rules and official action. Rules that fail these requirements are not merely bad law. They fail to function as law at all.

Protocols satisfy some of Fuller's conditions automatically. Code that compiles is consistent; contradictory instructions will not run. Code on-chain is public. Code that executes is congruent: declared rules and actual rules are identical. These are genuine advantages over paper constitutions, where the gap between declared and actual rules can persist for decades.

But protocols can fail Fuller in ways he never anticipated. Clarity fails when smart contracts are technically public but practically opaque — a Terms of Service of 47,000 words is published but incomprehensible; Solidity bytecode is on-chain but unreadable. Stability fails when protocols upgrade constantly, so that users cannot learn the rules before the rules change. Congruence fails when nominal governance masks founder control: the rules say "governance by token vote," the reality is governance by founders who hold enough tokens to override any vote. And generality fails when governance councils govern by ad hoc exception, declaring emergencies that suspend the rules they are constituted to enforce.

Tornado Cash exposed a failure Fuller could not have imagined: a jurisdictional penumbra where the code satisfies Fuller's conditions and a sovereign state treats it as sanctionable anyway. On August 8, 2022, the U.S. Treasury's Office of Foreign Assets Control designated Tornado Cash smart contract addresses under the International Emergency Economic Powers Act — the first time a sovereign sanctioned autonomous, immutable code rather than a person or entity. The code was public (Fuller's publicity satisfied). It was consistent (the mixer operated deterministically). It was congruent (declared and actual behavior were identical, verifiable on-chain). Yet the state treated it as a sanctionable entity, and anyone interacting with those addresses became subject to criminal liability. The Fifth Circuit reversed in November 2024, holding that immutable smart contracts are not "property" under IEEPA because no person or entity can alter, control, or withdraw assets from them. Treasury delisted the addresses in March 2025 rather than appeal. The penumbra here is jurisdictional: where does protocol governance end and state sovereignty begin? Fuller's inner morality asks whether rules function as law within their system. Tornado Cash functioned perfectly as law within its system. The question the case posed was whether a sovereign can treat functioning law-within-a-system as a violation of law-outside-that-system — and the answer remains contested. The inner morality of law must become the inner morality of protocols, and the translation is not automatic.

The lesson from legal philosophy: even sophisticated frameworks cannot abolish the zone where judgment is required. The Protocol Republic inherits this limit. What matters is how the penumbra is governed.

Consider a DeFi protocol's governance mechanism. Token holders vote on proposals. But what counts as a valid proposal? The rules say "proposals that benefit the protocol." What benefits the protocol? A proposal to pay the founders a large bonus might benefit the protocol by retaining talent, or it might be self-dealing. A proposal to airdrop tokens to new users might grow the user base, or it might dilute existing holders unfairly. The principles (benefit the protocol, treat users fairly) can conflict.

Dworkin would say there is a right answer: the interpretation that makes the protocol the best it can be, given its purposes. Hart would say the rule has run out, and the voters are legislating, not interpreting. The Protocol Republic must function regardless of which philosopher is correct. What matters is that the decision be made accountably, with receipts, and subject to exit if the interpretation becomes intolerable.

Smart contracts face the same structural limit as natural language rules. The contract says "release funds when the oracle reports delivery." What is the oracle reporting? A tracking number? A physical inspection? A photograph? Each specification generates new boundary cases. The oracle reports "delivered" but the recipient says the package was empty. The oracle is accurate to its specification, but the specification does not capture every case.

The temptation is to specify more precisely. But precision has limits. At some point, the specification becomes as long as all possible cases, which is impossible. The rule must be general. Generality entails penumbra. The penumbra is a feature to be managed, never a flaw to be fixed.

Power's Retreat

When rules become checkable, power retreats into interpretation. The Protocol Republic, for all its advances, cannot abolish the political.

Power seeks domains where it can operate without accountability. Traditional governance offered many such domains: secret decisions, unverifiable claims, discretionary enforcement. The verification revolution closes some of these.

Make rules transparent, publish them on-chain, and power can no longer hide in secret regulations. But power adapts. It retreats to rule-making: who decides what rules are encoded?

Make rule-making transparent, require governance votes, publish deliberations, and power can no longer hide in the smoke-filled room. But power adapts. It retreats to interpretation: what do the rules mean in this case?

Make interpretation contestable, require receipts for interpretive decisions, allow appeals, and power can no longer hide in arbitrary judgment. But power adapts. It retreats to the contest rules: who decides what counts as a valid appeal? What standard of review applies? Who selects the arbitrators?

At each level, transparency pushes power to the next level. The penumbra is the limit: the zone where the rules themselves cannot specify their application, where judgment is irreducible, where some human or institution must decide.

This is the human condition made visible, not a flaw in the verification revolution. Traditional systems hid the penumbra behind opacity. The official could claim to be "just following the rules" when in fact they were making choices that the rules did not determine. The verification revolution exposes the penumbra by making the clear cases obviously clear. What remains is what was always there: the zone where human judgment is required.

This exposure is valuable. A system that pretends to have no penumbra is lying. A system that acknowledges its penumbra and structures accountability around it is honest. What the Protocol Republic can do is require that judgment be accountable: receipted, reasoned, contestable, and subject to exit.

The Protocol Republic relocates the penumbra rather than eliminating it. Traditional systems had penumbras at every level: secret rules, secret interpretations, secret enforcement. The Protocol Republic pushes the penumbra to the edges: the rules are clear, but the edges are not.

This is progress. A system with penumbras only at the edges is more accountable than a system with penumbras everywhere. The contestable zone shrinks. The clear zone expands. But the contest does not end.

Consider the analogy to other revolutions that delivered improvement without delivering utopia. The printing press did not eliminate propaganda; it made propaganda and its critique simultaneously more accessible. Democracy did not eliminate corruption; it made corruption contestable. The market economy did not eliminate poverty; it created unprecedented wealth alongside persistent inequality. Each revolution changed the terrain of struggle without ending struggle.

The verification revolution follows this pattern. It makes evasion harder, more visible, and more costly, even though it cannot end power's capacity to evade accountability entirely. The penumbra remains, but it is a smaller penumbra, contested on more favorable terms.

Power will fight to expand the penumbra. Actors who benefit from discretion will seek to classify cases as ambiguous, to create exceptions, to widen the zone where interpretation governs. The Protocol Republic must be defended continuously against the pressure to erode its clarity.

The strategy of penumbra expansion is visible in traditional governance. An official who wants to act outside the rules will argue that this case is different, that the rule was not intended to apply here, that special circumstances require flexibility. If the argument succeeds, the penumbra expands. The next case that is similar can also be argued as different. Eventually, the exception swallows the rule.

Protocols face the same pressure. A governance proposal will argue that normal rules should be suspended because of market conditions, hacking risk, or competitive pressure. If the suspension passes, the next suspension is easier. The penumbra expands. The clear rule becomes the exception; the exception becomes the norm.

Defense requires vigilance. The Protocol Republic must have mechanisms for resisting penumbra creep: high thresholds for exceptions, sunset clauses that require reauthorization, automatic return to baseline when emergency conditions end. The mechanisms require participants who understand the value of clarity and resist the appeal of case-by-case flexibility.

The verification revolution is a new terrain of struggle, more favorable than the old terrain yet still contested.

Bounding the Penumbra

If the penumbra cannot be eliminated, it can be bounded. The Protocol Republic governs interpretation through structure rather than discretion.

Specificity where possible, explicit process where not. "Release funds when package tracking shows delivered status from approved carrier list" is more specific than "release funds when delivered." Specificity shrinks the penumbra. But specificity has limits: no rule can anticipate every case. The honest approach: state the rule precisely for the core, state the process for resolving edge cases. "In standard cases, X. In disputed cases, submit to arbitration under process Y."

Structured discretion with skin in the game. Where interpretation is unavoidable, the interpreter must bear consequences for error.

Different disputes require different architectures. A DeFi liquidation dispute is time-sensitive, high-stakes, and technical, requiring rapid resolution by parties who understand oracle mechanics and collateral ratios. An NFT provenance dispute is slower, cultural, and interpretive, requiring arbiters who understand art markets and authentication practices. A content moderation appeal involves context, intent, and community norms, requiring different expertise again. There is no universal optimum. The architecture must match the dispute type.

The emerging practice illustrates the range. Kleros uses Schelling point voting: randomly selected jurors stake PNK tokens and vote independently; those who vote with the majority keep their stake, dissenters lose theirs. By 2022, the protocol had resolved over 362 disputes (documented in a Stanford Computational Policy Lab study). The mechanism resists capture through anonymity and random selection, but it sacrifices expertise — jurors need not understand the domain, only identify the focal answer. The real-world test came in 2021, when a Mexican court recognized a Kleros arbitral award — the first known instance of a national judiciary validating blockchain-based arbitration. The penumbra extended from on-chain to off-chain: a protocol's interpretive output acquired legal force in a sovereign jurisdiction, and the jurisdictional boundary shifted.

UMA's optimistic oracle takes the opposite approach: assertions are accepted as correct unless challenged within a dispute window, and challenges escalate to a token-holder vote where UMA stakers determine the outcome. The mechanism powers Polymarket's prediction markets, and the 2024 U.S. presidential election cycle exposed its game-theoretic boundary. Large UMA token holders who served as oracle voters also held significant positions on the prediction markets the oracle was resolving. The external profits from influencing market outcomes could exceed the internal cost of voting dishonestly — the security model assumed the game ended at the oracle's boundary, but the game extended beyond it. The interpretive structure was formally intact; the incentive landscape had been reshaped by external stakes the mechanism could not observe. Each system makes interpretation accountable through a different mechanism: stake forfeiture, optimistic defaults, appeal escalation. None eliminates interpretation. All structure it.

The discretion is real. The interpreter exercises genuine judgment. But that judgment operates within constraints: stakes at risk, reasons required, appeals available. Unstructured discretion says "trust me." Structured discretion says "check my work."

Interpretation receipts. The receipt 5-tuple from the previous chapter applies to interpretation as it applies to any coercive act: which rule was interpreted, under what authority, within what bounds, by what justification, through what path of appeal. The application is straightforward. The consequence is not.

Traditional legal systems already generate interpretation receipts in the form of judicial opinions. A court decision includes the facts, the applicable law, the reasoning, and the holding. Appellate courts review these receipts for error. But the standard is inconsistent and the access is restricted. A platform's content moderation decision arrives as a form letter: "Your post violated our community standards." Which standard? What about the post violated it? What evidence was considered? The letter answers none of the questions that make accountability possible.

The Protocol Republic can surpass traditional rule of law here. Interpretation receipts that are cryptographically signed, timestamped, and immutably recorded can link to the evidence considered, the precedents cited, the arguments rejected. They can be searchable across all interpreters and all time periods. Patterns of bias or inconsistency become detectable at machine speed rather than through years of appellate litigation.

What the receipt regime gives the penumbra, and what traditional legal interpretation lacks, is a computable record of discretion. A judicial opinion is interpretable by trained lawyers; an interpretation receipt is queryable by anyone with access to the ledger. Traditional legal systems accumulate precedent in prose that must be read, parsed, and argued over by expensive specialists. The Protocol Republic accumulates precedent in structured data that can be searched, compared, and analyzed at machine speed. When a thousand arbiters have resolved a thousand variants of "what counts as delivery," the pattern is visible in a queryable dataset, not buried in a thousand written opinions. Drift in interpretation becomes detectable. Inconsistency across arbiters becomes measurable. The penumbra persists, yet the cost of monitoring how it is governed falls by orders of magnitude. This is the distinctive contribution: making judgment's record computable, not eliminating judgment — auditable at scale by parties who lack the resources to hire lawyers but can run queries.

The penumbra of interpretation is one problem. The penumbra of meaning is another, and it is prior: before you can interpret a rule, you must know what the terms in the rule denote. Consider a content governance system that receives a query for "pomegranate." The word splits. In a culinary context, pomegranate is a fruit with specific nutritional properties and seasonal availability. In a design context, pomegranate is a color, a particular deep red used in textile and interior specifications. In a decorative-arts context, pomegranate is a motif, a recurring pattern in Persian rugs and Moorish tilework with centuries of iconographic history. Each sense is valid. Each belongs to a different domain with different governance rules, different experts, different standards of relevance.

A system that conflates these senses returns noise: the user searching for pomegranate tiles receives recipes. A system that forces a single reading discards information: it resolves the ambiguity by suppressing legitimate alternatives. Both responses govern the penumbra of meaning through concealment, either hiding the multiplicity or hiding the choice.

The structured alternative surfaces the ambiguity rather than suppressing it. Instead of returning a single conflated result set, the system returns scoped alternatives with their domain assignments. The user sees three readings, each marked with the context in which it holds. The choice of which reading governs is made by the person who asked, not by the system that answered. The ambiguity becomes visible, navigable, and auditable: which senses were offered, which was selected, which scope applied. This is what "specificity where possible, explicit process where not" looks like at the level of meaning itself. The penumbra of language, Hart's problem rendered in a content system, is not eliminated but structured. Each sense assignment carries its scope, and violations of that scope are detectable rather than silent. The structured response is an interpretation receipt for meaning.

Jurisdictional humility. Define what the protocol governs and what it does not. A protocol for escrow governs fund release; it does not govern what counts as delivery in the physical world. That judgment must come from elsewhere: from oracles, from designated arbitrators, from human institutions.

The Membrane from Chapter 2 reappears here as a jurisdictional concept. The Membrane is where digital proposals become biological consequences. It is also where protocol jurisdiction ends and other systems begin. A protocol can govern what happens on-chain. It cannot govern what happens to bodies.

The temptation is jurisdictional overreach. A protocol that claims to govern "all disputes arising from transactions" claims too much. It cannot govern disputes that require physical investigation, criminal prosecution, or state enforcement. Honest protocols acknowledge their limits: "this protocol governs fund release; disputes about underlying goods go to specified arbitration." Jurisdictional humility is accuracy about the domain of computational governance.

Precedent with exit. Interpretive consistency reduces manipulation; subjects can predict outcomes if similar cases are decided similarly. But precedent can also entrench error: a bad interpretation, once established, becomes the rule.

Exit provides the escape valve. If an interpretive line becomes intolerable, subjects can leave for protocols with different interpretations. Precedent binds within a system; exit allows escape between systems.

The combination is essential. Precedent without exit creates tyranny of the initial interpreters: the first decision becomes permanent law, even if it was wrong. Exit without precedent creates unpredictability: each case is decided fresh, no one can plan. The Protocol Republic needs both: enough precedent that users can anticipate how rules will be applied, and enough exit that users trapped by bad precedent can leave.

But exit must be real, not nominal. The distinction is architectural, not merely economic.

A protocol fork preserves exit architecturally: the code is open, the state is public, the network can split. Anyone can copy the software, launch an alternative, and invite users to migrate. The Ethereum/Ethereum Classic split after the DAO hack demonstrated what this makes possible: those who wanted the transaction rolled back followed one chain; those who wanted immutability followed another. Neither interpretation was forced on the other. The exit was expensive — the minority chain lost most of its liquidity and developer attention — but real. Exit preserved genuine choice.

Platform exit is architecturally obstructed. The data is proprietary; the APIs are controlled; the network cannot split. A user who leaves Facebook cannot take their social graph. A merchant who leaves Amazon cannot take their seller ratings. A developer who leaves AWS cannot take the infrastructure assumptions baked into their code. The platform has designed the exit to be fictional: technically permitted, practically impossible.

This connects to Chapter 2's Neo-Feudal Stack. The five layers of dependency (Identity, Settlement, Governance, Recourse, Exit) are mechanisms of lock-in. The Protocol Republic must preserve architectural exit: portable credentials, open data, forkable code. Without architectural exit, precedent becomes permanent regardless of its quality. The interpretive regime calcifies. Bad decisions cannot be escaped, only endured.

These principles contain the penumbra problem without solving it. The penumbra remains, but smaller, more visible, and more contestable than in systems that do not apply these principles.

Receipt Test: Penumbra Governance Compared

On October 11, 2022, Avraham Eisenberg executed what he publicly described as a "highly profitable trading strategy" on Mango Markets, a Solana-based decentralized exchange. He pumped the price of the MNGO perpetual contract by more than 1,300% in approximately thirty minutes, trading against his own positions across oracle feed exchanges to inflate the mark price. He then used the inflated collateral value to withdraw roughly $110 million from the protocol's reserves — every asset the platform held. His public statement afterward: "I believe all of our actions were legal open market actions, using the protocol as designed, even if the development team did not fully anticipate all the consequences of setting parameters the way they are."

The code permitted every action Eisenberg took. No rule was broken. The oracle reported prices; the collateral ratios were computed; the withdrawals were authorized by the protocol's own logic. Eisenberg was convicted in April 2024 on all three federal counts — commodities fraud, commodities manipulation, and wire fraud. Then, in May 2025, a federal judge vacated the convictions. The reason was structural: Mango Markets had no terms of service, no manipulation prohibition, no repayment requirement. The protocol's own rules did not prohibit what Eisenberg did, and the court found insufficient basis for treating as fraud what the protocol's architecture treated as valid.

This is the penumbra made empirical. The rule ("release funds when collateral ratio exceeds threshold") is clear. The application is contested. The code could not determine whether the outcome was legitimate — and neither, in the end, could the legal system. Someone must decide whether "the price the oracle reported" satisfies the rule's purpose when the oracle was deliberately manipulated. That decision is interpretation, and interpretation requires a framework the code itself does not provide.

SystemHow Penumbra Is GovernedReceiptError Correction
Traditional CourtJudge interprets "good faith," "reasonable reliance"Written opinion with reasoningAppeal to higher court
Platform TOSSupport team decides; no stated standardForm email: "decision final"None (or PR crisis)
Kleros-styleBonded jurors vote; stakes at riskJuror reasoning publishedAppeal with higher stake
Protocol RepublicStructured discretion + interpretation receiptFull 5-tuple: act, authority, bounds, justification, appeal pathAppeal + fork option

The differences are structural, not cosmetic. Each column represents a design choice: who interprets, with what accountability, subject to what correction. The Protocol Republic claims to make interpretation answerable.

Traditional courts provide interpretation receipts (judicial opinions) and error correction (appeals), but they are slow, expensive, and jurisdiction-bound. A DeFi liquidation dispute cannot wait eighteen months for trial.

Platform terms of service provide neither receipts nor correction. The support team's decision is final because the platform says it is final. The user has no recourse except public complaint, and public complaint works only when the user has enough visibility to create reputational cost.

Kleros-style systems provide receipts (published reasoning) and correction (appeal escalation), but the reasoning may be thin: jurors vote without obligation to explain, and the "reasoning" may be post-hoc rationalization of a Schelling point convergence.

The Protocol Republic combines structured discretion (bonded arbiters with domain expertise), full interpretation receipts (answering the five questions), multiple error correction paths (appeal within the system, fork outside it), and architectural exit (if the interpretive regime becomes intolerable, users can leave for alternatives).

No system eliminates the penumbra. The question is whether the penumbra is governed accountably or arbitrarily. The receipt regime extends to interpretation: power must leave traces, even when power is the power to interpret.

Statutes of Forgetting

The penumbra includes a special case: when should records be forgotten?

The Protocol Republic generates records. The chain remembers. This is the source of accountability. But not all records should persist forever. A system that remembers everything with equal weight cannot forgive, cannot allow redemption.

The tension between transparency and forgetting is governed by a single constitutional constraint:

This asymmetry is the Anti-Coverup Invariant. Citizens may seek forgetting of their own records: the youthful mistake, the resolved condition, the debt long since paid. Power-holders may not seek forgetting of their exercises of power: the official act, the coercive decision, the use of public authority.

The asymmetry distinguishes democratic forgetting from authoritarian erasure. Authoritarian systems forget what power wants forgotten: inconvenient history, embarrassing records, evidence of abuse. Democratic forgetting forgets what citizens need forgotten for redemption while preserving what accountability requires.

This asymmetry (eternal records for power, mortal records for persons) reflects a difference in the kind of entity being governed.

Power is exercised through institutions that outlive individuals. The official who approved the loan may retire; the bank persists. The moderator who suspended the account may quit; the platform persists. Institutional memory must be eternal because institutions are functionally immortal. They cannot claim the fresh start that mortality provides. When an institution exercises coercive authority, the record of that exercise must outlive any individual who participated in it.

Persons are mortal. They can change. The borrower who defaulted at twenty-two may be creditworthy at forty. The user who violated terms in anger may have matured. Mortality creates the possibility of becoming someone new—a possibility institutions cannot claim. The person who committed an offense and served their consequence has, in some meaningful sense, become a different person. Perfect memory denies this transformation. It treats the person of today as identical to the person of decades past, collapsing the distinction between who someone was and who they have become.

The receipt regime encodes this asymmetry: power-time is eternal, person-time is mortal. Receipts for the exercise of authority persist indefinitely. The liquidation, the suspension, the denial: each must remain inspectable as long as the institution that issued them exists. Receipts for individual conduct decay according to contextual norms: faster for minor infractions, slower for serious ones, never for institutional actors who imposed the sanctions. The architecture distinguishes between the governed and the governors, granting to persons the mercy that institutions cannot claim.

Three instruments implement the asymmetry. Expiration ages out records automatically: decades-old minor infractions disappear. Sealing makes records inaccessible after conditions are met: criminal records after rehabilitation, debts after satisfaction. Separation siloes records from each other, preventing aggregation that reveals more than any single record. Helen Nissenbaum's framework of "contextual integrity" provides the normative grounding: (Nissenbaum 2009)Helen Nissenbaum, Privacy in Context: Technology, Policy, and the Integrity of Social Life (Stanford: Stanford University Press, 2009).View in bibliography information flows are appropriate when they match the norms of specific contexts. A medical record shared with a treating physician is appropriate; the same record shared with an employer is not. Zero-knowledge proofs enable precisely this discrimination: prove creditworthiness without revealing income sources; prove age without revealing birthdate.

Implementation is technically challenging — blockchain ledgers are append-only — but solutions exist: zero-knowledge proofs can demonstrate a record has expired without revealing it, cryptographic access controls can implement sealing, selective disclosure protocols can implement separation. The harder problem is governance: who decides what gets forgotten? The anti-coverup invariant excludes the worst abuses. Coercive records are never subject to forgetting. Intimate records may expire or seal. The architecture starts from the right asymmetry: power is glass, persons are veiled.

The asymmetry has a limit. Where the cost of error is irreversible harm to those who cannot protect themselves — a child in the care of an abuser, a client trusting a fiduciary who has betrayed trust before — narrow query rights persist for those specific gatekeeping contexts. Mercy has scope, and its boundary falls where the vulnerability of the potential victim outweighs the right of the offender to move past the offense.

The tension between accountability and redemption does not resolve cleanly. Consider the reformed fraudster: a person committed financial fraud at twenty-five, served their consequence, and has lived honestly for twenty years. Should the record sunset when the victims' harm persists? The answer the architecture provides: the person record may sunset; the institutional record of prosecution, conviction, and sanction never sunsets. Victims can locate accountability through the institutional record without the reformed fraudster carrying a permanent scarlet letter. The fraud endures in the institutional record; the fraudster may be forgiven. And if a person accumulates multiple minor records, each individually sunsetting yet collectively suggesting a pattern, pattern detection across sunsetted records is prohibited — the system that preserves pattern memory while sunsetting individual components has not implemented sunset; it has implemented cosmetic sunset with actual perpetual surveillance. The architecture accepts the vulnerability this creates. The alternative forecloses the transformation that sunset exists to protect.

The Adversarial Clause

The penumbra creates a security vulnerability. Hostile actors will exploit it.

Any rule that can be satisfied while defeating its purpose has become an attack surface.

Agents, and adversarial humans, will seek hostile compliance: letter-true behavior producing spirit-false outcomes. The smart contract says "release funds when goods are delivered." An adversary delivers an empty box. The tracking shows "delivered." The letter of the contract is satisfied. The spirit is defeated.

A system that checks only formal validity invites exploitation by design. The adversary studies the rules, identifies the gap between letter and spirit, and drives through that gap. The more precisely the rules are specified, the more precisely the adversary can comply with the letter while violating the spirit.

This is the Penumbra weaponized. The honest actor asks "what does the rule require?" The adversary asks "what does the rule permit that defeats it?"

Beanstalk Farms provided the paradigmatic case. On April 17, 2022 — Easter Sunday — an attacker flash-loaned more than $1 billion in cryptocurrency, acquired over 67% of Beanstalk's governance token (Stalk), and called the emergencyCommit() function to pass BIP-18, a governance proposal that drained all protocol deposits. The attack and governance vote were executed in a single transaction block. Loss: approximately $182 million. Beanstalk's own spokesperson acknowledged the structural irony: "the same governance procedure that put Beanstalk in a position to succeed was ultimately its undoing." Every procedural requirement was satisfied. The proposal was submitted through the correct function. The voting threshold was met. The execution followed the protocol's own logic. Letter-perfect; spirit-destroyed. This is process theater at its most precise: the governance mechanism was honored in every formal particular — and the protective function it was designed to provide never existed.

A protocol rule says "withdrawals require multi-signature authorization from three of five keyholders." An adversary compromises two keyholders and bribes a third. The withdrawal is technically authorized. The security model is defeated.

A content moderation rule says "users may not post harmful content." An adversary posts technically compliant but contextually harmful content: true statements selected and arranged to mislead, legal speech designed to harass, accurate information weaponized against vulnerable individuals. The content does not violate the letter of any rule. The platform's purpose is defeated.

In each case, formal compliance coexists with substantive violation. The adversary has found the gap between letter and spirit and driven through it.

This is not hypothetical. DeFi protocols have been exploited through flash loans that technically satisfied collateral requirements while draining protocol reserves. Governance attacks have used technical compliance with voting procedures to push through extractive proposals. Content moderation has been gamed by sophisticated actors who understand exactly where the rules draw lines.

The design principle follows: where a constraint has a purpose, enforcement must test substance, not merely form. The question is "Did it realize the schema's protective function under adversarial interpretation?", not only "Did the action match the schema?"

This is why the Penumbra cannot be eliminated by better specification. You can make the rule more specific. The adversary will find the edge of the more specific rule. You can add more rules. The adversary will find the gap between rules. Ambiguity is irreducible at the edges; hostile readers will find those edges. The bonded arbiter's role is to evaluate legitimacy, not just validity: whether the spirit survived the letter.

The Adversarial Clause connects the Penumbra to security. A constitution that can be gamed has become a vulnerability disclosure. The Protocol Republic must be designed with adversaries in mind, which means accepting that some judgment will be required to distinguish genuine compliance from hostile compliance. That judgment is interpretation. The Penumbra returns.

Consequence

The Penumbra is irreducible but boundable.

Traditional systems have penumbras at every level: secret rules, secret interpretations, secret enforcement, arbitrary discretion compounded at each stage. The Protocol Republic has penumbras only at the edges: the rules are clear at the core, published, and verifiable. A system where 90% of cases are decided by clear rules and 10% require interpretation is better than a system where 50% require it. The Protocol Republic can make that remaining 10% accountable through structured discretion, interpretation receipts, jurisdictional limits, and precedent with exit. Statutes of Forgetting govern the special case of when records should expire, distinguished from authoritarian erasure by the anti-coverup invariant. The Adversarial Clause reveals interpretation as a security surface: hostile compliance exploits the gap between letter and spirit, and enforcement must test substance beyond form.

When rules become checkable, power retreats into interpretation. The struggle continues on new terrain.

Even with these bounds, interpretation can fail. The arbiter can be wrong. The precedent can entrench error. The rules can prove inadequate to novel circumstances. When this happens, when interpretation breaks down, when crisis exceeds the system's capacity to resolve by normal means, what then?

This is the exception problem. Carl Schmitt argued that sovereignty reveals itself in crisis: "Sovereign is he who decides on the exception." The one who can suspend the rules, who acts outside the legal order to preserve it, is the true sovereign, regardless of what the constitution says.

Schmitt's challenge is fundamental. The liberal tradition wants rule of law, not rule of men. But when the rules fail, when crisis exceeds the system's capacity, someone must act. That action is outside the rules. The one who takes that action reveals themselves as sovereign, regardless of what the constitution says about sovereignty.

The Protocol Republic cannot pretend exceptions will not arise. Smart contracts have bugs. Protocols face attacks. Markets crash. Adversaries find exploits that no one anticipated. The system must respond. But if the response is "the founders decide" or "the whale majority decides" or "whoever acts first decides," then the Protocol Republic has a dictator. It has merely hidden the dictatorship behind procedural language.

Schmitt's challenge demands an answer: if not the dictator, then what? The exception without the sovereign. Fork rights as constitutional safety valve. Exit as the answer to crisis.

Rules meet their everyday limit in the Penumbra; their extraordinary limit in the exception. Both must be addressed. Both require something beyond mechanism.

But the something need not be a someone. Structured interpretation governs the Penumbra: bonded arbiters, interpretation receipts, precedent with exit. Analogous structures can govern the exception: fork rights, exit-as-veto, selection rather than decision. If the Protocol Republic can govern normal interpretation without a dictator, it may yet govern exceptional crisis without one too.