SPEC v1.0 — APPENDIX

Governance Invariants

The five primitives define what a governed decision requires. These four invariants define what prevents a governed decision from becoming ceremonially compliant while formally correct.

A(α) = G ∧ R ∧ T ∧ E ∧ C ∧ I1 ∧ I2 ∧ I3 ∧ I4

The failure the primitives do not catch.

The FM_R audit found a real governed record where every primitive was satisfied. The record was compliant. The reasoning scored 4 out of 10.

The gate existed. The confirmation existed. The reasoning was hollow at the point that mattered.

Binary gate passed, therefore safe. That is not governed reasoning. It is the absence of Reasoning dressed as its presence.

The primitives require that reasoning exists. They do not require that it is genuine. The invariants close that gap.

Four invariants

I1
Reasoning Depth
Specification: The Reasoning record must contain at least one falsifiable claim about the world that was not already known to be true at the time of commitment. A reasoning chain that could have been written before any analysis is not reasoning. It is transcription.
What it prevents: Hollow reasoning dressed as governed reasoning. Records that satisfy the Reasoning primitive formally while containing no genuine epistemic content.
Real case — FM_R: A hostile audit of a real re-entry governed record scored Reasoning 4/10. Gate existed. Confirmation existed. Reasoning was hollow at the point that mattered. I1 would have flagged the record before execution.
Adversarial limit: Who verifies that a claim was not already known? The verifier must be external to the system that produced the record. I1 requires I3 to be meaningful.

I2
Expectation Binding
Specification: The Expectation record must specify at least one outcome that would falsify it. An expectation with no falsification condition is not an expectation. It is a disclaimer. The falsification condition must be more probable than the tail risk it purports to constrain.
What it prevents: Expectations so vague that any outcome confirms them. “Performance within normal parameters” is a tautology with governance formatting.
Real case — Credit rating agencies, 2008: AAA ratings were issued on models with unfalsifiable assumptions about correlated default risk. When challenged in court, the agencies declared that ratings were opinions, not falsifiable claims. An I2 invariant would have blocked any rating without a pre-committed falsification condition. $300B in losses followed from expectations that could not fail by design.
Adversarial limit: Falsification conditions can be set at the boundary of the impossible. Minimum specificity must be defined externally — the condition must be achievable under plausible scenarios.

I3
Confirmation Independence
Specification: For any irreversible action above a defined consequence threshold, Confirmation must be performed by an entity that did not produce the Governance, Reasoning, or Expectation records. The confirming entity must have genuine veto power — the structural ability to hold the decision without consequence to itself.
What it prevents: Self-authorising systems. Formal independence without structural independence. An entity that confirms its own decisions is not governed.
Real case — Boeing 737 MAX, 2019: MCAS was categorised as an enhancement, not a new safety-critical system, by the organisation that built it. The FAA had delegated certification authority to Boeing. The confirming entity was not structurally independent. Veto power was formal, not genuine. 346 people died. I3 would have required an independent confirming entity with genuine authority to hold the certification.
Adversarial limit: An entity financially dependent on the decision system fails I3 in substance regardless of formal separation. The Arthur Andersen pattern — $52M annually from the audited entity — satisfies formal independence and violates structural independence completely.

I4
Measurement Integrity
Specification: The signals used to evaluate Reasoning, Expectation, and Confirmation must be independently verifiable and resistant to manipulation by the system producing the decision. At least one critical measurement must be externally sourced or redundantly verified, accessible to the confirming entity, and not transformable by the decision system without detection.
What it prevents: Correct reasoning about incorrect reality. A system can produce falsifiable claims, define genuine falsification conditions, and use an independent confirmer — and still govern decisions made on corrupted inputs.
Real case — Deepwater Horizon, 2010: Pressure tests on the Macondo well produced ambiguous results. Multiple interpretations were possible. The decision to proceed was made by people with incentives to interpret optimistically. The measurement layer was not independently verified. Governance operated on a reality model that was wrong. 11 people died. I4 would have required at minimum one critical measurement — well pressure — to be independently verified before Confirmation could be satisfied.
Adversarial limit: Who defines which measurements are critical? The decision system has incentives to classify fewer as critical. Critical measurement classes must be defined externally before deployment, not at the point of decision.
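As an added illustration, not part of the spec: the four invariants written as structural checks over a governed decision record and composed with the primitives as in A(α). The record schema and field names, the consequence threshold, the 1% falsification floor and the critical-measurement class are assumptions of this example; the record itself is constructed to mirror the FM_R pattern (every primitive present, reasoning hollow).

```python
import copy
PRIMITIVES = ("G", "R", "T", "E", "C")  # the spec's five primitives; presence only

def i1_reasoning_depth(rec):
    # I1: at least one falsifiable claim that was not already known at commitment.
    return any(c["falsifiable"] and not c["known_at_commitment"] for c in rec["R"]["claims"])

def i2_expectation_binding(rec, min_probability=0.01):
    # I2: a falsification condition exists and is plausible enough to actually
    # occur; the 1% floor stands in for an externally defined minimum (assumed).
    return any(f["probability"] >= min_probability for f in rec["E"]["falsified_by"])

def i3_confirmation_independence(rec, threshold):
    # I3: above the consequence threshold the confirmer must not have produced G,
    # R or E, must hold veto power, and must not depend financially on the system.
    if rec["consequence"] < threshold:
        return True
    c, producers = rec["C"], {rec["G"]["author"], rec["R"]["author"], rec["E"]["author"]}
    return c["entity"] not in producers and c["veto_power"] and not c["financially_dependent"]

def i4_measurement_integrity(rec, critical_classes):
    # I4: a pre-declared critical measurement is independently sourced, visible to
    # the confirmer and tamper-evident. critical_classes is fixed before deployment.
    return any(m["name"] in critical_classes and m["independent"]
               and m["accessible_to_confirmer"] and m["tamper_evident"]
               for m in rec["measurements"])

def admit(rec, threshold=5, critical_classes=frozenset({"well_pressure"})):
    # A(alpha) = G ∧ R ∧ T ∧ E ∧ C ∧ I1 ∧ I2 ∧ I3 ∧ I4. Returns (admitted, failed checks).
    failed = [p for p in PRIMITIVES if not rec.get(p)]
    invariants = {"I1": i1_reasoning_depth(rec), "I2": i2_expectation_binding(rec),
                  "I3": i3_confirmation_independence(rec, threshold),
                  "I4": i4_measurement_integrity(rec, critical_classes)}
    failed += [k for k, ok in invariants.items() if not ok]
    return (not failed, failed)

# Constructed record in the FM_R pattern: every primitive present, reasoning hollow.
HOLLOW = {
    "G": {"author": "ops-team", "gate": "binary"}, "T": True, "consequence": 9,
    "R": {"author": "ops-team", "claims": [{"claim": "gate passed, therefore safe",
                                            "falsifiable": False, "known_at_commitment": True}]},
    "E": {"author": "ops-team", "falsified_by": [{"condition": "pressure drift > 5%",
                                                  "probability": 0.05}]},
    "C": {"entity": "safety-board", "veto_power": True, "financially_dependent": False},
    "measurements": [{"name": "well_pressure", "independent": True,
                      "accessible_to_confirmer": True, "tamper_evident": True}],
}
GENUINE = copy.deepcopy(HOLLOW)  # one genuine claim added: all that I1 requires
GENUINE["R"]["claims"].append({"claim": "pressure holds within 2% for 30 min after start",
                               "falsifiable": True, "known_at_commitment": False})
```

admit(HOLLOW) rejects the record on I1 alone, which is exactly the gap the primitives leave open; the same record with the confirmer changed to the producing team is rejected on I3 only when the consequence sits above the threshold.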

What sits outside the system.

One structural gap remains named but unsolved.

Selection bias on which decisions enter OMEGA at all.

Hard decisions can bypass the system. Easy decisions can be fully governed. Everything inside looks compliant. The real risk sits in what is never submitted.

This is not solved by any primitive or invariant. It requires institutional design outside the protocol's scope. It is named here because a standard that does not name its own limits is not a standard.

The non-action record concept in the core spec is a partial answer: absence of a record is itself a governance signal. But it is not a complete solution.

How invariants and Continuity Protocol interact.

I1 and I2 require external verification of what genuine means. This is the C5 External Witness requirement of the Continuity Protocol applied to OMEGA records.

I3 requires structural independence that survives transformation of the confirming entity. This is the C7 External Substrate requirement.

I4 requires measurement infrastructure defined before deployment. This is C7 applied to the reality interface.

The invariants govern individual decision records. The Continuity Protocol governs the agents producing those records over time. Both are required. Neither substitutes for the other.


Honest limits

  • The invariants do not prove a decision was correct. They prove a decision was genuinely reasoned, genuinely expected, genuinely confirmed, and made against genuine measurements.
  • Genuine is not the same as correct.
  • Auditability is not correctness. It is the precondition for measuring correctness.