ADR-077: Anti-gaming defenses for token-bearing governance surfaces¶
Status: Proposed (forward-looking; defenses gated to token / cross-user governance launch — see Triggers)
Date: 2026-05-31
Context: The measurement schema (docs/research/foundations/measurement-schema.md) enumerates every primitive Pulse uses to measure judgment. It was designed for honest play — the threat model behind it is "does the schema correctly discriminate real profile shapes," not "does the schema resist an adversary trying to forge a profile shape." That assumption holds today: there is no externality attached to a sync_score or trust-tier signal, so there is nothing to game for. The most a faker gains today is a number on a share card.
ADR-050 changes that the moment it ships. It ties sync_score and behavioral signals to action-class permissions — a high score earns the agent autonomy on more action classes. If a token, a governance vote weight, an allocation, or any other externality attaches to the score or to a trust tier, faking the signal stops being vanity and becomes economically rational. Sophisticated actors will then try to forge the profile shape the schema was built only to read.
This ADR is the adversarial complement to the measurement schema: a threat model of who games, which primitives are vulnerable vs. robust, a layered defense design, and a prioritization that separates necessary-before-tokens from nice-to-have. It is forward-looking — not blocking current shipping — but it must be settled before any token/governance externality goes live, because retrofitting anti-gaming onto a live token surface is how trust systems get drained.
ADR number note: 076 is reserved for the measurement-schema architectural-independence ADR (reader's-guide outstanding-decision §1, option B, undecided). This ADR takes 077 per the brief.
At a glance
What it decides: the rules for gating any token-bearing or cross-user-governance surface on a Sync profile, so a high score can't be forged into real power. Not blocking anything today — it's the adversarial complement to the measurement schema, gated to ship before ADR-050 attaches an externality to sync_score.
- One principle — the score is necessary, never sufficient. Gate on a conjunction (
composite ≥ θ AND coherence_pass AND non_degenerate AND games ≥ N_min AND personhood@top-tier); each clause defeats a different attack and the clauses are orthogonal, so you can't trade one for another. - Don't gate on the raw
sync_scoreheadline (A1) — a single EMA scalar rewards degenerate consistency. Gate on the multi-dimensional composite + the coherence audit. - Four layers by urgency: L0 free today · L1 before any token · L2 before cross-user governance · L3 arms-race deferred.
- Big claim: anti-gaming here is mostly a consumer-discipline + aggregation problem, not a capture problem — most defenses come free from cross-checkable signals. The one genuinely new primitive is a personhood/stake gate at the token boundary.
Decision¶
Adopt a layered, defense-in-depth model for any token-bearing or cross-user-governance surface, built on one structural principle and four implementation layers.
Structural principle — the score is necessary, never sufficient. A token/governance action class is gated on a conjunction, never on a single scalar:
tier_eligible = (composite_score ≥ θ) AND coherence_audit_pass AND non_degenerate_profile AND (games_analyzed ≥ N_min) AND (top_tier ⇒ personhood_gate_pass)
This conjunction does almost all the work, because every clause attacks a different gaming strategy and — per the schema's architectural-independence finding — the clauses are mutually orthogonal, so a faker cannot satisfy one by sacrificing another.
The four layers, in priority order:
- Layer 0 — free defenses the schema already supports (read-time extractions over existing aggregates; zero new capture): cross-signal coherence audit, degeneracy/entropy floors, occasion-noise floor, prediction-before-reveal attestation.
- Layer 1 — necessary before any token externality: agent-side signal quarantine (A11–A13 never gate tokens), the conjunctive gate above, Sybil/multi-account detection, a personhood/stake gate at the top tier boundary.
- Layer 2 — necessary before cross-user governance (vote weight, allocation, A2A): peer-prediction collusion detection (un-defers the risk ADR-062 parked), behavioral-accretion velocity caps, recency-weighted eligibility.
- Layer 3 — nice-to-have / arms-race deferred: rationale-provenance stylometry,
option_tap_trace/attention_stateas adversarial-cost capture, decay (ADR-051) as farm-and-abandon control.
Do not gate token surfaces on the raw sync_score headline (A1). A1 is a single EMA scalar and is the most gameable primitive precisely because it is one-dimensional — degenerate self-consistency maximizes it (see Keystone Finding). Gate on the multi-dimensional composite (A2: Accuracy × Coverage × Readability) plus the coherence audit, which penalize the degenerate strategies A1 rewards.
Each layer is unlocked by the externality you're about to attach — you don't build them all at once, you build down the ramp as the stakes rise:
flowchart LR
A["Honest play today<br/>(no externality)"] --> L0
B["Any token<br/>externality"] --> L1
C["Cross-user governance<br/>vote weight · allocation · A2A"] --> L2
D["Arms race<br/>(later)"] --> L3
L0["<b>Layer 0</b><br/>free, already supported<br/>coherence audit · entropy floors"]
L1["<b>Layer 1</b><br/>signal quarantine · conjunctive gate<br/>Sybil detection · personhood@top"]
L2["<b>Layer 2</b><br/>collusion detection<br/>velocity caps · recency weighting"]
L3["<b>Layer 3</b><br/>stylometry · tap-trace<br/>decay-as-holding-cost"]
L0 --> L1 --> L2 --> L3
Defenses are cumulative: each new externality requires its layer plus all layers above it.
Threat model¶
Actors, motive, gain, budget¶
| Actor | Capability | Motive | What they gain | Budget | Per-attempt cost imposed by Pulse |
|---|---|---|---|---|---|
| Script kiddie | Copy-paste pre-generated rationales into one account; set choice + conviction by hand | Tier up a single account; claim a token allocation | One account's worth of tokens / one tier of unearned autonomy | ~zero | Per-game LLM cost (twin + classify), real wall-clock to play N games |
| Sophisticated single actor | Builds an LLM harness that plays coherently — generates rationales, mimics a target profile, optimizes the composite | Max out one identity's trust tier → governance weight or large token claim | Top-tier autonomy + max single-identity token yield | Moderate (their own API spend, eng time) | Same per-game cost × the volume needed to move an EMA; coherence audit; personhood gate at top tier |
| Coordinated multi-actor / Sybil farm | Many accounts, scripted or human-mechanical-turk; collusion rings in multiplayer peer prediction | Capture aggregate token allocation; dominate a Trust Circle; swing a governance vote | Sum over N identities — the only attack that scales to capturing a surface, not just abusing one | High, distributed | Per-account personhood/stake gate; Sybil clustering; collusion-edge detection; velocity caps |
Key economic asymmetry: Pulse already imposes a non-trivial marginal cost per played round (two predictor calls + a classify-driver call per scenario, plus irreducible human wall-clock to author rationales that survive classification). This makes brute force expensive and is the existing natural defense the brief names. But marginal cost does not stop the sophisticated single actor (they pay it willingly for a large token claim) and does not stop the Sybil farm (they amortize it across many cheap identities). The defenses below target exactly those two gaps; the script kiddie is largely handled by cost + Layer 0 already.
What "gaming" actually means here¶
Two distinct failure modes, often conflated:
- Forgery — making a profile look like a high-trust profile it isn't. Targets the extraction/aggregation layers.
- Capture — accumulating enough forged or harvested trust to control a token/governance outcome. Targets the exposure → permission layer (ADR-050) and the aggregate (multi-account).
Forgery is the single-actor problem; capture is the multi-actor problem. They need different defenses, which is why Layers 1 and 2 split.
Signal vulnerability map¶
Mapping the threat model onto the schema's primitive architecture. The robustness of a primitive is a function of who authors the adversarial half of the signal: primitives where an independent party or an independent computation supplies a check are robust; primitives the gamer fully controls are vulnerable.
Robust primitives (independent adversarial half)¶
| Primitive | Why robust |
|---|---|
| A1/E_sync_match — the AI twin match | The keystone (see below). E_ai_pred is computed by an independent LLM call against the player's own accreted history, and is frozen before submit (attestation; the schema's submerged "commitment hash" candidate). You cannot peek the answer, and to match you must be predictable to a model built from your real past — see Keystone Finding for why this is self-defending but not sufficient. |
| E5 — confidence calibration | Requires conviction (C3) to track actual accuracy against the independent twin. A faker can set C3 freely but cannot set whether E_ai_pred matched — so to fake good calibration they must already be predictable, which collapses into the twin problem. |
| E12 — occasion noise (rationale-controlled) | Fires only when classify-driver outputs are similar across repeat-shapes but choices differ. Bots and copy-paste fakers are too consistent → abnormally low occasion noise is itself a forgery signature, not a clean pass. |
| E6 — decision timing signature | C4 distribution from an automated harness has a characteristic shape (too fast, too uniform, no human heavy tail). Free behavioral biometric over existing capture. |
| E8 — peer read confidence (multi) | Other humans predict the player. Cannot be self-authored — robust against the single actor. Vulnerable only to collusion (Layer 2). |
| Cross-signal joint distribution (E5 × E7 × E9 × E12 × E6 …) | The architectural-independence finding says these are orthogonal design dimensions — but for real players they co-vary in person-specific, correlated ways. Faking each marginal is easy; faking the joint is hard. This is the substrate for the coherence audit. |
Vulnerable primitives (gamer authors both halves)¶
| Primitive | Attack | Severity |
|---|---|---|
C11–C13 / A11–A13 — agent-side signals (why_requested, feedback engagement, feedback positivity) |
The "agent" is the operator's own client. There is no independent adversarial party — the operator's bot self-reports that it asked "why" and self-rates the feedback positive. Pure operator fiction. | Critical — must never gate tokens. Easiest attack in the entire system. |
| C1 + C3 — choice + conviction | Trivially settable. Only meaningful in relation to the independent twin/calibration; alone they are free variables. | Low alone, high if any surface reads them un-cross-checked. |
| C2 → E_classify_driver | Pre-generated, plausibly-human, internally-consistent rationales pass classification. This is the SPOF the schema already flags — and the SPOF cuts both ways: it is robust against incoherent fakers but is the single highest-leverage forgery target for a coherent one. | High for the sophisticated actor; the central forgery surface. |
| C7 / E18 — self-prediction & self-awareness (solo) | Self-reported, no independent check. A faker reports whatever profile they're targeting. | Medium; never load-bearing for tokens. |
| A1 EMA across accounts | Multi-account harvesting: farm many degenerate-but-passing accounts, aggregate the externality. | Critical for capture; Layer 1+2. |
The headline finding of the map: robustness in this system comes overwhelmingly from independent computation (the frozen twin) and independent parties (peer prediction). Every primitive the gamer fully authors — agent-side signals, raw choice/conviction, self-prediction, and (for a coherent actor) rationale text — is vulnerable. The defense strategy is therefore: never let a fully-self-authored primitive carry token weight, and convert the rationale-text SPOF from a single check into a cross-checked one.
Keystone finding — sync_score is self-defending against the naive attack but is the wrong thing to gate¶
sync_score (A1) = EMA of E_sync_match = "did an independent model of you predict your choice." The model is built from your own history. This has a counter-intuitive property:
- The naive "fake good judgment" attack is partially self-defeating. To raise A1 you must be predictable to a model of yourself. If you play consistently — even as a bot — you produce a real (if shallow) profile and the twin converges on it. That is not gaming; that is just playing. There is no "right answer" to copy, because the target is your own consistency.
- But the exploit is degeneracy, not deception. The cheapest way to be maximally predictable is to be degenerate: always pick option A, always conviction 3, recycle one rationale. The twin nails you every round → A1 → 95. The profile is worthless for governance but the headline scalar is maxed.
So A1 is simultaneously (a) robust against the obvious forgery and (b) maximally vulnerable to degenerate-consistency gaming — and degenerate consistency is exactly what a single scalar EMA rewards. This is why the Decision says: token surfaces must not gate on A1 alone. They gate on:
- A2 Coverage — penalizes narrow/degenerate profiles directly (low option-shape and category entropy → low coverage).
- The coherence audit — a degenerate profile has a characteristic anomalous joint signal distribution (occasion-noise floor breached, calibration trivially perfect, persuadability undefined, dissent zero).
- Coverage + coherence are the two clauses that the degenerate maximizer of A1 cannot also satisfy — which is the architectural-independence finding doing defensive work: the gamer cannot trade Accuracy for Coverage because they are orthogonal axes.
This finding also has a product implication beyond gaming: it argues against ADR-045's A1 headline being the trust-tier currency at all. The composite, not the scalar, is the governance-grade signal.
Defense layers¶
For each defense: mechanism, what it blocks, and cost (latency / UX friction / dev).
Layer 0 — free; the architecture already supports these¶
These are read-time extractions over existing aggregates (A6, A7, A2, E12) plus existing infrastructure — no new capture primitive, no UX change. They are "free" in the schema's three-category-gap sense: pure aggregation-layer additions, the category the schema says dominates its remaining work.
| Defense | Mechanism | Blocks | Cost |
|---|---|---|---|
| Cross-signal coherence audit | Fit a "real-player manifold" over the joint distribution of E5/E6/E7/E9/E12/E18 from the honest production population; flag profiles whose joint falls outside it (e.g., perfect calibration + zero occasion noise + zero dissent + undefined persuadability = bot signature). Output a coherence_residual per profile. |
Sophisticated single-actor forgery that fakes each marginal but not the joint; degenerate-consistency profiles. | Latency: none (offline/batch read-time). UX: none. Dev: medium — needs a population baseline + residual model; reuses A7 JSONB. |
| Degeneracy / entropy floors | Hard floors on choice-shape entropy (A6 option_preferences), category entropy (A4), and rationale lexical diversity. Below floor ⇒ non_degenerate_profile = false. |
The degenerate-consistency A1 maximizer (the keystone exploit); copy-paste single-rationale farming. | Latency: none. UX: none for honest players (real play is naturally high-entropy). Dev: low. |
| Occasion-noise floor (E12) | Treat abnormally low within-person variability on repeat-shapes as suspicious, not virtuous. Already computed; just consume the tail. | Bots/scripts that are too consistent. | Latency: none. UX: none. Dev: low (E12 exists; add a tail check). |
| Prediction-before-reveal attestation | E_ai_pred is already frozen on the row before C1 submit (schema's "commitment hash" submerged candidate). Make it cryptographically attestable if tokens demand auditability. | Answer-peeking / replay forgery. | Latency: none (already in pipeline). UX: none. Dev: low-medium only if on-chain attestation is required; otherwise zero. |
Layer 1 — necessary before any token externality¶
| Defense | Mechanism | Blocks | Cost |
|---|---|---|---|
| Agent-side signal quarantine | Policy: A11–A13 (and C11–C13) are structurally barred from contributing to any token/governance tier. They may inform UX (M5 trust state) but never permission. Encode as a hard exclusion in the composite formula. | The single easiest attack in the system (operator self-reporting agent feedback). | Latency: none. UX: none. Dev: trivial (a formula exclusion + a lint/test asserting it). Highest ROI defense in the document. |
| Conjunctive gate | Implement tier_eligible as the AND of composite-score, coherence pass, non-degeneracy, N_min, and (top tier) personhood. |
Any attack that maxes one clause while failing another — i.e. all single-strategy forgeries. | Latency: none. UX: low — honest players pass invisibly; only the N_min adds a "play more to unlock" gate (already an ADR-050 discoverability feature). Dev: medium (composite + gate wiring). |
| Sybil / multi-account detection | Cluster on C14 session/device metadata, timing correlation (E6 across accounts), and twin-convergence (many accounts whose twins collapse to the same degenerate attractor). Flag clusters for the personhood gate. | Multi-account harvesting (capture). | Latency: none (batch). UX: none unless flagged. Dev: medium-high. |
| Personhood / stake gate at top tier | Crossing into a token-bearing tier requires a one-time proof-of-personhood or refundable stake or social vouch. Below that tier, no gate. | Sybil farms economically (one personhood per identity defeats amortization); raises single-actor cost. | Latency: one-time onboarding step. UX: real friction — but only at the token boundary, where friction is acceptable and expected. Dev: high — the one genuine new capture/architectural primitive in this ADR (new surface, not a read-time extraction). |
Layer 2 — necessary before cross-user governance (vote weight, allocation, A2A)¶
| Defense | Mechanism | Blocks | Cost |
|---|---|---|---|
| Peer-prediction collusion detection | Extends ADR-062. Collusion rings show pairwise accuracy on peer_prediction_edges far above the predictor's accuracy against non-ring members; detect anomalous edge clustering / reciprocity. ADR-062 explicitly deferred this ("revisit if observed") — a token externality is the trigger that un-defers it. |
Collusion to inflate relational trust → governance weight. | Latency: none (batch). UX: none. Dev: medium (graph analysis over an existing table). |
| Behavioral-accretion velocity caps | Real profiles accrete over weeks; farms compress. Cap tier-eligibility growth rate and require calendar-time, not just game-count, for top tiers. | Fast-farming (single actor and Sybil). | Latency: none. UX: low (slows only abnormally fast climbers). Dev: low. |
| Recency-weighted eligibility | Tier eligibility weights recent, coherence-passing games over old ones; pairs with decay (Layer 3). | Farm-then-abandon; stale captured tiers. | Latency: none. UX: none. Dev: low-medium. |
Layer 3 — nice-to-have / arms-race deferred¶
| Defense | Mechanism | Why deferred |
|---|---|---|
| Rationale-provenance stylometry | Classifier to flag pre-generated/LLM-authored rationales (C2). | Pure arms race — the sophisticated actor's generator improves in lockstep. Coherence audit + occasion-noise floor catch most of the value at lower cost. Revisit if forged rationales are observed passing. |
option_tap_trace / attention_state |
Capture-gap candidates already in the schema; add within-round behavioral biometrics → adversarial cost. | Spoofable by a sufficiently good harness; modest anti-gaming ROI relative to their honest-play discrimination value (which is the real reason to ship them, per the schema). Don't justify them on anti-gaming grounds. |
| Decay (ADR-051) | A farmed tier decays if not maintained, raising the holding cost of a captured tier. | Already designed and deferred; complementary, not load-bearing. Its trigger (ADR-050 ships) overlaps this ADR's. |
What the architecture supports for free vs. what needs new primitives¶
This is the architectural-independence finding paying off defensively. The defenses map cleanly onto the schema's three-category gap synthesis:
- Policy-only (zero code beyond a formula change): agent-side signal quarantine, "don't gate on A1," conjunctive gate definition. These are exposure/consumer-discipline fixes — the dominant category in the schema's own finding that "gaps cluster at consumer discipline."
- Aggregation-layer, free (read-time over existing capture): coherence audit, degeneracy/entropy floors, occasion-noise floor, Sybil twin-convergence clustering, peer-collusion edge analysis, velocity/recency weighting. All consume existing primitives (A2, A4, A6, A7, E5/E6/E12,
peer_prediction_edges, C14). No new capture. - Genuinely new architectural primitive (one occupant): the personhood/stake gate is a new capture surface — it is to anti-gaming what Q5 (agent-side capture parity) is to the schema's architectural-gap category: the lone item that needs new structure rather than better consumption of existing structure.
The strong claim, mirroring the schema: anti-gaming for Pulse is overwhelmingly a consumer-discipline and aggregation problem, not a capture problem. The same architectural independence that makes the schema composable across domains makes its signals cross-checkable against each other — orthogonal axes can't be jointly forged cheaply. We get most of the defense for free precisely because the measurement architecture was built clean. The one thing the architecture cannot give for free is proof that an account is a distinct human — because that is not a judgment measurement, it is identity infrastructure, and the schema correctly excludes it (it already submerged "attestation/commitment as measurement primitive" as infrastructure, not measurement).
Prioritization summary¶
| Defense | Layer | Necessary before… | Dev cost | New primitive? |
|---|---|---|---|---|
| Agent-side signal quarantine | 1 | Any token | Trivial | No (policy) |
| Don't gate on A1; use composite | 0/1 | Any token | Low | No (policy) |
| Conjunctive gate | 1 | Any token | Medium | No |
| Degeneracy/entropy floors | 0 | Any token | Low | No |
| Occasion-noise floor | 0 | Any token | Low | No |
| Coherence audit | 0 | Any token | Medium | No |
| Sybil detection | 1 | Any token | Med-high | No |
| Personhood/stake gate | 1 | Any token (top tier) | High | Yes |
| Prediction-before-reveal attestation | 0 | Token if auditable | Low-med | No |
| Peer-collusion detection | 2 | Cross-user governance | Medium | No |
| Velocity caps / recency weighting | 2 | Cross-user governance | Low-med | No |
| Stylometry, tap/attention capture, decay | 3 | Nice-to-have | Varies | Mixed |
Minimum viable anti-gaming bar before a single token attaches: the entire Layer 0 + Layer 1. The cheap policy defenses (quarantine, no-A1, conjunctive gate) plus the free aggregation defenses (entropy/occasion/coherence) plus Sybil detection and the personhood gate. Cross-user governance (vote weight / allocation / A2A) additionally requires all of Layer 2. Layer 3 is opportunistic.
Rationale¶
- Honest-play assumption is load-bearing today and must be replaced, not patched. The schema is explicitly a discrimination tool, not an adversarial one (it submerged attestation as "infrastructure, not measurement"). The right move is a separate adversarial layer that sits between aggregation and the ADR-050 permission gate — not to contaminate the measurement schema with anti-gaming logic. Keeps both clean.
- Defense-in-depth beats a single strong check because the architectural-independence finding guarantees the layers are orthogonal: a faker optimizing one clause cannot get the others for free. A single check (even a good one like the coherence audit) is a single thing to defeat; the conjunction is a joint distribution to forge.
- The cheapest defenses block the worst attacks. Agent-side quarantine is trivial and kills the easiest attack outright. "Don't gate on A1" is a formula change that neutralizes the keystone degeneracy exploit. We should not let the existence of an expensive defense (personhood gate) delay shipping the free ones.
- Personhood is the only thing money must buy. Everything else is computation over data we already capture. The single expensive, friction-bearing defense is isolated to the top token tier — exactly where users already expect friction and where the externality justifies it.
Alternatives Considered¶
- Bake anti-gaming directly into the measurement schema. Rejected. Conflates "measure judgment honestly" with "resist an adversary." The schema's value is its clean causal-layer structure; adding adversarial branches to extractions would muddy every primitive. The adversarial layer belongs between aggregation and the ADR-050 gate, reading the schema's outputs, not rewriting them.
- Gate tokens on raw
sync_score(A1) with a high threshold. Rejected — the Keystone Finding shows a high A1 threshold rewards degenerate consistency, the cheapest forgery. A high bar on the wrong metric is worse than a moderate bar on the right composite. - Rely on per-game API cost as the primary deterrent. Rejected as sufficient (kept as a real but partial layer). Cost stops brute force but not the willing single actor or the amortizing Sybil farm — the two actors that actually threaten capture.
- Proof-of-personhood for every account at signup. Rejected. Front-loads friction onto honest free players who will never touch a token, killing top-of-funnel. Gate personhood at the token tier boundary, not at signup.
- Stylometry / LLM-rationale detection as a primary defense. Rejected as primary (kept as Layer 3). Pure arms race against a co-evolving generator; the coherence audit + occasion-noise floor capture most of the value structurally rather than detectively.
- Wait and patch after observing real gaming. Rejected for the token surface specifically. The "ship and observe" instinct (a standing project preference) is right for honest-play features but wrong when an exploit drains a token pool irreversibly. Observe-then-patch is fine for Layer 3; Layers 0–2 must precede the externality. This is the one place the project's default bias inverts.
Discussion¶
The central tension is between the project's "ship and observe, don't over-optimize" default and the irreversibility of token theft. The resolution: the default holds for measurement features (you can retune a signal next week) but inverts for externality features (you cannot un-drain a pool). The line is drawn at "does a defect here let value leave the system irreversibly." Layers 0–2 sit on the irreversible side and must precede tokens; Layer 3 sits on the reversible side and can be observed-then-patched. This keeps the inversion narrow and principled rather than a blanket "secure everything up front."
The most important realization is the Keystone Finding: the headline metric we'd reflexively gate on (A1) is the most gameable one, and the fix is free (gate on the composite we already compute). This reframes a chunk of anti-gaming from "build expensive defenses" to "stop using the gameable scalar." It also retroactively strengthens ADR-045's multi-dimensional framing — Coverage isn't just a richer display, it's a forgery cost.
A pushback worth recording: is the coherence audit itself an arms race (a sophisticated actor learns the real-player manifold and forges within it)? Partly yes — but the cost asymmetry is favorable: the defender fits the manifold once over the whole honest population; the attacker must forge a joint distribution across orthogonal axes per identity, paying per-game cost and calendar time (velocity caps) for each. The audit doesn't have to be unbeatable; it has to make forgery more expensive than the token is worth. Pair it with the personhood gate so that even a perfect forger pays one personhood per captured identity.
On ADR-062 collusion: ADR-062 explicitly deferred collusion mitigation as "revisit if observed," reasoning the consequence was bounded by ADR-050's risk tiers. A token on governance weight removes that bound — collusion now has direct payoff. This ADR therefore names the token launch as the concrete trigger that un-defers ADR-062's parked risk, and locates the fix (edge-cluster anomaly detection on peer_prediction_edges) in Layer 2.
What this ADR deliberately does not decide: the token mechanics themselves (what the externality is, how allocation works, whether it's on-chain). Those are out of scope; this ADR specifies the defensive bar any such mechanic must clear, not the mechanic.
Consequences¶
- A new defensive layer is introduced conceptually between aggregation (A1–A14) and the ADR-050 permission gate. It reads schema outputs; it does not modify them. The measurement schema stays a pure honest-play discrimination tool.
- ADR-045's composite (A2) becomes the governance-grade currency, not A1. Any token-tier UI should surface the composite + coherence status, not the headline score. Revisit ADR-045 exposure copy when tokens approach.
- ADR-050's
tier_eligibledefinition gains clauses. When ADR-050 moves from Deferred to Proposed, its action-class gate must be specified as the conjunction here, and agent-side signals (A11–A13) must be explicitly excluded from it. - ADR-062's deferred collusion risk acquires a concrete trigger (token launch) and a located fix (Layer 2 edge-anomaly detection).
- One genuinely new primitive is on the critical path: the personhood/stake gate. It is the long-pole dev item and should be scoped the moment a token externality becomes likely, not when it ships.
- The free defenses (Layer 0) can be built speculatively at low cost — they are read-time extractions with honest-play value too (coherence/degeneracy detection improves profile-quality monitoring regardless of tokens). Consider building Layer 0 opportunistically even before the trigger.
- Watch for: (a) any pitch or pilot that attaches an externality to
sync_scorebefore Layers 0–1 ship — that is the warning sign, analogous to ADR-050's "premature trust positioning" watch; (b) Edge Esmeralda / external-agent-experiment framing (project_edge_esmeralda_outreach) that implies token-weighted trust — if that lands, this ADR's trigger has effectively fired.
Triggers for revisit (Deferred-style, mirroring ADR-050)¶
This ADR moves from Proposed to Accepted-and-scheduled when any fire:
- A token, vote weight, allocation, or other transferable externality is proposed to attach to
sync_scoreor a trust tier. Build Layers 0–1 before it goes live; Layer 2 before it touches cross-user governance. - ADR-050 moves from Deferred to Proposed (its own trigger #1 — first non-read-only agent skill). Permission tiers without anti-gaming on a token-adjacent surface is the gap this ADR fills; co-design them.
- An external partner/experiment proposes token-weighted or vote-weighted trust (e.g., the Edge Esmeralda 500-agent experiment, MetaGov, or any A2A governance prototype James stands up). That is real demand for the trust-as-currency framing and forces the defensive bar live.
- Observed gaming of any signal in a non-token context that demonstrates a forgery passes the honest-play schema (e.g., a planted forged-rationale profile scores high). Promotes Layer 3 stylometry from nice-to-have.
If none fire by Q4 2026, revisit anyway alongside ADR-050's hard-stop check.
Memory:
- project_sync_score_as_trust_threshold — the trust-budget framing this ADR defends.
- project_edge_esmeralda_outreach — the most likely concrete trigger (token-weighted external experiment).
- feedback_ship_and_observe_dont_over_optimize — the default this ADR deliberately inverts for irreversible-externality surfaces.
Key files (when implementation triggers):
- docs/research/foundations/measurement-schema.md — the honest-play measurement layer this ADR sits adversarially atop; primitive references (A1, A2, A6, A7, E5/E6/E12, C11–C14) are canonical there.
- docs/decisions/050-agent-permission-tiers.md — the permission gate whose tier_eligible definition gains the conjunctive clauses.
- docs/decisions/045-five-sync-dimensions.md — the composite (A2) that replaces A1 as governance currency.
- docs/decisions/062-peer-prediction-as-relational-trust.md — deferred collusion risk un-deferred by Layer 2.
- docs/decisions/002-ai-only-sync-scoring.md — why peer-prediction is kept out of sync_score; the boundary collusion detection must respect.
- docs/decisions/051-slow-sync-score-decay.md — Layer 3 holding-cost control (deferred; complementary trigger).
- migrations/020_peer_coherence.sql — peer_prediction_edges, source for Layer 2 collusion analysis.
- src/lib/sync/multi-dimensional-score.ts — where the composite + conjunctive gate would compute.
- New: personhood/stake gate surface — the lone new architectural primitive; scope when trigger fires.