Governance Ladder
A per-participant governance ladder manifest, signed and pinned at federation handshake time. It declares which action classes map to which governance modes, and which consistency model each class requires.
Forward-looking concept
chio.chiodos-ladder.v1). The summary below is enough to follow the rest of the section.
Five modes
| Mode | Coverage | Required artefact |
|---|---|---|
| Observation | Detection, investigation, correlation, memory, status publication | Standard signed deposits and audit only |
| Guarded response | Non-destructive escalation, decoy deployment, listing publication | Policy validation and ordinary audit |
| Receipt-backed response | Destructive actions (block, isolate, revoke) | Signed governance receipt; bilateral co-signing if cross-org |
| Partition contingency | Destructive response under partition | Staged contingency lease + later reconciliation |
| Maintenance | Operator review, export, replay | Authenticated operator access only |
Most cross-org coordination is Observation (cheap, no joint signature). Only the destructive minority requires Receipt-backed bilateral co-signing.
Per-action-class fields
The manifest declares, per action class:
- mode: Observation, Guarded, Receipt-backed, Partition-contingency, Maintenance.
- destructive: boolean. A destructive class must be at or above the declared destructive_floor.
- cross_org_visibility.
- evidence_required.
- co_sign: none, bilateral_if_cross_org, bilateral_required, or n_of_m.
- partition_fallback (optional): with lease_kind, blast_radius_cap, and TTL.
- consistency_model: crdt-commutative, totally-ordered, or quorum-required.
Consistency model
Bilateral trees prove N parties signed but not that they signed consistently. A and B can co-sign credential X’s revocation at t=10 while B and C co-sign continued use of X at t=11, with both receipts independently valid. The fix is to declare consistency at the action-class level.
- crdt-commutative: deposits and observations whose merge is commutative and absorbs divergence. Bilateral trees are sufficient; partition-divergent co-signs converge automatically on reconnect.
- totally-ordered: actions that require a hash-chained ordering anchor (workflow steps, sequential capability grants). Bilateral trees plus an anchor reference catch divergence. Requires consistency_anchor set to hash-chain or chio-anchor.
- quorum-required: destructive actions that mutate shared state. FROST-aggregated quorum signature over a canonical body, with quorum scope declared in co_sign_quorum and consistency_anchor: "frost-quorum".
A ladder manifest that declares a destructive class as crdt-commutative is rejected at handshake (validation rule ladder.consistency_underspecified).
Full manifest example
A complete manifest spans the three consistency models. The ladder below mixes a CRDT-commutative pheromone deposit class, a totally-ordered capability grant, and a quorum-required revocation. Signature blocks are elided for brevity; in production the manifest body is signed under chio.chiodos-ladder.v1#/$defs/signature.
```yaml
schema: chio.chiodos-ladder.v1
manifest_id: blueteam.cybersec.ladder.2026-05-04
participant_id: did:chio:blueteam-soc
domain: cybersec
ladder_version: 1.0.0
modes:
  - observation
  - guarded
  - receipt_backed
  - partition_contingency
  - maintenance
default_unmapped_mode: receipt_backed
destructive_floor: receipt_backed
ladder_refusal_policy:
  on_unknown_class: fall_back_to_default
  on_intersection_empty: refuse
  on_floor_disagreement: refuse
  on_alias_conflict: refuse
action_classes:
  # CRDT-commutative: stigmergic deposit, no anchor required
  - id: whisker.pheromone_deposit
    title: Whisker pheromone deposit
    mode: observation
    destructive: false
    cross_org_visibility: treaty_only
    evidence_required: [listing]
    co_sign: none
    consistency_model: crdt-commutative
  # Totally-ordered: capability grant, parent-hash chained
  - id: tom.capability_grant
    title: Tom capability grant (sequential)
    mode: receipt_backed
    destructive: false
    cross_org_visibility: treaty_only
    evidence_required: [trust_activation, workflow_receipt]
    co_sign: bilateral_required
    consistency_model: totally-ordered
    consistency_anchor: hash-chain
  # Quorum-required: cross-issuer credential revocation
  - id: pouncer.revoke_credential
    title: Pouncer RevokeCredential (cross-issuer)
    mode: receipt_backed
    destructive: true
    cross_org_visibility: federated
    evidence_required: [trust_activation, passport_presentation, anchor_epoch]
    co_sign: n_of_m
    co_sign_quorum: { n: 2, m: 3, scope: treaty }
    consistency_model: quorum-required
    consistency_anchor: frost-quorum
    partition_fallback:
      lease_kind: narrow_destructive
      blast_radius_cap: { unit: credential, max: 1 }
      ttl_secs: 600
signature:
  signer_key: ed25519:0x9c7b3f...
  alg: ed25519
  value: 0x7e2b1f3a...c104
```
The destructive_floor field binds the floor below which a class may not declare destructive: true. A manifest that violates the floor is rejected at handshake with ladder.destructive_downgrade. The partition_fallback on the revocation class is structurally permitted by the schema but forbidden at execution time for quorum-required classes (FROST quorum cannot be assembled under partition by definition); the block is retained here to illustrate the field shape.
Co-signed intersection artefact
At handshake, the two participants’ manifests are reconciled into a co-signed chio.chiodos-ladder-intersection.v1 artefact pinned to the FederationPeer record. The intersected mode is the higher-intensity of the two ladders per class, the intersected co_sign is the strictest, and the intersected consistency_model is the strictest (quorum-required > totally-ordered > crdt-commutative). Treaty scope only authorises classes present in the intersection.
```yaml
schema: chio.chiodos-ladder-intersection.v1
intersection_id: int.blueteam-vs-treasury.2026-05-04
treaty_scope: treaty:cross-domain.incident-response.v1
left_manifest:
  manifest_id: blueteam.cybersec.ladder.2026-05-04
  participant_id: did:chio:blueteam-soc
  ladder_version: 1.0.0
  sha256: 5b41362bc82b7f3d56edc5a306db22105707d01ff4819e26faef9724a2d406c9
right_manifest:
  manifest_id: treasury.financial.ladder.2026-05-04
  participant_id: did:chio:treasury-cfo
  ladder_version: 1.0.0
  sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
destructive_floor: receipt_backed
intersected_classes:
  - intersected_id: shared.deposit
    left_id: whisker.pheromone_deposit
    right_id: market.bid_publish
    mode: observation
    co_sign: none
    consistency_model: crdt-commutative
    alias_collapsed_from: []
  - intersected_id: shared.revocation
    left_id: pouncer.revoke_credential
    right_id: credentials.passport_revoke
    mode: receipt_backed
    co_sign: n_of_m
    consistency_model: quorum-required
    alias_collapsed_from:
      - cybersec.pouncer.revoke_credential
      - compliance.credentials.passport_revoke
produced_at: 1746710400
co_signature:
  left:
    signer_key: ed25519:0x9c7b3f...
    alg: ed25519
    value: 0x7e2b1f3a...
  right:
    signer_key: ed25519:0x4d5a92...
    alg: ed25519
    value: 0xb2c58e91...
```
Aliases collapse same-semantic classes published under different names across domains. If both sides declare cross-references and the references contradict, the handshake fails with ladder.alias_conflict. Classes present on only one side fall back to the other side’s default_unmapped_mode only when both refusal policies agree on fall_back_to_default; otherwise they drop from the treaty surface.
Validation rules
Every named rule below MUST be enforced by participants and surfaced verbatim in GenericGovernanceFinding.code_extension so a third party can replay the dispute deterministically.
| Rule | Condition | Resolution |
|---|---|---|
| ladder.invalid_schema | Body fails JSON Schema validation, signature does not verify, or canonical-JSON re-serialisation produces a different hash. | Refuse the manifest at handshake. File a Dispute case carrying the code as the finding extension. |
| ladder.destructive_downgrade | An action class declares destructive: true at a mode below the declared destructive_floor. | Reject manifest. Author raises the class’s mode or weakens the destructive flag, then re-signs. |
| ladder.missing_floor | destructive_floor is absent, or differs from the peer’s by more than one rung at intersection time. | Refuse handshake. Both peers reconcile floors out-of-band, then republish. |
| ladder.consistency_underspecified | A destructive: true class declares crdt-commutative, or a totally-ordered / quorum-required class omits its consistency_anchor. | Reject manifest. Author tightens the consistency model or supplies the anchor. |
| ladder.consistency_class_mismatch | An action class declares a consistency_model incompatible with its substrate (e.g. a pheromone-deposit class declared totally-ordered or quorum-required). | Reject. Pheromones are intrinsically crdt-commutative. |
| ladder.alias_conflict | Two manifests’ aliases declarations cannot be reconciled into a single intersected id. | Refuse handshake. Operators agree on canonical id, then republish. |
| ladder.partition_overcap | A partition_fallback.blast_radius_cap.max exceeds the treaty-scope cap, or ttl_secs exceeds the manifest-wide ceiling. | Reject. Author tightens the cap or TTL. |
| ladder.co_sign_visibility_contradiction | co_sign: none paired with federated/public visibility on a destructive class, or bilateral_required paired with private visibility. | Reject. Author resolves the visibility/co-sign tension. |
| ladder.unknown_class_default_too_low | default_unmapped_mode is observation or guarded, or is below the destructive floor. | Reject. Default MUST be receipt_backed or higher. |
| ladder.quorum_misdeclared | co_sign: n_of_m declared without co_sign_quorum, or n > m, or consistency_model != quorum-required. | Reject. Supply quorum block or drop n_of_m. |
| ladder.intersection_empty | Reconciliation produced no class for the requested treaty scope. | Refuse handshake. Operators expand class coverage and republish. |
| ladder.amendment_downgrade_unsigned | An amendment downgrades a class without co-signature from every active peer. | Reject amendment. Collect missing peer signatures, then re-submit. |
| ladder.amendment_stale | An amendment references a prior_manifest_sha256 no longer current at any active peer. | Refresh the prior hash to the current pinned manifest, re-sign. |
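
A minimal validator for five of the rules above, as an added example rather than the project's own code. It assumes an already parsed, schema-valid manifest and that mode rank follows the order of the modes list in the manifest example; validate_manifest, GOOD and BAD are hypothetical names.

```python
# Added example (not project code): a subset of the ladder.* rules.
# Assumptions: the manifest is already parsed and schema-valid, and mode rank
# follows the order of the `modes` list in the manifest example.
MODES = ["observation", "guarded", "receipt_backed",
         "partition_contingency", "maintenance"]
RANK = {m: i for i, m in enumerate(MODES)}


def validate_manifest(manifest):
    """Return the sorted rule codes this manifest violates."""
    floor = manifest.get("destructive_floor")
    if floor is None:
        return ["ladder.missing_floor"]  # nothing can be ranked without it
    found = set()
    default = manifest["default_unmapped_mode"]
    if default in ("observation", "guarded") or RANK[default] < RANK[floor]:
        found.add("ladder.unknown_class_default_too_low")
    for c in manifest["action_classes"]:
        model, destructive = c["consistency_model"], c["destructive"]
        if destructive and RANK[c["mode"]] < RANK[floor]:
            found.add("ladder.destructive_downgrade")
        if destructive and model == "crdt-commutative":
            found.add("ladder.consistency_underspecified")
        if (model in ("totally-ordered", "quorum-required")
                and "consistency_anchor" not in c):
            found.add("ladder.consistency_underspecified")
        if c["co_sign"] == "n_of_m":
            q = c.get("co_sign_quorum")
            if q is None or q["n"] > q["m"] or model != "quorum-required":
                found.add("ladder.quorum_misdeclared")
    return sorted(found)


# The page's revocation class, trimmed to the fields the checks read.
GOOD = {
    "destructive_floor": "receipt_backed",
    "default_unmapped_mode": "receipt_backed",
    "action_classes": [{
        "id": "pouncer.revoke_credential", "mode": "receipt_backed",
        "destructive": True, "co_sign": "n_of_m",
        "co_sign_quorum": {"n": 2, "m": 3, "scope": "treaty"},
        "consistency_model": "quorum-required",
        "consistency_anchor": "frost-quorum",
    }],
}
# Constructed bad variant: the same class weakened in four ways.
BAD = {**GOOD, "default_unmapped_mode": "guarded", "action_classes": [{
    **GOOD["action_classes"][0], "mode": "guarded",
    "consistency_model": "crdt-commutative",
    "co_sign_quorum": {"n": 4, "m": 3, "scope": "treaty"},
}]}
```

Returning the codes verbatim keeps the output usable as the GenericGovernanceFinding.code_extension value the section requires.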
Cross-domain example
A cybersec org (Blueteam SOC) and a finance org (Treasury) federate to coordinate response to a compromised payment-issuing agent. Both publish manifests. The cybersec ladder declares pouncer.revoke_credential as receipt_backed / n_of_m / quorum-required with a 2-of-3 FROST quorum. The finance ladder declares credentials.passport_revoke as receipt_backed / bilateral_required / totally-ordered with a chio-anchor.
Each side declares the other’s id under aliases. The intersection artefact takes the strictest co_sign (n_of_m 2-of-3 wins over bilateral_required), the strictest consistency model (quorum-required wins over totally-ordered), and the higher floor (receipt_backed on both sides, identical). The intersected class lands at shared.revocation with FROST quorum required and alias_collapsed_from listing both source ids. Treasury’s side runs the FROST signing-key share ceremony for that class even though its own ladder did not require it; the intersection rules climb, never descend.
For an observation-only class (cybersec whisker.pheromone_deposit vs finance market.bid_publish) the intersection lands at observation / none / crdt-commutative with no anchor. No joint signature is needed for the steady-state cross-domain telemetry exchange; only the destructive minority pays the FROST coordination cost.
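
The reconciliation walked through above, as an added sketch that is not the project's implementation. The weakest-to-strictest orderings for mode and co_sign, the pairs argument standing in for alias resolution, and the treatment of a peer's default_unmapped_mode as a mode floor for one-sided classes are assumptions.

```python
# Added example (not project code): strictest-wins ladder reconciliation.
# Assumption: lists run weakest -> strictest (the page fixes only MODEL's order).
MODE = ["observation", "guarded", "receipt_backed", "partition_contingency", "maintenance"]
CO_SIGN = ["none", "bilateral_if_cross_org", "bilateral_required", "n_of_m"]
MODEL = ["crdt-commutative", "totally-ordered", "quorum-required"]
FIELDS = {"mode": MODE, "co_sign": CO_SIGN, "consistency_model": MODEL}


def intersect(left, right, pairs):
    """pairs maps intersected_id -> (left_id, right_id), as agreed via aliases."""
    lc = {c["id"]: c for c in left["action_classes"]}
    rc = {c["id"]: c for c in right["action_classes"]}
    out = []
    for iid, (lid, rid) in pairs.items():
        l, r = lc.pop(lid), rc.pop(rid)
        row = {"intersected_id": iid, "left_id": lid, "right_id": rid}
        for field, order in FIELDS.items():  # climbs, never descends
            row[field] = max(l[field], r[field], key=order.index)
        out.append(row)
    policies = {m["ladder_refusal_policy"]["on_unknown_class"] for m in (left, right)}
    if policies == {"fall_back_to_default"}:  # otherwise one-sided classes drop
        for rest, peer in ((lc, right), (rc, left)):
            for cid, c in rest.items():
                # Assumption: the peer's default_unmapped_mode is a mode floor.
                mode = max(c["mode"], peer["default_unmapped_mode"], key=MODE.index)
                out.append({"intersected_id": cid, **{f: c[f] for f in FIELDS}, "mode": mode})
    if not out:
        raise ValueError("ladder.intersection_empty")
    return out


def manifest(rows, on_unknown="fall_back_to_default"):
    """Build a constructed manifest from (id, mode, co_sign, consistency_model) rows."""
    return {"default_unmapped_mode": "receipt_backed",
            "ladder_refusal_policy": {"on_unknown_class": on_unknown},
            "action_classes": [dict(zip(("id", *FIELDS), row)) for row in rows]}


# Constructed inputs, trimmed to the fields used, from the cross-domain example.
BLUETEAM = manifest([
    ("pouncer.revoke_credential", "receipt_backed", "n_of_m", "quorum-required"),
    ("whisker.pheromone_deposit", "observation", "none", "crdt-commutative")])
TREASURY = manifest([
    ("credentials.passport_revoke", "receipt_backed", "bilateral_required", "totally-ordered"),
    ("market.bid_publish", "observation", "none", "crdt-commutative")])
PAIRS = {
    "shared.revocation": ("pouncer.revoke_credential", "credentials.passport_revoke"),
    "shared.deposit": ("whisker.pheromone_deposit", "market.bid_publish")}
```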