Layered Boundary Evolution
Authority to change authority must itself be bounded. Otherwise evolution is drift.
The architecture governs at a point in time. Systems do not stay at a point in time.
Cross-Domain Governance resolved the federation problem: constitutional hierarchy, monotonic reduction at every boundary, control-surface bands at every seam. The architecture was correct at T=0. The global invariants were defined. The domain constitutions were designed. The pairwise contracts were negotiated. The federation began operating.
Then conditions changed. An organisation restructured its internal domains. A new partner entered the federation. A regulatory environment shifted, and an invariant that was correct became inadequate. A pairwise contract designed for one operational context encountered interactions its authors did not anticipate.
The problem is not that the architecture was wrong. It is that correctness at design time does not guarantee correctness across time. Static constitutional structures face two failure modes. Brittleness: the boundaries hold, but the system cannot adapt. Interactions the architecture does not accommodate are denied, even when the denial serves no governance purpose. Permissiveness: the boundaries loosen to accommodate change, and governance erodes. Exceptions accumulate. Scope expands without formal authorisation. Both failure modes produce the same outcome: ungoverned evolution.
The question is not whether the federation will need to change. It is whether that change will be governed or ungoverned.
Operational change is not constitutional evolution
The most natural response to changing conditions is operational adjustment: update a configuration, modify a policy, change a parameter. This is routine. Every system does it. The governance engine’s five-minute cache refresh ensures that newly encoded case law entries or modified authority scopes take effect within one cycle. Operational change works within the existing constitutional framework. The framework authorises it.
Constitutional evolution is different in kind. It modifies the framework itself: the authority graph, the composition contracts, the global invariants. The entity making the change is changing the rules that constrain it.
This is the self-amendment paradox. Suber named it in The Paradox of Self-Amendment as a logical trilemma: if the amendment rule applies to itself, contradiction results (the amended rule might delegitimise the process that created it). If the amendment rule does not apply to itself, an infinite regress of higher-order rules is required (who governs the meta-rule?). If the rule is immutable, the system is brittle. Real constitutional systems resolve the paradox through two engineering devices: tiered amendment thresholds that make constitutional change more expensive than operational change, and eternity clauses that place certain provisions categorically outside the amendment process.
The US Constitution’s Article V requires two-thirds of both chambers to propose an amendment and three-fourths of state legislatures to ratify. The German Basic Law’s Article 79(3), the Ewigkeitsklausel, goes further: amendments affecting human dignity, the democratic state principle, and the federal structure are inadmissible at any threshold. These provisions cannot be reached by the amendment procedure. They are constitutionally frozen. Germany engineered this in direct response to the Weimar Republic’s failure: the Enabling Act of 1933 was constitutionally valid under Weimar’s amendment rules, which had no eternity floor.
The architectural distinction is precise: operational change is a governed action within the constitutional framework. Constitutional evolution is a modification of the framework itself, and it requires a separate governance mechanism that the framework constrains but cannot contain. Conflating parameter updates with authority graph evolution misses the structural boundary where governance-of-governance begins.
The case law feedback loop
The series has already established a concrete mechanism for bounded evolution within the constitutional framework: the case law feedback loop. An action escalates to a human because the governance engine cannot resolve it deterministically. The human reviews the escalation, determines the resolution, and encodes it: pattern, resolution, scope of applicability, precedence, and the human identifier. The next time the same class of action occurs, the governance engine matches the pattern and applies the resolution without escalation. The scope of autonomous governance expands, one encoded resolution at a time, without any change to the authority graph or the constitutional hierarchy.
This is the first tier of evolution. The framework does not change. The body of precedent within it grows. Legal systems call this stare decisis: the doctrine that courts follow prior rulings from courts with binding authority, promoting what Cornell’s Legal Information Institute describes as “the evenhanded, predictable, and consistent development of legal principles.” Each resolved case becomes a reusable resolution pattern applied to sufficiently similar future disputes without re-adjudicating from first principles.
The reference implementation makes the lifecycle concrete. The case_law_admin utility exposes four operations: encode a new resolution, list all entries, verify an entry against a test context before deployment, and revoke an entry that is no longer valid. There is no auto-promote command. Every encoding requires a human caller. The system cannot extend its own case law without human command. This is the source independence requirement at the case law layer: the entity whose governance scope expands is not the entity that authorises the expansion.
Case law evolution has a critical structural property: it is bounded by the constitutional layer above it. In the governance engine, case law entries are evaluated first (highest precedence), but case law permits must survive constitutional review. A case law resolution that permits an action the global constitution prohibits is denied at the constitutional tier. Case law cannot bypass the constitution. Evolution within the framework is still constrained by the framework.
Courts do not scale by rewriting the constitution. They scale by producing precedent that the constitution enables.
Authority graph versioning
Case law governs within the existing framework. But what happens when the framework itself must change?
A new agent is added and needs authority units. A domain restructures and its composition contracts no longer reflect operational reality. A pairwise contract with an external partner must be renegotiated. These are not case law problems. They require modification of the authority graph, the composition contracts, or the constitutional layers themselves.
The key structural claim: authority to modify the authority graph must be an authority unit itself. It must have scope (which parts of the graph this authority can modify), delegation rules (who else can be granted modification authority), and termination conditions (when the modification authority expires). The modification mechanism is itself subject to the constitutional hierarchy.
The governing principle: “the enumeration evolves; what cannot evolve is the mechanism governing how it evolves.” The constitutional layer that constrains the modification process is fixed. What the process modifies is variable.
The initial authority graph, including the modification authority itself, is seeded at deployment time. The genesis of the governance architecture is a design-time act, not a governed process within the architecture. This is the constitutional founding moment: the point at which human design establishes the framework that subsequent governed evolution operates within. Every constitution has a founding. The founding is not governed by the constitution it creates.
The A/B partition pattern provides the implementation architecture. The pattern is established in production systems such as Android’s seamless system updates or fleet-scale IoT firmware management: two complete slots, one active, one receiving the candidate. Cryptographic hash verification before any transition begins. The invariant layer continues operating throughout, unaware of the update. If the candidate boots successfully and confirms itself within the timeout, the slot is promoted. If it fails, automatic rollback restores the previous slot. The invariant layer never noticed the change.
For authority graph versioning, the same architecture applies. A candidate modification is staged in an inactive partition. The modification is verified against the constitutional invariants before promotion: it does not violate the global constitution, does not expand scope under unconfirmed state, does not break the monotonic guarantee. Only after verification succeeds is the modification promoted to the active governance state. If verification fails, the candidate is discarded and the current graph continues operating unchanged.
The rollback guarantee is structural, not procedural. The governance engine loads its state from a persistent store on each cache cycle. The staged modification either replaces the current state (promotion) or is discarded (rollback). There is no partial state. The transition is atomic.
This is not infrastructure version control. Infrastructure pipelines track what changed. Authority graph versioning governs whether the change was constitutionally permitted. A Git commit has no opinion on whether the modification violates the global invariants. The A/B pattern with constitutional verification before promotion is a governance mechanism, not a deployment mechanism. The deployment pipeline delivers the candidate. The constitutional layer decides whether it is promoted.
Four properties of safe transitions
Any modification to the authority graph or composition contracts must satisfy four properties. These are not design recommendations. They are constitutional requirements.
Monotonic reduction under uncertainty. When the state of the system is unconfirmed, scope must reduce, never expand. A modification that expands authority during a period of uncertainty is structurally prohibited. The governance engine implements this: the _is_state_confirmed() method halts evaluation if unconfirmed state keys are relevant to the authority scope being evaluated. Expansion under uncertainty is not a policy preference. It is a structural impossibility within the architecture.
Authority source independence. A transition cannot be authorised by the entity whose scope is being changed. The modifier and the modified must be constitutionally separate. This is the independence requirement from Governance at Machine Speed extended from evaluation to evolution: Anderson’s reference monitor requires that the governance mechanism be tamper-proof and independent of the entities it constrains. An agent that can modify its own authority units is ungoverned, regardless of how carefully it makes the modification.
Immutability within a reasoning step. Authority boundaries cannot change during a single reasoning episode. The agent reasons against a stable constitutional state. If the boundaries change mid-reasoning, the agent’s conclusions may no longer be within scope. The governance state must present a consistent snapshot for the duration of the reasoning episode; the cache cycle defines the maximum duration of that stability. This is the governance equivalent of a database isolation level. If convergence sits outside the authority layer, the guarantee is already lost. Validating state after permission has been granted is not a control mechanism. It is a recovery mechanism.
Auditability of the transition. Every modification to the authority graph produces a legibility record: who authorised the change, what changed, what the previous state was, and what constitutional authority sanctioned it. Evolution that cannot be audited is indistinguishable from drift. The governance engine produces a GovernanceFinding for every evaluation. The evolution mechanism must produce an equivalent record for every modification. The finding and the modification record together provide the complete legibility chain: what the system decided, and how the rules it decided under were established.
Case law staleness and the review cycle
Case law entries have a temporal problem the Arbitration Patterns companion paper named but deferred: an entry encoded in month one may still fire in month twelve after the operational context has changed.
Revocation handles entries known to be incorrect: the revoke command marks the entry inactive, records the revocation timestamp, and the entry stops firing on the next cache refresh. Staleness is subtler. The resolution was correct when encoded. The conditions that justified it no longer hold. The entry is not wrong. It is outdated.
This failure mode has a name: inherited permission. The evaluation was valid when performed. The system proceeds on the assumption that validity persists. At the evaluation layer, the gap between evaluation and execution is milliseconds. At the case law layer, the gap between encoding and firing is months. Inherited permission at months-long timescales is a structural governance failure. Four admissibility dimensions map to four staleness checks: is the mandating authority still active? Is the delegation chain still valid? Are the conditions under which the resolution was encoded still met? Has a superseding resolution been issued?
The maturation model requires three mechanisms the current implementation does not yet provide. First, review dates or sunset conditions: entries carry a defined time after which they are flagged for human review rather than continuing to fire indefinitely. The encoded_at timestamp exists in the data model; the review-date logic is a query against it. Second, periodic review triggered by operational signals: escalation patterns that suggest existing entries are no longer sufficient (the same conflict class escalating again despite an active entry may indicate the entry’s scope is too narrow or its conditions have shifted). Third, the interaction between case law maturation and authority graph versioning: when the authority graph changes, entries encoded under the previous graph version may reference scopes that no longer exist. A graph version change must trigger a review of all case law entries referencing the modified scopes.
Legal systems address this through appellate review and the distinguishing doctrine: courts apply precedent narrowly when the facts of a new case differ in material respects from the original, and overrule precedent entirely when prior decisions are “unworkable or badly reasoned.” The scope_of_applicability field on each case law entry provides the distinguishing mechanism. The precedence field provides the hierarchical authority to override prior entries with higher-precedence resolutions. What the implementation lacks is the appellate review trigger: the periodic reassessment of whether existing entries still serve the governance purpose that justified them.
Evolution at the federation layer
The constitutional hierarchy from Cross-Domain Governance adds a sovereignty dimension to evolution. Within a single domain, the authority to modify the authority graph is an internal constitutional question. At the federation layer, three evolution problems arise.
Modifying a pairwise contract requires both parties’ agreement. Neither can amend unilaterally without violating the other party’s sovereignty. The amendment process for pairwise contracts inherits the same constitutional properties as the contracts themselves: conjunction as the default (both parties must agree to the modification), monotonic reduction (the amendment cannot expand authority beyond what the original contract permitted), and auditability (both parties produce records of the amendment, interpretable by both).
Modifying the global constitution requires consensus across all federated domains. A global invariant that one domain considers essential and another considers obsolete cannot be removed unilaterally. The eternity clause model applies here: certain global invariants may be categorically unamendable, placing them beyond the reach of any amendment process regardless of consensus. The German Basic Law’s eternity clause is the constitutional precedent: some provisions resist the amendment procedure itself.
One domain’s internal evolution may invalidate existing pairwise contracts that other domains depend on. If Organisation A restructures its authority graph and the restructured scopes no longer match the scopes referenced in its pairwise contract with Organisation B, the contract is silently broken. The four properties require that internal evolution produce legibility records interpretable by affected parties. The amendment record must propagate to parties whose contracts reference the modified scopes.
This article names the federation evolution problem and its structural constraints. The full mechanism belongs to the Constitutional Evolution Patterns companion (to come).
The frontier this article opens
The evolution mechanism is constitutional. It is governed by the same properties that govern the system it modifies. The authority to change authority is itself bounded, scoped, auditable, and terminable. Case law encodes precedent within the framework. Authority graph versioning modifies the framework through a governed process. Four properties constrain every transition. The case law maturation model ensures precedent does not outlive its relevance.
But the mechanism requires an operator. Case law entries require a human to encode. Authority graph modifications require a human to design and authorise. The invariants that the mechanism itself cannot violate require a human to define. The evolution mechanism is constitutional. The agency that drives it is human.
Who designs the initial authority graph? Who determines what the global invariants should be? Who encodes the resolution when an escalation reaches a human? Who decides that a case law entry is stale, that a composition contract needs renegotiation, that the constitutional hierarchy requires amendment?
These are not implementation questions. They are questions about what human agency means when the architecture is capable of governed self-evolution. The human does not review individual decisions. The human encodes the principles that govern classes of decisions. The human does not intervene at execution time. The human designs the constitutional structure that makes intervention unnecessary. The human does not oversee the system. The human is on the system: at the design layer, the exception layer, and the evolution layer.
The next article addresses what that means.
The architecture was correct at T=0.
Time does not stop at T=0.
Static governance produces brittleness or drift.
The evolution mechanism navigates between them.
Case law evolves within the framework.
The authority graph evolves through governed process.
Four properties constrain every transition.
The mechanism governing how the hierarchy evolves cannot be subject to the hierarchy it governs.
The mechanism is constitutional. The agency is human.
What human agency means at machine speed is the next question.
Next in the series: Human Agency at Machine Speed