Institutional Powers and Legitimacy Invariants
Status: spec, work-in-progress. This document names how ICN encodes institutional power so that law, governance, economics, justice, contribution, and protective authority cannot become unaccountable state or capital power in new clothes. It is design-level doctrine over primitives the canon already names —
InstitutionalDomain,DomainPolicy,AuthorityGrant,Mandate,TypedScope,EffectManifest,KernelEffect,GovernanceDecisionReceipt,InstitutionalEffectRecord,EffectDispatchEvidence— and the Effect Dispatch Contract. It introduces no Rust types, schemas, wire formats, CCL grammar, routes, or runtime behavior. Clauses that depend on objects or kernel behavior not yet landed are named as forward-direction. The PR introducing this doc usesRefs:; it closes nothing.
Purpose
ICN must host real institutions — bodies that make binding collective decisions, collect and allocate shared contributions, interrupt active harm, and resolve injury. The danger is not that institutions exist; it is that institutional power tends to become sovereign: self-justifying, unbounded, invisible, and irreversible. State power and capital power both take that shape. ICN's wager is that the same legitimacy machinery the canon already uses for governed effects — authority, adopted policy, bounded execution, receipts — is exactly what keeps institutional power accountable rather than sovereign.
This spec states that machinery as a single rule and four power classes, and maps each onto seams that already exist.
The ICN does not reject institutions. It rejects sovereign, self-justifying institutions.
The ICN does not make institutions harmless by trusting them. It makes them accountable by forcing every act of institutional power through visible authority, adopted policy, bounded execution, receipts, and repair.
The legitimacy circuit
Every binding institutional action in ICN must pass through the same circuit:
authority basis -> adopted policy -> bounded effect -> receipt -> challenge / repair path
No stage is optional, and the stages are ordered: an effect with no adopted policy behind it, or a policy with no authority basis, or an effect with no receipt, or a receipt with no challenge path, is not a legitimate institutional action. The circuit is the same one the Effect Dispatch Contract already describes for turning an accepted decision into bounded effects with receipts; this spec adds that all institutional power — not only service/tool binding — must traverse it, and names the failure-closed invariants that hold at each stage.
InstitutionalPowerEvent
InstitutionalPowerEvent is the abstract envelope every binding institutional act is an
instance of. It is not a new kernel type; it is the doctrine-level shape that the existing
record types already carry in pieces. An InstitutionalPowerEvent names, at design level:
- the power class exercised (
GovernancePower/ContributionPower/ProtectivePower/RepairPower); - the authority basis that legitimizes it (an
AuthorityGrant/Mandate/ standing, tied to a governing decision); - the adopted policy under which it acts (a
DomainPolicyclause / CCL policy selected from the registry); - the bounded effect it produces (an
EffectManifestresolving to one or more primitiveKernelEffects); - the receipt(s) it emits (
GovernanceDecisionReceipt+InstitutionalEffectRecord+EffectDispatchEvidence); - the challenge / repair path by which it can be contested or reversed.
Concretely, an InstitutionalPowerEvent is reconstructable from existing records, each stage
anchored to the record that actually carries it:
- decision anchor — the
GovernanceDecisionReceipt(proposal_id,domain_id,outcome,decision_hash;icn-governance/src/proof.rs): that a decision occurred and which domain it binds. - authority basis + adopted policy — reached through that decision, not embedded in the
v1 receipt: the proposal/domain's adopted
DomainPolicyand theMandate/AuthorityGrantthat scope-attest the act (the v2/v3 attestation surfaces). - bounded effect — the
EffectManifest/InstitutionalEffectRecord. - dispatch proof —
EffectDispatchEvidence(that the effect actually dispatched).
Forward-direction: the v1 GovernanceDecisionReceipt carries only
proposal/domain/outcome/tally/vote-hash/decision-hash — it does not embed the adopted
policy or mandate, so for existing events the authority/policy stage is verified by joining the
receipt to the proposal/domain DomainPolicy and Mandate records, not from the receipt
alone. A future receipt/proof envelope (ADR-0026) that binds the policy/mandate references into
the decision record is what would make the authority/policy stage verifiable from the receipt
by itself. This spec asserts these records describe one accountable event and must not be
separable in a way that hides any stage.
Power classes
The four classes partition what kind of binding institutional power is being exercised. Each is defined as the ICN reconciliation of a real-world power with the sovereign form ICN rejects.
GovernancePower
The authority to make binding collective decisions: adopt or amend policy, amend charters,
bind tools / services / routes, join or leave federations, and change standing rules. It is
the power that creates the other powers' authority bases — it is how a domain decides what
is legitimate. GovernancePower is exercised only through an adopted governance procedure and
recorded as a GovernanceDecisionReceipt.
ContributionPower
The democratically adopted power to assess, collect, waive, allocate, refund, or redistribute shared contributions to the commons. This is the ICN reconciliation of taxation without sovereign extraction: a contribution is legitimate only when an adopted policy makes its basis visible and contestable, never because an institution can simply take. ICN-native vocabulary is contribution / obligation / allocation / settlement, never sovereign levy.
ProtectivePower
Temporary, reviewable authority to interrupt active or imminent harm. This is the ICN reconciliation of force without police power or a permanent coercive class: protective authority exists to stop a harm in progress, expires by construction, and is always reviewable and challengeable. There is no standing enforcement office; there is only scoped, time-bounded, receipted interruption that someone must answer for.
RepairPower
The authority to resolve harm: assign repair obligations, compensate affected parties, reverse invalid effects, restore standing, and produce accountable repair. This is the ICN reconciliation of justice without punishment-first carceral logic: the first move is repair and restoration of standing, surfaced to affected parties with a receipt and a challenge/reversal path — not punishment, and never a silent or retroactive rewrite.
Legitimacy invariants
These hold for every InstitutionalPowerEvent. Each is fail-closed: when the condition
cannot be established, the action does not happen.
- No institutional power without an authority basis. Every binding act references an
AuthorityGrant/Mandate/ standing that legitimizes it. - No authority basis without adopted policy. An authority basis is valid only under a
DomainPolicy/ CCL policy the domain has adopted. - Unadopted policy is inert. A drafted-but-unadopted policy authorizes nothing and produces no effect.
- Ambiguous authority fails closed. If the authority basis cannot be resolved unambiguously, the action is denied — never granted on a guess.
- Protective authority is temporary by construction. Emergency / protective authority must be scoped, time-bounded, receipted, reviewable, and challengeable. No protective action may be permanent at creation — an expiry/review obligation is part of the act.
- Contributions are fully disclosed. No contribution may be collected without a visible assessment formula, a liable entity, an amount, a due date, an allocation target, a waiver path, and an appeal / challenge path.
- Repair respects due process. No repair / justice effect may bypass due process, affected-party visibility, a receipt, and a challenge / reversal path.
- No ledger / treasury bypass. Contribution and settlement effects flow only through adopted policy and receipts — never a direct ledger or treasury write that skips the circuit.
- No silent mutation. No resource, standing, route, treasury, federation, membership, or
policy mutation may be silent: each emits a receipt /
InstitutionalEffectRecord. - Reversal is forward-only. A reversal is a new transition / counter-effect with its own receipt — never a retroactive edit of a prior record.
- The right to exit remains constitutional wherever the domain model already defines it; no institutional power may revoke it.
- The meaning firewall holds. The kernel must not import domain semantics; meaning stays
in the governance / domain / package / CCL layers. The kernel receives primitive
KernelEffects only and enforces them blindly.
Mapping to existing seams
This spec is doctrine over the existing object model, not new machinery. Each stage of the circuit binds to seams that already exist:
| Circuit stage | Existing seam(s) | Source |
|---|---|---|
| authority basis | AuthorityGrant, TypedScope, Mandate, standing |
icn-governance/src/authority.rs, icn-governance/src/mandate.rs; ADR-0019 |
| adopted policy | InstitutionalDomain, DomainPolicy, CCL policy registry / evaluator selection |
icn-governance/src/institutional_domain.rs; institutional-domain.md, ccl-policy-registry.md |
| bounded effect | EffectManifest → KernelEffect |
icn-governance/src/effect_manifest.rs, icn-kernel-api/src/effects.rs; effect-dispatch-contract.md |
| receipt | GovernanceDecisionReceipt, InstitutionalEffectRecord, EffectDispatchEvidence |
icn-governance/src/proof.rs, apps/governance/src/institutional_effect.rs, apps/governance/src/dispatch_evidence.rs; ADR-0025, ADR-0026 |
| challenge / repair path | counter-effect / reversal / counter-receipt (RepairPower) | effect-dispatch-contract.md; ADR-0027 (action-card contract: mandate + reversibility + receipt before confirm) |
The constitutional object model (ADR-0014) and the authority-grant minting / mandate
persistence seam (ADR-0019) anchor the authority side; the institutional effect record
(ADR-0025) and receipt/provenance proof envelope (ADR-0026) anchor the receipt side. The
coop_id → EntityId resolver lane (RFC-0018; #2187–#2190) is the prerequisite that lets the
authority side name which entity an authority basis belongs to, fail-closed, with
provenance.
Power class → effect family (design level only)
This mapping is descriptive: it says which existing effect families a power class may produce, and under what gate. It introduces no new effect types and changes no dispatch code.
| Power class | May produce (effect families) | Only through |
|---|---|---|
GovernancePower |
policy / charter / binding / federation / config effects | an adopted governance procedure recorded as a GovernanceDecisionReceipt |
ContributionPower |
treasury / ledger / clearing effects | an adopted contribution DomainPolicy + receipts (never a direct ledger/treasury bypass) |
ProtectivePower |
temporary membership / resource / control / dispute effects | a scoped authority with an expiry and a review obligation at creation |
RepairPower |
dispute / reversal / compensation / standing effects | a due-process path with affected-party visibility, a receipt, and a challenge / reversal path |
Every row still traverses the full legitimacy circuit and obeys every invariant above. The table narrows which primitive effects are reachable; it does not loosen how they are authorized.
What this spec is not
- Not runtime implementation. No code, no schemas, no wire formats, no CCL grammar changes.
- Not a route, auth-behavior, or token-issuance change.
- Not a redefinition of the meaning firewall, the policy-oracle pattern, the kernel/app boundary, or the effect dispatch chain; where this spec touches them, existing canon remains authoritative.
- Not a package-vocabulary surface: a specific institution's role names, ceremonies, and fixtures stay in their own repositories.
- Not a production, pilot, live-federation, NYCN, or complete-API readiness claim.
- Not closure of any implementation issue.
Relationship
- Refs RFC-0018 (entity-aware request authorization) and the A2 resolver lane #2187, #2188, #2189, #2190.
- Refs ADR-0014 (constitutional object model), ADR-0019 (authority-grant minting + mandate persistence seam), ADR-0025 (institutional effect record canonical schema), ADR-0026 (receipt & provenance proof envelope), ADR-0027 (action-card contract).
- Refs sibling specs: institutional-domain.md, effect-dispatch-contract.md, ccl-policy-registry.md, governed-service-binding.md.
- Refs #2061, #2080, #1868, #2082 (entity-aware authorization / trusted issuance / scope decomposition / coop↔entity mapping — the authority-side work this doctrine governs).