Essay
PAAS — Anti-Capture Properties
Why attacking or infiltrating a PAAS community is structurally futile
Most governance systems face a direct tradeoff: open systems are easy to infiltrate, amorphous systems have no stable structure to defend, and fluid membership means no institutional memory to detect patterns. PAAS inverts each one. Six structural layers make attacking or infiltrating a PAAS community genuinely difficult, and they reinforce each other.
The Six Layers
1. Influence Acquisition Is Expensive
Unlike token-weighted systems where you can buy governance weight, PAAS influence requires either costly external credentials (W_h) or sustained peer-reviewed contribution (W_s). You can't purchase either quickly. W_s especially is slow to accumulate — it's gated by formal reviewer pools who themselves need competence, and capped at 120pts per event with an audit trigger at 50pts.
The economics are straightforward: accumulating enough W_s to matter takes months of visible, reviewable contribution. Each contribution is assessed by reviewers whose identities you cannot determine. There is no shortcut, no marketplace, no way to front-load influence.
2. The Audit Layer Doesn't Sleep
An aSTF is embedded in every Circle and rotates frequently — typically 2–6 weeks. The composition is randomised and biased toward filling domain gaps, so you can't predict who will review your Circle's decisions. You also can't be on both sides of the audit relationship simultaneously.
This means any influence you accumulate is reviewed by someone you didn't choose, on a schedule you don't control, with domain expertise you can't predict. The audit isn't a periodic event — it's a continuous structural condition.
3. Collusion Is Detectable
The Integrity Engine runs continuous anomaly detection looking for correlated voting patterns, auditor-auditee statistical correlation across multiple STFs, and suspicious competence trajectories. A coordinated ring attempting to endorse each other's W_s upward leaves exactly the kind of statistical signature that triggers a flag and a Judicial STF.
The detection doesn't require anyone to be suspicious. It's automated, continuous, and structural. Colluders don't need to be caught in the act — their pattern of behaviour produces a statistical trace that becomes visible over time.
4. The Judicial Track Is High-W_h Gated
Even if you captured a Circle, escalating or blocking accountability mechanisms requires passing through Meta-aSTFs selected from members with W_h ≥ 2400 in legal, ethics, and governance domains. Those credentials are externally verified and can't be manufactured internally.
The judicial track is the backstop. It's gated by the kind of competence that takes years to earn and that the system doesn't produce internally — it requires external verification. You can't create fake credentials for the people who adjudicate the system's highest-stakes accountability processes.
5. STF Reviewer Identities Are Permanently Sealed
You can't identify who is auditing you to apply pressure. The only unsealing conditions are malpractice findings or judicial penalties — both of which require their own high-stakes processes.
This eliminates the social attack vector entirely. You can't lobby, threaten, or co-opt reviewers you can't identify. The anonymity isn't a feature layered on top — it's structural. The system's audit function operates in a space where social pressure cannot reach.
6. Dissolving Oversight Isn't Straightforward
The System Custodian Circle holds no system write access — the Integrity Engine holds the keys exclusively. Flushing or capturing any single Circle doesn't give you the ability to change system parameters. That requires an enacted Resolution with a completed Gate 2 diff.
There is no single point of failure. Capturing a Circle captures a Circle — nothing more. The system's parameters, its audit logic, its integrity checks are all held by the Integrity Engine, which no Circle can modify unilaterally.
The Paradox of Open, Amorphous, Yet Not Capturable
In most governance designs, these properties trade off directly against each other:
| Property | Usual Assumption | PAAS Inversion |
|---|---|---|
| Open | Easy to infiltrate | More eyes, more reviewers, more aSTF pool diversity |
| Amorphous | No stable structure to defend | Capture targets are rotating and temporary |
| Fluid membership | No institutional memory | The Integrity Engine carries everything |
Openness is a trap for attackers. The Commons is open, Cells are open, curiosity-matching pulls in diverse participants. But openness means more eyes, more reviewers, more aSTF pool diversity. The more open the deliberation, the harder it is to control who shows up with relevant competence to audit you.
Amorphousness makes capture targets unstable. In a fixed hierarchy you identify the chokepoint — the VP, the board seat, the treasury key — and you capture it. In PAAS the "chokepoint" is a rotating STF that dissolves in 6 weeks. By the time you've built the relationships to influence it, it no longer exists.
Fluidity preserves institutional memory precisely because humans don't carry it. The Integrity Engine holds everything. Members come and go but the ledger doesn't forget anomalous patterns, prior audit findings, or competence trajectories. A long-game infiltration attempt that spans multiple member rotations is visible in the record even if no individual human noticed it in real time.
The Two-Layer STF Enigma
Even if an attacker manages to map the aSTF composition through social inference — watching who becomes unavailable, reading activity patterns — the Gate 1 motion review STF is a completely separate, independently composed body. Two unknowns, sequenced.
And because composition is biased toward filling domain gaps in the deliberation record, the second body is partly shaped by what the first body's audit surfaces. The attacker isn't just facing two black boxes — the second box is partly defined by the first box's findings. That's a moving target that gets harder to predict the deeper into the process you go.
Identity Through Uncertainty
This doesn't require trust — it manufactures alignment through uncertainty. You don't need to believe reviewers are virtuous. You just need to accept that someone with relevant competence, whose identity you cannot determine, will assess what you did and why.
That's a structural incentive that works on self-interested actors just as well as principled ones. The anonymity isn't just protecting reviewers — it's disciplining participants. When you act, you must act in favour of the organisation, because your decisions will be reviewed by someone you cannot predict, who has the competence to find fault, and whose identity you will never know.
Organisational Identity Separated From Membership
Most organisations are effectively the shadow of whoever currently holds power. Their mandate drifts with leadership, their memory is selective, their identity is negotiated each time a new dominant coalition forms.
PAAS separates the organisation's identity from its current membership in a way that's structurally enforced rather than culturally aspirational. The founding tenets require a supermajority to amend. Resolutions are immutable — they can only be superseded, never erased. The ledger carries the full reasoning trail. The Circles hold mandate, not people.
So when the membership turns over — even completely — the organisation doesn't become a different organisation. It continues the same trajectory, with the same documented commitments, accountable to the same audit history. Change happens through the governed process, which means it leaves a record of why it happened and who argued for it.
The mandate evolves because the organisation genuinely encountered something that required evolution — and that encounter is in the ledger. Not because someone powerful decided it should.
Why Anti-Fragile, Not Just Secure
The deeper point is that PAAS doesn't rely on any single defence. Each mechanism compensates for the potential failure of others, which is why the paper frames it as anti-fragile rather than just secure — stress on the system tends to activate more scrutiny, not less.
The attacker is essentially funding the defence. Every attempt to accumulate influence produces auditable contributions. Every attempt to identify reviewers produces statistical noise. Every attempt to capture a Circle produces a documented record. The system doesn't just resist attack — it gets stronger from the attempt.
That's a fundamentally different relationship between an institution and adversarial pressure than most governance models achieve.