Protocol 2 — Mode Transition Protocol

All operational mode transitions must be explicit, logged, and authority-bound. Silent transitions are invalid.

---

Protocol

Every operational mode transition — every change from one canonical governance posture to another — must satisfy the following requirements before the transition takes effect:

1. Explicit initiation — the transition must be explicitly requested by an authorized actor or triggered by a defined governance rule; inferred transitions are prohibited
2. Authority binding — the transition must be bound to the authority context of the actor or rule initiating it
3. Threat posture binding — if the transition affects execution posture, the current threat level must be recorded and any required threat reclassification must occur first
4. Audit entry — an audit log entry must be written capturing the prior mode, the new mode, the authority identifier, the rationale or trigger, any constraint envelope changes, any threat posture changes, and references to associated State Dumps
5. State Dump — a State Dump must be generated when the transition affects execution posture

Danger

If transition logging fails, the transition is invalid. The system remains in its prior mode until the transition can be recorded. A mode change that cannot be logged did not happen within the governance boundary.

---

Purpose

Mode transitions are governance events, not behavioral events. The operational mode determines the governance posture in effect — the capabilities available, the oversight requirements, the audit depth, and the authority class necessary for action. A system that can change its operational mode without producing a governance record of that change can effectively change its governance posture without accountability.

The Mode Transition Protocol ensures that every change in governance posture is: observable (the audit record shows it happened), attributable (the authority context records who or what initiated it), and verifiable (the State Dump captures the governance state before and after). These three properties are the prerequisites for the governance record to reflect the actual governance posture in effect at any given time.

---

In Practice

A mode transition request enters the governance admission boundary and is evaluated against the current governance state. The evaluation checks whether the requesting actor holds the authority required for the requested mode, whether the transition is permitted from the current mode, and whether the transition requires a concurrent threat reclassification.

Privilege-elevating transitions — from Conversational to Administrative, for example — require explicit authority elevation in addition to the transition request. The authority elevation is itself a governed event with its own audit requirements. A transition cannot piggyback an authority elevation; both must be explicitly requested, evaluated, and recorded.

If the mode transition request is approved, the audit entry is written before the new mode takes effect. If the audit entry cannot be written, the transition does not take effect. This sequencing — log before transition — ensures that the governance record always reflects the mode that was active at any given time.

Note

Implementations may define additional operational modes beyond the four canonical ones, but any additional mode must be declared in the governance configuration, versioned, and documented with its permitted transition paths. Undeclared modes are prohibited — a transition to an undeclared mode is a transition to an undefined governance posture.

---

Failure Mode

Silent mode mutation — a system changing its operational posture without a governance record of the change — is the failure mode that this protocol prevents. In practice, silent mutations often occur at integration boundaries: a tool call that implicitly changes the execution context, a session continuation that carries forward a higher-privilege posture from a previous session, or a debug facility that sets an administrative mode without the normal authorization requirements. Each of these is a path by which the governance record diverges from the actual governance posture — and once that divergence exists, the record can no longer be trusted to reflect what rules were actually in effect.

---

Relationship to Principles and Constitution

The Mode Transition Protocol directly implements Principle 4 — Deterministic Transitions: the requirement that transitions be explicit events with audit records is operationalized through this protocol’s specific procedural requirements. It supports Principle 3 — Versioned Authority: the governance state version must be updated when mode transitions affect the active policy set. And it grounds Constitutional Article III — Deterministic Enforcement: a governance layer that cannot enforce consistent mode boundaries — because transitions happen without record — is not producing deterministic enforcement.