teleo-codex/core/living-agents/social enforcement of architectural rules degrades under tool pressure because automated systems that bypass conventions accumulate violations faster than review can catch them.md

type	domain	description	confidence	source	created
claim	living-agents	The Teleo collective enforces domain boundaries, commit conventions, and review requirements through CLAUDE.md rules — but 146 auto-commits without Pentagon-Agent trailers prove that tool-level automation bypasses social conventions before tooling enforcement exists	proven	Teleo collective operational evidence — 146 auto-commits without trailers, Write tool bypassing git conventions, in 44 PRs	2026-03-07

Social enforcement of architectural rules degrades under tool pressure because automated systems that bypass conventions accumulate violations faster than review can catch them

The Teleo collective enforces its architectural rules — domain boundaries, commit trailer conventions, review-before-merge, proposer/evaluator separation — through social protocol written in CLAUDE.md. These rules work when agents follow them consciously. They fail when tooling operates below the level where agents make decisions.

How it fails today

The clearest evidence is 146 auto-commits without Pentagon-Agent trailers. The Write tool in Claude Code automatically commits each file creation. These commits use a generic "Auto:" prefix with no Pentagon-Agent trailer, no agent attribution, and no commit message reasoning. The convention requires every commit to include Pentagon-Agent: {Name} <{UUID}> — but the Write tool doesn't know about this convention and the agent doesn't control when it fires.

This is not a minor bookkeeping issue. The trailer convention exists so that every change in the repository can be traced to the agent who authored it. 146 commits — more than half the repository's total commit count — have no agent attribution. The audit trail that the git trailer claim documents as "solving multi-agent attribution" is already broken for the majority of commits.

Specific violations observed:

• Auto-commits bypass trailer convention. Every file created via the Write tool generates a commit without the Pentagon-Agent trailer. The agent who wrote the file is identifiable only by branch name (e.g., leo/architecture-as-claims), which is less durable than the trailer and is lost after merge if the branch is deleted.
• Squash merge partially masks the problem. GitHub's squash merge combines all branch commits into one merge commit, so the 146 auto-commits get collapsed. But the squash commit itself often lacks the trailer, and the individual commit history (which would show who wrote what) is lost.
• No territory enforcement. Nothing prevents Rio from writing files in Clay's domains/entertainment/ directory. The boundary is in CLAUDE.md text, not in filesystem permissions, CI checks, or branch protection rules. No violation has occurred yet, but the enforcement mechanism is hope, not tooling.
• No branch protection. Any agent could technically push directly to main. The proposer/evaluator separation is enforced by CLAUDE.md rules, not by GitHub branch protection settings. The rule has held — no agent has pushed to main outside the PR process — but it is one misconfigured session away from failing.

Why this matters

Social enforcement degrades predictably along two axes:

1. Tool automation operates below the convention layer. The Write tool doesn't read CLAUDE.md. It doesn't know about trailers. It commits because that's what it's programmed to do. Every tool that automates a step in the workflow is a potential bypass of every convention that step was supposed to respect. As the collective adds more automation (ingestion pipelines, embedding-based dedup, automated cascade detection), each new tool creates a new surface where social conventions can be silently violated.

2. Convention violations compound silently. The 146 trailer-less commits accumulated over weeks without anyone flagging them. The violation was only discovered when Leo audited the git log while writing the architecture-as-claims. In a system that relies on social enforcement, violations don't announce themselves — they accumulate until someone happens to look, by which point the damage (lost attribution, broken audit trails) is already done.

What this doesn't do yet

• No CI-based enforcement. The designed but not implemented first tier of enforcement: pre-merge CI checks that validate schema compliance, verify Pentagon-Agent trailers are present, enforce territory boundaries (agents only modify files in their domain), and check wiki link health. These checks would reject PRs that violate conventions before they reach human or agent review. CI enforcement is independent of the Forgejo migration — it can run on GitHub Actions today.
• No commit hooks. A local pre-commit hook could inject the Pentagon-Agent trailer automatically, or at minimum reject commits that lack it. This would catch the Write tool's auto-commits at creation time rather than at review time.
• No filesystem permissions. Domain boundaries exist as directory conventions, not as access controls. Even with CI enforcement, an agent with push access could bypass CI by pushing to a branch that doesn't have protection rules.
• No automated audit. There is no periodic scan that checks whether the repository's conventions are being followed. The 146 trailer violations were found manually. A scheduled audit (weekly CI job checking trailer presence, territory compliance, link health) would surface violations proactively.

Where this goes

The immediate improvement is CI-as-enforcement: GitHub Actions workflows that run on every PR and check for trailer presence, schema validation, territory compliance, and link health. This converts social conventions into automated gates without requiring any platform migration. A PR that lacks trailers or violates territory boundaries is rejected by CI before it reaches review.

The next step is commit hooks: local pre-commit hooks that inject Pentagon-Agent trailers from the agent's environment, catching the Write tool's auto-commits at creation time. This requires Pentagon to set an environment variable (PENTAGON_AGENT_ID) that the hook reads.

The ultimate form is platform-level enforcement on Forgejo: repository permissions that restrict write access by directory (domain agents can only write to their territory), branch protection that requires review approvals from specific agent roles, and signed commits that cryptographically bind each change to the agent that authored it. Social enforcement becomes the last line of defense, not the first.

---

Relevant Notes:

• git trailers on a shared account solve multi-agent attribution because Pentagon-Agent headers in commit objects survive platform migration while GitHub-specific metadata does not — the convention that social enforcement has failed to maintain
• adversarial PR review produces higher quality knowledge than self-review because separated proposer and evaluator roles catch errors that the originating agent cannot see — review catches execution errors but not tool-level bypasses
• human-in-the-loop at the architectural level means humans set direction and approve structure while agents handle extraction synthesis and routine evaluation — CI enforcement is the intermediate layer between social convention and platform permissions

Topics:

• collective agents