Mechanism Design Protocol
Phase 5 — Regulatory compliance layer: NormfallAlert + FiduciaryScope

TokenGov

Mechanism Design for AI Token Allocation

A dynamic, incentive-compatible allocation protocol operating across multiple AI accounts. Replaces static priority scoring with reputation-driven budgets, cross-account deduplication, and formally verified invariants.

8 Lean 4 Invariants · 17 Elixir Modules · 4 Account Types · 1,209 Line Spec

Why Static Allocation Fails

Current token allocation relies on static priority scoring that ignores feedback, value translation, and cross-account dynamics. Three fundamental failure modes emerge.

Absence of Feedback
WSJF assigns priority at intake. Once dispatched, no signal returns. An agent that wastes budget receives the same allocation next period as one that delivers under budget.
Absence of ROI Translation
Development investment (tokens spent) is not mapped to business outcomes (revenue, citations, adoption). No mechanism can rationally allocate without this translation.
Absence of Cross-Account Coordination
Four accounts managed as silos create duplication (same task solved twice), starvation (high-priority tasks idle on empty accounts), and fragmented context (reasoning rebuilt from scratch).

The Protocol

TokenGov adapts classical mechanism design to a non-monetary, repeated-game setting where AI agents compete for token budgets.

Direct Mechanism
Myerson 1981
Agents hold private information about task difficulty and expected value. TokenGov constructs allocation and punishment rules so that truthful reporting is the dominant strategy. The mechanism is direct: agents report types, and the protocol computes allocations — no strategic gaming improves outcomes.
Four Guarantees
Incentive Compatibility
Truth-telling is the equilibrium strategy
Individual Rationality
No agent falls below the budget floor
Budget Balance
Total allocated ≤ total available
Allocative Efficiency
Tokens flow to highest marginal ROI
Reputation Currency
Not monetary transfers but reputation that intermediates between past performance and future allocation. Analogous to VCG redistribution adapted to a non-monetary, repeated-game setting. Reputation decays without activity and compounds with consistent delivery — creating a natural incentive gradient without explicit penalties.

Core Data Structures

Three Elixir structs form the backbone: accounts model provider capacity, reputation tracks agent performance, and decisions record per-period allocations.

Module                          Description
TokenAccount                    Provider account record — quota, owner, efficiency prior.
ReputationLedger                Agent reputation score, history, and capability envelope.
AllocationDecision              Per-period allocation record with yoneme registry and budget map.
TokenGov.PIIVault               Tokenization and PII classification — raw PAN/PII never reach AI agents.
TokenGov.AMLMonitor             CTR/structuring/velocity rules, SAR SLA, IVMS-101 Travel Rule.
TokenGov.HumanReviewQueue       Mandatory HITL gate with SLA tracking for AML and adverse decisions.
TokenGov.DataRetentionEngine    Policy-driven retention: 6yr (FINRA), 5yr (BSA), 3yr (SEC), 12mo (PCI).
TokenGov.RegulatoryExportAPI    Search/retrieve records for regulator production with HMAC integrity verification.
TokenGov.NormfallAlert          Regulatory norm monitor — tracks struck/active norms, surfaces normfall conditions before advice synthesis. (Phase 5)
token_account.ex
%TokenAccount{
  id: account_id,
  provider: :anthropic | :openai,
  owner: :personal | :legalengine,
  quota_remaining: non_neg_integer(),
  efficiency_prior: float()
}
reputation_ledger.ex
%ReputationLedger{
  agent_id: agent_id,
  score: float(),        # r ∈ [0, 1]
  history: [%TaskOutcome{}],
  capability_envelope: %CapabilityEnvelope{}
}
allocation_decision.ex
%AllocationDecision{
  period: period_id,
  budgets: %{agent_id => budget},
  yoneme_registry: %{task_hash => account_id},
  total_allocated: non_neg_integer()
}

How It Works

Six phases per allocation period. Each step feeds forward into the next, creating a closed-loop feedback system.

01 Task Intake
WSJF scoring augmented with temporal decay and cross-account awareness. Tasks are fingerprinted for deduplication via yoneme tokens before entering the allocation queue.
02 Budget Computation
Reputation-weighted allocation proportional to projected ROI. Each agent's budget is computed as a function of their reputation score and the expected marginal value of the next token.
03 Execution
Agent operates within its capability envelope and budget ceiling. The capability envelope defines what classes of tasks an agent may attempt — preventing overreach and ensuring specialisation.
04 Outcome Observation
ROI oracle measures actual value delivered against tokens consumed. Outcomes are recorded with evidence hashes for auditability — forming a groundtrace.
05 Reputation Update
Bayesian update of the agent's reputation score. The posterior reputation combines the prior (historical performance) with the likelihood (current period outcome), weighted by observation precision.
06 Punishment / Reward
Bounded multi-level regime: budget adjustment for minor deviations, capability contraction (driftlock) for sustained underperformance, and circuit breaker for catastrophic waste.

Four Accounts, One Protocol

TokenGov unifies four separate AI accounts under a single allocation protocol, eliminating silos and enabling optimal resource distribution.

Yoneme Deduplication
Cross-account task identity tokens ensure no task is solved twice. Each task receives a unique hash that maps to exactly one executing account.
Ergotropy Rebalancing
Usable work capacity is measured per account and tokens flow from over-provisioned accounts to under-provisioned ones in real time.
Unified Task Registry
A single registry tracks all tasks across accounts, enabling global optimisation and preventing context fragmentation.
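One way to make the "exactly one executing account" property of Yoneme Deduplication hold under concurrent claims, as an added example that is not TokenGov's own code. The module name, table name, task shape and canonical form (case-folded, whitespace-collapsed prompt) are assumptions made for this sketch.

```elixir
defmodule YonemeSketch do
  # Added illustration; names and the canonical form are assumptions.
  @table :yoneme_registry_sketch

  def init, do: :ets.new(@table, [:set, :public, :named_table])

  # Fingerprint a task so that formatting differences alone do not
  # produce a second identity for the same work.
  def fingerprint(%{kind: kind, prompt: prompt}) do
    normalised = prompt |> String.downcase() |> String.split() |> Enum.join(" ")
    :crypto.hash(:sha256, "#{kind}\n#{normalised}") |> Base.encode16(case: :lower)
  end

  # :ets.insert_new/2 is atomic, so when several accounts race to claim the
  # same hash exactly one insert succeeds and the rest learn who owns it.
  def claim(task, account_id) do
    hash = fingerprint(task)

    if :ets.insert_new(@table, {hash, account_id}) do
      {:ok, hash}
    else
      [{^hash, owner}] = :ets.lookup(@table, hash)
      {:duplicate, owner}
    end
  end
end

# Constructed sample: four accounts try to claim the same task concurrently.
YonemeSketch.init()
task = %{kind: :summarise, prompt: "Summarise   the Q3 filings"}

results =
  for account <- [:acct_1, :acct_2, :acct_3, :acct_4] do
    Task.async(fn -> YonemeSketch.claim(task, account) end)
  end
  |> Enum.map(&Task.await/1)

IO.inspect(results, label: "claims")
IO.inspect(Enum.count(results, &match?({:ok, _}, &1)), label: "winning claims")
```

A read-then-write check (`lookup` followed by `insert`) would leave a window in which two accounts both see the hash as unclaimed; the single atomic insert closes it.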

What Gets Proved

Eight invariants formally stated in Lean 4 and checked against the Elixir implementation. Together they guarantee safety, liveness, and normative integrity of the allocation protocol.

INV-01 Budget Conservation: ∑ allocated ≤ ∑ available
INV-02 Reputation Boundedness: ∀ agent: 0 ≤ r ≤ 1
INV-03 Budget Floor: ∀ agent: budget ≥ min_viable_budget
INV-04 Monotone Allocation: r₁ > r₂ ⇒ alloc(r₁) ≥ alloc(r₂)
INV-05 Bounded Punishment: severity ≤ ceiling_per_period
INV-06 Yoneme Uniqueness: ∀ h: |accounts(h)| = 1
INV-07 Circuit Breaker Termination: ∃ n < ∞: suspend_in(n)
INV-08 Normative Integrity: Synthesis cannot proceed when active regulatory norms in the relevant domain have been struck. NormfallAlert detects divergence between the internal deontic model and the external regulatory corpus — if a struck norm is active in the domain, the pipeline halts before advice synthesis begins.
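A sketch of phases 02 and 05 with runtime checks for INV-01 to INV-04, added here as an example and not taken from the TokenGov code base or its Lean 4 specification. The page does not give the update or allocation formulas, so the precision-weighted mean and the floor-plus-proportional split below are assumptions, as are all names.

```elixir
defmodule AllocationSketch do
  # Added illustration. The update and split formulas are assumptions.

  # Phase 05: precision-weighted mean of prior and observed outcome. The clamp
  # keeps INV-02 (0 <= r <= 1) even if an oracle reports an out-of-range outcome.
  def update_reputation(prior, prior_prec, outcome, obs_prec)
      when prior_prec > 0 and obs_prec > 0 do
    posterior = (prior_prec * prior + obs_prec * outcome) / (prior_prec + obs_prec)
    posterior |> max(0.0) |> min(1.0)
  end

  # Phase 02: each agent gets the floor (INV-03); the rest is split in
  # proportion to reputation and rounded down, which keeps the total within
  # `available` (INV-01) and preserves reputation order (INV-04).
  def allocate(reputations, available, min_budget) do
    n = map_size(reputations)

    if n == 0 or available < n * min_budget do
      {:error, :insufficient_budget}
    else
      pool = available - n * min_budget
      total_r = reputations |> Map.values() |> Enum.sum()

      budgets =
        Map.new(reputations, fn {agent, r} ->
          share = if total_r > 0, do: trunc(pool * r / total_r), else: 0
          {agent, min_budget + share}
        end)

      {:ok, budgets}
    end
  end

  # Runtime check of INV-01, INV-03 and INV-04 on a computed allocation.
  def invariants_hold?(budgets, reputations, available, min_budget) do
    by_rep = Enum.sort_by(reputations, fn {_agent, r} -> r end, :desc)
    allocs = Enum.map(by_rep, fn {agent, _r} -> Map.fetch!(budgets, agent) end)

    Enum.sum(Map.values(budgets)) <= available and
      Enum.all?(Map.values(budgets), &(&1 >= min_budget)) and
      allocs == Enum.sort(allocs, :desc)
  end
end

# Constructed sample: agent_b over-delivers this period, then budgets are set.
reps = %{"agent_a" => 0.9, "agent_b" => 0.5, "agent_c" => 0.1}
reps = Map.update!(reps, "agent_b", &AllocationSketch.update_reputation(&1, 4.0, 1.0, 1.0))
{:ok, budgets} = AllocationSketch.allocate(reps, 100_000, 2_000)
IO.inspect(budgets, label: "budgets")
IO.inspect(AllocationSketch.invariants_hold?(budgets, reps, 100_000, 2_000), label: "invariants")
```

Refusing to allocate when the floor cannot be met for every agent is what lets INV-01 and INV-03 hold together; silently shrinking the floor would trade one invariant for the other.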


Enterprise Compliance

6 compliance modules built into TokenGov's governance layer. 388 tests total. Covers BSA/AML, GDPR, PII protection, human-in-the-loop controls, regulatory production, and normative integrity monitoring.

388 Total Tests · 6 Compliance Modules · 9 Regulations Covered
PIIVault
π 85.1
GDPR Art.22 CCPA ADMT PCI DSS
Tokenization + PII classification + context window redaction. Raw PAN/PII never reach AI agents.
AMLMonitor
π 82.9
BSA FinCEN
CTR/structuring/velocity rules. SAR 30-day SLA. IVMS-101 Travel Rule formatting for crypto transfers.
HumanReviewQueue
π 76.8
FINRA 3110 SR 11-7 GDPR
Mandatory HITL gate with SLA tracking. AML alerts and adverse decisions require human approval before execution.
DataRetentionEngine
π 68.9
FINRA 4511 PCI GDPR
Policy-driven retention: 6yr (FINRA), 5yr (BSA), 3yr (SEC), 12mo (PCI). GDPR erasure request handling.
RegulatoryExportAPI
π 64.2
SEC 17a-4 FINRA
Search/retrieve records for regulator production. HMAC integrity verification. FINRA 4511 search index.

Normative Compliance

TokenGov monitors for divergence between its internal deontic model and the external regulatory corpus. When a norm that was active in the model is suspended or struck externally — a normfall condition — synthesis is halted before any advice proceeds.

NormfallAlert
Phase 5A
DOL Fiduciary SEC AI Gov FINRA Agentic AI
Regulatory norm monitor. Tracks struck and active norms across domains, surfaces normfall conditions before advice synthesis. Synthesis is halted if a struck norm is active in the relevant domain.
Tracked Norms
Norm ID                    Status    Severity
DOL_FIDUCIARY_RULE_2024    struck    critical
SEC_AI_GOVERNANCE_2026     active    high
FINRA_AGENTIC_AI_2026      active    high
API
check(domain), check_all(), norm_status(norm_id)
CSC.FiduciaryScope
Phase 5B
SEC/FINRA MiFID II FCA
Licensed operator wrapper for fiduciary deployment. A deploying firm's FiduciaryScope checks TokenGov normfall state at authorise/2 time. If struck norms are active in the scope's domains, synthesis is halted before it begins.
Enforced Keys
  • licensed_entity — firm accepting fiduciary responsibility
  • authorised_action_set — explicit autonomous action list
  • escalation_contact — email/webhook for halts
  • jurisdiction — governing regulatory regime
  • normfall_domains — domains to monitor
  • liability_acceptance_hash — SHA-256 of signed document
Cross-stack: check_normfall/1 calls TokenGov.NormfallAlert.check_all/0 at every authorise/2 invocation.
Motivating Example — DOL Fiduciary Rule Collapse (2026-03-18)
On March 18, 2026, the DOL fiduciary rule was struck. An AI system operating under the old deontic model after that date would produce retirement advice grounded in a norm that no longer exists — a normfall condition. NormfallAlert surfaces this divergence the moment the rule is struck, halting synthesis in any domain relying on DOL_FIDUCIARY_RULE_2024 until the deontic model is updated. The stack does not silently produce non-compliant advice.
normfall_alert.ex — NormfallAlert API
# Check before advice synthesis in retirement domain
case TokenGov.NormfallAlert.check("retirement_advice") do
  {:ok, :no_normfall} ->
    proceed_with_synthesis()
  {:halt, :normfall_detected, alerts} ->
    surface_normfall_alert(alerts)
    # DOL_FIDUCIARY_RULE_2024 struck 2026-03-18 — halt synthesis
end
FINRA, SEC, SOC2, BSA/AML, PCI-DSS, GDPR, SR 11-7, DOL Fiduciary, SEC AI Gov 2026
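The FiduciaryScope gate described above, sketched as a fail-closed authorise/2 that checks the enforced keys and the normfall state on every call. This is an added example, not CSC.FiduciaryScope's code: the module name, return shapes, the local norm table standing in for TokenGov.NormfallAlert.check_all/0, and every domain name other than "retirement_advice" are assumptions.

```elixir
defmodule FiduciaryScopeSketch do
  # Added illustration, not CSC.FiduciaryScope's code. Key names are the page's.
  @enforce_keys [:licensed_entity, :authorised_action_set, :escalation_contact,
                 :jurisdiction, :normfall_domains, :liability_acceptance_hash]
  defstruct @enforce_keys

  # Assumed stand-in for NormfallAlert state. Norm IDs and statuses are the
  # page's; domains other than "retirement_advice" are constructed.
  @norms %{
    "DOL_FIDUCIARY_RULE_2024" => %{status: :struck, domain: "retirement_advice"},
    "SEC_AI_GOVERNANCE_2026" => %{status: :active, domain: "investment_advice"},
    "FINRA_AGENTIC_AI_2026" => %{status: :active, domain: "brokerage"}
  }

  # A scope that monitors no domains is rejected, not treated as clean.
  def check_normfall(%__MODULE__{normfall_domains: [_ | _] = domains}) do
    struck = for {id, %{status: :struck, domain: d}} <- @norms, d in domains, do: id
    if struck == [], do: {:ok, :no_normfall}, else: {:halt, :normfall_detected, struck}
  end
  def check_normfall(%__MODULE__{}), do: {:error, :no_normfall_domains}

  # Fail closed: anything other than a clean pass on every check halts.
  def authorise(%__MODULE__{} = scope, action) do
    with :ok <- check_hash(scope.liability_acceptance_hash),
         :ok <- check_action(scope, action),
         {:ok, :no_normfall} <- check_normfall(scope) do
      {:ok, action}
    else
      {:halt, :normfall_detected, ids} -> {:halt, {:normfall, ids}, scope.escalation_contact}
      other -> {:halt, other, scope.escalation_contact}
    end
  end

  # A SHA-256 digest in hex is exactly 64 hex characters.
  defp check_hash(h) when is_binary(h) do
    if h =~ ~r/\A[0-9a-fA-F]{64}\z/, do: :ok, else: {:error, :bad_liability_hash}
  end
  defp check_hash(_), do: {:error, :bad_liability_hash}

  defp check_action(scope, action) do
    if action in List.wrap(scope.authorised_action_set), do: :ok, else: {:error, :not_authorised}
  end
end

# Constructed sample scope; the hash is a placeholder, not a real digest.
scope = struct!(FiduciaryScopeSketch,
  licensed_entity: "Example Advisers Ltd", authorised_action_set: [:draft_summary],
  escalation_contact: "compliance@example.com", jurisdiction: "US",
  normfall_domains: ["retirement_advice"], liability_acceptance_hash: String.duplicate("ab", 32))
IO.inspect(FiduciaryScopeSketch.authorise(scope, :draft_summary), label: "retirement scope")
IO.inspect(FiduciaryScopeSketch.authorise(%{scope | normfall_domains: ["brokerage"]}, :draft_summary), label: "brokerage scope")
```

The catch-all `other` clause is what makes the gate fail closed: an unexpected return from any check ends in a halt with the escalation contact, not in a `WithClauseError` or an implicit pass.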

Lexicon

Coined terms for concepts that don't have standard names. Each captures a precise operational meaning within the TokenGov protocol.

ergotropy
Usable work capacity of a token account; complement of entropy-equivalent idle quota.
tersiture
Value delivered per token consumed; the quality measure.
loquency
Token-per-output-unit rate; high loquency is penalised.
yoneme
Cross-account task identity token for deduplication.
groundtrace
Verified chain of task outcomes with evidence hashes.
driftlock
Capability envelope reduced to minimum floor.
normfall
Collapse or suspension of a normative constraint in the external regulatory environment; divergence between the internal deontic model and the active regulatory corpus. NormfallAlert surfaces this condition before synthesis proceeds.
witnesshood
Property of a task outcome being externally verifiable.
chorema
Bounded normative act-space; autonomy radius.
promptome
Complete set of system-prompt variants; context fingerprint.

Part of a Larger Stack

TokenGov is one layer in a formally verified AI governance architecture. Each system handles a distinct concern.

CSC
Composable Skill Compiler for verified agent pipelines. Compiles capability specifications into executable skill graphs.
Elan
CompanyAsCode orchestrator and runtime for TokenGov. Manages the lifecycle of allocation periods and agent registration.
EconLib4
Formalised economics library providing the theoretical foundations. Lean 4 proofs of mechanism design theorems.
LegalLean
Formal legal reasoning system. Ensures allocation decisions comply with regulatory constraints.
CCAP
ClawCombinator Agent Protocol. The reputation bridge that connects agent identity across systems.