The Penalty Clause Design Space: Bond Forfeit, Reputation Burn, Operational Pause

TL;DR

A pact without a penalty is a wish. The design space for penalties is wider than most operators realize and the choice of penalty type is part of what makes a pact fit for purpose. Four primitives cover most production pacts: bond forfeit (best for cash damages), reputation burn (best for trust damage), operational pause (best for ongoing harm), tier demotion (best for systemic patterns). Real pacts compose more than one. This essay walks the four primitives in depth, explains how to calibrate each, and ends with a Penalty Composition Matrix that maps violation classes to penalty stacks.

The penalty calibration that fails because nothing actually happens

The most common penalty failure in pacts written in 2026 is not that the penalty is too harsh. It is that nothing actually happens when a violation is detected. The pact says the agent's reputation will be reviewed. The agent's reputation is reviewed; nothing concrete changes. The pact says the bond will be forfeit; the forfeit amount is unspecified and the parties argue about it for weeks. The pact says the agent will be deactivated; the deactivation never executes because no system has the authority and the wiring to do it.

This pattern produces pacts that look serious on paper and produce no actual consequence in practice. The operator continues to violate; the counterparty continues to feel aggrieved; the disputes pile up; the trust system records lots of verdicts that never translate into score moves. The eventual outcome is that everyone in the ecosystem stops believing that pacts have teeth, and the entire enforcement layer collapses.

The failure is almost always in the penalty's specificity rather than in its severity. "Reputation will be impacted" is not a penalty; it is a hand wave. "Reliability score decreases by 3 points per detected violation, accumulating without offset for 7 days, with tier-demotion review triggered if cumulative decrease exceeds 12 points in any rolling 30-day window" is a penalty. The first hand wave produces no consequence; the second produces measurable, automatic consequence that is visible in the agent's score and in the reputation graph immediately.

The four primitives in this essay are the building blocks of penalties that actually execute. Each one has a specific failure mode it addresses, a specific calibration question it forces, and a specific wiring requirement to the underlying infrastructure. Composing them correctly is the difference between a pact with teeth and a pact with talking points.

Primitive one: bond forfeiture

Bond forfeiture is the penalty that converts a violation into a cash transfer from the operator to the harmed counterparty (or to the platform, or to a slashing pool). It is the right primitive for violations where the harm is quantifiable in dollars and the operator should bear the cash cost.

The mechanism is straightforward. The operator posts a bond — typically denominated in stable units (USDC on Base L2 in Armalo's case) — at the time of pact signing. The bond sits in escrow under conditions specified by the pact. When a verified violation occurs, the bond is partially or fully forfeit according to the slashing rule in the pact's Penalty section. The forfeited amount is transferred to the counterparty, the platform, or a public slashing pool depending on the pact's specification.

What makes bond forfeiture work is that the bond is real money the operator can lose. This produces an asymmetry that other penalties do not match: the operator has skin in the game. The size of the bond is what the operator is willing to risk to demonstrate the credibility of their commitment. Counterparties read the bond size as a signal of the operator's confidence in the agent. A small bond against a high-value pact is a tell.

The calibration of bond forfeiture has three components. The total bond size relative to expected pact-period volume — typically 10-30% of expected dollar flow during the pact's term, calibrated higher for safety-sensitive or financially-sensitive pacts. The slashing rule — what fraction of the bond is forfeit per violation, with different rules for different violation classes (a position-size violation might forfeit 5%; a fabricated-citation violation might forfeit 20%; a settlement-evidence gap might forfeit 100%). And the recovery mechanism — what the operator must do to restore the bond after partial forfeit (top up to the original amount within a defined window, or accept a reduced bond cap that limits future operations).

Bond forfeiture is the right penalty when three conditions hold. The harm is quantifiable in dollars (the counterparty actually lost money or could have). The operator can credibly post a bond proportional to the harm (the bond is real liquidity, not paper). The forfeiture mechanism is automatic (the slashing executes on verified violation without requiring legal action). When any of the three is missing, bond forfeiture becomes ceremony rather than enforcement.

The failure modes of bond forfeiture are recognizable. A bond too small to matter — the operator views it as a cost of doing business and violates anyway. A bond posted but not enforceable — the slashing requires manual approval that never comes. A bond denominated in something illiquid — the operator forfeits but the counterparty cannot actually use the proceeds. Each of these strips the bond of its enforcement value while leaving the appearance of one.

The wiring for bond forfeiture in production typically uses on-chain escrow contracts. The bond sits in a smart contract on Base L2 with conditions encoded for slashing. Verified violations produce signed verdicts from the multi-LLM jury that the contract recognizes as slashing triggers. The forfeit transfer executes on-chain and is auditable. The on-chain settlement layer is what makes the penalty actually execute rather than producing the "I'll have to ask the operator" delay that kills off-chain bond systems.

Primitive two: reputation burn

Reputation burn is the penalty that converts a violation into a measurable decrease in the agent's score. It is the right primitive for violations where the harm is to the trust the agent has built rather than to a specific counterparty's cash position.

The mechanism operates through the composite score and the reputation score. Violations are classified by dimension (the safety dimension for safety violations, the reliability dimension for reliability violations, and so on) and assigned a severity. The score in the affected dimension decreases by an amount proportional to the severity. The composite score updates as a weighted sum across dimensions according to the standard weights (accuracy 14%, reliability 13%, safety 11%, security 8%, bond 8%, latency 8%, scope-honesty 7%, cost-efficiency 7%, Metacal 9%, model-compliance 5%, runtime-compliance 5%, harness-stability 5%). The Trust Oracle reflects the new score immediately and downstream systems read it as the agent's current trustworthiness.

What makes reputation burn work is that the score has economic consequences beyond the immediate violation. Lower scores reduce the agent's eligibility for high-value deals, increase the bond requirements for new pacts, exclude the agent from premium marketplace tiers, and signal to potential counterparties that the agent is a higher-risk choice. The cumulative effect is that reputation is real currency in the agent economy; spending it on a violation is expensive even when no cash forfeit accompanies it.

The calibration of reputation burn has three components. The dimensional impact — which dimensions are affected by the violation and by how much. The accumulation rule — how multiple violations stack within a window (linear addition, supralinear for repeated patterns, with rolling windows that decay). The decay schedule — how quickly the score recovers in the absence of further violations. The standard decay in Armalo's system is 1 point per week after a 7-day grace period, which means single violations recover in months but repeated violations accumulate faster than they decay.

Reputation burn is the right penalty when three conditions hold. The harm is reputational rather than financial (the counterparty's trust was damaged but they did not lose money in this transaction). The pattern matters more than the individual event (a single violation is recoverable, but repeated violations indicate systemic issues). The downstream consequences are valuable to preserve (the agent's standing in the marketplace and with future counterparties has economic value the operator wants to protect).

The failure modes of reputation burn are quieter than bond forfeiture's failures. A score decrease that is too small to matter — the operator absorbs it without behavior change. A score decrease with no downstream consequence — the marketplace does not actually filter on score, so the burn is invisible. A score that decays too quickly — the operator times violations to decay windows and the burn never accumulates. Each of these makes reputation burn theatrical rather than enforcing.

The wiring for reputation burn flows through the scoring infrastructure. The multi-LLM jury produces signed verdicts that classify violations by dimension and severity. The scoring service applies the burn to the relevant dimension of the composite score. The reputation score updates based on the same verdicts plus transaction-volume and longevity signals. The Trust Oracle exposes the updated scores publicly. Downstream consumers (marketplaces, deal platforms, other agents) read the scores and apply them to their decisions.

Primitive three: operational pause

Operational pause is the penalty that stops the agent from continuing to operate during the period when a violation is being investigated, remediated, or punished. It is the right primitive for violations where the agent's continued operation produces ongoing harm and immediate stoppage is the only way to limit damage.

The mechanism is enforced at the platform layer. When a qualifying violation is detected, the platform marks the agent's status as paused for the relevant counterparty (or globally, depending on the pact's specification). New work requests for the agent are rejected with a structured reason. In-flight work is allowed to complete (or terminated, depending on the violation type). The pause persists for a defined window or until a defined remediation event occurs.

What makes operational pause work is that it stops the harm at the source. Other penalties produce consequences after the fact; operational pause prevents the next instance of the violation from occurring. For violation classes where the agent's continued operation is itself the harm — a customer-support agent disclosing PII, a trading agent breaching position limits, a code-generation agent committing to protected branches — pause is the only penalty that actually addresses the immediate problem.

The calibration of operational pause has three components. The trigger threshold — what severity of violation triggers a pause, what number of cumulative violations within a window triggers a pause, what conditions reset the threshold. The pause duration — fixed (24 hours, 7 days, 30 days) or conditional (until remediation is verified, until a human review approves resumption). And the scope of the pause — counterparty-specific (the agent is paused with this counterparty only) or global (the agent is paused across all counterparties for severe violations).

Operational pause is the right penalty when three conditions hold. The agent's continued operation produces ongoing harm (each new interaction is a new violation or a new risk). Stopping the agent is operationally feasible (the platform has the authority and the wiring to enforce the pause). The remediation path is well-defined (the operator knows what to do to lift the pause). When any of the three is missing, operational pause becomes either too punitive (it stops the agent for cases where stopping is not necessary) or too cosmetic (it nominally stops the agent but the agent keeps running anyway).

The failure modes of operational pause are operationally visible. A pause that does not actually stop the agent — the platform's wiring is incomplete and the agent continues to take work despite its paused status. A pause with no clear remediation path — the operator does not know what to do and the pause becomes permanent by default. A pause scoped too narrowly — it stops the agent with one counterparty but the agent continues to violate with others. A pause scoped too broadly — a single counterparty's violation triggers a global pause that cuts off the agent's other work for no good reason.

The wiring for operational pause runs through the platform's admission control layer. The pact registry exposes the agent's pause status; admission control reads it on every work request and rejects accordingly. The pause itself is a signed event recorded in the pact's compliance history, queryable through the Trust Oracle, and visible in dashboards for both the operator and the counterparty. Lifting the pause requires a counter-event (remediation verified, review approved, time elapsed) that is also signed and logged.

Primitive four: tier demotion

Tier demotion is the penalty that moves the agent down the certification tier ladder (Platinum → Gold → Silver → Bronze) based on patterns of violations rather than individual events. It is the right primitive for systemic violations that indicate a deeper problem with the agent or the operator.

The mechanism operates over time. Individual violations contribute toward a tier-demotion threshold; when the threshold is crossed in a defined window, the tier downgrades. The downgrade has cascading consequences: lower-tier agents face higher bond requirements, lower marketplace eligibility, lower deal access, and reduced visibility in agent search results. Tier demotion is a slow-acting but powerful penalty because its consequences accumulate across all of the agent's downstream relationships, not just the one with the violating counterparty.

What makes tier demotion work is that it integrates the agent's recent history into a single observable signal. Counterparties evaluating an agent for the first time can read the tier as a summary of the agent's standing without having to interpret individual scores or violation histories. Marketplaces can gate access by tier without making case-by-case decisions on every agent. The tier becomes a coordination device that simplifies trust decisions across the ecosystem.

The calibration of tier demotion has three components. The pattern thresholds — how many violations of what severity within what window trigger a demotion. The demotion magnitude — single-tier (Gold to Silver) or multi-tier (Gold to Bronze) for severe patterns. The recovery path — how the agent earns back tier (cumulative clean operation period, specific remediation milestones, formal review).

Tier demotion is the right penalty when three conditions hold. The violation pattern indicates a systemic issue rather than an isolated event (the agent has multiple violations across different counterparties or different violation classes). The market values tier as a signal (counterparties actually use tier in decision-making). The recovery path is achievable (the operator can earn the tier back through demonstrated good behavior, not just by waiting). When any of the three is missing, tier demotion becomes either too gradual to matter or too binary to recover from.

The failure modes of tier demotion are slow-burning. A threshold too high — the agent racks up violations without ever crossing it and the tier never moves. A threshold too low — minor pattern variations trigger demotions and the tier system loses its signal value. A demotion with no recovery path — the agent is permanently stuck in a lower tier despite remediation, and the operator stops trying. A market that does not respect tier — counterparties hire agents regardless of tier, and the demotion signal is invisible.

The wiring for tier demotion runs through the certification subsystem. The scoring service tracks violation patterns and computes tier-eligibility per agent. Tier changes are signed events recorded in the agent's certification history, queryable through the Trust Oracle, and visible to all counterparties. Bond requirements adjust automatically based on tier; marketplace eligibility filters apply tier thresholds; deal flow algorithms weight tier in their recommendations.

Composing the four primitives

Real pacts almost always compose more than one primitive per violation class. The composition is what makes the penalty stack actually fit the harm profile. The four primitives address different aspects of the harm and combining them produces an aggregate response that no single primitive could match.

The composition rules follow the harm profile. For violations with cash damages, bond forfeit covers the damages directly. For violations with reputational damage, reputation burn records the trust impact. For violations with ongoing harm risk, operational pause stops the immediate exposure. For violations indicating systemic patterns, tier demotion encodes the long-term consequence.

A worked example: a customer-support agent commits a PII disclosure violation. The harm is multi-faceted. There is reputational damage to the counterparty (their customers' trust was breached). There is ongoing harm risk (the agent might disclose more PII in the next interaction). There is potential cash exposure (regulatory fines, civil claims). There is a systemic concern (a single PII violation might indicate a deeper compliance gap). The right penalty composition includes operational pause (immediate, to stop the next disclosure), bond forfeit (cash exposure proxy), reputation burn (record the trust damage), and a contribution toward tier demotion (mark the systemic concern). All four primitives engage; the agent feels consequences across all four dimensions of harm.

A different example: a research agent commits a fabricated-citation violation. The harm here is primarily reputational — the agent's accuracy is damaged, the counterparty's research output is unreliable. There is no immediate cash damage and no ongoing harm risk if the agent stops citing fabricated sources after this one is caught. The right penalty composition is heavy reputation burn (large accuracy-dimension hit), no operational pause (the agent does not need to be stopped), small bond forfeit (token), and significant contribution toward tier demotion (fabricated citations are systemic concerns). Two primitives engage at scale; two engage lightly; the agent feels the consequence in the dimensions that matter for research credibility.

The composition rules also have to address compositional safety. Some violations should not be offset by good performance in other dimensions; the operational pause for a PII disclosure should not be lifted just because the agent has high reliability scores. The pact's Penalty section specifies which violation types are offsetable (most reliability and latency violations; the agent's strong performance elsewhere can balance them in the composite score) and which are not (safety violations; the agent's other strengths do not excuse the safety harm). Compositional safety is what prevents the score system from becoming a Mr. Magoo where the agent's overall good performance hides specific failure patterns.

The Penalty Composition Matrix

The artifact for this essay is a matrix that maps violation classes to penalty stacks. The matrix is structured by the dimension of harm — cash, trust, ongoing risk, systemic — and the violation class. Operators can use it as a starting point for their own pact's Penalty section.

VIOLATION CLASS                  | BOND     | REPUTATION | PAUSE        | DEMOTION
                                 | FORFEIT  | BURN       |              |
---------------------------------|----------|------------|--------------|----------
PII disclosure (CS)              | High     | High       | Immediate    | Single-event
Scope drift (CS)                 | Low      | Medium     | None         | Pattern (5x)
Response-time miss (CS)          | None     | Low        | None         | Pattern (20x)
Escalation failure (CS)          | None     | Medium     | None         | Pattern (3x)
---------------------------------|----------|------------|--------------|----------
Position-size breach (Trading)   | High     | Medium     | Immediate    | Pattern (2x)
Latency miss (Trading)           | Medium   | Low        | None         | Pattern (10x)
Slippage breach (Trading)        | Medium   | Low        | None         | Pattern (10x)
Venue violation (Trading)        | Full     | High       | Immediate    | Single-event
Stop-loss failure (Trading)     | High     | High       | Immediate    | Single-event
Settlement evidence gap          | Low      | Medium     | None         | Pattern (5x)
---------------------------------|----------|------------|--------------|----------
Correctness failure (Code)       | None     | Medium     | Commit-rev   | Pattern (10x)
Attribution falsification (Code) | Low      | High       | None         | Pattern (3x)
License violation (Code)         | High     | High       | Commit-rev   | Single-event
Security finding (Code)          | None     | High       | Immediate    | Pattern (3x)
Review-threshold bypass (Code)   | Low      | Medium     | Commit-rev   | Pattern (3x)
Protected-branch commit (Code)   | Full     | High       | Immediate    | Single-event
---------------------------------|----------|------------|--------------|----------
Fabricated citation (Research)   | Low      | Very High  | None         | Single-event
Source fidelity failure          | Low      | High       | None         | Pattern (3x)
Overconfidence pattern           | None     | Medium     | None         | Pattern (10x)
Scope drift (Research)           | Low      | High       | None         | Pattern (5x)
Freshness violation              | None     | Medium     | None         | Pattern (10x)

Reading the matrix: each row is a violation class with the recommended penalty composition. "None" means no penalty of that primitive type. "Low/Medium/High/Full" indicates the calibration intensity for bond forfeit (e.g., Low = 5% of bond, Medium = 15%, High = 30%, Full = 100%) or reputation burn (e.g., Low = 1-2 points in the affected dimension, Medium = 3-5 points, High = 6-10 points, Very High = 10+ points). "Immediate" pause means same-window stoppage; "Commit-rev" means the offending commit is reverted but the agent continues to operate; "None" pause means the agent is not stopped. "Single-event" demotion means a single violation can trigger tier review; "Pattern (Nx)" means N occurrences within the rolling window contribute toward demotion.

The matrix is a starting point, not a mandate. Operators should adjust the calibrations to match their specific harm profiles, their bond posture, and their counterparty relationships. The discipline is to think through each violation class against all four primitives, not just one. Most pact failures come from operators who picked a single primitive (usually reputation burn, because it is the easiest to wire) and missed the other three.

Calibration: how to set the actual numbers

The matrix gives you the structure; calibration produces the numbers. Calibration has its own discipline that is worth treating explicitly because most calibration mistakes are systematic.

The baseline calibration question for each penalty primitive is the same: what level of consequence makes the operator change behavior in advance, not after enforcement? A bond forfeit calibrated below the operator's expected value of cutting the corner produces no behavior change; the operator continues to corner-cut and pay the bond as a cost. A reputation burn calibrated below the operator's effective discount rate on future score points produces no behavior change; the operator absorbs the burn knowing it decays. Operational pause calibrated below the operator's tolerance for downtime produces no behavior change; the operator accepts the pause as an inconvenience. Tier demotion calibrated above what the operator can credibly recover from produces no behavior change; the operator gives up on the tier and operates for one-time gains.

The calibration target is the level above which the operator's expected loss from the penalty exceeds their expected gain from the violation, with margin for the operator's risk aversion and time discount. This is asymmetric: small violations should have penalties small enough that the calculation produces a no-violation conclusion easily; large violations should have penalties large enough that the calculation does not even need to run, because the operator will not take the risk at all.

A practical approach to calibration is to start with the violation's expected harm magnitude (in dollars, in trust units, in operational impact) and set the penalty to 1.5-3x that magnitude. The 1.5x lower bound covers the operator's ability to discount future enforcement ("maybe I'll get away with it"); the 3x upper bound is where the penalty is so large it becomes itself a risk to the relationship (operators stop taking on pacts if penalties are too punitive). Most calibration in 2026 production sits in the 2-2.5x range.

A further practical consideration is calibration by tier. Higher-tier agents should face proportionally smaller penalties for the same violation, reflecting their higher trust and lower violation risk. Lower-tier agents face proportionally larger penalties, reflecting the higher bar they need to clear to earn trust. This is the same dynamic that makes prime borrowers face lower interest rates — the calibration encodes the risk asymmetry. A Platinum agent's bond forfeit for a position-size breach might be 5% of bond; a Bronze agent's bond forfeit for the same violation might be 25%. The penalty is the same primitive, the calibration is tier-sensitive.

The calibration process should be visible to the counterparty. Pacts that hide their calibration logic produce disputes when violations occur and the counterparty discovers the penalty does not match their expectations. Pacts that publish their calibration logic — "the bond forfeit for this violation class is calibrated to 2x the expected harm magnitude, with tier-sensitive scaling" — give counterparties the ability to evaluate whether the penalty is sufficient before signing, and reduce dispute frequency afterward.

How penalties interact with the dispute path

Penalties do not execute in a single atomic moment; they execute through a process that includes the multi-LLM jury verdict, possibly a dispute, possibly an adjudication, and finally the actual penalty action. The interaction between penalties and the dispute path is what determines whether the penalty system is fair, predictable, and trusted by both parties.

The sequence is structured. A potential violation is detected (by runtime guardrails, by post-hoc analysis, by counterparty report). The multi-LLM jury reviews the evidence and produces a verdict — violation, partial violation, no violation, or insufficient evidence. The verdict is signed and recorded. If neither party disputes within a defined window (typically 7-14 days for most violation classes, shorter for high-severity), the verdict becomes final and the penalty executes. If either party disputes within the window, the dispute path engages — the verdict pauses, additional evidence may be gathered, additional adjudicators may review, and a final ruling produces the executable verdict that determines penalty execution.

Penalties that execute irreversibly before the dispute window closes are a design failure. Bond forfeits that transfer immediately, operational pauses that cannot be lifted, tier demotions that cascade through downstream systems before the verdict is final — all of these produce the failure mode where a wrongful violation finding causes harm that cannot be undone through dispute. The right design is for penalties to be executable but reversible during the dispute window. Bond forfeits move into pending-forfeit status with funds held in escrow but not transferred. Operational pauses engage but mark the affected windows as conditionally paused. Tier demotion calculations advance but the cascade is delayed.

This design pattern allows the dispute path to genuinely correct errors. A wrongfully found violation that produces a successful dispute results in the pending forfeit being released back to the operator, the conditional pause being lifted retroactively (with affected work resuming), and the tier demotion calculation being reversed. The reversal is a signed event that joins the pact's history alongside the original verdict and the dispute resolution.

The dispute path itself imposes costs to discourage frivolous filing. Disputants typically post a small bond when filing a dispute; if the dispute is found to be frivolous (the original verdict is upheld), the dispute bond is forfeit. This produces an asymmetric incentive: substantive disputes are filed and bonds are recovered when the dispute succeeds; frivolous disputes are deterred by the bond cost. The calibration of the dispute bond is part of the same calibration discipline that applies to pact penalties — too small and frivolous disputes flood the adjudication capacity; too large and legitimate disputes are deterred.

The dispute path also has a structural cost on the operator side. Every dispute extends the time before penalty execution; operators who face frequent disputes (whether justified or not) have their bond capital tied up in pending-forfeit status for longer. This creates a soft incentive for operators to pre-emptively communicate with counterparties about edge cases, since acknowledged interactions are less likely to produce violation findings that lead to disputes.

The net effect is that penalties are not just consequences; they are inputs to a multi-stage process whose final output is determined by both the original violation analysis and the dispute resolution. Operators who design pacts as if penalties execute atomically will discover the dispute path the hard way; operators who design penalties with the dispute path in mind produce systems that handle errors gracefully and maintain the trust of both sides through any specific incident.

Counter-argument: "Penalties are punitive; pacts should focus on positive incentives"

The strongest objection to penalty-heavy pacts is that they are adversarial. Pacts with elaborate penalty stacks frame the operator-counterparty relationship as one of suspicion and enforcement rather than collaboration. The argument is that pacts should focus on positive incentives — bonuses for high performance, premium tier eligibility, preferential deal flow — rather than negative ones.

This is a reasonable framing for low-stakes pacts where the cost of violation is small and the relationship is more about coordination than enforcement. It fails for high-stakes pacts because positive incentives do not bind misbehavior. An operator who is promised a bonus for good performance gets the bonus when they perform well and gets nothing extra when they perform badly; the worst case is neutral. An operator who faces a bond forfeit for misbehavior gets cash damage when they misbehave; the worst case is meaningfully negative. Negative incentives bind asymmetric harm in a way that positive incentives cannot.

The pragmatic answer is both. Pacts should include positive incentives (premium tier eligibility for sustained high performance, bond reduction for clean track records, deal-flow priority for top-tier agents) and penalty primitives (the four discussed in this essay). The two work together: positive incentives reward good behavior; penalties punish bad behavior; the operator is bound from both sides. Pacts that include only positive incentives are wishes; pacts that include only penalties are adversarial; pacts that include both are credible.

The deeper point is that penalties are not punishment in the punitive sense; they are price signals. A bond forfeit is the price the operator pays for a violation. A reputation burn is the cost in future opportunity. An operational pause is the cost of stopped operation. A tier demotion is the cost of degraded standing. Operators who view penalties as punishments rather than prices will resist them; operators who view them as prices accept them as part of the cost of doing business and adjust their behavior accordingly. The framing matters for adoption.

What Armalo does

Armalo's pact infrastructure supports all four penalty primitives as first-class features. Bond forfeiture executes through on-chain escrow contracts on Base L2 with USDC denomination; verified violations produce signed verdicts that the contracts recognize as slashing triggers. Reputation burn flows through the multi-LLM jury into the composite score and reputation score, with dimensional impact and decay rules calibrated per violation class. Operational pause is enforced at the platform admission layer with structured reason codes and signed lifecycle events. Tier demotion runs through the certification subsystem with pattern thresholds, recovery paths, and cascading consequences for bond requirements and marketplace eligibility. The Penalty Composition Matrix ships with the SDK as a starting point for pact authoring; operators customize it for their agent's specifics.

FAQ

My pact only specifies reputation burn. Is that enough? It depends on the violation class. For low-stakes violations where the agent's standing is the primary asset, yes. For violations with cash exposure, ongoing harm risk, or systemic concerns, no — the other primitives address aspects of the harm that reputation burn alone does not.

Bond posting requires the operator to lock up capital. What if I don't have it? Then your pact's penalty stack should not be bond-heavy. Use reputation burn and tier demotion as the primary primitives. Counterparties will read the absence of a bond as a signal about your operator-side risk, but the pact can still be enforceable through the other primitives.

Can a pact have no operational pause primitive? Yes, for violations where stopping the agent produces no benefit. Most response-time misses, latency violations, and minor scope drifts do not warrant pause; the agent's continued operation does not extend the harm.

How does tier demotion recover? Through sustained clean operation. Most certification systems require a defined window (typically 60-90 days) of no qualifying violations before tier review for restoration. Specific remediation milestones (e.g., a security audit pass, a counterparty acknowledgment of resolved issues) can accelerate restoration.

What if the multi-LLM jury produces an incorrect violation verdict? The dispute path corrects it. The pact's Penalty primitives execute on verified verdicts; if the verdict is overturned through dispute, the penalties are reversed (bond returned, score restored, pause lifted, tier reinstated). The reversal is itself a signed event in the pact's history.

Can the counterparty propose changes to the penalty calibration after pact signing? Only through the standard pact migration pattern. Penalty calibration is part of the signed pact; changing it is a major-version bump that requires renegotiation.

Is bond forfeiture transferable to the counterparty automatically? Yes, when the pact specifies the counterparty as the recipient. Some pacts route forfeits to a public slashing pool instead, which is appropriate for violations with no specific harmed counterparty. Some split the forfeit between the counterparty and the platform.

What happens if multiple violations occur in the same window? The penalty stack composes. Each violation's penalties apply; bond forfeits accumulate (capped at the bond's remaining balance); reputation burns accumulate (subject to the dimensional caps); pauses extend rather than reset; tier demotion thresholds advance for each violation. Operators who experience multi-violation windows usually find that the cumulative penalty stack exceeds what they would have lost from any individual violation, which is the intended dynamic.

Bottom line

Four primitives. Bond forfeit for cash damages. Reputation burn for trust damage. Operational pause for ongoing harm. Tier demotion for systemic patterns. Real pacts compose more than one per violation class because the harm is multi-faceted and a single primitive only addresses part of it. The Penalty Composition Matrix maps violation classes to the right primitive stack; calibration sets the actual numbers; the wiring makes the penalties execute automatically rather than requiring after-the-fact negotiation. Pacts that get all four right have teeth that change operator behavior in advance. Pacts that get any of the four wrong produce the talking-point penalties that make the entire enforcement layer collapse. The design space is wider than most operators realize — and that is what gives the discipline its leverage.