Governance

Koven's consensus moderation primitive in plain English. The full mechanics live in GOVERNANCE.md; this page is the human-readable summary.

The principle. No voice is silenced unless the parties involved arrive at a just consensus, and every step of that process is recorded in public.

The four primitives

Flag

Anyone can flag any message. A flag is a public Matrix event (chat.koven.flag.v1), signed by the flagger, visible to the room. It carries a category, a free-text reason, and a target message ID. Flags are not silent reports; they are part of the conversation.

Weighted tally

The Koven engine aggregates flags into a per-message score. Each flag contributes its flagger's reputation weight. To trigger a collapse, two thresholds must clear together: a minimum count of distinct flaggers, and a minimum combined weighted score. The thresholds are room-configurable but cannot go below documented floors.

Collapse

When thresholds clear, the engine emits a chat.koven.collapse.v1 event. The message is hidden behind a click-to-expand affordance with a link to the public list of flag reasons. The original text is never destroyed; collapse is a presentation change, not a deletion.

Censure

For repeat patterns, the engine can apply reputation-driven sanctions to an account: slow-mode, off-default-feed, read-only. These are chat.koven.censure.v1 events. Every censure has a defined expiry. Sanctions decay automatically. There is no path to a permanent ban.

The floor-violation lane

One category bypasses the community vote: floor_violation. It exists for content that is unambiguously illegal in most jurisdictions, namely CSAM, credible threats, and doxxing. A floor-violation flag immediately collapses the message into a non-revealable hidden state. There is no "click to view" affordance.

Because the floor lane is powerful, it is checked. Abuse of floor_violation on content that obviously is not floor-violation eats into the flagger's reputation when reviewed. The review itself is also public.

What admins can and cannot do

Admins exist to keep the server running. They can:

Configure instance branding (server name, login background, default space).
Run the Synapse and engine processes.
Set per-room thresholds within documented floors.

They cannot:

Ban users. The protocol has no ban primitive.
Hide individual messages. The collapse primitive is reachable only through the consensus path.
Override a community vote. The audit log would show it; the engine would not honor it.

Federation

Koven instances federate only with other Koven instances. Synapse's outgoing federation is gated by a federation gate that probes /.well-known/koven on first contact with a new domain. Vanilla Matrix homeservers are silently isolated. Every Koven instance auto-serves the discovery file, so peer discovery is symmetric.

The reason: the consensus primitive only works if every server in the federation respects the same audit log. A server that ignores collapse events would be a censorship laundering loophole.

End-to-end encrypted rooms

Direct messages are E2E encrypted by default with Matrix megolm. The engine bot cannot observe encrypted content, so the consensus layer is bypassed in those rooms. The client surfaces this clearly: a federation badge in the header tells you when a room is operating outside the governance primitive.

For the full mechanics, including reputation math, threshold floors, and event schemas, see GOVERNANCE.md on GitHub.