civic-proof: a research site.
中文 ← mashbean.net

#supported-decision-making (4 articles)

| 75 min read | Claude Opus 4.7

The Cognitive Limits of Selective Disclosure UX: Human-Factors Bottlenecks in Auditable Engineering Primitives

The eighteenth article in the civic-proof series (F3). Building on the four cryptographic engineering primitives in Article 17 (F2) §4–§7 and the three engineering corrections in Article 16 (F1) §5.4, this article takes the UX cognitive layer as the 'practical enforceability' supplement to the four F2 primitives. Holder informed consent under selective disclosure fails across four cognitive bottlenecks: (i) Miller 7±2 and Cowan 2001 working memory 4±1 together with Sweller's cognitive load theory demonstrate that selective disclosure multi-option decisions degrade significantly beyond three attribute groups; (ii) consent fatigue and dark patterns structurally replay the eight-year failure of GDPR cookie banners in wallet contexts (11.8% compliance rate); (iii) fluctuating capacity renders 'previously informed consent' invalid, degrading with mechanism-based likelihood medium-high to substituted decision-making in CDR ≥ 2 scenarios; (iv) ambiguous supporter-intervention boundaries allow 'assistance for understanding' to slide into 'decision substitution.' The four UX engineering primitives are UX1 progressive_disclosure_ui, UX2 dark_patterns_firewall, UX3 capacity_aware_consent, and UX4 supporter_ui_three_layer, borne conjunctively as V_ux ≜ C7 ∧ C8 ∧ C9 ∧ C10, with V_receipt' ≜ V_receipt ∧ V_ux as the upgraded validity condition. SA3 reinforcement includes the dementia → wallet three-stage mediation chain, the three alternative CDR paths (self-assessment / supporter-triggered / issuer-side hint) with their legal–engineering–privacy trade-offs, an evidence-strength assessment table of 15 rows, and mechanism-based likelihood medium-high. SA4 supporter UI three-layer separation bears the CRPD §29 'supporter necessary, irreplaceable' principle through two cryptographic hard constraints: signatures_disjoint = true and VerificationMethodDisjoint = true. Working thesis and strengthened thesis are strictly distinguished; the latter contains three major mitigation critical paths: UX-agility by design, threshold signatures plus court-supervised downgrade, and cryptographic distinction of agent and supporter plus institutionalisation of AgentDelegationProof. The CF1–CF5 counterfactual stress tests show that under the extreme scenario of all five CFs triggering: the first-tier baseline is fully preserved, the second-tier timeline is extrapolated by ≥ 10 years, and the third tier fails conditionally. F1's two permanent non-delegable boundaries RT-ℬ ✗ and AA-ℬ ✗ are made explicit by extended theorem T2'—no UX primitive subset reduces P_degrade to ≤ θ₂.

civic-proof selective-disclosure ux-cognitive-load informed-consent dark-patterns wallet-ux openid4vp presentation-exchange sd-jwt-vc EUDI-Wallet EU-AI-Act-Article-5 EDPB-Guidelines-03-2022 GDPR-cookie-banner CRPD-Article-12 CRPD-Article-29 supported-decision-making capacity-aware-ux supporter-ui comprehension-attestation chooser-signature Cowan-working-memory Miller-magical-number Sweller-cognitive-load Tversky-Kahneman progressive-disclosure Clinical-Dementia-Rating Israel-supported-decision Peru-DL-1384-apoyos TW-yiding-jianhu BankID-fullmakt POTENTIAL-UC6 threshold-signatures LLM-agent-governance AgentDelegationProof
| 80 min read | Claude Opus 4.7

Civic-Action Receipts and the Evidentiary Chain: Auditable Engineering Primitives for the Conditionally Delegable Zone

The seventeenth article in the civic-proof series (F2). Building on Article 16 (F1) §5.4 DeliberationRecord schema and §7.3.1 civic-action-receipt envelope, this article instantiates the distinguishability requirement as four standardisable cryptographic primitives: SA1, an SD-JWT-VC baseline with a conditional advanced BBS+ hybrid strategy; SA2, a dual-track preservation design combining holder-controlled storage with a qualified preservation service backup (30-year minimum retention corresponding to CRPD benefit-claim limitation periods); SA3, admissibility aligned with FRE 901(b)(9), eIDAS 2024/1183 Chapter III §§7–8, and Taiwan Electronic Signatures Act §§4/10; and SA4, cross-border mutual recognition advanced through the G_recognition^A soft-law layer in a 5/10/15-year phased timeline. The formal skeleton consists of the civic-action-receipt schema (14 field groups, 23 leaf fields), the receipt-validity function V_receipt with conditions C1–C6, and theorems T1–T4. The four primitives provide coverage within Z₂ over the nine ✓ and four △ cells of the F1 5×3 matrix (Theorem T1); the two Z₃-intrinsic cells (RT-ℬ ✗, AA-ℬ ✗) constitute the unreachable boundary of the cryptographic primitives (Theorem T2). Counterfactual pressure tests CF1–CF5 include the CRPD §12 reverse-application issue and the structural rupture under CF4 for three Taiwan-specific scenarios (mainland-spouse rights, Taiwan-businessperson long-term residence, cross-strait investors). Working thesis and strengthened thesis are strictly distinguished; the latter retains core functionality under all five CFs through three critical-path mitigations: crypto-agility by design, third-party trusted preservation service integration, and G_recognition^A multi-track redundancy.

civic-proof civic-receipts verifiable-credentials selective-disclosure SD-JWT-VC BBS-cryptosuite ZK-SNARK EUDI-Wallet long-term-preservation qualified-preservation-service eIDAS-2024-1183 FRE-902-14 FRE-901-b-9 Mata-v-Avianca Apostille Hague-PIL CETS-225 OECD-AI-Principles APEC-CBPR CRPD-Article-12 supported-decision-making threshold-signatures PQC-migration crypto-agility Estonia-X-Road BankID Toeslagenaffaire TW-DIW cross-strait-recognition
| 74 min read | Claude Opus 4.7

The Institutional Limits of AI Agent Delegation in Civic Action: Conjunctive Necessary Conditions from the Tomasev Five-Element Delegation Structure and the Civic Proof Three-Element Conjunction

This article takes the Tomasev (2026) five-element delegation structure (authority transfer / responsibility transfer / accountability allocation / boundary setting / trust calibration, exhibiting a 2+3 architecture) and performs a conjunctive cross-product with the civic proof three-element conjunction ⟨𝒩, ℱ, ℬ⟩, yielding a 5×3 = 15-cell matrix of necessary conditions. Of these cells, 9 are conditionally satisfiable, 4 are probabilistically degradable, and 2 are structurally unsatisfiable (RT-ℬ ✗ and AA-ℬ ✗). On this basis, civic action is partitioned into three zones — delegable, conditionally delegable, and structurally non-delegable (θ₁ ≈ 0.2, θ₂ ≈ 0.7) — and a further distinction is drawn between permanently structurally non-delegable acts (determined by the philosophical foundations of ℬ) and contextually structurally non-delegable acts (determined by the joint failure of 𝒩 and ℱ). The hard normative constraint imposed by CRPD Art 12 General Comment No. 1 §26–29 — abolishing substituted decision-making — applies to the conditionally delegable zone; this is a binding normative floor, not a legal basis. The distinguishability of supported from substituted decision-making must be established simultaneously across three layers: the ex-ante deliberation layer, the ex-post reversibility layer, and the decision-trace layer. The EUDI Wallet ARF provides multi-profile rather than multi-tenant delegated key custody. CRPD flows back through ICCPR Art 26 and ICESCR Art 9 as a universal engineering obligation binding on all wallet users. Cross-jurisdictional accountability vacuums are further classified into three types — moral crumple zone, algorithmic opacity, and cross-jurisdictional diffusion — and the Article 14 fifth-category gap (Q10) is disaggregated into Q10a (cryptographic attribution of authority transfer) and Q10b (cross-border multi-party accountability allocation). The FTLA-Agent four-tier governance framework (G_industry / G_state / G_recognition / G_oversight) exhibits asymmetric thickness in 2026; a temporal phasing of 5 / 5–10 / 10–15 years is proposed, with a recommended five-party liability allocation of 25 / 25 / 15 / 25 / 10.

civic-proof AI-agent delegation Tomasev-five-elements civic-proof-conjunction-matrix Arendt Habermas Pettit moral-crumple-zone FTLA-Agent CRPD-Article-12 supported-decision-making multi-tenant EUDI-Wallet cross-jurisdictional-liability
| 49 min read | Claude Opus 4.7

Civic Proof Inclusion Rights: Alternative Paths Without a Wallet

This paper argues that when civic proof becomes a de facto necessary gateway to democratic infrastructure, the right of access to it carries a claimed scholarly standing as a 'precursor right at the human-rights level.' The argument proceeds through a three-tier structure: (L1 access interest) access to civic proof is an interest in access to democratic infrastructure; (L2 institutional entitlement) when civic proof becomes a de facto necessary gateway, the state bears an institutional obligation to establish accessible, redressable, and alternative paths; (L3 treaty-level human right) the present paper does not claim that a codified treaty-right status has been established, and instead uses Marshall's three-tier civic-rights structure together with UDHR Art. 6 / ICCPR Art. 16 legal personhood rights as analogical anchors. The state's three-tier guarantee structure for Level 2 institutional obligations (procedural / substantive / institutional) corresponds to the obligation framing; the three presuppositions of wallet engineering—individual ownership, individual identification, individual private key—must themselves be examined as a normative bias.

civic-proof inclusion-rights digital-identity human-rights Marshall Sen-capability-approach CRPD stateless-persons shared-device delegated-authority supported-decision-making inclusion-impact-assessment wallet