The principles say what a trustworthy system refuses. This says what changes in an organization that keeps them, where the keeping breaks under pressure, how it is kept alive — and, most honestly, where it breaks first. Practice, not policy: lived, not filed.
A practice document that showed only the upside would violate P4 and P9. So this names the cost, the tensions, and the first crack openly. The honesty about where it breaks is what makes the rest trustworthy.
What changes
| Principle | What changes on Monday |
|---|---|
| P1 — Minimize the secret | Hiring: no one is indispensable. Firing: no one can burn it down. |
| P2 — Prove, don't grant | The senior engineer's word is not enough. The junior's question is valid. |
| P3 — Architect for change | The roadmap includes replacement, not just addition. |
| P4 — Never overclaim | The hard conversation before launch: "what are we pretending?" |
| P5 — The rule binds its keeper | The leader who says "log me too" builds trust faster than the one who says "trust me." |
| P6 — Leave no hostage | Revenue cannot depend on trapped users. |
| P7 — The user may refuse | Legal reviews for clarity, not coverage. |
| P8 — No surplus extraction | Unit economics include the user's cost of exit. |
| P9 — The leap remains | The humility that markets, that hires, that builds. |
Where it breaks — the tensions
| Tension | The pressure | The Nine response |
|---|---|---|
| Speed vs P1–P4 | "We need to ship." | The threshold is not bureaucracy. It is the speed of honest proof. |
| Growth vs P6–P8 | "Retention at all costs." | Retention through value, not captivity. Captive retention is a debt borrowed against a future reckoning. |
| Authority vs P5 | "The founder knows best." | The founder proves best, or the system does. |
| Completeness vs P9 | "We need to sound secure." | Sounding secure is a P4 violation. Naming the gap is P9 fulfilment. |
How it's kept — four rituals
- The Nine Questions — before any launch, hire, or partnership: which of the nine does this test? Where does it fail? (A named failure is required — "nowhere" is itself a P9 violation.)
- The Keeper's Proof — the leader is in the same audit stream as everyone, always; the public log is the proof. Not the leader attesting compliance — the leader having no exemption to attest away. P5 as structure, not performance.
- The Release Review — quarterly: what did we let users keep, leave with, or refuse — and where did we still hold them?
- The Vigil — annual: the organization names what it has not solved, where the leap still remains. A keeping-awake to the unresolved, not a celebration of the done.
Where it breaks first
If a framework is honest, it names its own first failure. This one breaks first not at the cold edges, but at the warm centre — the founder's quiet exemption.
P1–P4 break visibly; P6–P8 break externally; both have natural alarms. P5 breaks silently, from the top, where no alarm is pointed. The founder does not announce the exemption; it is a backdoor kept "just in case," a report sanitized "not to alarm," an access kept "because I'm faster alone." Each is justified by competence and urgency — and it is always fine because it is me — until the once it is not.
The canary: the first sanitized report. Watch for the first time someone decides the board, or the users, get the cleaned-up version "for their own good." That is the moment P5 has begun to fail, before anyone has noticed. Keep the reports unsanitized, keep the founder in the ledger, and the first break has nowhere to begin.
The defence of P5 is not more architecture — you cannot out-architect the architect. It is visibility plus a body that can act. The framework cannot guarantee the founder will not exempt themselves. It can only guarantee that if they do, it cannot be done in the dark. That is the most the discipline can honestly promise — and, per P9, it does not pretend to promise more.