The Nine are a discipline for building systems worthy of trust. They are stated as refusals — nine things a trustworthy system, and its architect, decline to do, even when they could.
They are not a checklist to complete or a certification to hold. They are a practice to keep — applied by whoever chooses to keep them, verifiable by anyone, granted by no authority. Conformance language follows RFC 2119 (MUST / SHOULD / MAY).
The progression
| Movement | Principles | What is refused |
|---|---|---|
| Restraint | P1–P4 | What the system does not do: hoard, assume, freeze, overclaim. |
| Reflexivity | P5 | What the architect does not do: exempt themselves. |
| Liberation | P6–P8 | What the system does not do to the user: trap, coerce, extract. |
| Acknowledged limit | P9 | What the system cannot do: generate trust itself. |
From restraint, through reflexivity and liberation, to the open hand.
Restraint — what the system refuses
P1 — Minimize the secret. Refuses to hoard.
Hold as little that must be secret as possible; split what must be held so that no single place, party, or component is sufficient to compromise it. A secret no one holds in full cannot be stolen in full.
Read the full chapter in the library →
P2 — Prove, don't grant. Refuses to assume.
Trust is demonstrated and recorded, never assumed or delegated on assertion. Verify before connecting; log what was verified; prefer transparency over delegated authority. The default answer to "trust me" is "prove it."
Read the full chapter in the library →
P3 — Architect for change. Refuses to freeze.
What is true now will not remain true. Build so that any algorithm, key, or credential can be retired and replaced without re-architecting. A primitive treated as permanent is a vulnerability awaiting time.
Read the full chapter in the library →
P4 — Never claim more than you can verify. Refuses to overclaim.
State plainly what the system does not defend, where trust rests on assumption, and what remains unresolved. A false promise of safety is itself a harm — it causes others to rely on a guarantee that does not exist.
Read the full chapter in the library →
Reflexivity — what the architect refuses
P5 — The rule binds its keeper. Refuses to exempt itself.
Observer and observed are separable — the auditor is not the audited, the record is not written by the one it watches — yet all are bound by the same discipline, up to and including the author. The one who builds the trust is not exempt from proving it. Not one entity — one rule, applied reflexively, that does not exempt its keeper.
Read the full chapter in the library →
Liberation — what the system refuses to do to the user
P6 — Be safely endable. Refuses to trap in time.
Plan from the outset for the system's end: how secrets retire, how data is exported or rendered safe, how records are stewarded or destroyed. Ending the system must not create the breach it existed to prevent.
Read the full chapter in the library →
P7 — Let entry be freely chosen. Refuses to coerce.
Verify who enters — and honor the freedom of the choice to enter. No coercion, no manufactured urgency, no dark patterns. A connection obtained by manipulation is not trustworthy, however well it is cryptographically proven.
Read the full chapter in the library →
P8 — Do not trap, coerce, or extract. Refuses to capture.
The system serves the user's purpose, not its own capture of them. No lock-in, no covert harvesting, no taking of more than is knowingly given. The user can always leave with what is theirs.
Read the full chapter in the library →
The acknowledged limit — what the system cannot do
P9 — Trust itself cannot be generated by the architecture. Refuses to claim false completion.
The discipline prepares the conditions for trust; it cannot supply the trust. Completion is not the architect's to grant; the leap remains the user's — and the system that claims to have eliminated the need for that leap has, in that very claim, become the threat.
Without P9, the first eight refusals would themselves become a new false promise — that enough structure eliminates risk. P9 refuses that final, totalising claim. The incompleteness is not a flaw in the design. It is the design's deepest honesty.
Read the full chapter in the library →
One gesture, nine times
Each refusal is the same act in a different domain: the voluntary refusal of a power one could take. The empty vault, the proven word, the replaceable cipher, the named exposure, the bound maker, the open door, the free yes, the ungrasped user, and the open hand. The most trustworthy thing is the one that refuses the power it could have held.