The record: seal, verify, communicate
Everything the last four modules built — the locked proposal, the reasoned deliberation, the four-response poll, the verbatim dissent — ends up as one thing: a record. This closing module covers what goes into that record, how sealing makes it tamper-evident in plain language, how anyone can verify it with no connection to anything, and how to communicate the outcome without quietly dropping the parts that are awkward to announce.
By the end of this module you should be able to assemble a complete decision record, explain the seal to a sceptical member without a single line of maths, walk someone through offline verification, and answer a challenge to a past decision the right way — from the record, never by editing it.
5.1 What the sealed record holds
A decision record is complete when a stranger, five years on, can reconstruct not just what was decided but what the group knew and risked when it decided. That takes four parts, and they are sealed together, as one unit:
The four parts, inseparable
- The proposal — original text, each amendment, and the final amended text that went to the ballot, so the reader can see how the words earned their final shape.
- The amendments' authors and timing — who moved each change and when, before the close of the window.
- The tally — all four counts, including the zeros, plus both gates: the quorum figure and the threshold arithmetic.
- The objections — verbatim, attributed, dated, with any stated alternatives. Both of them, in full, inside the same seal as the adoption they objected to.
The word doing the work is inseparable. A record where the tally lives in one file and the objections in another is two records, and Module 4 showed what filing systems do to the inconvenient one. Sealing the four parts as a single unit means nobody can later cite the adoption without carrying the dissent along with it — not because people are forbidden to, but because the record physically comes that way.
5.2 Sealing, in plain language
Sealing is two steps, and neither needs mathematics to understand.
Step one: the fingerprint. The complete record is condensed into a short string of characters — a fingerprint that stands for exactly this record and no other. The record itself stays fully readable; nothing is hidden or encrypted. The fingerprint doesn't lock the record away. It locks it in place.
Step two: the signature. The group signs that fingerprint with its own signing key — the scheme is called Ed25519, though the name matters far less than the property it buys. The signed fingerprint is the seal, and it says one thing: this group, holding this key, vouched for this exact record at this moment.
The property it buys is this: change one character, anywhere, and verification fails loudly. Turn the objection count from 2 to 1. Soften a single word of Ruth's objection. Delete a full stop from Marcus's sunset clause. The fingerprint of the altered record no longer matches the one the group signed, and the check doesn't shrug or warn quietly — it fails, visibly, every time, for everyone who runs it.
Key points
- Tamper-evident, not tamper-proof. A seal can't stop someone altering their copy; it guarantees the alteration cannot pass as the original.
- The seal proves integrity, not wisdom. A sealed record of a bad decision is still a bad decision — accurately preserved, which is what lets the group learn from it.
- No trust in the platform is required to check the seal. That is the next section's whole point.
5.3 Verifying offline: three steps, no connection to anyone
A record that can only be verified by asking the people who keep it isn't verified — it's vouched for. The seal is designed so the check works with the network cable out, using nothing the group doesn't already hold.
The three steps
- 1. Export the record. A single file, taken from the group's archive — or a copy someone emailed you, or handed over on a USB stick. Where the copy came from doesn't matter; the check will tell you whether it's the real one.
- 2. Hold the group's public key. You already do. The group's key comes in a pair: a private signing key, guarded, that only signs; and a public key that only checks. The public key is not a secret — it is handed to every member on joining, printed in the charter, and can be pinned to the noticeboard. Its entire job is to be widely held, because every copy of it is another person who can catch a forgery.
- 3. Run the check anywhere. Any computer, no account, no connection — not to the group's server, not to Village Assembly, not to us. If the record and its seal match the public key, this is the record the group sealed, character for character. If they don't, it isn't. There is no third result.
Notice who is absent from those three steps: the software vendor, the group's server, the person who ran the meeting. The group that made the decision holds the means of proving it — and so does everyone the group has ever given its public key to. That is what "portable" means in practice: a Fernside member can prove the March decision to the council, to a funder, or to a sceptical new member, from a copy, in a field.
5.4 Communicate the outcome and the dissent together
The record is sealed; now the group has to be told. The rule from Module 3's honest count extends to the announcement: the outcome and the dissent travel in the same message. Not the outcome now and the objections available on request. One notice, both halves.
Key points
- Announcing outcome-with-dissent costs a sentence and buys the objectors' continued participation. People stay in groups that report their disagreement accurately.
- "Adopted overwhelmingly" is not a result; it's an adjective. Give the four numbers.
- The announcement points at the sealed record rather than replacing it — the notice is a summary, and Module 2 taught what summaries owe the room.
Discussion topics
- Find your group's last three decision announcements. Could a reader tell from them that anyone disagreed?
- Who in your group hears outcomes second-hand — and what version reaches them?
5.5 When the decision is challenged
Sooner or later someone will say "that's not what we agreed" — or, harder, "we agreed, and it isn't working, and we want out". The two challenges get the same first move and different second moves.
The protocol
- First, the record answers. "That's not what we agreed" is settled by reading the verified record, not by polling memories. Either the text says what the challenger remembers or it doesn't; the argument is over in the time it takes to read.
- A changed mind gets a fresh decision. If the group genuinely wants a different outcome — the bed is failing, Ruth was right, circumstances moved — the route is a new proposal and a new poll, deliberated and decided under the same rules, sealed as its own record that cites the old one. Module 1 again, with better information.
- The seal is never edited. Not corrected, not tidied, not updated to reflect what the group "really meant". A group that opens a sealed record once, for the best of reasons, has converted every record it holds — past and future — into a draft. The old decision stays sealed exactly as made; the new decision supersedes it in the open.
Template · Record & Verification Checklist
Run this before sealing, once at sealing, and whenever a record is challenged. On paper, "sealed" means read aloud, corrected, and countersigned; the checks are the same.
| A — Before sealing: is the record complete? | Done |
|---|---|
| Final amended text attached, as read back before the poll | |
| Original proposal and each amendment, with author and date | |
| Tally: all four responses recorded, including zeros | |
| Both gates stated: quorum figure · objections ÷ votes cast vs charter threshold | |
| Every objection verbatim, attributed, dated — confirmed by its author | |
| Stated alternatives attached to their objections |
| B — Sealing | Record |
|---|---|
| Sealed on (date) · by (name/role) | |
| Where members find the public key (charter page · noticeboard · new-member pack) | |
| Where the exported record lives, and who may take copies (everyone) |
| C — Communicating | Done |
|---|---|
| One notice, outcome AND objections together, with all four numbers | |
| Notice points to the sealed record · sent to all members on (date) |
| D — If challenged | Confirm |
|---|---|
| Answer from the verified record first | |
| A different outcome = fresh proposal + fresh poll, citing this record | |
| The seal is never edited — no exceptions, including this one |
Self-check
1. A copy of VA-2026-014's sealed record has been altered by a single character — the objection count now reads 1 instead of 2. What happens when someone verifies it?
There is no tolerance and no "minor". The fingerprint stands for the exact record, character for character — any change, however small, produces a visible failure for everyone who checks. That loudness is the whole point of sealing.
2. Is the group's public key a secret?
The key pair splits the powers: the private key signs and is guarded; the public key verifies and is meant to spread. A public key that lived on a controlled server would defeat offline verification — the check is designed to run anywhere, cable out.
3. Months on, most of the group wants a different outcome, and someone suggests quietly updating the sealed record to match. What is the right response?
Groups are allowed to change their minds — through a new decision, on the record. Editing or deleting a seal, even once, even by consensus, turns every record the group holds into a draft. The old decision stays as made; the new one replaces it in daylight.