Raised in the dev.to thread (post #5) — the sharpest attack anyone's surfaced on the corroborator design. Relates to #678 (world-anchored gate), #655 (EPIC).
The attack — self-authorship laundered through the ledger.
senderTrust grounded on observed sender history looks world-anchored at read time, but the dangerous question is what gets to write that history. If a sender's record improves because earlier messages were accepted by this same classifier, the model is already in the provenance chain — the history table looks external later, yet it contains delayed model opinion. The attack doesn't need to beat the gate on payload day: it can spend weeks sending cooperative-looking mail the model rates highly, turning those accepts into a clean sender record. When the real payload lands, senderTrust is genuinely high in the table, and the gate approves on a feature the model effectively helped author.
Where it stands today (partial):
Sender priors are already typed by source — override (manual user correction, human-authored) vs history (the model's own past classifications). History is deliberately weaker: it may only short-circuit to QUEUE (never PUSH), and SILENT is excluded from both. So the write-authority instinct exists at the prior-kind level.
The gap:
- The
senderTrust feature still leans on facts (tier distribution) the model helped write; no per-entry provenance class feeds the score.
- Events the classifier cannot cause — a sent reply, a manual approval recorded outside the classifier path — should be a strictly stronger anchor than "the model rated this sender highly for three weeks." They aren't weighted that way.
- Each history entry should carry a provenance class so the gate can treat model-adjacent history as thin even when the aggregate looks healthy.
- Trace attestation: have the component that sourced each corroborator sign or content-address its value when it lands in the decision trace, so post-incident review has a check outside the host process's own log.
"Sort by write authority, not only by read source."
Raised in the dev.to thread (post #5) — the sharpest attack anyone's surfaced on the corroborator design. Relates to #678 (world-anchored gate), #655 (EPIC).
The attack — self-authorship laundered through the ledger.
senderTrustgrounded on observed sender history looks world-anchored at read time, but the dangerous question is what gets to write that history. If a sender's record improves because earlier messages were accepted by this same classifier, the model is already in the provenance chain — the history table looks external later, yet it contains delayed model opinion. The attack doesn't need to beat the gate on payload day: it can spend weeks sending cooperative-looking mail the model rates highly, turning those accepts into a clean sender record. When the real payload lands, senderTrust is genuinely high in the table, and the gate approves on a feature the model effectively helped author.Where it stands today (partial):
Sender priors are already typed by source —
override(manual user correction, human-authored) vshistory(the model's own past classifications). History is deliberately weaker: it may only short-circuit to QUEUE (never PUSH), and SILENT is excluded from both. So the write-authority instinct exists at the prior-kind level.The gap:
senderTrustfeature still leans on facts (tier distribution) the model helped write; no per-entry provenance class feeds the score."Sort by write authority, not only by read source."