Skip to content

[engine-accuracy] senderTrust provenance: split corroborators by write authority (stop model-authored history laundering into the anchor) #712

Description

@k08200

Raised in the dev.to thread (post #5) — the sharpest attack anyone's surfaced on the corroborator design. Relates to #678 (world-anchored gate), #655 (EPIC).

The attack — self-authorship laundered through the ledger.
senderTrust grounded on observed sender history looks world-anchored at read time, but the dangerous question is what gets to write that history. If a sender's record improves because earlier messages were accepted by this same classifier, the model is already in the provenance chain — the history table looks external later, yet it contains delayed model opinion. The attack doesn't need to beat the gate on payload day: it can spend weeks sending cooperative-looking mail the model rates highly, turning those accepts into a clean sender record. When the real payload lands, senderTrust is genuinely high in the table, and the gate approves on a feature the model effectively helped author.

Where it stands today (partial):
Sender priors are already typed by source — override (manual user correction, human-authored) vs history (the model's own past classifications). History is deliberately weaker: it may only short-circuit to QUEUE (never PUSH), and SILENT is excluded from both. So the write-authority instinct exists at the prior-kind level.

The gap:

  • The senderTrust feature still leans on facts (tier distribution) the model helped write; no per-entry provenance class feeds the score.
  • Events the classifier cannot cause — a sent reply, a manual approval recorded outside the classifier path — should be a strictly stronger anchor than "the model rated this sender highly for three weeks." They aren't weighted that way.
  • Each history entry should carry a provenance class so the gate can treat model-adjacent history as thin even when the aggregate looks healthy.
  • Trace attestation: have the component that sourced each corroborator sign or content-address its value when it lands in the decision trace, so post-incident review has a check outside the host process's own log.

"Sort by write authority, not only by read source."

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions