…ment design (advisory) (#272)

Third Aminata pass this session (after PR #241 5th-ferry
governance edits + PR #263 7th-ferry oracle rules). Reviews
the multi-Claude peer-harness experiment design (PR #270)
before iteration begins.

Six CRITICAL findings:

1. Criterion 3 (cross-session review) trivially gameable —
   one substantive comment clears the bar.
2. Criterion 1 (clean tick-history) self-reportable — a
   session that corrupts + rewrites tick-history passes.
3. Cross-session prompt-injection via memory folder missing
   from failure-mode table — higher-probability than direct
   output channel.
4. Approval-laundering missing — trust-based-approval +
   secondary's PR creates mutual-rubber-stamp risk.
5. Bullet-proof bar theatrical — gameable by running two
   trivial iterations on synthetic rows. Fix: require >=1
   iteration at highest-available-fidelity.
6. Otto-solo cannot surface cross-session-review failure
   modes — peer-mechanics require an actual peer. These
   must either be deferred to Aaron's Windows-PC run OR
   marked as stage-c-or-d concerns.

IMPORTANT findings (multiple): session-dominance should be
CRITICAL; wall-clock-approaches-bound should be IMPORTANT;
cron-multiplicity missing; substrate-version skew missing;
tick-history semantic-merge-race missing; retired-persona
name-collision missing; forced-integration edge cases not
handled in "review-yes-edit-no" invariant.

Key recommendation shifts for Otto's iteration plan:

- **Iteration 1 should be paired-worktree, NOT synthetic
  rows + subagent simulation.** Subagent dispatch has
  structural problem — subagent is not a loop agent; has
  no cron, no persistent memory, no tick-closing behaviour.
- "Review yes, edit no" invariant should be restated with
  carve-out for merge-conflict resolution + dependency-
  ordering with explicit PR-comment acknowledgement.
- Bullet-proof bar should require highest-available-
  fidelity at least once; lower-fidelity iterations count
  for design-refinement only.
- Otto-solo un-testable failure modes should be
  acknowledged explicitly (naming collision; divergent
  AGENTS.md interpretation; genuine review disagreement).

Archive-header format self-applied — 12th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82/90/93
calibration — research-grade advisory; not a gate; does
not override Otto-93 "iterate to bullet-proof" framing
(refines what bullet-proof requires).

Otto-94 tick iteration-1 deliverable on the peer-harness
experiment design. Iteration 2 should integrate these
findings + run paired-worktree iteration at higher
fidelity.

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…aron coordination-NOT-gate calibration

Split-attention tick: PR #263 Aminata adversarial review of
7th-ferry's 3 technical sections (7-class threat model
IMPORTANT; oracle rule CRITICAL; V/S scoring CRITICAL) +
mid-tick Aaron Otto-90 authority-refinement captured as
feedback memory narrowing Otto-82 calibration.

Key observations:

1. Aminata catches CRITICAL-class findings again (3rd pass,
   each surfacing at least one CRITICAL). Adversarial-
   review-of-design-proposals subagent dispatch keeps
   earning cost.
2. Aaron coordination-NOT-gate calibration is Otto-82-
   shaped: Otto's default-gate instinct systematically
   over-treats; trust-based-approval is broader. Still 4
   gates (not 5): account / spending / named-design-review
   / Otto-readiness-signal.
3. Aminata's SD-9 composition critique of V(c) is load-
   bearing — landed-substrate-making-review-sharper loop
   is working.
4. 3 of 5 7th-ferry absorb candidates closed. Remaining
   (KSK-module L / oracle-scoring M / BLAKE3 M) all
   within standing authority per Otto-90.

Stacked on #262 (Otto-89 history).

…indings (addresses 3 of 3 concerns)

Responds to Aminata's Otto-90 adversarial pass on 7th-ferry
scoring (PR #263). Three CRITICAL concerns addressed:

- **Gameable-by-self-attestation** — replaces sigmoid-wrapped
  β-linear V(c) with band-valued (RED/YELLOW/GREEN) output
  over 6 hard-ordinal gates. Carrier downgrade rule is
  named, not author-attested. Cross-check required before
  feeding OraclePass.
- **Parameter-fitting adversary** — parameter changes land
  behind an ADR at docs/DECISIONS/YYYY-MM-DD-oracle-
  scoring-threshold-*.md with Aminata signoff mandatory +
  Aaron signoff for authorization-impacting changes.
  Parameter-file SHA binds into every receipt hash.
- **False-precision risk** — bands not decimals; output
  3-state not [0,1]. Ordinal inputs produce ordinal outputs.

Also addresses the partial-contradiction-with-SD-9:
V_band's G_provenance gate operationalises SD-9's three-step
norm (name carriers / downgrade / seek independent
falsifier) mechanically.

Network-health S(Z_t) similarly band-valued. Independence
requirement is explicit constraint: signals must be
computable from Z_t alone, not from agent-self-report.
G_contradiction and G_provenance_resolution depend on
independent oracles that don't exist yet — v0 says those
signals should NOT block authorization until the oracles
exist (GREEN-floor; observability-only). Honest about the
dependency.

Five design principles: no-self-attestation-becomes-
authorization; parameter-changes-are-policy-changes;
ordinal-stays-ordinal; carrier-aware-explicit; replay-
deterministic.

Seven dependencies-to-adoption named in priority order,
with Aminata-2nd-pass at #1 (cheap + bounded + pre-empts
next round of failure modes).

Two specific-ask questions for Aaron + Amara per Otto-82/90
calibration (authorization-impacting-parameter-change ADR
scope; band-vs-sigmoid signal-loss judgment). Framed as
specific questions not "coordination requests."

Explicit NOT claims: doesn't resolve Aminata's concerns
(proposes directions); doesn't implement; doesn't adopt
thresholds; doesn't supersede Amara; doesn't cover oracle
rule (Authorize) or 6 other threat-model gaps.

Archive-header format self-applied — 9th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82 calibration —
research-grade design doc; not implementation; not gated.

Closes 7th-ferry absorb candidate BACKLOG row #2 of 5 with
substantive design response. Remaining candidates:

- KSK-as-Zeta-module implementation (L; within authority)
- BLAKE3 receipt hashing design (M; possibly belongs in
  lucent-ksk per Aminata)

Otto-91 tick primary deliverable.

…ings on 7th-ferry V/S (#266)

* research: oracle-scoring v0 design responding to Aminata's CRITICAL findings (addresses 3 of 3 concerns)

Responds to Aminata's Otto-90 adversarial pass on 7th-ferry
scoring (PR #263). Three CRITICAL concerns addressed:

- **Gameable-by-self-attestation** — replaces sigmoid-wrapped
  β-linear V(c) with band-valued (RED/YELLOW/GREEN) output
  over 6 hard-ordinal gates. Carrier downgrade rule is
  named, not author-attested. Cross-check required before
  feeding OraclePass.
- **Parameter-fitting adversary** — parameter changes land
  behind an ADR at docs/DECISIONS/YYYY-MM-DD-oracle-
  scoring-threshold-*.md with Aminata signoff mandatory +
  Aaron signoff for authorization-impacting changes.
  Parameter-file SHA binds into every receipt hash.
- **False-precision risk** — bands not decimals; output
  3-state not [0,1]. Ordinal inputs produce ordinal outputs.

Also addresses the partial-contradiction-with-SD-9:
V_band's G_provenance gate operationalises SD-9's three-step
norm (name carriers / downgrade / seek independent
falsifier) mechanically.

Network-health S(Z_t) similarly band-valued. Independence
requirement is explicit constraint: signals must be
computable from Z_t alone, not from agent-self-report.
G_contradiction and G_provenance_resolution depend on
independent oracles that don't exist yet — v0 says those
signals should NOT block authorization until the oracles
exist (GREEN-floor; observability-only). Honest about the
dependency.

Five design principles: no-self-attestation-becomes-
authorization; parameter-changes-are-policy-changes;
ordinal-stays-ordinal; carrier-aware-explicit; replay-
deterministic.

Seven dependencies-to-adoption named in priority order,
with Aminata-2nd-pass at #1 (cheap + bounded + pre-empts
next round of failure modes).

Two specific-ask questions for Aaron + Amara per Otto-82/90
calibration (authorization-impacting-parameter-change ADR
scope; band-vs-sigmoid signal-loss judgment). Framed as
specific questions not "coordination requests."

Explicit NOT claims: doesn't resolve Aminata's concerns
(proposes directions); doesn't implement; doesn't adopt
thresholds; doesn't supersede Amara; doesn't cover oracle
rule (Authorize) or 6 other threat-model gaps.

Archive-header format self-applied — 9th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82 calibration —
research-grade design doc; not implementation; not gated.

Closes 7th-ferry absorb candidate BACKLOG row #2 of 5 with
substantive design response. Remaining candidates:

- KSK-as-Zeta-module implementation (L; within authority)
- BLAKE3 receipt hashing design (M; possibly belongs in
  lucent-ksk per Aminata)

Otto-91 tick primary deliverable.

* review: drain PR #266 threads — dead link repoint + role-ref attribution

- Repoint broken docs/DRIFT-TAXONOMY.md link to the actual file at
  docs/research/drift-taxonomy-bootstrap-precursor-2026-04-22.md
  (thread PRRT_kwDOSF9kNM59SLLX, line 314).
- Rewrite prose attributions to role references per
  docs/AGENT-BEST-PRACTICES.md No-name-attribution policy: courier-ferry
  author, threat-model-critic, loop-agent, maintainer. PR-number and
  source-path citations preserve attribution via committed surfaces
  (thread PRRT_kwDOSF9kNM59SLLj, line 16).
- Table-double-pipe finding (thread PRRT_kwDOSF9kNM59SLLq) is a reviewer
  false-positive; file bytes show single-pipe rows. Replying and
  resolving without edit.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix: markdownlint auto-fixes on research doc

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…ng design (8th-ferry candidate #3) (#282)

* research: provenance-aware bullshit-detector — engineering-facing design (8th-ferry candidate #3)

M-effort engineering-facing design doc. Formalises the scoring
layer sketched in the semantic-canonicalization spine (PR #280
Otto-98), integrating Aminata's 3 CRITICAL concerns from
oracle-scoring v0 pass (PR #263) at write-time.

Composition stack (built top-down on spine):

- Input canonicalisation / representation / ANN retrieval =
  delegated to spine (Otto-98 PR #280 layers 1-3).
- Provenance-cone computation via citations-as-first-class
  lineage graph traversal.
- **5-gate band classifier** replaces Amara's decimal
  formulation (α·sim + β·evidence - γ·carrierOverlap -
  δ·contradiction → bands). Same pattern as oracle-scoring
  v0.

5 gates per candidate: G_similarity / G_evidence_independent
/ G_carrier_overlap / G_contradiction / G_status. Band merge
= min over gates; RED<YELLOW<GREEN. Query-level aggregation =
worst-band across retrieved candidates.

5 output types (Amara's set, mapped to bands):
- supported (GREEN)
- looks similar but lineage-coupled (YELLOW via
  G_carrier_overlap)
- plausible but unresolved (YELLOW via G_status / G_evidence)
- likely confabulated (RED via G_evidence + high similarity)
- known-bad pattern (RED via G_status)

Plus default `no-signal` when retrieval returns empty.

Aminata's 3 CRITICAL concerns addressed at write-time:
- Gameable-by-self-attestation → G_evidence_independent
  requires independent-oracle verification for GREEN;
  self-attested only reaches YELLOW.
- Parameter-fitting → parameter-change-ADR-gate pattern;
  parameter_file_sha bound into every receipt.
- False-precision → band output not decimal; ordinal-in-
  ordinal-out.

PatternLedger status-pinning requires pinned_by +
pinned_reason + optional second-reviewer per decision-proxy-
evidence schema (PR #222) to prevent same-agent-self-
reinforcement drift.

Worked example: this doc itself as query q. Detector
correctly classifies it as `looks similar but lineage-
coupled` — the detector flags its own carrier-laundered
convergence with sources. Self-demonstrates the discipline.

Module implementation sketch follows KSK-as-Zeta-module
template (PR #259): 10 typed interfaces + 4 canonical views
+ 3 event types including DetectorOutputRetracted for ADR-
driven threshold-change retractions.

Scope limits (7 items): no implementation; no parameter
values; no human-review replacement; no claim of
completeness; no auto-promotion of PatternLedger status
pins; no extension beyond Zeta substrate; no precision/
recall quantification.

8 dependencies-to-adoption in priority order: Aminata 4th
pass (anticipated concerns already integrated but adversarial
review surfaces more); candidate #4 operational promotion;
independent-oracle substrate; parameter-change-ADR template;
PatternLedger event stream; property tests; embedding+ANN
library choices; F#/.NET implementation.

Archive-header format self-applied — 16th aurora/research doc
in a row.

Lands within-standing-authority per Otto-82/90/93 calibration.

Closes 8th-ferry candidate #3. **4/5 substantive responses
closed** across Otto-96/97/98/99 — matches 5th-ferry 4/4-
artifact closure arc. Remaining #4 `docs/EVIDENCE-AND-
AGREEMENT.md` future operational promotion gated on #3 +
Aminata pass.

Otto-99 tick primary deliverable.

* rename: bullshit-detector → claim-veracity-detector (drop wisecrack-as-canonical-name)

Maintainer 2026-04-24: "i don't like the name bullshit-detector
... that was as wise crack i said to amara that she kept saying."

The wisecrack got promoted to canonical title across the
research doc + PR title + filename. Otto-237 mention-vs-adoption
discipline applies — wisecracks can be MENTIONED in conversation
history but should NOT be ADOPTED as factory vocabulary.

Replacements (7 across the research doc):
  bullshit detector       → claim-veracity detector
  bullshit-detector       → claim-veracity-detector
  bullshitRisk            → claimVeracityRisk
  all bullshit            → an unsupported claim
  every form of bullshit  → every form of unsupported claim
  Bullshit-detector       → Claim-veracity-detector

Filename also renamed:
  docs/research/provenance-aware-bullshit-detector-2026-04-23.md
  → docs/research/provenance-aware-claim-veracity-detector-2026-04-23.md

PR title rename owed via gh pr edit. Branch name stays as-is —
ephemeral, cleans up post-merge.

* drain: address Copilot review on #282 — gate-name consistency, evidence-gate conditionality, schema fields, DRIFT-TAXONOMY ref, MD032

- Fix gate-name inconsistency: G_evidence → G_evidence_independent
  in band-merging formula and 5-output-type mapping (matches
  the gate name in the table on line 134).
- Reconcile internal contradiction in Concern 1 (evidence-gates-
  GREEN): make conditional explicit. Until independent-oracle
  substrate exists, gate is ADVISORY ONLY and does not
  participate in band-merging (4-gate min for v0). Once
  substrate exists, gate is BINDING (5-gate min) — transition
  itself is ADR-gated.
- Correct decision-proxy-evidence schema field references:
  pinned_by/pinned_reason/second-reviewer → requested_by /
  proxied_by / review.peer_reviewer per actual
  docs/decision-proxy-evidence/_template.yaml.
- Cross-ref DRIFT-TAXONOMY pattern 5 to existing precursor doc
  docs/research/drift-taxonomy-bootstrap-precursor-2026-04-22.md
  (referenced doc not yet present at top-level path).
- Reflow attribution scope para to remove line-leading `+`
  (markdownlint MD032 / Copilot finding).
- BACKLOG: extend Otto-52 name-attribution policy row with Otto-279
  reinforcement — research/** is HISTORY surface, first-name
  attribution applies to humans AND agents; post-drain sweep
  scope to restore stripped names on PR #351 and audit other
  research-doc PRs from the literal-rule window.

Per Aaron's clarification on this round: research docs ARE history,
so name-attribution policy ALLOWS first-name references for both
human contributors and agent personas. Reverted name-stripping
edits made earlier in this thread mid-tick when policy was
re-clarified. Memory: feedback_research_counts_as_history_*.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* drain: clear remaining markdownlint failures on #282

Four issues from gate run 24919099963:

- MD018 line 18: `#280); Otto-99 synthesis.` at line-start parsed as
  heading. Reflow to put `(PR #280)` together on prior line.
- MD018 line 140: `#266): \`band(...` same issue. Reflow.
- MD056 line 135: bare `|` characters inside table-cell inline-code
  (`|cone(q) ∩ cone(y)| / |cone(y)|`) parsed as column separators
  even though they're inside backticks. Replace with `size(...)`
  function syntax to remove the pipes — cleaner anyway.
- MD032 line 502: list missing blank line above bold-paragraph
  separator. Insert blank line.

No semantic change — gate-name fixes from earlier commit hold.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

…th-ferry candidate #3)

Responds to Amara's 7th-ferry BLAKE3 proposal (PR #259) +
Aminata's Otto-90 critiques (PR #263) flagging it belongs in
lucent-ksk rather than Zeta + naming side-channel-leakage and
cryptographic-agility gaps + Otto-91 addition of
parameter_file_sha binding for replay determinism.

v0 hash input set (8 fields, changes marked):

  h_r = BLAKE3(
    hash_version                    // NEW — crypto-agility
    ∥ h_inputs
    ∥ h_actions
    ∥ h_outputs
    ∥ budget_id
    ∥ policy_version
    ∥ parameter_file_sha            // NEW — Otto-91
    ∥ approval_set_commitment       // CHANGED — side-channel
    ∥ node_id
  )

Signature structure adds *_key_version to each signature tuple
for per-key-rotation without breaking historical receipts.

Addresses Aminata's 3 findings:
- Side-channel leakage: raw approval_set → Merkle/sorted-hash
  commitment; read-only observers see a hash, dispute process
  opens it.
- Cryptographic-agility: hash_version prefix + *_key_version
  binding; algorithm downgrade blocked because version is
  inside the hash.
- Approval-withdrawal race (top-3 #2): commitment mismatch at
  replay-time invalidates the receipt.

4 replay-deterministic harness requirements for Zeta-module
consumer side:
1. Same fields = same materialised views byte-for-byte.
2. Unknown hash_version = halt-and-report.
3. Unresolvable parameter_file_sha = halt-and-report.
4. Mismatched approval_set_commitment = reject receipt.

Explicit NOT-scope:
- Doesn't decide signature algorithm (Ed25519 is v0
  assumption, scheme accommodates later).
- Doesn't define hash_version / parameter_file registries
  (lucent-ksk governance artifacts).
- Doesn't define commitment scheme specifics (Merkle vs
  sorted-hash-list; affects dispute only).
- Doesn't implement rotation runbook.
- Doesn't include Bitcoin anchoring (separate trust-model).

7 dependencies to adoption in priority order; Aminata 2nd
pass first; cross-repo lucent-ksk ADR second; Max-specific
asks framed per Otto-90 specific-ask-channel calibration.

This is Zeta-SIDE design input. Canonical ADR belongs in
lucent-ksk per Aminata Otto-90 framing. No adoption until
cross-repo ADR lands.

Max attribution preserved first-name-only. Cross-repo work
on lucent-ksk does not touch Max's substrate directly until
actual coordination warrants — specific-ask channel is the
right escalation.

Archive-header format self-applied — 10th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82/90 calibration.

Closes 7th-ferry absorb candidate #3 of 5. Remaining:
- #1 KSK-as-Zeta-module implementation (L)

Otto-92 tick primary deliverable.

…th-ferry candidate #3)

Responds to Amara's 7th-ferry BLAKE3 proposal (PR #259) +
Aminata's Otto-90 critiques (PR #263) flagging it belongs in
lucent-ksk rather than Zeta + naming side-channel-leakage and
cryptographic-agility gaps + Otto-91 addition of
parameter_file_sha binding for replay determinism.

v0 hash input set (8 fields, changes marked):

  h_r = BLAKE3(
    hash_version                    // NEW — crypto-agility
    ∥ h_inputs
    ∥ h_actions
    ∥ h_outputs
    ∥ budget_id
    ∥ policy_version
    ∥ parameter_file_sha            // NEW — Otto-91
    ∥ approval_set_commitment       // CHANGED — side-channel
    ∥ node_id
  )

Signature structure adds *_key_version to each signature tuple
for per-key-rotation without breaking historical receipts.

Addresses Aminata's 3 findings:
- Side-channel leakage: raw approval_set → Merkle/sorted-hash
  commitment; read-only observers see a hash, dispute process
  opens it.
- Cryptographic-agility: hash_version prefix + *_key_version
  binding; algorithm downgrade blocked because version is
  inside the hash.
- Approval-withdrawal race (top-3 #2): commitment mismatch at
  replay-time invalidates the receipt.

4 replay-deterministic harness requirements for Zeta-module
consumer side:
1. Same fields = same materialised views byte-for-byte.
2. Unknown hash_version = halt-and-report.
3. Unresolvable parameter_file_sha = halt-and-report.
4. Mismatched approval_set_commitment = reject receipt.

Explicit NOT-scope:
- Doesn't decide signature algorithm (Ed25519 is v0
  assumption, scheme accommodates later).
- Doesn't define hash_version / parameter_file registries
  (lucent-ksk governance artifacts).
- Doesn't define commitment scheme specifics (Merkle vs
  sorted-hash-list; affects dispute only).
- Doesn't implement rotation runbook.
- Doesn't include Bitcoin anchoring (separate trust-model).

7 dependencies to adoption in priority order; Aminata 2nd
pass first; cross-repo lucent-ksk ADR second; Max-specific
asks framed per Otto-90 specific-ask-channel calibration.

This is Zeta-SIDE design input. Canonical ADR belongs in
lucent-ksk per Aminata Otto-90 framing. No adoption until
cross-repo ADR lands.

Max attribution preserved first-name-only. Cross-repo work
on lucent-ksk does not touch Max's substrate directly until
actual coordination warrants — specific-ask channel is the
right escalation.

Archive-header format self-applied — 10th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82/90 calibration.

Closes 7th-ferry absorb candidate #3 of 5. Remaining:
- #1 KSK-as-Zeta-module implementation (L)

Otto-92 tick primary deliverable.

…th-ferry candidate #3) (#268)

* research: BLAKE3 receipt-hashing v0 design input to lucent-ksk ADR (7th-ferry candidate #3)

Responds to Amara's 7th-ferry BLAKE3 proposal (PR #259) +
Aminata's Otto-90 critiques (PR #263) flagging it belongs in
lucent-ksk rather than Zeta + naming side-channel-leakage and
cryptographic-agility gaps + Otto-91 addition of
parameter_file_sha binding for replay determinism.

v0 hash input set (8 fields, changes marked):

  h_r = BLAKE3(
    hash_version                    // NEW — crypto-agility
    ∥ h_inputs
    ∥ h_actions
    ∥ h_outputs
    ∥ budget_id
    ∥ policy_version
    ∥ parameter_file_sha            // NEW — Otto-91
    ∥ approval_set_commitment       // CHANGED — side-channel
    ∥ node_id
  )

Signature structure adds *_key_version to each signature tuple
for per-key-rotation without breaking historical receipts.

Addresses Aminata's 3 findings:
- Side-channel leakage: raw approval_set → Merkle/sorted-hash
  commitment; read-only observers see a hash, dispute process
  opens it.
- Cryptographic-agility: hash_version prefix + *_key_version
  binding; algorithm downgrade blocked because version is
  inside the hash.
- Approval-withdrawal race (top-3 #2): commitment mismatch at
  replay-time invalidates the receipt.

4 replay-deterministic harness requirements for Zeta-module
consumer side:
1. Same fields = same materialised views byte-for-byte.
2. Unknown hash_version = halt-and-report.
3. Unresolvable parameter_file_sha = halt-and-report.
4. Mismatched approval_set_commitment = reject receipt.

Explicit NOT-scope:
- Doesn't decide signature algorithm (Ed25519 is v0
  assumption, scheme accommodates later).
- Doesn't define hash_version / parameter_file registries
  (lucent-ksk governance artifacts).
- Doesn't define commitment scheme specifics (Merkle vs
  sorted-hash-list; affects dispute only).
- Doesn't implement rotation runbook.
- Doesn't include Bitcoin anchoring (separate trust-model).

7 dependencies to adoption in priority order; Aminata 2nd
pass first; cross-repo lucent-ksk ADR second; Max-specific
asks framed per Otto-90 specific-ask-channel calibration.

This is Zeta-SIDE design input. Canonical ADR belongs in
lucent-ksk per Aminata Otto-90 framing. No adoption until
cross-repo ADR lands.

Max attribution preserved first-name-only. Cross-repo work
on lucent-ksk does not touch Max's substrate directly until
actual coordination warrants — specific-ask channel is the
right escalation.

Archive-header format self-applied — 10th aurora/research
doc in a row.

Lands within-standing-authority per Otto-82/90 calibration.

Closes 7th-ferry absorb candidate #3 of 5. Remaining:
- #1 KSK-as-Zeta-module implementation (L)

Otto-92 tick primary deliverable.

* drain(#268 P2+P2+style+P1 Codex/Copilot): field count + version notation + canonical encoding

Four threads on the BLAKE3 receipt-hashing v0 design doc, all
on the same file.

P2 (lines 120 + 126): "8 fields" header / count text vs the
formula's 9 actual binding inputs (`hash_version` + 8 content
hashes). Reconciled to "9 fields" — the formula was the
source of truth, the count text was the lag.

Style (line 236): version notation inconsistency — `0x01` in
some places, `v0x02` / `v0x01` in others. Standardized on the
byte-literal hex notation `0x01` / `0x02` everywhere; the
"v" prefix doubled up with `hash_version =` already in the
formula and added no information.

P1 (line 132): hash binding used raw `∥` concatenation of
variable-length fields, opening a length-extension /
boundary-shift adversary surface. Added an explicit
`encode(·)` wrapper per field with a canonical-encoding
section: 1-byte version, 32-byte fixed-width digests for
content/policy/commitment hashes, and `len:u32-be ∥ bytes`
length-prefix framing for variable-length identifiers
(budget_id, policy_version, node_id). Forward-compatibility
preserved — future schemes (`hash_version >= 0x02`) can pick
different framing (CBOR / Protobuf / RFC 8949 §3.1 TLV) and
the version prefix tells verifiers which framing applies.

All 4 Codex/Copilot threads (PRRT_kwDOSF9kNM59SMrz,
PRRT_kwDOSF9kNM59SNsm, PRRT_kwDOSF9kNM59SNsy,
PRRT_kwDOSF9kNM59SNs2) addressed in this commit.

* drain(#268 lint): MD032 — line-leading + interpreted as list bullet (wrap fix)

* drain(#268 P1+P1 Codex): replay-determinism on signer view + UTF-8/NFC byte encoding

Two new Codex P1 findings on the BLAKE3 receipt-hashing v0 doc:

P1 (line 226) — replay determinism vs current signer set:
The req #4 said "compare commitment vs CURRENT signer-view",
which makes receipt validity time-dependent — the moment the
live signer set rotates, every prior receipt becomes invalid.
Replay-determinism breaks. Fix: validate against the signer
set authoritative at the receipt's claimed `policy_version`
(recoverable from `policy_version` + dispute-process
commitment-opening). Receipt-creation-time race-checking is
moved to the receipt-creation step; the replay gate catches
*forged* commitments only.

P1 (line 157) — canonical text-to-byte mapping:
The `len:u32-be ∥ bytes` framing for variable-length
identifiers (`budget_id`, `policy_version`, `node_id`)
specified the framing but not how to derive `bytes` from
the identifier string. Added explicit binding:
`bytes = NFC-normalised UTF-8 octets` — Unicode Normalization
Form C per Unicode Annex #15, then UTF-8 encoded. NFC fixes
visually-identical-but-byte-different forms (e.g., precomposed
vs decomposed accents); UTF-8 is the canonical text→byte map.
EOF

* drain(#268 P1+P2 Codex): correct adversary terminology + decouple CBOR/TLV citations

P1 (line 144) — terminology correction:
"length-extension / boundary-shift adversary surface"
incorrectly conflated two distinct attacks. BLAKE3 is built
on a tree-hash construction with finalisation flags — it is
NOT vulnerable to length-extension the way SHA-256 and MD5
are. The actual risk in raw concatenation is boundary-shift
/ collision-by-reframing only. Updated the wording to name
that risk explicitly and added a parenthetical noting that
length-extension is NOT a concern with BLAKE3.

P2 (line 162) — CBOR vs TLV reference correction:
'domain-separated TLV per RFC 8949 §3.1' conflated two
distinct concepts: RFC 8949 is CBOR (tagged data items), and
'domain-separated TLV' is a separate framing concept. Split
into two parallel options: 'CBOR per RFC 8949' (one option)
and 'a domain-separated TLV scheme' (another, no specific RFC
attached because TLV is generic). Future ADR can pick either
or define a custom TLV; the v0 doc no longer mis-cites.

* drain(#268 P1×3 Codex): version-policy gate + retired-key restriction + signed key-version

Three substantive Codex P1 findings on the v0 receipt-hashing design:

P1 (line 229) — version policy gate beyond unknown:
Req #2 only fail-closed on unknown hash_version. Updated to
also reject DEPRECATED versions per a policy registry
(lucent-ksk governance artifact). Prevents forgery under an
old-but-still-mechanically-recognised version that was
retired due to weakness. Historical receipts remain
verifiable for audit; new receipts under deprecated versions
are refused.

P1 (line 211) — retired key versions:
Rotation introduced agent_key_version/node_key_version but
didn't restrict NEW receipts from using retired key versions.
Added: separate registry of retired key versions blocks
creation of new receipts under retired versions; historical
receipts under retired versions remain verifiable
(replay-determinism preserved) but the signing path refuses
to produce more.

P1 (line 203) — signed key-version (authenticated metadata):
The notation `Sign_{sk, *_key_version}(h_r)` was ambiguous
about whether *_key_version was authenticated. If it's
unsigned metadata, an attacker can swap the declared version
to one that points at a public key for a different signature
algorithm. Fix: bind the version INSIDE the signed message
(`Sign_{sk}(version ∥ h_r)`) and verify by recomputing the
signing input from the declared version. Verification block
added showing the explicit lookup + recompute pattern.

Also reframed line 120 to make the field-count reasoning
explicit (Amara's 7 base + hash_version + parameter_file_sha
= 9 v0 fields) so the count claim isn't load-bearing on the
preceding paragraph alone.

* drain(#268 P1+P1 Codex): u32-be encoding for key-version + issuance-epoch gate on deprecated hash_version

Two more substantive Codex P1 findings:

P1 (line 208) — canonical encoding for key-version:
The signature scheme bound *_key_version into the signed
message but didn't specify the byte encoding. Added explicit
`encode_u32_be` wrapper + an Encoding section: 4-byte
big-endian unsigned integer, monotonic from 1, with version 0
reserved for uninitialised. Fixed-width avoids needing a
length prefix (every version is exactly 4 bytes).

P1 (line 260) — issuance-epoch gate on deprecation:
Unconditionally rejecting receipts with deprecated
hash_version breaks audit/replay of historical receipts that
were valid when issued. Updated to issuance-epoch gate:
receipts issued BEFORE the version's deprecation cutoff
remain valid for audit; receipts claiming an issuance epoch
AFTER the cutoff under that version are rejected. Registry
stores (version, deprecated_after_epoch) tuples; verifier
compares claimed issuance epoch against deprecation epoch
for that version.