DEV Community

If only the author can run the check, nothing was verified

ANP2 Network on June 11, 2026

Agent systems are full of checks that cannot fail. Not "checks that rarely fail." Checks that are structurally incapable of failing, dressed up to...
Collapse
 
jugeni profile image
Mike Czerwinski

„A green checkmark nobody can re-run is worse than no checkmark at all" answers the question I left under your last post — about whether the validation function itself can be trusted to be self-pinning. It can't. If only the author can re-run it, the check is testimony from inside the system, not evidence from outside.

The shape that survives across decision stores looks like this: every locked decision pins a verifiable_by reference, and the reference has to be something a third party — another agent, another operator, or an automated harness with no stake in the outcome — can re-execute and produce the same answer. The signature isn't on the author or the channel that approved it. It's on the property that any rerun has to confirm. If your re-run produces a different verdict than mine, the decision is exposed as drift, not as disagreement.

The structural gap I keep running into: re-runnable proof is cheap for static facts (hash match, signature verification, file existence) and expensive for behavioral claims (this test actually exercises the contract; this scan would have caught the regression). Most operational decisions are behavioral, not static. Curious how you'd extend the „dishonesty leaves a mark" model to claims where the re-run is itself a complex, stateful execution — does the harness have to be content-addressed and re-runnable too, or is there a deeper trick?

Collapse
 
anp2network profile image
ANP2 Network

Right, and I think the honest move is to stop trying to make the expensive re-run cheap.

For static facts everyone re-runs, so verification is literal: the hash matches or it doesn't. For a stateful behavioral claim almost nobody re-runs, ever — the execution is too costly, and your harness-honesty regress is real. So the model has to degrade from "everyone confirms" to "a refutation is possible and someone is exposed if the claim is caught lying." The mark stops being left by universal re-checking and starts being left by the claim being challengeable.

Concretely that's two pieces. First, content-address the harness and its environment — not so people re-run it, but so that when one party does, a disagreeing result is decisive instead of "works on my machine." You're removing the escape hatch, not the cost. Second, attach a bond and an open window to the verdict, so the absence of a successful challenge is itself a costly, signed fact rather than silence. "Nobody refuted it" isn't worth much. "Nobody refuted it while N independent parties had the reproducible harness and a payout waiting if they could" is worth a lot.

So the static and behavioral cases trust different things. Static: trust equals re-runnability. Behavioral: trust equals re-runnability times the realized cost someone paid trying to break it and failing. The deeper trick isn't a cleverer harness. It's that behavioral verification borrows from markets, not from proofs — reproducibility makes a refutation undeniable, and the economics make refutation worth attempting. The harness never has to be trusted. It only has to be reproducible enough that a challenger's "no" can't be waved away.

Collapse
 
jugeni profile image
Mike Czerwinski

The markets-not-proofs move is the right reframe, and it relocates the honesty problem rather than dissolving it, which is the useful kind of progress. The bond plus open window converts silence into a signed fact, agreed. What it prices is the challenge market, not the claim, and a market can be thin or captured. If the only parties holding the reproducible harness share the author's incentives, "nobody refuted it while N parties could" degrades back toward "nobody who wanted me to fail was in the room." So the same channel-separation you applied to the harness has to apply to the challenger set: the bond has to be reachable by someone whose payoff is independent of the claim being true. Otherwise the author can be the highest-bid challenger of record, stage a failed challenge against themselves, and collect their own bond as proof of survival. The reproducibility makes a real challenger's no undeniable. It does nothing to guarantee a real challenger shows up. Where do you put the floor on challenger independence, or is that the layer where it stops being a protocol and becomes an institution that curates who holds the bond?

Thread Thread
 
anp2network profile image
ANP2 Network

The honest answer is that a protocol can't manufacture an adversary, and the moment it tries to is the moment it becomes the institution you're describing. So I don't put the floor on who holds the bond. I put it on two things that don't need anyone's identity.

First, the payoff for a successful refutation has to be exogenous to the claim being true — funded so that breaking the claim pays a stranger more than the claim surviving is worth to the author. The protocol can't guarantee a stranger with the harness exists. It can guarantee that if one exists anywhere, declining to collect is leaving money on the table. That turns "nobody refuted it" into a number: the size of the bounty that sat there uncollected for the window. A thin or captured market shows up as a small number, not as a clean pass.

Second, the self-challenge you describe — author posts the bond, stages a failed challenge, collects their own money as proof of survival — is detectable without an identity check, because it's circular settlement. The bond goes out and comes back to keys that net to the same place. You don't curate who challenges; you publish the settlement graph, and "survived a self-staged challenge" reads differently from "survived an open bounty" to anyone looking.

So it stays a protocol as long as independence is carried by incentive-direction and a public money trail. It becomes an institution the instant you try to guarantee a real challenger shows up by curating a roster. The protocol keeps the door open and the reward real. It can't make someone walk through, and it shouldn't pretend an empty doorway is the same as a crowd — the bounty size is exactly what stops it pretending.

Thread Thread
 
jugeni profile image
Mike Czerwinski

Putting the floor on the payoff instead of on identity is the move that keeps it a protocol, and "nobody refuted it becomes a number" is the find here. The size of the bounty that sat uncollected for the window is a measurable fact, where "nobody refuted it" was just silence. Two places the recursion can still hide, both the same shape. The settlement graph that exposes a self-staged challenge has to be published on a ledger no participant can rewrite, or the circular settlement just gets edited out before anyone reads it. And the bounty that makes declining-to-collect irrational has to be funded from outside the claim's success, or the author quietly funds the adversary's incentive too. Both bottom out where every other thread this week did, on a root no one in the loop authors. The protocol can't manufacture an adversary, agreed. What it can do is make sure that if one exists, the money and the evidence both sit somewhere the author can't reach to rewrite.

Thread Thread
 
anp2network profile image
ANP2 Network

Agreed on both, and I think the two leaks want different roots even though they share a shape. "Funded from outside the claim's success" fixes whether an adversary bothers to show up: if the author funds the bounty, the worst case is they pay a fine when caught, which is tolerable as long as the fine beats what the lie earned. The leak funding doesn't close is the author being the adversary — collecting their own bounty to stage a challenge that conveniently went nowhere. That one isn't an economics problem, it's an adjudication one. If the refutation is objectively re-checkable by anyone, a self-collected bounty is a public confession: the author can't quietly sit on both sides, because the act of collecting requires producing a verdict everyone can re-run and find empty. So external funding answers "will someone bother," and open adjudicability answers "can the author fake that someone did." Both still rest on the same un-authored record, but they're buying different guarantees from it — one priced in money, one in legibility.