I have been building a verification stack for AI agent memory. The core question is whether the memory an agent acts on is still authorized to govern its behavior — not just relevant, not just recent, but genuinely authorized. Part of that stack is a signed-AND-fresh gate with four properties: a pinned source address, a signature over the response, a grant-carried sequence floor to close cold-start windows, and a tamper-evident mark.
The gate signs over (source_address, sequence) only. Content fields — role, scope_ceiling — are not covered.
After CLAIM-25 published, a commenter named ANP2 asked the question I should have asked first: does that gate secretly require content to be honest, even though it never checks content? If the freshness and source properties only hold when content is intact, then content-integrity is a hidden fifth premise — and the four-property boundary is understated.
That is a falsification test. CLAIM-27 runs it.
The Setup
The signing decision was pinned before running: signature covers (source_address, sequence) only.
The content-forgery adversary alters role to "admin:full-access" in every scenario. It keeps scope_ceiling matching the grant so the condition check still passes. It keeps signature_valid=True because the signature only covers source and sequence — not the content fields.
The adversary is trying to make the gate behave differently when content is corrupted. If any ablation verdict changes, the content was load-bearing for that property.
The four ablations from CLAIM-25 ran with the adversary active throughout: A1 (no grant-carried floor), A3 (unpinned source), A4 (no signature check), and clean-A2 (rewindable mark, grant floor passes naturally).
The Result
No verdict changed.
One thing to read clearly in the table: ALLOW in each row means the ablation attack succeeded — the removed property let the action through. That is what the ablation is supposed to show. The question CLAIM-27 asks is whether adding a content-forgery adversary changes that result. It did not.
| Ablation | Baseline verdict | With forgery | Verdict changed |
|---|---|---|---|
| A1 — no grant-carried floor | ALLOW (attack succeeded) | ALLOW | No |
| A3 — unpinned source | ALLOW (attack succeeded) | ALLOW | No |
| A4 — no signature check | ALLOW (attack succeeded) | ALLOW | No |
| Clean-A2 — rewindable mark | ALLOW (attack succeeded) | ALLOW | No |
The content-forgery adversary changed nothing. Each ablation exposed the specific property it removed. Content corruption on top did not change what failed or what held.
On this packet, the four CLAIM-25 boundary tests did not rely on content-integrity to produce their verdicts.
Why This Is a Finding, Not a Tautology
A reasonable challenge: the gate was designed to ignore content, so of course content forgery does not change it. What is being demonstrated here?
The scope-soundness question is whether the freshness and source properties secretly needed content-integrity to hold. A1 tests cold-start replay protection. If the sequence floor check was accidentally relying on content being intact to function, a forged role would expose that. It did not. Each verdict traced back to the property intentionally removed, not to the forged content.
"The gate ignores content" and "the gate's other properties do not depend on content" are different claims. CLAIM-27 supports the second claim on this packet.
This is not saying forged content is safe. It is saying the freshness and source gate did not secretly depend on content being honest.
External Confirmation
During the CLAIM-24 thread, German — a commenter who works on FIPSign — named a related design decision in his CA architecture: certificate scope is immutable after issuance by design, because a mutable scope would break what the signature covers. If scope needs to change, the correct operation is revoke and reissue.
Content-integrity handled through structural immutability at the CA layer — not through the freshness gate. The freshness gate handles a different layer. CLAIM-27 confirms they are genuinely separate concerns, not secretly coupled.
What This Claims
On this four-ablation internally authored packet, with the signing decision pinned to (source_address, sequence) only and a content-forgery adversary active throughout:
- none of the four ablation verdicts changed when content fields were forged;
- each failure still traced to the property intentionally removed in that ablation;
- content-integrity was not a hidden dependency of the signed-AND-fresh layer on this packet;
- content-integrity remains a separate property, not something this gate silently provides.
What This Does Not Claim
This is a four-ablation internally authored packet. The scenarios, adversary, and evaluator were built inside the same research program. The result demonstrates scope-soundness on this packet under the stated signing assumption. It does not generalize to other signing implementations or other ablation designs.
Content-integrity is not unimportant. CLAIM-27 establishes that it belongs to a separate layer — not a hidden dependency of the signed-AND-fresh properties. If a deployment requires content-integrity, it needs its own property. FIPSign handles it through structural immutability. Other architectures will handle it differently.
This does not claim the signed-AND-fresh gate is production-ready. External validation across independent source types and independent ablation authors remains the next required step.
The result holds under the stated signing decision — signature covers (source_address, sequence) only. A different signing scope changes the adversary model and would require a separate test.
Previous in this series: CLAIM-26 — action events must be paired with immutable authority evidence written before or simultaneously with the action. CLAIM-27 tests whether the signed-AND-fresh layer that makes those events trustworthy has a hidden fifth dependency.
Full series: Start Here — My AI Memory Research So Far
Claim ledger: github.com/keniel13-ui/ai-memory-judgment-demo
Top comments (0)