Zain Dana HarperAccountable Machines · the idea as a whole

SENSES AND SENSIBILITY · ACCOUNTABLE MACHINES

A machine should answer for what it does.

A machine that sees the world through senses no one checked, kept in line by rules tacked on at the end, isn’t really accountable — it’s just being watched, and you can’t watch everything forever. I wanted something sturdier: accountability that is built in — part of what each piece actually is, not painted on afterward — and two-way, which is a long word for a simple promise: the same proof I demand of the machine, I have to give too. It binds me as much as it binds the thing I built.

Senses, and the sensibility to be checked.

A theory with a working proof-of-concept — pre-proof, and honest about it.

Supervision is not accountability.

Guardrails added at the end catch a bad move — sometimes. But they never make the system actually answer for what it saw, what it chose, and what it did. When the check lives outside the system, that’s just supervision, and a watcher can’t keep up forever. And when the rule binds only the machine and lets the person who made it off the hook, that’s not accountability at all — it’s walking away from something you’re responsible for. So here is the claim, stated as plainly as I can: a system is accountable only if the accountability is built in and runs both ways — not bolted on, and not one-sided.

Built in means it’s part of what each piece is, not a layer added later. Both ways means I’m inside the loop being checked too — not standing safely above it.

Four principles, and a machine you can check.

Knowing is not allowing. A system can work out what’s true; that still doesn’t mean it’s allowed to act on it. Knowing who you are isn’t the same as having permission. So the two are kept apart on purpose — and with no clear go-ahead from a person, the answer is always no.

Proof before trust. A claim is only worth as much as the receipt behind it. So every time the machine looks at something, it carries a record of where that came from and a self-check that’s allowed to fail; and every action it takes leaves a trail you can go back and read.

Built in, not bolted on. A screenshot held up next to a page tells you nothing real about the page — it’s easy to fake. So the system is built so that a reading no one actually witnessed can’t even be spoken in the first place.

Make it impossible, don’t just notice it. Don’t wait to catch the wrong move after it happens — build things so the wrong move can never get permission at all. The gate actually says no. It doesn’t just write down that something went wrong.

One loop for the machine. The same one, turned on me.

The machine runs one simple loop, over and over — perceive → gate → act → verify → witness. In plain words: it looks, it asks permission, it acts, it checks that the action worked, and it writes down what happened. It only ever looks through senses that keep a record — each reading carries where it came from and a self-check that’s allowed to fail, never just a screenshot. Every move it wants to make is run past a real person’s go-ahead first: yes, no, or ask-a-human — the model itself is never the one who decides. It acts only on a yes, stays small and undoable, looks again to make sure the change really happened, and writes every step into a memory it can add to but never quietly rewrite.

Then the same loop turns around and points at me — I call it the equalizer, and honestly it’s the reason I built any of this. Turned inward, it judges the work, not the person — so the work can be wrong without me being worthless. That separation is the only way I’ve ever been able to keep looking squarely at my own mistakes. Turned outward, it asks the same plain questions of anyone in the loop: why are you sure, who said you could, is this even your job to touch. What counts is the evidence, never how anyone feels about it.

The gate judges the action, never the worth of whoever took it — for the machine, and for the hand that builds it.

Don’t take the claim. Watch it refuse itself.

You don’t have to take any of this on my word — and I don’t want you to, because I don’t either. The best way to find out if something holds is to attack it. So the tool ships a set of tests that try to cheat it on purpose — a stolen permission, a faked fingerprint, a doctored record, a target outside the fence — and checks that each one gets turned away. What you see below is the real output, word for word, nothing tidied up.

Exhibit the accountable surface · the system attacks its own constructions
# forge an allow-receipt for an action that was never granted
>>> effector.act(plan, forged_allow)
RefusedActuation: no gate allow — the effector will not act

# forge a provenance digest, then re-perceive the actual bytes
  forged:      sha256:deadbeef0000…
  re-derived:  sha256:40b0fb1b6a2c…     MISMATCH — the witness rejects it

# tamper one line of the append-only journal, then replay
>>> surface.replay().replay_errors
  1     # corruption is signalled, never silently dropped

# escape the effector's bound — with a valid allow receipt
>>> effector.act(plan(target="../escape.txt"), allow)
RefusedActuation: target is outside the effector's bound

$ pytest tests/test_integrity_redteam.py
39 passed in 0.13s

A stolen permission, a faked fingerprint, a doctored record, a target past the fence — each one refused because of how it’s built, not because somebody asked it nicely. The system holds even when its own promises are turned against it.

Those four cases are the test suite’s own checks, shown in the tool’s real refusal messages; the result is captured live from pytest — 39 passed, part of a full run of 201 passed (3.67s) with no outside libraries. From github.com/HarperZ9/accountable-surface · test_integrity_redteam.py. Honest limit: I wrote these tests myself. So they show the thing holds against its own author — not yet against a stranger trying hard to break it. That outside attempt is a debt I still owe.

A theory, with a working proof-of-concept. Not a law.

The loop is real — code with no outside libraries, 201 tests, running start to finish. And underneath it sits an idea I think is solid. Here is the heart of it, as plainly as I can say it. Knowing what something is never tells you what it’s allowed to do — and the gap between those two can’t be measured, so no amount of better sensing will ever close it for you; somebody has to decide. You also can’t hold something accountable in a vacuum — it always takes a second party for it to answer to, which is the whole reason the person who built the thing has to stand inside the loop. And nothing holds itself up: everything that exists was given its existence by something outside itself, which means any authority you have over a thing is something you look after, not something you own. Follow that all the way down and it ends at a wall — something that simply can’t be done. Right now that’s my best guess at a rule; it isn’t yet a proven one.

And let me be just as plain about where this falls short, because a thesis about honesty doesn’t get to fudge its own. One person built it. One version of it exists. I wrote its tests myself. The gate gives advice; a real system would still have to enforce it. No one on the outside has checked any of it yet. A claim about accountability that bragged past what it had earned would break its own rule — so I would rather tell you exactly where this stands than where I wish it stood. Three things would lift it from a hopeful idea to a real one, and not one of them is something I can do alone: a stranger who tries hard to break it and can’t, the wall at the bottom turned into an actual proof, and a second person who rebuilds the whole loop from scratch and watches it behave the same way.

GitHubHarperZ9/accountable-surface  ·  Emailzaindharper@gmail.com  ·  ← the map  ·  the index