The same gap, found in five different fields — then fixed in code.
The idea is simple: knowing what a thing is never, on its own, settles what it’s allowed to do. Proving your identity can’t hand you permission — and that gap isn’t a missing piece of technology, it’s a gap in logic. No clever tool ever fills it; you have to check across it, every time. (The long-form version — the philosophy behind it — is in the research.)
Then I went looking to see if it was really out there, in five fields that have nothing to do with each other — AI provenance, old mainframe systems, quantitative finance, DeFi, enterprise security. Each one had a confident claim, and each claim cracked in the very same spot. Written down isn’t the same as checked. Translated isn’t the same as still meaning the same thing. A practice run isn’t money in hand. A transaction that goes through isn’t a safe one. A certificate isn’t the same as actually being protected. Five separate investigations, and underneath them all, one shape: something that looks verified, mistaken for the thing it’s supposed to guarantee.
Verified is not the same as trustworthy. Work the guarantee out again yourself, from outside the thing making the claim — or say plainly that you can’t.
And the same move fixes it everywhere. Don’t just take the thing’s word for itself; go back to the original evidence and work out the answer again from scratch; be honest about what you checked and what you didn’t; and then give one of three answers — MATCH (it holds up), DRIFT (it changed), or UNVERIFIABLE (there’s no way to tell) — never the word trusted, and never a guess dressed up as an answer. The philosophy argues for it; the five investigations show it happening; a small set of rules pins it down; and a working tool actually runs it in code. Four separate roads, none of them borrowing from the others, all arriving at the same place — that’s about the strongest evidence you can have, short of an outright proof.
Where it fits.
Wherever someone hands work to a model — or hands a model's work to someone else — the same gap opens: you can't see what it saw, and you can't check what it claims. The same gap, in a clinic, a courtroom, a newsroom, an audit, a repo. Here is what closing it looks like.
Radiology.
a model assists a CT read and flags a nodule "likely benign."
the radiologist sees a label, not what the model saw — was it the right patient's study, re-compressed, keyed on what? The read is over-trusted or waved off, and a mislabeled or altered image rides through. → Trust by reputation; the error surfaces downstream, if ever.
clinician and model stand before the same witnessed frame; an identity hash proves it's the unaltered, correct study; the model's call is grounded in measured features the clinician re-derives on the spot. → A second read you can actually interrogate — and a record of exactly what was seen.
eDiscovery.
a model summarizes 80,000 documents for a filing.
a confident summary cites a subtly altered exhibit, or a quote that doesn't exist; neither side can reproduce the chain. → A sanctions risk and a summary no one can stand behind.
every exhibit carries a provenance receipt (identity + drift); each claim is grounded and re-checkable against the source. → A filing that survives scrutiny because it was built to be checked.
Audit.
an AI agent reconciles two ledgers and reports "balanced."
a silent data swap or an unstated assumption passes as a clean result; the auditor signs on trust. → An attestation resting on a black box.
the gate refuses anything it can't verify; each figure carries a re-derivable receipt; "unverifiable" is reported as unverifiable, not passed. → The auditor checks instead of trusting — and can show their work.
Newsroom.
a desk receives a dramatic clip and an AI-enhanced still on deadline.
the clip is a re-encode of something older; the still is partly synthetic; both publish as authentic and the correction comes after it spreads. → A retraction, and eroded trust.
origin is witnessed (content + perceptual); drift between "what we received" and "what we publish" is flagged before it ships. → You publish what you can vouch for.
Your codebase.
an autonomous agent edits a repo and reports "done, tests pass."
a silent overwrite, an unrun test, a fabricated green check — you find it in production. → Debugging a failure the agent said couldn't happen.
the work is fingerprinted before and after; the gate blocks any action it can't verify; you see exactly what changed and why, re-derivable. → You hand a model real work and still hold the receipts.
The design desk.
a model generates a brand asset.
is it novel or derivative, on-brief or off? Taste is asserted and defended in a meeting. → Opinion versus opinion.
human and model shape it on one surface (the Studio); novelty and fit are measured and checkable. → A decision grounded in more than the loudest voice.
Different fields, one shape: a person, a model, a shared thing between them, and a way to check it. That is the floor — and the launchpad for everything above it.
The body of work.
Everything below has my name on it and a date, and is either published with a citable DOI or shipped as tested, public code. The research is where I say the idea out loud; the tools are where I actually made it run. And every page links straight to its own source, so you never have to take my word for any of it.
The spine
Languages & systems
Creative & color
Tools & products
Research & writing
Also on the site — the home and its receipts, the résumé, and the CV. WARDEN matured into proof-surface.
See it run. Watch it refuse.
Here is how it actually works: derive the answer from evidence rather than assertion, then reply in a fixed set of outcomes — never say trusted, never paper over what you don’t know with a guess. Here it is twice over — in the witness (the part that checks) and the gate (the part that says yes or no) — straight from the real tests.
# re-derive a file's bytes from scratch and compare to the seal >>> witness(path, seal) MATCH sha256 re-derived, identical to the sealed digest # the same file, one byte changed >>> witness(tampered, seal) DRIFT re-derived digest differs from the seal # asked to confirm a property with no evidence to re-derive it from >>> witness(path, seal=None) UNVERIFIABLE no seal to check against — not a pass, not a fail
The witness never says trusted. It works the file out byte by byte itself and tells you what it actually found — and when there’s nothing to check it against, it says exactly that, instead of guessing.
EMET ships a tamper-seal that rebuilds a file’s bytes from scratch and reports MATCH or DRIFT — 19/19 tests, three languages. That third answer, UNVERIFIABLE, is the one most systems quietly leave out — and it’s exactly where most failures end up hiding. Honest limit: a seal with no secret key can tell you a file hasn’t drifted from itself, but it can’t stop a determined forger who simply recomputes the seal too. Stopping that needs an anchor from outside — and until there is one, the verdict honestly says UNVERIFIABLE rather than fake a pass.
# a gate request whose authorization receipt is absent >>> evaluate_gate(request) GateDecision(decision="deny") authorization: no receipt — deny budget: unknown — needs-human # a delegate trying to widen its own granted scope >>> verify_delegation(chain) DENIED hop scope is not a subset of its parent — privilege escalation $ pytest 258 passed in 0.26s
Knowing isn’t allowing. No receipt means no; an empty permission list lets nothing through; and something acting on your behalf can never quietly hand itself more power than you gave it. A yes has to be earned by passing every single check — it’s never just what’s left over when nothing said no.
The gate ships in proof-surface — standard-library only, zero dependencies, 258 passing tests, github.com/HarperZ9/proof-surface. Honest limit: the gate gives advice — a careful recommendation the real system still has to carry out. The library itself doesn’t hold the power to force it.
And these two aren’t separate party tricks anymore. The witness and the gate are built on one shared backbone — system/spine.js — that all the pieces run on: EMET’s SHA-256 fingerprinting and proof-surface’s default-deny, pulled out once and reused everywhere a thing has to be re-checked or an action has to be earned. The studio is where the two finally shake hands: it signs every drawing it makes, and when you drop one back in, the gate decides whether it’s allowed in — MATCH lets it through, DRIFT turns it away, UNVERIFIABLE hands the call to a person. One tool checking another tool’s work, using the very same machinery that earns any action anywhere else.
Run it yourself — the witness and gate run live, with real SHA-256 and the real default-deny logic. Flip the inputs → · watch the studio verify its own art →
How it checks itself
The same checking runs underneath everything here — try it, then forget about it.
The witness — derive it from the bytes themselves.
Try it. Type something, then seal it — the witness takes a fingerprint of those exact words and remembers it. A fingerprint here is a short code that any change, even one character, would scramble into something completely different. Now change one letter and witness again: the fresh fingerprint no longer matches the one it kept, so the answer is DRIFT — something changed. Clear the seal and there is nothing to compare against, so the answer is UNVERIFIABLE — not a pass, not a fail, just honestly unknown. That is the whole idea, and it is a small one: rather than trust that the words held, the witness checks for itself, and tells you plainly what it found.
This demo needs JavaScript and the Web Crypto API. The real witness ships in EMET, linked below.
The fingerprinting is the real thing — crypto.subtle.digest("SHA-256"), a tool built right into your browser, run on what you typed and never sent anywhere. EMET does the same across whole files in three languages — 19/19 tests, github.com/HarperZ9. Honest limit: a plain seal like this proves the words weren’t changed by accident; it cannot stop a determined faker who simply computes a fresh fingerprint to match their new version. For that, the fingerprint has to be kept somewhere separate from the thing it describes — and when the witness can’t be sure, it says UNVERIFIABLE rather than fake a pass.
The gate — allow is earned, not assumed.
An action arrives at the gate, hoping to go ahead. The gate says no by default — it is a checkpoint that says no until it is sure. When anything is unclear it still says no: no permission slip means deny; anything it can’t be sure about becomes needs-human (stop and ask a person); and allow comes back only when every single thing checks out. Flip the conditions below and watch the answer move. Try to earn an allow — and notice just how much has to be true at the same time.
This is the real decision logic: a single no settles it; anything unknown becomes needs-human; and an allow needs every check to pass at once. The tested original lives in proof-surface — plain Python, nothing extra to install, 258 passing tests, github.com/HarperZ9/proof-surface. Honest limit: the gate only gives a recommendation — the program around it does the enforcing. This page can never grant a yes on its own.
The standing invitation.
I’m putting all of this out in the open under one rule I’m also trying to live by myself: proof before trust — and that includes trusting me about who made it. It’s dated so the timeline is clear, licensed openly so no one can quietly take it and call it theirs, and honest about exactly where each piece stands — finished, still unproven, or only half-built, and labeled as such. I built it with AI’s help, and I’ve gone back and worked out every claim in it myself, so I can stand behind each one.
And none of it is trying to talk you into anything. I’ve laid the idea and the work out as plainly as I know how; what it’s worth to you — whether you’re a researcher, a builder, or just curious — is yours to judge from the substance itself, not from how well I sold it.
If you can break it, that is the most useful thing you could do — and exactly what I built it to invite.