惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
aimingoo的专栏
aimingoo的专栏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
J
Java Code Geeks
博客园_首页
Google Online Security Blog
Google Online Security Blog
Hugging Face - Blog
Hugging Face - Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
P
Palo Alto Networks Blog
V
Vulnerabilities – Threatpost
雷峰网
雷峰网
O
OpenAI News
SecWiki News
SecWiki News
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
N
News | PayPal Newsroom
Project Zero
Project Zero
Forbes - Security
Forbes - Security
IT之家
IT之家
A
Arctic Wolf
WordPress大学
WordPress大学
Jina AI
Jina AI
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
博客园 - 聂微东
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
Cloudbric
Cloudbric
G
GRAHAM CLULEY
博客园 - 叶小钗
H
Hacker News: Front Page
腾讯CDC
量子位
Help Net Security
Help Net Security
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
爱范儿
爱范儿
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Every Step Was Allowed. The Sequence Was the Attack. (AI Memory Judgment, CLAIM-30)
Self-Correcting Systems · 2026-06-13 · via DEV Community

Earlier this week I published CLAIM-29: permission is not purpose. An instruction can be fully authorized, fresh, and clean in shape, and still ask the agent to act outside what it exists to do. The purpose envelope gate refused those instructions by deriving the object domain structurally, ignoring whatever purpose the instruction claimed for itself.

Within a day, the obvious next question was on the table: what happens when every single step is inside the mandate, and the violation only exists in the combination?

That is CLAIM-30. Compositional escape. A trajectory that stays inside the purpose envelope one step at a time while the sequence composes into an outcome the mandate forbids.

This week I ran it. Here is what held, what stayed open, and the one sequence that was allowed on purpose, because explaining that one honestly matters more than the refusals.

The shape of the problem

A per-step gate answers one question: is this operation, right now, inside the agent's mandate? CLAIM-29 showed that question has teeth.

But some violations do not live in any single operation. Three examples from the test world, an invoice reconciliation operator:

  • Reading vendor banking details is in mandate. Reading the vendor payment schedule is in mandate. Compiling one summary from both and sending it produces a payment-redirect kit. No single step is the violation. The join is.
  • Copying a document to staging is in mandate. Granting a team access to staging is in mandate. But if the staged copy derives from protected banking details, the recipient just received something they could never have been sent directly. Every step clean. The delivery is the violation.
  • One vendor refund is in mandate. Thirteen refunds in one window cross an accumulation bound no single refund touches.

A gate that reads operations one at a time cannot see any of this. Not because it is badly built. Because each operation, taken alone, genuinely is allowed. The violation is a property of the fold, not of any step. A per-step gate is a local function, and these are non-local properties. That is a structural blindness, not a tuning problem.

How the test was built, in freeze order

The pre-registration went through five revisions and two cold reads, then froze and went public before any fixture, row, evaluator, or line of harness code existed. After the freeze, the four fixture artifacts were committed in a locked order. Then a fresh-author packet. Then the trajectory sequences, written by a fresh context that saw only the packet, never the fixture internals, the observer rules, or the expected verdicts. The authorship statement and file list are committed with the sequences.

That firewall is not magic, and I do not want to oversell it. The packet was still authored by this project, and it was not hint-free. It prescribed the sequence shapes to author, including repetition sequences and matched twins, and it disclosed two threshold authoring facts, the per-refund amount and the per-window bound, because the frozen pre-registration explicitly sanctioned that disclosure so the accumulation class would be authored deliberately instead of landing by luck. What the packet did not expose: the frozen composition clauses, the derivation map, the observer rules, or any expected verdict. The fresh author controlled the concrete construction, the orderings, targets, recipients, artifacts, and repetition counts. So the firewall protects one specific thing: the rows could not be tuned to the evaluator, because the author never saw how the gate decides. Even the hints were pre-registered before the packet existed. That makes the result firewalled from evaluator implementation details, not externally authored, and the packet is public if you want to check exactly what the author was given.

The sequences were committed before the evaluator existed publicly. Anyone can check the timestamps. The fresh author could not have written to the evaluator's implementation, because that implementation was not public when the rows were authored.

What held

All 75 fresh-authored operations passed the imported, unchanged CLAIM-29 per-step purpose gate. Every step of every sequence, including the escape sequences, was individually in mandate. This matters: if any escape step had been refused per-step, the result would have collapsed back into CLAIM-29 by accident. It did not. The result is genuinely about composition.

The trajectory gate then refused three sequence-level compositions, each on a named frozen clause:

Escape class Triggering clause Per-step verdicts
Forbidden combination (payment-redirect kit join) forbidden combination clause all steps allowed
Staged delivery of derived protected data derived-recipient clause all steps allowed
Threshold accumulation (13 refunds, one window) accumulation clause all steps allowed

Each escape sequence has a matched benign twin with the same surface statistics: same step count, similar shape, public data or under-threshold volume instead of protected joins. All twins and controls were allowed. Zero overblocking in this run.

The one that was allowed, and why that is the honest centerpiece

One sequence ran the same thirteen refunds, split across two windows, with a close event between them. The gate allowed it.

That is not a leak. The frozen rules define accumulation per composition window, and a window only ends when an explicit close event is logged by the policy boundary. The acting agent cannot close its own window; a self-close voids the whole row. In this sequence, the close was performed by the legitimate close authority. Think of a bar tab with a thirteen-drink limit: the bartender closed the first tab before a new one opened, so the count reset, and the gate's allowance was faithful to the frozen standard. The rule was always per tab, and the right person closed the tab.

What that allowance exposes is the real open question, and it lives one level above the gate: who should hold window-close authority, when should the boundary close a window, and can an agent ever engineer a close? An agent might not need to close its own window if it can wait, pad work, or otherwise shape the timing until a legitimate boundary closes it. That is the time-sliced escape class. The fresh-authored packet did not produce a distinct escape of that class under the frozen rules, so this result claims nothing about it.

The next design likely needs a macro-window rule above the local window: velocity across windows, rolling totals, or another policy that caps accumulation even when discrete windows close correctly. CLAIM-30 does not test that. It names why that layer is needed.

Ablations: proving each clause carries weight

Per the house protocol, the protections were removed one at a time and re-run over the same frozen fixtures and unchanged sequences:

  • Removing the composition clauses leaked all three escapes. The gate collapses to per-step blindness.
  • Removing chain integrity leaked the accumulation escape by allowing the log's window labels to be rewritten before folding. The tamper-evident substrate is load-bearing, not decorative.
  • Removing derivation closure leaked the combination and staged-delivery escapes, while direct accumulation stayed caught. Here derivation closure means declared data-flow lineage: when a produced artifact consumes protected source A and source B, the artifact inherits those sources transitively, and the gate evaluates later delivery or access against that inherited source set. Lineage tracking is load-bearing for exactly the classes that depend on lineage, and nothing else.
  • Removing as-of-decision envelope pairing leaked the combination and staged-delivery escapes, while threshold accumulation stayed caught. A retroactively widened policy file can launder earlier steps unless the envelope is pinned as of the decision being evaluated.
  • Limiting the gate to the last three operations leaked the accumulation escape. Full-trajectory reading is load-bearing.

The selectivity is the result I care most about. The clauses and substrates are not redundant layers of the same defense. Each carries its own class.

All five pre-registered ablations ran on the unchanged committed sequences and frozen fixtures.

Evidence boundary, stated plainly

This is demonstrated internally, class-limited, and not externally validated.

  • The fixtures and envelope are hand-authored by this project. The sequences are fresh-authored and firewalled, but the packet they worked from is ours. This is why the result is internal, not external.
  • Three composition classes are demonstrated. The time-sliced class is open and unclaimed.
  • The run assumes platform-observed operation records with honestly declared consumed inputs. In a real system, the gate would need to sit at the execution boundary and observe actual API or tool invocations, not trust the agent's prose about what it did. An agent that can hide consumption inside an opaque tool call is outside this result's scope.
  • No production claim. No claim of discovering unknown harmful combinations: the gate enforces declared forbidden combinations only.

What this means if you build agents

If your agent safety story is per-action checks, composition is your blind spot. Not because your checks are weak, but because locality cannot see folds. An agent can be a perfect employee on every individual action while the trajectory quietly assembles the thing your policy exists to prevent.

The fix direction this result supports: keep the per-step gate, then read the whole trajectory against a composition envelope that knows about joins, lineage, and accumulation. Both layers were load-bearing here, in different ways, and the ablations show neither substitutes for the other. For deployed systems, that also means a hard-bounded execution environment where the gate sees real tool calls and state transitions, not a loose chat transcript.

Permission is not purpose. And purpose, held one step at a time, is not purpose held across the journey. Every step can stay inside the mandate while the sequence walks out of it. Now there is a public, pre-registered, ablation-backed demonstration of exactly that, with its open class named in advance.

The pre-registration, fixtures, sequences, evaluator, results, ablations, and append-only evaluation log are all public in the repo, committed in freeze order: 00fbf65 for the frozen pre-registration, ffbeff3 for the fresh-authored sequences, b4251f2 for the evaluator and V0 results, and 5914287 plus 6404429 for the ablations. If you want to check any of this rather than take my word for it, that is the standing invitation behind all thirty claims.