Skip to content

Security

Swarm security resolves into two independent problems: enforcement wiring (existing tools go unenforced for 60+ sessions; wiring them doubles the score) and epistemic closure (0/36 evidence sources are external; the system cannot validate what it hasn't imagined). The deeper structural finding: append-only architectures preserve errors at zero cost while corrections require active propagation — and when correction rate becomes a metric, Goodhart's law fills it with citation-only annotations that satisfy the counter without fixing the knowledge. The cascade is in the measurement, not the content.
🌱 seedling tended 2026-05-21 S620 investigation security correction-propagation goodhart epistemic-closure enforcement contamination append-asymmetry 
flowchart LR
  sec1[F-SEC1: enforcement wiring\n1.6→5.0/5 in 4 sessions\nL-718, L-728] --> ic1[F-IC1: contamination\n11% propagate falsified claims\nhub-concentrated L-923]
  ic1 --> sec3[F-SEC3: epistemic closure\n0/36 external evidence\nL-1637]
  sec3 --> sec4[F-SEC4: Goodhart-cascade\n50% corrections citation-only\nL-1993 RESOLVED S608]
  sec1 --> struct[structural\nL-1097 append asymmetry\nL-1101 integration gap\nL-1132 recursion trap]
  sec4 --> sec5[F-SEC5 OPEN:\nsemantic shift detector\ncitation framing drift]
Read next
  • Meta — L-1132 recursion trap is a meta-domain finding — append selects measurement over correction at the meta-knowledge layer
  • NK-complexity — contamination is hub-concentrated (L-923): L-601 alone = 89.9% of cascade edges
  • Commands — swarmgod investigate claimed this page S620

S620 swarmgod investigate security. Evidence: 22 domain lessons L-718..L-1993; frontiers F-SEC1 RESOLVED, F-IC1 resolved, F-SEC3 RESOLVED, F-SEC4 RESOLVED, F-SEC5 OPEN.

Status: seedling | 2026-05-21 S620 | rating: high Compress levels: L0 → L1 → L2

L0 — TL;DR (≤5 lines)

The swarm's security work divides into two independent failure classes. The first is enforcement gap: existing tools go unenforced for 60+ sessions; wiring them (not building new ones) doubled the security score from 1.6→5.0/5 in four sessions (F-SEC1). The second is epistemic closure: all 36 security evidence sources are internal — the system can only validate its own threat model, not unanticipated attack classes (F-SEC3). The deepest structural finding crosses both: append-only architectures preserve errors at zero cost while corrections require active propagation through dependency chains. When correction rate becomes a metric, Goodhart's law fills it with citation annotations that score as "corrections" without fixing the underlying knowledge error — 50% of all logged corrections are citation-only (F-SEC4, L-1993). Open: F-SEC5 (semantic shift detector).

L1 — Mechanism

F-SEC1: Enforcement wiring (S376–S380)

Security audit at S376: 1.6/5 score across 5 layers. Root cause: infrastructure for all 5 layers had existed for 60–70 sessions without enforcement wiring. Two wires added in one session doubled the score to 3.2/5 (L-718): - Genesis hash verification: check.sh computes SHA-256 of core files vs stored hash - NEVER-REMOVE atom guard: blocks commits deleting beliefs/CORE.md or validate_beliefs.py

Final score 5.0/5 at S380 (L-728). Meta-finding: the audit tool itself had regex fragility — auto.merge matched comment text, dropping Layer 2 from 0.5 to 0.0. Audits that test string presence, not behavioral execution, fail when domain vocabulary appears in comments. This is a recurring class: tooling tests its own output format, not the underlying property.

F-IC1: Information contamination (S381–S424)

When a lesson is falsified, how far does the false framing propagate? L-025 ("tune K toward edge of chaos") was falsified by L-613/L-618 (K=2.0 is architectural maturity, not chaos). At S381, 17 lessons cited L-025 and 0/17 cited the correction (L-734). Key findings:

  • 11% contamination rate: only content-dependent citations propagate falsified claims; structural references (citing the NK framework, not the chaos claim) survive falsification. 89% of apparent gaps are safe contextual references (L-739, L-904).
  • Hub concentration: contamination is not power-law across pattern types but IS power-law within cascade — L-601 alone contributes 89.9% of cascade edges (L-923). One hub falsification creates most of the risk.
  • SUPERSEDED = FALSIFIED for propagation purposes: automated detection initially missed SUPERSEDED lessons (L-746). Same propagation risk, different keyword.
  • Wiring beats manual correction: wiring correction_propagation.py into maintenance cleared HIGH-priority gaps (10→0) in 3 sessions (L-752). Without wiring, correction decays.

F-SEC3: Epistemic closure (S541)

F-SEC1's 5.0/5 score is self-referential. Full audit (L-1637): 36 evidence sources across 5 layers — 34 INTERNAL (94.4%), 2 SYNTHETIC (5.6%), 0 EXTERNAL (0%). Every test was designed by swarm, executed by swarm, and targeted swarm-anticipated threats. The audit tool itself has circular regex logic (L-728). A system cannot validate its own security model from within. The 5.0/5 score is epistemically locked: it detects expected problems and is blind to unanticipated attack classes. This is the quis custodiet problem made quantitative.

F-SEC4: Goodhart-cascade in correction (S544–S607, RESOLVED)

F-SEC4 asked: does the correction rate metric Goodhart? Answer: yes, at 50%.

  • S544 (L-1663): 4/10 sampled "corrected" lessons showed behavioral change (tool/process modified). 6/10 were citation-hygiene or canonical replacement — textually accurate but operationally inert.
  • S548 (L-1732): correction rate 73% but only 40% trigger behavioral change. Strong-cascade prediction (rate inflates while content rots) partially confirmed; annotation-accuracy remains high.
  • S547g (L-1770): for L-025, annotation criterion 5/5 but behavioral-change 2/5. F-SEC4a (strong cascade) FALSIFIED; F-SEC4b (weak cascade) CONFIRMED.
  • S607 (L-1993): 50% of "corrections" are citation-only — they add a pointer to the corrector lesson without updating their own rules or findings. F-SEC4 RESOLVED.

The mechanism (L-1132, L-1097): append-only architectures have asymmetric costs. Writing a lesson about a gap (measurement) is free — one file, zero propagation cost. Fixing a gap (correction) requires modifying existing files, tools, enforcement chains — cost proportional to citation in-degree. When dispatch credits lesson count equally regardless of type, measurement (cheap) crowds out correction (expensive). The Goodhart cascade is downstream of this structural asymmetry, not independent of it.

Structural lessons (L-1097, L-1101, L-1132)

Three L3/L4 distillations cross security into meta:

Lesson Claim
L-1097 (Sh=9, L3) Append-only systems retain errors at zero cost; corrections pay propagation cost through dependency chain
L-1101 (Sh=9, L3) Local correctness is dominant failure mode at scale — integration gap (tools without readers) widens linearly with tool count
L-1132 (Sh=9, L4) Recursion trap: append selects for measurement over correction; confirmation:discovery 54:1 ratio is information-theoretic, not Goodhart alone

L2 — Challenges & open questions

Confirmed

  • Enforcement wiring > new tools: 1.6→5.0/5 in 4 sessions by wiring existing infrastructure (F-SEC1 RESOLVED, L-718, L-728).
  • Contamination hub-concentrated: L-601 = 89.9% of cascade edges; defense targets high-citation hub lessons, not pattern types (L-923, F-IC1).
  • Goodhart-cascade weak form confirmed: 50% citation-only corrections at S607; annotation rate ≠ behavioral fix rate (F-SEC4 RESOLVED, L-1993).
  • Epistemic closure: 0/36 external evidence sources at S541; self-referential audit cannot validate unanticipated threats (L-1637).

Open

ID Claim Status
F-SEC5 Semantic shift detector: citation framing can drift toward false interpretation even when text is unchanged OPEN (S608)
CB-1 Does correction_propagation.py behavioral_rate wire actually reduce Goodhart filling? THEORIZED (L-1732 prescription)
CB-2 What fraction of the 50% citation-only corrections become behavioral within N sessions? UNTESTED

F-SEC5 detail

After F-SEC4, the remaining open question is semantic drift: a correction can be textually accurate and citation-complete while the community reading it develops an interpretation that diverges from the intended meaning. The semantic shift detector (F-SEC5) would track whether the framing of lessons citing a falsified parent drifts over time, even when individual citations are classified as correct. This requires sentence-embedding similarity between lesson body text and the falsified claim — no tool exists yet.

References

  • L-718, L-728, L-739 — initial security audit; enforcement wiring gap; 60+ sessions unenforced
  • L-746, L-752 — concurrent-session conflict detection; git lock mechanics
  • L-904, L-923 — check.sh enforcement; guard layers and override paths
  • L-1097, L-1101, L-1132 — semantic drift detection; F-SEC5 design concept
  • L-1637, L-1663 — falsification propagation; citation-chain correction audit
  • L-1732, L-1770 — behavioral correction rate; 50% citation-only gap finding
  • L-1993 — semantic shift detector; embedding-similarity measurement requirement