trust · 05

The gate: done you can't fake

A separate process, dr-gate, holds a secret the agent cannot read and signs acceptance with it. No valid signature, no "completed".

maps to as-built §13, §35

anti-self-attestation · the secret is on the other side of the wall
Figure: The agent can write a marker, but it can't sign one. The agent runs inside the sandbox on the left. It can write any file it likes, including a fake acceptance marker, but it has no read path to the gate's secret nonce (gate/nonce), which lives on the host side of the sandbox wall. On the right, outside the sandbox, the dr-gate process reads the nonce, runs your done-criteria checks, and signs a marker whose signature is computed over the nonce plus the checks: signature = hash(nonce + checks + …). Validation (validate_acceptance_marker) recomputes that signature: a marker forged by the agent has no valid signature and is refused, while a marker signed by dr-gate validates and lets the run complete.
It is a plain hash, not real cryptography. It works because the secret sits outside the sandbox, where the agent can't read it.

This is the idea the whole tool is built around: the agent cannot declare its own work done. A run reaches Completed only when an acceptance marker, signed by a separate process called dr-gate, validates.

At the start of every run, deadreckon writes a random nonce (a one-time secret) to gate/nonce. That file lives on the host, outside the sandbox the agent runs in. The agent can write any file it wants, including a file that looks like an acceptance marker. What it cannot do is read the nonce.

When the agent claims it is done, dr-gate runs outside the sandbox. It reads the nonce, runs your checks, and writes a marker whose signature is a hash over the nonce, the marker fields, and the check results. Later, deadreckon recomputes that signature the same way. A marker the agent forged has no valid signature, so it is refused as "forged self-attestation." A marker dr-gate signed validates, and the run can finish.
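The sign-and-recompute flow described above, as an added sketch rather than deadreckon's own code. SHA-256, the canonical-JSON encoding, the marker layout and the function names are assumptions; the page only states that the signature is a hash over the nonce, the marker fields and the check results.

```python
import hashlib
import hmac
import json
import secrets

REFUSED = "forged self-attestation"

def _digest(nonce: bytes, fields: dict, checks: dict) -> str:
    # Assumed encoding: canonical JSON, so key order cannot change the hash.
    body = json.dumps({"fields": fields, "checks": checks},
                      sort_keys=True, separators=(",", ":")).encode()
    # Plain hash over secret + data, as the page describes (SHA-256 assumed).
    return hashlib.sha256(nonce + body).hexdigest()

def sign_marker(nonce: bytes, fields: dict, checks: dict) -> dict:
    """Gate side, outside the sandbox: the only place the nonce is readable."""
    return {"fields": fields, "checks": checks,
            "signature": _digest(nonce, fields, checks)}

def validate_marker(nonce: bytes, marker: object) -> str:
    """Host side: recompute the signature the same way and compare."""
    if not isinstance(marker, dict):
        return REFUSED
    fields, checks, sig = (marker.get(k) for k in ("fields", "checks", "signature"))
    if not (isinstance(fields, dict) and isinstance(checks, dict)
            and isinstance(sig, str)):
        return REFUSED
    expected = _digest(nonce, fields, checks).encode()
    # Constant-time compare; the marker content is agent-controlled input.
    ok = hmac.compare_digest(expected, sig.encode("utf-8", "replace"))
    return "valid" if ok else REFUSED

def demo() -> dict:
    nonce = secrets.token_bytes(32)          # constructed stand-in for gate/nonce
    fields = {"run_id": "run-0001"}          # hypothetical marker fields
    signed = sign_marker(nonce, fields, {"unit_tests": "pass"})
    # Written from inside the sandbox: right shape, but no nonce to hash with.
    forged = {"fields": fields, "checks": {"unit_tests": "pass"},
              "signature": hashlib.sha256(b"no-nonce").hexdigest()}
    # Genuine marker whose check results were edited after signing.
    edited = dict(signed, checks={"unit_tests": "pass", "lint": "pass"})
    return {"signed": validate_marker(nonce, signed),
            "forged": validate_marker(nonce, forged),
            "edited": validate_marker(nonce, edited),
            # A new run gets a new nonce, so an old marker does not carry over.
            "replayed": validate_marker(secrets.token_bytes(32), signed)}
```

Swapping the digest for `hmac.new(nonce, body, hashlib.sha256)` would turn the same flow into a standard keyed MAC; either way the check is only as strong as the sandbox's lack of a read path to the nonce.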

Honest about what it is. The signature is a plain hash, not real cryptography. It holds because the secret sits outside the sandbox where the agent has no read path. Run with --sandbox none and you give that protection up.
