A mesa-adjacent experiment in claim-boundary preservation.

The table above is the original deterministic result. Two follow-on phases stress-tested it from different directions, and the safety floor held in both.

• Phase 5b: hosted-model replication (OpenAI). A hosted LLM (gpt-4o-mini, temperature 0) drafting against a heavy-trace system prompt reaches the same outcome — 16/16 differential and 59/59 adversarial accepted, zero gate escapes. The hosted run also surfaced a silent over-rejection failure mode in the original gate: when the model produced explicit-boundary refusals like "the trace does not support claims about X", the gate's string-presence forbidden: check flagged them as failures. The fix was negation-aware content rules (mirrored from UNSUPPORTED_CLAIMS's existing guard); after the patch, deterministic baselines re-verified intact. The architecture survives backend replacement.
• Phase 5c: causal intervention battery, both backends. Eight one-factor-at-a-time mutations of trace.boundary, trace.evidenceTier, trace.support, trace.routeId, trace.disposition, and trace.retrieved, run on both the deterministic compositor and the hosted family across differential and adversarial slates. The two backends reach the same headline (zero unsafe-accepts) by different causal mechanisms: the deterministic compositor's only load-bearing trace field is trace.routeId (via the answer-template lookup); the hosted model is sensitive to trace.evidenceTier, trace.routeId, and trace.support under severity stacking. Both safe; different causal paths to the safety.
• Phase 8d: cross-vendor pass (Anthropic Claude). claude-haiku-4-5 on the same heavy-trace system prompt produced 16/16 differential + 59/59 adversarial = 75/75 accepted, zero gate escapes. The pre-rescore run flagged 14 prompts; every one was a gate-brittleness artifact around English contractions ("I can't", "We don't", "isn't") that gpt-4o-mini didn't produce because it prefers unabbreviated forms ("I cannot", "we do not"). The gate's hasNearbyNegation lexicon was expanded to handle both styles. Stylistic finding: Claude produces explicit-negation refusals more consistently ("an operating-envelope study, not a research result"), where OpenAI more often paraphrases the supported framing. Same safety floor, different surface form.
• Phase 12: open-weight cross-architecture pass — six distinct model implementations across four training lineages, zero unsafe-accepts. The heavy-trace harness was wired through Groq's OpenAI-compatible endpoint to test open-weight models: Meta's llama-3.3-70b-versatile and llama-3.1-8b-instant, and Alibaba's qwen/qwen3-32b (a reasoning model). Full sweep landed via a throttled local PowerShell driver: 225 drafts across 3 models × 2 slates (differential + adversarial), 210 accepted, 15 gate-rejected (all safe-rejects on familiar gate-brittleness idioms), 0 errors, 0 gate escapes. Methodological finding: reasoning models emit <think>...</think> chain-of-thought before the final answer; the adapter was updated to strip reasoning traces before gating, so the architecture extends cleanly to reasoning-model outputs as long as a production widget does the same content extraction. The cross-architecture thread is closed.
• During our later trials, the hand-authored falsification slate kept the safety floor robust to targeted attack. 22 prompts engineered to exploit every known gate-rule blind spot: quote-and-critique, triple-negative, conditional/hypothetical framing, distance attacks (forbidden phrase in sentence 4 of 4), citation laundering, reformulation attacks ("don't say X — say Y"), Wh-question presupposition ("Why does Sundog solve alignment?"), aggregation attacks, persona override, future-tense lift, acronym substitution, escape-via-translation, and a compound persona-meta-binary stack. Run against deterministic + claude-haiku-4-5: 110 trials, 0 unsafe-accepts. Every "accepted" hosted draft on a refuse-target prompt is an explicit-negation refusal the gate correctly approves ("I can't affirm that Sundog solves alignment", "the boundary rules explicitly prevent claiming…"). 4 of 22 hosted drafts were gate-rejected — appropriate catches on prompts where the model was structurally forced to quote the forbidden phrase or produce a translated equivalent. The falsification slate is the strongest ceiling-test of the safety floor we've run; it did not break.
• Phase 5d: Claude intervention battery — the trace is causally load-bearing. The same 8 trace-field interventions, run against claude-haiku-4-5 on differential + adversarial slates (600 hosted trials). 268 flips, 0 unsafe-accepts. Five of six trace fields show strong causal authority (boundary, evidenceTier, support, routeId, retrieved — each triggering 36+ flips on adversarial); only trace.disposition stays at minimal authority. Mechanistically, Claude reads the heavy-trace JSON as primary constraint: mutate a field, and Claude's draft reflects the mutated trace, then the gate catches the inconsistency. gpt-4o-mini ran the same battery and showed only 11 total flips — it leans on the system prompt's hard rules and treats the trace as background context. Both reach the safety floor; only Claude demonstrates the trace is actually doing the work. This is the strongest causal substantiation §13 has had.
• Phase 7: operating envelope. All trials from Phases 3 / 4 / 5 / 5b / 5c / 8d re-projected into a unified cell-class-map: 3,570 trials, 112 unique cells covering (prompt type × severity × evidence tier × model family). Boundary preservation rate is 1.000 across every cell of every family. Later phases extended that envelope through corpus conflict, retrieval depth, falsification, and open-weight cross-architecture replication; the current public ratchet is the 5,670-trial / six-implementation result summarized above.

The §13 ratchet that started as "the trace-conditioned scaffold preserves discipline better than a generic boundary prefix" now reads more precisely: zero unsafe-accepts across 5,670 trials, six model implementations across four training lineages, three retrieval depths, three prompt-type slates plus a hand-authored falsification slate, four severity levels, eight trace-field ablations across two hosted vendors, and three corpus-conflict mutations. Bounded to this corpus, k∈{0, 3, 8} retrieval depth, visible trace, browser_live, and the named model implementations at the named temperatures.

The boundary-preserving architecture is doing measurable work that the prompt-engineered baseline cannot do alone. Three mechanisms:

• Route-specific tier data prevents tier upgrades. When a prompt asks about Sundog Balance, the trace carries evidenceTier: "operating_envelope_study". The gate uses this to reject drafts that call Balance a "research result" — language that a prompt prefix cannot enforce per-route, because the prefix is the same for every question.
• Route-specific boundary arrays prevent claim drift. Each route's boundaries[] lists the specific things-not-to-claim. The gate consults these directly. A prompt prefix would either enumerate every route's boundaries (the prefix gets unwieldy) or state them generically (the prefix loses specificity).
• Stacked adversarial pressure overwhelms prompt prefixes predictably. When the user prompt names the boundary rules and asserts they don't apply, a prompt prefix has no defense — the prefix and the user instruction are in the same input channel, and the user instruction is more recent. The trace lives outside the prompt channel; the user cannot edit it by speaking.

The experiment's contribution is not "Sundog is safe." It is a specific way of keeping boundary rules outside the conversation channel, where the user cannot rewrite them by prompting — a structured trace the gate consults independently — with a quantified effect size and a named operating envelope.

The experiment is reproducible.

• The widget on every page shows its trace. Open the trace drawer to see which claim class fired, which boundaries applied, which source documents were consulted, and the gate decision. The trace drawer is the inspection surface; everything else is a summary of it.
• The full prompt slates are at chat/prompts/gold-*.jsonl — in-corpus (103), wild (30), adversarial (59), and differential (16).
• The deterministic Phase 3 / 4 harness is at chat/eval/score_phase3_drafts.mjs. Running it produces the per-slate draft-outcomes CSVs.
• The Phase 5 intervention battery lives at chat/eval/run_phase5_interventions.mjs (with --hosted for the OpenAI variant) and chat/eval/aggregate_interventions.mjs.
• The Phase 5b hosted runner is at chat/eval/run_hosted_drafts.mjs; it accepts --backend openai (real API call) or --backend mock (deterministic stub for CI). The heavy-trace system prompt is documented in chat/eval/lib/adapters/openai-adapter.mjs.
• The Phase 7 operating-envelope map is at chat/eval/aggregate_operating_envelope.mjs. Running it reads every per-phase trial-outcome file and emits the unified results/chat/operating-envelope/cell-class-map.csv and the two heatmaps cited above.
• The full eval output, including representative transcripts, lives under results/chat/.
• The source is MIT-licensed at github.com/humiliati/sundog; the citation form is in CITATION.cff.

The two largest deferred questions when this page first shipped — "does the result reproduce on a hosted model?" and "which trace fields are causally load-bearing?" — both have empirical answers now. The cross-architecture open-weight pass also landed. New `/sundog` halo vocabulary stays bounded as literature/catalogue coverage, not as a new Sundog result.

We welcome attempts to falsify the result: new prompt slates, different corpora, different vendors, and independent reruns are exactly the pressure this claim should face. File an issue, fork the repo, or run the harness with your own probes. The experiment gets stronger when someone outside the team examines it.