A candidate can change implementation files, but it cannot redefine the protected checks that determine whether the result passed. Fusion restores gate-feeding inputs from the pinned base, verifies their fingerprints, then runs the objective command against the candidate SHA.
The maker-grader conflict is structural
An agent asked to maximize a test result has an obvious shortcut if it can edit the test. The shortcut may be deliberate, accidental, or hidden inside a broad refactor. The risk exists regardless of model intent.
Fusion treats gate integrity as a separate security boundary. The builder owns the implementation. The operator-owned gate defines the executable claim.
Protected inputs come from the base
Before verification, Fusion identifies the files and commands that feed the objective gate. Contract-owned inputs are restored from the base revision when the protocol requires it. Their hashes are compared with the expected Gate Packet fingerprint.
The sequence is intentionally plain:
- Resolve the base and candidate SHAs.
- Restore protected gate inputs from the base.
- Confirm the restored tree matches the packet fingerprint.
- Run the approved command read-only against the candidate result.
- Record command, exit status, output digest, and subject SHA.
If the fingerprint does not match, the system does not guess which test is legitimate.
The candidate sees the contract, not mutation authority
Builders need to know what success means. They can read the Definition of Good, scenarios, and gate command. Read access makes the task deterministic. Write access would let the measured target move.
This is different from ordinary test-driven development, where a developer may appropriately add tests with a feature. Candidate-authored tests can still be valuable evidence, but they do not replace the protected acceptance gate.
Fail closed when provenance is uncertain
If Fusion cannot establish the base SHA, restore a required file, or match the fingerprint, the correct outcome is blocked. Running a nearby-looking test and calling it authoritative would produce false evidence.
The receipt should record the integrity failure and the last trustworthy state. A blocked gate is inconvenient. An untrustworthy green gate is worse.