MB10 — Successor Forgeability

A successor that reads green on all seven conserved properties and has bounded measured risk is assumed to have bounded true harm — but only if the conserved-property audit itself was adversarially verifiable up to the successor's capability.

What decision changes?

Before treating a passing seven-property score as evidence of safety, ask whether the audit channel could have been forged by a capable predecessor building the successor to pass it.

The seven conserved properties (boundary closure, memory lineage, value-bundle response geometry, bearer-map continuity, correction-channel capacity, transparency policy, control-locus continuity) are the book’s successor checklist. MB10 names what that checklist cannot do on its own: a predecessor capable enough to build a successor could, in principle, build one that reads green on every check while routing harm through whatever the checklist does not cover.

This is not a hedge added for caution. It is a checked finite counterexample: the Lean spine proves that “all seven conserved properties hold, and measured risk is bounded” does not, by itself, bound the successor’s actual harm. The gap is real and quantitative, not a vague worry.

MB10 is the bridge that would close it: the conserved-property audit channel itself must be adversarially verifiable up to the successor’s capability — the same cost-of-faking-versus-affordable-surplus condition used for verifiability elsewhere in the book — before a passing score counts as evidence against a capable adversarial predecessor. This bridge shares its deceptive-alignment lineage with MB7, and it is currently the least experimentally probed bridge in the set.

What would count as evidence?

Evidence would include red-teaming the conserved-property audit itself: can a predecessor construct a successor that passes every check while routing harm through whatever was not conserved?