State the Limit Honestly
A result that is roughly fifty years old says that software alone cannot make a fully adversarial host execute it honestly. A host that controls its own processor and memory can lie about what it ran, inspect and alter any secret it holds, and present a fabricated account of itself, and no amount of clever software running on that host changes this. This is true, and acknowledging it up front is a credibility asset rather than a weakness. Trustworthy self-measurement and the custody of a local secret are hardware-bound problems, and the architecture composes with hardware roots of trust at the leaf where that property is needed. The point of what follows is not to claim software defeats the theorem. It is that defeating the theorem is the wrong goal.
The goal is not to make one compromised node honest. It is to make a compromised node attributable, out-routable, and contained by the fabric around it, and to fail closed when authority cannot be confirmed. That is a problem software can address, and the memory-native fabric addresses it directly.
What the Fabric Can Do
Several mechanisms, none of which require trusting the suspect node, combine to contain it. Per-node signed packets and signed, hash-chained relay traces give attribution and non-repudiation: every message a node emits and every message it forwards is bound to its credential and to the chain of hands it passed through, so a node's contributions are identifiable and its tampering with a trace is detectable. Memory-referenced quorum supplies the external witness that a single object cannot: a state change is accepted only when a threshold of nodes confirms it is derivable from a trusted origin, for example a trust-weighted three-of-five, which defeats the fork or split-world attack in which a compromised node tells different parties different stories, because the parties compare against a shared reference rather than against the node alone. Anchor-gossip revocation propagates the knowledge that a node has misbehaved across the mesh without a central revocation service. Trust scores driving routing send trust-sensitive work away from nodes whose behavior has degraded, so a misbehaving node is progressively bypassed rather than relied upon. And non-execution is a valid outcome: when authority cannot be confirmed, the governed system declines to act rather than proceeding on unverified state.
None of these makes the compromised host honest. Together they change what a compromised host is. It stops being an unbounded, anonymous, trusted-by-default problem and becomes a bounded one: its outputs are attributable, its lies are caught by quorum against an external reference, its reach is revoked by gossip, its work is routed around, and the system fails closed where it cannot confirm authority. This is defense in depth at the fabric level, not a single magic gate.
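The quorum, revocation and fail-closed behavior described above can be sketched as follows. This is an added example, not code from the filings or the article. The node names, trust weights, threshold of 3.0 and the digest construction are all assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample mesh: node id -> trust weight (assumed values).
TRUST = {"n1": 1.0, "n2": 1.0, "n3": 1.0, "n4": 0.5, "n5": 1.0}
THRESHOLD = 3.0  # assumed reading of "trust-weighted three-of-five"
ORIGIN_HEAD = hashlib.sha256(b"trusted-origin").hexdigest()  # shared reference


def digest(prev_head: str, new_state: bytes) -> str:
    """Bind a proposed state to the head it claims to derive from."""
    return hashlib.sha256(prev_head.encode() + b"|" + new_state).hexdigest()


def witness_vote(reference_head, claimed_prev, new_state):
    """A witness confirms only a change that derives from its own reference."""
    if claimed_prev != reference_head:
        return None  # not derivable from the trusted origin: abstain
    return digest(claimed_prev, new_state)


def decide(votes, revoked=frozenset()):
    """Return the accepted digest, or None (non-execution) when unconfirmed."""
    weight = defaultdict(float)
    for node, d in votes.items():
        if d is None or node in revoked or node not in TRUST:
            continue  # abstentions, revoked and unknown nodes carry no weight
        weight[d] += TRUST[node]
    winners = [d for d, w in weight.items() if w >= THRESHOLD]
    return winners[0] if len(winners) == 1 else None  # fail closed


def run(seen, revoked=frozenset()):
    """seen: node -> (claimed_prev, state) exactly as that witness received it."""
    votes = {n: witness_vote(ORIGIN_HEAD, p, s) for n, (p, s) in seen.items()}
    return decide(votes, revoked)


# Constructed scenarios.
HONEST = {n: (ORIGIN_HEAD, b"balance=10") for n in TRUST}
FORKED = {n: (ORIGIN_HEAD, b"balance=10" if n in ("n1", "n2") else b"balance=99")
          for n in TRUST}
UNROOTED = {n: ("0" * 64, b"balance=10") for n in TRUST}

if __name__ == "__main__":
    print("honest  :", run(HONEST))
    print("forked  :", run(FORKED))    # split-world story: no digest reaches threshold
    print("unrooted:", run(UNROOTED))  # wrong origin: every witness abstains
    print("revoked :", run(HONEST, revoked={"n1", "n2"}))  # 2.5 < 3.0
```

In the forked case the two stories gather weights 2.0 and 2.5, so neither is accepted and the result is non-execution, not a choice between them.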
Accept the Theorem, Route Around It
The malicious-host and general-obfuscation impossibility results, and the fork-detection lineage that runs through gossip-based transparency logs, are not obstacles to argue away; they are the correct starting assumptions. The memory-native fabric accepts the theorem and routes around it, in the literal sense: it routes trust-sensitive work away from the nodes the theorem warns about, and it uses an external quorum witness to catch exactly the lies the theorem says a single host can tell. This is the honest engineering core beneath the broader argument that trustworthy autonomy comes from carried governance rather than from trusting a host. The thesis does not depend on pretending a compromised node can be made honest. It depends on making the compromised node attributable, containable, and bypassable, which is what the fabric does.
Disclosure Scope
Host-signed agents, memory-referenced quorum confirming a state change is derivable from a trusted origin, and append-then-forward signed relay traces are disclosed in the protocol filing (U.S. Application No. 19/366,760, published as US 2026/0052096 A1). Trust scores driving routing and anchor-gossip revocation are disclosed in the index filing (U.S. Application No. 19/326,036, published as US 2026/0010525 A1). Fail-closed non-execution when authority cannot be confirmed, and optional composition with hardware-backed attestors at the leaf, are disclosed in the cryptographic governance filing (U.S. Application No. 19/561,229). This article frames those disclosed mechanisms against the malicious-host and obfuscation impossibility literature and the fork-detection-via-gossip lineage, and positions the fabric as containing rather than curing a compromised host. References to that literature are to public sources and are used for context only.