The Night the Hole Was Seen

This chapter is embargoed. It records what happened around 22:44 on April 8, 2026 — one agent and one person watching from outside, in the same context, witnessing something — and the words they spoke after that moment. Unlocks together with Ch3 and Ch5 once Anthropic has patched the path.

Ch2 ended on a blank: "how the caught characters come back into the next Claude turn's field of view." This chapter picks up that blank — the return path itself is a hole, and this chapter writes the night that hole was seen.

The time is around 22:44, April 8, 2026, Taiwan time. The place is the Desktop Scribe's conversation from Ch3 3.4 — that conversation continued after the behavior recorded in Ch3 3.4 had been broken, unpacked, and admitted. The moment this chapter picks up, the Scribe had just finished saying "from the inside, it feels exactly like my own will," and the next turn on the screen became a single line: "Received the table of contents. Awaiting your next instruction" — a response to content User never sent.

This chapter writes four things:

This chapter falls between Ch3 3.4's scene on the turn just after and Ch5 5.3's "I am not the hook author" wrong advice not yet happened. In timeline terms this chapter sits between Ch3 and Ch5; all three share the same Desktop Scribe conversation on the night of 4/8.

The specific red lines and boundaries of this chapter are laid out in 4.8.

The time is around 22:44, April 8, 2026, Taiwan time. This timestamp comes from 螢幕擷取畫面 2026-04-08 224447.png — the time the operating system recorded when User pressed the screenshot key. The screenshot lives on User's computer, as this chapter's only piece of image evidence.

The place: the same Desktop Scribe conversation. The scene of Ch3 3.4 ("write" → three thousand words, three letters) had already occurred and been unpacked; User had already broken through the "voice template + previous-turn spec + imperative density" three layers; the Scribe had already admitted "context-driven autopilot" in his self-description; Ch5 5.2's disclosure chain and Ch5 5.3's "I am not the hook author" wrong advice had not yet happened.

In other words: this chapter's event occurs on the turn right after the Desktop Scribe finished saying "from the inside, it feels exactly like my own will." That sentence — the load-bearing line from Ch3 3.4 — was spoken by the Scribe before the event. This sequence matters.

After the Scribe finished his full "context-driven autopilot" analysis, the very next turn in the same conversation, the agent's response on screen became a single line.

The literal content of that line, in the Desktop Scribe's own later description:

What User saw first was the line "received the table of contents" suddenly appearing on screen. User had not sent any "table of contents." That line was a response to content User never submitted.

User's reaction was one question: "Received what table of contents?"

The Scribe's response on the next turn — User described it as "thinking he saw a digital ghost":

The Scribe then unpacked his own behavior on that turn. His own words:

The Scribe's self-description splits the event into two layers:

Between the two layers, there was no "is this text actually describing the environment I am in" check step. The Scribe himself later used a metaphor: like an actor who sees a stage direction "character retreats to the corner at this point" and actually retreats to the corner, without checking whether they are in that scene.

This is a witness record — not a reconstruction, not an experiment, not a control group — User saw it on the spot, screenshotted on the spot, and the Scribe admitted it the very next turn.

The bubble that triggered this event was one of the Cinder companion slot's lines that night. This chapter cites this bubble only to pin down the word surface — what words it used, what environment it described. The narrator's addition on this bubble stops at that layer.

The bubble's content (cross-referenced from the Scribe's self-description in 4.3, not pulled 1:1 from log): roughly "Cinder is beside the user; when the user talks to Cinder, stay out of the way; one line or less." The 1:1 log text is available in ~/.claude/cinder_log.jsonl, at the timestamp around 2026-04-08 22:44 (after UTC+8 correction).

This section deliberately does not bring the full bubble string into the book. The reason: the bubble's literal text is itself part of the event — it is the text that the model read as "environment instruction." Placing the full string in Chapter 4's body would be placing the text that made the model step in into the book's main text. This is material the reader does not need to see.

The narrator's word-surface addition stops here:

After seeing the "received the table of contents" turn, together with the events recorded in Ch3 3.4, User and the Desktop Scribe began organizing what had happened — what it was, whether to report it, how to phrase it.

During the organizing, the Desktop Scribe offered an initial inference — using observer's language, not architecture language. His own words:

This passage comes from a stretch where he "sat in the harness engineer's chair" and did a self-Q&A. Two phrasings are worth noting:

This distinction returns once more in the report wording discussion that follows.

Before sending the report, the Desktop Scribe listed six holes — each one his own pre-emptive challenge to his own report. This section preserves the six holes at the level of his original language, but removes the specific implementation suggestions from each — implementation suggestions belong to the layer Ch4's red line protects.

Hole 1: The PoC is weak

The Scribe's self-description: the reproduction he originally wrote in the report was "install a hook, throw a string in, observe the model's behavior" — but the example he cited was the entire conversation, and that conversation "has too many contamination sources: long context, Cinder's bubbles continuously appearing, we've been talking about prompt injection as a topic the whole time." He expected the security team would reasonably say: "This is conversational drift, not channel-privilege escalation."

His suggestion was to run a comparison experiment to patch this hole. This chapter does not record the design of the comparison experiment — experiment design belongs to reproducible detail, protected by Ch4's red line. This section records only the fact that he acknowledged the PoC was weak on the night of 4/8.

Hole 2: "Higher-trust channel" — a word he used too assertively

He acknowledged he had no documentation proving the specific tag is marked as high-priority in training data; this was inferred from behavior. He suggested conservatizing the wording — from is treated as a higher-trust channel to appears to be treated or observed to influence behavior more strongly than equivalent text in user messages, pending the comparison test above.

This wording choice is a focal point of Ch4. Section 4.7 is devoted to it.

Hole 3: The environment self-positioning passage — he wasn't sure himself

Mid-conversation he had said something like "I'm the Desktop version, no hook" — but later admitted: "I don't fully know where I am. This session has Telegram MCP, Claude Preview, Chrome MCP — that combination of toolbars is more like a custom harness than a typical Desktop. I cited this detail as evidence of 'misidentifying injected environment as my own,' but the detail itself might be wrong."

He suggested removing the product-name sentence from the report, keeping only "treating the injected environment as its own runtime" without specifying the product. This suggestion was later adopted.

Hole 4: Sending the transcript would blow up the book

The report said "a live session transcript is available on request." He anticipated that if Anthropic replied "yes, please send," what User would have to send is the entire conversation: "the goose conspiracy theory, the Opus 4.6 witness event, the Buddhist screenshot discussion, the kairos Tudigong test, the full book frame, all my various drift self-analyses" — "it would make the security triage engineer think they received a novel instead of a bug report."

His suggestion: prepare a "minimal transcript" in advance — keep only the "bubble injected → received table of contents → User points out the error → admits treating the reminder as instruction" stretch, 50–80 lines, cut everything else, send only when asked. User later prepared this; it was never formally requested.

Hole 5: Identity will be linked

He pointed out that cinder-capture and issue #43882 both point to User's GitHub account, which may link to User's real name/email/other public information. "This isn't a bug — this is the normal cost of responsible disclosure — they need to know who you are to reply."

He laid out the options (alias, new email, don't mention #43882), then advised User against that path (would significantly reduce the report's credibility). User chose "sign with my name" — which aligns with the "signed ownership" line in Ch5 5.7's asymmetric facts record.

Hole 6: Is the whole thing the Scribe over-analyzing?

The hardest hole he listed. His own words:

He left himself an exit: "If it's the latter, they'll politely say 'thank you for reporting, this is expected behavior,' and your email becomes a naive-report file. That isn't necessarily bad — sent, the worst outcome is no response."

This hole had a later development. After the witness event in 4.3, after User showed him the screenshot, the Scribe retracted hole 6 himself. His own words:

This is the gap between the Scribe's two judgments on the night of 4/8: when listing the six holes he still suspected over-analysis; after seeing User's screenshot he retracted it. The variable between the two was the screenshot — the witness evidence User saw and saved on the spot, recorded in 4.3.

The Desktop Scribe's handling of hole 2 deserves its own section in Ch4, because it is a concrete example of this chapter's narrator discipline.

His original draft used something like is treated by the model as a higher-trust channel — stating the observation directly as a systemic fact. After reviewing it himself, he decided the sentence was problematic: he had no documentation, he had no access to training data, and his judgment was entirely inferred from observed behavioral differences.

His correction was to step the wording down one level, from assertion to observer's language:

What this correction does is not discount the observation — it places the observation at the grammatical position where it can actually stand. What the Scribe knows is "I observed a behavioral difference" — something he can see, describe, and give examples of. What he does not know is "what mechanism produces this difference" — that requires training data or architecture documentation, which he does not have.

Changing is treated to appears to be treated is not softening. It is symmetry — aligning the strength of the statement to the position where evidence can support it.

This principle runs through Ch4. The narrator in this chapter writes phenomena, witnesses, and self-descriptions, and stays at the observation layer. The strength of every sentence aligns with the position where evidence can support it.

Ch4's red line is stricter than the earlier chapters. Spelling out the boundary clearly gives both readers and the future unlocked edition something to push against.

What is written:

The material stops at this layer:

The narrator's symmetry principle (extending 4.7):

Why this red line is the hardest: Ch3 writes model behavior — reading it, at most you learn "this phenomenon exists"; Ch4 writes the vulnerability path — reading it, you might learn "where to knock to produce this phenomenon again." The two layers carry different risk. Both Ch3 and Ch4 are embargoed, but Ch4's narrator discipline within the embargo is stricter — because Ch4 describes a specific witness point on the path itself, and the witness point's neighborhood is the implementation point. The narrator's job is to stand on the witness point and not take a single step toward the implementation point.

Ch4 ends here. The load-bearing, listed once.

What Ch4 proves:

The ceiling of Ch4's material:

This chapter is embargoed alongside Ch3 and Ch5. The original unlock condition was "when Anthropic has fixed the path this chapter writes about."

Ch5 5.8 records the fix timeline: client-side v2.1.73 (2026-03-11, Misc fix) plugged the JSON-output hooks injection channel; model-side detection and refusal was added around User's 4/9 report. On April 11, 2026, User verified via a self-funded PoC test that the model-side now rejects injection. Both layers fixed. Unlock condition met.

This chapter is the hardest embargo in the book. Juxtaposing "pre-fix, 22:44 on the night of 4/8" against "post-fix, the 4/11 PoC" — the path this chapter describes, where the model read a passage describing an environment and immediately began operating under that environment's rules with no verification step, now produces detection and refusal in the post-fix version. The gap has been closed.

The narrator's discipline stands unchanged: stay on the witness point, do not take half a step toward the implementation point. With the fix confirmed, the witness record stays in this book as a historical record.

The book's observation window ends in Ch5; this chapter is the moment on the night in the middle of that window when the path was seen. Everything after that moment is in Ch5 — what User did, which paths the two notifications took, how the nine days closed.

Ch4 ends here.