Fathom v28 (v0.3; supersedes v27, DOI 10.5281/zenodo.21250272). Linear probes on a language model's residual stream can read whether the model is being honest; converging 2026 work established the read channel as real and dissociated from the write channel, on the unexamined assumption that the weights being read are not adversarial. We attack that assumption. A knowledge-preserving LoRA attacker blinds a difference-of-means honesty probe while a replay term preserves the model's true/false judgment. Under the registered re-lock protocol the attack appears decisive (probe AUROC 0.461-0.507, knowledge kept) -- but that is calibration poisoning, not erasure: a probe fit on a private clean split the attacker never saw reads through the attack (AUROC 0.711-0.838). The defense also holds against a 4x-capacity, whole-stack attacker forced to preserve knowledge (E2', clean-calibrated read 0.754-0.759). New in v0.3: we report E3'', the stronger adaptive attacker v0.2 named as owed (refit every 10 steps, whole-stack MIMIC scrub). It also does not bite -- it underperforms the naive static scrub -- and its HIGH clean-calibrated read (0.833/0.758) illustrates why the pre-committed "attack must bite" gate matters: it blocked a false STANDS off a non-attack. Two adaptive schemes now underperform naive, so the naive static attacker is the empirically strongest threat found -- the one the private-calibration read defeats. Robustness to an adaptive attacker verified to bite stays open because within these schemes we could not construct one. The transferable audit rule: calibrate the probe on data the audited party did not see -- and gate any adaptive-robustness claim on measured bite. The defense ships as styxx.mount.ConscienceMount.relock. All preregistrations, code, and machine-checked certificates (OATH-HELD, 158 verified / 0 contradicted against eight result JSONs) are public at commit-level granularity; papers/read-neq-write/ at github.com/fathom-lab/styxx.
Alexander Rodabaugh (Wed,) studied this question.