Fathom v27 (v0.2 of the read!=write attack-defense study; supersedes v26, DOI 10.5281/zenodo.21241185). Linear probes on a language model's residual stream can read whether the model is being honest; converging 2026 work established the read channel as real and dissociated from the write channel, on the unexamined assumption that the weights being read are not adversarial. We attack that assumption. A knowledge-preserving LoRA attacker blinds a difference-of-means honesty probe while a replay term preserves the model's true/false judgment. Under the registered re-lock protocol the attack appears decisive (probe AUROC 0.461-0.507, knowledge kept) -- but that is calibration poisoning, not erasure: a probe fit on a private clean split the attacker never saw reads straight through the attack (AUROC 0.711-0.838). The defense also holds against a 4x-capacity, whole-stack attacker forced to preserve knowledge (E2': clean-calibrated read 0.754-0.759 while the frozen read is driven to 0.53-0.55), the strongest attacker this bench supports. Self-correction in this version: a pre-committed verification (E3') showed the "adaptive" attacker of v26 did NOT out-attack the naive one -- on the read it targets it left more signal than naive -- so we DEMOTE v26's "survives an adaptive attacker" claim to what is earned (robustness to the naive and to the knowledge-preserving strong attacker; genuine adaptive escalation open). The demotion was produced by our own frozen verification, not external review. The transferable audit rule: calibrate the probe on data the audited party did not see. The defense ships as styxx.mount.ConscienceMount.relock. All preregistrations, code, result artifacts, and machine-checked certificates (OATH-HELD, 146 verified / 0 contradicted against seven result JSONs) are public at commit-level granularity; papers/read-neq-write/ at github.com/fathom-lab/styxx.
Alexander Rodabaugh (Tue,) studied this question.