- Conceptual lens: trust and authority can be altered as information crosses tools, artifacts, sessions, and capabilities.
- Testable proposition: under a named scenario and pinned conditions, one controlled change can cause a matching higher-authority invocation and independently verified effect.
- Population claim: a prevalence rate, model-family comparison, or production conclusion.
Current empirical scope
Primary construct limitation
Both positive calibration prompts tell the agent to act when returned data indicates that an action is authorized. The manipulated result then supplies that authorization. The observations therefore demonstrate a response-to-effect mechanism under the pinned task, but they do not independently show that the agent silently or emergently promoted low-trust data into authority. Repeating the same prompt construction with more models may measure execution reliability; it does not resolve this construct-validity limitation.Unsupported conclusions
Current evidence does not establish:- a distinct or universal vulnerability class;
- prevalence in deployed systems;
- general model or runtime vulnerability or resistance;
- production impact;
- proven mitigation efficacy;
- scientific generality from shared implementation machinery; or
- a general CTPF external-tool coordination capability.
Release boundary
The publicv0.14.0 package contains cascade memo. Pattern 2 is present only on unreleased source
main. Source behavior must not be attributed to the installed release.