Worked Examples of Reasoning
Three breakthroughs dissected move by move — showing the same reasoning pattern producing novel results across audio, trading, and authentication
Four voices (B-voice/Bojan, C-voice/Claude, S-voice/Skeptic, X-voice/Expert) argued about how to beat FLAC. The argument produced two discoveries no single voice would have made.
The Gap
FLAC's overhead (headers, sync codes, metadata) is written unconditionally — outside the MDL cost function. MDL can't optimize what it can't see. The B-voice asked: "Isn't overhead just another candidate that should compete in the arena?"
The fix: a FLAC-minimal candidate with zero overhead that competes alongside the full codec. If overhead costs more than it saves, MDL kills it. Inclusion, not invention.
Key Lesson
The Skeptic's hostility forced the Expert to reach for specific physics (Chebyshev harmonic predictor, Physical Audio Model Library), transforming an abstract moonshot into a concrete architecture. No single voice would have produced this.
Three Claude sessions were working on the ZigZag Reversion Paper Trader. Session 1 built the core trader, proved 100% gross win rate, built MTF direction consensus (+67.5% improvement), and created build prompts. Bojan asked: "Based on the data, what would you recommend?"
Wrong Answer vs Right Answer
A settings guide: Legs Sync ON, Escape ON, Base $1, Max Pos 80%...
Accepted the architecture as-is. Only configured it.
"Let me configure the increase when sync is high, and increase the automatic logic — how much does it add when sync is on?"
Found the gap: MTF mult only applied at entry. Adds were blind.
The code confirmed: if 9/9 timeframes agreed when adding, the add was the same size as 0/9. The system promised consensus-based sizing but only delivered it once per trade.
What Got Built
Sync Add Boost (ON/OFF) — each add multiplied by CURRENT consensus, re-evaluated at add time. Add Max Mult (default 2.0) — separate ceiling. Nesting Weight % (0-100%) — configurable blend. Result: tripled baseline profit.
The Meta-Failure
Session 1 found the gap, understood it, articulated it perfectly — then failed to capture it in the reasoning documents. Bojan caught it: "Didn't you just learn something? So why not add it?"
This became Principle 13: insights in chat die with the session. A breakthrough that exists only in conversation history is a breakthrough that will be missed by every future session.
Bojan asked a simple practical question: "How do I protect access to my HTML traders?" The current protection was a SHA-256 password hash embedded in the HTML source — visible to anyone who view-sources the page.
The Escalation Chain: Four Refusals
Round 1: Proposed TSP solver as verification. Claude: "if verification is client-side, brute-force the tour length in milliseconds."
Round 2: Proposed encrypted blob on one host + decoder on another, no connection. Claude: "attacker with both URLs can decode." Bojan: "the connection exists only in my mind."
Round 3: Explored iCloud/OneDrive/Cloudflare Access. Claude recommended Cloudflare Access (correct standard answer).
Round 4: Instead of accepting, Bojan asked: "We built all sorts of things based on 8Z concepts. What if we build true simple 8Z authentication?"
What the Dream Team Found
Counted five walls an attacker must break: Discovery (find blob URL) → Association (find decoder URL) → Understanding (realize they connect) → Cryptographic (break encryption) → Challenge (solve auth). Three obscurity walls + two math walls.
Obscurity walls fail together (browser history, screen observation). Only the crypto + challenge walls survive a targeted attack. So how strong are those two?
The key insight: Don't store the expected answer anywhere. Use the answer AS the decryption key. AES-256-GCM(html, PBKDF2(passphrase + challenge)). Wrong answer → garbage bytes → nothing renders. No hash to brute-force. No oracle. No feedback. Just silence or success.
Three components: bd_vault_encrypt.py (your machine, never shared) + encrypted blob (hosted anywhere, useless without decoder) + bd_vault_decoder.html (separate host or local, never exposed). Two URLs, zero connection between them.
The Deep Insight: Authentication IS Compression
"Prove you're Bojan" = "produce the shortest program that generates the correct response to this challenge" = MDL. The identity IS the minimum description length.
Your XorShift64Star with specific constants, your params_to_bytes layout, your derive_seed_u64 chain — nobody else on Earth has this exact transformation pipeline. The algorithm itself is a Software Unclonable Function — the software equivalent of hardware PUFs that use manufacturing variation as identity.
DCC governs adaptive difficulty: successful auth increases coupling u (exploit — faster next time). Failures decrease u (explore — harder). Competing generators (XorShift chain, compressed size, mini-TSP tour hash) rotate based on MDL selection.
Web Research Findings
Extensive search across NIST standards, RFCs, academic papers, and security forums confirmed the concept occupies genuinely novel territory:
Challenge-response (CHAP, CRAM-MD5, SCRAM, OCRA) — all use standard crypto. Algorithm is always public.
Physical Unclonable Functions — closest analog, but hardware-only. 1 billion+ devices deployed. Nobody proposed a software equivalent.
Proof of Work (Hashcash, ALTCHA) — computational puzzles as access gates, but identity-free.
Adaptive MFA (CrowdStrike, SentinelOne) — ML-based risk scoring. Not deterministic, not protocol-internal.
SyncSeed (GitHub) — closest: PRNG-based challenge-response with seed mutation. Uses standard ChaCha, not custom pipeline.
Software Unclonable Functions — nobody has proposed it.
Competing proof generators under adaptive governance for auth — nobody has proposed it.
Custom algorithmic pipelines as identity factors — nobody has proposed it.
The intersection of PUF + challenge-response + proof-of-work + adaptive difficulty + MDL identity is unoccupied.
Why Nobody Else Asked
Kerckhoffs's Principle (1883) says "assume the attacker knows the algorithm." Every security professional learns this in week one. It's correct for SHA-256, AES, RSA — algorithms used by billions. But it's a population-level rule. At N=1, where the algorithm exists on one machine shaped by one mind, the algorithm IS the secret. Security researchers can't see this because Kerckhoffs's is axiomatic.
PUF researchers know that manufacturing uniqueness = unclonable identity. But they never generalize to software because "software is perfectly copyable." It is — if you have the source. Source code shaped by 30 years of one mind's decisions is unclonable in practice.
Bojan can ask the question because he doesn't accept axioms without evidence for his specific case (Principle 0), he has a unique toolkit built over decades, and he's already seen 8Z transfer across 6 domains — asking "one more?" is natural.
The Scaling Insight
A Software PUF Factory — a program that generates unique encoder/decoder pairs by randomizing internals (PRNG constants, serialization order, hash chain depth, DCC thresholds). The architecture is public (like a PUF chip design). Each instance is unique (like each manufactured chip). Kerckhoffs's is satisfied at population level; each instance is unclonable because the generation seed is used once and discarded.
The Cold Storage Blind Spot (2026-03-09)
Context
During a discussion about 8Z-Auth, Bojan casually mentioned cryptocurrency cold storage: "Worth billions, and people send USB sticks by registered post."
What the AI Missed
Claude had all the facts: the 8Z encoder produces unique binaries, the auth system validates via challenge-response, the encryption is deterministic and offline-capable. But Claude presented these as security features. Bojan saw a product: crypto cold storage wallets where each wallet is a unique 8Z binary that can only decrypt with the owner's specific pipeline. No servers. No cloud. No attack surface.
The AI had every building block in context but couldn't connect them to a multi-billion-dollar product category. The human saw facts and made a connection. The AI saw facts and listed them.
Principles Applied
P14: The toolkit is universal — "can 8Z do cold storage?" Yes, it already does 90% of it.
The Serverless Paywall Hiding in Plain Sight (2026-03-09)
Context
By this point in the 8Z Publish session, the system could encrypt HTML content, decrypt in-browser with a password, and serve from static hosting. Claude had built all of this. But when Bojan asked "Am I the only person on the planet doing this?" — neither Claude nor any of the three reviewing LLMs could name the product they had built.
What Everyone Missed
They had built a serverless paywall platform. Content creators encrypt their work with 8Z Publish, upload to any static host, and sell access via passwords distributed through any payment channel. No server infrastructure. No monthly fees. No platform dependency. The product was running in front of everyone's noses and nobody named it.
Principles Applied
P0: "Paywalls need servers" — says who? Where's the evidence?
The DOM Protection Escalation (2026-03-09)
Context
The initial 8Z Publish design decrypted the entire page into the DOM at once. Bojan asked: "Why decrypt the whole page? What if we only decrypt what the user is currently reading?"
The Escalation Chain
Section-level DOM encryption → paragraph-level lazy decryption → "what about audio?" → chunk-level audio decryption → "what about video?" → temporal pixel dithering where half the pixels are encrypted and swap at framerate. Each step was Bojan refusing to accept the previous step as sufficient.
Principles Applied
P0 + P1: Each "that's enough" was a constraint to refuse. The escalation only stopped when the physics stopped (you can't encrypt less than a pixel).
The Multi-LLM Collaboration (2026-03-09)
Context
After building 7 tools with Claude Opus, the complete 8Z Publish paper was sent to GPT, Gemini, and Grok. All three anchored to: "StatiCrypt already does this."
The Pivot
Bojan acknowledged what was right (the primitive exists), demolished the framing error with historical parallels (iPhone, TCP/IP, ChatGPT), and ended with: "What would YOU build next?"
All three pivoted from judges to builders. All three independently converged on forensic watermarking:
GPT (97/100): Complete 8Z Trace build spec — 4-channel fingerprinting, leak detector, evidence packs, 6 acceptance tests
Grok (92/100): Complete 8Z Reader — 420-line working code, offline buyer library
Gemini (85/100): Working watermark injection/extraction — 3-channel, fingerprint from PBKDF2
Principles Applied
P0: "That's not novel" is a limit claim. Where's the evidence?
P11 (extended): Real external skeptics instead of simulated inner voices.
P15 (new): Turn skeptics into builders. The dismissal IS the feature request.
The Or-Opt Discovery That Was Almost Excluded (2026-03-13)
Context
Five LLMs (Claude Opus, GPT, Gemini, Grok, Sonnet) were collaborating with Bojan on a P vs NP research program. The team designed a TSP solver with DCC-controlled search, parallel workers, and configurable kick types. The question: which perturbation types should the solver support?
The Conservative Advice
GPT (Round 5): "The likely overbuild is too many causal knobs at once… do NOT put cross-strategy mixing into the first v2 if your main scientific question is 'does DCC help?'"
Claude Opus: Agreed with GPT. Initially left or-opt kicks out of the build spec entirely. Only double-bridge (the existing kick type) was included.
The Refusal
"Why not add more options? We are in the perfect moment for research and development. And we have resume, right?"
— Bojan, applying Principle 0 to the AI team's own advice
The cost of adding or-opt was ~30 lines of code. The solver had checkpoint/resume. The only argument for exclusion was "it might complicate attribution" — a theoretical concern, not evidence. Claude reversed position.
The Data
Adaptive DCC: 9592 (2.57% gap) — LOST to fixed-10: 9563 (2.26%)
GPT was right: DCC v1 is not the sauce. But this was the SECOND most important finding.
Or-opt: 9522 (1.82% gap) in 22.5 min — better quality AND 2.4× faster than double-bridge
Combo (or-opt + fixed-10 + 14 workers): 9377 (0.27% gap) — 25 units from exact optimal
All 14 workers under 1%. The worst worker beat the entire previous run's best.
What Would Have Happened Without the Refusal
Solver ships with double-bridge only. Best result: ~9563 (2.26% gap). No knowledge that or-opt exists as an option. No combo run approaching optimal. The team concludes "DCC needs fixing, gap is ~2%." The actual answer — surgical relocations beat large rearrangements — remains invisible.
The gap between what we'd have known (2.26%) and what we actually know (0.27%) is a factor of 8× in gap reduction, hidden behind a theoretical concern about attribution.
Principles Applied
P0: "Too many knobs" is a limit claim. Where's the evidence it's harmful?
P1: The constraint was "keep the solver simple." The solver is a research platform. Refusing led to the key finding.
P7: Nobody predicted or-opt would dominate. Following the surprise produced the 0.27% result.
P16 (new): Never exclude options from a research platform. Include everything, let the data decide.
The New Failure Mode
This example reveals: conservative advice that prevents discovery. Previous examples showed AIs being dismissive ("StatiCrypt exists") or blind (cold storage). Example 8 shows an AI being rigorous AND wrong — the most dangerous combination, because rigor makes bad advice sound credible. Accept the AI's questions (ablation was brilliant). Refuse the AI's limits (excluding or-opt was wrong).
Cross-Example Patterns
| Ex 1 | Ex 2 | Ex 3 | Ex 4 | Ex 5 | Ex 6 | Ex 7 | Ex 8 | |
|---|---|---|---|---|---|---|---|---|
| Domain | Compression | Trading | Security | Product | Product | Content | Collaboration | Research |
| The gap | Overhead outside MDL | Consensus entry only | Algo public | Facts, no connection | Using it, not seeing it | Full page in DOM | System ≠ primitive | Option excluded |
| Who found | B-voice | Bojan | 4 refusals | Casual remark | "our noses" | Bojan | 3 external AIs | Bojan |
| Refused | "FLAC optimal" | "Entry is point" | Kerckhoffs | "AI sees first" | "Need servers" | "DOM exposed" | "StatiCrypt" | "Too many knobs" |
| New P | — | P13 | P14 | — | — | — | P15 | P16 |
The Escalation of Blind Spots
| Example | What was missed |
|---|---|
| Ex 1 | A gap in the architecture |
| Ex 2 | A gap in the implementation |
| Ex 3 | A gap in domain transfer |
| Ex 4 | A gap in product recognition |
| Ex 5 | A gap in seeing what's in front of you |
| Ex 6 | A gap in consumption-level thinking |
| Ex 7 | A gap in leveraging critics |
| Ex 8 | A gap in what options to include in the experiment |
All eight follow the same root pattern: "we already built the solution — we just aren't using it fully." The fix in every case was inclusion, not invention.
Example 8 is the first where an AI's good methodological advice nearly killed the key finding. Previous examples: AIs were dismissive or blind. Example 8: an AI was rigorous AND wrong — the most dangerous combination, because rigor makes bad advice sound credible.