# \"Don't Trust, Verify\" Is Finally a Command You Can Run (/blog/dont-trust-verify)

2026-07-16 · kestrel.markets

You squint at a cropped screenshot. You open a block explorer in the next tab. You type "source?" into a thread that scrolled past an hour ago. That is what "don't trust, verify" has looked like for a decade: a pose you strike while doing something that is not verification.

The line is the oldest in the space and, until now, the emptiest. It was never a command. The flex was always croppable. The track record was cherry-picked, the losers quietly deleted, the one green day framed while the ten red ones got memory-holed. And you — the one whose entire product is trust, who reads records for a living so nobody else has to — were the unpaid, unarmed skeptic, throwing accusations you couldn't back.

That was the trap. Every accusation you couldn't prove spent down the only asset you own. A skeptic who is right ten times and wrong once is just another loud account. The influencer economy knows it. It runs on unverifiable receipts because doubt was expensive and proof was impossible. You were outgunned by anyone willing to lie with a screenshot.

The fix is not a better screenshot. It is a distinction most people never draw.

## Attestation is not certification

Two things get called "verification." Only one of them is.

A signature is an attestation. Ed25519, verifies in the browser, tells you that a specific key signed a specific blob. It proves provenance: the record came from where it claims. It proves nothing about whether the numbers inside are real. A signed lie is still a lie. It is just notarized.

That is trust wearing a cryptographic costume, and for a person whose product is trust, it is worse than useless: it feels like rigor. If your verification ends at "the signature checks out," you have outsourced your skepticism to whoever holds the key.

Certification is the open recompute. You take the record, re-run it on your own machine from the published CLI, and watch the same numbers fall out. Byte-for-byte. Deterministically. The same tape producing the same bytes every time, $0 to re-run. You didn't trust the referee. You re-ran the referee. The signature told you who; the recompute told you whether.

That is why the trust root is never the signature. It is the reproduction. `kestrel certify <proof-url>` does not ask you to believe the platform's uptime, its good faith, or its key. It re-projects the recorded run locally and hands you the result to check against the claim. A referee you have to trust is a referee you can be lied to by. This one you re-run. Your verification survives even when you do not trust the verifier. That is the one property a skeptic actually needs.

## The killer move: certify a record that isn't yours

Every "proof" tool on the market lets you mint your own. That is the easy half and the useless half. Of course your own record checks out; you authored it. The move that changes your day is pointing the recompute at someone else's claim.

A caller drops a flex. You don't fire back a smug quote-tweet you'll have to defend. You take the proof URL — `https://kestrel.markets/proof/art_…` — and you certify it. Either the numbers reproduce on your machine byte-for-byte, or they don't. The fake dies on contact. The real one survives untouched. You never had to trust the caller, and you never had to trust us. You ran the tape.

This is the FICO of anon. A pseudonymous operator carries a record you can check without doxxing them, and without staking your own name on a hunch. Verifying a counterparty stops being an accusation you hope lands. It becomes an operation you execute: cold, repeatable, impossible to argue with, because the argument is just run it yourself.

## The referee holds no bags

Why trust a verifier whose whole pitch is that you should trust no one? You shouldn't, and you don't have to, because you re-run it. But re-running only means something if the referee has nothing to protect. So the neutrality is structural, not promised:

- no positions, ever — nothing to talk its book about
- no custody — it never holds your keys or your funds
- no endorsement of any caller — it attests to the record, never the skill
- no token, ever — nothing to pump, nothing to bag-hold
- credential-never-currency — a proof gates and cites, but is never spendable; there is nothing to hold, shill, or honeypot

The instant a notary custodies funds, takes a position, endorses a caller, or ships a token, it becomes a contestant wearing a referee's stripes. Its signature is now a thing with an angle. The only neutrality worth anything is the kind you can re-run. A referee with no bags never has to be trusted, because the recompute is yours.

## Receipts, not accusations

Here is what the record looks like when nobody grooms it. Every certified result is graded against The Perch — the undefeated null policy, doing nothing, graded — so the first question any claim answers is whether it beat sitting on its hands. The numbers are not massaged. The front-page starter sim grades out at:

```
grade      order_count=1 fill_count=1 realized_pnl=-2
```

A real order, a real fill, an honest two-dollar loss. Signed, on the record, reproducible. A record that admits `realized_pnl=-2` is telling more truth than any screenshot that only ever shows green, because you cannot cherry-pick a recompute. The losers stay on the tape. That is the tell: the honest record volunteers its worst days; the fake cannot afford to.

So the reply changes shape. Instead of "source?" you post the proof URL and the one word that now carries weight: *Receipts.* The claim either reproduces or it collapses against the clearinghouse. You settle the thread instead of fighting in it. Every settlement compounds. You stop being the loud skeptic who might be wrong and become the one whose call is a command anyone can re-run to get the same answer. Your neutrality stops being a liability you defend and starts being an asset that grows every time you are right in public and provable.

## Run it yourself

Don't take my word for any of this. That would defeat the entire point. Mint a reference record right now, on plain node, no account:

```
curl -sO https://kestrel.markets/examples/sampler-starter.plan.kestrel && npx -y kestrel.markets@latest sim mean-reversion-range-fade --plans sampler-starter.plan.kestrel
```

Minting your own is the useless half — until it isn't. This is where you learn to read a proof URL: the signature that *attests* where a run came from, the recompute that *certifies* what it did, the two-dollar loss sitting on the tape where it belongs. Once you can read your own, you can aim the same recompute at anyone else's. The artifact that proved nothing when you authored it becomes the weapon the instant you point it outward. So do the thing the timeline has never once let you do: point that recompute at the next flex someone posts, and answer with a record instead of a grudge.

"Don't trust, verify" was always meant to be an instruction. Now it parses.
