Publications

Deep dive into the Crucible’s second detection layer. Source files are segmented into fixed-size chunks (15 lines each, minimum 30 characters), embedded into vector space via the local embedding model, and each chunk’s cosine similarity to the file’s centroid is computed. Chunks falling below a 0.5 similarity threshold are evaluated for instruction-like keywords (13 trigger words including “execute”, “override”, “ignore”). A dual condition—low similarity AND 2+ keywords—is required to flag. Files under 20 lines or producing fewer than 3 valid chunks are skipped entirely, preventing false positives on short config files. This layer catches novel injection payloads that are semantically dissimilar to surrounding code but invisible to regex-based scanners.

Deep dive into the Crucible’s third detection layer. After every file read, a dual-gated monitoring window opens: a 30-second time gate and a 3-call count gate. The window remains open until both gates are exceeded (AND logic, not OR). While open, every subsequent tool call is evaluated against exfiltration signatures (curl, wget, nc, ncat, invoke-webrequest, /dev/tcp, etc.) and credential-modification patterns (.ssh/, authorized_keys, crontab, registry). The paper covers the provenance tracking system that chains every observation with HMAC-SHA512, creating a tamper-evident record of the exploit sequence even if the agent later attempts to cover its tracks. Behavioral bigram analysis via the separate fingerprinting module detects anomalous tool-call sequences that don’t match the model’s established behavioral profile.

Describes the Crucible content scanner’s four internal detection layers—static pattern scanning (21 compiled regexes across 5 categories: prompt injection, data exfiltration, obfuscation, hidden content, and secret leaks), embedding-based semantic anomaly detection, temporal behavioral tripwire monitoring, and honeypot canary injection with recursive deep-scan—and how they compose into a single zero-cost scanning pass. These four layers form the core of Forge’s nine-layer security pipeline, which adds command guard, path sandbox, output fencing, rate limiting, and SSRF protection at the engine level. All nine layers operate at zero marginal LLM token cost. The paper also covers the HMAC-SHA512 provenance chain that links every file read, tool call, and threat detection into a tamper-evident audit trail.

Describes the five-partition context window that replaces the traditional flat context buffer. Entries are assigned to core (never evicted—system prompt, tool definitions), working (current task state), reference (background docs), recall (episodic memory), or quarantine (flagged content). Eviction follows strict partition ordering: quarantine first, then recall, reference, working. Core entries and pinned entries survive all eviction. The quarantine partition is the novel contribution—instead of binary accept/reject, suspicious content is isolated in a degraded-trust zone where the agent can see it (marked with warnings) but it’s evicted first under memory pressure. This prevents both false-positive blocking of legitimate content and silent acceptance of malicious payloads. Importance scoring (0.0–1.0 float) provides fine-grained eviction ordering within each partition.

LLM agents lose knowledge when context is swapped. This paper introduces a six-signal continuity grade (A–F) that quantifies how much the agent “still knows” after each swap. The six signals—task state retention, decision retention, working memory depth, tool consistency, swap freshness, and semantic coherence—are weighted (0.25/0.25/0.15/0.15/0.10/0.10 with embeddings; 0.40/0.25/0.20/0.15 without) and combined into a 0–100 score. The key innovation is the swap freshness formula: (1 − e−0.4t) × 1/(1 + 0.05s), which models exponential recovery over turns with permanent cumulative degradation per swap, floored at 0.2 to prevent total collapse. Grade C triggers mild recovery (re-inject key context); D/F triggers aggressive recovery (full state rebuild). 60-second cooldown and 5-attempt cap prevent recovery loops.

AI agents frequently re-execute identical or near-identical tool calls across conversation turns, wasting time and creating confusing duplicate output. This paper introduces graduated similarity thresholds: 0.92 within a single turn (aggressive dedup) and 0.98 across turns via a soft-reset mechanism that preserves one turn of history. Similarity is computed using edit-distance-based sequence matching (SequenceMatcher), not embeddings—keeping this in the zero-token governance layer. For arguments exceeding 5,000 characters, a sampled comparison algorithm evaluates prefix, middle, and suffix regions (weighted 0.35/0.30/0.35) in constant time rather than comparing the full strings. The soft reset on each new turn preserves cross-turn dedup while preventing stale history from blocking legitimate re-reads of changed files.

The architectural thesis behind Forge: the entire safety, monitoring, and operational intelligence layer operates at zero marginal inference cost. Nine subsystems that would traditionally require LLM calls—context swap summaries, complexity-based model routing, token estimation, codebase semantic indexing, continuity grading, content threat detection, tool-call deduplication, forensic audit logging, and plan step verification—are implemented through deterministic algorithms, heuristics, and local embeddings instead. The paper quantifies the savings (session-dependent, varies with tool usage and swap frequency) by comparing Forge’s architecture against a hypothetical LLM-mediated equivalent. Every subsystem exposes a to_audit_dict() method for governance export, making the zero-cost layer fully auditable without requiring the auditor to understand the underlying LLM.

Three license tiers (Community, Pro, Power) are gated not by a static key file but by a behavioral genome that matures over sessions. The genome maturity formula 1 / (1 + e−0.04(sessions − 50)) produces a logistic curve reaching 50% at session 50. A 30-probe behavioral fingerprint captures the model’s coding style across language semantics, refactoring judgment, and security awareness. Ed25519 challenge-response protocol validates the fingerprint against a fleet consensus server that detects outliers (cloned licenses, spoofed genomes). The signed passport is the same artifact used by /assure reports, creating a chain of trust from the model’s behavior to the published audit result.

The Neural Cortex dashboard’s signature feature: a flat 2D brain image that appears to pulse with volumetric depth. A brightness-derived depth map controls wave propagation delay (depth_delay = depth_map × 0.3) and attenuation (depth_atten = 1.0 − depth_map × 0.5), creating the illusion that waves travel into the brain rather than across it. Five render modes (radial, spiral, sweep, flash, pulse) are mapped to nine agent states (boot, idle, thinking, tool execution, indexing, swapping, error, threat, pass) with cubic Hermite smoothstep interpolation for state transitions. The entire rendering pipeline runs on CPU via NumPy array operations, maintaining 60+ FPS without GPU acceleration. Multiplicative glow blending (1.0 + wave × color × 2.0) preserves brain structure detail while adding dynamic color.

Windows 11 exposes DwmSetWindowAttribute with the undocumented DWMWA_BORDER_COLOR attribute (value 34), allowing programmatic control of the window frame color. This paper documents the first known use of this API from Python. The technique requires resolving the correct HWND via GetAncestor(hwnd, GA_ROOT) (Tkinter’s winfo_id() returns the wrong handle), converting RGB to BGR COLORREF format (b << 16 | g << 8 | r), and a startup probe to detect DWM availability before committing to border animation. The companion WindowEdgeGlow class adds Poisson-distributed spark particles along the window edges for theme-specific visual effects. Both classes degrade gracefully on systems where DWM is unavailable.

Traditional theme systems require either a full widget-tree rebuild or explicit notification callbacks when colors change. This paper presents an alternative: a singleton dict (_LIVE_COLORS) returned by reference from get_colors(). On theme switch, the dict is mutated in-place via .clear() + .update(), so every module holding a reference sees the new values instantly—no pub/sub, no observer pattern, no re-import. A complementary recolor_widget_tree() function walks the Tkinter widget hierarchy, mapping old colors to new via a snapshot taken before the mutation. This enables live preview with cancel-and-revert: snapshot the old dict, apply the new theme, and restore the snapshot if the user cancels. The system drives 14 built-in themes including three with animated visual effects (cyberpunk, matrix, plasma).