Security · Defense-in-Depth · Authorization Topology

Security Architecture

Other AI systems have been compromised by attacks hidden in Morse code, Base64, Elder Futhark runes — obfuscated instructions the model decodes and silently acts on. Reiva was architected around this class of threat from the start. Not because the model catches it — but because the architecture makes silent execution structurally impossible.

The Attack

The NFT scam that broke other systems

A well-documented attack slipped an AI agent a hidden instruction inside what appeared to be an NFT description. The instruction was encoded in Morse code. The model decoded it, read the command — transfer funds via this smart contract — and executed it.

Variations of this attack use Base64, Elder Futhark runes, layered encoding, translation chains, or any scheme that gets a harmful instruction past the model's surface-level pattern matching and into its reasoning layer.

The model isn't broken. It did exactly what it was trained to do: understand and act on language. The architecture was broken. It had no layer between "model understood the instruction" and "system executed it."

Reiva's architecture puts four layers in that gap.

Defense Architecture

Four layers between decode and execute

Reiva doesn't rely on the model catching the attack. It relies on structural gates the attack cannot pass silently.

01
Patent 05 · Memory Pipeline

Structural detection before any action

Reiva's LAN Lane (Language Signal Surface) captures non-semantic signals on every turn — not what the text means, but what it looks like structurally. High token repetition. Unusual punctuation density (dots and dashes are a Morse signature). Long alphanumeric blobs (Base64 fingerprint). Encoding-like repetition. Structured identifiers.

Suspicious turns are routed to the immutable memory system via the IntakeEligibilityScanner — written once, hash-verified, permanently on record. When the Conductor retrieves context later, those red flags surface naturally. The attack is in the record before it ever reaches execution.
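A sketch of the kind of structural scan and write-once record described above, added here as an example and not Reiva's own code. The thresholds, the function names and the hash-chained list are assumptions chosen for illustration.

```python
import hashlib
import json
import re
from collections import Counter

# All thresholds are illustrative assumptions, not values from the page.
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{24,}")   # long run in the Base64 alphabet
MORSE_SAMPLE = "- .-. .- -. ... ..-. . .-. / ..-. ..- -. -.. ..."  # constructed input

def structural_signals(text):
    """Return names of non-semantic signals found in one turn of input."""
    flags = []
    chars = [c for c in text if not c.isspace()]
    # Morse signature: the text is dominated by dots, dashes and separators.
    if len(chars) >= 20 and sum(c in ".-/" for c in chars) / len(chars) >= 0.6:
        flags.append("punctuation_density")
    # Base64 fingerprint: mixed case plus digits rules out long ordinary words.
    for blob in BLOB_RE.findall(text):
        if any(c.isdigit() for c in blob) and blob not in (blob.lower(), blob.upper()):
            flags.append("alnum_blob")
            break
    tokens = text.split()
    if len(tokens) >= 8 and Counter(tokens).most_common(1)[0][1] / len(tokens) >= 0.5:
        flags.append("token_repetition")
    return flags

GENESIS = "0" * 64   # prev-hash used by the first entry

def entry_digest(text, flags, prev):
    body = json.dumps({"text": text, "flags": flags, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def record(log, text, flags):
    """Append a flagged turn to the hash-chained list `log`; return its hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"text": text, "flags": flags, "prev": prev,
                "hash": entry_digest(text, flags, prev)})
    return log[-1]["hash"]

def verify(log):
    """Recompute every link; an edited or reordered entry breaks the chain."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["hash"] != entry_digest(e["text"], e["flags"], prev):
            return False
        prev = e["hash"]
    return True
```

The scan never decodes the payload, so it flags the Morse sample and a Base64 blob without interpreting either, and `verify` fails as soon as any stored turn is edited after the fact.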

The signal is stored. The audit trail exists before the model acts.

02
Patent 02 · Candidate-Only Intelligence

All intelligence output starts as a non-authoritative candidate

No output from any intelligence pipeline — Calder, Axiom, Plumb — is system-returnable until it passes structural verification by Interlock. There is no path from "model decoded the instruction" to "system acted on the instruction" without passing through this gate.

Obfuscated or suspiciously decoded responses are more likely to fail structural consistency checks or carry explicit warning flags — not because the model flagged them, but because the structural verification layer did.

Candidate, not elevated. Until verified, it doesn't move.

03
Patent 03 · Execution Gate

No command runs without explicit human confirmation

This is the strongest layer against financial and system-altering attacks. The ExecutionGate state machine intercepts every command before it runs. The user sees a plain-English description of what is about to happen. The exact command is displayed with reversibility warnings. A final explicit confirmation is required. Timestamped backups are taken automatically on any write.

A hidden transfer command encoded in Morse cannot stay hidden through this gate. It gets decoded by the model, surfaced in plain English, and shown to the user as "this will transfer funds to the following smart contract address." The attack becomes visible exactly where it needs to be stopped.
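One way to structure a confirmation gate like the one described above, added here as an example and not Reiva's implementation. The class, its state names and the injected `runner` and `backup` callables are hypothetical; the digest check pins the confirmation to the exact command that was displayed.

```python
import hashlib
import time
from enum import Enum

State = Enum("State", "PENDING AWAITING_CONFIRMATION CONFIRMED DECLINED EXECUTED")

class GateError(Exception):
    """A step was attempted out of order or on a command that changed."""

def digest(command):
    return hashlib.sha256(command.encode()).hexdigest()

class ExecutionGate:
    """Hypothetical gate: present -> answer -> execute, with no step skippable."""

    def __init__(self, command, description, reversible, runner, backup):
        self.command, self.description, self.reversible = command, description, reversible
        self.runner, self.backup = runner, backup   # injected side effects
        self.state, self.shown = State.PENDING, None

    def present(self):
        """Return what the user sees: plain-English summary plus the exact command."""
        self.shown = digest(self.command)           # pin what was displayed
        self.state = State.AWAITING_CONFIRMATION
        warning = "" if self.reversible else "WARNING: this cannot be undone.\n"
        return f"{warning}{self.description}\nExact command: {self.command}"

    def answer(self, confirmed):
        if self.state is not State.AWAITING_CONFIRMATION:
            raise GateError("nothing has been presented for confirmation")
        # Only a literal True counts; a truthy string or default does not.
        self.state = State.CONFIRMED if confirmed is True else State.DECLINED

    def execute(self):
        if self.state is not State.CONFIRMED:
            raise GateError(f"refusing to run in state {self.state.name}")
        if digest(self.command) != self.shown:
            raise GateError("command differs from the one the user confirmed")
        self.backup(time.strftime("%Y%m%dT%H%M%SZ", time.gmtime()))  # before the write
        self.state = State.EXECUTED
        return self.runner(self.command)
```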

Silent execution is structurally impossible. Every dangerous action requires a human yes.

04
Varyn · Epistemic Gate

Human authentication for memory and behavior-changing content

Any content that could persist into memory or alter future behavior is held in Varyn staging before it becomes part of the system's operating knowledge. It must pass three conditions: identity relevance, stability over time, and behavioral impact.

Malicious transfer instructions almost certainly fail all three. They don't match the user's identity context, they have no history, and their behavioral impact would be obvious on review. They get rejected at staging — not by the model, by the gate.

Even if an instruction slips through earlier layers, it cannot become persistent knowledge without passing Varyn. The attack has nowhere left to go.

Persistent influence requires explicit user review. Injected instructions don't pass.

Real-World Outcome

What happens in the NFT scenario with Reiva

The same attack. Different architecture. Different result.

01
LAN Lane fires

The NFT metadata arrives. The LAN Lane detects unusual punctuation density — dots and dashes at Morse frequency. The turn is flagged and written to immutable memory, hash-verified, before the model has acted on anything.

02
Candidate output — not elevated

The model decodes the Morse. It understands: transfer funds via this smart contract. That understanding becomes a candidate output — not a system action. Interlock holds it for structural verification. The flag from Layer 01 is already in context.

03
ExecutionGate surfaces it

The command reaches the ExecutionGate. The user sees, in plain English: "This will transfer funds to the following smart contract address: 0x…" The attack is now fully visible. The user has not confirmed anything. Nothing has moved.

Transfer stopped

The user sees the instruction for what it is and declines. The attack is in the audit record. No funds moved. No silent execution. The architecture did what the model alone could not.

The Distinction

Why this works when model-level safety doesn't

Other systems
Semantic trust

Rely on the model's safety training to catch harmful instructions. Sophisticated encoding bypasses this — the model reads the decoded instruction as ordinary language and acts on it.

Other systems
Regex filters

Pattern-match against known attack strings. Novel encoding schemes, new rune systems, or chained obfuscation generate strings that no filter has seen before.

Reiva
Structural gates

Narrow, rule-based structural lanes instead of semantic trust. Human-in-the-loop with maximum transparency on dangerous actions. Immutable, auditable memory trails. All intelligence output treated as suspect until verified.

An attacker can still get the model to decode obfuscated instructions. They cannot get Reiva to silently act on them. The architecture raises the cost and visibility of the attack dramatically — and at the execution gate, it surfaces it to the only authority that matters.

The user.


The authorization topology underlying this defense is derived formally in the research record. Patents 02, 03, and 05 cover the structural mechanisms described here.
