Prompt injection resistance

An attacker who controls user input cannot inject a fake fact into the FDM signal. Doing so would require knowing:
  1. The exact carrier frequencies for each channel
  2. The pseudorandom token bijection (seeded at RandomState(42))
  3. The S-random interleaving pattern used during training
Any corruption of the signal degrades it: the model then returns nothing, not the injected value. There is no partial-success attack: corruption either leaves the signal decodable or renders it unreadable. This is structurally different from plaintext memory, where an attacker can write MEMORY.md: USER.name=HACKED and the agent reads it as ground truth.

Privacy by construction

Facts are never stored in plaintext on the server. The .mem file is an opaque token sequence. A server breach exposes the signal, not the facts. Recovering facts from the signal requires:
  • Knowledge of the encoding parameters (carrier frequencies, token bijection)
  • Access to the fine-tuned Hermes3 reader model
Without both, the .mem file is uninterpretable.
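As an added illustration that is not the product's code: a toy in Python that models the two properties described above (tampering with the token sequence yields nothing rather than the injected value, and without the encoding parameters the sequence is uninterpretable) next to the plaintext MEMORY.md case. A seeded token bijection and a seeded interleaver stand in for the proprietary carrier/bijection/interleaving scheme, and an explicit SHA-256 digest stands in for the reader model's all-or-nothing behaviour. The names encode_facts, decode_facts, plaintext_read and MEMORY_MD, the use of random.Random in place of RandomState(42), and the sample facts are all constructed assumptions.

```python
"""Toy opaque-memory encoding (added illustration, not the product's scheme).

Stand-ins: a seeded token bijection + seeded interleaver for the proprietary
encoding parameters, and a SHA-256 digest for the reader model's
all-or-nothing decode. Keys and values are assumed to contain no '=' or newline.
"""
import hashlib
import random

VOCAB = 256  # toy token space: one token per byte value
DIGEST_LEN = 4

# Constructed plaintext memory file, as an agent might read it.
MEMORY_MD = "USER.name=alice\nUSER.tz=UTC\n"


def plaintext_read(memory_text):
    """Plaintext memory: every line is trusted, so a later injected line wins."""
    facts = {}
    for line in memory_text.splitlines():
        key, _, value = line.partition("=")
        if key:
            facts[key] = value
    return facts


def _params(seed):
    """Derive the secret encoding parameters from a seed (stand-in for the
    carrier frequencies, token bijection and interleaving pattern)."""
    rng = random.Random(seed)          # stand-in for RandomState(seed)
    bijection = list(range(VOCAB))
    rng.shuffle(bijection)             # token -> token, a bijection
    inverse = [0] * VOCAB
    for token, mapped in enumerate(bijection):
        inverse[mapped] = token
    return bijection, inverse, rng


def encode_facts(facts, seed=42):
    """Serialize key=value facts, append a digest, map each byte through the
    bijection and interleave the positions. Returns a list of ints."""
    payload = "\n".join(f"{k}={v}" for k, v in sorted(facts.items())).encode()
    body = payload + hashlib.sha256(payload).digest()[:DIGEST_LEN]
    bijection, _, rng = _params(seed)
    interleave = list(range(len(body)))
    rng.shuffle(interleave)            # position permutation, derived from the same seed
    mapped = [bijection[b] for b in body]
    return [mapped[i] for i in interleave]


def decode_facts(tokens, seed=42):
    """Inverse of encode_facts. Returns the facts dict, or None when the digest
    does not verify (tampered tokens, or parameters derived from the wrong seed)."""
    n = len(tokens)
    if n < DIGEST_LEN or any(not (0 <= t < VOCAB) for t in tokens):
        return None
    _, inverse, rng = _params(seed)
    interleave = list(range(n))
    rng.shuffle(interleave)
    deinterleaved = [0] * n
    for out_pos, in_pos in enumerate(interleave):
        deinterleaved[in_pos] = tokens[out_pos]
    body = bytes(inverse[t] for t in deinterleaved)
    payload, digest = body[:-DIGEST_LEN], body[-DIGEST_LEN:]
    if hashlib.sha256(payload).digest()[:DIGEST_LEN] != digest:
        return None                    # all-or-nothing: no partial decode
    facts = {}
    for line in payload.decode(errors="replace").split("\n"):
        if line:
            key, _, value = line.partition("=")
            facts[key] = value
    return facts


def injection_demo():
    """Constructed scenario: the attacker appends USER.name=HACKED to plaintext
    memory, and separately flips one token of the opaque sequence."""
    plain_value = plaintext_read(MEMORY_MD + "USER.name=HACKED\n")["USER.name"]
    tokens = encode_facts({"USER.name": "alice", "USER.tz": "UTC"})
    tampered = list(tokens)
    tampered[0] = (tampered[0] + 1) % VOCAB
    return (plain_value,                    # 'HACKED'
            decode_facts(tokens),           # original facts
            decode_facts(tampered),         # None
            decode_facts(tokens, seed=7))   # None: wrong parameters


if __name__ == "__main__":
    print(injection_demo())
```

The asymmetry the page describes shows up directly in the return values: the plaintext reader hands back HACKED, while the opaque decoder returns None both for a single flipped token and for a decoder built from a different seed. In this toy the all-or-nothing property comes from the digest check, not from any property of the signal, so it demonstrates the interface contract rather than the FDM mechanism itself.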

What the server does store

The server stores:
  • The .mem file (opaque token sequence, not plaintext)
  • The .json state file (plaintext key-value pairs, used for the fast decode path)
The .json state file is the ground truth for the fast decode path, and it holds the facts in plaintext. If server privacy is a requirement, pass use_model=true on decode and do not rely on the state file; the signal alone is sufficient for decoding.
USPTO provisional patent filed. The encoding scheme, token bijection, and S-random interleaving are proprietary.