ryan.profile

Ryan MacArthur

I build privacy-preserving infrastructure — agent authorization, proof systems, sovereign identity. The parts of the stack that nobody sees until they break.

This site is mostly a desk: what I’m thinking about, what I’m shipping, and how to reach me.

Munich
↔
San Francisco
GitHub
mac@secure.build

tls 1.3 · h2 / h3 · brotli secure.build

reading · writing

Reading & writing

Long-horizon agentic memory. The replayable-vs-summary problem across weeks of agent activity — how to keep policy provable when the context window can’t hold the proof. (writing about this on x)
Defense in depth, not defense-by-design. Why single-layer mitigations — including Google DeepMind’s CaMeL dual-LLM capability gates — keep losing to prompt-injection chains the capability model never modeled. Reading the three follow-ups that landed since:
1. Nasr et al. — The Attacker Moves Second (Oct 2025): adaptive search bypasses 12 static defenses at >90% — the rhetorical hammer.
2. Tallam & Miller — Operationalizing CaMeL (May 2025): three structural gaps — initial prompt trust, output manipulation, side-channels CaMeL doesn’t track.
3. Foerster et al. — CaMeLs Can Use Computers Too (Jan 2026): branch-steering coerces the privileged planner down attacker-chosen branches of its own pre-approved plan.
Capability isolation is necessary, not sufficient.
On-device security primitives (inherent line of work). How fast is a modern Pixel Tensor TPU for the small attention models a wake-gate actually needs, and what does Android’s AOC (Always-On Compute) island give you for free vs. what still needs the big core to wake? Where does StrongBox / Keystore attestation buy you a real trust root vs. theater?
Foundation work I keep returning to. WebAuthn 3, WebGPU, IPFS, TLS Notary.

Open to talking with security / privacy infra teams — particularly anything sitting at the intersection of regulated data and ML.

projects

Projects

vet · Deterministic agentic memory shoebox of receipts, not summaries

Imagine an accountant who throws away the receipts and writes you a weekly summary instead. Until April that’s fine. When the IRS asks why a $4,200 payment went out on March 12, the summary’s a guess.

AI agents today are that accountant. Their memory is a paragraph the model rewrites itself every turn. When the agent does something wrong, you can’t replay why — there’s no shoebox.

vet is the shoebox. Every event the agent saw, in order, in cement. Replay any moment, get the same answer. Same input, same output. The agent stops being a black box.

same in, same out

resumable at any tick

shared truth, not a brief

byte for byte

v9 · Node.js, in this tab. No machine. wasm · Linux syscalls · no kernel touched

WALI exposes ~370 real Linux syscalls as WASM imports. Wasmer Edge.js packs Node into one WASM blob (V8 / JSC / QuickJS pluggable). v9 stitches them: edge.js in a tab, WALI-style syscalls, bVisor’s sandbox-per-call contract. No kernel touched. Trust boundary: the browser tab.

→ Where’s the bug? Not the WASM sandbox. Look at T4.

v9 architecture: browser tab trust boundary; napi-bridge → WALI thin-kernel ABI → WASIX shims atop Wasmer Edge.js (V8/JSC/QuickJS pluggable) with MEMFS; outbound traffic falls through T1 gvisor-tap-vsock, T2 Wisp tunnel, T3 fetch-proxy, T4 raw fetch + CORS (attack surface)

v9 — recorded session

runcards · proof before privilege one envelope, every TEE vendor

Trusted Execution Environments are hardware-fragmented — Intel TDX, AMD SEV-SNP, NVIDIA H100 CC, ARM CCA, Apple Secure Enclave: every vendor ships its own attestation quote format. Before runcards, verifying agent work across mixed hardware meant writing a separate verifier per TEE. Runcards introduces a single quote envelope that wraps any vendor’s quote, plus an embeddable SVG card so a project can show at a glance what attestation level it actually shipped at. Three card profiles below; the middle one is live-verifiable in this page.

passport · identity
signal · live (verifiable)
tokenstream · evidence
pocket · compact
team · aggregate
team · terminal
team · ledger
team · relay
team · scoreline

nine profiles · one universal envelope

inherent on device

Best-in-class on-device speech. A custom-trained BERT routes every utterance to one of 12 local buckets. Mic frames stay in the tab.

WebAudioONNXon-device

→

webkitium research

The only multiplatform web engine that isn’t Chromium. Because the open web shouldn’t collapse to one vendor.

C++WebGPUWebAuthn

→

TLS Notary EF · 2024

A year on EF’s MPC team. Two-party crypto around a TLS session so a third party can trust what someone saw on the wire.

MPCRustcryptography

→

IPFS pipelines infra

Content-addressed delivery for agent payloads. Pin once, prove what a remote process actually loaded. CDN-independent.

libp2pGoCIDv1

→

Kontext.dev 2025–26

Co-founded. Mobile sovereign identity for autonomous agents — the “who am I and what am I allowed to do” layer. Pieces continue as vet.

KotlinAndroid KeystoreOIDC

→

Crypto wallet @ Alpaca 2022–23

Led the team that shipped Bitcoin + Solana custody and broker-dealer wallet infra on a US-regulated platform. On time, on spec, no incidents.

GoHSMbroker-dealer

→

desk

On the desk

Reading

Attestation gaps — practical limits of Play Integrity
Cryptographic agility in post-quantum mailbox protocols
Confidential computing in the open: real numbers

Writing

What an agent can prove vs what it should
Capabilities for autonomous systems
TLSN beyond exchanges

Building

vet v0.x — verifier primitive
Own mail server — running, signed, MTA-STS
This site — hand-written, cached, optimised

last update: 2026-05 auto-refresh: off

elsewhere

Reach me

Mail mac@secure.build PGP WKD GitHub @maceip MCP send a note

This page: hand-written HTML, ~22 KB gzipped, year-long immutable cache on static assets, service-worker offline, brotli + zstd over h2/h3, full-site web bundle at /bundle/secure.build.wbn.