Poison Pill

while (world) {
  observe();
  infer();
  hallucinate?();
  self-correct();
}
while (world) {
  observe();
  infer();
  hallucinate?();
  self-correct();
}
while (world) {
  observe();
  infer();
  hallucinate?();
  self-correct();
}

001101
010011
sigil::bagua
seed::entropy
trace::mechanical
awe::human
001101
010011
sigil::bagua
seed::entropy
trace::mechanical
awe::human
001101
010011
sigil::bagua
seed::entropy
trace::mechanical
awe::human

temperature=0.92
top_p=0.95
sampler=stochastic
runtime=deterministic
user=astonished
temperature=0.92
top_p=0.95
sampler=stochastic
runtime=deterministic
user=astonished
temperature=0.92
top_p=0.95
sampler=stochastic
runtime=deterministic
user=astonished

☰☱☲☳☴☵☶☷
oracle != truth
ritual == interface
meaning <- interpretation
☰☱☲☳☴☵☶☷
oracle != truth
ritual == interface
meaning <- interpretation
☰☱☲☳☴☵☶☷
oracle != truth
ritual == interface
meaning <- interpretation

diff
patch
deploy
measure
repeat
diff
patch
deploy
measure
repeat
diff
patch
deploy
measure
repeat

oracle/latent-seed.map

seed = hash(question + state);
noise = sample(temperature);
pattern = deterministic(seed, noise);
if (human_can_track === false) mark("mystic");
return explainability_gap(pattern);
seed = hash(question + state);
noise = sample(temperature);
pattern = deterministic(seed, noise);
if (human_can_track === false) mark("mystic");
return explainability_gap(pattern);

critique/anthropomorphism.md

## Not a person, still persuasive
- interface implies intention
- language implies confidence
- user infers agency
=> design for interpretability
## Not a person, still persuasive
- interface implies intention
- language implies confidence
- user infers agency
=> design for interpretability

systems/ritual-engine.ts

cast.bagua = pickTrigrams(seed);
cast.moonBlocks = deriveHexagram(seed);
cast.fortuneSticks = burnModel(intensity);
cast.scapula = generateCracks(seed);
return readable_fiction(cast);
cast.bagua = pickTrigrams(seed);
cast.moonBlocks = deriveHexagram(seed);
cast.fortuneSticks = burnModel(intensity);
cast.scapula = generateCracks(seed);
return readable_fiction(cast);

runtime/feedback-loop.json

{ "observe": true,
  "decide": constrained,
  "act": reversible,
  "measure": behavior,
  "learn": weekly }
{ "observe": true,
  "decide": constrained,
  "act": reversible,
  "measure": behavior,
  "learn": weekly }

lattice/state-space.py

def perceivable_randomness(system):
    return complexity(system) > attention_budget

if perceivable_randomness(llm):
    user.labels_output = "fate"
def perceivable_randomness(system):
    return complexity(system) > attention_budget

if perceivable_randomness(llm):
    user.labels_output = "fate"

logs/epoch-ghosts.txt

[trace] t=02:13 system murmurs
[trace] tokens fall like ash
[trace] certainty simulated
[trace] mechanism remains
[trace] human names it chance
[trace] t=02:13 system murmurs
[trace] tokens fall like ash
[trace] certainty simulated
[trace] mechanism remains
[trace] human names it chance

artifact/scapula.svg

artifact/flow-sketch.svg

← Back to projects

2026 live

A red-team text lab showing how human-visible copy can differ from machine-visible payloads via hidden channels.

Astro
TypeScript
Prompt Injection Research
Zero-Width Encoding
AI Safety UX

Problem

Teams often assume the text humans read is the same text models parse, which leaves hidden-channel injection risk under-tested.

Solution

Built an interactive composer + detector that contrasts visible copy with machine-extracted payloads across zero-width and HTML-comment channels.

Impact

Makes prompt-injection and context-poisoning mechanics concrete for product, design, and engineering teams during reviews and threat modeling.

Poison Pill is a concept project about model perception, not just model capability.

Open the live demo: Poison Pill.

Core idea

Humans evaluate visible semantics. Models can also consume hidden semantics when text includes invisible or metadata channels.

If teams only QA the visible layer, they miss part of the threat surface.

What the demo includes

Composer for human-visible text + hidden machine payload
Channel selection (zero-width, comment, hybrid)
Machine extraction preview showing what can be decoded
Detector mode to inspect suspicious text for hidden channels

Why this matters

This is a practical reminder that AI systems are parsers, not human readers. Secure AI UX has to account for what the model can parse, not only what people can see.

Demo Mirror

Live Preview

Mini preview of the actual demo. Use the launch button for full-screen interaction.

Open Demo