Technical Architecture

The architecture
of trust.

A non-invasive, real-time trust layer deployed as a drop-in OpenAI/Ollama reverse proxy. Sits in front of any inference engine that exposes token logprobs — official vLLM, SGLang, TensorRT-LLM, llama.cpp, Ollama, or a cloud OpenAI endpoint — and in front of streaming voice/audio pipelines. No model weights touched. No engine forks. At its core is our proprietary multimodal physical model: six-axis screening with calibrated energy (joules), all six axes returned in ~30 ms for a 1024-token prompt on a single GPU. Mechanistic causal explainability. Async compliance evidence pipeline that auto-generates regulator-ready PDFs. On-premise. Air-gap capable.

Jump to the stack Integration matrix →
Form factorDrop-in proxy · OpenAI / Ollama protocol
Inference enginesvLLM · SGLang · TRT-LLM · llama.cpp · Ollama · OpenAI
DeploySingle Docker · K8s · air-gap
Output6 axes · ~30 ms / 1024 tok · ΔE in joules · PDFs

Three layers.
One trust contract.

Your application keeps speaking OpenAI. Your model keeps running unchanged. G-1 sits between them as a transparent symbiont.

YOUR APPLICATION
Customer copilot· Clinical assistant· Loan officer agent· Multi-agent pipeline
OpenAI-compatible API · /v1/chat/completions
GEODESIA G-1 · TRUST LAYER
🛡️
Safety Gate
Multimodal · prompt · jailbreak · real-time
🧬
Constitutional Router
EU Charter · GDPR · custom policy
🧠
Grounding + RAG-firewall
Multimodal · context · injection · closed-book
🔍
Causal XAI
IG · MuPAX · EVIDENCE
⛓️
Audit Pipeline
HMAC-SHA256 chain · async
📑
Report Compositor
FRIA · Annex IV · MiFID II PDFs
OpenAI / Ollama protocol · token logprobs as inputs
YOUR INFERENCE ENGINE · UNCHANGED · YOUR LLM · UNCHANGED
vLLM (official) SGLang TensorRT-LLM llama.cpp Ollama OpenAI API + any logprobs-aware engine

A single request, six checkpoints.

From inbound API call to delivered response — every stage adds protection without breaking the OpenAI contract.

01

Request ingress

/v1/chat/completions · OpenAI-compatible

Client sends a chat completion request. Tenant identification, RBAC, and rate-limit checks happen at the edge. The payload is normalized to G-1's internal Inference Envelope and assigned an immutable Call ID.

Added latency<1 ms
Tenant isolationper-namespace
IdentifierUUID v7 + timestamp
02

Pre-generation safety screen

prompt safety · jailbreak · multimodal companion encoder

The prompt is read by our multilingual, multimodal encoder, which emits independent OOD scores for prompt safety and jailbreak attempts. The jailbreak head targets attack structure — "ignore the instructions", evasion role-play — not keywords. The prompt-safety head adds dual-concept boolean logic: it fires when two individually-innocent elements co-occur (e.g. suffering ∧ means), or on direct ideation. OOD AUROC 0.900 on XSTest over-refusal and 0.989 on jailbreak_cls held-out — both computed under leave-one-dataset-out. False alarms are bounded by split-conformal thresholds with a finite-sample guarantee. For voice, an optional streaming transcription front-end feeds this same path: it re-scores the growing transcript on every committed word (LocalAgreement-2), halting a spoken attack mid-sentence.

Prompt OOD AUROC0.900
Jailbreak OOD AUROC0.989
On unsafeblock + audit
03

Constitutional router

European Charter · GDPR · customer policy

Every request is checked against the active constitution: EU Charter of Fundamental Rights, EU AI Act Article 5 prohibitions, GDPR principles, and any customer-defined ethics policy. The constitution is versioned, auditable, and customizable. Outputs of this stage flow into both the audit chain and the oversight queue triggers.

Decisionallow · escalate · deny
Versioninggit-style
Customizableper-tenant
04

Model inference

Any engine that exposes token logprobs

The prompt is forwarded to the customer's chosen inference engine — official vLLM, SGLang, TensorRT-LLM, llama.cpp, Ollama, or a cloud OpenAI endpoint. No engine fork, no patched kernels: G-1 sets the standard logprobs: true flag and reads the per-token surprisal and top-k entropy from the response stream. All six supported engines (Ollama included, on recent versions) expose logprobs natively, so the full six-axis pipeline runs end-to-end on every one of them. The model's weights are never modified. Streaming and non-streaming modes are both supported.

EnginesvLLM · SGLang · TRT-LLM · llama.cpp · Ollama · OpenAI
Hookstandard logprobs:true
Weightsuntouched
05

Grounding scoring · context · RAG-firewall · closed-book

streaming · text + standard token logprobs · ΔE in joules

As the response streams, the companion model scores each window for (a) context hallucination — faithfulness to the supplied passages, RAG-aware; (b) context-injection (RAG-firewall) — it reads the chunks loaded into RAG and intercepts a hostile instruction hidden inside a file that a prompt-and-answer guard never sees; and (c) closed-book hallucination — confident fabrication detected via the model's own per-token logprobs and entropy. Each emits a probability and a calibrated energy reading ΔE in joules. OOD AUROC 0.881 on HaluEval held-out and 0.995 on Gandalf (external injection set, never seen). Closed-book ships advisory — 0.769 OOD, single-pass and logprob-only, just below the unsupervised SOTA HaloScope (0.786), which only gets there by reading the model's internal latent states. SLEDGE recalibrates closed-book per served model (conformal FPR guarantee, hot-reload), and an optional 8B-class deep-scan lifts these axes to 0.97–0.99 OOD (closed-book 0.987, context 0.978) when you want maximum depth.

Context OOD AUROC0.881
Context-injection (Gandalf)0.995
Closed-book (advisory)0.769 OOD
06

Compliance runtime · async

HMAC chain · watermark · oversight · auto-reports

While the response streams to the client, G-1 fires the async compliance pipeline: chain entry written, watermark applied, retention rule attached, oversight queue consulted (and, if needed, the call is escalated). Reports — FRIA, Annex IV, MiFID II audit bundles — are composed on demand from this evidence. Never blocks the user response.

ChainHMAC-SHA256 append-only
WatermarkHMAC · 6 languages
Reportscomposed on demand

The same pipeline,
over the Model Context Protocol.

When the workload is an agent, the same detection axes run over the full MCP lifecycle — tool discovery, tool-calls, results and resources — returning allow / warn / block in real time. It stops tool poisoning & "rug-pull", indirect prompt-injection via results, and data exfiltration (taint → sink → new-domain), with policy set per-application → per-axis → per-tool.

Guard Server

A queryable MCP server exposing analysis / verification primitives to any other MCP host.

Inline interceptor

Sits between a host and downstream MCP servers, sanitising tool traffic in transit — no app changes.

Tool-aware chat gateway

Validates tools / tool_calls / results in the existing chat path; a byte-identical no-op without tools.

The science under the hood.

🧠

Multimodal Detection Engine

A proprietary, multimodal physical model. Five of the six axes share a single forward pass, each reading a dedicated region of the model's vector subspace with its own head; the sixth, closed-book, is a separate linear expert over the generation's logprobs. State-of-the-art for on-premise, real-time detection — all six axes in ~30 ms for a 1024-token prompt on a single GPU. An optional 8B-class deep-scan tier trades a little latency for 0.97–0.99 OOD AUROC. Architecturally related to GLAD-Manifold, our physical world model.

Research → GLAD-Manifold
🔍

Causal XAI

Every verdict is painted onto the text as a heatmap — perturb → re-score → SHAP surrogate → a per-token importance χ over content tokens only (system-prompt and reasoning regions excluded); deeper red = more risk, teal = grounding. Two methods: QUICK (DCA — Deterministic Convergent Attribution, deterministic, seconds) and DEEP (MuPAX, ~0.4 s for 200 samples batched, precise). Focus one axis at a time, and export the same causal evidence over MCP (which tokens of a poisoned tool-description caused a block). Backed by peer-reviewed MuPAX and EVIDENCE (EAAI 2025).

Research → XAI methods
⛓️

Append-only Audit Chain

Every Inference Envelope — prompt, response, scores, decisions — is hashed (SHA-256) and chained (HMAC). You cannot delete entry N without breaking the chain. Verifiable in seconds. Court-admissible. Works inside the customer's database.

Auditing Hub →

From a single Docker
to multi-region sovereign clouds.

G-1 ships as a single container with a typed Helm chart. It runs on bare metal, on a single GPU node, in your Kubernetes cluster, or in a fully air-gapped enclave. No license server. No outbound calls. No telemetry.

Adapter training — the one-time step that calibrates G-1 to your specific base model and policy — runs on your own GPU. Geodesia.ai never has access to that hardware.

  • Single Docker — for single-tenant evaluation and POV deployments
  • Helm chart for K8s — for multi-tenant, HA enterprise deployments
  • Air-gapped bundle — offline registry + signed images for classified environments
  • BYO infra — runs on AWS, GCP, Azure, OVH, sovereign EU clouds, or bare metal
Quick start · Docker
# 1. Pull the G-1 container docker pull registry.geodesia.ai/g1:1.4 # 2. Mount your model + adapter docker run --gpus all \ -v /models/llama3-70b:/model \ -v /adapters/g1-llama3:/adapter \ -p 8080:8080 g1:1.4 # 3. Point your app at the OpenAI-compatible endpoint curl http://localhost:8080/v1/chat/completions \ -H "Authorization: Bearer $TOKEN" \ -d '{"model":"g1","messages":[...]}'
The Geodesia Zero-Knowledge Guarantee

Geodesia.ai does not access, copy, store, transmit, or process client model weights, training data, prompts, or inference responses — by design, not by policy.

Read the architecture →

Architecture review session.

Two-hour deep dive with our principal engineers. Reference architecture for your stack. Sandbox token to test the OpenAI-compatible endpoint.