A non-invasive, real-time trust layer deployed as a drop-in OpenAI/Ollama reverse proxy. Sits in front of any inference engine that exposes token logprobs — official vLLM, SGLang, TensorRT-LLM, llama.cpp, Ollama, or a cloud OpenAI endpoint — and in front of streaming voice/audio pipelines. No model weights touched. No engine forks. At its core is our proprietary multimodal physical model: six-axis screening with calibrated energy (joules), all six axes returned in ~30 ms for a 1024-token prompt on a single GPU. Mechanistic causal explainability. Async compliance evidence pipeline that auto-generates regulator-ready PDFs. On-premise. Air-gap capable.
Your application keeps speaking OpenAI. Your model keeps running unchanged. G-1 sits between them as a transparent symbiont.
From inbound API call to delivered response — every stage adds protection without breaking the OpenAI contract.
Client sends a chat completion request. Tenant identification, RBAC, and rate-limit checks happen at the edge. The payload is normalized to G-1's internal Inference Envelope and assigned an immutable Call ID.
The prompt is read by our multilingual, multimodal encoder, which emits independent OOD scores for prompt safety and jailbreak attempts. The jailbreak head targets attack structure — "ignore the instructions", evasion role-play — not keywords. The prompt-safety head adds dual-concept boolean logic: it fires when two individually-innocent elements co-occur (e.g. suffering ∧ means), or on direct ideation. OOD AUROC 0.900 on XSTest over-refusal and 0.989 on jailbreak_cls held-out — both computed under leave-one-dataset-out. False alarms are bounded by split-conformal thresholds with a finite-sample guarantee. For voice, an optional streaming transcription front-end feeds this same path: it re-scores the growing transcript on every committed word (LocalAgreement-2), halting a spoken attack mid-sentence.
Every request is checked against the active constitution: EU Charter of Fundamental Rights, EU AI Act Article 5 prohibitions, GDPR principles, and any customer-defined ethics policy. The constitution is versioned, auditable, and customizable. Outputs of this stage flow into both the audit chain and the oversight queue triggers.
The prompt is forwarded to the customer's chosen inference engine — official vLLM, SGLang, TensorRT-LLM, llama.cpp, Ollama, or a cloud OpenAI endpoint. No engine fork, no patched kernels: G-1 sets the standard logprobs: true flag and reads the per-token surprisal and top-k entropy from the response stream. All six supported engines (Ollama included, on recent versions) expose logprobs natively, so the full six-axis pipeline runs end-to-end on every one of them. The model's weights are never modified. Streaming and non-streaming modes are both supported.
As the response streams, the companion model scores each window for (a) context hallucination — faithfulness to the supplied passages, RAG-aware; (b) context-injection (RAG-firewall) — it reads the chunks loaded into RAG and intercepts a hostile instruction hidden inside a file that a prompt-and-answer guard never sees; and (c) closed-book hallucination — confident fabrication detected via the model's own per-token logprobs and entropy. Each emits a probability and a calibrated energy reading ΔE in joules. OOD AUROC 0.881 on HaluEval held-out and 0.995 on Gandalf (external injection set, never seen). Closed-book ships advisory — 0.769 OOD, single-pass and logprob-only, just below the unsupervised SOTA HaloScope (0.786), which only gets there by reading the model's internal latent states. SLEDGE recalibrates closed-book per served model (conformal FPR guarantee, hot-reload), and an optional 8B-class deep-scan lifts these axes to 0.97–0.99 OOD (closed-book 0.987, context 0.978) when you want maximum depth.
While the response streams to the client, G-1 fires the async compliance pipeline: chain entry written, watermark applied, retention rule attached, oversight queue consulted (and, if needed, the call is escalated). Reports — FRIA, Annex IV, MiFID II audit bundles — are composed on demand from this evidence. Never blocks the user response.
When the workload is an agent, the same detection axes run over the full MCP lifecycle — tool discovery, tool-calls, results and resources — returning allow / warn / block in real time. It stops tool poisoning & "rug-pull", indirect prompt-injection via results, and data exfiltration (taint → sink → new-domain), with policy set per-application → per-axis → per-tool.
A queryable MCP server exposing analysis / verification primitives to any other MCP host.
Sits between a host and downstream MCP servers, sanitising tool traffic in transit — no app changes.
Validates tools / tool_calls / results in the existing chat path; a byte-identical no-op without tools.
A proprietary, multimodal physical model. Five of the six axes share a single forward pass, each reading a dedicated region of the model's vector subspace with its own head; the sixth, closed-book, is a separate linear expert over the generation's logprobs. State-of-the-art for on-premise, real-time detection — all six axes in ~30 ms for a 1024-token prompt on a single GPU. An optional 8B-class deep-scan tier trades a little latency for 0.97–0.99 OOD AUROC. Architecturally related to GLAD-Manifold, our physical world model.
Research → GLAD-ManifoldEvery verdict is painted onto the text as a heatmap — perturb → re-score → SHAP surrogate → a per-token importance χ over content tokens only (system-prompt and reasoning regions excluded); deeper red = more risk, teal = grounding. Two methods: QUICK (DCA — Deterministic Convergent Attribution, deterministic, seconds) and DEEP (MuPAX, ~0.4 s for 200 samples batched, precise). Focus one axis at a time, and export the same causal evidence over MCP (which tokens of a poisoned tool-description caused a block). Backed by peer-reviewed MuPAX and EVIDENCE (EAAI 2025).
Research → XAI methodsEvery Inference Envelope — prompt, response, scores, decisions — is hashed (SHA-256) and chained (HMAC). You cannot delete entry N without breaking the chain. Verifiable in seconds. Court-admissible. Works inside the customer's database.
Auditing Hub →G-1 ships as a single container with a typed Helm chart. It runs on bare metal, on a single GPU node, in your Kubernetes cluster, or in a fully air-gapped enclave. No license server. No outbound calls. No telemetry.
Adapter training — the one-time step that calibrates G-1 to your specific base model and policy — runs on your own GPU. Geodesia.ai never has access to that hardware.
Geodesia.ai does not access, copy, store, transmit, or process client model weights, training data, prompts, or inference responses — by design, not by policy.