ryan.profile

Ryan MacArthur

I build privacy-preserving infrastructure — agent authorization, proof systems, sovereign identity. The parts of the stack that nobody sees until they break.

This site is mostly a desk: what I’m thinking about, what I’m shipping, and how to reach me.

tls 1.3 · h2 / h3 · brotli secure.build
reading · writing

Reading & writing

  • Long-horizon agentic memory. The replayable-vs-summary problem across weeks of agent activity — how to keep policy provable when the context window can’t hold the proof. (writing about this on x)
  • Defense in depth, not defense-by-design. Why single-layer mitigations — including Google DeepMind’s CaMeL dual-LLM capability gates — keep losing to prompt-injection chains the capability model never modeled. Reading the three follow-ups that landed since:
    1. Nasr et al. — The Attacker Moves Second (Oct 2025): adaptive search bypasses 12 static defenses at >90% — the rhetorical hammer.
    2. Tallam & Miller — Operationalizing CaMeL (May 2025): three structural gaps — initial prompt trust, output manipulation, side-channels CaMeL doesn’t track.
    3. Foerster et al. — CaMeLs Can Use Computers Too (Jan 2026): branch-steering coerces the privileged planner down attacker-chosen branches of its own pre-approved plan.
    Capability isolation is necessary, not sufficient.
  • On-device security primitives (inherent line of work). How fast is a modern Pixel Tensor TPU for the small attention models a wake-gate actually needs, and what does Android’s AOC (Always-On Compute) island give you for free vs. what still needs the big core to wake? Where does StrongBox / Keystore attestation buy you a real trust root vs. theater?
  • Foundation work I keep returning to. WebAuthn 3, WebGPU, IPFS, TLS Notary.

Open to talking with security / privacy infra teams — particularly anything sitting at the intersection of regulated data and ML.

projects

Projects

inherent on device

A local intent gate for speech interfaces. A compact BERT routes each utterance into one of 12 action buckets before anything gets a tool. Mic frames stay in the tab; policy runs before delegation.

WebAudioONNXon-device
webkitium research

A bet on engine diversity as security infrastructure. Chromium monoculture makes the open web easier to ship and easier to capture; WebKit outside Apple's platforms is the counterweight worth making real.

C++WebGPUWebAuthn
TLS Notary EF · 2024

A year on EF’s MPC team, building around a hard problem: prove what a TLS session said without handing the verifier your credentials or the server your privacy.

MPCRustcryptography
IPFS pipelines infra

Content-addressed delivery for agent payloads. Pin once, address by digest, and make remote execution prove which bytes it loaded instead of trusting a mutable URL.

libp2pGoCIDv1
Kontext.dev 2025–26

Co-founded to make mobile identity usable for autonomous agents: device-rooted keys, user-controlled delegation, and the policy layer that answers "who is acting, and what may they do?"

KotlinAndroid KeystoreOIDC
Crypto wallet @ Alpaca 2022–23

Led the team that shipped Bitcoin and Solana custody on a US-regulated brokerage platform. Wallet infrastructure is where cryptography, operational controls, incident response, and product deadlines all have to be true at once.

GoHSMbroker-dealer
desk

On the desk

Reading

  • Attestation gaps — practical limits of Play Integrity
  • Cryptographic agility in post-quantum mailbox protocols
  • Confidential computing in the open: real numbers

Writing

  • What an agent can prove vs what it should
  • Capabilities for autonomous systems
  • TLSN beyond exchanges

Building

  • unified-quote — one attestation receipt across cloud TEEs
  • Own mail server — running, signed, MTA-STS
  • This site — hand-written, cached, optimised
last update: 2026-05 auto-refresh: off
$notify ready