Lawrence Huibuilds AI · writes in public
Get in touch
01Home02Projects03Writings04About05Resume07Email
01AI defenseCase-study ready

Norse3

A real-time defense layer for AI-powered support. It moderates every message in the live path, enforces policy inline, and gives operators a console to investigate incidents.

← Back to projects

Norse3 is an AI defense layer that sits in the live message path for support and chat. It makes a policy decision on every message, writes privileged moderation actions under a verifiable identity, logs incidents, and gives human operators a review surface.

P
System proof

Middleware proof

Norse3 was not just a moderation model hanging off the side of a helpdesk. The repos already show the production boundary: a hosted Aurora widget feeding customer traffic into Bifrost, Aegis moderating before messages land in Lettr, signed privileged system messages for authoritative moderation notes, HMAC-verified webhooks for agent replies, and an operator layer for incidents and investigation.

Live path
Aurora widget → Bifrost gateway → Aegis moderation → Lettr ticketing → human agent reply
Privileged identity
Ed25519-signed `kind:'system'` writes let Lettr verify authoritative moderation notes without trusting a session token alone
Inbound trust
Lettr webhooks are verified with per-enterprise HMAC signing secrets before outbound agent replies are relayed
Moderation behavior
Sanitized historical context, actor-aware handling, and fail-closed translation of ambiguous Aegis responses
Operator surface
Incident logging and review infrastructure make the gateway observable instead of a black-box filter
01
Norse3

Problem

Customer-facing AI systems need more than classification. They need an enforcement point inside a live workflow, enough context to make a decision, and enough visibility for humans to review what happened afterward.

Norse3 was built to sit directly in the message path for support and chat workflows, handling both inbound and outbound traffic.

02
Norse3

Architecture

The stack used three layers: Aegis as the decision engine, Bifrost as the inline gateway and enforcement point, and Heimdall as the operator console. That separation kept the system legible and made it easier to reason about trust boundaries, message ownership, and failure modes.

  • /Layered detection rather than a single LLM decision
  • /Actor-aware moderation for user, human-agent, and AI-agent messages
  • /Sanitized conversation context before moderation
  • /Incident logging, webhook verification, and operator investigation surfaces
03
Norse3

What the repo already proves

The current code makes the system boundary concrete. Bifrost moderates customer traffic before it reaches Lettr, verifies inbound Lettr webhooks with per-enterprise HMAC secrets, and signs privileged moderation notes with an Ed25519 key so Lettr can distinguish authoritative gateway messages from ordinary session traffic.

The policy layer also shows the right production instincts: historical message context is sanitized before moderation, and uncertain Aegis outcomes such as `error` or `rewrite` are translated into explicit blocks rather than optimistic fall-through.

04
Norse3

What I learned

The biggest lesson: the defense layer around the model matters as much as the model itself. Policy, permissions, logs, review, and escalation are what make it safe to run in production.