# Crystal Exploit Design: Credential Harvest & Authentication Swap

**Date:** 2026-03-16
**Status:** Validated
**Applies to:** Book 2, Chapters 10, 18, 20, 21 (five-beat exploit sequence)

---

## Overview

The central exploit of Book 2 maps cybersecurity concepts (SSH key theft, credential forgery, authentication manipulation) onto Runic Flow mechanics. Phelan doesn't destroy the Mallory crystal -- he reprograms it, elevating his locksmith identity from "breaks locks" to "changes what they open."

---

## The Exploit: Five Beats

### Beat 1 -- The Drain (Combat, Ch 20)

- Phelan fights Kae, gains upper hand with fire magic (Kae's vulnerability)
- Kae desperately drains Phelan's life force through the crystal
- Flaw Sight fires **involuntarily** during the drain -- a split-second flood of the crystal's internal architecture
- Phelan sees: the connection log (every victim's signature paired with the crystal's own signature), the routing architecture, the authentication structure
- He can't process it in combat -- raw sensory overload on top of physical agony
- **Leon saves him** with 50 simultaneous fire spells (classic Leon brute-force). Kae flees

### Beat 2 -- The Realization (Planning with Leon, post-Ch 20)

- Hours later, debriefing with Leon
- The noise replays the flash -- picks at details, connects fragments
- Mid-conversation, Phelan realizes: the flash was **data**, not sensory garbage
- The crystal stamps its own signature on every connection record (needs to "remember" pathways for the feedback loop)
- By being drained, Phelan was **inside** the system -- his Flaw Sight saw the architecture from within
- He now has: the crystal's private key (its internal signature), the connection log (victim list), and understanding of the authentication structure
- **Cybersecurity parallel:** Being hacked reveals the attacker's fingerprints. The crystal took something from Phelan but gave him everything he needed to break it

### Beat 3 -- The Heist (Infiltration, between Ch 20-21)

- Leon tracks Kae's movements
- When Kae leaves his hideout, Leon signals Phelan via sending-stone
- Phelan infiltrates, breaks the ward on the hideout (the ward trusts the crystal's signature -- Phelan uses the forged signature to bypass it)
- Reaches the crystal physically

### Beat 4 -- The Hack (Authentication Swap, Ch 21)

- Phelan uses the forged crystal signature to authenticate as a trusted internal process
- The crystal accepts his commands as maintenance operations
- **Two changes:**
  1. **Revokes Kae's operator credentials** -- removes Kae's signature from the authorized operator field
  2. **Rewrites operator/target logic** -- any future user who attempts to operate the crystal is classified as a *target*. The drain mechanism works identically, but it drains the person trying to use it and pushes energy into whoever they're pointing it at
- Sustained, precise work. Phelan is vulnerable during it. Time pressure (Kae could return)
- **The key still turns -- it just opens a different door**

### Beat 5 -- The Reversal (Climax, Ch 21)

- Kae tries to drain someone in the final confrontation
- The crystal classifies him as the target
- His own life force is pulled through the crystal
- He feels exactly what his victims felt -- the cold draw, the weakness, the aging
- The pain he's been running from slams back, amplified by the drain

---

## Technical Mechanics (Runic Flow Consistency)

| Rule | Application |
|---|---|
| **Magic leaves traces** (Rule 4) | Connection log = stored traces of every drain. Crystal's signature embedded in each record |
| **Intent matters** (Rule 5) | Crystal is keyed to "operator drains target." Phelan changes who qualifies as operator vs. target -- the intent logic does the rest |
| **Curses are contracts** (Rule 6) | The drain function is a contract: authenticate operator, drain target, deliver to operator. Phelan amends the terms, doesn't break the contract |
| **Energy is finite** (Rule 2) | The hack costs significant reserves. Recovery needed |
| **Complexity costs more** (Rule 3) | Authentication swap is simpler than destruction -- changing two fields, not dismantling architecture. This is WHY it works |

### Flaw Sight + Overuse Degradation

- Pre-Compact artifact: functional but not security-hardened
- Overuse degraded the crystal's internal signature (version drift across connection records)
- Crystal's authentication is loose -- accepts signatures within a tolerance range
- Phelan's forgery doesn't need to be perfect, just within the degraded tolerance window
- The crystal's addiction made it LESS secure

---

## Cybersecurity Parallel Map

| Cyber Concept | Crystal Equivalent |
|---|---|
| Being hacked reveals attacker's fingerprint | Being drained reveals crystal's internals |
| SSH authorized_keys | Connection log of victim signatures |
| Server private key in logs | Crystal's signature stamped on records |
| Version drift | Degradation across records |
| Social engineering past firewall | Forged signature bypasses hideout ward |
| Login as admin | Crystal accepts forged signature |
| Revoking credentials | Removing Kae's operator auth |
| Changing permissions | Rewriting operator/target classification |
| Honeypot / reverse shell | Crystal drains anyone who operates it |

---

## Book 1 to Book 2 Growth

| Aspect | Book 1 (Death Ward) | Book 2 (Crystal) |
|---|---|---|
| **Signature acquisition** | External observation (8+ passive cycles) | Internal experience (being drained) |
| **Forgery precision** | Exact match at 7 junctions | Within degraded tolerance window |
| **Result** | System destroys itself | System reprogrammed, survives but reversed |
| **Philosophy** | Destruction | Reprogramming -- locksmith identity elevated |
| **Team role** | Solo | Leon overwatch, team coordination |
| **New element** | -- | Connection log as evidence (victim list) |

---

## Story Implications

1. **Evidence:** Connection log = proof of every person Kae drained. Legal/political weight for the Compact, victims' families
2. **Thematic mirror:** Crystal is as trapped as Kae -- needs the feedback loop but it's destroying itself. Phelan changes what happens next rather than destroying either
3. **Locksmith identity:** Doesn't break locks, changes what they open. Signature move, elevated
4. **Kae's moment:** The reversal forces understanding -- he can't claim ignorance after feeling what his victims felt
5. **Future-proofing:** Crystal still exists as a trap. Anyone in Book 3 who tries to use it gets the same treatment