Crystal Exploit Design: Credential Harvest & Authentication Swap

Date: 2026-03-16 Status: Validated Applies to: Book 2, Chapters 10, 18, 20, 21 (five-beat exploit sequence)

Overview

The central exploit of Book 2 maps cybersecurity concepts (SSH key theft, credential forgery, authentication manipulation) onto Runic Flow mechanics. Phelan doesn't destroy the Mallory crystal -- he reprograms it, elevating his locksmith identity from "breaks locks" to "changes what they open."

The Exploit: Five Beats

Beat 1 -- The Drain (Combat, Ch 20)

Phelan fights Kae, gains upper hand with fire magic (Kae's vulnerability)
Kae desperately drains Phelan's life force through the crystal
Flaw Sight fires involuntarily during the drain -- a split-second flood of the crystal's internal architecture
Phelan sees: the connection log (every victim's signature paired with the crystal's own signature), the routing architecture, the authentication structure
He can't process it in combat -- raw sensory overload on top of physical agony
Leon saves him with 50 simultaneous fire spells (classic Leon brute-force). Kae flees

Beat 2 -- The Realization (Planning with Leon, post-Ch 20)

Hours later, debriefing with Leon
The noise replays the flash -- picks at details, connects fragments
Mid-conversation, Phelan realizes: the flash was data, not sensory garbage
The crystal stamps its own signature on every connection record (needs to "remember" pathways for the feedback loop)
By being drained, Phelan was inside the system -- his Flaw Sight saw the architecture from within
He now has: the crystal's private key (its internal signature), the connection log (victim list), and understanding of the authentication structure
Cybersecurity parallel: Being hacked reveals the attacker's fingerprints. The crystal took something from Phelan but gave him everything he needed to break it

Beat 3 -- The Heist (Infiltration, between Ch 20-21)

Leon tracks Kae's movements
When Kae leaves his hideout, Leon signals Phelan via sending-stone
Phelan infiltrates, breaks the ward on the hideout (the ward trusts the crystal's signature -- Phelan uses the forged signature to bypass it)
Reaches the crystal physically

Beat 4 -- The Hack (Authentication Swap, Ch 21)

Phelan uses the forged crystal signature to authenticate as a trusted internal process
The crystal accepts his commands as maintenance operations
Two changes:
1. Revokes Kae's operator credentials -- removes Kae's signature from the authorized operator field
2. Rewrites operator/target logic -- any future user who attempts to operate the crystal is classified as a target. The drain mechanism works identically, but it drains the person trying to use it and pushes energy into whoever they're pointing it at
Sustained, precise work. Phelan is vulnerable during it. Time pressure (Kae could return)
The key still turns -- it just opens a different door

Beat 5 -- The Reversal (Climax, Ch 21)

Kae tries to drain someone in the final confrontation
The crystal classifies him as the target
His own life force is pulled through the crystal
He feels exactly what his victims felt -- the cold draw, the weakness, the aging
The pain he's been running from slams back, amplified by the drain

Technical Mechanics (Runic Flow Consistency)

Rule	Application
Magic leaves traces (Rule 4)	Connection log = stored traces of every drain. Crystal's signature embedded in each record
Intent matters (Rule 5)	Crystal is keyed to "operator drains target." Phelan changes who qualifies as operator vs. target -- the intent logic does the rest
Curses are contracts (Rule 6)	The drain function is a contract: authenticate operator, drain target, deliver to operator. Phelan amends the terms, doesn't break the contract
Energy is finite (Rule 2)	The hack costs significant reserves. Recovery needed
Complexity costs more (Rule 3)	Authentication swap is simpler than destruction -- changing two fields, not dismantling architecture. This is WHY it works

Flaw Sight + Overuse Degradation

Pre-Compact artifact: functional but not security-hardened
Overuse degraded the crystal's internal signature (version drift across connection records)
Crystal's authentication is loose -- accepts signatures within a tolerance range
Phelan's forgery doesn't need to be perfect, just within the degraded tolerance window
The crystal's addiction made it LESS secure

Cybersecurity Parallel Map

Cyber Concept	Crystal Equivalent
Being hacked reveals attacker's fingerprint	Being drained reveals crystal's internals
SSH authorized_keys	Connection log of victim signatures
Server private key in logs	Crystal's signature stamped on records
Version drift	Degradation across records
Social engineering past firewall	Forged signature bypasses hideout ward
Login as admin	Crystal accepts forged signature
Revoking credentials	Removing Kae's operator auth
Changing permissions	Rewriting operator/target classification
Honeypot / reverse shell	Crystal drains anyone who operates it

Book 1 to Book 2 Growth

Aspect	Book 1 (Death Ward)	Book 2 (Crystal)
Signature acquisition	External observation (8+ passive cycles)	Internal experience (being drained)
Forgery precision	Exact match at 7 junctions	Within degraded tolerance window
Result	System destroys itself	System reprogrammed, survives but reversed
Philosophy	Destruction	Reprogramming -- locksmith identity elevated
Team role	Solo	Leon overwatch, team coordination
New element	--	Connection log as evidence (victim list)

Story Implications

Evidence: Connection log = proof of every person Kae drained. Legal/political weight for the Compact, victims' families
Thematic mirror: Crystal is as trapped as Kae -- needs the feedback loop but it's destroying itself. Phelan changes what happens next rather than destroying either
Locksmith identity: Doesn't break locks, changes what they open. Signature move, elevated
Kae's moment: The reversal forces understanding -- he can't claim ignorance after feeling what his victims felt
Future-proofing: Crystal still exists as a trap. Anyone in Book 3 who tries to use it gets the same treatment

6.4 KiB Raw Blame History