An update on Vyre, and what shipping keyhog taught us.

What Vyre is.

Vyre compiles ordinary Rust state machines into shaders that run on NVIDIA, AMD, Intel, and Apple GPUs. The same source runs on the same CPU as a reference. The output is the same bytes either way. We call that the conformance gate. Anything that passes the gate is safe to dispatch to the GPU with no behavioural difference.

Most GPU stacks force you to choose: write CUDA and lock yourself to NVIDIA, or write WGSL by hand and chase portability bugs. Vyre is the third option. Write a Rust state machine once. Compile it to CUDA, WGSL, or SPIR-V via the same compiler. The runtime picks the right driver per host. The fast path on a 4090 and the laptop integrated GPU run the same code.

Why keyhog first.

Secret scanning is a good first workload. It is bandwidth-bound, embarrassingly parallel, has a well-defined ground truth (the credential is either valid or it is not), and rewards GPU dispatch above a known throughput floor. We could compare CPU and GPU output byte-for-byte and notice if anything was wrong.

It is also a place where a Rust security tool with strong correctness guarantees has real audience overlap with developers who already care about reproducibility. The feedback loop on keyhog is shorter and louder than it would have been on a less visible first tool.

What we learned.

• The dispatch threshold matters more than the kernel. A 5x faster kernel that you only fire on 5% of files is a 0.2x speedup overall. keyhog routes per file, per backend, with a per-tier breakeven cap. RTX 50-class GPUs cross over at ~2 MiB. Most source files never reach that. The CPU SIMD path stayed the hot path for the median workload, and that is correct.
• Conformance is a discipline, not a debug step. Every Vyre primitive ships with a property test that runs the GPU and CPU paths over the same fuzzed input and asserts byte-for-byte equivalence. Anything that fails the property test never makes it into the substrate. The Vyre AC implementation passed its property gate before keyhog ever called into it.
• The fallback path is the product. If GPU init fails, keyhog must still scan correctly on the CPU. We invest as much engineering in the fallback as in the fast path. Telemetry on what the host actually selected (CPU, SIMD, GPU) ships with every binary so we can tell when a host falls back silently and why.
• Driver fragmentation is real, even with WGPU. WGPU smooths over a lot of vendor differences, but adapter naming is still a mess and tier classification matters. We classify GPUs into High / Mid / Low tiers from the adapter name string and use that to pick crossover thresholds. The table is hand-tuned and visible in hw_probe/tier.rs.
• The GPU path is not always the fast path on tiny inputs. A 2 KiB JSON file is faster on SIMD than on the GPU because the dispatch overhead dominates. The router knows this. We measured it.

What's next.

Vyre v0.5 stabilises the WGPU + CUDA backends and the conformance gate. The next milestones:

• Metal backend for Apple Silicon, no WGPU intermediary. Cuts dispatch latency on M-series significantly and unlocks the unified-memory zero-copy path.
• SPIR-V emit direct to Vulkan, skipping the WGPU compile step on Linux NVIDIA hosts when the CUDA toolkit isn't installed but Vulkan is.
• More primitives. Aho-Corasick + regex NFA are in. Next up: parallel scan, sort, segmented reductions. These come out of the libraries already vendored under vyre-libs.
• More consumers. The next Santh tools to land - Gossan, Wafrift, TrueStack - all use the same substrate. Each one ships its own conformance gate against a CPU reference.

Try the proof point.

The clearest way to see what Vyre does is to run keyhog. It is the first production tool built on the substrate and it ships today.

curl -fsSL https://raw.githubusercontent.com/santhsecurity/keyhog/main/install.sh | sh
keyhog scan .

Showcase post for the tool itself: 891 detectors, GPU-accelerated, contract-tested. Meet keyhog.

Vyre source: github.com/santhsecurity/vyre. Releases: github.com/santhsecurity/vyre/releases.