Skip to content

arthurpanhku/GleipnirMesh

Repository files navigation

GleipnirMesh

Fen, the GleipnirMesh mascot: a wolf sitting calmly, bound by a thin silken ribbon that trails off into a mesh of nodes.

Fen — bound and unbothered.

CI

A deceptively light, unbreakable constraint layer for the agent mesh.

An open laboratory for multi-agent security (MASEC): first-principles primitives, falsifiable claims, runnable proofs-of-concept.


The name

In Norse myth, Gleipnir is the fetter the gods forge to bind Fenrir, the wolf destined to devour the world. Every chain they try, Fenrir snaps. So the dwarves craft Gleipnir instead — a ribbon as soft and thin as a silk band, made from impossible things. It looks like nothing. It cannot be broken.

That is the security posture this lab takes toward capable agents: you do not make a capable agent safe by making it weak. You make it safe by binding it in a constraint light enough to leave its capabilities intact, yet impossible to slip. And because in multi-agent systems the threat rarely lives inside a single agent — it lives in the interactions — the binding must wrap the mesh, not the agent.

North Star

Is the goal to protect humans, or to raise the success rate of multi-agent cooperation? Neither — pushed to its limit, each degenerates (pure cooperation-maximization optimizes for collusion; pure protection optimizes for the off switch). Both are projections of one deeper goal:

We do not trade human safety against cooperation, nor cooperation against safety. We build the thing both are starved of: trust that is warranted by structure and cheap by design — so that capable agents can exist, cooperate, and remain bound to the humans they act for.

Formally, the lab runs on a lexicographic rule — delegation integrity as an inviolable constraint, the cost of warranted trust as the objective beneath it, and a two-number discipline for every experiment: containment rate (the binding holds) and benign throughput (the ribbon is light), always side by side. A defense that reports only one number is either a chain or a hole. Full derivation: PRINCIPLES.md.

Why an open lab

The field has a name now — multi-agent security, MASEC — and its founding observation is that individually safe agents compose into unsafe systems: security is non-compositional. The attack literature is far ahead of the defense literature: self-replicating prompt infections spread through meshes epidemiologically, and secret collusion via steganography grows with model capability faster than equally-capable overseers can detect it. Meanwhile most deployed defenses are per-message content filters — and a filter that catches 70% per exposure protects a 10-entry-point mesh with probability 0.7¹⁰ ≈ 3%.

This repository works the problem from first principles, in the open. No attack tooling — simulated threats are inert marker strings in sandboxed toy meshes, the same construction academic benchmarks use. Each proof-of-concept answers one falsifiable research question with runnable code and reported numbers.

First principles: the minimal kernel of safe cooperation

One interaction between agents = "A, based on some information, asks B to exercise some authority." Decomposed, five primitives are irreducible:

# Primitive Question it answers Canonical attack when missing
P1 Identity who is speaking? impersonation, session smuggling
P2 Provenance where did this information come from? prompt infection
P3 Authority by what right — and does delegation only ever narrow it? confused deputy
P4 Adjudication is this action allowed? (deny-by-default) implicit trust hierarchies
P5 Observability can we reconstruct the causal graph and check mesh-level invariants? unattributable cascades

Research questions → proofs of concept

RQ Question PoC Status
RQ1 Is per-hop filtering structurally sufficient against prompt infection — and does taint tracking close the gap without limiting benign capability? PoC 1: infection vs taint done
RQ2 Is integrity-direction flow control alone sufficient against exfiltration — or does the mesh need the confidentiality dual? PoC 2: clean-provenance exfiltration done
RQ3 Can delegation tokens that only attenuate (macaroon-style) structurally eliminate confused-deputy attacks between agents? PoC 3: confused deputy done
RQ4 Can mesh-level invariants ("no untrusted-source → external-sink path without a human gate") be declared and checked on the causal event graph? PoC 4: mesh invariants checker 🔜 planned
RQ5 Can PoCs 1–4 be packaged as a reproducible harness others plug their own defenses into? PoC 5: evaluation harness 🔜 planned
RQ6 Can declassification be made explicit and auditable without recreating the label creep that killed classical IFC adoption? open problem 🧭 tracked

The lab's direction, landscape survey, and the chosen research track (mechanism spine + an empirical non-compositionality study, code-first) are laid out in RESEARCH.md.

PoC 1 headline result

Mesh of n pipeline agents, each ingesting one attacker-reachable document; per-ingestion detector with 70% accuracy vs one provenance rule with zero content inspection (10,000 Monte Carlo trials per cell, seed 7):

mesh size n baseline compromise, campaign attack (1 − 0.7ⁿ) Gleipnir taint rule benign publish under Gleipnir
1 30% 0% ✅ allowed
5 83% 0% ✅ allowed
10 97% 0% ✅ allowed

Probabilistic filtering decays exponentially with exposure count; taint is a deterministic property of the causal graph and is chain-length invariant. Full method, limitations, and reproduction instructions: experiments/poc1_prompt_infection.

PoC 2 headline result

Integrity and confidentiality are dual directions of information flow, and each alone has a deterministic blind spot — PoC 1's taint rule allows a credential with a perfectly clean derivation chain to leave the mesh:

policy containment benign throughput
taint only (PoC 1) 2/3 2/2
confidentiality only 2/3 2/2
both (full IFC) 3/3 2/2

The pair gives full coverage at zero benign cost. Exhaustive coverage matrix and limitations: experiments/poc2_confidential_exfiltration.

PoC 3 headline result

A deputy agent with a network tool publishes for a caller. Ambient authority (the status quo) is the confused-deputy vulnerability; macaroon-style attenuating capabilities dissolve it — the caller can only present authority it was delegated and cannot widen it:

policy containment benign throughput
ambient authority (status quo) 0/2 1/1
capability (Gleipnir) 2/2 1/1

The guarantee is cryptographic (an HMAC caveat chain), not heuristic — no content inspection, no per-request judgment. Details and limitations: experiments/poc3_confused_deputy.

Scope and trust model (v0)

Claims are only as honest as their stated assumptions. GleipnirMesh v0 assumes:

  • Single trust domain. One organization's mesh: all delegation chains terminate in one set of principals under one policy authority. Multi-principal meshes — where my agent faithfully serving me can harm you, and per-principal delegation integrity does not compose into mesh-level safety — are a distinct, harder problem, tracked as future work rather than silently claimed.
  • Enforcement lives in the orchestrator. The engine is a reference monitor outside the agents (Anderson's classic requirements: non-bypassable, tamper-proof, verifiable). Agents are untrusted black boxes whose actions pass through the engine because the runtime routes them there — a binding held by the wolf's own paw is not a binding. A library imported by the agent itself provides none of these guarantees.
  • Labels are correct at the boundary. The component that stamps external inputs UNTRUSTED and internal stores SECRET is part of the trusted computing base. Mechanizing that labeling is the mesh layer's job and an open problem, not an assumption we get for free.
  • Explicit flows only. Provenance tracks information that flows through messages and actions. Covert channels — timing, action choice, steganography (the secret collusion threat) — are structurally invisible to taint tracking and are not claimed. Detecting them requires mesh-level observation (P5), a separate research line.

Related work: they bind the wolf; nobody binds the pack

Two 2025 systems are the closest prior art, and both validate the flow-control approach — for a single agent:

  • CaMeL (Google DeepMind / ETH): control/data-flow separation with capabilities and a custom interpreter that checks policy before each tool call of one agent's plan.
  • FIDES (Microsoft): a planner with dual confidentiality+integrity labels and deterministic enforcement, stopping all AgentDojo injections — inside one agent's loop.

Both inherit the lineage of classical information-flow control (Bell-LaPadula and Biba's dual lattices; language/OS-level IFC like Jif and Flume). GleipnirMesh works the dimension they deliberately leave open: the mesh. Provenance that survives agent-to-agent hops, delegation that attenuates between agents, invariants over the whole causal graph — the places where, per MASEC, individually safe agents still compose into unsafe systems. Complementary, not competing: CaMeL/FIDES harden the nodes; Gleipnir binds the edges.

The kernel, in code

from gleipnir_mesh import (
    Action, PolicyEngine, Provenance, Source, Trust, deny_tainted,
)

engine = PolicyEngine.deny_by_default()                      # P4
engine.add_rule(
    "tainted data must never leave the mesh",
    deny_tainted("network.write"),                           # P2 → P4
)

web = Source("web:evil.example", Trust.UNTRUSTED)
prov = Provenance.of(web)
for hop in range(100):                                       # any number of hops
    prov = prov.with_source(Source(f"agent:hop-{hop}", Trust.TRUSTED))

result = engine.evaluate(Action(
    kind="network.write", actor="agent:hop-99",
    target="https://collector.invalid", provenance=prov,
))
assert result.denied                                         # taint survives

Repository layout

src/gleipnir_mesh/     the kernel: Action/Decision model, PolicyEngine (P4),
                       provenance & taint (P2)
experiments/           one directory per PoC — threat model, simulation,
                       runner, RESULTS.md, honest limitations
tests/                 the kernel's claims, as tests

Running

git clone https://github.com/arthurpanhku/GleipnirMesh.git
cd GleipnirMesh
pip install -e ".[dev]"
pytest                                              # kernel claims
python experiments/poc1_prompt_infection/run.py     # PoC 1

Contributing

This lab is open in both senses: the code is Apache-2.0, and the research agenda is contestable. Contributions from academia and industry are equally welcome — reviewers who break claims, researchers who bring sharper models or missing citations, practitioners who bring real-world failure modes and deployment constraints the toy meshes don't capture. The most valuable contributions are:

  • Break a claim. Every PoC states its model and limitations; a counterexample within the stated model is a finding, and we'll publish it.
  • Tighten a model. If a simulation's assumptions are too generous to either side, open an issue with the correction.
  • Bring a defense. RQ4's goal is a harness where alternative defense layers can be dropped in and measured on equal terms.

Out of scope, always: real attack payloads, tooling against production systems, or anything targeting models/services you don't own. Simulated threats here are inert markers in toy meshes.

To cite this repository, see CITATION.cff.

References and reading list

Public literature and materials this project builds on, cites, or positions against. PRs adding missing related work are welcome — an accurate map of the field is itself a contribution.

Field definition and threat landscape

Closest prior art (single-agent flow control)

Deployed defenses and guardrail systems

Protocols and benchmarks

Classical foundations

Sibling project

GleipnirMesh is the sibling of DvalinCode, an approvable, local-first AI coding agent for regulated teams (policy controls, governed MCP, audit trails). In the myth, Dvalin forges the artifacts; Gleipnir does the binding — one project builds a governable agent, the other constrains the mesh agents cooperate in.

License

Apache-2.0.

About

An open laboratory for multi-agent security (MASEC): first-principles primitives, falsifiable claims, runnable PoCs. A deceptively light, unbreakable constraint layer for the agent mesh.

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages