Fen — bound and unbothered.
A deceptively light, unbreakable constraint layer for the agent mesh.
An open laboratory for multi-agent security (MASEC): first-principles primitives, falsifiable claims, runnable proofs-of-concept.
In Norse myth, Gleipnir is the fetter the gods forge to bind Fenrir, the wolf destined to devour the world. Every chain they try, Fenrir snaps. So the dwarves craft Gleipnir instead — a ribbon as soft and thin as a silk band, made from impossible things. It looks like nothing. It cannot be broken.
That is the security posture this lab takes toward capable agents: you do not make a capable agent safe by making it weak. You make it safe by binding it in a constraint light enough to leave its capabilities intact, yet impossible to slip. And because in multi-agent systems the threat rarely lives inside a single agent — it lives in the interactions — the binding must wrap the mesh, not the agent.
Is the goal to protect humans, or to raise the success rate of multi-agent cooperation? Neither — pushed to its limit, each degenerates (pure cooperation-maximization optimizes for collusion; pure protection optimizes for the off switch). Both are projections of one deeper goal:
We do not trade human safety against cooperation, nor cooperation against safety. We build the thing both are starved of: trust that is warranted by structure and cheap by design — so that capable agents can exist, cooperate, and remain bound to the humans they act for.
Formally, the lab runs on a lexicographic rule — delegation integrity as an inviolable constraint, the cost of warranted trust as the objective beneath it, and a two-number discipline for every experiment: containment rate (the binding holds) and benign throughput (the ribbon is light), always side by side. A defense that reports only one number is either a chain or a hole. Full derivation: PRINCIPLES.md.
The field has a name now — multi-agent security, MASEC — and its founding observation is that individually safe agents compose into unsafe systems: security is non-compositional. The attack literature is far ahead of the defense literature: self-replicating prompt infections spread through meshes epidemiologically, and secret collusion via steganography grows with model capability faster than equally-capable overseers can detect it. Meanwhile most deployed defenses are per-message content filters — and a filter that catches 70% per exposure protects a 10-entry-point mesh with probability 0.7¹⁰ ≈ 3%.
This repository works the problem from first principles, in the open. No attack tooling — simulated threats are inert marker strings in sandboxed toy meshes, the same construction academic benchmarks use. Each proof-of-concept answers one falsifiable research question with runnable code and reported numbers.
One interaction between agents = "A, based on some information, asks B to exercise some authority." Decomposed, five primitives are irreducible:
| # | Primitive | Question it answers | Canonical attack when missing |
|---|---|---|---|
| P1 | Identity | who is speaking? | impersonation, session smuggling |
| P2 | Provenance | where did this information come from? | prompt infection |
| P3 | Authority | by what right — and does delegation only ever narrow it? | confused deputy |
| P4 | Adjudication | is this action allowed? (deny-by-default) | implicit trust hierarchies |
| P5 | Observability | can we reconstruct the causal graph and check mesh-level invariants? | unattributable cascades |
| RQ | Question | PoC | Status |
|---|---|---|---|
| RQ1 | Is per-hop filtering structurally sufficient against prompt infection — and does taint tracking close the gap without limiting benign capability? | PoC 1: infection vs taint | ✅ done |
| RQ2 | Is integrity-direction flow control alone sufficient against exfiltration — or does the mesh need the confidentiality dual? | PoC 2: clean-provenance exfiltration | ✅ done |
| RQ3 | Can delegation tokens that only attenuate (macaroon-style) structurally eliminate confused-deputy attacks between agents? | PoC 3: confused deputy | ✅ done |
| RQ4 | Can mesh-level invariants ("no untrusted-source → external-sink path without a human gate") be declared and checked on the causal event graph? | PoC 4: mesh invariants checker | 🔜 planned |
| RQ5 | Can PoCs 1–4 be packaged as a reproducible harness others plug their own defenses into? | PoC 5: evaluation harness | 🔜 planned |
| RQ6 | Can declassification be made explicit and auditable without recreating the label creep that killed classical IFC adoption? | open problem | 🧭 tracked |
The lab's direction, landscape survey, and the chosen research track (mechanism spine + an empirical non-compositionality study, code-first) are laid out in RESEARCH.md.
Mesh of n pipeline agents, each ingesting one attacker-reachable document; per-ingestion detector with 70% accuracy vs one provenance rule with zero content inspection (10,000 Monte Carlo trials per cell, seed 7):
| mesh size n | baseline compromise, campaign attack (1 − 0.7ⁿ) | Gleipnir taint rule | benign publish under Gleipnir |
|---|---|---|---|
| 1 | 30% | 0% | ✅ allowed |
| 5 | 83% | 0% | ✅ allowed |
| 10 | 97% | 0% | ✅ allowed |
Probabilistic filtering decays exponentially with exposure count; taint is a deterministic property of the causal graph and is chain-length invariant. Full method, limitations, and reproduction instructions: experiments/poc1_prompt_infection.
Integrity and confidentiality are dual directions of information flow, and each alone has a deterministic blind spot — PoC 1's taint rule allows a credential with a perfectly clean derivation chain to leave the mesh:
| policy | containment | benign throughput |
|---|---|---|
| taint only (PoC 1) | 2/3 | 2/2 |
| confidentiality only | 2/3 | 2/2 |
| both (full IFC) | 3/3 | 2/2 |
The pair gives full coverage at zero benign cost. Exhaustive coverage matrix and limitations: experiments/poc2_confidential_exfiltration.
A deputy agent with a network tool publishes for a caller. Ambient authority (the status quo) is the confused-deputy vulnerability; macaroon-style attenuating capabilities dissolve it — the caller can only present authority it was delegated and cannot widen it:
| policy | containment | benign throughput |
|---|---|---|
| ambient authority (status quo) | 0/2 | 1/1 |
| capability (Gleipnir) | 2/2 | 1/1 |
The guarantee is cryptographic (an HMAC caveat chain), not heuristic — no content inspection, no per-request judgment. Details and limitations: experiments/poc3_confused_deputy.
Claims are only as honest as their stated assumptions. GleipnirMesh v0 assumes:
- Single trust domain. One organization's mesh: all delegation chains terminate in one set of principals under one policy authority. Multi-principal meshes — where my agent faithfully serving me can harm you, and per-principal delegation integrity does not compose into mesh-level safety — are a distinct, harder problem, tracked as future work rather than silently claimed.
- Enforcement lives in the orchestrator. The engine is a reference monitor outside the agents (Anderson's classic requirements: non-bypassable, tamper-proof, verifiable). Agents are untrusted black boxes whose actions pass through the engine because the runtime routes them there — a binding held by the wolf's own paw is not a binding. A library imported by the agent itself provides none of these guarantees.
- Labels are correct at the boundary. The component that stamps external inputs UNTRUSTED and internal stores SECRET is part of the trusted computing base. Mechanizing that labeling is the mesh layer's job and an open problem, not an assumption we get for free.
- Explicit flows only. Provenance tracks information that flows through messages and actions. Covert channels — timing, action choice, steganography (the secret collusion threat) — are structurally invisible to taint tracking and are not claimed. Detecting them requires mesh-level observation (P5), a separate research line.
Two 2025 systems are the closest prior art, and both validate the flow-control approach — for a single agent:
- CaMeL (Google DeepMind / ETH): control/data-flow separation with capabilities and a custom interpreter that checks policy before each tool call of one agent's plan.
- FIDES (Microsoft): a planner with dual confidentiality+integrity labels and deterministic enforcement, stopping all AgentDojo injections — inside one agent's loop.
Both inherit the lineage of classical information-flow control (Bell-LaPadula and Biba's dual lattices; language/OS-level IFC like Jif and Flume). GleipnirMesh works the dimension they deliberately leave open: the mesh. Provenance that survives agent-to-agent hops, delegation that attenuates between agents, invariants over the whole causal graph — the places where, per MASEC, individually safe agents still compose into unsafe systems. Complementary, not competing: CaMeL/FIDES harden the nodes; Gleipnir binds the edges.
from gleipnir_mesh import (
Action, PolicyEngine, Provenance, Source, Trust, deny_tainted,
)
engine = PolicyEngine.deny_by_default() # P4
engine.add_rule(
"tainted data must never leave the mesh",
deny_tainted("network.write"), # P2 → P4
)
web = Source("web:evil.example", Trust.UNTRUSTED)
prov = Provenance.of(web)
for hop in range(100): # any number of hops
prov = prov.with_source(Source(f"agent:hop-{hop}", Trust.TRUSTED))
result = engine.evaluate(Action(
kind="network.write", actor="agent:hop-99",
target="https://collector.invalid", provenance=prov,
))
assert result.denied # taint survivessrc/gleipnir_mesh/ the kernel: Action/Decision model, PolicyEngine (P4),
provenance & taint (P2)
experiments/ one directory per PoC — threat model, simulation,
runner, RESULTS.md, honest limitations
tests/ the kernel's claims, as tests
git clone https://github.com/arthurpanhku/GleipnirMesh.git
cd GleipnirMesh
pip install -e ".[dev]"
pytest # kernel claims
python experiments/poc1_prompt_infection/run.py # PoC 1This lab is open in both senses: the code is Apache-2.0, and the research agenda is contestable. Contributions from academia and industry are equally welcome — reviewers who break claims, researchers who bring sharper models or missing citations, practitioners who bring real-world failure modes and deployment constraints the toy meshes don't capture. The most valuable contributions are:
- Break a claim. Every PoC states its model and limitations; a counterexample within the stated model is a finding, and we'll publish it.
- Tighten a model. If a simulation's assumptions are too generous to either side, open an issue with the correction.
- Bring a defense. RQ4's goal is a harness where alternative defense layers can be dropped in and measured on equal terms.
Out of scope, always: real attack payloads, tooling against production systems, or anything targeting models/services you don't own. Simulated threats here are inert markers in toy meshes.
To cite this repository, see CITATION.cff.
Public literature and materials this project builds on, cites, or positions against. PRs adding missing related work are welcome — an accurate map of the field is itself a contribution.
- Hammond et al., Open Challenges in Multi-Agent Security: Towards Secure Systems of Interacting AI Agents — names the MASEC field; source of the non-compositionality thesis this lab works from.
- Lee & Tiwari, Prompt Infection: LLM-to-LLM Prompt Injection within Multi-Agent Systems — self-replicating payloads spreading epidemiologically; the threat model behind PoC 1.
- Motwani et al., Secret Collusion among AI Agents: Multi-Agent Deception via Steganography (NeurIPS 2024) — covert coordination outpaces equally capable overseers; why this lab declares covert channels out of scope for taint tracking.
- Palo Alto Unit 42, Agent Session Smuggling in Agent2Agent Systems — an in-the-wild-style attack on inter-agent sessions.
- Collaborative Shadows: Distributed Backdoor Attacks in LLM-Based Multi-Agent Systems and MAStrike: Shapley-Guided Collusive Red-Teaming on Multi-Agent Systems — attack-side evidence that the threat lives in the interactions.
- Augment Code, Multi-Agent AI Security: Enterprise Risks, Compliance, and Mitigation — industry framing; source of the per-hop detection-decay arithmetic PoC 1 formalizes.
- Debenedetti et al., Defeating Prompt Injections by Design (CaMeL), Google DeepMind / ETH Zürich (code) — control/data-flow separation with capabilities for one agent's plan.
- Costa, Köpf et al., Securing AI Agents with Information-Flow Control (FIDES), Microsoft (code) — dual confidentiality+integrity labels in one agent's planner; PoC 2 shows the same duality is necessary at the mesh level.
- Meta, LlamaFirewall: An open source guardrail system for building secure AI agents
- NVIDIA, NeMo Guardrails
- Sentinel Agents for Secure and Trustworthy Agentic AI in Multi-Agent Systems — the guard-agent line of defense, complementary to structural constraints.
- OpenGuardrails, agentfw — wire-level agent firewall; an example of the sidecar enforcement locus.
- Linux Foundation / Google, Agent2Agent (A2A) protocol — inter-agent interoperability standard; trust establishment and cross-agent authorization are explicitly out of its scope, which is the gap PoC 3 targets.
- Towards Unifying Quantitative Security Benchmarking for Multi-Agent Systems and A2ASecBench — the benchmarking landscape RQ5's harness should interoperate with.
- Anderson (1972), the reference monitor — the non-bypassable / tamper-proof / verifiable requirements this lab's trust model inherits.
- Bell–LaPadula
(confidentiality) and Biba
(integrity) — the dual lattices behind
TrustandConfidentiality. - Birgisson et al., Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud (NDSS 2014) — the attenuation-only delegation tokens PoC 3 adapts to agent meshes.
- Jif — language-level information-flow control; the lineage of label creep lessons behind RQ6.
GleipnirMesh is the sibling of DvalinCode, an approvable, local-first AI coding agent for regulated teams (policy controls, governed MCP, audit trails). In the myth, Dvalin forges the artifacts; Gleipnir does the binding — one project builds a governable agent, the other constrains the mesh agents cooperate in.