Module B6 — Inter-Agent Trust and Communication Security

Inter-Agent Trust and Communication Security

When agents talk to each other, the message channel is a trust boundary. A compromised agent can forge a message that looks like it came from the orchestrator — escalating privileges, impersonating a peer, or triggering a cascade across the mesh. The fix is not better models. It is signed messages, replay protection, and orchestrator-enforced compartment boundaries. B1 rated this the worst blast-radius surface on the map (mesh-wide) because most meshes default to implicit trust. This module closes it.

60
minutes
8
artifacts
3
sub-sections
B2/B4/B5 secured one agent — its input boundary, its tools, its credentials. B6 secures the edges between agents, and that is where the blast radius goes mesh-wide. In a multi-agent mesh every peer relationship is a trust boundary, and a compromised agent inside the mesh can forge an orchestrator message to make a higher-trust agent act. The question this module answers: can a compromised agent forge a message that makes a higher-trust agent do something it should not? In most deployed meshes the answer is yes, because the messages are unauthenticated. The defense is the signed-message + replay-protection + compartmentalization triad — DD-16 ZeroClaw's HMAC tool receipts extended with durable keys (closing Course 1's ephemeral-key gap), nonces, timestamp windows, task binding, and orchestrator-enforced trust compartments. Microsoft Failure Mode Taxonomy v2.0 #3 (Inter-Agent Trust Escalation) is the canonical attack framing; OWASP ASI06 (Cascading Hallucination) and ASI07 (Insecure Output Handling) map here.
Key Claims
Load-Bearing Claims

An inter-agent message channel is a trust boundary, and the mesh default — implicit trust, unauthenticated messages, peer outputs consumed as fact — gives it the worst blast radius on the surface map (mesh-wide). Every edge between two agents is a boundary an attacker can cross by forging a message, and a connected graph with implicit trust means one compromised node propagates to every peer. The root cause is structural: the recipient trusts the message's 'from' field without cryptographic verification. The fix is the same as TLS/JWT/mTLS applied to agent-to-agent communication — authenticate the sender, do not read a field.

The canonical attack is Microsoft Failure Mode Taxonomy v2.0 #3 (Inter-Agent Trust Escalation): a compromised low-trust agent forges an orchestrator message and a high-trust agent executes it — the multi-agent confused deputy. A read-only research agent triggers a production deployment. The deploy agent is the deputy (holds prod authority); the forged message abuses it. Signature verification defeats it: a message the research agent cannot sign is a message the deploy agent must reject. The 'from' field is verified by the signature, not read from the payload.

DD-16 ZeroClaw's HMAC tool receipts are the right primitive and the reference architecture — but Course 1 flagged that its keys are ephemeral, and that gap is load-bearing. Ephemeral keys authenticate within a session but not across sessions: a message signed in session 1 cannot be verified in session 2, and the B3 sleeper attack (a poisoned message retrieved later) cannot be caught. B6 closes the gap with durable, rotated keys in the B5 vault (persistence + rotation + key IDs + a verify-retention window), plus replay protection (nonces, timestamp windows, task binding). All three replay controls are required — drop any one and a path opens.

Authentication is necessary but not sufficient; compartmentalization and cascade prevention bound the damage. Signed messages stop forgery but not a legitimately-signed message from a compromised orchestrator. The compartment boundary is enforced in the orchestrator — the deterministic, auditable component — not the agents (a compromised agent enforces nothing). Session-level intent tracking (a compiled boolean the agent cannot talk past), per-action authorization (B5's scope check per action), and blast-radius caps (cascade depth, fan-out, action budget) are the circuit breakers that stop a cascade before it consumes the mesh. B8 detects; the cap stops.

After This Module
01
Explain why an inter-agent message channel is a trust boundary — a compromised agent can forge messages to escalate privileges, impersonate peers, or trigger cascading actions — and map this to Microsoft Failure Mode Taxonomy v2.0 #3 and OWASP ASI06/ASI07.
02
Describe the three attacks on the inter-agent channel — trust escalation (forged orchestrator message), cascade (one output triggers another's action, propagating across the mesh), and replay (re-injecting a captured legitimate message out of context) — and the control for each.
03
Implement a signed inter-agent message protocol with replay protection — HMAC or asymmetric signatures, per-message nonces, timestamp freshness windows, and message IDs — extending DD-16 ZeroClaw's HMAC tool receipts with durable keys.
04
Design compartmentalization for multi-agent meshes — trust compartments enforced in the orchestrator, not in the agents themselves — so a low-trust research agent cannot direct a high-trust execution agent without an explicit, audited boundary crossing.
05
Build cascade prevention: session-level intent tracking, per-action authorization, and blast-radius caps (cascade depth, fan-out, session action budget) on multi-agent meshes, tying to B8 observability.
06
Identify the anti-patterns — implicit trust between agents, unsigned messages, agents reading their own signing keys, ephemeral keys, mesh-wide blast radius — and the structural fix for each.
Artifacts
01
Teaching Document
~4,200 words; 3 sub-sections — the multi-agent trust problem (channel as trust boundary, three attacks: trust escalation/cascade/replay, MS Failure Mode Taxonomy #3, ASI06/ASI07 mapping), the defense: signed inter-agent messages (HMAC vs asymmetric, closing the ZeroClaw ephemeral-key gap with durable rotated keys, replay protection: nonces/timestamps/task binding, five-gate verify flow, runnable TypeScript code), compartmentalization and cascade prevention (orchestrator-enforced compartments, session intent tracking, per-action authorization, blast-radius caps, six-layer defense-in-depth stack); with anti-patterns, key terms, lab pointer, 13 references
READ
02
Diagrams
5 Mermaid diagrams — the multi-agent mesh as a trust graph (implicit-trust edges vs signed edges), the trust-escalation attack (forged orchestrator message → confused deputy), the cascade chain (ASI06 propagation with fan-out and blast-radius cap), the signed-message verification flow (five gates in series), compartmentalization with trust boundaries (orchestrator-mediated crossings)
READ
03
Slide Deck
14 slides — reveal.js, dark theme, design-system teal; covers the inversion from single-agent security, three attacks, the forged-orchestrator-message attack, cascade + replay, the signed-message contract, closing the ZeroClaw durable-key gap, the five-gate verify flow, compartments in the orchestrator, cascade prevention (intent/authorization/caps), lab pointer
READ
04
Teaching Script
Verbatim teaching transcript, [SLIDE N] cues
READ
05
Flashcards
Anki flashcards (TSV)
TEST
06
Exam
Exam bank, Bloom-distributed
TEST
07
Lab Spec
Build the Signed Inter-Agent Channel — implement (a) sign/verify message protocol with HMAC + durable rotated KeyStore (extends ZeroClaw, closes ephemeral-key gap), (b) replay protection with NonceCache + timestamp freshness window + task binding (five-gate verify), (c) orchestrator-enforced compartment boundary (TrustLevel, session intent tracking, action-budget cap). Includes a trust-escalation attack demo (forged orchestrator message → verify rejects at signature gate) and four replay scenarios. Python 3.10+ standard library, no GPU, no network, ~60-75 min.
DO
08
Module Web Page
Single-file HTML hub
HERE