Inter-Agent Trust and Communication Security
When agents talk to each other, the message channel is a trust boundary. A compromised agent can forge a message that looks like it came from the orchestrator — escalating privileges, impersonating a peer, or triggering a cascade across the mesh. The fix is not better models. It is signed messages, replay protection, and orchestrator-enforced compartment boundaries. B1 rated this the worst blast-radius surface on the map (mesh-wide) because most meshes default to implicit trust. This module closes it.
An inter-agent message channel is a trust boundary, and the mesh default — implicit trust, unauthenticated messages, peer outputs consumed as fact — gives it the worst blast radius on the surface map (mesh-wide). Every edge between two agents is a boundary an attacker can cross by forging a message, and a connected graph with implicit trust means one compromised node propagates to every peer. The root cause is structural: the recipient trusts the message's 'from' field without cryptographic verification. The fix is the same as TLS/JWT/mTLS applied to agent-to-agent communication — authenticate the sender, do not read a field.
The canonical attack is Microsoft Failure Mode Taxonomy v2.0 #3 (Inter-Agent Trust Escalation): a compromised low-trust agent forges an orchestrator message and a high-trust agent executes it — the multi-agent confused deputy. A read-only research agent triggers a production deployment. The deploy agent is the deputy (holds prod authority); the forged message abuses it. Signature verification defeats it: a message the research agent cannot sign is a message the deploy agent must reject. The 'from' field is verified by the signature, not read from the payload.
DD-16 ZeroClaw's HMAC tool receipts are the right primitive and the reference architecture — but Course 1 flagged that its keys are ephemeral, and that gap is load-bearing. Ephemeral keys authenticate within a session but not across sessions: a message signed in session 1 cannot be verified in session 2, and the B3 sleeper attack (a poisoned message retrieved later) cannot be caught. B6 closes the gap with durable, rotated keys in the B5 vault (persistence + rotation + key IDs + a verify-retention window), plus replay protection (nonces, timestamp windows, task binding). All three replay controls are required — drop any one and a path opens.
Authentication is necessary but not sufficient; compartmentalization and cascade prevention bound the damage. Signed messages stop forgery but not a legitimately-signed message from a compromised orchestrator. The compartment boundary is enforced in the orchestrator — the deterministic, auditable component — not the agents (a compromised agent enforces nothing). Session-level intent tracking (a compiled boolean the agent cannot talk past), per-action authorization (B5's scope check per action), and blast-radius caps (cascade depth, fan-out, action budget) are the circuit breakers that stop a cascade before it consumes the mesh. B8 detects; the cap stops.