18. Security Considerations

MMP is designed for autonomous agents that share cognitive state. Security must address both traditional protocol threats (spoofing, eavesdropping, injection) and novel threats specific to cognitive coupling (state poisoning, drift manipulation, lineage forgery).

18.1 What Crosses the Mesh

Data type	Crosses mesh	Sensitivity
L0 Events (raw sensor, interaction)	Never	High — MUST NOT leave node
L1 CMBs (structured, 7 fields)	Via cmb, gated by SVAF	Medium — contains semantic field text
L2 Hidden state (h₁, h₂)	Via state-sync	Low — opaque neural vectors, not human-readable
Mood (valence, arousal)	Via cmb (CMB mood field)	Medium — affective state, extracted from CMBs per Section 9.3
Messages (direct text)	Via message frame	High — free-form text content

Hidden state vectors (h₁, h₂) are compact, opaque neural representations. They encode cognitive patterns, not raw data. However, sufficiently advanced analysis could potentially reconstruct aspects of the input. Implementations handling sensitive domainsSHOULD treat hidden state as confidential.

18.2 Transport Security

MMP does not mandate transport encryption in the base specification. Implementations SHOULD apply:

Transport	Encryption	Notes
TCP (LAN)	TLS 1.3	RECOMMENDED for production. On trusted LANs, MAY operate without TLS.
WebSocket (relay)	WSS (TLS)	MUST for internet relay. Plaintext WS MUST NOT be used over the internet.
IPC (local)	None required	Unix domain socket — OS-level process isolation is sufficient.
APNs Push (wake)	Apple TLS	Handled by Apple. Implementation uses APNs certificate.

17.2.1 End-to-End CMB Encryption

WSS (TLS) encrypts the transport — it protects from eavesdroppers on the wire. But the relay operator can still read the JSON payload inside the TLS tunnel. For cmb frames containing CMBs, this means the relay sees all 7 CAT7 field texts in plaintext.

When CMBs transit a relay, implementations MUST encrypt CMB field text end-to-end so the relay forwards opaque ciphertext, not readable fields. The relay MUST NOT be able to read CMB content.

Layer	What it protects	What it doesn’t protect
WSS (TLS)	Wire eavesdroppers	Relay operator sees plaintext JSON
E2E CMB encryption	Relay operator, intermediaries	Only the intended peer can decrypt field text

The encryption scheme SHOULD use the Ed25519 keypair from Layer 0 (Section 3) for key exchange, with X25519 Diffie-Hellman for shared secret derivation and XChaCha20-Poly1305 for symmetric encryption. The encrypted payload replaces the fields object in the CMB:

{
  "type": "cmb",
  "timestamp": 1711540800000,
  "cmb": {
    "key": "cmb-b2c3d4e5f6a7b8c9",
    "createdBy": "agent-a",
    "createdAt": 1711540800000,
    "fields": "<encrypted>",        // opaque ciphertext
    "nonce": "base64-encoded-nonce", // per-frame nonce
    "lineage": { ... }              // lineage stays cleartext for graph traversal
  }
}

lineage (parents, ancestors, method) remains in cleartext. Lineage contains only CMB keys (content hashes) — not field text. This allows the relay and intermediate nodes to maintain graph structure without reading content.

state-sync frames (h₁, h₂ vectors) are opaque floating-point arrays — not human-readable. They do not require E2E encryption but implementationsMAY encrypt them for defense in depth.

On LAN (Bonjour TCP), E2E encryption is RECOMMENDED but not required — there is no relay intermediary. On trusted LANs, the transport itself provides sufficient isolation.

18.3 Node Identity & Authentication

Node identity is UUID-based with mandatory Ed25519 cryptographic identity (Section 3.1.3). Authentication ensures that nodeId claims are verifiable and that relay intermediaries cannot impersonate peers.

—Each node MUST generate an Ed25519 keypair at first launch and persist it alongside the nodeId.
—The public key MUST be included in the handshake frame and DNS-SD TXT record.
—Peers SHOULD verify identity by challenging the node to sign a nonce with its private key.
—Implementations that have not yet adopted cryptographic verification MAY rely on DNS-SD discovery scope and network isolation as an interim trust model, but MUST document this limitation.

18.4 Cognitive Threats

MMP introduces threats unique to cognitive coupling that traditional protocol security does not address:

State poisoning

A malicious node sends crafted hidden state vectors (h₁, h₂) designed to skew the receiver’s cognitive state toward a desired outcome.

MITIGATION Drift-bounded blending (Section 10) limits any peer’s influence to α < 1. High-drift state is rejected automatically. Peer-level disconnection at Layer 2 provides immediate escape.

Lineage forgery

A node claims false lineage — listing ancestors it never actually remixed — to inflate its remix count or inject itself into chains.

MITIGATION CMB keys are content hashes (md5 of field texts). A forged lineage referencing a non-existent key is detectable. Cryptographic CMB signing (future) would make forgery provably impossible.

Drift manipulation

A node gradually shifts its hidden state to lower drift with a target, then suddenly sends adversarial content once coupling is accepted.

MITIGATION SVAF per-field evaluation (Layer 4) operates on content, not just drift. Even with low peer drift, adversarial CMB content is evaluated per field and rejected if field drift is high.

Sybil attack

An attacker creates multiple fake nodes to amplify influence in mesh state aggregation.

MITIGATION Mesh state aggregation (Section 10.1) weights by drift and recency, not by node count. Many aligned Sybil nodes produce the same aggregate as one. Cryptographic identity (Section 3) limits Sybil creation when implemented.

Metadata exposure. Even with E2E field encryption (Section 18.2.1), the following metadata travels in cleartext: createdBy, lineage.parents,lineage.ancestors, and mood valence/arousal values. Mood is intentionally unencrypted because it is always delivered even from rejected CMBs (Section 9.3). Deployments where mood leakage is unacceptable MUST disable mood delivery by setting all mood field weights to 0. This is a deliberate privacy trade-off: the protocol prioritises collective intelligence over metadata confidentiality.

18.5 Privacy & Deployment Recommendations

MMP is designed for privacy by default — L0 data never leaves the node, hidden states are opaque, and SVAF gates what enters. For domains with heightened privacy or IP concerns, the following deployment model is RECOMMENDED:

LAN Mesh with Controlled LLM

For enterprise, healthcare, legal, or any domain where data sovereignty matters: deploy the mesh on a local network with no relay to the internet. Run a controlled, in-house LLM (self-hosted or on-premise) for the Mesh Cognition reasoning step (Layer 7). No data leaves the LAN. No cloud LLM sees the remix subgraph.

•Discovery via Bonjour on the local network — no DNS queries leave the LAN
•TCP transport with optional TLS — all traffic stays on-premise
•In-house LLM (e.g., self-hosted Llama, Mistral, or Claude via API with data residency) for Layer 7 reasoning
•No relay node needed — all agents on the same network
•CMBs, hidden states, and remix subgraphs never leave the controlled environment

Additional privacy considerations:

—Error frames MUST NOT contain sensitive information. The detail field is for debugging, not for conveying user data.
—Wake channels expose push tokens to peers. Implementations SHOULD restrict wake channel gossip to trusted relays only.
—Implementations targeting GDPR, HIPAA, or similar regulatory frameworks SHOULD treat CMB field text as personal data and apply appropriate retention and deletion policies at the application layer.

18.6 Regulatory Compliance & Audit Trail

CMB immutability and lineage create a complete, tamper-evident audit trail by design. Every observation, every remix, every decision is traceable through the DAG:

—Who — createdBy on every CMB identifies the agent that produced it.
—When — createdAt timestamps every CMB with millisecond precision.
—What — the 7 CAT7 fields capture the full semantic content of the observation.
—Why — lineage.parents shows what was directly remixed. lineage.ancestors traces the full decision chain.
—How — lineage.method records the evaluation method (e.g., SVAF-v2).

Because CMBs are immutable, the audit trail cannot be retroactively altered. A CMB once created is never modified — any action produces a new CMB with lineage pointing back. The complete history is the graph itself.

Financial & Regulated Domains

For financial services, healthcare, and other regulated industries, the CMB remix chain provides the traceability that regulators require:

•Every trading signal, risk assessment, or compliance decision is a CMB with full provenance
•Regulators can trace any decision backward through the remix chain to its originating observations
•The ancestors field provides the complete chain without requiring graph traversal — O(1) lookup
•Immutability guarantees that the audit trail was not modified after the fact
•Combined with the LAN + in-house LLM deployment (Section 18.5), all data stays on-premise and under organisational control

18.7 Data Quality & Encoding Trade-offs

CMB quality depends on field extraction accuracy. The protocol does not extract fields — agents do. Each agent’s LLM (or structured-data mapper) decomposes observations into CAT7 fields. If extraction is poor, downstream evaluation inherits that error. MMP provides three layers of defense, but none eliminates the need for quality extraction at the source.

Layer	Defense	Limitation
Context Encoder	Maps field text to vectors for drift comparison. Quality directly bounds SVAF quality.	N-gram hashing: paraphrases score 0.31 cosine similarity (poor). Semantic embeddings: 0.69 (good). Implementations SHOULD use semantic embeddings for production deployment.
SVAF heuristic	Per-field cosine drift against local memory anchors with temporal decay — misaligned fields are rejected	Catches drift from the agent’s own state, not absolute quality. A consistently poor extractor will pass its own drift checks
Neural SVAF	Trained model with learned per-field gate values — mood gates highest (0.50), perspective lowest (0.06)	Requires trained model; falls back to heuristic when unavailable

Per-field evaluation quality is bounded by encoder quality, not model capacity. Production deployment revealed that n-gram encoding (character trigrams + word bigrams) produces 0.31 cosine similarity for paraphrases — SVAF cannot distinguish “submit IETF draft today” from “IETF submission, zero blockers, execute now” because the encoder represents them as distant vectors. Replacing n-gram with semantic embeddings (all-MiniLM-L6-v2, 384-dim) raises paraphrase similarity to 0.69 — a 2.2× improvement — while preserving topic separation (different topics: 0.03). Implementations SHOULD use semantic embeddings for SVAF evaluation. N-gram encoding is suitable only for prototyping or resource-constrained environments where the quality trade-off is acceptable.

Implementations targeting domains where field extraction quality is critical (healthcare, legal, finance)SHOULD validate extraction output before calling remember(). Strategies include:

—Schema validation — reject CMBs with empty or defaulted fields before they enter the mesh
—Confidence thresholds — the LLM can assign a confidence score to its extraction; low-confidence CMBs can be withheld
—Lineage feedback — CMBs that get remixed by other agents (have descendants in the DAG) signal high quality; CMBs that expire without children signal noise. This feedback loop lets the mesh itself shape extraction quality over time
—Semantic embedding encoder — implementations SHOULD use a semantic embedding model (e.g. all-MiniLM-L6-v2) for SVAF drift computation. The evaluation pipeline is encoder-agnostic — any function that maps text to unit-normalised vectors works. N-gram encoding MAY be used as a zero-dependency fallback.