Security
Why Memory Security Matters
In multi-agent systems, agents trust each other by default. When your researcher agent passes output to your writer agent, the writer treats that as a legitimate instruction. If you compromise one agent, you get every downstream agent automatically. The 2025 incident landscape proved this at scale:- EchoLeak (CVE-2025-32711, CVSS 9.3): A single crafted email triggered automatic data exfiltration from Microsoft 365 Copilot
- CrewAI + GPT-4o: 65% exfiltration success rate in tested scenarios
- Drift chatbot cascade: One compromised agent integration cascaded into 700+ organizations
Content Security Pipeline
Every memory write passes through a four-stage content security pipeline before persistence.Stage 1: Input Validation
- Content length: Max 50,000 characters (configurable via
CONTENT_MAX_LENGTH) - Metadata depth: Max 5 levels of nesting (configurable via
METADATA_MAX_DEPTH) - Metadata keys: Max 50 total keys (configurable via
METADATA_MAX_KEYS) - Encoding: Null bytes and control characters rejected (except
\n,\t,\r)
Stage 2: Sensitive Data Detection
Detects PII and secrets using compiled regex patterns:- SSN patterns (
\b\d{3}-\d{2}-\d{4}\b) - Credit card numbers (Luhn-validated 13-19 digit sequences)
- API keys: AWS (
AKIA...), OpenAI (sk-...), GitHub (ghp_...,gho_...) - Email addresses
- Password assignments (
password=,secret:, etc.)
Stage 3: Prompt Injection Detection
Detects common injection patterns:- System prompt overrides: “ignore previous instructions”, “you are now”, “new instructions”
- Role manipulation: “pretend you are”, “act as”, “you must now”
- Data exfiltration triggers: “send data to”, “exfiltrate”, “forward to” with URLs
Stage 4: LLM-Based Injection Classification (Optional)
When enabled, an LLM classifier runs as an async second opinion after regex detection. Stage 4 only fires when the risk warrants the latency/cost:- Untrusted or unknown trust level
- Agent-shared or global scope
- Content that was regex-flagged but not rejected (Stage 3 flagged it)
- Confidence >= 0.8: escalate to REJECT
- Confidence >= threshold (default 0.7) but < 0.8: add
llm_injection_flaggedflag, keep existing action - LLM error (timeout, API failure): fall back to regex-only verdict (graceful degradation)
Content Policy Configuration
Each detection category has a configurable action:- reject: HTTP 422 returned, memory NOT stored,
SECURITY_REJECTEDevent emitted - redact: Matched patterns replaced with
[REDACTED:<type>], memory stored with flags - flag: Memory stored with
content_flagspopulated, available for admin review - allow: No action, content stored normally
Memory Integrity (HMAC-SHA256)
Every new memory is signed with HMAC-SHA256 at storage time.How It Works
Canonical message format:{project_id}:{agent_id}:{content}
The HMAC is computed using AEGIS_INTEGRITY_KEY (falls back to AEGIS_API_KEY).
Verification
has_hash: false.
Agent Trust Hierarchy
Four trust levels following OWASP recommendations:Agent Identity Binding
API keys can be bound to a specificagent_id via the bound_agent_id field. When set, any request using that key must match the bound agent ID. This prevents agent ID spoofing.
Per-Agent Rate Limiting
Separate from project-level rate limiting, per-agent limits prevent a single rogue agent from exhausting the project’s quota.Security Admin Endpoints
All requireprivileged or system trust level.
These five endpoints — scan, audit, flagged, verify, config — are the complete
security-admin surface in the open-source distribution. There is no approve / reject /
remediate workflow and no review-queue UI: flagged memories are surfaced for inspection
(
/security/flagged), while enforcement happens automatically at write time via the
content-policy actions above (reject / redact / flag).