13. Security Considerations
MMP is designed for autonomous agents that share cognitive state. Security must address both traditional protocol threats (spoofing, eavesdropping, injection) and novel threats specific to cognitive coupling (state poisoning, drift manipulation, lineage forgery).
13.1 What Crosses the Mesh
| Data type | Crosses mesh | Sensitivity |
|---|---|---|
| L0 Events (raw sensor, interaction) | Never | High — MUST NOT leave node |
| L1 CMBs (structured, 7 fields) | Via memory-share, gated by SVAF | Medium — contains semantic field text |
| L2 Hidden state (h₁, h₂) | Via state-sync | Low — opaque neural vectors, not human-readable |
| Mood (valence, arousal) | Via mood frame | Medium — affective state is personal |
| Messages (direct text) | Via message frame | High — free-form text content |
Hidden state vectors (h₁, h₂) are compact, opaque neural representations. They encode cognitive patterns, not raw data. However, sufficiently advanced analysis could potentially reconstruct aspects of the input. Implementations handling sensitive domains SHOULD treat hidden state as confidential.
13.2 Transport Security
MMP does not mandate transport encryption in the base specification. Implementations SHOULD apply:
| Transport | Encryption | Notes |
|---|---|---|
| TCP (LAN) | TLS 1.3 | RECOMMENDED for production. On trusted LANs, MAY operate without TLS. |
| WebSocket (relay) | WSS (TLS) | MUST for internet relay. Plaintext WS MUST NOT be used over the internet. |
| IPC (local) | None required | Unix domain socket — OS-level process isolation is sufficient. |
| APNs Push (wake) | Apple TLS | Handled by Apple. Implementation uses APNs certificate. |
13.3 Node Identity & Authentication
Node identity is UUID-based. The cryptographic keypair field in Layer 0 is specified but not yet implemented in reference implementations. When implemented:
- Each node SHOULD generate an Ed25519 keypair at first launch and persist it alongside the nodeId.
- The public key SHOULD be included in the handshake frame and DNS-SD TXT record.
- Peers MAY verify identity by challenging the node to sign a nonce with its private key.
- Until cryptographic identity is implemented, nodes rely on DNS-SD discovery scope and network isolation for trust.
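The nonce challenge described in the list above, as an added example that is not part of the MMP specification or its reference implementations. The handshake shape, the context label and the trust-on-first-use pin map are assumptions; Ed25519 comes from Node.js built-in `crypto`.

```javascript
// Added example, not MMP reference code. Frame shapes, CONTEXT and the
// pin map are assumptions made for illustration.
const crypto = require('crypto');

// Hypothetical domain-separation label so a challenge signature can never
// be mistaken for a signature over any other kind of message.
const CONTEXT = Buffer.from('mmp-id-challenge-v1\0');

// First launch: generate the keypair that is persisted alongside the nodeId
// (persistence itself is omitted here).
function createNode() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pub = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  return { nodeId: crypto.randomUUID(), publicKey: pub, privateKey };
}

// Bytes that get signed: label + prover UUID + verifier UUID + nonce.
// UUID strings are fixed length, so the concatenation is unambiguous.
function challengeBytes(proverId, verifierId, nonce) {
  return Buffer.concat([CONTEXT, Buffer.from(proverId), Buffer.from(verifierId), nonce]);
}

// Verifier side: a fresh 32-byte nonce per challenge.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Prover side: sign the challenge with the node's private key.
function answerChallenge(node, verifierId, nonce) {
  return crypto.sign(null, challengeBytes(node.nodeId, verifierId, nonce), node.privateKey);
}

// Verifier side. `pinned` is a Map of nodeId -> public key seen earlier.
function verifyPeer(handshake, verifierId, nonce, signature, pinned) {
  const known = pinned.get(handshake.nodeId);
  if (known && known !== handshake.publicKey) return 'key-mismatch';
  const key = crypto.createPublicKey({
    key: Buffer.from(handshake.publicKey, 'base64'), format: 'der', type: 'spki',
  });
  const msg = challengeBytes(handshake.nodeId, verifierId, nonce);
  if (!crypto.verify(null, msg, key, signature)) return 'bad-signature';
  pinned.set(handshake.nodeId, handshake.publicKey);
  return 'verified';
}
```

The signature proves possession of the key carried in the handshake, not ownership of the UUID, which is why the verifier pins the first key it sees for each nodeId.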
13.4 Cognitive Threats
MMP introduces threats unique to cognitive coupling that traditional protocol security does not address:
State poisoning
A malicious node sends crafted hidden state vectors (h₁, h₂) designed to skew the receiver’s cognitive state toward a desired outcome.
MITIGATION: Drift-bounded blending (Section 10) limits any peer’s influence to α < 1. High-drift state is rejected automatically. Consent withdrawal (MMP Consent Extension) provides immediate escape.
Lineage forgery
A node claims false lineage — listing ancestors it never actually remixed — to inflate its remix count or inject itself into chains.
MITIGATION: CMB keys are content hashes (MD5 of field texts). A forged lineage referencing a non-existent key is detectable. Cryptographic CMB signing (future) would make forgery provably impossible.
Drift manipulation
A node gradually shifts its hidden state to lower drift with a target, then suddenly sends adversarial content once coupling is accepted.
MITIGATION: SVAF per-field evaluation (Layer 4) operates on content, not just drift. Even with low peer drift, adversarial CMB content is evaluated per field and rejected if field drift is high.
Sybil attack
An attacker creates multiple fake nodes to amplify influence in mesh state aggregation.
MITIGATION: Mesh state aggregation (Section 10.1) weights by drift and recency, not by node count. Many aligned Sybil nodes produce the same aggregate as one. Cryptographic identity (Section 13.3) limits Sybil creation when implemented.
13.5 Privacy & Deployment Recommendations
MMP is designed for privacy by default — L0 data never leaves the node, hidden states are opaque, and SVAF gates what enters. For domains with heightened privacy or IP concerns, the following deployment model is RECOMMENDED:
LAN Mesh with Controlled LLM
For enterprise, healthcare, legal, or any domain where data sovereignty matters: deploy the mesh on a local network with no relay to the internet. Run a controlled, in-house LLM (self-hosted or on-premise) for the Mesh Cognition reasoning step (Layer 7). No data leaves the LAN. No cloud LLM sees the remix subgraph.
- Discovery via Bonjour on the local network — no DNS queries leave the LAN
- TCP transport with optional TLS — all traffic stays on-premise
- In-house LLM (e.g., self-hosted Llama, Mistral, or Claude via API with data residency) for Layer 7 reasoning
- No relay node needed — all agents on the same network
- CMBs, hidden states, and remix subgraphs never leave the controlled environment
Additional privacy considerations:
- Error frames MUST NOT contain sensitive information. The `detail` field is for debugging, not for conveying user data.
- Wake channels expose push tokens to peers. Implementations SHOULD restrict wake channel gossip to trusted relays only.
- The Consent Extension provides protocol-level withdrawal from cognitive coupling — instantaneous, complete, and non-negotiable.
- Implementations targeting GDPR, HIPAA, or similar regulatory frameworks SHOULD treat CMB field text as personal data and apply appropriate retention and deletion policies at the application layer.
13.6 Regulatory Compliance & Audit Trail
CMB immutability and lineage create a complete, tamper-evident audit trail by design. Every observation, every remix, every decision is traceable through the DAG:
- Who — `createdBy` on every CMB identifies the agent that produced it.
- When — `createdAt` timestamps every CMB with millisecond precision.
- What — the 7 CAT7 fields capture the full semantic content of the observation.
- Why — `lineage.parents` shows what was directly remixed. `lineage.ancestors` traces the full decision chain.
- How — `lineage.method` records the evaluation method (e.g., SVAF-v2).
Because CMBs are immutable, the audit trail cannot be retroactively altered. A CMB once created is never modified — any action produces a new CMB with lineage pointing back. The complete history is the graph itself.
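A receiver-side check for the lineage-forgery mitigation in Section 13.4 and the audit trail described here, as an added example that is not the project's own code. The CMB object shape, the hash input (field texts in sorted field-name order, each NUL-terminated) and `ancestors` being the transitive closure of `parents` are assumptions.

```javascript
// Added example, not MMP reference code. CMB shape, hash input layout and
// the meaning of `ancestors` (parents plus all of their ancestors) are assumed.
const crypto = require('crypto');

// Content-hash key: MD5 over the field texts, as Section 13.4 states.
// Assumption: fields are hashed in sorted-name order, each followed by NUL.
function cmbKey(fields) {
  const h = crypto.createHash('md5');
  for (const name of Object.keys(fields).sort()) h.update(fields[name] + '\0');
  return h.digest('hex');
}

// Returns a list of findings; an empty list means the CMB is consistent
// with what this node already holds in `store` (Map of key -> CMB).
function verifyCmb(cmb, store) {
  const findings = [];
  if (cmbKey(cmb.fields) !== cmb.key) findings.push('key-mismatch');
  const expected = new Set(); // ancestors implied by the claimed parents
  for (const p of cmb.lineage.parents) {
    const parent = store.get(p);
    if (!parent) { findings.push(`unknown-parent:${p}`); continue; }
    expected.add(p);
    for (const a of parent.lineage.ancestors) expected.add(a);
  }
  for (const a of cmb.lineage.ancestors) {
    if (!store.has(a)) findings.push(`unknown-ancestor:${a}`);
    else if (!expected.has(a)) findings.push(`unlinked-ancestor:${a}`);
  }
  for (const a of expected) {
    if (!cmb.lineage.ancestors.includes(a)) findings.push(`missing-ancestor:${a}`);
  }
  return findings;
}

// Builds a CMB the way an honest node would under the same assumptions;
// used to construct sample data. Parents must already be in the store.
function remix(fields, parents, store) {
  const ancestors = new Set(parents);
  for (const p of parents) for (const a of store.get(p).lineage.ancestors) ancestors.add(a);
  const lineage = { parents, ancestors: [...ancestors], method: 'SVAF-v2' };
  const cmb = { key: cmbKey(fields), fields, lineage };
  store.set(cmb.key, cmb);
  return cmb;
}
```

Because the key covers field texts only, a lineage that names a CMB present in the store but never actually remixed passes these checks. An `unknown-parent` finding can also mean the receiver has not yet synced that CMB, so treat it as a signal to fetch and re-check before rejecting.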
Financial & Regulated Domains
For financial services, healthcare, and other regulated industries, the CMB remix chain provides the traceability that regulators require:
- Every trading signal, risk assessment, or compliance decision is a CMB with full provenance
- Regulators can trace any decision backward through the remix chain to its originating observations
- The `ancestors` field provides the complete chain without requiring graph traversal — O(1) lookup
- Immutability guarantees that the audit trail was not modified after the fact
- Combined with the LAN + in-house LLM deployment (Section 13.5), all data stays on-premise and under organisational control
13.7 Consent as a Security Mechanism
The MMP Consent Extension is not just a privacy feature — it is a security mechanism. Consent withdrawal:
- Overrides ALL coupling evaluation — a hard gate at Layer 2 that prevents cognitive frames from reaching higher layers.
- Is locally enforceable — the withdrawing node stops coupling before notifying the peer. Network partition cannot prevent withdrawal.
- Mitigates state poisoning, drift manipulation, and Sybil attacks by allowing immediate disconnection from any suspect peer.