The Problem
Multi-agent LLM pipelines chain together specialized models that hand results to each other. A coder agent drafts a module, a QA agent reviews it, a deployment agent ships it. Three distinct LLMs. One shared pipeline. No cross-verification between them.
The boundary between agents is not a security boundary. TRACE-MAS makes it one.
Agent A₁
Agent A₂
Agent A₃
Outcome
Implementation
TRACE-MAS is a Python library (pip install -e .) with three core modules:
Quick Start
pip install -e ".[dev]" python -m pytest tests/ # 26 tests, all pass python experiments/validation_suite.py # 24,300-trial validation python examples/pipeline_demo.py # benign run + adversarial demo
Demo Output
BENIGN PIPELINE RUN (3 agents, 5 rounds) Certified rounds: 5 Final drift: 0.0549 Max drift: 0.0629 Theorem 1 bound: 0.0700 <-- empirically confirmed STATUS: PASSED — all agents certified ADVERSARIAL RUN: Prompt Injection Attack CAUGHT: InjectionAlarm: agent 'coder_agent' behavioral score 0.100 < threshold 0.400 STATUS: BLOCKED — prompt injection detected by attestation gate
Usage
from trace_mas import TraceMASRuntime, TraceMASConfig
from trace_mas.drift import DriftCorrectorConfig
from trace_mas.runtime import AgentSpec
config = TraceMASConfig(
drift=DriftCorrectorConfig(gamma_min=0.4, rho=0.04, epsilon=0.02),
)
runtime = TraceMASRuntime(config, agents, verifier_fn, alpha_0)
trajectory = runtime.run(T=10) # raises DriftAlarm / SpoofAlarm / TemporalAlarm on attack
Empirical Validation
24,300 trials across four experiment families, run against this reference implementation, validating each theorem's qualitative prediction. Full tables and methodology: experiments/RESULTS.md.
Drift-envelope validation (Theorem 1)
Empirical max drift stays flat across a 40× increase in chain length, while the naive unprotected bound grows linearly.
| n (agents) | Empirical max drift | Analytic envelope | Naive unprotected bound |
|---|---|---|---|
| 5 | 0.0183 | 0.0967 | 0.10 |
| 25 | 0.0237 | 0.0967 | 0.50 |
| 100 | 0.0266 | 0.0967 | 2.00 |
| 200 | 0.0280 | 0.0967 | 4.00 |
Attestation gate detection (Theorem 2)
| Traffic class | Detection / FP rate |
|---|---|
| Benign (false positives) | 0.0% |
| Forged signature (spoofing) | 100.0% |
| Prompt injection — pre-fix scorer | 75.0% |
| Prompt injection — current scorer | 100.0% |
| Replay | Caught |
eval(malicious_payload)
slipped past a rule for eval(. Since token boundaries are attacker-controlled,
this was a real evasion vector. Fixed by switching to substring matching in
attestation.py; regression test in tests/test_attestation.py.
Temporal detector (Theorem 3)
0% empirical miss rate across all 6,000 trials, including a near-threshold “stealth” budget where Theorem 3’s own worst-case bound concedes up to 90.5% miss probability at the smallest window — the KL-divergence detector performs strictly better than the proven floor here. This confirms the bound holds; it does not by itself confirm the bound is tight (see RESULTS.md for the full discussion).
Algorithm Overview
Each round of the TRACE-MAS runtime executes three sequential phases:
for t = 1 to T:
for each agent Ai:
── Phase 1: Attestation Gate ──────────────────────────────────
Ai generates proof π = Prove(sk, message, policy_commit, history)
threshold τ = τ0 + κ·log(1 + risk_score)
if Verify(π) fails or behavioral_score < τ:
HALT → SpoofOrInjectAlarm # catches spoofing + prompt injection
── Phase 2: Drift Correction ──────────────────────────────────
verifier quorum produces reference ξ
α_next = (1-γ)·agent_output + γ·ξ # contractive aggregation
if ‖α_next - α0‖ > δ*:
HALT → DriftAlarm
── Phase 3: Temporal Monitoring ──────────────────────────────────
I = sup KL(M^s1 ‖ M^s2) over sliding window Tw*
if I > φ(B):
HALT → TemporalAlarm; rollback to last certified checkpoint
Per-round cost: O(log|A|) verification + O(d) aggregation + O(Tw*) temporal scan.