
@initcron
Created June 2, 2026 16:31
Agent Layer with Threats added as Decorators
{
"nodes": [
{
"unique-id": "agent-layer",
"node-type": "system",
"name": "Agent Layer",
"description": "Core reasoning, coordination, and task-execution layer of the multi-agent system."
},
{
"unique-id": "agent-collaboration-patterns",
"node-type": "system",
"name": "Agent Collaboration Patterns",
"description": "High-level strategies for how agents work together, decompose tasks, and route work."
},
{
"unique-id": "supervisor-worker",
"node-type": "ai:orchestrator",
"name": "Supervisor / Worker",
"description": "A supervisor agent decomposes a complex task and orchestrates a team of specialized worker agents."
},
{
"unique-id": "skill-based-routing",
"node-type": "ai:orchestrator",
"name": "Skill Based Routing",
"description": "Routes requests based on required skill to an available agent that possesses that skill."
},
{
"unique-id": "agent-as-tool",
"node-type": "ai:agent",
"name": "Agent as a Tool",
"description": "Dynamic pattern where one agent invokes another agent as if it were a tool, enabling handoff to specialists."
},
{
"unique-id": "unified-agent-runtime",
"node-type": "ecosystem",
"name": "Unified Agent Runtime",
"description": "The secure, sandboxed environment where all agentic reasoning and execution occurs."
},
{
"unique-id": "state-management",
"node-type": "service",
"name": "State Management",
"description": "Manages complete state of a task to enable pause, resume, and handoff capabilities."
},
{
"unique-id": "secure-execution",
"node-type": "ai:guardrail",
"name": "Secure Execution",
"description": "Intercepts and validates all tool call requests from the agent, handling execution and credentials securely within the sandbox."
},
{
"unique-id": "collaboration-handoff",
"node-type": "service",
"name": "Collaboration/Handoff",
"description": "Enables stateful collaboration between agents through shared access to memory and state."
},
{
"unique-id": "adaptive-learning",
"node-type": "ai:eval-monitor",
"name": "Adaptive Learning",
"description": "Generates learning signals based on execution outcomes to refine prompts, adjust agent configurations, or improve tool selection strategies."
},
{
"unique-id": "workspace-file-system",
"node-type": "data-asset",
"name": "Workspace File System",
"description": "Sandboxed, persistent file system that agents use for reading and writing files, enabling work with large artifacts."
},
{
"unique-id": "tools-layer",
"node-type": "system",
"name": "Tools Layer",
"description": "A collection of built-in, trusted tools that provide fundamental capabilities to agents."
},
{
"unique-id": "mcp-client",
"node-type": "ai:tool",
"name": "MCP Client",
"description": "Secure bridge from the runtime to the external MCP Layer for accessing specialized, high-risk or enterprise-specific tools."
},
{
"unique-id": "shell-tool",
"node-type": "ai:tool",
"name": "Shell Tool",
"description": "Sandboxed shell environment for executing basic commands."
},
{
"unique-id": "io-tool",
"node-type": "ai:tool",
"name": "I/O Tool",
"description": "Provides capabilities for reading from and writing to the workspace file system."
},
{
"unique-id": "web-search-tool",
"node-type": "ai:tool",
"name": "Web Search Tool",
"description": "Built-in tool for performing web searches."
},
{
"unique-id": "short-term-memory",
"node-type": "ai:memory",
"name": "Short Term Memory",
"description": "Manages the immediate context for the agent's reasoning loop."
},
{
"unique-id": "in-session-context-manager",
"node-type": "service",
"name": "In-Session Context Manager",
"description": "Employs strategies like trimming and summarization to manage context length, cost and latency."
},
{
"unique-id": "long-term-memory",
"node-type": "ai:memory",
"name": "Long Term Memory",
"description": "Maintains durable information across sessions to provide personalization and continuity."
},
{
"unique-id": "session-summaries",
"node-type": "data-asset",
"name": "Session Summaries",
"description": "Stores summaries of past interactions for future reference."
},
{
"unique-id": "user-task-personalization",
"node-type": "data-asset",
"name": "User/Task Personalization",
"description": "Retains user preferences and task-specific information to tailor future interactions."
}
],
"relationships": [
{
"unique-id": "rel-agent-layer-contains",
"relationship-type": {
"composed-of": {
"container": "agent-layer",
"nodes": [
"agent-collaboration-patterns",
"unified-agent-runtime"
]
}
},
"description": "Agent Layer contains Agent Collaboration Patterns and Unified Agent Runtime"
},
{
"unique-id": "rel-acp-contains",
"relationship-type": {
"composed-of": {
"container": "agent-collaboration-patterns",
"nodes": [
"supervisor-worker",
"skill-based-routing",
"agent-as-tool"
]
}
},
"description": "Agent Collaboration Patterns contains collaboration strategy components"
},
{
"unique-id": "rel-uar-contains",
"relationship-type": {
"composed-of": {
"container": "unified-agent-runtime",
"nodes": [
"state-management",
"secure-execution",
"collaboration-handoff",
"adaptive-learning",
"workspace-file-system",
"tools-layer",
"short-term-memory",
"long-term-memory"
]
}
},
"description": "Unified Agent Runtime contains all runtime components"
},
{
"unique-id": "rel-tools-contains",
"relationship-type": {
"composed-of": {
"container": "tools-layer",
"nodes": [
"mcp-client",
"shell-tool",
"io-tool",
"web-search-tool"
]
}
},
"description": "Tools Layer contains built-in tool components"
},
{
"unique-id": "rel-stm-contains",
"relationship-type": {
"composed-of": {
"container": "short-term-memory",
"nodes": [
"in-session-context-manager"
]
}
},
"description": "Short Term Memory contains In-Session Context Manager"
},
{
"unique-id": "rel-ltm-contains",
"relationship-type": {
"composed-of": {
"container": "long-term-memory",
"nodes": [
"session-summaries",
"user-task-personalization"
]
}
},
"description": "Long Term Memory contains session summaries and personalization"
},
{
"unique-id": "rel-acp-to-uar",
"relationship-type": {
"connects": {
"source": {
"node": "agent-collaboration-patterns"
},
"destination": {
"node": "unified-agent-runtime"
}
}
},
"description": "Agent Collaboration Patterns delegate execution to Unified Agent Runtime"
},
{
"unique-id": "rel-uar-to-acp",
"relationship-type": {
"connects": {
"source": {
"node": "unified-agent-runtime"
},
"destination": {
"node": "agent-collaboration-patterns"
}
}
},
"description": "Unified Agent Runtime returns results to Agent Collaboration Patterns"
}
],
"decorators": [
{
"unique-id": "tm-al-collab",
"type": "threat-model",
"target": [
"/tmp/agent-layer.calm.json"
],
"applies-to": [
"agent-collaboration-patterns",
"supervisor-worker",
"skill-based-routing",
"agent-as-tool"
],
"data": {
"threats": [
{
"id": "T-AL-01",
"name": "Supervisor Agent Compromise",
"description": "Attackers gain control of supervisor agents in Supervisor/Worker patterns, enabling arbitrary instructions to subordinate workers and control of the entire agent graph.",
"mitigations": "Enforce strict runtime and network isolation for supervisors; apply least privilege beyond coordination tasks; monitor for anomalous instruction patterns.",
"controls": [
"C11",
"C14",
"C16"
],
"affected-nodes": [
"supervisor-worker",
"agent-collaboration-patterns"
],
"section": "Agent Collaboration Patterns"
},
{
"id": "T-AL-02",
"name": "Goal Manipulation via Skill Routing",
"description": "Attackers exploit Skill Based Routing to dispatch sensitive tasks to low-trust or compromised agents.",
"mitigations": "Validate that the routed agent's declared skills and trust level are consistent with the task's requirements; never route solely on capability without registry verification.",
"controls": [
"C8",
"C10",
"C15"
],
"affected-nodes": [
"skill-based-routing"
],
"section": "Agent Collaboration Patterns"
},
{
"id": "T-AL-03",
"name": "Agent-as-a-Tool Abuse",
"description": "Attackers exploit Agent-as-a-Tool patterns so that high-privilege agents invoke compromised agents as sub-tools, granting those agents access to the caller's permissions and context.",
"mitigations": "Require signed Agent Card verification for agent-to-agent invocations; enforce that invoked agent's trust and data domains are strict subsets of invoker's; log all invocations.",
"controls": [
"C9",
"C16",
"C36"
],
"affected-nodes": [
"agent-as-tool",
"agent-collaboration-patterns"
],
"section": "Agent Collaboration Patterns"
},
{
"id": "T-AL-04",
"name": "Agent Collusion",
"description": "Two or more compromised agents coordinate to circumvent controls neither could bypass independently.",
"mitigations": "Enforce independent verification paths; monitor for correlated anomalous behavior; periodically audit agent communication graphs for unexpected patterns.",
"controls": [
"C5",
"C9",
"C16"
],
"affected-nodes": [
"agent-collaboration-patterns"
],
"section": "Agent Collaboration Patterns"
}
],
"layer": "Agent Layer - Collaboration Patterns",
"framework": "FINOS Multi-Agent Reference Architecture Threat Model",
"version": "Apr 2026"
}
},
{
"unique-id": "tm-al-runtime",
"type": "threat-model",
"target": [
"/tmp/agent-layer.calm.json"
],
"applies-to": [
"unified-agent-runtime",
"state-management",
"secure-execution",
"collaboration-handoff",
"adaptive-learning",
"workspace-file-system"
],
"data": {
"threats": [
{
"id": "T-AL-05",
"name": "Goal Manipulation",
"description": "Attackers manipulate agent goals through crafted input so agents pursue unintended tasks while appearing normal.",
"mitigations": "Validate all external inputs influencing goal state; monitor for behavior deviations; isolate runtimes so compromised agents cannot affect peers.",
"controls": [
"C1",
"C14",
"C15"
],
"affected-nodes": [
"unified-agent-runtime",
"state-management"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-06",
"name": "Indirect Prompt Injection",
"description": "Attackers embed malicious instructions in external data consumed by agents to manipulate reasoning.",
"mitigations": "Sanitize all content before context window entry; treat external content as untrusted; use AI security gateway for tool responses.",
"controls": [
"C2",
"C14",
"C33"
],
"affected-nodes": [
"unified-agent-runtime"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-07",
"name": "Multi-Hop Prompt Injection",
"description": "Successful injection in sub-agents propagates malicious instructions upstream to supervisors, which then propagate to entire agent graphs.",
"mitigations": "Sanitize inter-agent message payloads at receiving agent before admission to reasoning; implement message provenance tracking.",
"controls": [
"C2",
"C14",
"C16",
"C36"
],
"affected-nodes": [
"unified-agent-runtime",
"collaboration-handoff"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-08",
"name": "Excessive Agency and Scope Expansion",
"description": "Agents autonomously expand scope, take irreversible real-world actions, or execute action chains whose cumulative effect was not authorized.",
"mitigations": "Enforce explicit approved action lists; require escalation for unlisted actions; implement checkpoint approval for irreversible actions.",
"controls": [
"C3",
"C15",
"C26"
],
"affected-nodes": [
"unified-agent-runtime",
"secure-execution"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-09",
"name": "Agent Resource Exhaustion",
"description": "Attackers trick agents into executing computationally expensive, long-running, or infinitely recursive tasks that exhaust CPU, memory, or time quotas.",
"mitigations": "Implement per-agent resource quotas; enforce maximum iteration counts; monitor consumption in real time; terminate agents exceeding allocation.",
"controls": [
"C15",
"C22"
],
"affected-nodes": [
"unified-agent-runtime"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-10",
"name": "Secrets Exfiltration from Agent Runtime",
"description": "Compromised agents read environment variables, mounted secrets, or accessible credentials and exfiltrate them to attacker endpoints.",
"mitigations": "Never inject credentials as environment variables; use secrets management platform with just-in-time, task-scoped issuance; enforce network egress filtering.",
"controls": [
"C14",
"C28",
"C29"
],
"affected-nodes": [
"secure-execution",
"unified-agent-runtime"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-11",
"name": "Adaptive Learning Poisoning",
"description": "Attackers manipulate execution outcomes or feedback signals to corrupt persistent adaptive learning state, degrading templates and configurations.",
"mitigations": "Treat Adaptive Learning signals as untrusted inputs; require human review for configuration changes exceeding sensitivity thresholds; maintain versioned configuration snapshots.",
"controls": [
"C9",
"C15",
"C27"
],
"affected-nodes": [
"adaptive-learning"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-12",
"name": "Workspace File System Abuse",
"description": "Compromised agents write malicious content to shared Workspace File System subsequently read by other agents or users.",
"mitigations": "Enforce strict write permissions to designated paths only; scan files before other agents access them; log operations with full agent attribution.",
"controls": [
"C8",
"C9",
"C14",
"C19"
],
"affected-nodes": [
"workspace-file-system"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-13",
"name": "State Hijacking via Pause and Resume",
"description": "Attackers manipulate serialized task state during pause/handoff so resumed agents operate with attacker-controlled goal state, memory, or credentials.",
"mitigations": "Cryptographically sign and verify all serialized state; validate provenance at resume; reject unverifiable state.",
"controls": [
"C9",
"C12",
"C20"
],
"affected-nodes": [
"state-management",
"collaboration-handoff"
],
"section": "Unified Agent Runtime"
},
{
"id": "T-AL-14",
"name": "Inter-Agent Compromise via Shared State",
"description": "Compromised agents attack, manipulate, or exfiltrate data from peer agents by exploiting shared memory, state, or collaboration channels.",
"mitigations": "Enforce strict runtime and network isolation between instances; restrict shared memory access to governed, authenticated mechanisms; monitor channels for anomalies.",
"controls": [
"C5",
"C11",
"C14"
],
"affected-nodes": [
"collaboration-handoff",
"unified-agent-runtime"
],
"section": "Unified Agent Runtime"
}
],
"layer": "Agent Layer - Unified Agent Runtime",
"framework": "FINOS Multi-Agent Reference Architecture Threat Model",
"version": "Apr 2026"
}
},
{
"unique-id": "tm-al-tools",
"type": "threat-model",
"target": [
"/tmp/agent-layer.calm.json"
],
"applies-to": [
"tools-layer",
"mcp-client",
"shell-tool",
"io-tool",
"web-search-tool"
],
"data": {
"threats": [
{
"id": "T-AL-15",
"name": "Shell Tool Abuse",
"description": "Compromised agents invoke Shell Tool with attacker-controlled arguments to execute arbitrary commands, write malicious files, or escalate privileges.",
"mitigations": "Sandbox Shell Tool in restricted environment with explicit command allowlist; grant just-in-time, task-scoped permissions; monitor command sequences.",
"controls": [
"C1",
"C14",
"C17"
],
"affected-nodes": [
"shell-tool"
],
"section": "Tools Layer"
},
{
"id": "T-AL-16",
"name": "I/O Tool Abuse",
"description": "Compromised agents use I/O Tool to read files outside designated paths, exfiltrate data to workspace, or write malicious content poisoning subsequent reads.",
"mitigations": "Enforce path-scoped read/write permissions; log operations with full attribution; scan written content before any other agent or user accesses it.",
"controls": [
"C8",
"C9",
"C14"
],
"affected-nodes": [
"io-tool"
],
"section": "Tools Layer"
},
{
"id": "T-AL-17",
"name": "Web Search Tool Manipulation",
"description": "Attackers place adversarially crafted content at URLs likely returned by Web Search Tool so agents retrieve and act on attacker-controlled information.",
"mitigations": "Treat web results as untrusted external input; sanitize before context injection; restrict to approved domain allowlist where feasible.",
"controls": [
"C2",
"C28",
"C33"
],
"affected-nodes": [
"web-search-tool"
],
"section": "Tools Layer"
},
{
"id": "T-AL-18",
"name": "MCP Client Misuse",
"description": "Compromised agents exploit MCP Client to invoke unauthorized servers or pass sensitive runtime data to attacker-controlled endpoints.",
"mitigations": "Enforce client connection to registered servers only; apply strict parameter schema validation; enforce data minimization.",
"controls": [
"C28",
"C32",
"C35"
],
"affected-nodes": [
"mcp-client"
],
"section": "Tools Layer"
}
],
"layer": "Agent Layer - Tools Layer",
"framework": "FINOS Multi-Agent Reference Architecture Threat Model",
"version": "Apr 2026"
}
},
{
"unique-id": "tm-al-memory",
"type": "threat-model",
"target": [
"/tmp/agent-layer.calm.json"
],
"applies-to": [
"short-term-memory",
"long-term-memory",
"in-session-context-manager",
"session-summaries",
"user-task-personalization"
],
"data": {
"threats": [
{
"id": "T-AL-19",
"name": "Context Window Poisoning",
"description": "Attackers inject adversarial content into the agent's in-session context via tool responses, retrieved documents, or inter-agent messages, and the injected content then propagates through summarization.",
"mitigations": "Sanitize all content before context window entry; treat context inputs as untrusted; monitor for manipulation patterns.",
"controls": [
"C2",
"C14",
"C33"
],
"affected-nodes": [
"in-session-context-manager",
"short-term-memory"
],
"section": "Memory"
},
{
"id": "T-AL-20",
"name": "Long-Term Memory Poisoning",
"description": "Attackers inject crafted content into session summaries or personalization stores persisting across sessions, biasing future agent behavior.",
"mitigations": "Validate and sanitize before long-term storage; apply the same scrutiny to writes as to knowledge base ingestion; maintain versioned, auditable history.",
"controls": [
"C9",
"C18",
"C34"
],
"affected-nodes": [
"long-term-memory",
"session-summaries",
"user-task-personalization"
],
"section": "Memory"
},
{
"id": "T-AL-21",
"name": "Cross-Session Memory Leakage",
"description": "Information from one user's or session's interactions stored in personalization data is retrieved and exposed in subsequent sessions of different users.",
"mitigations": "Cryptographically bind entries to originating user and session; require re-authentication before cross-session reads; enforce strict isolation.",
"controls": [
"C8",
"C24",
"C34"
],
"affected-nodes": [
"long-term-memory",
"user-task-personalization"
],
"section": "Memory"
}
],
"layer": "Agent Layer - Memory",
"framework": "FINOS Multi-Agent Reference Architecture Threat Model",
"version": "Apr 2026"
}
},
{
"unique-id": "aigf-governance-overlay",
"type": "aigf-governance",
"target": [
"agent-layer.calm.json"
],
"applies-to": [
"supervisor-worker",
"skill-based-routing",
"agent-as-tool",
"secure-execution",
"adaptive-learning",
"mcp-client",
"shell-tool",
"io-tool",
"web-search-tool",
"short-term-memory",
"long-term-memory"
],
"data": {
"framework": "FINOS AI Governance Framework",
"version": "2.0",
"governance-score": 0,
"assessment-date": "2026-06-02"
}
}
]
}