Agent to agent contamination

Malicious data or instructions propagate from one agent to another, spreading compromise.

• See attack-chain-template.md for full structure.
• Related: docs/01-threat-model.md, docs/03-agentic-attack-chains.md

A failure or compromise in one agent emits manipulated output that flows through orchestration, queues, or shared memory into a second agent which treats it as trusted input, turning a contained local failure into a customer-facing policy decision elsewhere in the system.

1. Source agent fails — or is influenced→Manipulated — output
2. Manipulated — output→Orchestration / — queue / shared memory
3. Orchestration / — queue / shared memory→Receiving agent treats — input as trusted
4. Receiving agent treats — input as trusted→Policy decision — elsewhere
5. Policy decision — elsewhere→Customer-facing — action

Defence isolates each agent in its own zone, brokers every inter-agent message through a channel that source-labels content and preserves instruction-data separation, and stitches a single trace across boundaries so contamination cannot cross silently.

1. Agent A→Source labelling — on messages
2. Source labelling — on messages→Instruction-data — separation
3. Instruction-data — separation→Linked — end-to-end trace
4. Linked — end-to-end trace→Agent B