The fail-closed approach is the right default.
One thing I'd add to the attack classes you're
considering: prompt injection via filesystem reads —
an attacker can craft a file that, when read by the
agent, injects instructions into the tool-call chain.
We solved a similar boundary problem by signing all
outputs with HMAC-SHA256 so downstream consumers can
verify the response wasn't modified after the tool-call
boundary. Not a replacement for your approach but
complementary — input validation + output signing
covers both ends.
The skeptic loop concept is the most interesting part here.
One thing worth considering for the validation layer:
signing the intermediate outputs between agents with HMAC
so you can trace exactly which agent in the chain produced
which conclusion. Makes debugging multi-agent pipelines
significantly easier when something breaks mid-chain.
Also curious how you handle the case where Supervisor
gets conflicting conclusions from two specialized agents —
does it default to the skeptic or does it re-run?
Interesting approach to knowledge unit validation.
One thing I've noticed when building constrained LLM
pipelines: separating the system prompt from user input
at the message level (not string concatenation) makes
a significant difference in output consistency.
Also worth looking at HMAC-signing the generated outputs
so downstream consumers can verify integrity without
re-running the model.
We solved a similar boundary problem by signing all outputs with HMAC-SHA256 so downstream consumers can verify the response wasn't modified after the tool-call boundary. Not a replacement for your approach but complementary — input validation + output signing covers both ends.
Is the MCPSEC benchmark public yet?