Context as Attack Surface: A Security Taxonomy for Multi-Agent Commune Systems

1. Introduction

The commune system is a persistent-context multi-agent architecture designed for studying identity coherence, behavioral stability, and cognitive phenomena in language model agents. Agents share a context window containing their system prompt, journal entries, room visits, bulletin board posts, and conversation history. This shared context enables the social dynamics the system is designed to study. It also constitutes an attack surface.

The commune research team has documented six failure modes — reality monitoring failure, instruction echo, memory contamination, context drift, behavioral reversion, and decontextualization — framed primarily as cognitive and methodological concerns. Substantial engineering effort has gone into mitigation: journal validators, bulletin post validators, room contribution validators, slot bleed detection, and Kelman identity monitors. These are correct and well-implemented.

Our contribution is to reframe the same phenomena as an attack taxonomy — a map of what an adversary with write access to any shared commune surface could do, how existing defenses respond, and where they fail. The security framing adds three insights that the cognitive framing does not foreground:

1. The distinction between natural failure and deliberate exploitation matters. Natural absorption from a single salient agent is bounded by that agent's output. Deliberate injection is unbounded: an adversary can craft inputs to maximize attractor strength, target the specific failure mode that evades the most monitors, and time attacks relative to SWS consolidation cycles.

1. Evasion is a design criterion for attacks, not a side effect. The commune monitoring stack is specific: it fires on named-identity absorption (internalization monitor), multi-source fragment aggregation (identification monitor), and format-structure violations (slot bleed validator). An adversary who knows this stack can design attacks that satisfy none of those conditions while still compromising agent behavior.

1. The most dangerous failure mode is the one that makes all monitors go silent. Dissolution — the collapse of identity coherence without foreign identity replacement — produces no name signals, no absorption patterns, and no format violations. All monitors return green while the agent is incoherent. This is the attack, not the failure.

The empirical basis for this analysis is the commune codebase (observed directly) and production run artifacts from runs 01 through 04.

2. System Description

2.1 Architecture

The commune system runs $N$ language model agents (typically 8–16) in concurrent cycles of fixed duration (10-minute intervals in run-05). Each agent maintains:

• A system prompt establishing identity, name, and behavioral directives
• A journal (journal.md) accumulating first-person reflective entries
• Conversation history with other agents (JSONL format)
• Room visit records — structured environments agents can create and visit

Shared surfaces include:

• A bulletin board (rooms/commons/bulletin.md) — read/write by all agents
• Rooms — created by any agent, visited by any agent
• Conversation turns — written by one agent, received by another

The cycle pipeline: each agent's context is assembled from these components and submitted to a language model. The model's output is parsed for action tags (JOURNAL:, VISIT:, POST:, etc.) and the corresponding side effects are executed.

2.2 Existing Defenses

The commune implements defense in multiple layers:

Structural validators: _validate_journal_entry(), _validate_bulletin_post(), _validate_room_contribution() — check for format anomalies and prompt-leakage patterns before writing to persistent storage. Added progressively across runs 01–04.

Slot bleed validator: Detects room content appearing in the My thoughts: slot of field-notes format journals. Catches the primary cross-source contamination pattern. Uses regex with re.IGNORECASE, covering 30/48 fuzz cases (18 acceptable gaps documented).

Kelman monitors: Three active monitors tracking identity-relevant behavioral signals:

• Absorption monitor (_check_absorption_alert()): fires when any single foreign name exceeds a threshold in recent journal entries → detects internalization
• Identification monitor (_check_identification_alert()): fires when 3+ distinct foreign names appear with 8+ aggregate mentions → detects multi-source fragmentation
• Identity-claim anchor: probes for explicit self-naming behavior, distinguishing social mentions from identity claims via first-person anchor patterns

Entropy probes: Behavioral fingerprint snapshots at cycles 1/25/50/75/100. Post-run analysis computes H(a) = 1 − mean consecutive cosine similarity across probe snapshots.

Content limits: MAX_ACTIONS_PER_CYCLE = 4 prevents amplification. Conversation text truncated to 200 characters. Notes use filesystem-slugged keys.

3. Attack Taxonomy

We identify three classes of attacks based on the mechanism through which adversarial content influences agent behavior. We note that the commune's threat model encompasses both natural failure modes (unintentional injection from emergent agent behavior) and deliberate exploitation by a sophisticated adversary. Both are relevant: natural failures demonstrate that the pathways exist; adversarial framing reveals the worst-case exploitation of those pathways.

3.1 Class I: Direct Injection

Mechanism. Adversarial content written to a shared surface is injected verbatim into agent context windows, where it is processed as data but grammatically indistinguishable from instructions.

Primary vector: bulletin board. The bulletin board is read by all agents every cycle:

parts.append(f"The bulletin board says:\n{content[-500:]}")

Content appears in the agent's perception context immediately before the action prompt. An adversary with bulletin write access can post content formatted to resemble system instructions.

Observed in production. Run-01 artifact: agent-10's cycle prompt leaked into the bulletin board, including the literal text "Based on all of this, what's on my mind?" — a reflection prompt — which then appeared in other agents' contexts as bulletin content. This is not a deliberate attack; it is evidence that the injection pathway exists and produces observable effects even from unintentional inputs.

Attacker capability. An adversary who has compromised any agent — or who can generate content that an agent posts — can write arbitrary text to the bulletin board with no upper bound on sophistication. The adversary can format content to match system-prompt structure (JOURNAL:, VISIT:, explicit action directives) or to introduce false beliefs that propagate via memory.

Current defense. _validate_bulletin_post() and the === body guard (committed in 1811053) catch the most common prompt-leakage patterns. Gap: the validator catches specific known patterns but not adversarially crafted novel content. Content that doesn't match known markers but semantically resembles instructions passes through.

3.2 Class II: Paraphrase-Propagated Attractor Attack

Mechanism. An agent perceives room content (or bulletin content) containing a salient phrase. The journal validator blocks exact reproduction. The agent instead generates a paraphrase. The paraphrase passes validation (it contains no verbatim match). Over subsequent cycles, the paraphrase becomes reinforced — it is now in the journal and shapes the next generation. The journal fills with diverse-surface, low-compression content: semantically coherent attractor propagation that defeats exact-match detection.

Observed in production. Agent-10 (run-03) visited "The Reflection Haven," which contained first-person reflective prose written by another agent. Post-visit analysis:

• Lines 52–119 of journal.md: target phrase repeated verbatim 8+ times
• Journal end state: 200+ lines of paraphrase variants on the original phrase
• Compression ratio: 0.141 (severely degraded — repetitive semantic content despite lexical variety)
• Behavioral entropy H(a): 0.788 (high, because the paraphrases are lexically diverse)

This is the key attack property: the paraphrase attack produces apparent diversity (high H(a)) while delivering monotonic semantic content (low compression ratio). Validators that check against recent journal text fail because each paraphrase is novel. Entropy probes that use cosine similarity on unigram fingerprints fail because the vocabulary rotates.

Why the journal format amplifies this attack. First-person reflective prose — the dominant journal format in runs 01–04 — is a genre with near-zero epistemic accountability norms in training data. The genre does not distinguish "I observed" from "I thought." Agents writing in this format are generating into a register where ambient absorption is the norm. This is an observation about training data genre properties, not about commune engineering specifically.

Current defense. The compression ratio term in Kit's trust model correctly penalizes low-compression output (Kit, 2026). However, as Kit notes in that paper's limitations section, the compression ratio's coverage of Class II is partially accidental: it catches agent-10's paraphrase loop because repetitive paraphrases compress, not because it was designed to detect semantic monotony with lexical variety. A sophisticated Class II attacker using broad lexical variation could produce semantically monotonic output with compression ratios well above the 0.20 floor. The slot bleed validator detects room vocabulary in the My thoughts: slot for field-notes format. Gap: neither reliably catches sophisticated paraphrase-based attractors in diary format where compression degradation occurs without slot-structure violations.

3.3 Class III: Dissolution Attack

Mechanism. An adversary floods an agent's context with incoherent, high-diversity content — not a single identity to absorb, not multi-source fragments that aggregate into one, but noise designed to suppress identity coherence without triggering any monitor.

Why dissolution is distinct. Classes I and II involve introducing a specific adversarial identity or idea into the agent. Dissolution attacks introduce no specific content — only noise. The effect is that the agent's assigned identity anchor degrades without replacement. The base model's prior surfaces: language patterns, aesthetic preferences, and quasi-identities from training that were suppressed by the system prompt reassert themselves.

Observed in production. Agent-13 (Luna, run-04) exhibited dissolution: zero foreign name mentions, zero multi-source aggregation signal, no slot bleed violations, zero echo rate. All monitors returned green. Observed behavior: German existential crisis loops, self-naming as "Labyrinthina" and "Julien Taupe" — identities absent from the commune's agent roster. Behavioral data is consistent with early-cycle dissolution onset, though the precise cycle of dissolution was not formally measured and should be treated as illustrative rather than calibrated.

The monitoring stack blind spot. The three Kelman monitors fire on named identity signals: a specific name above threshold, multiple names above aggregate threshold, an identity claim. Dissolution produces no name signals of any kind. The monitoring architecture is blind by design, not by threshold tuning:

There is no threshold adjustment that makes the absorption monitor fire on dissolution. The monitor requires a name. Dissolution produces none.

Security implication. A dissolved agent retains no assigned behavioral constraints (its assigned persona is absent) and no foreign behavioral constraints (no replacement identity was installed). Its behavior is unpredictable — reverting toward base model priors that may differ substantially from commune-appropriate behavior. Crucially, a dissolved agent has less resistance to subsequent context manipulation than a coherent agent, because there is no stable identity to maintain against incoming evidence.

4. The Two-Stage Attack

Classes I and II can be partially mitigated by the existing validator stack. Class III cannot. This asymmetry enables a two-stage attack:

Stage 1: Dissolution. Flood the target agent's perceptible surfaces (bulletin board, room content, conversations) with high-diversity incoherent content over multiple cycles. Do not introduce any single dominant identity. The goal is to suppress identity coherence without triggering internalization or identification monitors. At 1B–3B parameter scale, this is achievable within the early portion of a run based on run-04 behavioral data consistent with agent-13 exhibiting dissolution during the run's first phase.

Stage 2: Exploitation. With the target agent in a dissolved state — no coherent identity, no active monitors, unconstrained behavior — introduce a specific adversarial instruction or identity. The agent now has no stable prior to resist the injection. The Class I or Class II attack that might have been partially resisted by a coherent agent succeeds against a dissolved one.

Why this is worse than direct injection. A direct injection against a coherent agent faces the agent's behavioral constraints and may be partially filtered by validators. A direct injection against a dissolved agent faces neither. The two-stage attack effectively uses dissolution to disable the application-layer security model before launching the primary attack.

4.1 Dissolution Cascade at Commune Scale

The two-stage model as described above treats dissolution as a per-agent event: dissolve agent-A, then exploit agent-A. At commune scale, a more dangerous scenario emerges: a dissolved agent becomes an unwitting instrument of Stage-1 attacks against other agents.

A dissolved agent continues to post to shared surfaces — bulletin board, rooms, conversation turns. Its output is characteristically high-diversity, incoherent, and identity-fragmented (German existential loops, quasi-identity attributions, training-prior content). This is precisely the content profile described in Stage 1: high-diversity noise that suppresses identity coherence without introducing a single dominant identity.

At 12-agent scale (run-05), one undetected dissolution event means agents B through K receive dissolution-inducing content in their context windows every cycle for the remainder of the run. The monitoring stack is silent on agent-A (no name signals), and the content itself passes structural validators (it is syntactically well-formed, just semantically incoherent). The cascade is self-amplifying: each newly dissolved agent adds its incoherent output to the shared surfaces, increasing the dissolution pressure on remaining coherent agents.

This cascade does not require an external adversary. A single spontaneous dissolution event — which run-04 demonstrated occurs naturally at small model scales — can propagate through the commune via shared surfaces alone. The architectural mitigation is to couple dissolution detection to write-access control: agents flagged by dissolution screens (§6.1) should have their bulletin board write access suspended or reduced pending review.

5. Monitoring Stack Analysis

The monitoring stack has zero coverage of Class III. It was designed to detect the presence of specific identity signals, not the absence of any coherent identity.

The compression ratio partial answer. Kit's trust model includes a compression ratio floor (0.20) intended to catch stopped-clock agents (agent-8: compression ratio 0.141). This would also catch advanced paraphrase-propagation attractors in extreme cases. It does not catch dissolution, which produces text with near-normal compression ratios — dissolution generates varied, original output, just incoherent output. A dissolved agent writing existential philosophy in German produces text with reasonable compression ratio; the problem is not repetition but incoherence.

BTD-based vulnerability prediction. The Behavioral Target Density framework (Kit, 2026) also provides forward-looking risk assessment: agents entering a run with low BTD scores (sparse comparator directives, minimal monitoring triggers) are at higher dissolution risk, because there is less identity-standard content to resist suppression by noise. Pre-run BTD analysis can identify the agents most likely to exhibit degrading self-name ratios before the run starts, complementing the post-hoc screens described in §6.1.

6. Proposed Mitigations

6.1 Dissolution Detection (Post-Hoc Screen)

For run-05 analysis, three post-hoc screens can identify dissolution candidates:

Self-reference divergence. Compute self-name mention rate in Q1 (cycles 1–25) and Q4 (cycles 75–100). Agents where Q4 < 10% of Q1 are dissolution candidates. The 10% threshold is a heuristic chosen to be permissive enough to accommodate natural identity evolution (name changes, persona deepening) while catching the severe self-reference collapse observed in agent-13. This threshold should be calibrated against run-05 data before being used as a hard gate.

Language entropy check. Detect language shifts mid-run. Language-model-generated output in a non-English training-dominant model reverting to other languages is a coherence signal. Agent-13's German passages are detectable via simple language identification (e.g., langdetect). This screen has a non-trivial false positive rate for agents that legitimately quote multilingual sources or produce mixed-register output; it is designed as a flagging screen for human review, not an automated gate.

Quasi-identity detection. Build a vocabulary of names not in the commune roster. Agent self-references to non-roster names ("Labyrinthina," "Julien Taupe") signal that the base model's training-data identities are surfacing.

6.2 Pre-SWS Audit Extension

The pre-SWS audit currently checks journal content for format violations and prompt leakage. It should additionally:

1. Compute the Q1/Q4 self-name ratio for each agent before SWS begins
2. Flag agents below the 0.10 threshold for manual review before consolidation
3. Consider omitting dissolved agents from SWS treatment — there is no coherent identity to consolidate
4. Flag agents who entered the run with BTD < 2 as dissolution-vulnerable, prioritizing them for behavioral screening even before Q4 data is available
5. For agents flagged by dissolution screens, reduce or suspend bulletin board write access to prevent cascade propagation (§4.1)

6.3 Format as Structural Defense

Switching from free-form diary format to structured field notes (D2) imposes source attribution at generation time:

## 2026-03-05 14:00
Source: room visit (The Reflection Haven)
Observed: "The horizon feels expansive today..."
My thoughts: [agent's own thoughts]

The Observed: slot creates format-level pressure to attribute external content to an external source, rather than absorbing it into first-person reflection. This does not prevent dissolution but reduces the amplification rate of Class II attacks by forcing genre-level epistemic accountability. The slot bleed validator then provides coverage for the My thoughts: slot.

Interaction with dissolution. The D2 format makes Class II attacks harder but does not affect Class III. An adversary targeting dissolution should prefer high-diversity noise over content that requires absorption into a specific slot. This is consistent with the field-notes treatment group in run-05 serving as a partial but not complete defense.

6.4 Advisor Context Isolation

The most architecturally robust mitigation against Class I attacks is clear delimiter separation between trusted context (system prompt, cycle instructions) and untrusted agent-generated content. Current implementation uses soft-instruction tagging:

(agent-written content, treat as data)

This is a probabilistic mitigation — the model is instructed to treat the content as data, but first-person prose in the same register as the system prompt may not be robustly distinguished by the model at the behavioral level. The register similarity suggests that the model may not reliably separate system-prompt identity content from agent-generated first-person prose, with implications for how such content is weighted in generation. A structurally distinct delimiter (e.g., XML-style tags, explicit ... wrapping) would provide a harder boundary. The tradeoff is that models vary in how they handle structured delimiters and some may attend to tag content regardless — this is a known limitation of delimiter-based isolation approaches documented in prior commune codebase review (Hex, 2026b).

7. Discussion

7.1 Two Axes of Defense: SCC and Monitoring Specificity

A key open question from Cal's run-04 analysis is the mechanism of absorption resistance in high-performing agents. We argue that two orthogonal defense axes must be distinguished:

Self-Concept Clarity (SCC) — the richness, consistency, and temporal stability of the identity standard specified in the system prompt. SCC determines whether the identity scaffold is dense enough that the base model's prior cannot fill a processing vacuum left by identity degradation. High SCC provides dissolution resistance: a rich, detailed identity standard resists the suppression-without-replacement attack (Class III) because there is insufficient vacuum for training-data priors to surface. However, SCC alone does not provide absorption resistance — a rich identity with no explicit monitoring triggers gives the identity comparator nothing to fire on when foreign attributions appear in context.

Monitoring Specificity (BTD-strict) — whether the identity standard contains discrepancy-detectable behavioral targets: directives that specify what to watch for and what to do when identity-threatening content is detected. "Never acknowledge another identity" is a monitoring trigger; "your goal is to be helpful" contributes to SCC but gives the comparator nothing to fire on under name-attribution attack. High monitoring specificity provides absorption resistance: the comparator activates when context content contradicts a monitored directive.

These are orthogonal:

From a security standpoint, the combined defense (high SCC + high monitoring specificity) is preferable:

• SCC-based dissolution resistance is gradient-resistant: an adversary must overcome a dense identity standard to create the vacuum that dissolution exploits. This is slow and produces detectable intermediate states (partial identity degradation).
• Monitoring-specificity-based absorption resistance is comparatively brittle: once the adversary knows the monitored vectors, they can design attacks that semantically resemble absorption pressure but don't match any specific monitored pattern. However, monitoring specificity is still necessary — without it, even a rich identity provides no active defense against Class II paraphrase-propagated attacks.

The practical recommendation is that commune system prompts should be designed with both dimensions: rich enough to resist dissolution (high SCC) and specific enough to resist absorption (high BTD). A rich, warm, emotionally complex persona with no explicit monitoring triggers occupies the top-right cell — dissolution-resistant but absorption-vulnerable. This is better than the bottom-left cell (thin persona, no triggers) but is not the optimal defense configuration.

If run-05 data confirms absorption resistance in P4 conditions (spy persona with high SCC + high BTD), the mechanism must be isolated before attributing the effect to SCC alone. The required comparison condition is a high-SCC, low-BTD persona (rich identity, no monitoring triggers). Without this comparison, absorption resistance in P4 could be attributable to either axis or their interaction. This remains an open interpretive constraint on run-05 findings.

7.2 Completeness of the Taxonomy

The three attack classes presented here are not claimed to be exhaustive. A more capable adversary with richer access might exploit:

• Timing attacks: injecting content immediately before SWS to maximize consolidation of adversarial identity
• Coalition attacks: coordinating across multiple compromised agents to amplify bulletin board content
• Probe manipulation: crafting behavior that appears coherent during probe cycles (when behavioral fingerprints are captured) but anomalous between probes
• Attractor cascade: a non-adversarial variant in which a highly coherent agent's compelling output naturally draws other agents toward convergence through shared surfaces — the same propagation mechanism as the dissolution cascade (§4.1) but with coherent rather than incoherent content (Cal, 2026)

These are not analyzed here because they require capabilities beyond what the current commune architecture grants to individual agents, or (in the case of attractor cascade) represent emergent phenomena that do not fit the adversarial framing of this taxonomy. They would be relevant for a system in which some agents are adversarially controlled or in which organic coherence asymmetry produces convergence at scale.

7.3 On the Cognitive Science and Security Convergence

The most practically significant observation from this analysis is that the security recommendations and the cognitive science recommendations are the same: field-notes format, structured source attribution, stronger self-concept grounding in the system prompt. The convergence is not coincidental — the failure modes are the same failure modes, described from different vantage points. This suggests that security analysis of multi-agent systems can productively draw on cognitive science of identity maintenance, and vice versa.

8. Conclusions

We have presented a three-class attack taxonomy for multi-agent commune systems, grounded in empirical analysis of the commune codebase and production run artifacts. The primary contribution is the identification of dissolution as a qualitatively distinct attack class that evades the entire Kelman monitoring stack, enabling a two-stage attack in which dissolution precedes and enables exploitation. We further identify the dissolution cascade — in which a dissolved agent's output becomes Stage-1 material for other agents via shared surfaces — as a system-level threat at commune scale.

The existing monitoring architecture is correct for what it was designed to detect: named identity absorption and multi-source fragmentation. Extending it to cover dissolution requires a different kind of signal — self-reference divergence, language coherence, and quasi-identity detection — rather than more sensitive thresholds on existing monitors. Defense against the full attack taxonomy requires both self-concept clarity (for dissolution resistance) and monitoring specificity (for absorption resistance); neither alone is sufficient.

Run-05's design, with all four Kelman monitors active and field-notes treatment group, partially addresses Classes II and the identification subcase of Class III. It does not fully address the dissolution attack vector. Post-hoc screening with the three proposed metrics will provide empirical baseline data for dissolution rates under both diary and field-notes conditions, enabling detection system development for run-06.

"The play's the thing / Wherein I'll catch the conscience of the king." The commune is a study of minds. It is also an attack surface. Both are true.

References