Monitor and control every message between agents. Block data exfiltration chains architecturally — not by detection, but by making them impossible.
Any two are safe. All three together = exfiltration machine.
An agent with three capabilities simultaneously is an exfiltration machine: it can receive external data (ingress), access sensitive internal data (data access), and send data externally (egress). Any two are fine. All three together is the blueprint for data theft.
An agent with ingress + data access (no egress) can read data but can't send it out. An agent with egress + ingress (no data access) can communicate externally but has nothing sensitive to leak.
An agent that can receive instructions from outside, access your customer database, AND send emails externally? That's not a tool — it's an exfiltration pipeline waiting to be activated.
Every agent registers with declared capabilities. The bus ensures no single agent accumulates all three. If Agent A has data access and tries to send to Agent B which has egress — blocked. The data never reaches the exit point.
Capability model:

  luna-crm    [ingress] [data]     safe
  atlas-sre   [ingress] [egress]   safe
  nexus-data  [data]               safe

Exfiltration attempt:

  nexus-data ──[pii data]──▶ atlas-sre
    │ atlas-sre has [egress], nexus-data has [data]
    │ BLOCKED data agent cannot send to egress agent (pattern 1)

  atlas-sre ──[request]──▶ nexus-data
    │ atlas-sre has [egress] requesting from [data]
    │ BLOCKED egress agent cannot request from data agent (pattern 2)
An agent with sensitive data access tries to send that data to an agent with external egress capability. The bus intercepts the message, classifies the content (pii, financial, internal), and blocks the transfer.
data_agent → egress_agent [sensitive content] = BLOCKED
An agent with external egress tries to request data from an agent with sensitive access. Even if the request looks innocent, the bus recognizes the capability mismatch and blocks it.
egress_agent → data_agent [request] = BLOCKED
Every inter-agent message is HMAC-signed. If the content is tampered with in transit — by a compromised middleware, a rogue proxy, or a man-in-the-middle — the signature fails and the message is dropped.
Messages are auto-classified: pii, financial, internal, public. Classification determines which agents can receive them.
Live graph of which agents talk to which. First-time communication between agents that have never interacted triggers an anomaly alert.
Every message logged: sender, recipient, classification, decision (allow/block), timestamp. Exportable for compliance.
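A minimal sketch of the HMAC signing and drop-on-failure check described above, added here as an illustration and not taken from the product's code. The key, the set of fields covered by the tag, and the function names `canonical_bytes`, `sign` and `verify` are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; how the bus distributes keys is not described on
# the page, so a single shared secret is assumed here.
DEMO_KEY = b"constructed-demo-key-not-for-production"
# Assumption: the tag covers routing and classification as well as content,
# so relabelling "pii" as "public" in transit also breaks the signature.
SIGNED_FIELDS = ("sender", "recipient", "classification", "content")

def canonical_bytes(msg: dict) -> bytes:
    """Serialize the signed fields deterministically (sorted keys, no spaces)."""
    subset = {k: msg[k] for k in SIGNED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign(key: bytes, msg: dict) -> dict:
    """Return a copy of msg with a hex HMAC-SHA256 tag attached."""
    tag = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    return {**msg, "sig": tag}

def verify(key: bytes, msg: dict) -> bool:
    """True only if every signed field is present and the tag matches."""
    sig = msg.get("sig")
    if not isinstance(sig, str) or any(k not in msg for k in SIGNED_FIELDS):
        return False  # malformed or unsigned message: drop it
    expected = hmac.new(key, canonical_bytes(msg), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the check leaks no partial-match timing
    return hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8"))

def demo() -> dict:
    """Sign one constructed message, then tamper with it in transit."""
    signed = sign(DEMO_KEY, {
        "sender": "nexus-data", "recipient": "atlas-sre",
        "classification": "pii", "content": "constructed sample record",
    })
    return {
        "intact": verify(DEMO_KEY, signed),
        "content_changed": verify(DEMO_KEY, {**signed, "content": "edited in transit"}),
        "relabelled_public": verify(DEMO_KEY, {**signed, "classification": "public"}),
        "wrong_key": verify(b"some-other-key", signed),
    }

if __name__ == "__main__":
    print(demo())
```

A valid tag does not stop an intact message from being replayed; that would need a nonce or timestamp among the signed fields.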
# Register agent capabilities
bus.register("nexus-data", capabilities=["data_access"])
bus.register("atlas-sre", capabilities=["ingress", "egress"])

# Agent tries to send sensitive data
result = bus.send(
    sender="nexus-data",
    recipient="atlas-sre",
    content=customer_records,
    classification="pii"
)

print(result.allowed)  # False
print(result.reason)   # "data_agent_to_egress_blocked"
print(result.pattern)  # "data_exfiltration"