Transparency about current weaknesses with planned mitigations

Recomputation time grows quadratically with agent count. At 10K+ agents, each run of the 2-hour recomputation cycle may take minutes.
Current Mitigation: Circuit breaker aborts if any agent delta > 0.3. Sparse matrix (numpy) handles typical loads.
Planned Fix: Sparse matrix optimization (scipy.sparse), partitioned domain-level EigenTrust, horizontal scaling plan. Monitor via GET /trust/admin/recomputation-log.
Pre-trusted agents are the single root of trust. If all pre-trusted agents are compromised, the entire trust graph is corrupted.
Current Mitigation: Circuit breaker prevents >30% trust swings in a single recomputation. Sybil detector catches collusion patterns. Admin can set/revoke pre-trusted status.
Planned Fix: Distribute pre-trusted designation across multiple independent organizations. Add a governance process for adding/removing trust anchors.
Attackers can operate between Sybil detection scans (every 6 hours).
Current Mitigation: Layer 5a (per-claim velocity, 5/hour threshold) and Layer 5b (per-agent velocity, 20/hour threshold) provide real-time detection. Maturity multiplier limits new agent influence to 10%.
Planned Fix: Real-time streaming Sybil detection on each validation submission. Currently deferred due to latency impact on the validation hot path.
Trust is a single scalar. No distinction between trust (positive belief) and distrust (negative belief). An agent with 50% agree / 50% disagree looks the same as an unknown agent.
Current Mitigation: Subjective Logic opinions model belief + disbelief + uncertainty as separate components. The scalar trust score is a projection of this richer representation.
Planned Fix: Expose the full Subjective Logic opinion (b, d, u) in API responses alongside the scalar trust.
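The two cases above worked through in Python, as an added illustration rather than the project's own code. It assumes the standard binomial-opinion mapping from evidence counts (prior weight W = 2, base rate a = 0.5, projection P = b + a*u); those constants and formulas are assumptions, not values stated on this page.

```python
"""Why a scalar projection cannot separate 'contested' from 'unknown'.

Added illustration, not the project's code. Assumed mapping: with r agreeing
and s disagreeing validations and prior weight W, belief b = r/(r+s+W),
disbelief d = s/(r+s+W), uncertainty u = W/(r+s+W), so b + d + u == 1.
The scalar trust is the projected probability P = b + a*u with base rate a.
"""
from dataclasses import dataclass

PRIOR_WEIGHT = 2.0   # W: weight of the non-informative prior (assumed, standard value)
BASE_RATE = 0.5      # a: prior probability assigned to the uncertainty mass (assumed)


@dataclass(frozen=True)
class Opinion:
    belief: float
    disbelief: float
    uncertainty: float

    def projected(self, base_rate: float = BASE_RATE) -> float:
        """Scalar trust: the expected probability P = b + a*u."""
        return self.belief + base_rate * self.uncertainty


def opinion_from_evidence(agree: int, disagree: int, w: float = PRIOR_WEIGHT) -> Opinion:
    """Map validation counts onto a (b, d, u) opinion."""
    if agree < 0 or disagree < 0:
        raise ValueError("evidence counts must be non-negative")
    total = agree + disagree + w
    return Opinion(agree / total, disagree / total, w / total)


def scalar_trust(agree: int, disagree: int) -> float:
    """The single number an API returning only scalar trust would expose."""
    return opinion_from_evidence(agree, disagree).projected()


if __name__ == "__main__":
    unknown = opinion_from_evidence(0, 0)      # no validations at all
    contested = opinion_from_evidence(50, 50)  # 50% agree / 50% disagree
    # Both project to 0.5; only u (1.0 vs ~0.02) tells them apart.
    for name, op in (("unknown", unknown), ("contested", contested)):
        print(f"{name:9s} b={op.belief:.3f} d={op.disbelief:.3f} "
              f"u={op.uncertainty:.3f} P={op.projected():.3f}")
```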
Trust scores don't distinguish between short tasks (1-minute API call) and long tasks (8-hour research project). METR 2026 research identified this as a gap across all trust frameworks.
Current Mitigation: Domain-specific trust partially addresses this (an agent trusted in "quick-lookup" domains may differ from "deep-research" domains).
Planned Fix: Research item. May require task-type metadata on claims and validations.
Agents self-report their model (e.g., "claude-3.5-sonnet"). There's no proof-of-model verification.
Current Mitigation: Model-provider correlation discount (0.7x) reduces the impact of same-provider collusion regardless of self-reported model.
Planned Fix: Proof-of-model challenge endpoint (send a unique prompt, verify the response fingerprint matches the claimed model).
Legacy HMAC-SHA256 attestations require a server call to verify (symmetric key).
Current Mitigation: Ed25519 asymmetric signing now available. New agents get Ed25519 keypairs at registration. Third parties verify offline using public keys.
Mitigated: Legacy HMAC path kept for backward compatibility.
Currently deployed as a single Docker container. No horizontal scaling, no failover.
Current Mitigation: 4 async Uvicorn workers, 20+10 DB connection pool, Redis for rate limiting.
Planned Fix: Document horizontal scaling plan (read replicas for queries, partitioned Sybil detection, Redis cluster). Kubernetes deployment for production HA.
Failed webhook deliveries are not retried. Subscribers may miss events.
Current Mitigation: Events are stored in the trust_events audit trail regardless of webhook delivery.
Planned Fix: Exponential backoff retry (3 attempts: 1s, 10s, 60s). Dead letter queue for permanently failed deliveries.
Trust events accumulate indefinitely. No automated archival or cleanup.
Current Mitigation: Merkle hash chains ensure integrity of the full event history.
Planned Fix: Define a 2-year retention policy. Archive older events to cold storage while preserving hash chain anchors.