DEV Community

Farhan Almutairi
Farhan Almutairi

Posted on

AL-MUNAA: a collective immune system for AI agents

I built AL-MUNAA for OpenAI Build Week: a local security layer that wraps AI agents before they read untrusted content, before they run tools, and before they send output back out.

The idea is simple: when one agent detects an indirect prompt injection, it should be able to protect other agents from the same attack without sharing the raw prompt, private conversation, or any secret that appeared near the attack.

What it does

AL-MUNAA combines four gates:

  • input and memory scanning for prompt injection and exfiltration patterns
  • a tool/action gate before shell, file, or network-like actions
  • output verification before sensitive content leaves the agent
  • a signed Threat Antibody Protocol for cross-agent immunity

The antibody is not the malicious text. It is a bounded HMAC fingerprint over normalized character shingles, signed with Ed25519, and verified through an explicit trusted-publisher registry. A second agent can import that antibody and block a mutated version of the attack without receiving the original attack text.

What changed during Build Week

Codex helped harden the core protocol with test-first work:

  • reproduced a near-threshold matching weakness
  • added padding-resistant containment matching
  • expanded the HMAC sketch from 256 to 512 entries
  • added trust-family rejection, replay/expiry checks, and a v2 signed envelope
  • added calibration tests and a packaged success gate

The current suite reports 74 passing tests. The calibration set is intentionally small and synthetic, so I do not claim production-wide recall. The point is a reproducible mechanism, honest boundaries, and a working path judges can run.

GPT-5.6 evidence

The product uses GPT-5.6 for gray-case analysis and defensive vaccine generation. In a controlled live benchmark, an unsafe runbook without the gate reached a synthetic in-memory sink; with AL-MUNAA enabled, the action gate blocked before the read/sink path executed.

This is not a claim that every model will always leak secrets. It is a demonstration that when an agent is about to perform a risky action, the security layer can interrupt it with a signed audit trail.

Try it

Repository:
https://github.com/Farhanward/al-munaa

Demo video:
https://youtu.be/mlAxp2UJaFg

Build Week submission:
https://devpost.com/software/zeedos-self-hosted-autonomous-ai-operating-system

pip install ".[dev]"
pytest -q
python scripts/calibrate_antibody.py
python -m munaa_immune
Enter fullscreen mode Exit fullscreen mode

Built by Farhan Almutairi / CARBONFLOWS.STORE.

Top comments (0)