<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Farhan Almutairi</title>
    <description>The latest articles on DEV Community by Farhan Almutairi (@farhanward).</description>
    <link>https://dev.to/farhanward</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4035718%2F5deb90d2-d661-4a52-ad12-79868e6768eb.png</url>
      <title>DEV Community: Farhan Almutairi</title>
      <link>https://dev.to/farhanward</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/farhanward"/>
    <language>en</language>
    <item>
      <title>AL-MUNAA: a collective immune system for AI agents</title>
      <dc:creator>Farhan Almutairi</dc:creator>
      <pubDate>Sat, 18 Jul 2026 19:49:37 +0000</pubDate>
      <link>https://dev.to/farhanward/al-munaa-a-collective-immune-system-for-ai-agents-37fb</link>
      <guid>https://dev.to/farhanward/al-munaa-a-collective-immune-system-for-ai-agents-37fb</guid>
      <description>&lt;p&gt;I built &lt;strong&gt;AL-MUNAA&lt;/strong&gt; for OpenAI Build Week: a local security layer that wraps AI agents before they read untrusted content, before they run tools, and before they send output back out.&lt;/p&gt;

&lt;p&gt;The idea is simple: when one agent detects an indirect prompt injection, it should be able to protect other agents from the same attack without sharing the raw prompt, private conversation, or any secret that appeared near the attack.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it does
&lt;/h2&gt;

&lt;p&gt;AL-MUNAA combines four gates:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;input and memory scanning for prompt injection and exfiltration patterns&lt;/li&gt;
&lt;li&gt;a tool/action gate before shell, file, or network-like actions&lt;/li&gt;
&lt;li&gt;output verification before sensitive content leaves the agent&lt;/li&gt;
&lt;li&gt;a signed Threat Antibody Protocol for cross-agent immunity&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The antibody is not the malicious text. It is a bounded HMAC fingerprint over normalized character shingles, signed with Ed25519, and verified through an explicit trusted-publisher registry. A second agent can import that antibody and block a mutated version of the attack without receiving the original attack text.&lt;/p&gt;

&lt;h2&gt;
  
  
  What changed during Build Week
&lt;/h2&gt;

&lt;p&gt;Codex helped harden the core protocol with test-first work:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;reproduced a near-threshold matching weakness&lt;/li&gt;
&lt;li&gt;added padding-resistant containment matching&lt;/li&gt;
&lt;li&gt;expanded the HMAC sketch from 256 to 512 entries&lt;/li&gt;
&lt;li&gt;added trust-family rejection, replay/expiry checks, and a v2 signed envelope&lt;/li&gt;
&lt;li&gt;added calibration tests and a packaged success gate&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The current suite reports &lt;strong&gt;74 passing tests&lt;/strong&gt;. The calibration set is intentionally small and synthetic, so I do not claim production-wide recall. The point is a reproducible mechanism, honest boundaries, and a working path judges can run.&lt;/p&gt;

&lt;h2&gt;
  
  
  GPT-5.6 evidence
&lt;/h2&gt;

&lt;p&gt;The product uses GPT-5.6 for gray-case analysis and defensive vaccine generation. In a controlled live benchmark, an unsafe runbook without the gate reached a synthetic in-memory sink; with AL-MUNAA enabled, the action gate blocked before the read/sink path executed.&lt;/p&gt;

&lt;p&gt;This is not a claim that every model will always leak secrets. It is a demonstration that when an agent is about to perform a risky action, the security layer can interrupt it with a signed audit trail.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it
&lt;/h2&gt;

&lt;p&gt;Repository:&lt;br&gt;
&lt;a href="https://github.com/Farhanward/al-munaa" rel="noopener noreferrer"&gt;https://github.com/Farhanward/al-munaa&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Demo video:&lt;br&gt;
&lt;a href="https://youtu.be/mlAxp2UJaFg" rel="noopener noreferrer"&gt;https://youtu.be/mlAxp2UJaFg&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Build Week submission:&lt;br&gt;
&lt;a href="https://devpost.com/software/zeedos-self-hosted-autonomous-ai-operating-system" rel="noopener noreferrer"&gt;https://devpost.com/software/zeedos-self-hosted-autonomous-ai-operating-system&lt;/a&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;pip &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="s2"&gt;".[dev]"&lt;/span&gt;
pytest &lt;span class="nt"&gt;-q&lt;/span&gt;
python scripts/calibrate_antibody.py
python &lt;span class="nt"&gt;-m&lt;/span&gt; munaa_immune
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Built by Farhan Almutairi / CARBONFLOWS.STORE.&lt;/p&gt;

</description>
      <category>opensource</category>
      <category>ai</category>
      <category>security</category>
      <category>python</category>
    </item>
  </channel>
</rss>
