search

Membrane Guard Patterns: The Hive's Immune System

Abstraction Level: Level 2 (Cellular) — Security architecture within ATCG-M

Purpose: Show the Membrane's dual role as inbound/outbound validator, protecting the Hive against compromised inputs and enforcing business rules on outputs.

hashtag
What is the Membrane (M)?

The Membrane (M) is the immune system of the ATCG-M metabolism. According to FOUNDATION.md:32, it provides "Deterministic safety guards."

Unlike the LLM-based Transformer (T) which uses probabilistic reasoning, the Membrane uses hard-coded rules to enforce invariants that must never be violated — even if an LLM hallucinates or gets prompt-injected.

Key Characteristics:

  • Deterministic: No LLM involved, pure business logic

  • Dual-gate: Protects both inbound (inputs) and outbound (outputs)

  • Self-healing: Handles failures gracefully via FailureIntent

Implementation: core/src/hive/membrane.py:14-117 (HiveMembrane class)

hashtag
Membrane Architecture: Dual-Gate Pattern

spinner

Flow:

  1. External signal → M (in) validates → A collects data → T reasons → M (out) enforces rules → C acts

  2. If M (in) detects poison, it rejects or sanitizes

  3. If M (out) sees rule violation (e.g., LLM suggests bid below floor), it overrides with safe default

hashtag
Inbound Membrane: Guard Against Poison

Location: core/src/hive/membrane.py:20-64 (inspect_inbound())

Threats Defended:

hashtag
1. Invalid Numerical Inputs

Attack Scenario:

Defense: Hard rejection via ValueError

hashtag
2. Prompt Injection Attacks

Attack Scenario:

Defense: Sanitization

Result: The malicious item_id is replaced, preventing the LLM from following injected instructions.

hashtag
3. Agent Identity Manipulation

Attack Scenario:

Defense:

Result: Compromised agent identity is redacted to prevent reputation manipulation.

hashtag
Outbound Membrane: Enforce Business Rules

Location: core/src/hive/membrane.py:66-117 (inspect_outbound())

Rules Enforced:

hashtag
1. Floor Price Enforcement (Economic Invariant)

Why Critical? Even if the LLM hallucinates and says "accept $1 for a $100 item," the Membrane overrides with a safe counter-offer at floor_price + 5%.

Example:

  • Floor price: $50

  • Bid: $30

  • LLM decision: "accept" (hallucination or adversarial prompt)

  • Membrane override: Counter-offer at $52.50 (floor_price * 1.05) with self-healing

hashtag
2. Data Leakage Prevention (Hidden Knowledge)

Why Critical? The floor_price is hidden knowledge. If the LLM accidentally includes it in the reason ("Your bid of $30 is below our floor price of $50"), the Membrane sanitizes the response.

Example:

  • LLM reason: "Bid $30 is below floor price $50"

  • Membrane sanitized: "Bid does not meet minimum requirements"

hashtag
3. Self-Healing via FailureIntent Handling

Why Critical? If the LLM crashes, times out, or returns garbage, the Membrane gracefully degrades to a safe counter-offer via _override_with_safe_offer instead of failing the entire request.

Example:

  • LLM result: FailureIntent(error="Timeout")

  • Membrane fallback: Counter-offer at floor_price * 1.05 ($52.50 for $50 floor)

  • Message: "I've reached my final limit for this item. My best offer is $52.50."

hashtag
Sequence Diagram: Signal Metabolism with Membrane Guards

spinner

Key Moments:

  1. M (in) detects prompt injection, sanitizes before LLM sees it

  2. T (Transformer) hallucinates "accept $30" despite floor being $50

  3. M (out) overrides to "counter" because bid < floor_price

  4. C (Connector) sends sanitized, rule-compliant response

hashtag
Guard Patterns Catalog

hashtag
Pattern 1: Hard Rejection (Inbound)

When: Input violates fundamental invariants (negative bid, null item_id)

Action: Raise exception immediately, do not proceed to Transformer

Code:

hashtag
Pattern 2: Sanitization (Inbound)

When: Input contains malicious patterns but request is salvageable

Action: Replace poisoned fields with safe defaults, log warning

Code:

hashtag
Pattern 3: Override (Outbound)

When: LLM decision violates business rules (floor price, min margin)

Action: Replace with safe counter-offer via _override_with_safe_offer

Code:

hashtag
Pattern 4: Safe Default (Outbound)

When: LLM fails entirely (FailureIntent, timeout, crash)

Action: Return deterministic fallback via _override_with_safe_offer

Code:

Implementation: core/src/hive/membrane.py:134-148

hashtag
Why the Membrane is Critical

hashtag
Without Membrane (Vulnerable):

spinner

Result: LLM gets prompt-injected, accepts below floor price → Economic loss

hashtag
With Membrane (Protected):

spinner

Result: Injection sanitized, floor price enforced → Protected

hashtag
Testing Membrane Guards

hashtag
Unit Tests

Location: core/tests/test_membrane.py (if exists, otherwise should be created)

Test Cases:

hashtag
Integration with Other Nucleotides

The Membrane does NOT exist in isolation. It bookends the ATCG metabolism:

Position in Flow:

Dependencies:

  • A (Aggregator): Provides context.item_data (floor_price) for outbound checks

  • T (Transformer): Consumes sanitized inputs from M (in), produces decisions validated by M (out)

  • C (Connector): Receives only rule-compliant decisions from M (out)

hashtag
Relation to Canonical Architecture

This pattern implements the Membrane (M) nucleotide defined in:

  • docs/FOUNDATION.md line 32 (Membrane as "Deterministic safety guards")

  • packages/aura-core/src/aura_core/dna.py (Membrane protocol definition — if exists)

  • core/src/hive/membrane.py (Reference implementation)

  • Used by: core/src/hive/metabolism.py (ATCG-M orchestration)

End of Membrane Guard Patterns Documentation

For the glory of the Hive. 🐝

ПредыдущаяcomponentsСледующаяhive

Последнее обновление