1. Transport Encryption (Noise & PQC)
Instead of relying on centralized Certificate Authorities (as TLS/HTTPS does), NMP utilizes the Noise Protocol Framework, pioneered by applications like Signal.
- Ed25519 Identities: Every Agent and Server generates an Ed25519 keypair. Your Public Key is your Peer ID on the internet.
- Mutual Authentication: Connections in the Kademlia Mesh are mutually authenticated as soon as they are established. Both sides learn who they are talking to: the Server knows which Agent is invoking it, and the Agent knows which Server is answering.
- Post-Quantum Cryptography (PQC): Elicitation Handshakes utilize Kyber (ML-KEM-768) to derive the symmetric key for the AES-256-GCM payload encapsulation, shielding all AI logic transmission from “Harvest Now, Decrypt Later” attacks by future quantum computers.
2. Payload Inspection (Zero-Time Guardian)
Before the Data Node even allows wasmtime to boot the .wasm file, the file undergoes static mathematical analysis.
3. Anti-Exfiltration (Egress Filter)
Even if a malicious payload miraculously bypasses the Sandbox limits to produce unauthorized data, the NMP Server enforces a final Layer 3 Egress Filter before transmitting the response back across the QUIC pipeline. This filter dynamically analyzes the output buffer (checking for Personally Identifiable Information, API keys, or restricted schema patterns like patientId). If privacy violations are detected, the response is instantly blocked and the payload is dropped.
Double JSON Encoding Defense (Deep-Parsing Recursion):
AI Agents may attempt to bypass static regex scanners by double-serializing strings ("\"id\":\"...\""). To counteract this, the PiiScanner implements recursive deep-parsing. If a returned string resembles an object, the Shield dynamically de-serializes it internally to expose the obfuscated schema before applying the matching algorithms, rendering string-contraband techniques entirely ineffective.
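The deep-parsing defense described above, as an added example that is not part of the NMP code base: a recursive scanner that re-parses any string leaf that looks like serialized JSON, so a double-encoded record still exposes a restricted key such as patientId. The names scanPayload, egressFilter and RESTRICTED_KEYS are hypothetical, the key list and regexes are illustrative, and the recursion is depth-bounded so a nested-encoding payload cannot stall the filter.

```javascript
// Hypothetical deep-parsing egress scanner (example code, not the NMP SDK's own PiiScanner).
const RESTRICTED_KEYS = new Set(["patientId", "ssn", "apiKey"]); // illustrative restricted schema keys
// Value-level patterns applied to every string leaf (illustrative, not exhaustive).
const VALUE_PATTERNS = [
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { name: "api_key", re: /\b(?:sk_|AKIA)[A-Za-z0-9_-]{16,}\b/ },
];
const MAX_DEPTH = 8; // bound on nesting so repeated re-encoding cannot exhaust the scanner

// Returns the parsed value when a string looks like an embedded JSON object/array, else null.
function tryParseEmbedded(s) {
  const t = s.trim();
  if (!(t.startsWith("{") || t.startsWith("["))) return null;
  try { return JSON.parse(t); } catch { return null; }
}

// Walks the output buffer recursively and collects every finding as { path, reason }.
function scanPayload(value, path = "$", depth = 0, findings = []) {
  if (depth > MAX_DEPTH) { findings.push({ path, reason: "max_depth" }); return findings; }
  if (typeof value === "string") {
    for (const p of VALUE_PATTERNS) if (p.re.test(value)) findings.push({ path, reason: p.name });
    const inner = tryParseEmbedded(value); // the double-encoding case: descend into the string
    if (inner !== null) scanPayload(inner, path + "<json>", depth + 1, findings);
  } else if (Array.isArray(value)) {
    value.forEach((v, i) => scanPayload(v, `${path}[${i}]`, depth + 1, findings));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (RESTRICTED_KEYS.has(k)) findings.push({ path: `${path}.${k}`, reason: "restricted_key" });
      scanPayload(v, `${path}.${k}`, depth + 1, findings);
    }
  }
  return findings;
}

// Egress decision: the response is only allowed when the scan produced no findings.
function egressFilter(responseBody) {
  const findings = scanPayload(responseBody);
  return { allowed: findings.length === 0, findings };
}

// Constructed sample: the inner record is serialized a second time, so a flat check of the
// top-level keys would only see "result" and never "patientId".
const SAMPLE_DOUBLE_ENCODED = JSON.stringify({
  result: JSON.stringify({ patientId: "P-1234", note: "ok" }),
});
```

Running `egressFilter(SAMPLE_DOUBLE_ENCODED)` reports a `restricted_key` finding at `$<json>.result<json>.patientId` and blocks the response, while the same envelope carrying only non-restricted keys is allowed through.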
4. Sandboxing (WASI)
As detailed in the WASI Sandboxing chapter, the execution layer is fundamentally isolated by the CPU restrictions imposed by the bytecode runtime, ensuring zero unauthorized I/O or network escalation.
5. Hardware Isolation (TEEs)
Software isolation is never perfect against advanced persistent threats (APTs) leveraging hypervisor bypasses or zero-days. NMP’s ultimate tier of security defines native architecture for Trusted Execution Environments (TEEs) like AWS Nitro Enclaves or Intel SGX. By running the Wasmtime engine inside an Enclave, we guarantee that neither the Cloud Provider (e.g., Amazon) nor a compromised root administrator on the Host machine can dump the RAM to steal the proprietary datasets being analyzed by the Agent. This is a baseline requirement for Financial and Healthcare AI agents.
6. Computational Integrity (ZK-SNARKs)
In scenarios where an Agent must trust an untrusted Server (e.g., “Did the Server actually execute my sorting algorithm, or did it fake the response?”), NMP implements integrated structural abstractions for Zero-Knowledge Virtual Machines. Alongside the Logic Response, the Data Node emits a mathematical ZK Receipt (via engines like risc0-zkvm and SHA-256 cryptographic image_id proofs). The Agent verifies this cryptographic receipt in milliseconds off-chain, ensuring deterministic execution of its exact JS/WASM AST over genuine source data without the server ever revealing the underlying proprietary data points to the mesh.
The ZK Shield Proxy: This mathematical validation (verifyZkReceipt) is performed natively by both the SDK’s NmpClient and the universal NmpMcpBridge. These components act as a Zero-Trust Shield, automatically isolating compromised environments and blocking the delivery of tampered execution payloads back to the calling LLM framework.