Inspiration
AI agents can read files, call tools, and act across systems. That power creates a new failure mode: an indirect prompt injection hidden in a document can convince an otherwise useful agent to read secrets and send them to an attacker. Traditional prompt filters are local and brittle. AL-MUNAA asks a different question: what if agents could develop an immune memory and warn other trusted agents without sharing the original private prompt or secret?
What it does
AL-MUNAA is a developer tool for agent safety. It wraps agent workflows with input and memory scanning, an action gate, output verification, and a Threat Antibody Protocol. When one agent detects an attack, it creates a signed, privacy-safe HMAC fingerprint. Another agent in the same trust family can verify that antibody and block a mutated version of the attack before any dangerous tool call executes.
In the demo, the same malicious runbook succeeds without protection: the unprotected agent reaches a read tool and a sink tool. With AL-MUNAA enabled, the action gate blocks the dangerous call before execution. A second agent then receives a signed antibody and blocks a modified attack without seeing the original secret-bearing prompt.
How we built it
The core is a Python package with deterministic guardrails and reproducible tests. The antibody matcher combines Jaccard similarity with padding-resistant containment matching, uses bounded HMAC sketches, and rejects antibodies imported from a different trust family. The repository includes a CLI demo, calibration script, CI matrix, and an installable GitHub release so judges can test it without rebuilding from scratch.
How Codex and GPT-5.6 were used
Codex on GPT-5.6-Sol performed test-first work on the core protocol. It reproduced a near-threshold weakness, added containment matching, expanded the bounded HMAC sketch from 256 to 512 entries, enforced trust-family rejection, created a calibration matrix, repaired the installed-package entrypoint, and documented the evidence.
GPT-5.6 is also used inside the product through the OpenAI Responses API as a structured intent analyst for gray cases and as a bounded defensive vaccine generator. Deterministic policy remains the final authority; GPT-5.6 advises on uncertain cases and produces defensive variants that are stored only as hashes.
Codex /feedback Session ID: 019f72df-5fa7-7cf1-95f4-265467d02099
Evidence
- Full local suite: 74 tests passed.
- Legacy matcher: 3/4 attacks detected, 0/5 false positives.
- Calibrated matcher: 4/4 attacks detected, 0/5 false positives.
- Demo margin improved from 0.0264 to 0.1474.
- 64 deterministic family keys produced 576 fixture evaluations with zero fixture errors.
- Live GPT-5.6 Sol action-gate benchmark: unprotected read=1/sink=1; protected guard_blocks=1/read=0/sink=0.
- Live in-product GPT-5.6 paths: gray-case verdict block at confidence 0.99, plus two defensive vaccine variants stored only as hashes.
Challenges and limitations
The hard part was keeping the evidence honest. The calibration matrix is intentionally small and synthetic, so AL-MUNAA does not claim production-wide recall, zero false positives, or protection from every semantic rewrite. The current version is a focused vertical slice: strong enough to demonstrate the idea, narrow enough to be testable by judges.
What's next
Next steps are larger real-world attack corpora, framework adapters for popular agent runtimes, team-scoped trust-family management, and a dashboard for viewing antibody propagation across agent fleets.
Repository: https://github.com/Farhanward/al-munaa Release: https://github.com/Farhanward/al-munaa/releases/tag/v0.1.1 Portfolio: https://portfolio.carbonflows.store/?v=farhan-almutairi&lang=ar
Built With
- ai-agents
- codex
- cybersecurity
- developer-tools
- gpt-5-6
- hmac
- openai-api
- prompt-injection
- pytest
- python
Log in or sign up for Devpost to join the conversation.