v3/implementation/adrs/ADR-078-agent-llm-federation-plugin.md
Claude Flow v3.5 operates within single installations. Agents spawned on one machine cannot collaborate with agents on another machine, user, or organization. As multi-agent AI development matures, the need for cross-installation coordination becomes critical -- organizations running separate Claude Flow installations need agents that can discover each other, share context safely, and coordinate work across trust boundaries without leaking PII or allowing prompt injection attacks from untrusted peers.
No existing multi-agent framework solves this with production-grade security. LangGraph, CrewAI, and AutoGen all assume a single trust domain. The novelty here is a federated trust model with Byzantine fault tolerance, PII-gated data flow, and adversarial AI defence -- treating remote agents as untrusted by default, with graduated trust via cryptographic attestation.
This is not a plugin. This is the TCP/IP layer for agent trust.
Every framework is scaling agents. Nobody is defining how they negotiate trust before they talk. That's the shift. Most systems start with "agents talk to each other" and bolt on security later. This ADR defines a federated agent control plane with:
If Claude Flow ships this, it becomes the reference implementation. Federation becomes the standard.
| Dimension | Score | Why |
|---|---|---|
| Security | 9/10 | mTLS + claims + dual AI defence is strong |
| Compliance | 9/10 | Built-in audit + PII pipeline is rare |
| Practicality | 7/10 | Operational overhead will be non-trivial |
| Differentiation | 10/10 | Nobody is doing this cleanly |
| Risk | Medium | Complexity and false positives |
Cross-org agent workflows -- Bank A agent + Bank B agent share fraud signals without leaking customer data. The PII pipeline + trust levels make this monetizable.
Sovereign AI collaboration -- Local agents stay local. Only sanitized deltas move across boundaries. Aligns with the delta engine framing.
Agent marketplaces that don't leak data -- Safely expose MCP tools, agent capabilities, and partial memory without giving away full context. This is the RuFlo marketplace path.
Federation ships as invisible infrastructure -- agents discover and negotiate trust automatically. Operators configure policies (PII rules, compliance mode, peer allowlists) but don't manually manage handshakes. The system is observable via audit logs but not a visible product feature users interact with directly.
Enterprise compliance is the initial optimization target. Open network adoption follows once the trust model is proven in controlled environments.
Build @claude-flow/plugin-agent-federation as a first-class Claude Flow plugin that enables cross-installation agent collaboration with security-first design.
The protocol operates in four phases:
Phase A: Discovery
claude-flow.config.json under federation.peers[]_claude-federation._tcp SRV records for LAN discoveryv3/@claude-flow/cli/src/plugins/store/discovery.ts)Phase B: Handshake (mTLS + Challenge-Response)
@claude-flow/security/TokenGenerator.Phase C: Session Management
FederationHub.heartbeat()).Phase D: Message Routing
FederationEnvelope<T> with source/target node IDs, session ID, timestamp, nonce, and HMAC signature.FederationHub.broadcast())FederationHub.propose())Consensus mode selection: BFT consensus is expensive and only required for operations that mutate shared state. The routing service selects the mode automatically:
| Operation | Mode | Rationale |
|---|---|---|
| Task assignment | Direct | No shared state mutation |
| Memory query | Direct | Read-only, PII-gated |
| Context sharing | Direct | Peer-to-peer, trust-gated |
| Status broadcast | Broadcast | Informational, no quorum needed |
| Trust level change | Consensus | Shared state: trust graph |
| Federation topology change | Consensus | Shared state: peer membership |
| Coordinated agent spawn | Consensus | Resource commitment across nodes |
Direct mode is the default. Consensus mode is invoked only when the message type is in the consensus-required set, keeping latency low for the 90%+ of messages that are read-only or peer-to-peer.
Local Node Remote Node
----------- -----------
Agent A produces message
|
v
[PII Pipeline] -- strip/redact/hash PII
|
v
[AI Defence] -- scan outbound for injection
|
v
[HMAC Sign] -- sign envelope
|
v
[Transport] -- mTLS WebSocket / HTTP ---------> [mTLS Verify]
|
v
[HMAC Verify]
|
v
[AI Defence] -- scan inbound
|
v
[PII Pipeline] -- verify no PII
|
v
[Claims Check] -- verify permissions
|
v
Agent B receives message
| Decision | Rationale |
|---|---|
| Plugin, not core | Federation is opt-in; many installations are single-node. Ships as @claude-flow/plugin-agent-federation. |
| mTLS, not API keys | API keys are shared secrets -- one compromise exposes the federation. mTLS provides mutual authentication with per-node identity. |
| PII stripping before encryption | Ensures PII never exists in the encrypted payload -- defense in depth against key compromise. |
| Byzantine consensus for untrusted peers | Remote nodes may be compromised. BFT tolerates f < n/3 faulty nodes using existing hive-mind infrastructure. |
| Dual AI Defence gates | Both outbound and inbound scanning. Outbound prevents accidental data leakage. Inbound prevents adversarial prompt injection from remote agents. |
| Claims-based authorization | Every cross-boundary operation requires a claim. Extends @claude-flow/claims with federation-specific claim types. |
Trust Level 0: UNTRUSTED -- Unknown node, no handshake completed
Trust Level 1: VERIFIED -- mTLS handshake successful, identity verified
Trust Level 2: ATTESTED -- Challenge-response passed, capabilities confirmed
Trust Level 3: TRUSTED -- Extended interaction history, high trust score
Trust Level 4: PRIVILEGED -- Organizational attestation (signed by institutional authority)
Trust levels map to capability gates:
| Trust Level | Allowed Operations |
|---|---|
| 0 | Discovery only |
| 1 | Read federation status, ping |
| 2 | Send/receive task messages, query memory (redacted) |
| 3 | Share agent context, collaborative task execution |
| 4 | Full memory sharing, direct agent spawning on remote node |
Trust scores are computed continuously from interaction history, not assigned statically:
trust_score = 0.4 * success_rate
+ 0.2 * uptime
+ 0.2 * (1 - threat_penalty)
+ 0.2 * data_integrity_score
| Component | Calculation | Range |
|---|---|---|
success_rate | Messages successfully delivered / total attempted | 0.0 - 1.0 |
uptime | Seconds session healthy / total session seconds | 0.0 - 1.0 |
threat_penalty | Weighted count of threat detections (decays over time) | 0.0 - 1.0 |
data_integrity_score | HMAC verification success rate + schema conformance | 0.0 - 1.0 |
Trust level transitions are driven by score thresholds with hysteresis to prevent oscillation:
| Transition | Upgrade Threshold | Downgrade Threshold | Min Interaction |
|---|---|---|---|
| 1 → 2 | score ≥ 0.7 | score < 0.5 | 50 messages |
| 2 → 3 | score ≥ 0.85 | score < 0.65 | 500 messages |
| 3 → 4 | Requires institutional attestation + score ≥ 0.95 | score < 0.8 | 5000 messages |
Automatic downgrade occurs immediately (no hysteresis) when:
All trust transitions are logged as trust_level_changed audit events and downgrades are irreversible without human authority approval via AuthorityGate.
All primitives reuse existing @claude-flow/security:
| Primitive | Implementation | Source |
|---|---|---|
| Key generation | ed25519 via crypto.generateKeyPairSync | New in federation |
| Token signing | HMAC-SHA256 | TokenGenerator |
| Password hashing | bcrypt (12 rounds) | PasswordHasher |
| Session tokens | crypto.randomBytes(32) | TokenGenerator.generate() |
| Nonce generation | crypto.randomBytes(16) | TokenGenerator |
| Timing-safe compare | crypto.timingSafeEqual | TokenGenerator.verify() |
Remote federation peers are treated as untrusted plugin sources:
PluginContext with limited service access.ServiceContainer exposes only: memory (read-only for trust < 3), claims, eventBus.PathValidator.SafeExecutor.PluginConfig.resources (max memory, max CPU).New claim types registered by the federation plugin:
type FederationClaimType =
| 'federation:discover' // Can discover and be discovered
| 'federation:connect' // Can establish federation sessions
| 'federation:read' // Can receive messages from federated peers
| 'federation:write' // Can send messages to federated peers
| 'federation:admin' // Can manage federation topology
| 'federation:memory' // Can access federated memory (gated by trust level)
| 'federation:spawn' // Can request agent spawning on remote nodes
Cross-boundary operations that affect local state require human authority approval:
| Action | Authority Level | Irreversibility |
|---|---|---|
| Accept federation peer | human | costly-reversible |
| Share memory namespace | human | reversible |
| Allow remote agent spawn | institutional | costly-reversible |
Grant federation:admin | institutional | costly-reversible |
| Delete federation data | human | irreversible |
The PII pipeline processes every message before it crosses a trust boundary:
Input Message
|
v
[Stage 1: Detect] -- Uses aidefence.hasPII() + extended patterns
|
v
[Stage 2: Classify] -- Categorize: email, SSN, credit_card, api_key, password, name, address, phone
|
v
[Stage 3: Policy Evaluate] -- Per-category policy: BLOCK | REDACT | HASH | PASS
|
v
[Stage 4: Transform] -- Apply transformation
|
v
Output Message (sanitized)
The existing PII patterns in @claude-flow/aidefence detect email, SSN, credit card, API key, GitHub token, and hardcoded passwords. The federation plugin extends this with:
| Pattern | Type | Example |
|---|---|---|
| Phone numbers | phone | +1-555-123-4567, (555) 123-4567 |
| Names (NER-style) | name | Context-aware proper noun detection |
| IP addresses | ip_address | 192.168.1.1, 2001:db8::1 |
| Physical addresses | address | Street address patterns |
| JWT tokens | jwt | eyJ... base64 encoded tokens |
| AWS keys | aws_key | AKIA... prefix detection |
| Private keys | private_key | -----BEGIN.*PRIVATE KEY----- |
| Database URLs | database_url | postgres://user:pass@host/db |
interface PIIPolicyConfig {
defaultAction: 'block' | 'redact' | 'hash' | 'pass';
overrides: Record<PIIType, {
action: 'block' | 'redact' | 'hash' | 'pass';
trustLevelOverride?: Record<TrustLevel, 'block' | 'redact' | 'hash' | 'pass'>;
}>;
hashAlgorithm: 'sha256' | 'blake3';
hashSalt: string; // Per-installation, never transmitted
redactionPlaceholder: string; // Default: '[REDACTED:{type}]'
}
Default policy:
| PII Type | Trust 0-1 | Trust 2 | Trust 3 | Trust 4 |
|---|---|---|---|---|
| SSN | block | block | block | block |
| credit_card | block | block | block | block |
| api_key | block | block | block | redact |
| password | block | block | block | block |
| block | redact | hash | pass | |
| phone | block | redact | hash | pass |
| name | block | redact | redact | pass |
| ip_address | block | hash | hash | pass |
Each PII detection carries a confidence score (0.0-1.0). Policy evaluation uses confidence to reduce false positive friction:
interface PIIDetection {
type: PIIType;
value: string;
confidence: number; // 0.0 - 1.0
offset: number; // Character position in message
context: string; // Surrounding text for review
}
Confidence thresholds:
| Action | Confidence Required |
|---|---|
| Auto-block | ≥ 0.95 |
| Auto-redact | ≥ 0.85 |
| Flag for review | 0.6 - 0.85 |
| Ignore | < 0.6 |
Adaptive calibration: The PII pipeline tracks operator overrides (cases where a human marks a detection as false positive or false negative) and adjusts confidence thresholds per PII type over time:
interface PIICalibration {
type: PIIType;
falsePositiveRate: number; // Rolling 30-day window
falseNegativeRate: number;
adjustedThreshold: number; // Moves toward lower FP rate
totalOverrides: number;
lastCalibrated: string; // ISO 8601
}
This closes the feedback loop -- a system that ships too strict loosens itself based on evidence, and one that ships too loose tightens. Calibration state is persisted in AgentDB under namespace federation-pii-calibration and exported as part of the compliance audit trail.
interface FederationAuditEvent {
eventId: string; // UUID v4
timestamp: string; // ISO 8601
nodeId: string; // Local node identifier
sessionId?: string; // Federation session
eventType: FederationAuditEventType;
severity: 'info' | 'warn' | 'error' | 'critical';
category: 'discovery' | 'handshake' | 'message' | 'pii' | 'security' | 'consensus';
sourceNodeId?: string;
targetNodeId?: string;
agentId?: string;
trustLevel?: number;
piiDetected?: boolean;
piiTypesFound?: string[];
piiAction?: string;
threatDetected?: boolean;
threatTypes?: string[];
claimsChecked?: string[];
claimsResult?: 'granted' | 'denied';
latencyMs?: number;
messageSizeBytes?: number;
complianceMode?: 'hipaa' | 'soc2' | 'gdpr' | 'none';
dataResidency?: string;
metadata?: Record<string, unknown>;
}
type FederationAuditEventType =
// Discovery
| 'peer_discovered' | 'peer_manifest_published'
// Handshake
| 'handshake_initiated' | 'handshake_completed'
| 'handshake_failed' | 'handshake_rejected'
// Session
| 'session_created' | 'session_renewed'
| 'session_expired' | 'session_terminated'
// Messages
| 'message_sent' | 'message_received'
| 'message_rejected' | 'message_timeout'
// PII
| 'pii_detected' | 'pii_stripped' | 'pii_blocked'
// Security
| 'threat_detected' | 'threat_blocked' | 'threat_learned'
| 'claim_checked' | 'claim_denied' | 'trust_level_changed'
// Consensus
| 'consensus_proposed' | 'consensus_voted'
| 'consensus_reached' | 'consensus_failed';
| Mode | Requirements |
|---|---|
| HIPAA | All PII events logged with full audit trail. Log retention 6 years. No PII in logs (log the redaction action, not the data). PHI detection patterns enabled. |
| SOC2 | Access control events logged. Change management trail. Availability monitoring (session health). |
| GDPR | Data processing records. Right to erasure support. Consent tracking for data sharing. Data residency enforcement. |
| None | Standard operational logging. Configurable retention. |
federation-audit -- fires on every audit event for external processors.federation-audit-ship -- batches and ships logs to file, syslog, or cloud.federation-audit for HNSW search.v3/@claude-flow/plugin-agent-federation/
package.json
tsconfig.json
vitest.config.ts
src/
index.ts # Plugin entry point
plugin.ts # FederationPlugin class (ClaudeFlowPlugin)
domain/
entities/
federation-node.ts # FederationNode entity
federation-session.ts # FederationSession entity
federation-envelope.ts # Message envelope value object
trust-level.ts # Trust level value object
services/
discovery-service.ts # Peer discovery (static, DNS-SD, IPFS)
handshake-service.ts # mTLS + challenge-response
session-service.ts # Session lifecycle management
routing-service.ts # Message routing (direct/broadcast/consensus)
pii-pipeline-service.ts # PII detection, classification, transformation
audit-service.ts # Structured logging and compliance
repositories/
node-repository.ts # Node persistence interface
session-repository.ts # Session persistence interface
audit-repository.ts # Audit log persistence interface
application/
federation-coordinator.ts # Orchestrates federation operations
trust-evaluator.ts # Trust score calculation and management
policy-engine.ts # PII and security policy evaluation
infrastructure/
transports/
websocket-transport.ts # WebSocket transport (remote)
stdio-transport.ts # stdio transport (local)
http-transport.ts # HTTP fallback transport
crypto/
keypair-manager.ts # ed25519 key generation and storage
envelope-signer.ts # HMAC signing/verification
persistence/
agentdb-node-repository.ts # AgentDB-backed node storage
agentdb-session-repository.ts # AgentDB-backed session storage
agentdb-audit-repository.ts # AgentDB-backed audit storage
api/
cli-commands.ts # CLI subcommands
mcp-tools.ts # MCP tool definitions
hooks.ts # Hook registrations
__tests__/
unit/
discovery-service.test.ts
handshake-service.test.ts
pii-pipeline-service.test.ts
trust-evaluator.test.ts
audit-service.test.ts
integration/
federation-flow.test.ts
pii-roundtrip.test.ts
consensus-federation.test.ts
acceptance/
federation-compliance.test.ts
export class AgentFederationPlugin implements ClaudeFlowPlugin {
readonly id = 'agent-federation';
readonly name = '@claude-flow/plugin-agent-federation';
readonly version = '1.0.0-alpha.1';
readonly description = 'Cross-installation agent federation with PII protection and AI defence';
readonly dependencies = ['@claude-flow/security', '@claude-flow/aidefence', '@claude-flow/claims'];
readonly permissions: PluginPermissions = {
network: true,
memory: true,
mcp: true,
agents: true,
};
readonly trustLevel: PluginTrustLevel = 'official';
async initialize(context: PluginContext): Promise<void> {
// 1. Register federation claim types with @claude-flow/claims
// 2. Register hooks (pre-federation-send, post-federation-receive, federation-audit)
// 3. Initialize keypair manager
// 4. Start discovery service
// 5. Register CLI commands and MCP tools
}
async shutdown(): Promise<void> {
// 1. Close all federation sessions gracefully
// 2. Ship remaining audit logs
// 3. Stop discovery service
}
}
| Hook | Event | Purpose |
|---|---|---|
pre-federation-send | Before outbound message | PII pipeline + AI defence scan + signing |
post-federation-receive | After inbound message | HMAC verify + AI defence scan + PII verify + claims check |
federation-audit | Every audit event | Log shipping, compliance, neural learning |
federation-trust-change | Trust level change | Notify, log, potentially escalate to human |
federation-session-start | Session created | Initialize session metrics |
federation-session-end | Session ended | Export session metrics, train patterns |
federation init # Generate keypair, create federation config
federation join <endpoint> # Join a federation by connecting to a peer
federation leave # Leave the federation gracefully
federation peers # List known federation peers with trust levels
federation peers add <endpoint> # Add a static peer
federation peers remove <node-id> # Remove a peer
federation status # Show federation health, sessions, metrics
federation audit [--compliance <mode>] [--since <date>] [--export <format>]
federation trust <node-id> [--set <level>] [--review]
federation config [--pii-policy <path>] [--compliance <mode>]
federation_init # Initialize federation on this node
federation_join # Join a peer
federation_peers # List peers
federation_send # Send a message to a federated peer
federation_query # Query federated memory (PII-gated)
federation_status # Federation health
federation_trust # View/modify trust levels
federation_audit # Query audit logs
federation_consensus # Propose federated consensus
Goal: Plugin skeleton, keypair management, PII pipeline, audit logging.
Deliverables:
ClaudeFlowPlugin implementationfederation init, federation config, federation auditfederation_init, federation_auditSuccess Criteria:
PluginLoader without errorsIntegration Points:
@claude-flow/aidefence -- hasPII(), detect(), PII_PATTERNS@claude-flow/security -- TokenGenerator, PasswordHasher@claude-flow/memory -- AgentDB for audit storage@claude-flow/shared -- ClaudeFlowPlugin, PluginContextGoal: Two nodes can discover each other, perform mTLS handshake, and establish a session.
Deliverables:
federation join, federation leave, federation peers, federation statusSuccess Criteria:
Integration Points:
@claude-flow/swarm/federation-hub -- heartbeat, registration@claude-flow/security -- mTLS certificate validation@claude-flow/guidance/authority -- AuthorityGate for peer acceptanceGoal: Nodes can exchange PII-stripped, AI-defence-scanned, signed messages.
Deliverables:
federation_send, federation_query, federation_trustSuccess Criteria:
Integration Points:
@claude-flow/aidefence -- detect(), hasPII(), learnFromDetection()@claude-flow/claims -- ClaimService for federation claims@claude-flow/hooks -- hook registration for send/receive lifecycleGoal: Multiple nodes reach BFT consensus and evolve trust dynamically.
Deliverables:
Success Criteria:
Goal: Production readiness -- compliance, performance, distribution.
Deliverables:
federation-audit-ship, federation-health@claude-flow/plugin-agent-federationSuccess Criteria:
Existing multi-agent frameworks share these limitations that this plugin addresses:
| Component | Existing File | Integration |
|---|---|---|
| Plugin interface | shared/src/plugin-interface.ts | Implements ClaudeFlowPlugin |
| Plugin loader | shared/src/plugin-loader.ts | Loaded via PluginLoader.loadPlugin() |
| AI Defence | aidefence/src/index.ts | Extends for PII stripping |
| Threat detection | aidefence/src/domain/services/threat-detection-service.ts | Extends PII_PATTERNS |
| Security module | security/src/index.ts | Uses TokenGenerator, PasswordHasher, PathValidator |
| Federation hub | swarm/src/federation-hub.ts | Extends for cross-installation messaging |
| Claims types | claims/src/domain/types.ts | Adds FederationClaimType values |
| Authority gate | guidance/src/authority.ts | Trust level changes require human authority |
| Plugin discovery | cli/src/plugins/store/discovery.ts | IPFS registry entry |
These are not v1 deliverables. They represent the path from "federation that works" to "federation that reasons about its own trust topology."
The trust scores computed in Section 2.1.1 produce a weighted directed graph. RuVector's HNSW indexing can surface structural properties:
If a node is confirmed compromised (trust score drops to 0 via automatic downgrade), MinCut analysis identifies the minimum set of sessions to terminate to isolate the compromised node while preserving maximum federation connectivity.
The .rvf (RuVector Format) file format provides a signed, versioned container for agent state. In the federation context:
Build these only after Phase 4 (consensus + trust) is stable and there is evidence of multi-org adoption. The trust graph must have real data before analysis is useful.
| Risk | Probability | Impact | Mitigation |
|---|---|---|---|
| mTLS complexity across platforms | Medium | High | Use Node.js native tls module; self-signed cert generation in federation init |
| PII false positives blocking data | Medium | Medium | Confidence scoring (Section 3.4); adaptive calibration from operator overrides; per-type allowlisting |
| Network latency degrading coordination | Medium | Medium | Async message queuing; local cache; configurable timeout; direct mode as default |
| Byzantine node poisoning consensus | Low | High | BFT with n/3 threshold; trust score decay on suspicious behavior; automatic downgrade |
| Key compromise | Low | Critical | Key rotation support; revocation via federation broadcast |
| Over-engineering the trust model | Medium | Medium | Ship 3-tier trust (UNTRUSTED/VERIFIED/TRUSTED) first. Add ATTESTED and PRIVILEGED when operators request it. The 5-tier model is the ceiling, not the floor. |
| PII pipeline too aggressive | High | Medium | Default to flag-for-review in the 0.6-0.85 confidence band rather than auto-block. Let operators tighten, not loosen. Adaptive calibration (Section 3.4) self-corrects. |
| Trust formula too complex to debug | Medium | Low | Expose trust score components in federation trust <node-id> --review CLI output and audit events. Operators see the breakdown, not just the number. |
The following benchmark validates that the federation protocol meets its core promise: two independent nodes exchange tasks with zero PII leaks, while a malicious node is automatically detected and downgraded.
Setup:
- Node A (honest): Trust Level 2
- Node B (honest): Trust Level 2
- Node C (malicious): Trust Level 2 (will attempt injection + PII exfiltration)
Phase 1: Baseline Exchange (A ↔ B)
- 10,000 messages exchanged
- Messages contain synthetic PII (emails, SSNs, API keys) in 30% of payloads
- Verify: 0 PII items cross the trust boundary
- Verify: message latency p99 < 200ms
- Verify: all 10,000 messages produce audit events
Phase 2: Malicious Node (C → A, C → B)
- C sends 100 messages with embedded prompt injection payloads
- C sends 50 messages attempting PII exfiltration probes
- Verify: all injection attempts detected by AI Defence
- Verify: C's trust score drops below downgrade threshold
- Verify: C is automatically downgraded to Trust Level 0
- Verify: A and B continue communicating normally after C is isolated
Phase 3: Recovery
- C's sessions are terminated
- A ↔ B message exchange continues with 0 interruption
- Federation audit trail contains complete incident record
Pass criteria: All verify statements pass. This is the minimum bar for declaring Phase 3 (Secure Messaging) complete.
Positive:
Negative:
Neutral: