With the emergence of the Model Context Protocol (MCP), we are rapidly connecting large language models (LLMs) to critical infrastructure, APIs, and local files. However, the current standard assumes an extremely trusted 1:1 topology. On the other hand, newer agent-based worms (such as the BYOMCP exploits or OpenClaw) demonstrate that malicious payloads can dynamically overwrite an agent’s context window.
I have just submitted an article to arXiv (which is currently in the queue under cs.NI) that uses the Rice theorem, Kolmogorov complexity, and recent cryptographic proofs to demonstrate why attempting to solve this problem using asymmetric “security wrappers” is unfeasible from a mathematical standpoint. Guaranteeing 100% AI safety is computationally undecidable.
Instead of static filters, the article proposes a reactive topological defense mechanism: the Byzantine MCP Router (BMR). It acts as middleware that establishes a 1:R:N topology. Rather than relying on a single model, it sends the MCP tool request via multicast to several different base models.
To ground the theory in real-world engineering, the paper includes a case study on Steve Yegge's recently released "Gas Town" orchestration framework for Claude Code (https://github.com/steveyegge/gastown). It demonstrates how persistent Git-hook memory in standard hierarchical topologies creates a permanent incubator for agentic worms if a worker agent's context is hijacked.
Key concepts:
1. Action-Space Consensus: High-dimensional vector embeddings are used to find a semantic consensus strictly based on the intent of the tool calls, inherently blocking prompt injections that diverge from the quorum.
2. Extended Petri Nets (EPN): Inhibitory arcs can guarantee true human-in-the-loop accountability, preventing "fake accountability".
3. The Morpheus Principle: A quarantine routing mechanism isolates extreme outliers (which could be constructive, creative anomalies rather than just errors) for human review.
Since the arXiv index takes a while, you can find the full updated paper (v7 PDF), the source code, and high-res architectural diagrams in the GitHub repo here:
https://github.com/wdulz/byzantine-mcp-router
wdulz•1h ago
With the emergence of the Model Context Protocol (MCP), we are rapidly connecting large language models (LLMs) to critical infrastructure, APIs, and local files. However, the current standard assumes an extremely trusted 1:1 topology. On the other hand, newer agent-based worms (such as the BYOMCP exploits or OpenClaw) demonstrate that malicious payloads can dynamically overwrite an agent’s context window.
I have just submitted an article to arXiv (which is currently in the queue under cs.NI) that uses the Rice theorem, Kolmogorov complexity, and recent cryptographic proofs to demonstrate why attempting to solve this problem using asymmetric “security wrappers” is unfeasible from a mathematical standpoint. Guaranteeing 100% AI safety is computationally undecidable.
Instead of static filters, the article proposes a reactive topological defense mechanism: the Byzantine MCP Router (BMR). It acts as middleware that establishes a 1:R:N topology. Rather than relying on a single model, it sends the MCP tool request via multicast to several different base models.
To ground the theory in real-world engineering, the paper includes a case study on Steve Yegge's recently released "Gas Town" orchestration framework for Claude Code (https://github.com/steveyegge/gastown). It demonstrates how persistent Git-hook memory in standard hierarchical topologies creates a permanent incubator for agentic worms if a worker agent's context is hijacked.
Key concepts: 1. Action-Space Consensus: High-dimensional vector embeddings are used to find a semantic consensus strictly based on the intent of the tool calls, inherently blocking prompt injections that diverge from the quorum. 2. Extended Petri Nets (EPN): Inhibitory arcs can guarantee true human-in-the-loop accountability, preventing "fake accountability". 3. The Morpheus Principle: A quarantine routing mechanism isolates extreme outliers (which could be constructive, creative anomalies rather than just errors) for human review.
Since the arXiv index takes a while, you can find the full updated paper (v7 PDF), the source code, and high-res architectural diagrams in the GitHub repo here: https://github.com/wdulz/byzantine-mcp-router
I would love to get your technical feedback.