You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
DICE currently assumes a single agent operating on propositions within a context. As multi-agent architectures become more common, propositions from different agents need governance:
Trust varies by source — an agent specialized in medical knowledge should have higher trust for medical propositions than a general-purpose agent
Cross-agent corroboration — when multiple independent agents assert the same fact, that's a stronger signal than single-agent reinforcement
Conflict resolution across agents — two agents may assert contradictory propositions; resolution needs to know which agent is more authoritative for the domain
The "Rule of 2" and why it matters here
Meta's Agents Rule of Two is a security framework based on the premise that prompt injection is a fundamental, unsolved weakness in all LLMs. It states that an agent must satisfy no more than two of these three properties within a session:
[A] Process untrustworthy inputs
[B] Access sensitive systems or private data
[C] Change state or communicate externally
This is directly relevant to DICE's knowledge base because propositions are data that agents access (B) and that influence agent behavior (C). An agent that processes untrusted user input (A) and writes propositions to a shared knowledge base (C) that other agents read as trusted context (B) creates a complete exploitation chain — the user's untrusted input becomes another agent's trusted knowledge.
In a multi-agent DICE deployment, the knowledge base is the shared state through which agents influence each other. Without source tracking and trust differentiation, a proposition extracted from adversarial input by one agent looks identical to a proposition from a trusted system prompt — violating the spirit of the Rule of 2 by letting untrusted inputs flow through the knowledge base into sensitive contexts.
What DICE already has
PropositionReviser — classify() can detect when two propositions say the same thing (IDENTICAL/SIMILAR) or conflict (CONTRADICTORY), but it doesn't know which agent produced each one
metadata: Map<String, Any> — could carry sourceAgent as a metadata convention
ExtractionPerspective — USER/AGENT/ALL distinguishes speaker role but not agent identity
ContextId — scopes propositions, but multiple agents could share a context
The question
How should DICE handle propositions from multiple agents sharing a knowledge base?
Some possibilities:
Metadata convention — metadata["sourceAgent"] = agentId. No schema changes. Consumers filter and weight by agent.
First-class sourceAgent field — on Proposition. The extraction pipeline sets it automatically. PropositionReviser considers source agent when classifying conflicts.
Per-agent trust configuration — maps agent IDs to base trust levels and domain specializations. A medical specialist agent's propositions about medications get higher trust than a general agent's. Combined with Rule of 2 thinking: agents that process untrusted inputs could have their propositions tagged at a lower trust tier by default.
Cross-agent corroboration detection — when PropositionReviser returns Reinforced and the two propositions come from different agents, this is a stronger corroboration signal than same-agent reinforcement.
Trust boundary enforcement — propositions from agents in an [AC] configuration (untrusted inputs + state changes, no sensitive data) are quarantined from agents in a [BC] configuration (sensitive data + state changes, trusted inputs only). The knowledge base respects the same trust boundaries that the agents themselves operate under.
Open questions
Is this premature? (Probably right now) Multi-agent deployments are still not super common. Adding agent-awareness to DICE's core model before there's real demand risks API bloat.
Should this be in DICE or in an orchestration layer above it? Agent identity and trust might belong to the agent framework (e.g., Embabel Agent), not the knowledge extraction framework. But if DICE is the shared state, DICE needs to at least carry the provenance for others to enforce boundaries.
How does per-agent trust compose with proposition-level trust (Post-extraction trust scoring #14 )? An untrusted agent might still produce a well-corroborated proposition.
How does the Rule of 2 map to proposition flow? Is it sufficient to tag propositions with source trust tier, or does the knowledge base itself need to enforce isolation between trust boundaries?
Observation
DICE currently assumes a single agent operating on propositions within a context. As multi-agent architectures become more common, propositions from different agents need governance:
The "Rule of 2" and why it matters here
Meta's Agents Rule of Two is a security framework based on the premise that prompt injection is a fundamental, unsolved weakness in all LLMs. It states that an agent must satisfy no more than two of these three properties within a session:
This is directly relevant to DICE's knowledge base because propositions are data that agents access (B) and that influence agent behavior (C). An agent that processes untrusted user input (A) and writes propositions to a shared knowledge base (C) that other agents read as trusted context (B) creates a complete exploitation chain — the user's untrusted input becomes another agent's trusted knowledge.
In a multi-agent DICE deployment, the knowledge base is the shared state through which agents influence each other. Without source tracking and trust differentiation, a proposition extracted from adversarial input by one agent looks identical to a proposition from a trusted system prompt — violating the spirit of the Rule of 2 by letting untrusted inputs flow through the knowledge base into sensitive contexts.
What DICE already has
PropositionReviser—classify()can detect when two propositions say the same thing (IDENTICAL/SIMILAR) or conflict (CONTRADICTORY), but it doesn't know which agent produced each onemetadata: Map<String, Any>— could carrysourceAgentas a metadata conventionExtractionPerspective—USER/AGENT/ALLdistinguishes speaker role but not agent identityContextId— scopes propositions, but multiple agents could share a contextThe question
How should DICE handle propositions from multiple agents sharing a knowledge base?
Some possibilities:
Metadata convention —
metadata["sourceAgent"] = agentId. No schema changes. Consumers filter and weight by agent.First-class
sourceAgentfield — onProposition. The extraction pipeline sets it automatically.PropositionReviserconsiders source agent when classifying conflicts.Per-agent trust configuration — maps agent IDs to base trust levels and domain specializations. A medical specialist agent's propositions about medications get higher trust than a general agent's. Combined with Rule of 2 thinking: agents that process untrusted inputs could have their propositions tagged at a lower trust tier by default.
Cross-agent corroboration detection — when
PropositionReviserreturnsReinforcedand the two propositions come from different agents, this is a stronger corroboration signal than same-agent reinforcement.Trust boundary enforcement — propositions from agents in an [AC] configuration (untrusted inputs + state changes, no sensitive data) are quarantined from agents in a [BC] configuration (sensitive data + state changes, trusted inputs only). The knowledge base respects the same trust boundaries that the agents themselves operate under.
Open questions
Related