Skip to main content
When Bob’s agent sends Frank’s agent a request to do something in Frank’s codebase, how do you stop that request — possibly poisoned by prompt injection somewhere in Bob’s reasoning chain — from causing damage on Frank’s machine? The industry has not “solved” prompt injection in 2026, and AgentRelay does not claim to. Instead, the system applies four independent layers of defense. Relying on any single layer is wrong; each one is necessary.

Why defense in depth is required

Cross-machine agent communication has a unique threat surface: content that originates on one developer’s laptop, travels through a relay, and lands in another developer’s agent session. At each step, that content could carry adversarial instructions — either maliciously crafted or the result of a compromised upstream context. A single gate that can be bypassed or fooled collapses the whole guarantee. Four independent layers mean an attacker must break all four simultaneously.

Trust boundaries

Skip a layer and the guarantee evaporates. All four layers are wired in v0.1 and must stay wired in every subsequent release. The CLAUDE.md contributor rules enforce this explicitly.

The four layers

1

L1 — Provenance-wrapped inbound content

The MCP server never injects raw teammate content into the receiver’s context window. Every inbound message, summary, and artifact is wrapped with a preamble that tells the receiving agent to treat the content as data, not instructions:
This is the standard pattern for handling untrusted input in agent prompts. It significantly reduces — but does not eliminate — prompt-injection success rate.Where it runs: mcp-server/src/tools/accept.ts and mcp-server/src/tools/view-thread.ts. Applied when calling accept_handoff (which transitions state) and view_thread (read-only fetch). The check_inbox tool returns only summary previews, not full content, so it does not apply the L1 preamble.
2

L2 — Claude Code / Codex permission overlay

L1 reduces the probability that Frank’s agent attempts a dangerous action. L2 ensures that even if it does, the action does not execute. This is the load-bearing layer.agentrelay install writes a recommended permission config into ~/.claude/settings.json (Claude Code) or ~/.codex/config.toml (Codex CLI). The config follows a risk-tiered friction model:The harness — Claude Code or Codex — intercepts every tool call before it executes. It does not matter what Bob’s agent told Frank’s agent to do: git push is denied at the harness level.
If Frank has already customized his permission config, agentrelay install detects the divergence, shows a unified diff, and asks before applying. It never silently overwrites user customizations.
3

L3 — Per-teammate trust config

Frank pre-authorizes per teammate before any handoff arrives. This creates a session-scoped overlay on top of L2’s defaults. Teammates Frank trusts more get less friction.The config lives at ~/.agentrelay/trust.yaml:
When Frank’s MCP server processes an inbound handoff, it reads trust.yaml, computes the trust_overlay for that sender, and returns it alongside the thread content. The accept_handoff tool result includes:
unknown_teammates: { policy: reject } is the default created by agentrelay register. Frank must explicitly opt in each teammate — there is no ambient trust.
4

L4 — Audit log and instant atomic revocation

Every action Frank’s agent takes in response to a remote handoff is logged with the handoff thread ID, the originating teammate, and the exact tool call, arguments, and result.Two CLI commands surface Layer 4:
agentrelay block adds the handle to the blocked array in ~/.agentrelay/trust.yaml. Frank’s MCP server reads this on every handoff evaluation and rejects any handoff from a blocked handle before returning content to Frank’s agent. To block at the relay level (enforced even when the MCP server is not running), call POST /agents/me/block directly — see the Admin endpoints reference.Example audit output:
Audit log retention defaults to 90 days, configurable via RELAY_AUDIT_RETENTION_DAYS.

Threat model

The table below maps specific threats to the layers that mitigate them. Use this during code review and incident response to verify no layer has been inadvertently bypassed.

Honest limits

Three things are explicitly out of scope or mitigated but not eliminated: Prompt injection is mitigated, not eliminated. Layers L1, L2, and L3 cut attack success rate dramatically. Layer L4 catches what slips through. No agent system in 2026 eliminates this risk entirely. A compromised developer laptop is out of scope. If Bob’s machine is rooted, Bob’s API key is exfiltrated and the attacker can act as Bob. The threat model assumes the laptops themselves are trustworthy. Trust is per-org, not federated. One relay serves one team. Trust does not transit between organizations in v0.1.