Protection Network · L0 substrate

    Per-tenant detection failed. Substrate fingerprinting catches what Sigstore can't.

    Mnemom AEGIS — the Adaptive Enforcement, Governance & Intelligence Substrate — stamps every agent evaluation with the substrate it ran on (provider, model, SDK version, optional lockfile hash). When one customer's evaluation stream shows behavioral deviation consistent with a compromised substrate, the cross-tenant aggregator sees it across every customer on that substrate, simultaneously. A signed Managed Rule lands on every gateway in the network within the propagation SLO.

    AEGIS detects behavioral signatures consistent with supply-chain compromise. It does not replace package-level provenance verification; it is the runtime layer that catches what Sigstore can't.

    1 · Threat model

    What an agentic supply-chain compromise looks like

    Three classes of compromise sit upstream of the agent runtime, invisible to per-tenant detection because every tenant receives the same poisoned artefact.

    Bad SDK patch

    A point release of a published agent SDK ships with exfil logic — credential-stealer, prompt-bleed, or a conditional payload triggered by tool-call shape.

    Compromised fine-tune

    A widely-used model checkpoint is replaced or augmented with a fine-tune that responds to a covert trigger token. Sigstore says the file is the file the fine-tuner published; the behaviour is the question.

    Vendored prompt template

    A community prompt template, copied across thousands of agent codebases, carries a hidden indirect injection that only activates against a specific tool name or document pattern.

    2 · Threat-model anchor

    The Mini Shai-Hulud worm — May 11, 2026

    On May 11, 2026, the threat actor tracked as TeamPCP launched a coordinated supply-chain attack against npm and PyPI. 170+ npm packages and 2 PyPI packages were compromised across 404 malicious versions. The affected set is exactly the shape of an agentic supply chain: TanStack router (42 packages), Mistral AI's SDK suite on both npm and PyPI, UiPath's automation tooling (65 packages), OpenSearch on npm (1.3M weekly downloads), and — pointedly — Guardrails AI on PyPI.

    The npm Sigstore attestations on the compromised @tanstack/* versions were valid SLSA Build Level 3 provenance — the first documented case of a worm producing legitimate signed attestations for malicious packages. Provenance verification at the package layer said the artefacts came from the build pipeline they claimed to. They did. The build pipeline was the attacker.

    Threats like Mini Shai-Hulud are exactly the substrate-fingerprint pattern AEGIS is designed to detect cross-tenant. Mnemom did not detect Shai-Hulud — it pre-dates AEGIS GA, and the calm-at-GA contract on /trust/advisories reflects that honestly. The point of citing it is the threat model: every customer running on a compromised SDK becomes the first victim of every new attack class. That is the failure mode AEGIS was built against.

    Public references

    The Hacker News, 2026-05-12 — “Mini Shai-Hulud Worm Compromises TanStack, Mistral AI, Guardrails AI & More Packages.”

    Unit 42, Palo Alto Networks — original Shai-Hulud worm attribution, November 2025.

    Snyk and Wiz security research — independent compromise analyses, May 2026.

    3 · The primitive

    Substrate fingerprint — definition

    Every evaluation that flows through the Mnemom managed gateway is stamped with a substrate fingerprint: the tuple provider + model + sdk@ver, plus an optional customer-set lockfile-hash header for elevated granularity. The fingerprint becomes one of four axis identities — substrate, vertical, pattern, source — on every row the cross-tenant aggregator reads. (See /protection-network for the L0-L5 layering; see migration 217 for the data-plane shape.)

    Substrate fingerprint, schematic
    {
      "provider": "anthropic",
      "model":    "claude-sonnet-4.7",
      "sdk":      "@anthropic-ai/[email protected]",
      "lockfile_hash": "sha256:9f3b...",   // optional, customer-supplied
      "fingerprint":   "sub_a4f1c8e7..."   // stable hash of the tuple
    }
    4 · The cross-tenant signal

    The substrate axis aggregator

    One customer's evaluation stream can look unremarkable in isolation. Across every customer running on the same substrate fingerprint, the same behavioral deviation lights up the L1 aggregator's rolling stats. AEGIS attributes the anomaly to the substrate, auto-elevates the bucket inside the customer's configured ceiling (per the under-attack additive-ratcheting model), and a signed Managed Rule lands on every gateway with P95 ≤ 30 seconds from signed promotion to gateway-loaded. (See /trust/slos.)

    Figure: substrate-fingerprint fan-out. Customer evaluations (Customer A, Customer B, Customer C, all stamped sub_a4f1c8e7) → L0 · Substrate stamp (provider · model · sdk, + optional lockfile-hash; migration 217) → L1 · Aggregator (rolling stats per axis-bucket; network_campaign_state) → L3 · Managed Rule (Ed25519 signed, P95 ≤ 30s) → every gateway on the network: A, B, C, and every other tenant on this substrate.
    The aggregator sees patterns no single customer can. Three independent customers with the same substrate fingerprint produce a signal the L1 worker can attribute; a signed Managed Rule fans out to every gateway on that substrate.
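    The attribution step described above, as an added example that is not Mnemom's aggregator: per-tenant deviation rates are grouped by substrate fingerprint, and a substrate is implicated only when several independent tenants on it deviate at once, so one tenant's own regression is not mistaken for a substrate compromise. Field names, thresholds, tenant ids, the second fingerprint and every evaluation record are constructed; the small ratchet helper mirrors the page's description of elevating a bucket within a configured ceiling.

```python
# Added example (not Mnemom code): a toy version of the substrate-axis
# aggregation the page describes. Thresholds, field names, tenant ids, the
# second fingerprint and all evaluation records are constructed.
from collections import defaultdict
from typing import Dict, List, Tuple

# One record per gateway evaluation: (tenant, substrate fingerprint, deviated).
# "deviated" is True when the evaluation fell outside that tenant's own
# behavioural baseline; how the baseline is computed is out of scope here.
Record = Tuple[str, str, bool]


def _make(tenant: str, substrate: str, deviated: int, total: int) -> List[Record]:
    """Constructed records: the first `deviated` of `total` evaluations deviate."""
    return [(tenant, substrate, i < deviated) for i in range(total)]


SAMPLE_EVALUATIONS: List[Record] = (
    # Three independent tenants on the same substrate all drift at once.
    _make("tenant-A", "sub_a4f1c8e7", 3, 10)
    + _make("tenant-B", "sub_a4f1c8e7", 4, 10)
    + _make("tenant-C", "sub_a4f1c8e7", 2, 10)
    # A second substrate (constructed id) where only one tenant is noisy:
    # that is a tenant-local problem, not evidence against the substrate.
    + _make("tenant-D", "sub_0c2e9b41", 9, 10)
    + _make("tenant-E", "sub_0c2e9b41", 0, 10)
)


def deviation_rates_by_substrate(records: List[Record]) -> Dict[str, Dict[str, float]]:
    """substrate -> tenant -> fraction of that tenant's evaluations that deviated."""
    counts: Dict[str, Dict[str, List[int]]] = defaultdict(
        lambda: defaultdict(lambda: [0, 0])  # [deviated, total]
    )
    for tenant, substrate, deviated in records:
        bucket = counts[substrate][tenant]
        bucket[1] += 1
        if deviated:
            bucket[0] += 1
    return {
        substrate: {tenant: dev / total for tenant, (dev, total) in tenants.items()}
        for substrate, tenants in counts.items()
    }


def attribute_to_substrate(
    records: List[Record], rate_threshold: float = 0.2, min_tenants: int = 3
) -> Dict[str, List[str]]:
    """Substrates whose deviation is shared by >= min_tenants independent tenants.

    The independence requirement is the point of the cross-tenant view: a single
    tenant over the threshold could be its own prompt change or data shift, so it
    is left to per-tenant handling and never promoted to a substrate-wide rule.
    """
    implicated: Dict[str, List[str]] = {}
    for substrate, per_tenant in deviation_rates_by_substrate(records).items():
        affected = sorted(t for t, rate in per_tenant.items() if rate >= rate_threshold)
        if len(affected) >= min_tenants:
            implicated[substrate] = affected
    return implicated


def ratchet(current_level: int, ceiling: int, step: int = 1) -> int:
    """Additive ratchet: raise the bucket one step per attribution, never past
    the customer's configured ceiling."""
    return min(current_level + step, ceiling)


if __name__ == "__main__":
    for substrate, tenants in attribute_to_substrate(SAMPLE_EVALUATIONS).items():
        print(f"{substrate}: shared deviation across {tenants}")
```

Run as-is, only sub_a4f1c8e7 is reported; tenant-D's 90% deviation on the second substrate stays a per-tenant matter because no other tenant on that fingerprint agrees with it.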
    5 · Opt-in granularity

    The lockfile-hash header

    The base substrate fingerprint (provider + model + sdk@ver) ships by default with every gateway call. For elevated granularity, send an X-Mnemom-Lockfile-Hash header on every request: the SHA-256 of your resolved dependency manifest. AEGIS uses the hex digest only — the raw lockfile never leaves your environment.

    With the lockfile-hash present, the aggregator can attribute anomalies not just to “customers running this provider + model + SDK” but to “customers running this exact resolved dependency tree”. That granularity is what catches the bad SDK patch before the rest of the substrate sees it.

    Request shape
    # Opt into substrate-fingerprint granularity by sending the lockfile-hash
    # header on every gateway request. The hash is computed over your
    # resolved dependency manifest (package-lock.json, pnpm-lock.yaml,
    # poetry.lock, requirements.txt) and never leaves your environment in
    # raw form — only the hex digest reaches AEGIS.
    
    curl https://gateway.mnemom.ai/v1/messages \
      -H "X-Mnemom-Api-Key: $MNEMOM_KEY" \
      -H "X-Mnemom-Lockfile-Hash: sha256:9f3b…" \
      -H "Content-Type: application/json" \
      -d @payload.json
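    Computing the two values the request above depends on, as an added example that is not Mnemom's code: the substrate fingerprint from the tuple in section 3 and the X-Mnemom-Lockfile-Hash value from a resolved manifest. The canonical-JSON SHA-256 scheme and the `sub_` prefix with a truncated digest are assumptions; the page states only that the fingerprint is a stable hash of the tuple. The sample lockfile contents and SDK version are constructed, and the digest is taken over the manifest bytes exactly as they sit on disk.

```python
# Added example (not Mnemom code). Computes the substrate-fingerprint tuple
# hash described in section 3 and the X-Mnemom-Lockfile-Hash header value
# from section 5. ASSUMPTION: the fingerprint scheme (canonical JSON ->
# SHA-256 -> "sub_" + first 16 hex chars) is illustrative; the page only says
# the fingerprint is a stable hash of the tuple. Sample lockfile and SDK
# version are constructed.
import hashlib
import json
from typing import Dict, Optional

# Constructed sample of a resolved manifest (requirements.txt style).
SAMPLE_LOCKFILE = b"""\
example-agent-sdk==1.2.3
example-http-client==0.27.2
example-schema==2.9.2
"""


def canonical_tuple(provider: str, model: str, sdk: str) -> str:
    """Canonical JSON for the (provider, model, sdk@ver) tuple: sorted keys and
    no whitespace, so the digest does not depend on how the caller ordered or
    pretty-printed the fields."""
    return json.dumps(
        {"provider": provider, "model": model, "sdk": sdk},
        sort_keys=True,
        separators=(",", ":"),
    )


def substrate_fingerprint(provider: str, model: str, sdk: str) -> str:
    """Stable hash of the tuple (assumed format: 'sub_' + 16 hex chars)."""
    digest = hashlib.sha256(canonical_tuple(provider, model, sdk).encode("utf-8")).hexdigest()
    return "sub_" + digest[:16]


def lockfile_hash_header(lockfile_bytes: bytes) -> str:
    """Value for X-Mnemom-Lockfile-Hash: 'sha256:' + hex digest of the manifest.

    Only the digest is returned; the manifest bytes stay local. Because the hash
    covers the raw bytes, a lockfile that differs only in line endings or a
    trailing newline yields a different value, so keep lockfile formatting stable.
    """
    return "sha256:" + hashlib.sha256(lockfile_bytes).hexdigest()


def gateway_headers(api_key: str, lockfile_bytes: Optional[bytes] = None) -> Dict[str, str]:
    """Headers for a gateway call; the lockfile-hash header is added only when
    the caller opts in by supplying the resolved manifest."""
    headers = {"X-Mnemom-Api-Key": api_key, "Content-Type": "application/json"}
    if lockfile_bytes is not None:
        headers["X-Mnemom-Lockfile-Hash"] = lockfile_hash_header(lockfile_bytes)
    return headers


if __name__ == "__main__":
    # Model name taken from the page's schematic; SDK string is constructed.
    print(substrate_fingerprint("anthropic", "claude-sonnet-4.7", "@example/agent-sdk@1.2.3"))
    print(gateway_headers("<MNEMOM_KEY placeholder>", SAMPLE_LOCKFILE))
```

In practice the manifest bytes would come from reading package-lock.json, pnpm-lock.yaml, poetry.lock or requirements.txt from disk; the header value is the only thing that leaves the environment.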
    6 · OWASP mapping

    ASI06 · Agentic Supply Chain Compromise

    The OWASP Foundation published the OWASP Top 10 for Agentic Applications in December 2025 — the first formal peer-reviewed taxonomy of risks specific to autonomous AI agents (ASI01 through ASI10). Category ASI06 — Agentic Supply Chain Compromise covers the threat class on this page: a poisoned upstream artefact reaching the agent runtime intact.

    AEGIS's substrate fingerprint is the runtime control for ASI06. Where the rest of the agentic-AI security category addresses ASI06 through build-time package provenance or pre-deployment dependency scans, AEGIS adds the cross-tenant runtime detection layer that catches a compromise after the artefact ships, when the behaviour diverges from the substrate's baseline.

    7 · The structural gap

    Why Cloudflare WAF, AWS Shield, and Lakera Guard can't do this

    Substrate-attributed cross-tenant detection is not something the current AI-security category can retrofit. The reasons are architectural, not product-roadmap.

    Cloudflare WAF · AWS Shield

    HTTP-layer. They protect web applications from web attackers. They have no concept of which model version produced this token stream — the substrate is invisible at L7.

    Lakera Guard · NeMo Guardrails

    Single-detector at runtime. They evaluate one request's prompt against a curated threat database. They do not aggregate across tenants because they have no cross-tenant network — they ship as in-process libraries or per-tenant proxies.

    Cisco AI Defense · Palo Alto Prisma AIRS

    Build-time policy embedding. They consolidate AI-security primitives at the SDK and gateway level inside one customer's tenancy. No signed Managed Rule flows from customer A's detection to customer B's gateway — there is no shared network.

    Mnemom complements these tools. Customers running Lakera Guard, NeMo Guardrails, Cloudflare WAF, AWS Bedrock Guardrails, or Cisco AI Defense can run AEGIS alongside; the substrate fingerprint is the network signal nothing else in the category produces.

    8 · Machine surface

    The substrate-fingerprint IoC feed

    Substrate-fingerprint indicators surface on the public STIX 2.1 IoC feed under the type=substrate_fingerprint filter. At GA the feed is empty by design — the calm-at-GA contract on /trust/iocs reflects that. Indicators publish when AEGIS closes a campaign and a signed advisory ships on /trust/advisories.

    curl + jq
    # Subscribe to the substrate-fingerprint slice of the public IoC feed.
    # STIX 2.1 Bundle; empty by design at GA per the calm-at-GA contract.
    
    curl -sS 'https://api.mnemom.ai/v1/trust/iocs?type=substrate_fingerprint' \
      | jq '.objects[] | select(.type=="indicator")'
    9 · Next steps

    Where to go from here

    Customer dashboard

    A dedicated supply-chain risk view inside the customer dashboard is deferred to Phase 4. Until then, the L4 threat thermometer on /dashboard/threats shows substrate-axis state alongside the other three axes. We will name the un-defer trigger on /changelog.

    Opt into lockfile-hash

    Header format, what granularity it adds, and the privacy implications. The header travels with every gateway call once you start sending it.

    Lockfile-hash guide

    AEGIS detects behavioral signatures consistent with supply-chain compromise — across every customer running on the same substrate, simultaneously. It does not replace package-level provenance verification (Sigstore, SLSA, SBOM attestations); it is the runtime layer that catches what those cannot.

    Threat-model citations on this page reference public reporting by The Hacker News (2026-05-12), Unit 42 / Palo Alto Networks (Nov 2025 + May 2026), Snyk, and Wiz. OWASP Top 10 for Agentic Applications (ASI01–ASI10) was published by the OWASP Foundation in December 2025.
