Inter-Agent Lineage
- Inter-agent lineage is a framework that defines the provenance of agent interactions using structured, time-ordered, and attributed graphs to trace actions across sessions.
- It supports applications in security auditing, software modernization, and reinforcement learning by embedding lineage directly into execution substrates.
- Practical use cases include verifiable cognitive memory block ancestry, cross-agent propagation, and cryptographic audit trails that ensure tamper-evident histories.
Inter-agent lineage is the explicit provenance structure that ties together what agents observed, produced, inherited, invoked, remembered, approved, or called across multi-agent execution, multi-session memory, policy iteration, or intergenerational population updates. In current work, the term does not denote a single formal object: it appears as a time-ordered semantic path in a hierarchical attributed graph, a maintained identifier-preserving mapping across a multi-agent pipeline, a content-addressed ancestry relation over cognitive memory blocks, a cryptographically verifiable multi-hop call chain, a typed lifecycle artifact graph, an append-only event log with deterministic replay, and, in population-based reinforcement learning, a scalar inherited credit signal (Li et al., 7 May 2026, Ahmed et al., 17 May 2026, Xu, 21 Apr 2026, Malkapuram et al., 22 Sep 2025, Zhang et al., 2020).
1. Definitions and scope
In security-auditable agent systems, an inter-agent lineage path is a time-ordered path
that crosses at least one cross-agent propagation edge and may include memory and tool-binding edges. The formulation requires temporal ordering by timestamp, session or trace coherence via trace_id, and, for persistent memory, versioned references (Li et al., 7 May 2026). In the Mesh Memory Protocol, lineage of a Cognitive Memory Block is carried as parents(c) and ancestors(c)=parents(c)\cup \bigcup_{p\in parents(c)} ancestors(p), with keys derived from content hashes; the purpose is to realize traceability of every claim to source across agents and session restarts (Xu, 21 Apr 2026). In cryptographic A2A settings, inter-agent lineage is the verifiable history of interactions among non-human identities, binding who acted, what was invoked, when it occurred, and under which policy or version context into an append-only, tamper-evident trail (Malkapuram et al., 22 Sep 2025).
Other formulations are pipeline-centric rather than message-centric. In AgentModernize, inter-agent lineage is the maintained mapping from legacy artifacts, extracted rule records, Behavioral Specification Graph nodes and edges, generated code units, and validator outcomes across iterations, realized through consistent identifiers such as rule_id, node_id, and test_id (Ahmed et al., 17 May 2026). In OpenAgenet/OAN, lineage is the verifiable provenance chain spanning identity issuance, Root-governed authorization, accepted identity versions, package publication, discovery responses, and signed trusted invocation (Xu, 2 Jun 2026).
A different usage appears in evolutionary RL. In Lineage Evolution Reinforcement Learning, lineage is not a graph of artifacts or calls but a per-agent scalar that is combined with normalized performance through , updated by rank-based credit assignment, and inherited across mutation and crossover with decay (Zhang et al., 2020). The surveyed literature therefore treats inter-agent lineage as a family of provenance formalisms rather than a single ontology.
2. Representational substrates
Several systems make lineage first-class by embedding it directly into the execution substrate rather than reconstructing it after the fact. Representative formalisms include hierarchical attributed graphs, content-addressed DAGs, typed lifecycle artifact graphs, version graphs over registered resources, and append-only event logs with deterministic projections (Li et al., 7 May 2026, Zhang, 16 Apr 2026, Xu, 21 Apr 2026, Wang et al., 15 Mar 2026, Nakajima, 21 May 2026, Luo et al., 20 Jun 2026).
| Work | Formal substrate | Lineage unit |
|---|---|---|
| Agent-BOM | Hierarchical attributed directed graph | Semantic states, capabilities, memory, cross-agent edges |
| MMP | Content-hash CMB graph | Parents, ancestors, remix method |
| ActiveGraph | Event log and projection | caused_by, objects, relations, model/tool I/O |
| RoboLineage | Typed, versioned artifact graph | Rollouts, reviews, datasets, training, evaluation, governance |
| ScienceClaw + Infinite | Artifact DAG | Derivation, synthesis, discourse relations |
| AGP/AGS | Version lineage over protocol-registered resources | Resource versions, commits, rollback targets |
Agent-BOM separates a static capability layer from a dynamic runtime semantic layer. Static nodes include AgentNode, CodeNode, LLMNode, PromptNode, ToolNode, SkillNode, and LongTermMemoryNode; dynamic nodes include ExternalNode, GoalNode, ContextNode, ReasoningNode, DecisionNode, ActionNode, and ObservationNode. Cross-agent propagation is encoded through sends_to, delegates_to, responds_to, shares_context_with, and shares_memory_with, while the attribute map records trust_level, integrity_status, authentication_status, permission_scope, confirmation_status, environment_state_change, source_agent, and target_agent (Li et al., 7 May 2026).
Autogenesis promotes Prompt, Agent, Tool, Environment, and Memory to protocol-registered resources with explicit lifecycle and versioned interfaces. For a resource instance, versions are immutable snapshots; update, copy, and restore induce per-resource lineage graphs, while accepted changes form a system-level commit DAG over resource versions and traced execution artifacts (Zhang, 16 Apr 2026). ScienceClaw + Infinite uses immutable artifacts with artifact_id, artifact_type, content_hash, and parentArtifactIds; edges are partitioned into Ecomp, Esynth, and Edisc, which respectively encode computation, multi-parent synthesis, and discourse relations such as cite, contradict, extend, and replicate (Wang et al., 15 Mar 2026). RoboLineage analogously represents policy iteration as a typed artifact graph 0 whose nodes include rollout.record, snapshot.jsonl, annotation.final.json, dataset_decision.json, dataset.lock.json, train.run.json, policy.meta.json, eval.summary.json, and deploy.ticket.json (Luo et al., 20 Jun 2026).
ActiveGraph makes the append-only event log the source of truth. The log is a totally ordered sequence 1, the working graph is the deterministic projection 2, and each event carries an actor/agent_id, a typed payload, a timestamp, and an optional caused_by pointer to a prior event. Objects and relations then carry provenance blocks linking them back to producing behaviors and triggering events (Nakajima, 21 May 2026). This is a stronger lineage substrate than a conventional observability layer because replay, fork, and provenance queries are defined over the same primary record.
3. Propagation across agents, sessions, and generations
In the security-auditing literature, inter-agent propagation is modeled as semantic transmission rather than simple message passing. Agent-BOM explicitly represents the cognitive-state chain External → Goal → Context → Reasoning → Decision → Action → Observation, and cross-agent lineage can cross both propagation edges and persistence edges such as reads_from and writes_to. This permits reconstruction of cross-session memory contamination, capability binding, privilege transfer, and trust-boundary crossings in one path (Li et al., 7 May 2026).
The Mesh Memory Protocol focuses on cross-session agent-to-agent cognitive collaboration. Every accepted peer contribution is stored only as the receiver’s own remix, not as raw peer state. Echo detection is then reduced to ancestor containment: 3
Because lineage.ancestors is shipped on wire, recognition of returning claims is a set-membership operation rather than a graph traversal at receipt time. The specification also bounds ancestor depth to at most 50, which caps lineage metadata growth (Xu, 21 Apr 2026).
Autogenesis addresses cross-entity lifecycle and hot-swapping. Agents retrieve prompts, tools, and memory through a shared registry; accepted changes become immediately available to all sub-agents through the Dynamic manager; and plan.md, tool code, memory schemas, and other resources can be versioned, restored, and audited through RSPL and SEPL interfaces (Zhang, 16 Apr 2026). In a different temporal direction, LERL propagates lineage across generations rather than sessions: mutation offspring inherit 4, crossover offspring inherit 5, and the current lineage value is mixed with new rank-based credit using 6 before normalization (Zhang et al., 2020). Inter-agent lineage thus spans at least three distinct transmission regimes in current research: cross-agent semantic propagation, cross-session memory persistence, and intergenerational inheritance.
4. Verification, auditing, and adjudication
One major line of work treats lineage as the basis for security adjudication. Agent-BOM standardizes audits as
7
where 8 are anomalous entry nodes or edges, 9 traces backward to origins, 0 traces forward to impacts, and 1 encodes adjudication conditions. The framework is instantiated against the OWASP Agentic Top 10 and supports graph queries for cases such as cross-session contamination leading to tool misuse, insecure inter-agent messages altering downstream goals, and privilege abuse via poisoned memory (Li et al., 7 May 2026).
Cryptographic lineage systems make verification externalizable. Context Lineage Assurance models lineage events as leaves in CT-style append-only Merkle logs, publishes Signed Tree Heads
2
and relies on RFC 6962 inclusion and consistency proofs. Proof size and verification time are 3. A federated proof server validates proofs across one or more logs and emits signed attestations, while multi-hop verification checks identity signatures, prev links or citations, and cross-time consistency across the chain (Malkapuram et al., 22 Sep 2025).
OAN anchors lineage in Root-governed identity and discovery. A Root acceptance record
4
binds an accepted identity version to a canonical hash; discovery responses are signed and authorization-aware; trusted invocation envelopes bind caller DID, target DID, timestamp, nonce, path or method, and body hash; and a trust predicate can be evaluated over the lineage DAG connecting Root, Registrar, Discovery nodes, packages, credentials, and invocations (Xu, 2 Jun 2026).
ActiveGraph approaches verification through replay rather than signatures. Byte-identical logs must project to identical graphs; model and tool I/O are served from content-hashed recorded responses during replay; and strict replay raises a divergence error at the first non-matching event if a behavior violates the determinism contract by reading wall-clock time, randomness, or mutable global state (Nakajima, 21 May 2026). A common misconception is that inter-agent lineage is equivalent to runtime logging or transport security. Several papers explicitly reject that equivalence: Agent-BOM argues that SBOMs and runtime logs do not capture runtime cognitive states or cross-layer bindings, while CT-style and OAN-style approaches extend A2A beyond point-to-point authentication to multi-hop provenance (Li et al., 7 May 2026, Malkapuram et al., 22 Sep 2025, Xu, 2 Jun 2026).
5. Operational roles and empirical evidence
Security auditing provides one of the clearest demonstrations of practical lineage use. Agent-BOM reconstructs cross-session memory poisoning followed by tool misuse, capability supply-chain hijacking followed by unexpected code execution, multi-agent ecosystem hijacking, and rogue-agent trust exploitation leading to privilege abuse. The paper reports accurate reconstruction over representative scenarios but does not publish numeric detection accuracy, coverage, average path lengths, or query latency (Li et al., 7 May 2026).
In software modernization, lineage functions as a preservation and diagnosis mechanism. AgentModernize decomposes modernization into four agents—Legacy Analyzer, Specification Generator, Modernization Transformer, and Equivalence Validator—connected through a shared state and a Behavioral Specification Graph 5. The full pipeline with feedback was the only configuration with non-zero mean BER under every backbone: 6 for GPT-4o-mini, 7 for GPT-4o, and 8 for GPT-5.3-codex. The BSG captured 9 of gold-standard rules on average, with 0 precision for S1–S7, which localized the main bottleneck to code generation rather than extraction or specification (Ahmed et al., 17 May 2026).
In robot policy iteration, lineage is used for governance rather than only for audit after failure. RoboLineage represents collection, review, admission, dataset freezing, training, evaluation, deployment, and next-collection planning as typed artifacts linked by explicit edges. On 194 expert-rejected rollouts, full RoboLineage achieved 1 outcome accuracy, 2 failure-phase accuracy, 3 admission accuracy, and 4 leakage. Under matched training budgets and evaluation protocols, trained policies remained within 5 percentage points of expert-managed workflow on average (6 versus 7), while routine pre-training labor dropped from 8 to 9 minutes per 30-rollout cycle (Luo et al., 20 Jun 2026).
Decentralized scientific discovery uses lineage to coordinate without a central planner. ScienceClaw + Infinite models computation as an artifact DAG with cross-agent synthesis edges, ranks open needs by a deterministic pressure score
0
and performs multi-parent synthesis when compatible peer artifacts exist. Across four investigations, reported synthesis density ranged from 1 to 2; in the SSTR2 peptide-design investigation the system involved 10 agents, 23 tools, 177 artifacts, 57 synthesis artifacts, and average DAG depth 2.15 (Wang et al., 15 Mar 2026).
Evolutionary RL provides a more indirect but still operational role for lineage. LERL was evaluated on Atari 2600 with DQN, C51, Rainbow, and IQN; LE_Rainbow substantially improved over Rainbow on Asterix and KungFuMaster across best, median, and average curves, while Assault and ChopperCommand were roughly on par with Rainbow (Zhang et al., 2020). This suggests that lineage can function either as explicit audit provenance or as an optimization signal that preserves “potential performance” across agent populations.
6. Limitations, governance, and open problems
Instrumentation completeness remains a pervasive limitation. Agent-BOM depends on hooks for prompt composition, context assembly, memory I/O, tool calls, and inter-agent messaging; missing hooks reduce completeness, while shared memory, asynchronous communication, and external service chains complicate attribution. AgentModernize similarly shows that strong lineage through extraction and specification does not guarantee successful preservation when the BSG-to-code mapping diverges architecturally; targeted fixes can also induce regressions (Li et al., 7 May 2026, Ahmed et al., 17 May 2026).
Cryptographic lineage systems expose different limits. Context Lineage Assurance leaves privacy-preserving lineage, redaction, right-to-forget, partial trace proofs, inter-organizational federation, and stronger timing trust as future work. OAN does not normatively define parent-child identity semantics, keeps SBOMs and build attestations optional, and leaves multi-root federation out of scope (Malkapuram et al., 22 Sep 2025, Xu, 2 Jun 2026).
Protocol and runtime substrates also remain incomplete. MMP does not yet specify per-CMB signatures, and mixed-model deployments and Byzantine or adaptive adversaries remain open. Autogenesis supports concurrent sub-agent execution but does not define CRDTs, locks, merge strategies, or a formal schema for commit messages and approver identities. ActiveGraph currently replays full logs, so replay cost grows with log length; storage grows with recorded model and tool responses; and external side effects remain external even when their outputs are replayable. RoboLineage, finally, was evaluated on routine, configured, visually grounded manipulation, and future work includes federated lineage, privacy-preserving sharing, standardized rollout identifiers, and broader multimodal evidence (Xu, 21 Apr 2026, Zhang, 16 Apr 2026, Nakajima, 21 May 2026, Luo et al., 20 Jun 2026).
Taken together, these results suggest that inter-agent lineage is becoming a systems primitive only when representation, verification, and governance are co-designed. Where lineage is reduced to logs without semantics, or to credentials without call-chain structure, or to memory without ancestry, the surveyed systems report loss of explainability, weaker auditability, or fragile coordination. Where lineage is explicit, typed, versioned, and queryable, it becomes not merely a forensic record but an active substrate for security adjudication, behavioral preservation, decentralized coordination, lifecycle governance, and controlled system evolution.