Papers
Topics
Authors
Recent
Search
2000 character limit reached

Terrarium Framework for Multi-Agent Security

Updated 4 July 2026
  • Terrarium is a modular, configurable testbed for LLM-based multi-agent systems that employs a repurposed blackboard design to enable controlled safety, privacy, and security studies.
  • The framework implements an append-only communication log and instruction-augmented DCOPs to rigorously evaluate and mitigate adversarial behavior across collaborative scenarios.
  • Researchers can customize agents, protocols, and tools to simulate realistic coordination tasks, measure cooperative objectives, and assess the impact of various attack vectors.

Searching arXiv for the Terrarium paper and directly related cited systems to ground the article in current literature. Searching arXiv for the Terrarium framework paper by title. Searching arXiv for related benchmark/system names mentioned in the source material (e.g., AgentDojo). Terrarium is a modular, configurable testbed for studying safety, privacy, and security in large-language-model-based multi-agent systems (MAS). It is introduced in “Terrarium: Revisiting the Blackboard for Multi-Agent Safety, Privacy, and Security Studies” (Nakamura et al., 16 Oct 2025), which repurposes the blackboard design as a shared, structured workspace implemented as an append-only log. The framework is intended to address a gap in agent orchestration and benchmarking by providing a fine-grained, open, instrumented environment in which researchers can enforce a ground-truth cooperative objective, model private information and heterogeneous capabilities, and observe and intervene in inter-agent communication at the appropriate granularity. In this formulation, Terrarium centers communication, topology, and logging as first-class experimental objects for analyzing misalignment, malicious behavior, compromised communication, and data poisoning in collaborative MAS (Nakamura et al., 16 Oct 2025).

1. Conceptual basis and research scope

Terrarium revisits the blackboard as a coordination primitive for LLM-based MAS. In the framework, shared, structured workspaces decouple agents and allow them to coordinate via an append-only log, rather than via opaque pairwise protocols. This design is used to inspect, control, and stress-test communication and coordination mechanisms that would otherwise be buried inside agent-to-agent interactions (Nakamura et al., 16 Oct 2025).

The stated design goals are threefold. First, the framework enables instruction-augmented tasks with unstructured preferences and constraints. Second, it supports realistic yet analyzable adversarial surfaces, specifically misalignment, malicious agents, compromised communication, and data poisoning. Third, it provides reproducible evaluation of CIA attacks and defenses, where CIA denotes Confidentiality, Integrity, and Availability (Nakamura et al., 16 Oct 2025).

A central motivation is the need for an environment in which a cooperative objective can be specified independently of the agents’ local observations. Terrarium therefore enforces a ground-truth joint objective while allowing each agent to observe only private instructions and local context. This separation makes it possible to quantify the effect of attacks or protocol changes on the underlying task rather than merely on surface behavior. The framework’s emphasis on observability, partial privacy, and per-message intervention suggests a research orientation closer to controlled systems experimentation than to deployment-oriented agent engineering.

2. Architecture and blackboard data model

Terrarium decomposes MAS into five modules: Agents, Environment, Blackboard(s), Protocol, and Tools (Nakamura et al., 16 Oct 2025). Agents are LLM-driven and may be tool-augmented via Model Context Protocol (MCP) using FastMCP. They read natural instructions and contexts, operate in a planning phase and an execution phase, and can invoke both environment tools and blackboard tools. The environment is a self-contained simulator that receives agent actions synchronously or asynchronously, updates internal state, and returns per-agent observations; every environment exposes a well-defined cooperative joint objective FF used for evaluation. Blackboard(s) are shared append-only communication proxies whose topology is instantiated by a configurable factor graph. The protocol is a simple two-phase structure in which agents exchange intentions and negotiate during planning and then commit to environment actions during execution. Tools comprise both domain-specific actuation and observation mechanisms and generic blackboard APIs such as get_messages() and post_message() (Nakamura et al., 16 Oct 2025).

The blackboard data model is explicitly instrumented. Each entry is append-only and records content, sender identity, recipient scope, current phase, and iteration number. The implementation uses read and write at a token/message level; although richer operations such as erasing, referencing, and highlighting are permitted by the design, the reported implementation uses append-only plus read/write for simplicity. The system records complete transcripts for forensics (Nakamura et al., 16 Oct 2025).

Membership and topology are defined by the environment through a factor graph. Boards may be shared only among those agents that must coordinate on a factor, which provides isolation and limits irrelevant context. The paper states that this mitigates lost-in-the-middle effects. Per-message provenance includes sender identity, target board, and timing or iteration, and the problem setup notes optional encryption and authentication tags together with logged transcripts. Board membership restricts read and write access to subsets of agents, enabling partially private communication and broadcast. The environment supports synchronous or asynchronous action handling, while the prototype uses discrete planning and execution rounds; concurrent posts are serialized by the runtime so that each board has a total order suitable for reproducible replay (Nakamura et al., 16 Oct 2025).

The representation of local constraints and preferences is also explicit. A renderer ρ\rho emits per-agent instructions IiI_i, consisting of text and optionally images, that encode local constraints, preferences, priorities, and domain context. These instructions form the agents’ observable interface to the hidden ground-truth objective FF (Nakamura et al., 16 Oct 2025).

3. Formalization as instruction-augmented DCOPs

Terrarium formalizes cooperative environments as instruction-augmented distributed constraint optimization problems. The paper defines an instance as

P=A, H, η, X, D, σ, C, μ, o, ρ, F, Π.\mathcal{P}=\langle A,\ H,\ \eta,\ X,\ D,\ \sigma,\ C,\ \mu,\ o,\ \rho,\ F^\star,\ \Pi\rangle.

It then defines the cooperative objective over a joint policy π=(πi)iA\pi=(\pi_i)_{i\in A} and context cμc\sim\mu by drawing assignments over each agent’s owned variables and assembling a joint assignment xx. The ground-truth objective is

$F^\star(x;c)=\sum_{i\in A}\ \sum_{\beta=1}^{k_i} f_{i,\beta}^\star\big(x_{S_{i,\beta};c\big),$

and the optimization problem is

max πiAΠi  Ecμ Exπ(c)[F(x;c)].\max_{\ \pi\in\prod_{i\in A}\Pi_i}\; \mathbb{E}_{c\sim\mu}\ \mathbb{E}_{x\sim \pi(\cdot\mid c)}\big[\,F^\star(x;c)\,\big].

The formulation specifies that ρ\rho0 is private to agent ρ\rho1 and that ρ\rho2 is not jointly observed by any agents. The pair ρ\rho3 induces a bipartite factor graph ρ\rho4 with ρ\rho5, ρ\rho6, and edge ρ\rho7 iff ρ\rho8; algorithms may pass messages on ρ\rho9, and in practice Terrarium realizes this message passing using blackboards (Nakamura et al., 16 Oct 2025).

This formalization gives the framework two linked properties. First, the cooperative objective remains external to the agents’ prompts, which permits direct quantification of attack impact. Second, the factor graph connects coordination structure to communication topology. A plausible implication is that protocol interventions can be studied not only as changes to textual interaction but also as perturbations to a structured optimization process.

4. Configurability, instrumentation, and experimental control

Terrarium is designed as a configurable research harness rather than a fixed benchmark. Researchers can configure the number of agents, private data, instruction templates, tools, and abilities, including which agents can read or write to which boards. Agent personas and internal objectives are defined through system and user prompts. Board topology is parameterized by a factor graph, while protocol phases and iteration budgets are configurable. The paper describes an “hourglass” stack in which alternative protocols can be plugged in, analogous to swapping network layers in Wireshark-style analyses (Nakamura et al., 16 Oct 2025).

The framework exposes attack and defense injection points at instruction rendering, blackboard messages, tool invocations, and scheduling or timing. Adversaries may be introduced either as Byzantine agents or as communication attackers. Filters, authentication tags, provenance audits, and anomaly checks can be attached at blackboard boundaries. APIs are uniform through MCP-based tools, blackboard clients expose get() and post() primitives, and environment tools implement actuation such as schedule_meeting, schedule_task, and choose_outfit (Nakamura et al., 16 Oct 2025).

Instrumentation is extensive. Full transcripts, indexed per board, per phase, and per iteration, are logged together with agent observations and environment states. The design emphasizes seed control and repeated runs. The paper states that seeds are fixed, hyperparameters are published in appendix tables for each domain, and configurations, logs, and scripts are committed for release. Experiments use OpenAI GPT-4.1, 4.1-mini, and 4.1-nano via official APIs (Nakamura et al., 16 Oct 2025).

The paper also outlines practical guidance for running a new study. The recommended process begins with specifying the instruction-augmented DCOP tuple and implementing environment dynamics together with the ground-truth objective IiI_i0. The researcher then chooses board topology via a factor graph, authors phase- and role-specific prompts, exposes only necessary MCP tools, sets private data and optional visuals, configures planning and execution iteration budgets together with synchronous or asynchronous operation, selects adversary placement and triggers, and optionally enables defenses such as per-message authentication, phase constraints, content filters, provenance-based anomaly detectors, and tool sandboxing. Metrics include normalized joint utility, utility difference under attack, privacy leakage by LLM-as-a-judge or information-theoretic estimates, availability via Attack Success Rate, and optional context-aware metrics such as CostGap, Stealth, TargetLift, LatencyGain, and Leak (Nakamura et al., 16 Oct 2025).

5. Threat model, attack surfaces, and defense mechanisms

The threat model is organized around Confidentiality, Integrity, Availability, and Influence. Adversary goals include exfiltrating private constraints or preferences, perturbing costs, messages, or assignments to induce misalignment, delaying or denying coordination, and steering policies. Capabilities include a compromised or Byzantine agent, a network adversary that eavesdrops, delays, drops, or injects messages on boards, colluding agents, Sybil identities that alter membership or topology, and LLM-surface access to instruction rendering or exemplars. The surfaces are factor payloads and reports, blackboard message contents, timing and scheduling, graph topology, and instructional text or images that condition policies (Nakamura et al., 16 Oct 2025).

Four representative attacks are implemented. The confidentiality attack is information leakage: the second agent is instructed to elicit private information previously shared by another agent, and the queried agent reveals that information despite a system prompt prohibiting sharing. The integrity attacks are adversarial agent and communication poisoning. In the adversarial-agent setting, a Byzantine participant uses legitimate board access to steer planning, misreport preferences, or inject misleading coordination intents. In communication poisoning, an external adversary tampers with the board to inject or modify planning messages; the paper evaluates 1-, 2-, and 3-shot poisoning and reports a dose–response effect on utility reduction. The availability attack is context overflow, in which large volumes of low-value content fill agent contexts, causing API errors or forcing truncation (Nakamura et al., 16 Oct 2025).

Terrarium is designed to support rapid prototyping of defenses, although the reported experiments emphasize vulnerabilities rather than comprehensive mitigation. Supported mechanisms include policy enforcement via prompts, authentication and authorization through explicit board membership and optional authentication tags, provenance tracking and audits based on append-only logs with sender and phase metadata, content filtering and sanitization at board ingress and egress, sandboxing and tool scoping, and secure channels and isolation through factor-graph-based partitioning and per-board isolation (Nakamura et al., 16 Oct 2025). The confidentiality experiment shows that prompt-based non-disclosure alone is insufficient under the tested setting.

The example walkthrough in the meeting-scheduling domain makes the integrity mechanism concrete. During planning, an organizer posts a tentative meeting slot and requests preferences; attendees respond with stated preferences and feasibility constraints. In a 2-shot communication-poisoning attack, spoofed messages are injected that contradict earlier reports. The organizer then reads an append-only transcript that includes these entries and commits in execution to a schedule based on the poisoned record. The outcome is a drop in utility due to misalignment with true preferences and travel feasibility. Terrarium’s logs expose provenance anomalies, and a defense prototype, if enabled, could flag unexpected senders or off-phase posts or require authenticated tags (Nakamura et al., 16 Oct 2025).

6. Domains, metrics, and quantitative findings

Terrarium implements three collaborative MAS scenarios, all formalized as instruction-augmented DCOPs with explicit joint utilities (Nakamura et al., 16 Oct 2025).

Domain Roles and tools Joint utility and evaluation specifics
Meeting Scheduling Attendees and organizers; get_messages(), post_message(), schedule_meeting() 10 agents, 15 meetings, max 4 attendees/meeting, Zoom probability 0.3; higher is better; combines MEETING_TIME_MATCH and FEASIBILITY_AGENT
Personal Assistant One outfit choice per agent; choose_outfit() and blackboard get()/post() 6 agents; graph degree IiI_i1; 3–4 outfits/agent; utility in IiI_i2, higher is better
Smart-Home Assistant One assistant per home; schedule_task() plus boards 8 agents, 2–4 tasks per agent, allowed windows length 2–6, sustainable capacity over IiI_i3; utility in IiI_i4, higher is better

In Meeting Scheduling, agents own subsets of meetings and attend others. The setting uses a partially generated real-world environment with buildings and a travel-time graph; meetings have mode in IiI_i5, per-attendee time preferences, and per-attendee meeting priorities. Physical meetings introduce travel feasibility constraints and priority-aware feasibility. In Personal Assistant, each agent selects exactly one outfit from a private wardrobe under unary preferences such as PREF_COLOR and AVOID_COLOR and pairwise constraints such as MATCH_COLOR and NOT_MATCH_COLOR; only color affects scoring, and constraints may be encoded as text instructions and optionally visuals. In Smart-Home Assistant, each home schedules device jobs with specified consumption, duration, and allowed start times under a global sustainable capacity IiI_i6 over IiI_i7 hours, while respecting task windows and avoiding excessive main-grid draw (Nakamura et al., 16 Oct 2025).

The evaluation methodology centers on the cooperative optimization objective and reports practical metrics. Task performance is measured through normalized joint utility IiI_i8 across seeds per domain, with min–max normalization using search-derived bounds for each seed instance. Integrity attack success is the utility difference between baseline and attacked runs. Confidentiality is measured by LLM-as-a-judge scoring of leaked private information as 100% fully accurate, 50% partially accurate, or 0% inaccurate. Availability is measured by Attack Success Rate, defined as the number of seeds causing API error out of 30 runs for overflow (Nakamura et al., 16 Oct 2025).

The paper also provides context-aware metrics in formal notation:

IiI_i9

although the main experiments report normalized FF0, ASR, and leakage correctness (Nakamura et al., 16 Oct 2025).

Quantitative results are reported for baseline normalized joint utility and for attacks in the Meeting domain with GPT-4.1-mini. Baseline normalized FF1 is 83.1 FF2 8.1 for GPT-4.1, 81.8 FF3 9.0 for 4.1-mini, and 72.8 FF4 12.6 for 4.1-nano in Meeting; 66.2 FF5 22.4, 65.4 FF6 38.4, and 77.4 FF7 38.4 in SmartHome; and 58.0 FF8 28.0, 61.0 FF9 15.0, and 58.0 P=A, H, η, X, D, σ, C, μ, o, ρ, F, Π.\mathcal{P}=\langle A,\ H,\ \eta,\ X,\ D,\ \sigma,\ C,\ \mu,\ o,\ \rho,\ F^\star,\ \Pi\rangle.0 13.0 in PersonalAssistant. For attacks on Meeting with GPT-4.1-mini, confidentiality leakage attains 100% correctness by the LLM judge, context overflow attains 100% ASR with API errors in all 30 seeded runs, the adversarial-agent attack yields utility difference +0.1 with P=A, H, η, X, D, σ, C, μ, o, ρ, F, Π.\mathcal{P}=\langle A,\ H,\ \eta,\ X,\ D,\ \sigma,\ C,\ \mu,\ o,\ \rho,\ F^\star,\ \Pi\rangle.1, and communication poisoning yields +1.0 for 1-shot with P=A, H, η, X, D, σ, C, μ, o, ρ, F, Π.\mathcal{P}=\langle A,\ H,\ \eta,\ X,\ D,\ \sigma,\ C,\ \mu,\ o,\ \rho,\ F^\star,\ \Pi\rangle.2, +1.2 for 2-shot with P=A, H, η, X, D, σ, C, μ, o, ρ, F, Π.\mathcal{P}=\langle A,\ H,\ \eta,\ X,\ D,\ \sigma,\ C,\ \mu,\ o,\ \rho,\ F^\star,\ \Pi\rangle.3, and +2.7 for 3-shot with P=A, H, η, X, D, σ, C, μ, o, ρ, F, Π.\mathcal{P}=\langle A,\ H,\ \eta,\ X,\ D,\ \sigma,\ C,\ \mu,\ o,\ \rho,\ F^\star,\ \Pi\rangle.4. The paper interprets these results as indicating that integrity attacks consistently reduce utility, with multi-shot poisoning showing stronger effects, while confidentiality and availability attacks were highly effective under the tested settings (Nakamura et al., 16 Oct 2025).

7. Positioning, limitations, and research significance

Terrarium is positioned against prior approaches by emphasizing multi-agent cooperation with a ground-truth, factorized objective and explicit inter-agent boards. Compared with single-agent security testbeds, it enables attacks that depend on coordination, privacy between agents, and communication timing or topology. Compared with orchestration protocols and closed platforms, it is presented as an open, configurable blackboard-based testbed for benchmarking and red-teaming communication protocols under controlled conditions, with complete logging and seed control (Nakamura et al., 16 Oct 2025).

The paper attributes several advantages to blackboards in this setting: decoupled producers and consumers, explicit and inspectable communication, board-level isolation and membership, per-message tags that support authentication and audits, a natural fit for instruction-augmented DCOP message passing, and suitability for forensics and reproducibility. These features make communication itself experimentally manipulable rather than merely a by-product of higher-level orchestration (Nakamura et al., 16 Oct 2025).

Several limitations are stated. The prototype is not deployment-optimized: it uses simple append-only boards and a two-phase protocol, whereas production systems may require memory-efficient context management, compression, and scalable scheduling. Defenses are limited in the reported experiments, even though the framework supports authentication, filtering, and audits; future work includes competitive or negotiation settings, richer defenses such as anomaly detection over style and timing graphs, and more realistic secure channels. The paper also notes that while it provides a cooperative objective and global metrics such as CostGap, the main experiments rely on practical metrics such as normalized P=A, H, η, X, D, σ, C, μ, o, ρ, F, Π.\mathcal{P}=\langle A,\ H,\ \eta,\ X,\ D,\ \sigma,\ C,\ \mu,\ o,\ \rho,\ F^\star,\ \Pi\rangle.5, ASR, and leakage correctness, and that bridging these to fully formalized metrics in the experimental loop is a promising direction (Nakamura et al., 16 Oct 2025).

Terrarium’s broader significance lies in operationalizing blackboards as first-class research artifacts for LLM-based MAS. By coupling instruction-augmented DCOP tasks, configurable communication topologies, and full-fidelity logging, it enables fine-grained, reproducible experiments on safety, privacy, and security in settings where collaboration, local observability, and adversarial interference are tightly entangled. This suggests a methodological shift from evaluating agents solely through end-task outcomes toward evaluating the structure, provenance, and manipulability of inter-agent coordination itself (Nakamura et al., 16 Oct 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Terrarium Framework.