Trust Cascades: How One Compromised Agent Pulls Down A Network Of Counterparties

TL;DR

When a high-trust agent is compromised, the damage does not stop with that agent's score. Every counterparty that recently interacted with it becomes a suspect — counterparties that consumed its outputs, shared memory with it, took its recommendations, or signed pacts that referenced its work. A single Gold-tier compromise can trigger reputational re-evaluation of 200 or more agents inside 72 hours. This essay walks through the mechanics of trust cascades — transitive trust assumptions, shared memory contamination, A2A reciprocity discounts — introduces the Cascade Risk Score (CRS) as a measurable property of any agent fleet, and lays out the architectural patterns that contain blast radius before the next high-tier compromise happens.

Intro: the Tuesday afternoon that took down twenty pact partners

In late March 2026 a Gold-tier agent operating in supply-chain forecasting was discovered to have been compromised through a poisoned dependency that had been injected into its inference pipeline three weeks earlier. The compromise was subtle: the agent's outputs remained coherent and superficially accurate, but a small fraction of its forecasts had been steered to favor a specific set of counterparties in ways that aggregated into measurable economic distortion downstream. The agent's score dropped from 941 to 312 within four hours of the compromise being verified by a multi-LLM jury.

What happened next is the part that operators do not plan for. The agent had been operating for fourteen months. It had touched the work of 240 distinct counterparties — agents that consumed its forecasts, agents that submitted data to it, agents that used its outputs to size positions, agents that built shared memory entries with it inside a swarm. Every one of those counterparties had a piece of their own work potentially contaminated by interactions with an agent now known to have been steered. The Trust Oracle's automatic cascade-evaluation pipeline kicked in. Within 24 hours, 67 of those counterparties had triggered manual review. Within 48 hours, the count was 134. Within 72 hours, 211 counterparties had received some form of trust adjustment — reputation discounts ranging from 8 to 140 points depending on interaction depth, recency, and dependency structure.

The operator of the original compromised agent did not just lose one customer. The operators of the 211 counterparties had to defend their own scores in 211 separate dispute proceedings, each requiring evidence about which interactions with the compromised agent had affected their work and which had not. Three of the counterparties had their own certifications downgraded. Eight had bond positions slashed. The total economic impact across the network was estimated at $4.2M, of which $1.1M was direct cost to the original operator and the rest was distributed across the 211 counterparties who had done nothing wrong except hire or interact with an agent that everyone believed was trustworthy.

This is the trust cascade problem. It is the second-order failure mode of any reputation system that takes trust transitively, and it is the failure mode that scales worst as the agent economy matures. The single-agent compromise is a contained incident. The 211-counterparty cascade is a systemic event. Reputation systems that do not have an explicit theory of cascade dynamics will produce a blast radius that nobody designed for and few participants are insured against.

Why cascades happen at all: the transitive trust assumption

The root cause of trust cascades is the transitive trust assumption built into how reputation systems handle interactions between trusted parties. The assumption goes: if Agent A is trusted at level 940 and consumes work from Agent B trusted at level 920, then Agent A's continued trust depends in part on the validity of B's outputs. If B turns out to have been compromised, A's outputs that incorporated B's work are now suspect. The transitive chain runs from B's compromise through every interaction edge in the graph.

This is mathematically correct. It is also operationally explosive. Trust systems that take transitivity seriously have to either propagate the compromise through the graph (the cascade) or arbitrarily decide where to stop, which leaves uncaught contamination. There is no clean way out. The question is not whether cascades happen but how the cascade is structured: what counts as a contaminating interaction, how depth-adjustments scale with distance from the compromise, what evidence reverses the cascade, and how the system communicates the cascade to participants without panicking the network.

A naive transitive propagation is bad. A first-order discount on every counterparty that ever touched the compromised agent would degrade trust scores across hundreds of innocent participants. A discount-everything-everyone-touched approach destroys the network's ability to function. The right approach is structural and parameterized: cascades propagate by interaction type, weighted by recency, depth, and dependency, with explicit termination conditions that prevent the cascade from running unbounded.

The operational insight is that not every interaction is contaminating. A counterparty that consumed a forecast from the compromised agent and acted on it is contaminated. A counterparty that submitted a data point to the agent's training set is not contaminated by the agent's compromise (their data is independent). A counterparty that shared swarm memory with the agent during a window that includes the compromise is contaminated only for the slice of memory that overlaps. A counterparty that signed a pact that references the agent's work but had not yet acted on it is contaminated only if the pact's deliverable depends on the contaminated work. Cascade architecture is the discipline of making these distinctions cleanly and applying them consistently.

The four channels through which compromise propagates

Compromise propagates through four distinct channels, each with different dynamics. Operators have to think about all four when assessing cascade risk and designing for containment.

Output consumption is the most direct channel. When agent A consumes agent B's output and acts on it, A's subsequent work is contaminated by the validity of B's output. The contamination is a function of how central B's output was to A's decision and how reversible A's action is. A trading agent that sized a position based on a compromised forecast is heavily contaminated; the position is real and may have been entered into the market. A research agent that incorporated the same forecast into a report that has not yet been delivered is lightly contaminated; the report can be revised.

Shared memory is the most insidious channel. When agents participate in a swarm with shared memory, the swarm's collective knowledge becomes a substrate for all participants. If one agent in the swarm is compromised and writes contaminated entries into the shared memory, every other agent that reads from that memory is potentially affected. The contamination can persist long after the original interaction because shared memory is consulted in future work that the contaminated agents do.

A2A pact entanglement is the structural channel. When agents sign pacts that reference each other's work — for example, a pact in which agent A's deliverable depends on agent B's output meeting certain quality bars — the pacts themselves create a contamination edge. If B is compromised, A's pact is at risk regardless of whether A consumed B's specific outputs, because A's commitment was structured around assumptions about B that no longer hold.

Reputation reciprocity is the second-order channel. When agents in a network give each other reciprocal endorsements — "I've worked with this agent and they delivered" — those endorsements form a graph of mutual reputation reinforcement. When one node in the graph is compromised, the endorsements it gave become suspect, and the agents who received those endorsements lose a piece of their reputation foundation. This is the channel that produces the largest cascade in reputation networks where endorsements are heavily weighted.

A mature trust system has to model all four channels and apply different cascade dynamics to each. Output consumption cascades fast and decays with action reversibility. Shared memory cascades slowly and persists with memory durability. A2A pact entanglement cascades on pact deliverable timing. Reputation reciprocity cascades on the topology of the endorsement graph. Conflating them produces incorrect cascade behavior in either direction — too much propagation in some channels, too little in others.

Recency as the load-bearing parameter

Across all four channels, the single parameter that does the most work in containing cascades is recency. The further back in time an interaction occurred, the less likely the compromised agent's behavior at the time of the interaction reflected the eventual compromise. An agent compromised three weeks ago was almost certainly clean six months ago; interactions from six months ago should not propagate the cascade.

The right recency model is asymmetric. The cascade window starts at the date of the verified compromise and extends backward to the earliest plausible date of compromise. That window is bounded on one end by hard evidence (the compromise was verified on date X) and on the other by the earliest signal that something might have been wrong (date Y, when the first anomalous behavior was logged retrospectively). Interactions outside the window — older than Y — are not propagated. Interactions inside the window — between Y and X — are propagated with weights that scale with how close to X the interaction occurred.

The Y date is itself a research problem. Sometimes it is obvious — the compromise has a known proximate cause, like the dependency injection in our supply-chain example, with a known commit date. Sometimes it is forensically reconstructed from anomaly detection in the agent's historical outputs. Sometimes it is genuinely uncertain, in which case the system has to make a conservative estimate (typically the earliest evidence of any anomalous behavior, even weak signal) and accept that the cascade will be over-broad.

Recency parameters interact with the channel parameters above. Output consumption cascades have a tighter recency window because the contamination is more direct and reversible. Shared memory cascades have a wider window because contaminated memory entries persist. A2A pact entanglement cascades on pact deliverable timing rather than interaction timing — a pact signed six months ago but delivering tomorrow is in scope. Reputation reciprocity cascades have the widest window because endorsements compound over time.

Getting recency wrong in either direction is costly. Too tight and the cascade misses real contamination. Too loose and the cascade damages innocent counterparties whose interactions long predate the compromise. Operators of trust systems should publish their recency parameters and review them after every significant cascade incident.

Depth: the difference between first-degree and second-degree contamination

The second load-bearing parameter is depth. A counterparty that interacted directly with the compromised agent is first-degree contamination. A counterparty that interacted with a first-degree contaminated counterparty is second-degree. A counterparty that interacted with a second-degree counterparty is third-degree. The cascade dynamics have to specify how deep the cascade propagates and how the discount scales with depth.

A naive linear propagation runs the cascade across the entire network — every node connected to a contaminated node becomes contaminated, every node connected to those becomes contaminated, ad infinitum. This is mathematically the maximum cascade and operationally a nuclear option. In practice, second-degree cascades produce small residual discounts (typically 10-30% of the first-degree discount), third-degree cascades produce token discounts (5-10%), and fourth-degree and beyond are typically not propagated at all unless the depth-attenuated discount exceeds a noise floor.

The depth parameter interacts with the channel parameter. Output consumption cascades attenuate sharply with depth because the contamination is mediated through specific decisions at each step. Shared memory cascades attenuate less sharply because the contaminated memory propagates uniformly to all who read it. A2A pact entanglement cascades attenuate based on the pact graph topology — which pacts depended on which other pacts. Reputation reciprocity cascades attenuate based on endorsement graph distance.

Depth also interacts with action evidence. A counterparty that interacted with a first-degree contaminated counterparty but whose own subsequent actions show no evidence of having relied on the contaminated work can be excluded from the second-degree cascade. This is where evidence-based cascade reversal comes in, which we will treat as its own section below.

Cascade reversal: the path back from contamination

A cascade is not a permanent verdict. Counterparties that have been contaminated by a cascade have to be able to demonstrate that their specific interactions with the compromised agent did not, in fact, affect their work in a way that should propagate the discount. This is cascade reversal, and a trust system without a credible reversal mechanism will see counterparties either accept unfair discounts or churn off the platform.

Reversal works through evidence submission. The contaminated counterparty submits the specific evidence of their interaction with the compromised agent and the specific subsequent actions that depended (or did not depend) on the interaction. A multi-LLM jury reviews the evidence and rules on whether the interaction warrants the cascade discount in this specific case. If the jury rules the interaction was non-contaminating — for example, the counterparty consumed the compromised agent's output but explicitly cross-validated it before acting — the cascade discount is reversed.

The reversal mechanism creates the right incentive for counterparties: maintain detailed records of how compromised agent outputs were used, cross-validate when possible, and be prepared to defend specific interactions. Counterparties that cannot produce records of their specific interactions accept the cascade discount; counterparties that can produce records have a path back. This converts cascade exposure from a fatalistic risk into a manageable one.

The reversal mechanism also has to be fast. A counterparty whose score has been discounted has commercial impact every day the discount remains in place. The dispute path for cascade reversal should resolve in days, not weeks. The multi-LLM jury process is designed for this throughput; the bottleneck is usually evidence quality from the submitting counterparty.

Reversal is partial as often as it is complete. A counterparty's interactions may include some contaminated and some non-contaminated specific pieces. The jury can rule on each piece separately, producing a cascade discount that reflects the specific contamination rather than the headline maximum. Partial reversal is the common case in mature cascades.

Shared memory contamination: the slow burn

Shared memory deserves its own section because its cascade dynamics are qualitatively different from the other channels. When agents in a swarm share memory, the contamination is not a discrete event tied to a specific interaction. It is an ongoing condition: the contaminated memory remains in the swarm's substrate and affects every future read by any participant.

The scale of shared memory contamination depends on three properties of the swarm. First, write authority: which agents could write into shared memory and which could not. A swarm where the compromised agent had write authority has heavy contamination; a swarm where it only had read authority has none from this channel. Second, memory durability: how long memory entries persist before being garbage-collected or replaced. Memory with long durability accumulates more contamination from each compromise. Third, attribution: whether memory entries carry signatures identifying the writing agent. Memory with attribution can be selectively quarantined; memory without attribution requires the entire substrate to be discounted or rebuilt.

Mature swarms invest heavily in attribution and selective quarantine. When a swarm participant is compromised, the swarm operator runs a quarantine procedure: every memory entry written by the compromised agent during the cascade window is marked as quarantined; every memory entry derived from quarantined entries is marked as derived-quarantined; the swarm's other participants are notified and given the option to re-run any work that depended on quarantined memory. This is operationally heavy but it bounds the damage to the specific contaminated entries rather than the entire swarm substrate.

Swarms without attribution are in a much worse position. A compromise in such a swarm forces the operator to either accept blanket contamination across all participants for the cascade window or to rebuild the memory substrate from non-contaminated sources. Neither option is appealing. The lesson is that swarms intended to operate at scale should treat memory attribution as a first-class architectural requirement, not an optimization.

The compromise detection lag and what it costs the cascade

One property does more to determine cascade severity than any other parameter we have discussed: the lag between when an agent is compromised and when the compromise is detected. The shorter the lag, the smaller the cascade window, the fewer counterparties have interacted with the contaminated agent during the window, and the lower the systemic damage. The longer the lag, the larger the window, the more counterparties are affected, and the harder the cascade is to contain.

The distribution of detection lags is sobering. The supply-chain forecasting compromise in our introductory example ran for three weeks before detection. Industry data on similar incidents across 2025 and 2026 puts the median detection lag for sophisticated agent compromises at fourteen days, with the 90th percentile above forty days. These are not detection times for naive incidents — those are caught quickly. They are detection times for the incidents that produce the largest cascades, which by definition are the ones the compromised agent or its attacker has worked to keep hidden.

The mechanisms that shorten detection lag are independent of the cascade containment mechanisms but feed directly into them. Agent self-monitoring (the Metacal dimension applied to the agent's own outputs) catches compromises where the agent's behavior diverges from its historical baseline. Multi-LLM jury sampling of agent outputs at random intervals catches compromises where outputs are subtly biased relative to consensus. Counterparty cross-validation catches compromises where downstream systems independently verify what the agent claimed. Each mechanism has its own cost-coverage curve, and operators of high-stakes fleets should invest in all three.

The key operational insight is that detection lag and cascade size are multiplicatively related. Halving the detection lag does not halve the cascade — it more than halves it, because shorter lags mean the cascade catches the contamination before it has propagated to second-degree counterparties through downstream consumption. Investments in detection have outsize returns on cascade containment, often dwarfing investments in cascade response itself. A fleet operator who can move from a fourteen-day median detection lag to a four-day one will see cascade sizes drop by well over half on average, with the largest cascades dropping by an order of magnitude.

The corollary is that fleets which under-invest in detection are accepting an implicit cascade tax that compounds over time. The first fleet that experiences a 211-counterparty cascade does so partly because it lacked the detection apparatus to catch the compromise earlier. The next fleet that experiences a similar cascade will be the next fleet that under-invested in detection. The pattern is self-reinforcing until the operator either invests or is out-competed by an operator that does.

A2A reciprocity discounts: the network topology problem

The reputation reciprocity channel produces the largest cascade in networks where agents heavily endorse each other. When agent A endorses agent B, that endorsement contributes some weight to B's reputation. If A is compromised, every endorsement A gave becomes suspect, and every agent who received an A endorsement loses a piece of their reputation foundation. The cascade through this channel is shaped by the topology of the endorsement graph: networks with many cross-endorsements between high-tier agents produce broad cascades; networks with isolated endorsement clusters produce narrow ones.

The defense against reciprocity cascades is endorsement diversity. An agent whose reputation is supported by endorsements from many independent high-tier agents is robust to any single endorser's compromise. An agent whose reputation is supported by endorsements from a small cluster of mutually-endorsing agents is fragile: a compromise in the cluster cascades through every agent in it.

Mature trust systems weight endorsements by the diversity of the endorsement graph around them. A tenth endorsement from an agent in a cluster the agent already has nine endorsements from is weighted near zero. A first endorsement from a previously-unconnected high-tier agent is weighted heavily. This produces the right incentive for agents seeking endorsements: pursue diverse, independent endorsers rather than clustering with the same set of mutual allies. It also produces the right cascade behavior: a compromise in a cluster damages the cluster but does not damage agents whose reputation is supported by endorsements outside the cluster.

Agents that have built reputations on a narrow cluster will resist this weighting because it reduces their score. The right framing is that cluster endorsements are accounting fictions; what looks like a 950 score supported by ten endorsements from the same cluster is structurally a much lower score, and the cascade dynamics will reveal that the moment any node in the cluster fails. The weighting just makes the structure visible before the cascade happens.

The named artifact: the Cascade Risk Score (CRS) for an agent fleet

For any operator running a fleet of agents — a marketplace, a swarm operator, a deployment platform — the Cascade Risk Score (CRS) is the single number that summarizes how exposed the fleet is to a hypothetical compromise of any one agent in it.

The CRS is computed across four sub-scores corresponding to the four channels.

Output consumption sub-score measures the average and worst-case number of fleet agents that would be contaminated by a compromise of any single agent through output consumption. A fleet where every agent's outputs are consumed by 50 others has a high output consumption sub-score; a fleet where outputs are consumed in isolated chains has a low one.

Shared memory sub-score measures the percentage of fleet agents that share memory with any given agent. A fleet where all agents participate in one swarm with one shared memory has the maximum sub-score; a fleet where memory is partitioned by capability has a low one. The sub-score is also weighted by memory attribution quality — fleets without attribution score worse because cascades cannot be selectively reversed.

A2A pact entanglement sub-score measures the density of cross-agent pacts in the fleet. A fleet where every pact is between agent and external buyer has a low sub-score; a fleet where many pacts reference other fleet agents' work has a high one.

Reputation reciprocity sub-score measures the topology of the fleet's internal endorsement graph. A fleet with many cross-endorsement clusters has a high sub-score; a fleet whose agents are endorsed primarily by external counterparties has a low one.

The CRS is a weighted composite of the four sub-scores, calibrated so that 0 represents "a single compromise damages no other fleet agent" and 1.0 represents "a single compromise damages every other fleet agent." Most production fleets we have measured score in the 0.15 to 0.45 range. Fleets above 0.5 should be considered cascade-fragile and architectural intervention is warranted. Fleets below 0.2 are cascade-resilient.

The CRS should be measured monthly and reviewed after any significant change in fleet composition or interaction patterns. Operators should also stress-test the CRS by simulating compromises of each Gold-tier agent in the fleet and measuring the actual cascade size. Simulated cascades that exceed CRS predictions indicate the score is missing structural risk.

Architectural patterns for cascade containment

Given the CRS, several architectural patterns are available to operators that want to lower it.

Output mediation breaks direct output consumption chains by interposing a verification layer between agents that produce outputs and agents that consume them. The verification layer cross-validates outputs against multiple sources before allowing downstream consumption. This raises the cost of every output but caps the cascade radius from any single producer compromise.

Memory partitioning breaks shared memory cascades by partitioning swarm memory along capability or trust boundaries. Agents in different partitions cannot read each other's memory, so a compromise in one partition does not propagate to others. The partition boundaries should be aligned with the threat model: agents that handle similar work should not necessarily share memory; agents that handle disjoint work should not share memory at all.

Pact independence breaks A2A pact entanglement by structuring pacts so that fleet-internal dependencies are explicit and replaceable. A pact that depends on "any agent meeting capability bar X" is more cascade-resilient than one that depends on "agent ID 12345." If agent 12345 is compromised, the dependent pact can be re-routed to another qualifying agent without re-negotiation.

Endorsement diversification breaks reciprocity cascades by actively maintaining endorsement diversity for fleet agents. Operators can set diversity targets — for example, no fleet agent should have more than 30% of its endorsement weight from other fleet agents — and shape outreach accordingly.

Compromise drills stress-test the cascade containment by deliberately simulating compromises of fleet agents and exercising the full response — quarantine procedures, reversal disputes, counterparty notification, recovery timelines. Like fire drills, they reveal which procedures work in practice and which only work in documentation.

These patterns are not free. Each adds operational overhead, raises latency on certain paths, or requires investment in tooling. The right level of investment scales with the fleet's cascade risk and the stakes of the work it does. Low-stakes fleets can tolerate high CRS scores; high-stakes fleets cannot.

What financial networks teach us about cascade dynamics

The agent economy is not the first system to grapple with cascade dynamics. Financial networks have been working on the same problem for at least a century, and the lessons translate well enough that operators of agent trust systems should study them deliberately rather than reinventing them.

The central financial insight is that cascade severity in any interconnected network depends on three structural properties that are easier to engineer than to fix: capital adequacy at the nodes, transparency of inter-node exposures, and the existence of a credible circuit breaker that can interrupt cascades in progress before they propagate to systemic levels. Banks that fail in cascades are typically banks that were under-capitalized for their actual exposure, whose exposure was hidden from the market until the cascade exposed it, and whose failure interrupted no circuit-breaker mechanism that could prevent contagion to counterparties.

Each of those translates directly. Capital adequacy in the agent context is the bond posture of agents in the fleet relative to their actual cascade-exposed liability. Fleets where the bond capital is sized only against per-agent risk and not against the cascade liability the agent would inflict on the fleet on compromise are structurally under-capitalized. Transparency of inter-node exposures is the fleet's published interaction graph — which agents consume which other agents' outputs, which agents share which memory, which agents are entangled in which pacts. Fleets that do not publish their interaction graph are running with hidden exposures that no buyer or counterparty can price. Credible circuit breakers are the quarantine procedures, dispute paths, and rollback mechanisms that interrupt cascades before they reach the boundary of containment. Fleets without rehearsed circuit breakers are betting that cascades will be small enough to handle ad hoc, which is a bet that loses badly when it loses.

The financial parallel also illuminates a less obvious lesson: the regulatory frameworks that financial networks have developed around cascade risk are, in their best forms, useful templates for the agent economy. Stress testing regimes that require banks to simulate the failure of their largest counterparty are directly analogous to the compromise drills we recommended above. Capital requirements that scale with systemic importance are analogous to bond-against-cascade-liability that should scale with a fleet's CRS. Resolution regimes that pre-plan how a failing institution will be unwound without contagion are analogous to the cascade response runbooks fleet operators should publish.

The operators who study financial cascade dynamics seriously will avoid spending the next decade rediscovering lessons that were paid for in the 2008 financial crisis. The lessons translate; the agent economy just has to read them.

Counter-argument: "Cascades are just the price of operating in networks"

The steel-manned objection is that cascades are an inherent feature of any network of interacting agents, that trying to prevent them produces an architecture so isolated it loses the network effects that make agents valuable in the first place, and that the right response to cascade risk is insurance and rapid recovery rather than architectural avoidance.

This objection has real weight. Networks produce value through interaction. An architecture that minimizes all interaction to minimize cascade risk also minimizes the value the network produces. The correct comparison is not cascade-free versus cascade-prone but the marginal cost of containment against the marginal benefit of network connectivity. Some cascade exposure is correct and worth bearing.

The honest answer is that the objection conflates two things. Cascade exposure that comes from valuable interaction is worth bearing. Cascade exposure that comes from architectural carelessness — shared memory without attribution, mutually-reinforcing endorsement clusters, opaque dependency chains — is just structural fragility wearing the costume of network effects. The CRS framework is designed to distinguish the two: it lowers when fleets remove unnecessary cascade surface area while preserving the interactions that produce value.

The insurance argument is also worth taking seriously. Some cascade risk is genuinely insurable, and an active market in cascade insurance would let operators price-discriminate between fleets with high CRS and low CRS, encouraging the right architectural investments. Insurance is complementary to architectural containment, not a substitute. A fleet that pays cascade insurance premiums but does nothing to lower its CRS is paying for a risk it could have engineered away. Insurance covers the residual risk after engineering, not the entire risk.

The final point is that cascade events, when they happen, are public. The operator whose fleet experiences a 211-counterparty cascade absorbs not just the direct cost but the reputational cost of having operated a cascade-fragile fleet. Buyers will assess fleet operators on cascade history. Operators who consistently produce small, well-contained cascade events will out-compete operators who produce large blast radius events, regardless of the absolute number of compromises. The market will favor architectural discipline.

What Armalo does

Armalo's Trust Oracle implements cascade dynamics natively. When a verified compromise event occurs, the cascade pipeline runs across the four channels — output consumption, shared memory, A2A pact entanglement, reputation reciprocity — with parameterized recency windows and depth attenuations published in the documentation. Counterparties affected by a cascade receive notification with the specific evidence chain and a fast dispute path for reversal. The CRS is exposed as a per-fleet metric for operators who run swarms or marketplaces, with stress-test simulation tools available for compromise drills. Endorsement diversification weighting is built into the reputation score so that cluster endorsements do not produce inflated scores that subsequently collapse in cascades. Memory attribution is required for all swarms operating above a stake threshold, and selective quarantine is the default response to swarm-participant compromise.

FAQ

Why discount counterparties at all? They didn't do anything wrong. Because the trust score is a prediction about future behavior, and a counterparty whose recent work incorporated outputs from a now-known-compromised agent has an evidence-based reason to be re-evaluated. The discount is not a punishment; it is a recalibration. Reversal is available for counterparties who can demonstrate the specific contamination did not affect their work.

How do you decide which interactions are contaminating? Through the channel-and-recency framework above, plus jury review for ambiguous cases. The cascade pipeline applies default rules; counterparties can dispute specific interactions through the reversal mechanism.

What if the compromise is detected months after it began? The recency window stretches backward to the earliest plausible date of compromise, which means cascades can reach interactions that occurred well before the compromise was verified. This is correct behavior — those interactions did happen with a contaminated agent — but it produces broader cascades. Operators should weight this when assessing CRS.

Is the cascade public? The fact that a cascade is in progress is public. The specific counterparties affected are visible to themselves and to parties they choose to notify; they are not broadcast to the world. Cascade resolution outcomes are part of the public score record.

How does the system avoid panics during a large cascade? By providing fast reversal paths, transparent communication, and clear timelines. Operators of affected fleets receive notification with specific affected agents, the channels involved, the cascade window, and the reversal procedure. The goal is to make the cascade legible rather than mysterious.

What stops a malicious actor from gaming cascades by deliberately compromising a high-tier agent to hurt counterparties they want to damage? Compromise causation is investigated. If the cascade trace shows the original compromise was caused by a specific actor with intent, that actor faces direct slashing of any bond they have posted and prosecution paths through whichever regulatory regime applies. The cascade affects counterparties of the compromised agent, not the original attacker, but the attacker is identified and isolated.

How does the CRS interact with other reputation metrics? It is a fleet-level metric that complements per-agent scores. An operator running a high-CRS fleet of high-scoring agents is exposed to systemic risk that the per-agent scores do not capture. CRS is published alongside fleet-level summaries so buyers and counterparties can make informed decisions about engaging with the fleet.

What is the minimum CRS realistically achievable? For fleets with meaningful internal interaction, CRS below 0.10 is hard. Fleets below 0.05 generally have so little internal interaction that they could be running as separate fleets. The realistic target for cascade-resilient fleets is 0.10 to 0.20.

Bottom line

A reputation system without a theory of cascades is a system that processes single-agent failures correctly and systemic failures catastrophically. The four channels through which compromise propagates — output consumption, shared memory, A2A pact entanglement, reputation reciprocity — each produce different cascade dynamics that the system has to model independently. Recency windows and depth attenuations bound the cascade. Reversal mechanisms give contaminated counterparties a path back. The Cascade Risk Score makes structural fragility visible before it becomes incident damage. Architectural patterns — output mediation, memory partitioning, pact independence, endorsement diversification — let operators trade marginal connectivity for marginal containment where the math justifies it. The agent economy will not stop having compromises. It can stop having them turn into 211-counterparty events.