Constitutional Security: What Enterprise Infrastructure Taught Me About AI Agent Safety
title: "Constitutional Security: What Enterprise Infrastructure Taught Me About AI Agent Safety" date: 2026-04-14 categories: [arch, phi] projects: [MAELSTROM, GEIST, Pipestry, Vortex] summary: "The same cryptographic primitives that secure energy infrastructure supply chains can secure AI agent orchestration. Here's why — and how I built both."
I spend my days managing enterprise cloud infrastructure for a large energy company. I spend my nights building an AI agent orchestration platform, a DJ streaming system, and a DVS that communicates with Pioneer hardware at the firmware level. The architecture is the same in all of them. That's not a metaphor — it's literally the same Rust crates.
This is the story of how a constitutional security framework designed for critical infrastructure became the foundation of a multi-agent AI system, and what that convergence means for anyone thinking about AI safety from the engineering side rather than the alignment side.
The Origin: Pipestry
In 2024 I started designing a system called Pipestry. The requirements came from my day job: supply chain security for infrastructure operating at enterprise scale. The threat model was straightforward — how do you guarantee integrity, authenticity, and auditability when data flows through systems you don't fully control, operated by people you can't fully trust, in environments that may be adversarial?
The answer was a constitutional approach. Not "constitutional" as a metaphor — constitutional as in: a set of inviolable rules encoded at the protocol level that no participant can override, regardless of their permissions. Every operation produces a cryptographic receipt. Every state transition is witnessed. Every mutation is content-addressed and Merkle-verifiable. Byzantine faults are assumed, not guarded against as edge cases.
The ADR (Architecture Decision Record) stack grew to 35+ documents covering semantic tokenization, witness networks, Byzantine fault tolerance, onion encryption layers, and democratic Merkle governance. The key insight was that security isn't a layer you add — it's a property that emerges when every primitive in the system is cryptographically grounded.
The Distillation: MAELSTROM
Pipestry was comprehensive but theoretical. MAELSTROM is its implementation — 5,800 lines of Rust, shipping in production, with a different surface but identical bones.
The crate exposes five feature-gated modules:
crypto implements the constitutional primitives. x25519 ephemeral key exchange with HKDF-SHA256 session key derivation produces forward-secret session keys. ChaCha20-Poly1305 AEAD with counter-based nonce construction (nonce_base XOR sequence_number) handles authenticated encryption. BLAKE3 content-addressable storage with binary Merkle trees using keyed-hash domain separation (maelstrom-merkle-node-v1) provides integrity verification. Sessions automatically re-key after 1 million packets or 1 hour — whichever comes first. All key material is zeroized on drop.
stream provides a loss-resilient UDP transport with MTU-aware fragmentation, XOR-based forward error correction, an adaptive jitter buffer, and bandwidth estimation. The encryption layer plugs in via a Cipher trait — when the crypto feature is disabled, packets travel in plaintext for trusted networks.
library parses DJ collection formats: Pioneer DeviceSQL/PDB (reverse-engineered binary format with UTF-16LE strings), Rekordbox XML, Serato, and Traktor NML. This module exists because I'm a DJ and I needed it, but the pattern — parsing untrusted binary formats with strict validation — is the same pattern you need for any protocol that handles external input.
stage bridges to hardware: Ableton Link (UDP multicast with custom MAELLINK peer beacons), OSC, DMX/ArtNet for lighting, MIDI Clock. Show control and automation.
mir handles Music Information Retrieval: real-time BPM detection, key detection, transient analysis, loudness measurement (LUFS). Audio-domain signal processing that feeds back into the library and streaming systems.
Every module follows the same constitutional pattern: input is validated before processing, output is authenticated before transmission, state transitions produce auditable records, and key material is ephemeral with enforced rotation.
The Convergence: AI Agent Orchestration
Here's where it gets interesting. I also build GEIST — a TypeScript platform with 264 packages for AI agent orchestration. GEIST has a swarm coordinator, multi-model deliberation (PRIMUS council with 6-member voting), tool firewalls, capability bridges, and MCP (Model Context Protocol) server infrastructure.
When I built the security layer for GEIST, I didn't design something new. I ported the same patterns:
A 6-layer firewall engine evaluates every request through Transport → Authentication → Authorization → Rate Limiting → Transform → Audit. Plugins register at specific layers with explicit priorities. Decisions aggregate fail-secure: any deny at any layer stops processing. The engine supports both parallel and sequential plugin evaluation with timeout guards and configurable fail-open/fail-closed behavior. Every evaluation produces an audit trail with per-layer timestamps and decision records.
The firewall isn't protecting a network. It's protecting an AI agent from executing unauthorized tool calls. But the architecture is identical to what you'd deploy in front of a SCADA system.
The tool allowlist plugin validates that an agent can only invoke tools explicitly granted to it — not through permission checks (which can be bypassed) but through cryptographic capability tokens that are scoped, time-limited, and non-transferable. Same pattern as the witness networks in Pipestry.
The content-addressable storage layer in GEIST uses the same BLAKE3 Merkle primitives from MAELSTROM to ensure that agent memory is tamper-evident. If an agent's episodic memory is modified — by the agent itself, by another agent, or by an adversary — the Merkle root changes and the system detects it.
Why This Matters for AI Safety
The AI safety conversation is dominated by alignment research — training models to have the right values. That work is critical. But there's a complementary problem that gets less attention: even a perfectly aligned model is dangerous if the infrastructure it runs on is insecure.
An aligned model that can be tricked into running unauthorized tools through a prompt injection is no different from an unaligned model. An agent orchestrator that doesn't verify the integrity of its own memory state is vulnerable to manipulation regardless of the model's values. A multi-agent system without Byzantine fault tolerance assumes that no agent will ever produce incorrect results — an assumption that fails the moment you introduce model uncertainty, tool failures, or adversarial inputs.
The constitutional security approach addresses this by making security a property of the infrastructure, not a property of the model. The model doesn't need to "decide" not to execute a dangerous tool call — the firewall prevents it at the protocol level, the same way a hardware firewall prevents unauthorized network traffic regardless of what software is running behind it.
This is defense in depth applied to AI systems:
The transport layer ensures that communication between agents is encrypted and authenticated — no eavesdropping, no message injection, no replay attacks.
The capability layer ensures that each agent can only access the tools and resources it's been explicitly granted — no privilege escalation through prompt engineering.
The integrity layer ensures that all data (agent memory, tool results, orchestration state) is content-addressed and Merkle-verifiable — no silent corruption, no undetected tampering.
The audit layer ensures that every action produces a cryptographic receipt — full reconstructability of any incident.
These aren't theoretical. They're implemented in Rust and TypeScript, running in production, and battle-tested across audio streaming, hardware communication, and agent orchestration use cases.
The Meta-Point
I built all of this — 736,000 lines of code across 14 projects, 4 Rust crates, a reverse-engineered hardware protocol stack, and a constitutional security framework — as a solo developer in 8 months, using AI coding assistants as my primary collaboration tool.
The irony is not lost on me: I used frontier AI models to build the infrastructure that secures AI systems against the failure modes of frontier AI models.
The models helped me move fast. The security architecture ensures that "moving fast" doesn't mean "moving recklessly." Every line of code that an AI assistant helped me write still passes through the same constitutional checks — Zod validation at every boundary, authenticated encryption on every stream, capability-scoped tool access for every agent, audit trails for every mutation.
This is what I mean by "security by security" — not security as an afterthought, not security as a compliance checkbox, but security as the foundational primitive that everything else is built on. The same way content-addressing makes integrity a structural property rather than a runtime check, constitutional security makes safety a property of the architecture rather than a property of the model.
The code is real. The architecture is documented. The patterns transfer. Everything here was built in free time.
Lee builds ekelhaft.tools — an ecosystem of DJ tools, AI agent orchestration, and streaming infrastructure. The MAELSTROM engine, GEIST platform, and constitutional security framework described here are part of this ecosystem. All project names are German words chosen for their industrial energy and Berghain aesthetic.