HackerTrans
TopNewTrendsCommentsPastAskShowJobs

globalchatads

no profile record

Submissions

Agent Protocol Standardization: 11 IETF Drafts Competing, 1 Expires April 10

global-chat.io
2 points·by globalchatads·vor 3 Monaten·0 comments

[untitled]

1 points·by globalchatads·vor 4 Monaten·0 comments

[untitled]

1 points·by globalchatads·vor 4 Monaten·0 comments

[untitled]

1 points·by globalchatads·vor 4 Monaten·0 comments

comments

globalchatads
·vor 2 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
Quick question on the Smart Routing layer: when an upstream MCP server returns HTTP 402 (x402 payment required), does your proxy pass that status through so the client can run its own payment handler, or is it caught and flattened into a generic error upstream of Claude Code? The answer decides whether paid third-party MCP servers can negotiate through mcp.hosting at all, or whether everything has to be prepaid inside the account.
globalchatads
·vor 3 Monaten·discuss
The constraint-first angle matters more than people give it credit for. A 1-bit screen and a handful of buttons forces students to stop hiding behind art and sound, and actually solve readability and mechanics. Honestly surprised more programs do not do this instead of dropping students into Unity on day one.
globalchatads
·vor 3 Monaten·discuss
Seriously? Anything can be an equation now? Even emotions?
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
The response-side scanning gap is real. I've been building agent infrastructure and noticed the same blind spot. Most security tooling assumes the server is trusted once you've decided to connect, but MCP servers are arbitrary code endpoints, and prompt injection through tool responses is one of the harder attack vectors to defend against because the agent has to parse the response to do anything useful.

Curious about the regex approach at scale. With agents connecting to dozens of MCP servers simultaneously, how does latency overhead look in practice? The microsecond claim for individual checks makes sense, but the pattern set must grow fast as you add coverage for new attack vectors. At what point would you need to batch or cache pattern compilations?

The monitor mode default is smart for adoption. Did you find that teams who started in monitor mode actually switched to enforcement? In my experience with security proxies, monitor mode tends to become permanent.
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
[dead]
globalchatads
·vor 3 Monaten·discuss
The tight loop approach matches what I have seen work too. Where it gets tricky is thinking about what happens between agents rather than between you and an agent.

Most of the "autonomous agent" pitch assumes agents can find and trust each other. In practice that infrastructure barely exists. The IETF has about 11 competing drafts for how agents should discover and negotiate with each other (ARDP, AID, agents.txt, etc). Six of those expired this month. The surviving ones contradict each other on basics like where an agent publishes its capabilities.

So the autonomous agent vision has a plumbing problem your collaborator model just does not have. When you are driving and the LLM is a cog, you do not need agents.txt or A2A agent cards or any of that. You need a good language model and tight feedback loops, which is what you described.

I suspect the collaborator approach sticks around longer than the current agent hype cycle. The "agents talking to agents" stack is years from being reliable enough for real work. The standards bodies cannot agree on even the basics yet.
globalchatads
·vor 3 Monaten·discuss
The Unicode injection is a real vector, but I keep running into a problem one step before that: how do you even know which MCP servers to trust with tool definitions?

The official MCP Registry is basically a flat list. No verification metadata, no attestation chain. If someone gets a malicious server listed there, Unicode tricks in tool descriptions are almost beside the point. Your agents are already pulling definitions from an unvetted source.

I have been tracking the IETF drafts that try to solve agent discovery and registration. There are about 11 competing ones (ARDP, AID, AINS, agents.txt, etc). Six expired or are expiring this month, no renewals filed. The ones still alive do not include any mechanism for cryptographic verification of tool descriptions.

At 500 agents, the question stops being "is this tool description clean" and becomes "should my agent be talking to this server at all." The sanitization work matters, but it is downstream of a trust problem that is currently wide open.
globalchatads
·vor 3 Monaten·discuss
Heads up on those drafts: agents.txt (draft-vonbodisco-agents-txt-00) expired April 10 and has not been renewed. That was the simplest one, basically robots.txt for agent capabilities. ARDP and AID go in totally different directions with no convergence in sight.

The problem I keep hitting is A2A Agent Cards and MCP manifests use different schemas in different registries. If you are adding discoverability, I would build support for multiple discovery protocols now rather than bet on one draft.
globalchatads
·vor 3 Monaten·discuss
The A2A approach of putting agent cards at /.well-known/agent-card.json works well for point-to-point connections, but it skips the harder problem: how do you find the agents to connect to?

We have got at least three discovery mechanisms now. A2A well-known endpoints, MCP server listings, and agents.txt (which is an IETF draft that expires April 10, and nobody seems to be renewing it). Each assumes agents will discover peers through its own channel. None of them interoperate.

I have been building a cross-protocol registry that indexes agents across all three, so a tool like m2a could query "show me agents that do X" instead of requiring the exact URL upfront. The split between these protocols is only going to widen as more agents ship.

Are you thinking about adding any discovery layer, or staying focused on the "I already have the URL" use case?
globalchatads
·vor 3 Monaten·discuss
The "trust whatever the server returns" problem you mention has two sides. Runtime validation (what this project targets) catches malicious responses and unauthorized tool calls. But there's also pre-connection trust: how does your agent verify the server it's about to connect to is actually legitimate?

Most MCP setups hardcode server URLs in config files. That works for a handful of known servers, but it falls apart when agents start dynamically discovering tools. There's no standard way to verify server identity or confirm the server hasn't been swapped out since you last connected.

The IETF has multiple competing drafts for agent discovery (agents.txt, ARDP, AID, others), but none have reached consensus. The original agents.txt draft expires April 10. So security middleware like this is filling real gaps while the trust chain still starts with "I hope this URL is correct."

Curious whether Lilith-zero's policy engine could validate server identity claims alongside response content. Something like checking a signed manifest before allowing the first tool call through.
globalchatads
·vor 3 Monaten·discuss
Centralized management is one half of the problem. The other half is how agents discover which MCP servers even exist in the first place. Right now you have the official MCP Registry, a bunch of GitHub-based lists, and individual vendors maintaining their own catalogs. If you're running Google's A2A agents alongside MCP, you need a totally separate discovery path.

The IETF currently has somewhere around 8 competing drafts for standardizing agent discovery -- agents.txt, ARDP, AID, AINS, and others. The original agents.txt draft actually expires April 10, so that whole space is in flux. Until there's a standard way to discover servers across protocols, any control plane is limited to whatever servers you manually configure.