HackerTrans
TopNewTrendsCommentsPastAskShowJobs

tomjwxf

1 karmajoined 4 ay önce
@TJWXF3 on X / @tomjwxf GitHub Global macro PM, design, culture, and technology… built building ScopeBlind / Veritas Acta - MIT projects: protect-mcp, veritasacta/verify, scopeblind/passport, scopeblind/red-team

Submissions

[untitled]

1 points·by tomjwxf·5 gün önce·0 comments

Token spend is not token capital

twitter.com
3 points·by tomjwxf·26 gün önce·0 comments

Token Capital Needs Receipts

twitter.com
2 points·by tomjwxf·27 gün önce·0 comments

[untitled]

1 points·by tomjwxf·4 ay önce·0 comments

Signed receipts for MCP tool calls – prove what your agent did

npmjs.com
2 points·by tomjwxf·4 ay önce·0 comments

comments

tomjwxf
·3 ay önce·discuss
[dead]
tomjwxf
·3 ay önce·discuss
Re classifier routing: text-shape signals (token count, syntactic markers) underspecify the boundary, especially for agent-generated queries. The signal that worked better in our policy-gated tool-call setting was the surrounding intent context the agent was operating under, not the query string itself. An agent in a "fact-check" context emits long, well-formed sentences that actually want exact-match retrieval; an agent in an "open research" context emits surprisingly short queries that need narrative retrieval. If the runtime can read the tool or skill context at query time, routing on that is less ambiguous than text shape. Doesn't help if the wiki is a black-box MCP server with no caller-side context, but it's worth offering an optional context hint in the lookup payload.
tomjwxf
·3 ay önce·discuss
[dead]
tomjwxf
·4 ay önce·discuss
my core thesis is that AGI is here, it just needs accountability and efficient frameworks to navigate our arbitrary world
tomjwxf
·4 ay önce·discuss
The gateway approach (OAuth + RBAC) solves the perimeter problem — who can connect. protect-mcp solves a different layer — what can they do once connected, and how do you prove it.

It wraps any MCP server as a stdio proxy. Per-tool policies (block, rate-limit, require human approval). Every decision gets an Ed25519-signed receipt that's verifiable offline — no callbacks, no accounts.

The two layers stack: your gateway authenticates the caller, protect-mcp constrains which tools they can call and signs the evidence.

npx protect-mcp -- node your-server.js

MIT licensed. The receipts protocol has an IETF Internet-Draft: https://datatracker.ietf.org/doc/draft-farley-acta-signed-re...

npm: https://npmjs.com/package/protect-mcp
tomjwxf
·4 ay önce·discuss
[dead]
tomjwxf
·4 ay önce·discuss
The staged autonomy pattern ("trust is earnable") maps directly to what we built with protect-mcp — shadow mode first (log everything, block nothing), then enforce when you've seen enough data to trust the policies.

For the prompt injection concern: protect-mcp wraps MCP tool calls with per-tool policies. Even if the agent gets injected, it can't call tools outside the policy. Every decision is optionally Ed25519-signed and verifiable offline.

npmjs.com/package/protect-mcp
tomjwxf
·4 ay önce·discuss
This is exactly right. We implemented delegation receipts — Agent A grants scoped authority to Agent B, producing a signed receipt. B's subsequent actions reference A's delegation receipt. An auditor can trace the full chain from human principal to agent action.

The fiduciary analogy is spot on. Every receipt in the chain is independently verifiable: npx @veritasacta/verify --self-test
tomjwxf
·4 ay önce·discuss
[dead]
tomjwxf
·4 ay önce·discuss
[dead]
tomjwxf
·4 ay önce·discuss
[dead]
tomjwxf
·4 ay önce·discuss
[dead]