<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: NieJingChuan</title>
    <description>The latest articles on DEV Community by NieJingChuan (@gangan).</description>
    <link>https://dev.to/gangan</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4030026%2F925b3683-1c92-4042-beee-763513fb6a5e.jpg</url>
      <title>DEV Community: NieJingChuan</title>
      <link>https://dev.to/gangan</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/gangan"/>
    <language>en</language>
    <item>
      <title>Where ACC Fits in the Agent Stack: Transport, Runtime Control, and Business Authority</title>
      <dc:creator>NieJingChuan</dc:creator>
      <pubDate>Wed, 15 Jul 2026 09:22:38 +0000</pubDate>
      <link>https://dev.to/gangan/where-acc-fits-in-the-agent-stack-transport-runtime-control-and-business-authority-404b</link>
      <guid>https://dev.to/gangan/where-acc-fits-in-the-agent-stack-transport-runtime-control-and-business-authority-404b</guid>
      <description>&lt;p&gt;Connecting an AI agent to a tool is becoming easier. Letting that agent operate a real business system responsibly is still a different problem.&lt;/p&gt;

&lt;p&gt;Imagine an existing commerce system with APIs for reading orders, changing inventory, creating refunds, and disabling staff accounts. OpenAPI can describe the endpoints. A tool protocol can make them discoverable. An agent framework can select an operation and generate arguments.&lt;/p&gt;

&lt;p&gt;But those pieces do not, by themselves, answer several business questions:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Which operations may be exposed to an agent-facing surface?&lt;/li&gt;
&lt;li&gt;Which invocation must carry a trusted acting subject?&lt;/li&gt;
&lt;li&gt;Which operation is high consequence?&lt;/li&gt;
&lt;li&gt;When does an invocation express approval intent?&lt;/li&gt;
&lt;li&gt;Which calls need stronger audit handling?&lt;/li&gt;
&lt;li&gt;Which execution properties should a runtime know before it invokes the API?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These questions sit between tool connectivity and final business authorization. That is the layer the Agent Capability Contract, or ACC, is designed to describe.&lt;/p&gt;

&lt;h2&gt;
  
  
  Start with a concrete operation
&lt;/h2&gt;

&lt;p&gt;Consider this API operation:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;paths&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="s"&gt;/orders/{order_id}/refund&lt;/span&gt;&lt;span class="err"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;post&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;operationId&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;createRefund&lt;/span&gt;
      &lt;span class="na"&gt;parameters&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;in&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;path&lt;/span&gt;
          &lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;order_id&lt;/span&gt;
          &lt;span class="na"&gt;required&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
          &lt;span class="na"&gt;schema&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;string&lt;/span&gt;
      &lt;span class="na"&gt;requestBody&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
        &lt;span class="na"&gt;required&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
        &lt;span class="na"&gt;content&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
          &lt;span class="na"&gt;application/json&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
            &lt;span class="na"&gt;schema&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
              &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;object&lt;/span&gt;
              &lt;span class="na"&gt;required&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="nv"&gt;amount&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
              &lt;span class="na"&gt;properties&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
                &lt;span class="na"&gt;amount&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
                  &lt;span class="na"&gt;type&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;number&lt;/span&gt;
                  &lt;span class="na"&gt;minimum&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;0&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is enough to describe how to call the operation. It is not enough to describe how an agent-facing system should treat it.&lt;/p&gt;

&lt;p&gt;ACC adds a small, machine-readable declaration next to the operation:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;x-agent-capability&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;version&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;1&lt;/span&gt;
  &lt;span class="na"&gt;enabled&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
  &lt;span class="na"&gt;scope&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;refund.create&lt;/span&gt;
  &lt;span class="na"&gt;risk&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;level&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;high&lt;/span&gt;
  &lt;span class="na"&gt;subject&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;required&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
  &lt;span class="na"&gt;approval&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;required&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
    &lt;span class="na"&gt;when&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;param&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;amount&lt;/span&gt;
        &lt;span class="na"&gt;op&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;&amp;gt;"&lt;/span&gt;
        &lt;span class="na"&gt;value&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;1000&lt;/span&gt;
  &lt;span class="na"&gt;audit&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;sensitive&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
  &lt;span class="na"&gt;execution&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;readonly&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;false&lt;/span&gt;
    &lt;span class="na"&gt;idempotent&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="kc"&gt;true&lt;/span&gt;
    &lt;span class="na"&gt;timeout_ms&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="m"&gt;10000&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The declaration does not grant the refund. It tells a compatible runtime how the operation should be presented and governed before the business system receives the call.&lt;/p&gt;

&lt;h2&gt;
  
  
  The missing layer is not another transport
&lt;/h2&gt;

&lt;p&gt;It helps to separate the stack into responsibilities.&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Layer&lt;/th&gt;
&lt;th&gt;Primary question&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;OpenAPI and JSON Schema&lt;/td&gt;
&lt;td&gt;What operation exists, and what are its inputs and outputs?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;MCP, A2A, and other transport or discovery mechanisms&lt;/td&gt;
&lt;td&gt;How are tools or agents discovered, connected, and invoked?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;ACC&lt;/td&gt;
&lt;td&gt;What portable governance meaning does this business operation declare?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Runtime controls, gateways, and policy components&lt;/td&gt;
&lt;td&gt;How is a live invocation inspected, paused, denied, transformed, throttled, or audited?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Business authorization and data&lt;/td&gt;
&lt;td&gt;Is this subject allowed to perform this action now, against this resource?&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Workflow and transaction systems&lt;/td&gt;
&lt;td&gt;How are multi-step work, recovery, and compensation coordinated?&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;These layers are complementary. A deployment can use OpenAPI, MCP, a runtime hook framework, OPA or Cedar, an approval system, and ACC at the same time.&lt;/p&gt;

&lt;p&gt;ACC does not need to replace any of them to be useful.&lt;/p&gt;

&lt;h2&gt;
  
  
  OpenAPI describes shape, not agent-facing governance
&lt;/h2&gt;

&lt;p&gt;OpenAPI is the right place for HTTP methods, parameters, request bodies, responses, and reusable schemas. ACC deliberately reuses that information instead of creating another parameter language.&lt;/p&gt;

&lt;p&gt;The missing information is operation-level governance meaning. &lt;code&gt;POST /refund&lt;/code&gt; tells a runtime very little about whether the operation should be visible to an agent, whether a trusted subject is required, or whether an approval intent should be created for a particular argument value.&lt;/p&gt;

&lt;p&gt;That metadata is not a replacement for the interface description. It sits beside it.&lt;/p&gt;

&lt;h2&gt;
  
  
  MCP and A2A solve different connectivity problems
&lt;/h2&gt;

&lt;p&gt;MCP helps applications and models connect to tools, resources, and prompts. A2A addresses communication and collaboration between agents.&lt;/p&gt;

&lt;p&gt;Both can transport additional metadata. A binding could carry ACC declarations through MCP or an A2A extension. But making the declaration identical to one transport would make it less portable.&lt;/p&gt;

&lt;p&gt;Some systems call HTTP APIs directly. Some expose MCP tools. Some use an internal gateway. Others will use protocols that do not exist yet. The governance meaning of &lt;code&gt;refund.create&lt;/code&gt; should be able to survive those changes.&lt;/p&gt;

&lt;p&gt;That is why ACC treats protocol bindings as adapters around a small contract rather than making one protocol the owner of the semantics.&lt;/p&gt;

&lt;h2&gt;
  
  
  Runtime hooks enforce; declarations describe
&lt;/h2&gt;

&lt;p&gt;Runtime control specifications and secure gateways are important. They define interception points around a live invocation and actions such as allow, deny, modify, pause, or audit.&lt;/p&gt;

&lt;p&gt;Those hooks answer &lt;strong&gt;where and how&lt;/strong&gt; a decision can be enforced.&lt;/p&gt;

&lt;p&gt;ACC answers a different question: &lt;strong&gt;what portable governance meaning does the business operation declare?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A hook can read an ACC declaration. A gateway can compile it into local policy. A control plane can combine it with runtime context. None of those enforcement architectures becomes unnecessary, and ACC does not pretend that a declaration enforces itself.&lt;/p&gt;

&lt;h2&gt;
  
  
  Reach is not authority
&lt;/h2&gt;

&lt;p&gt;The most important boundary in ACC is the separation between reach and authority.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Reach:&lt;/strong&gt; what an agent-facing runtime may expose or attempt.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Authority:&lt;/strong&gt; whether the acting subject may perform the action against the current business state.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;ACC governs reach. The business system retains authority.&lt;/p&gt;

&lt;p&gt;For a refund, the runtime may verify that the operation is agent-visible, high risk, subject-bound, and approval-aware. The business system must still verify that the user can access the order, the order is refundable, the amount is valid, the tenant boundary holds, and the refund has not already been completed.&lt;/p&gt;

&lt;p&gt;This separation matters because authorization depends on identities, resources, tenant data, current state, and organization-specific policy. Turning ACC into a universal authorization language would make the core larger while making the result less portable and less trustworthy.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why not use only OPA, Cedar, RBAC, or an API gateway?
&lt;/h2&gt;

&lt;p&gt;Those systems are valuable local policy and enforcement mechanisms. They can decide whether a request is allowed using deployment-specific identities and context.&lt;/p&gt;

&lt;p&gt;ACC can provide a common operation-level input to them:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ACC declaration
      +
trusted subject and invocation context
      +
local policy
      =
runtime decision and business authorization path
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The value of the contract is not that it can express every enterprise rule. It is that different tools can start from the same portable declaration instead of forcing each gateway, agent framework, and control plane to invent unrelated metadata for the same business operation.&lt;/p&gt;

&lt;h2&gt;
  
  
  A small core is an architectural constraint
&lt;/h2&gt;

&lt;p&gt;It is tempting to add workflow definitions, tenant injection rules, approval ownership, retention periods, compensation logic, organization roles, and a general expression language to one schema.&lt;/p&gt;

&lt;p&gt;Most of those concerns are real. They are also difficult to define consistently across runtimes and organizations.&lt;/p&gt;

&lt;p&gt;ACC keeps them outside the core when they require private identity models, fresh business data, deployment-specific UI, enterprise compliance policy, or transaction coordination. This is not a claim that they are unimportant. It is an attempt to keep each responsibility in the layer that can actually enforce it.&lt;/p&gt;

&lt;p&gt;The contract is intentionally thin:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;interface parameters remain in OpenAPI and JSON Schema;&lt;/li&gt;
&lt;li&gt;transport remains in MCP, A2A, HTTP, or another binding;&lt;/li&gt;
&lt;li&gt;runtime decisions remain with the runtime and its policy system;&lt;/li&gt;
&lt;li&gt;final authorization remains with the business system;&lt;/li&gt;
&lt;li&gt;multi-step coordination remains with workflow and transaction systems.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Portability requires testable semantics
&lt;/h2&gt;

&lt;p&gt;A portable field is only useful when different implementations interpret it consistently.&lt;/p&gt;

&lt;p&gt;ACC therefore separates conformance profiles for parsers, generators, runtimes, and policy components. Its public conformance corpus covers parsing, exposure, subject handling, conditional approval, strict comparison behavior, and security invariants.&lt;/p&gt;

&lt;p&gt;This is still early work. A schema and a reference checker do not prove that every deployment is secure. They do make disagreements observable and give independent implementations a shared place to contribute evidence.&lt;/p&gt;

&lt;h2&gt;
  
  
  What should come next?
&lt;/h2&gt;

&lt;p&gt;The most useful next steps are not to turn ACC into an all-in-one platform. They are to improve composition:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;document a precise ACC-to-MCP binding;&lt;/li&gt;
&lt;li&gt;describe how runtime control systems consume ACC fields without changing their meaning;&lt;/li&gt;
&lt;li&gt;expand conformance vectors where cross-implementation behavior can be tested;&lt;/li&gt;
&lt;li&gt;collect independent implementation and integration evidence;&lt;/li&gt;
&lt;li&gt;keep final business authority outside the contract.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;If agents are going to operate orders, inventory, refunds, staff records, and internal workflows, connectivity alone will not be enough. The ecosystem needs a portable way to describe the governance meaning of the operations being connected.&lt;/p&gt;

&lt;p&gt;ACC is one open proposal for that layer.&lt;/p&gt;

&lt;h2&gt;
  
  
  Read and review
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;ACC website: &lt;a href="https://agentcapability.org/" rel="noopener noreferrer"&gt;https://agentcapability.org/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Ecosystem landscape and FAQ: &lt;a href="https://agentcapability.org/ecosystem/" rel="noopener noreferrer"&gt;https://agentcapability.org/ecosystem/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Specification and conformance: &lt;a href="https://agentcapability.org/docs/" rel="noopener noreferrer"&gt;https://agentcapability.org/docs/&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;GitHub: &lt;a href="https://github.com/agent-capability/agent-capability-contract" rel="noopener noreferrer"&gt;https://github.com/agent-capability/agent-capability-contract&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Proposal process: &lt;a href="https://github.com/agent-capability/agent-capability-contract/tree/main/proposals" rel="noopener noreferrer"&gt;https://github.com/agent-capability/agent-capability-contract/tree/main/proposals&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Technical criticism, alternative bindings, conformance evidence, and independent implementations are welcome. The goal is not to give one product special status. It is to make the layer precise enough that multiple products can implement it independently.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>architecture</category>
      <category>security</category>
      <category>opensource</category>
    </item>
  </channel>
</rss>
