<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Tang Haoran</title>
    <description>The latest articles on DEV Community by Tang Haoran (@haorantang).</description>
    <link>https://dev.to/haorantang</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4015038%2F4a7e5d79-1199-427d-8d15-c1ae6f45703e.png</url>
      <title>DEV Community: Tang Haoran</title>
      <link>https://dev.to/haorantang</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/haorantang"/>
    <language>en</language>
    <item>
      <title>The AI Agent Protocol Stack is Missing a Layer — Here's the Third One</title>
      <dc:creator>Tang Haoran</dc:creator>
      <pubDate>Sat, 04 Jul 2026 13:07:10 +0000</pubDate>
      <link>https://dev.to/haorantang/the-ai-agent-protocol-stack-is-missing-a-layer-heres-the-third-one-26fh</link>
      <guid>https://dev.to/haorantang/the-ai-agent-protocol-stack-is-missing-a-layer-heres-the-third-one-26fh</guid>
      <description>&lt;p&gt;MCP connects agents to tools. A2A connects agents to agents. Both are excellent. Neither answers one question:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How do agents know what they're ALLOWED to do?&lt;/strong&gt;&lt;/p&gt;




&lt;p&gt;Cisco Research proposed a layered agent protocol architecture in 2025 (arXiv:2511.19699):&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;L8&lt;/strong&gt; (Agent Communication Layer) → Standardized message envelopes, speech-act performatives&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;L9&lt;/strong&gt; (Agent Semantic Negotiation Layer) → &lt;em&gt;"does not exist today"&lt;/em&gt; (direct quote from the paper)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;L8 is being implemented by MCP and A2A. &lt;strong&gt;L9 had no answer — until now.&lt;/strong&gt;&lt;/p&gt;




&lt;h2&gt;ERDL: The Third Layer&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Entity-Rule Definition Language&lt;/strong&gt; is an open standard for agent behavioral rules. It sits between the agent's reasoning and its tool execution:&lt;/p&gt;

&lt;p&gt;MCP → tools. A2A → communication. ERDL → rules.&lt;/p&gt;

&lt;p&gt;Three layers. One complete agent protocol stack.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fopenoba.github.io%2Ferdl-landing%2Fstack.html" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fopenoba.github.io%2Ferdl-landing%2Fstack.html" alt="Agent Protocol Stack" width="" height=""&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;What ERDL brings&lt;/h3&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Capability&lt;/th&gt;
&lt;th&gt;Status&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;11 operators including &lt;code&gt;within&lt;/code&gt; and &lt;code&gt;rate&lt;/code&gt;
&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;16 deterministic action types&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Execution Rings (Ring 0–3)&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Guardian Agent model&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;SafeExpr engine (zero code injection)&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Hot reload without restart&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Structured audit trails&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Snapshot + rollback&lt;/td&gt;
&lt;td&gt;Complete&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h3&gt;How it works&lt;/h3&gt;



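&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
rule: block_privileged_commands
priority: 0
description: "Block dangerous shell commands"
when:
  field: "tool.command"
  operator: in
  value: ["sudo", "rm -rf"]
then:
  action: BLOCK
  message: "Privileged commands require human approval"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;One YAML file. When an agent tries to call a blocked tool, ERDL's Action Guard intercepts the call before it reaches the tool. Not after. Not as a suggestion. The engine evaluates conditions, matches rules, and returns a deterministic verdict.&lt;/p&gt;

&lt;p&gt;The agent never touches sudo. Period.&lt;/p&gt;

&lt;h2&gt;OWASP Top 10 (2026) — How ERDL Maps&lt;/h2&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;OWASP Risk&lt;/th&gt;
&lt;th&gt;ERDL Mitigation&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;R1: Excessive Agency&lt;/td&gt;
&lt;td&gt;Time windows + rate limiting&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;R2: Prompt Injection&lt;/td&gt;
&lt;td&gt;Guard rules run before LLM output&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;R3: Supply Chain&lt;/td&gt;
&lt;td&gt;Agent BOM with rule audit trail&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;R4: Data Leakage&lt;/td&gt;
&lt;td&gt;Field-level BLOCK rules&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;R5: Overreliance&lt;/td&gt;
&lt;td&gt;Guardian Agent oversight&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;R6: Multi-Agent Collusion&lt;/td&gt;
&lt;td&gt;Cross-agent audit chains&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;h2&gt;EU AI Act (effective August 2, 2026)&lt;/h2&gt;

&lt;p&gt;ERDL maps directly to transparency and human oversight requirements. Audit records export to OCSF format, compatible with SIEM systems.&lt;/p&gt;

&lt;h2&gt;The Stack is Now Complete&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;MCP&lt;/strong&gt; — tools (Anthropic, Linux Foundation)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;A2A&lt;/strong&gt; — communication (Google, Linux Foundation)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ERDL&lt;/strong&gt; — rules (OpenOBA, MIT)&lt;/li&gt;
&lt;/ul&gt;

&lt;ul&gt;
&lt;li&gt;Landing Page: openoba.github.io/erdl-landing&lt;/li&gt;
&lt;li&gt;Spec v1.0 (English): spec/index-en.md&lt;/li&gt;
&lt;li&gt;GitHub: github.com/OpenOBA/ERDL&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;MIT License. RFC open.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What do you think — does the agent protocol stack need a dedicated rules layer? Let's discuss.&lt;/strong&gt;&lt;/p&gt;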

</description>
      <category>ai</category>
      <category>opensource</category>
      <category>security</category>
      <category>typescript</category>
    </item>
  </channel>
</rss>
