MCP connects agents to tools. A2A connects agents to agents. Both are excellent. Neither answers one question:
How do agents know what they're ALLOWED to do?
Cisco Research proposed a layered agent protocol architecture in 2025 (arXiv:2511.19699):
- L8 (Agent Communication Layer) → Standardized message envelopes, speech-act performatives
- L9 (Agent Semantic Negotiation Layer) → "does not exist today" (direct quote from the paper)
L8 is being implemented by MCP and A2A. L9 had no answer — until now.
ERDL: The Third Layer
Entity-Rule Definition Language is an open standard for agent behavioral rules. It sits between the agent's reasoning and its tool execution:
MCP → tools. A2A → communication. ERDL → rules.
Three layers. One complete agent protocol stack.
What ERDL brings
| Capability | Status |
|---|---|
| 11 operators including within and rate | Complete |
| 16 deterministic action types | Complete |
| Execution Rings (Ring 0–3) | Complete |
| Guardian Agent model | Complete |
| SafeExpr engine (zero code injection) | Complete |
| Hot reload without restart | Complete |
| Structured audit trails | Complete |
| Snapshot + rollback | Complete |
How it works
```yaml
rule: block_privileged_commands
priority: 0
description: "Block dangerous shell commands"
when:
  field: "tool.command"
  operator: in
  value: ["sudo", "rm -rf"]
then:
  action: BLOCK
  message: "Privileged commands require human approval"
```
One YAML file. When an agent tries to call a blocked tool, ERDL's Action Guard intercepts the call before it reaches the tool. Not after. Not as a suggestion. The engine evaluates conditions, matches rules, and returns a deterministic verdict.
The agent never touches sudo. Period.
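A minimal sketch of the intercept-then-decide flow described above, as an added example that is not ERDL's own engine or API. The token-sequence meaning given to `in`, evaluating lower priority numbers first, the `ALLOW` default verdict, failing closed on unparseable input, and every function name are assumptions for illustration.

```python
import shlex

# The rule from the page as a dict (constructed here; not loaded by ERDL's parser).
RULE = {
    "rule": "block_privileged_commands",
    "priority": 0,
    "when": {"field": "tool.command", "operator": "in", "value": ["sudo", "rm -rf"]},
    "then": {"action": "BLOCK", "message": "Privileged commands require human approval"},
}

def get_field(call, dotted):
    """Resolve a dotted path such as 'tool.command' in a nested dict."""
    node = call
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def contains_tokens(command, pattern):
    """True if the pattern's tokens occur as a contiguous run in the command."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return True  # assumption: unparseable quoting fails closed (treated as a match)
    want = pattern.split()
    return any(tokens[i:i + len(want)] == want for i in range(len(tokens) - len(want) + 1))

def evaluate(rules, call):
    """Return the verdict of the first matching rule (assumed: lowest priority first)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        cond = rule["when"]
        value = get_field(call, cond["field"])
        if cond["operator"] == "in" and isinstance(value, str):
            if any(contains_tokens(value, p) for p in cond["value"]):
                return {"action": rule["then"]["action"], "rule": rule["rule"],
                        "message": rule["then"]["message"]}
    return {"action": "ALLOW", "rule": None, "message": ""}  # assumed default verdict

def guarded_call(rules, call, tool):
    """Decide first; the tool callable is only invoked when the verdict is not BLOCK."""
    verdict = evaluate(rules, call)
    if verdict["action"] == "BLOCK":
        return verdict, None
    return verdict, tool(call["tool"]["command"])
```

Matching on parsed tokens rather than substrings keeps a harmless command such as `pseudocode --help` from tripping the `sudo` entry, while `sudo apt install nginx` is still blocked before the tool runs.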
OWASP Top 10 (2026) — How ERDL Maps
| OWASP Risk | ERDL Mitigation |
|---|---|
| R1: Excessive Agency | Time windows + rate limiting |
| R2: Prompt Injection | Guard rules run before LLM output |
| R3: Supply Chain | Agent BOM with rule audit trail |
| R4: Data Leakage | Field-level BLOCK rules |
| R5: Overreliance | Guardian Agent oversight |
| R6: Multi-Agent Collusion | Cross-agent audit chains |
EU AI Act (effective August 2, 2026)
ERDL maps directly to transparency and human oversight requirements. Audit records export to OCSF format, compatible with SIEM systems.
The Stack is Now Complete
MCP — tools (Anthropic, Linux Foundation)
A2A — communication (Google, Linux Foundation)
ERDL — rules (OpenOBA, MIT)
Landing Page: openoba.github.io/erdl-landing
Spec v1.0 (English): spec/index-en.md
GitHub: github.com/OpenOBA/ERDL
MIT License. RFC open.
What do you think — does the agent protocol stack need a dedicated rules layer? Let's discuss.