DEV Community

Tang Haoran

The AI Agent Protocol Stack is Missing a Layer — Here's the Third One

MCP connects agents to tools. A2A connects agents to agents. Both are excellent. Neither answers one question:

How do agents know what they're ALLOWED to do?


Cisco Research proposed a layered agent protocol architecture in 2025 (arXiv:2511.19699):

  • L8 (Agent Communication Layer) → Standardized message envelopes, speech-act performatives
  • L9 (Agent Semantic Negotiation Layer) → "does not exist today" (direct quote from the paper)

L8 is being implemented by MCP and A2A. L9 had no answer — until now.


ERDL: The Third Layer

Entity-Rule Definition Language is an open standard for agent behavioral rules. It sits between the agent's reasoning and its tool execution:

MCP → tools. A2A → communication. ERDL → rules.

Three layers. One complete agent protocol stack.

Agent Protocol Stack

What ERDL brings

| Capability | Status |
| --- | --- |
| 11 operators including `within` and `rate` | Complete |
| 16 deterministic action types | Complete |
| Execution Rings (Ring 0–3) | Complete |
| Guardian Agent model | Complete |
| SafeExpr engine (zero code injection) | Complete |
| Hot reload without restart | Complete |
| Structured audit trails | Complete |
| Snapshot + rollback | Complete |

How it works


```yaml
rule: block_privileged_commands
priority: 0
description: "Block dangerous shell commands"
when:
  field: "tool.command"
  operator: in
  value: ["sudo", "rm -rf"]
then:
  action: BLOCK
  message: "Privileged commands require human approval"
```

One YAML file. When an agent tries to call a blocked tool, ERDL's Action Guard intercepts the call before it reaches the tool. Not after. Not as a suggestion. The engine evaluates conditions, matches rules, and returns a deterministic verdict.

The agent never touches sudo. Period.
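
The interception pattern described above, as an added Python sketch that is not ERDL's engine or API: a guard evaluates the rule against the tool call and only dispatches on ALLOW. The names `evaluate`, `guarded_call` and `Verdict`, the exact-membership reading of `in`, the priority ordering and the default-allow fallback are all assumptions made for this illustration.

```python
# Added illustration of a pre-execution guard; not ERDL's engine or API.
# Assumptions: "in" is exact list membership, a lower priority number is
# evaluated first, and a call that matches no rule is allowed.
from dataclasses import dataclass

# The page's YAML rule transcribed as a dict so no YAML parser is needed.
RULES = [{
    "rule": "block_privileged_commands",
    "priority": 0,
    "when": {"field": "tool.command", "operator": "in", "value": ["sudo", "rm -rf"]},
    "then": {"action": "BLOCK", "message": "Privileged commands require human approval"},
}]

OPERATORS = {"in": lambda actual, expected: actual in expected}  # only the operator shown

@dataclass(frozen=True)
class Verdict:
    action: str
    rule: str = ""
    message: str = ""

def resolve(call, path):
    """Walk a dotted path such as 'tool.command'; a missing key yields None."""
    node = call
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def evaluate(call, rules=RULES):
    """Return the first matching rule's verdict, in priority order."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        cond = rule["when"]
        op = OPERATORS.get(cond["operator"])
        if op is None:  # fail closed on an operator this sketch does not know
            return Verdict("BLOCK", rule["rule"], "unknown operator")
        if op(resolve(call, cond["field"]), cond["value"]):
            return Verdict(rule["then"]["action"], rule["rule"], rule["then"]["message"])
    return Verdict("ALLOW")

def guarded_call(call, tool):
    """Invoke the tool only after the guard returns ALLOW."""
    verdict = evaluate(call)
    if verdict.action != "ALLOW":
        return verdict, None  # the tool function is never reached
    return verdict, tool(call["tool"]["command"])
```

Under the exact-membership assumption, a call whose `tool.command` is `sudo apt install x` returns ALLOW, so rule sets like this one should be tested against argument-bearing commands after confirming how the real engine's `in` operator compares values.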

OWASP Top 10 (2026) — How ERDL Maps

| OWASP Risk | ERDL Mitigation |
| --- | --- |
| R1: Excessive Agency | Time windows + rate limiting |
| R2: Prompt Injection | Guard rules run before LLM output |
| R3: Supply Chain | Agent BOM with rule audit trail |
| R4: Data Leakage | Field-level BLOCK rules |
| R5: Overreliance | Guardian Agent oversight |
| R6: Multi-Agent Collusion | Cross-agent audit chains |

EU AI Act (effective August 2, 2026)

ERDL maps directly to transparency and human oversight requirements. Audit records export to OCSF format, compatible with SIEM systems.

The Stack is Now Complete

  • MCP — tools (Anthropic, Linux Foundation)
  • A2A — communication (Google, Linux Foundation)
  • ERDL — rules (OpenOBA, MIT)

  • Landing Page: openoba.github.io/erdl-landing
  • Spec v1.0 (English): spec/index-en.md
  • GitHub: github.com/OpenOBA/ERDL

MIT License. RFC open.

What do you think — does the agent protocol stack need a dedicated rules layer? Let's discuss.