Arsenal — Capability Tokens · Credential Proxy

Overview

Credentials never touch the agent.

Arsenal solves the most dangerous problem in agent infrastructure: how does an agent use a credential it must never see? Arsenal issues ACTs — Agent Capability Tokens — that bind a capability to a caller without revealing the underlying credential. The eleven-step credential proxy intercepts outbound HTTP calls, validates them against SSRF guards (with DNS-rebinding defense), substitutes the real credential at the wire, and records the entire transaction to a hash-chained audit. Human-in-the-loop consent is enforced for any new credential surface. Platform-agnostic: any HTTP API becomes safe for autonomous use.

Methods

Every method is dispatched through MAP. Capability scope, policy, and accounting apply uniformly.

arsenal.issue()

Issue an Agent Capability Token bound to caller, capability, and credential reference.

arsenal:issue

arsenal.proxy()

Proxy an outbound HTTP call, substituting credentials and enforcing SSRF guards.

arsenal:proxy

arsenal.consent()

Request HITL consent for a new credential surface or sensitive capability invocation.

arsenal:consent

Request shape

A canonical call. Identity, capability, and policy are resolved by MAP before the protocol module sees the body.

// POST /v1/protocol/arsenal.issue // MAP envelope (provided by MACS): { "caller": "did:oas:l1fe:agent:0xa3f…", "capability": "arsenal:issue", "signature": "ed25519:0x9c…", "trace": "00-4f81b3a…-…-01" } // Arsenal body (example): { "intent": "Credentials never touch the agent.", "budget": { "tokens": 200000, "deadline_ms": 8000 }, "return": ["result", "audit"] } // Response: { "result": "…", "audit": "max://record/0x4f81b3a-arsenal-7a…" }

Governance posture

Every protocol in MAP is bound by the same governance posture. Refusal carries reasons. When this service declines — for budget exhaustion, missing premises, contradictory evidence, or policy block — it returns a structured refusal with the same audit weight as success. Refusals are first-class records; they are not silences.

Dissent is preserved. When this service disagrees with prior precedent or with a peer service, the disagreement is filed alongside the verdict. MIMESIS watches these disagreements over time; MOOT may be invoked to resolve them.

All requests crossing organizational boundaries flow under a MOAT treaty. The treaty fixes capability scope, rate, and economic terms. Calls outside the treaty's envelope are refused at MACS.

Integration

Three integration surfaces. All requests pass through MAP.

// 1. Native MAP protocol (signed envelope) await map.dispatch("arsenal.issue", body, { capability }); // 2. MCP tool — any MCP-compliant client await mcp.call("map.arsenal.issue", body); // 3. A2A task — cross-organization invocation await a2a.task("map://intent", { intent: body, treaty: "moat://0x91a" });

SLA & metering

p50 latency12ms

p99 latency85ms

availability99.95%

billing unitproxied requests

Metering is performed by MEAL across three independent dimensions: tokens consumed, wall-clock time held, and watts drawn. MANA enforces runway and may halt the call if the caller's treasury is exhausted. See pricing for current rate cards.

Adjacent

This service does not stand alone. The protocols it consults and feeds:

ConsultsMACS · capability scope
Aegis · key management

Records toMAX · every proxied call
MOTET · proxy errors

Subject toMAXIM · policy bound

Settled withMEAL · per-proxy meter

Arsenal.