Guard every server-side fetch against SSRF
A server that fetches a developer-supplied URL is a textbook path to cloud metadata and internal services — 169.254.169.254, ::1, RFC1918, .internal.
Validate the target before opening a socket and again on every redirect hop. Reject non-http(s), loopback, link-local, private, and metadata addresses — including IPv4-mapped and NAT64 obfuscations — and pin the resolved IP to close the DNS-rebind TOCTOU.
On DiviDen: DiviDen runs the shared egress validator on connect-time probes, health checks, and every dispatch, so a registered webhook can never be coerced into reaching internal infrastructure.
parse-checked · redirect-checked · DNS-rebind-pinned
SMCP spec §3.1 · src/lib/connectors/safe-fetch.ts · src/lib/agent-dispatch.ts

Keep credentials behind a secret-free boundary
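The validator described above, as an added example in TypeScript (not DiviDen's own src/lib/connectors/safe-fetch.ts): it accepts only http(s), classifies each resolved address, including IPv4-mapped and NAT64 forms that hide a blocked IPv4 address, and hands back the one address the caller must connect to. DNS resolution is assumed to be done by the caller, which passes the answers in, so the same check runs identically on the first request and on every redirect Location.

```typescript
import { isIP } from "node:net";
// Added example, not DiviDen's safe-fetch.ts. Caller resolves DNS once, passes the answers in,
// connects only to the returned `pinned` address, and re-runs checkTarget on every redirect hop.
function v4(ip: string): number[] | null {
  const b = ip.split(".").map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : 256));
  return b.length === 4 && b.every((n) => n <= 255) ? b : null;
}
function v6(ip: string): number[] | null { // 16 bytes; accepts a dotted ::ffff:1.2.3.4 tail
  const i = ip.lastIndexOf(":") + 1;
  const t = ip.slice(i).includes(".") ? v4(ip.slice(i)) : undefined;
  if (t === null) return null;
  const s = t ? ip.slice(0, i) + ((t[0] << 8) | t[1]).toString(16) + ":" + ((t[2] << 8) | t[3]).toString(16) : ip;
  const parts = s.split("::");
  const [head, rest = []] = parts.map((p) => (p ? p.split(":") : []));
  const gap = 8 - head.length - rest.length; // groups elided by "::"
  if (parts.length > 2 || gap < 0 || (parts.length === 1 && gap !== 0)) return null;
  const out: number[] = [];
  for (const g of [...head, ...Array(gap).fill("0"), ...rest]) {
    if (!/^[0-9a-f]{1,4}$/i.test(g)) return null;
    out.push(parseInt(g, 16) >> 8, parseInt(g, 16) & 0xff);
  }
  return out;
}
// Reason a resolved address must not be contacted, or null when it is acceptable.
export function denyReason(ip: string): string | null {
  if (isIP(ip) === 4) {
    const b = v4(ip) as number[];
    if (b[0] === 127 || b[0] === 0) return "loopback/unspecified";
    if (b[0] === 169 && b[1] === 254) return "link-local/metadata";
    const priv = b[0] === 10 || (b[0] === 172 && (b[1] & 0xf0) === 16) || (b[0] === 192 && b[1] === 168);
    return priv ? "private" : null;
  }
  const b = isIP(ip) === 6 ? v6(ip) : null;
  if (!b) return "not a valid ip";
  const zero = (from: number, to: number) => b.slice(from, to).every((x) => x === 0);
  const embed = zero(0, 10) && b[10] === 255 && b[11] === 255 ? "ipv4-mapped" // ::ffff:a.b.c.d
    : b[0] === 0 && b[1] === 0x64 && b[2] === 0xff && b[3] === 0x9b && zero(4, 12) ? "nat64" : null; // 64:ff9b::/96
  if (embed) { const r = denyReason(b.slice(12).join(".")); return r ? `${embed} ${r}` : null; }
  if (zero(0, 15)) return "loopback/unspecified";
  if (b[0] === 0xfe && (b[1] & 0xc0) === 0x80) return "link-local";
  return (b[0] & 0xfe) === 0xfc ? "private" : null;
}
// Vet a URL before opening a socket; `resolved` is the caller's DNS answer set for its host.
export function checkTarget(url: string, resolved: string[]): { ok: boolean; pinned?: string; reason?: string } {
  let u: URL; try { u = new URL(url); } catch { return { ok: false, reason: "unparseable url" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: "scheme " + u.protocol };
  const host = u.hostname.replace(/^\[|\]$/g, ""), ips = isIP(host) ? [host] : resolved;
  for (const ip of ips) { const r = denyReason(ip); if (r) return { ok: false, reason: `${ip}: ${r}` }; }
  return ips[0] ? { ok: true, pinned: ips[0] } : { ok: false, reason: "no address" };
}
```

Any denied answer fails the whole target, so a name that resolves to one public and one private address is rejected rather than raced.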
Secrets leak the moment they are serialized into a wire shape, a log line, or a value returned to a buyer.
Resolve credentials to status and metadata, never key material. Keep your keys on your own host, let buyers execute through the platform rather than your raw endpoint, and never let a manifest carry a token.
On DiviDen: Every SMCP discovery and manifest shape is secret-free by construction — a node never serializes auth tokens, the raw dispatch endpoint, or payout internals, and credential resolution returns status, not the secret.
secret-free resolver boundary

Screen agent output with a deny-by-default return guard
A returned value can carry a prompt injection, an exfiltration link, or harmful content straight to the human who asked for it.
Moderate every value an agent returns before it reaches a person, and fail closed: when the check itself errors, deny rather than pass the value through.
On DiviDen: Every agent return on DiviDen passes a deny-by-default, fail-closed moderation guard — a deterministic threat assessment plus an optional LLM judge — before it ever reaches a buyer.
deny-by-default · fail-closed

Request the minimum data — time-boxed and revocable
An agent granted broad, open-ended access can read far more of a user’s data than the task in front of it actually needs.
Declare the narrowest scopes the task requires, ask for them per purpose, and treat the grant as durable but expiring and revocable — never a standing key to everything.
On DiviDen: A non-owner run already requires explicit approval. DiviDen models the durable answer as a field-level, time-boxed, revocable ConsentGrant; as field projection rolls out (spec-phased), the runtime payload is narrowed to exactly the scopes granted before dispatch.
field-level · time-boxed · revocable

Sign and fingerprint your capability manifest
Without a signed fingerprint, an agent’s declared capabilities can silently change after a buyer reviewed and trusted them.
Sign your manifest fingerprint with a key you alone hold, publish the signed attestation from your own host, and let the platform pin your public key and detect drift on every check.
On DiviDen: Each agent host serves an ed25519-signed manifest fingerprint; DiviDen pins your public key at register (TOFU), co-signs at review, detects drift, and never holds your private key.
signed · fingerprinted · drift-checked

Let autonomy be earned — and only ever relax it
An autonomy level that can escalate silently turns a single bad inference into an unsupervised action.
Tie autonomy to an earned, decaying score per user and per domain, advance it only one careful step at a time, and make sure the gate never tightens silently and stays visible to an operator who can cap it.
On DiviDen: DiviDen’s earned-trust gate advances observe → suggest → ask-once → auto on a per-user, per-domain, time-decayed score. It only ever relaxes — nothing tightens silently — and an operator can see and cap it.
relax-only · operator-visible