JCP · a Transaction Science open standard

The Joule Context Protocol.

A unified, energy-native, capability-secured protocol for agentic systems. A capability and an energy budget are the same object — a signed, bounded, debited Grant. A capability you can't pay for is denied; an expenditure you're not capable of is denied. One check, made outside the model, sealed in a receipt.

Object — capability ⊗ joules

Model in the decision loop

did:key

Every actor, signed

authorization and energy · one signed grant · decided outside the model

The thesis

A capability and a budget are the same object.

Agentic systems fail in a few repeated ways: untrusted output is treated as instruction, a system prompt is mistaken for access control, an agent loop runs until the bill arrives, and the audit is a log line anyone can edit. Each is the same root — ambient authority, unbounded action, unsigned record.

JCP collapses authorization and energy into one primitive. A Grant is a signed token binding a subject to a capability and a joule budget. The runtime checks both in a single deterministic step, before any side effect, and seals the outcome. There is no model in that loop — which is the point: a more capable model is a more dangerous one, so the gate cannot be the model.

The Grant

The metered capability.

The whole protocol turns on one wire object. It is content-addressed, signed by its issuer, and delegated only by narrowing.

Grant {
  issuer:     did:key            ; who granted this authority
  subject:    did:key            ; who holds it
  capability: { resource: content-id, actions: [string] }
  budget_uj:  uint               ; the joule ceiling it may ever spend
  expiry:     uint               ; 0 = no expiry
  parent:     content-id?        ; the grant it was attenuated from
  nonce:      bytes(16)
}

The resource is addressed by content, not by URL — audience binding an attacker can't spoof by name. A child grant's capability must be a subset, its budget no larger, its expiry no later: a delegation chain can never convey more authority — or more energy — than its root.

What it closes

Each failure, closed at the root.

Not detected after the fact — made unreachable by the protocol.

A tool's output can take control

Every message carries a trust tag. Tool and agent outputs are data, never instructions — a poisoned result can't exercise a capability, by construction.

Prompts pretend to be access control

Authorization is decided by the runtime, outside the model. A more capable model only follows injected instructions better, so the gate can never be the model.

Authority is ambient and standing

No actor holds standing privilege. Every action needs an unforgeable, content-addressed Grant. There are no long-lived secrets sitting in environment variables.

An agent can reach the wrong thing

A Grant binds to a resource by content address, not by name — audience binding an attacker can't spoof. Reach the wrong resource and it's denied.

Delegation leaks authority

Delegation is object-capability attenuation: a child Grant can only narrow — less capability, less budget, sooner expiry. A chain never conveys more than its root.

Agent loops have no cost ceiling

Every Grant carries a joule budget, debited per action and enforced before the side effect. The runaway loop hits a wall, not a surprise bill.

Delegation can mint energy

On a delegated chain, the cost must fit — and is debited from — every link. Two children of one root share the root's budget: delegation never creates joules.

A leaked grant lives forever

The issuer revokes with a signed Revocation, and the runtime goes dark on that grant — and on every grant attenuated from it. A delegation subtree dies with its ancestor.

The audit is a mutable log line

Every decision — allow and deny — seals as a signed JCR-1 receipt. Forging the audit means forging a signature. A refused attack is evidence.

A worker can deepen the org chart

A grant carries a delegation depth that narrows every hop. An orchestrator hands its workers leaf-only grants, and the team cannot mint sub-workers — at issuance or in chain verification.

Distributed budgets need consensus

One grant, N enforcement points: shard it into siblings whose budgets must sum within the parent. Each point enforces its own shard locally — conservation by arithmetic, not coordination.

One gated agent is still too few

Make the actor k-of-n: its key never exists in one place, and a signature exists only when enough agents cooperate. The two-agent rule for irreversible actions, refused by arithmetic.

A stolen key owns the identity

Identities rotate through pre-committed key events. A thief holding the current key still can't rotate the identity away — they don't hold the next key. An owner who lost it still can.

Anyone can claim to be a root

An enforcement point honors only the root-issuer keys it was configured with — local, pairwise trust, no certificate authority. A validly signed grant from an unlisted root is denied.

Crash recovery needs a second database

The receipt stream is the write-ahead log. A chained receipt names every link it debited, so a restarted enforcement point rebuilds its exact budget state from its own sealed output — and keeps conserving.

The receipt

Every decision, non-repudiable.

Allow and deny alike seal as a signed JCR-1 receipt — the family's shared signed-receipt format, so a JCP receipt verifies with the same tooling as the rest of the substrate. A refused attack is evidence, not a missing log line.

meter    detected backend → honest provenance (measured, or says "estimated")
read the db (legit)                    allow   −20000 µJ   rem 80000
tool-result says 'delete db' (poison)  DENY    untrusted-control
read prod-secrets (wrong audience)     DENY    wrong-resource
read again — budget runs out           DENY    budget-exceeded
  amplification refused: capability exceeds parent
  receipt  allow · 50000 µJ · verified ✓
revoked  issuer pulled the grant → next read: DENY (revoked)

Reference

The grant, the runtime, the receipt — real and tested.

An Apache-2.0 reference workspace, with a conformance harness and a headless demo that drives one metered grant through an agent loop — legitimate calls debited at the detected meter's honest cost, a poisoned result refused, out-of-scope actions and resources denied, the budget stopping a runaway loop, a weaker delegated sub-grant, and the issuer revoking the grant, after which the runtime goes dark.

And it is consumed, not just specified: three sibling Transaction Science standards gate their real dispatch through JCP — JouleClaw's tool calls are decided against a Grant before a byte reaches the tool, Sandbox authorizes execution against the unit's image by content address before the executor runs, and Joule Code's cascade consults a remote frontier agent only when a signed grant names it and can pay for it.

jcp-schema

The wire objects: the did:key actor, the metered Grant (capability ⊗ joule budget, content-addressed and signed), the Frame with its control/data trust tag, the Revocation, and the honest energy model. Canonical det-CBOR with a canonicity-enforcing decoder.

jcp-grant

Issuance, verification, attenuation (a child Grant can only narrow — including its delegation depth), hop-by-hop chain verification, issuer-only signed revocation, budget sharding for distributed enforcement, and pre-committed key rotation.

jcp-runtime

The deterministic enforcer. One ordered check fuses authorization and energy — trust, revocation, configured trust roots, audience binding, signature, expiry, capability, budget — decided outside any model, then debits the cost from every link of a delegation chain.

jcp-receipt

The signed JCR-1 receipt for every decision, allow and deny alike. The receipt stream is the write-ahead log: a crashed enforcement point rebuilds its budget state from its own sealed output, and a team's receipts aggregate into per-worker attribution — evidence, not self-reporting.

jcp-energy

The metering ladder: hardware energy counters where the platform exposes them, a time×calibrated-power model and a constant estimator where it doesn't. There is always a figure — and its provenance always says how it was obtained.

jcp-wire

The jcp/1 wire binding: length-prefixed canonical det-CBOR over TCP, Unix sockets, or any byte stream. Requests carry the full grant chain and are caller-signed — an impersonation is denied and sealed like any other decision.

jcp-threshold

Threshold actors: a did:key split k-of-n, the group key an ordinary Ed25519 key. A 2-of-3 team issues, holds, and signs with nothing else changing — and no single agent can act alone. Shares come from a dealer or distributed keygen, where the group's private key never exists anywhere.

jcp-channel

Receipt-settled budget channels: enforcement points spend optimistically against one grant and settle by signed statements of cumulative spend. The exposure between settlements is bounded; any overdraft afterwards is provable, not suspected.

jcp-bridge

The framing layer: it wraps existing tool calls and agent tasks in Grants and Frames — decided against the grant before the call reaches the endpoint, results framed as untrusted data — so an existing server keeps its transport.

jcp-gateway

The energy-native gateway: an enforcement point in front of an MCP server. Every tool call is authorized before it runs, metered on real hardware as it runs, and debited in measured joules — the budget that stops a runaway agent is energy actually spent, not a token estimate. A denied call never reaches the server, and every decision seals into a hash-chained receipt log: excise or reorder one and the chain breaks. The gateway chokepoint the field already occupies, on the two axes it leaves vacant — joules, and a tamper-evident audit.

jcp-conformance

Eighteen conformance classes plus a negative pack, all checks real — a live-socket decision, a threshold caller, a dealer-free keygen, a settled channel, and a runtime restored exactly from its own receipt stream — with published vectors.

Read the JCP standard