The Borrowed Leash: Determinism as a Service for the Agentic Web¶
Yesterday's post ended with an architectural claim: the model belongs at the edge, on a leash, and the vibes-based agent era deserves to end. The obvious objection arrived on schedule: "Nice. But I already have an agent. I'm not rewriting it around your planner."
Good. You don't have to.
kcp-agent 0.3.0 ships the answer as one command:
That line hands any MCP-capable agent — Claude Code, an IDE, your homegrown orchestrator, somebody else's swarm — a deterministic knowledge navigator as a set of tools. The borrowing agent stays exactly as probabilistic as it was this morning. But every knowledge decision it delegates across that boundary comes back planned, gated, budgeted, and reproducible.
Your agent doesn't have to become deterministic. It just has to ask someone who is.

Two protocols, one seam¶
MCP solved the hands problem: a standard way for any model to call any tool. What it deliberately didn't solve is the judgment problem — which knowledge to trust, what it costs, when it expires, who may read it. Every MCP client answers those questions the same way: the model improvises, mid-flight, with your token budget.

KCP is the missing declaration layer: publishers describe their knowledge in a knowledge.yaml — intents, validity windows, trust requirements, prices, audiences, federation. And kcp-agent is the pure function that turns those declarations into an inspectable plan.

KCP is to knowledge what MCP is to tools — and kcp-agent mcp is the seam where they meet. Four tools cross it:
| Tool | What crosses the boundary |
|---|---|
kcp_plan |
the deterministic load plan — selections in order, skips with written reasons, federation and budget decisions. No content moved, no model called. |
kcp_load |
the plan plus the content of load-eligible units — the caller's own model synthesizes; kcp-agent never spends the caller's tokens and needs no API key |
kcp_validate |
lint for a knowledge.yaml — structural errors, navigation-weakening warnings |
kcp_replay |
the cross-examination: hand back a plan artifact and get identical or drifted, per manifest, with the fields that moved |

The first three shipped in 0.2.0. What 0.3.0 adds is the part that makes the bridge load-bearing rather than decorative — and it's the part worth a post.
What 0.3.0 uncovered: identity and economics cross the boundary¶
In 0.2.0, the MCP surface took the planner's basic knobs — task, manifest, date, budget. Useful, but the interesting gates were unreachable: a knowledge web that demands attestation or credentials would simply plan closed for every MCP caller.
0.3.0 gives kcp_plan/kcp_load the CLI's full capability surface: role, methods (payment methods), credentials, attest (attestation provider). Which means an MCP client can now present who it is and what it can settle — and the planner answers with exactly the gates a command-line agent would get.
This sounds like a feature list. It's actually a claim about the agentic web: identity, trust, and economics are properties of the knowledge boundary, not of the agent's prompt. The publisher declared require_attestation and access: restricted in the manifest; the planner enforces it; the MCP transport just carries the capabilities across. No system-prompt diplomacy, no "please only read documents you are authorized to read."
Watch it work. The scenario is the 03:00 incident world — a zero-day in a fictional energy company's broker software, four federated parties: the internal hub, a national CERT with a signed manifest, the vendor, and a commercial intel feed where TLP:AMBER is an enforced gate, not a courtesy label. This is the shipping demo (node examples/demos.js leash), a scripted foreign JSON-RPC client with no SDK, and CI asserts this output:
$ kcp-agent mcp # a foreign agent connects over stdio
server: kcp-agent 0.3.0 · tools: kcp_plan, kcp_load, kcp_validate, kcp_replay
$ tools/call kcp_plan {as_of: 2026-07-08} # 03:00 — the borrowing agent is unprovisioned
○ incident-runbook — restricted: requires attestation the agent cannot present;
access 'restricted': agent holds no credentials
$ tools/call kcp_plan {as_of: 2026-07-09, attest, credentials: [mtls],
methods: [free,x402], budget: 0.5}
● incident-runbook — gates open, same reasons ledger
committed 0.4/0.5 USDC · 0.1 remaining
The unprovisioned caller doesn't get an error, and doesn't get quietly served a degraded answer either. It gets a plan with the closed gates written down — attestation it cannot present, credentials it does not hold. Provision the responder and the same question opens the runbook, buys 0.40 USDC of intel under a 0.50 ceiling, and writes the arithmetic into the ledger. Same manifest, same task, two honest answers.

Evidence that survives a process boundary¶
Here's the deeper thing the bridge uncovers, and it took kcp_replay to see it.
When agent A calls agent B for knowledge, the artifact that comes back is normally just… prose. A claims B said something; B has logs; nobody can verify anything without trusting everybody. The agentic web is currently being built on this — chains of agents vouching for each other with vibes.
A kcp plan artifact is different in kind. It pins the sha256 of every manifest it planned over and echoes every input that shaped it. So when the artifact crosses the MCP boundary, the caller — or an auditor, or a different agent, six months later — can hand it back:
$ tools/call kcp_replay {artifact} # a second session, later — cross-examination
✓ nordlys-energi-hub: identical
✓ fjellcert-advisories: identical
✓ quaymaster-broker: identical
✓ ravnwatch-intel: identical
ok: true
Four federated manifests, re-fetched, re-hashed, re-planned from the echoed inputs, reproduced byte-identically. And because the demo suite is contractually paranoid, the scripted client then does what a real borrowing agent might: it edits its own evidence, zeroing the spend ledger before handing the artifact on.
$ tools/call kcp_replay {artifact*} # * the client zeroed its own spend ledger
✗ ravnwatch-intel: drifted — plan differs in: budget
ok: false
Caught, with the field named. A plan is evidence; replay is the cross-examination — and 0.3.0 makes the cross-examination available to any MCP client, across any process boundary, against an artifact produced by somebody else's session. Multi-agent systems have talked about "audit trails" for two years. This is what one looks like when it can defend itself.

What this opens up¶
Once deterministic navigation is a service rather than an architecture commitment, several doors open at once.
1. The fleet problem becomes a manifest problem. An organization running twenty MCP-capable agents currently governs knowledge access twenty times, in twenty system prompts, none of which are enforced. Put the policy where it belongs — in signed manifests, behind one kcp-agent mcp — and every agent in the fleet gets the same gates, the same skip-reasons, the same budget arithmetic. Governance stops being a prompt-engineering genre and becomes configuration. When the policy changes, you change a manifest, not N prompts — and the change is versioned, signed, and temporal (valid_from did the rollout for you).

2. Provisioning maps to organizations, not prompts. In the 03:00 story, the SOC provisions the responder — attestation from soc.nordlys.example, an mTLS credential, a funded wallet with a ceiling. The agent borrows authority the way an employee does: from the institution, scoped, revocable, on the record. That's the shape enterprises actually work in. The alternative — pasting credentials into context windows and hoping — is the shape breaches work in.
3. A real knowledge economy gets an enforcement point. We built the first till on the agentic web — publishers pricing knowledge per-request over x402. The bridge means the buyer side is now installable into any agent: ceilings enforced in the plan, spend committed before a byte moves, unaffordable units skipped with the arithmetic shown. Agents that shop need budgets that hold. methods: [free,x402], budget: 0.5 over MCP is what that looks like.

4. Zero-token navigation, zero API keys. kcp-agent never calls a model when serving MCP — planning is a pure function, and kcp_load returns content for the caller's model to synthesize. The navigator adds no inference cost, holds no API key, and can't leak one. For anyone doing the economics of agent deployments, an entire class of cost and secret-handling just left the building.
5. Federation means one socket, every knowledge web. The mcp command takes no flags — the manifest location is a parameter of every call. One server instance serves the company hub, the vendor's manifest, the national CERT, a partner's federation — walking follow chains fail-closed, verifying ed25519 signatures where declared, threading one budget across the whole tree. The agent's entire knowledge landscape hangs off a single stdio socket.

The honest version of the multi-agent story¶
The industry's multi-agent narrative is currently additive: more agents, more autonomy, more improvisation, the swarm will sort it out. Our experience keeps pointing the other way: the systems that survive contact with compliance, procurement, and incident review are the ones that subtract — that take entire categories of decision away from the model and give them to something that can testify.
The KCP/MCP bridge is that subtraction, packaged as an addition. Nothing about your agent changes. It gains four tools. But the knowledge decisions flowing through those tools acquire properties no prompt can grant: reproducibility, written refusals, enforced ceilings, verifiable provenance, and artifacts that catch their own tampering.
The borrowed leash is still a leash. That's the value.

# your agent, five seconds from now
claude mcp add kcp -- npx -y kcp-agent mcp
# the whole bridge, narrated, no mocks
git clone https://github.com/Cantara/kcp-agent && cd kcp-agent
npm ci && npm run build && node examples/demos.js leash
- The Arena (match ⑤ is the 03:00 incident, live in your browser): cantara.github.io/kcp-agent
- npm: npmjs.com/package/kcp-agent — 0.3.0, trusted publishing, provenance
- Source (Apache-2.0): github.com/Cantara/kcp-agent
→ github.com/Cantara/kcp-agent
Series: Knowledge Context Protocol
← The Vibes-Based Agent Era Deserves to End · Part 38 of 39 · Hiring by the Book: A Defendable HR Agent on a Regulatory Knowledge Web →