
Knowledge Infrastructure

Hiring by the Book: A Defendable HR Agent on a Regulatory Knowledge Web

The question lands in every organization sooner or later, usually from HR, usually on a Friday: "Can we use an AI tool to screen and rank job applicants?"

It looks like a yes/no question. It is actually a stack of them. Is candidate ranking a high-risk AI system under the EU AI Act's Annex III? What does GDPR Article 22 say about automated decisions on people? Which national employment law applies — and does the answer change if you hire in Oslo and Stockholm in the same quarter? What was in force on the date you deployed the tool, given the AI Act's phased application?

The Friday question: one innocent-looking prompt — can we use an AI tool to screen job applicants? — fans out into a blueprint of interlocked regulatory circuits: EU AI Act Annex III high-risk classification, GDPR Article 22 automated decision-making, national employment law with Oslo-versus-Stockholm variations, and phased enforcement dates asking what is in force today

Most organizations answer this with a meeting, a memo, and a hope. Some paste the question into a chatbot and get back something confident, uncited, and unreproducible. Neither version survives the follow-up question that matters: "Show me how you decided that."

The immutable blueprint: side by side, the human way — a pile of meetings, memos and hope — and the chatbot way — confident, uncited, unreproducible synthesis; a warning banner declares that neither survives the auditor's question: show me how you decided that

Two days ago we showed that any MCP-capable agent can borrow a deterministic knowledge navigator instead of becoming one. This post takes that bridge somewhere concrete: a regulated knowledge-worker scenario, built on infrastructure that actually exists — and an honest account of where it broke when we tried it.

The Borrowed Leash: Determinism as a Service for the Agentic Web

Yesterday's post ended with an architectural claim: the model belongs at the edge, on a leash, and the vibes-based agent era deserves to end. The obvious objection arrived on schedule: "Nice. But I already have an agent. I'm not rewriting it around your planner."

Good. You don't have to.

kcp-agent 0.3.0 ships the answer as one command:

claude mcp add kcp -- npx -y kcp-agent mcp

That line hands any MCP-capable agent — Claude Code, an IDE, your homegrown orchestrator, somebody else's swarm — a deterministic knowledge navigator as a set of tools. The borrowing agent stays exactly as probabilistic as it was this morning. But every knowledge decision it delegates across that boundary comes back planned, gated, budgeted, and reproducible.

Your agent doesn't have to become deterministic. It just has to ask someone who is.

The Vibes-Based Agent Era Deserves to End

Every agent demo you've seen this year works the same way: stuff the context window, let the model improvise, applaud the output. Ask the obvious follow-up questions and the whole edifice wobbles. Why did it read those files? It seemed relevant. Will it do the same thing tomorrow? Probably not. What happens when a document it reads contains instructions? Please don't ask that one.

We've been building agents where the model decides everything — what to load, what to trust, what to believe, what to spend — and then acting surprised that the result can't be audited, can't be reproduced, and can't be defended in front of anyone who signs things for a living.

Today kcp-agent 0.2.0 ships to npm, and it's not really a release. It's a counter-argument. It inverts the agent stack: determinism at the core, the model at the edge — on a leash. Its slogan is a falsifiable engineering claim; CI tries to falsify it daily, and fails:

The most deterministic agents in the world. Every decision defensible.

npx kcp-agent plan "how does the planner score units?" \
  --manifest https://raw.githubusercontent.com/Cantara/kcp-agent/main/knowledge.yaml

Selling News to Robots

Yesterday's tour of the whole protocol ended with a loose thread: "A knowledge economy ends with a payment — and RFC-0005 is still sitting at the RFC stage, waiting."

It didn't wait long. v0.25 landed on main the same day: Economic Metadata, the full promotion of RFC-0005. payment.methods[] — free, x402 micropayments, metered billing, subscriptions — plus per-tier rate_limits, all at manifest and unit level. Nothing of RFC-0005 remains RFC-only.

Which means something new is possible on the agentic web this weekend that wasn't possible last weekend: you can open a shop. So let's open one — a newswire that sells to agents — and then play the customer: an agent with a funded wallet, a briefing to write, and a budget. Step by step, both sides of the counter.

The Agentic Web Has No Login Page

Think about what makes the human web economically viable. Not the browser. Not HTML. It's the login page — and everything it implies. Paywalls, licenses, subscriptions, terms of access. The mundane machinery that lets someone publish valuable knowledge without giving it away. Remove that machinery and the web would contain only what people are willing to publish for free.

Now look at the agentic web. Agents consume knowledge from manifests, MCP servers, and context files across organisational boundaries — and there is no equivalent machinery. A knowledge source is either open to every agent that finds it, or it's locked behind a bespoke API that no standard agent can negotiate. Nothing in between. No standard way for a publisher to say "this knowledge is for certified consumers only — prove who you are."

The consequence is quiet but enormous: the knowledge layer of the agentic web contains only what publishers are willing to give away. Authoritative sources — legal data providers, regulatory interpreters, standards bodies, paid research — stay off it entirely. So agents answer compliance questions from scraped blog posts instead of authoritative guidance, because the authoritative guidance has no way to come online on terms its publisher can accept.

KCP v0.22 and v0.23, both shipping today, are the missing machinery.

One Agent's Journey Through the Whole Protocol

This morning the Knowledge Context Protocol got its login page — v0.22 and v0.23, the consumer half of the trust model. This afternoon, v0.24 landed on main: Org-Federation, from RFC-0011. The enterprise front door.

That's twenty-four versions in six months — v0.1 shipped January 10th. And with the front door in place, something has quietly become true: an agent can now traverse the entire protocol, from "I know nothing but a company domain" to "I hold a signed receipt for the restricted knowledge I just consumed", and every step of that traversal is declared, verifiable, and standard.

So instead of another release note, let's take the tour. One agent, one traversal, every layer annotated with the release that built it.

Sixteen Versions of Metadata Nobody Read

Practitioner notes on shipping a feature that was already a no-op, in two different ways.

The Mynder regulatory knowledge base has 63 fragment manifests covering 101 units of EU regulation — GDPR, NIS2, the EU AI Act, DORA, Norwegian and Swedish data protection law. Every unit carries temporal validity (valid_from, valid_until, superseded_by), per-unit content hashes (sha256), not_for audience filtering, content structure declarations, and Ed25519 JWS signatures. All of it declared in KCP v0.21.

Synthesis — the workspace intelligence tool that indexes and searches this corpus — was reading it at v0.5 feature level.

Sixteen spec versions of metadata, sitting in the files, being dutifully indexed and completely ignored by the tool whose job was to understand them. The corpus was "searchable" but not "knowledge-aware." You could find GDPR articles by keyword. You could not ask what was in effect in 2022 and get a time-correct answer.

Sixteen Versions of Metadata Nobody Read: a circuit board blueprint showing KCP v0.21, Temporal Validity, and Ed25519 JWS Signatures as three input connectors feeding into a central processor — but the connection is broken with an X. Diagnostic: the gap between organized data and intelligent infrastructure.

Stale Knowledge Is Worse Than No Knowledge: KCP v0.19 and v0.20 Close the Temporal Gap

Closing the Temporal Gap: the problem with timeless knowledge (compliance risk, deprecated-vs-temporal), v0.19's bi-temporal model (valid time vs transaction time, superseded_by link, manifest-level defaults), v0.20's as_of query parameter (audit mode vs production mode, critical use cases), and the new four-step search flow (semantic scoring → not_for filter → temporal evaluation → final selection).

The previous post ended with a list of gaps still visible after v0.18: federated trust delegation, transport integrity, digest cost budgets. The one I left off the list, because it was already in progress, was time.

Not performance. Not latency. Actual calendar time — the question that turns out to matter enormously for knowledge that agents load into context: when is this unit valid?

v0.19 and v0.20 answer that question. v0.19 lets manifest authors declare temporal validity. v0.20 lets agents query against it.

2026 06 12 kcp 0.18 unit integrity

Signing the Map, Not the Territory: KCP v0.18 Adds Unit Content Integrity and Origin Evidence

KCP v0.18 — Signing the Map, Not the Territory: a JWS signature covers the manifest YAML, but not the files the units point to. v0.18 adds per-unit content hashes and origin evidence classes to close the gap.

The previous post showed how KCP v0.16 gives manifests a trust model: cryptographic signing, trust tiers, a render pipeline that fails closed. The signature covers the manifest -- the YAML bytes that describe your knowledge units. It does not cover the files those units point to. The signature says "this map is authentic." It says nothing about the territory.

That gap has a name: T9, the manifest relocation attack. v0.18 closes it.