CBCL: Safe Self-Extending Agent Communication

Reference: O’Connor, H. (2026). LangSec Workshop, IEEE Security and Privacy Workshops (SPW 2026). arXiv:2604.14512v1 [cs.CR], 16 Apr 2026. Source file: oconnor-cbcl-langsec26.pdf. URL. Reference implementation: https://codeberg.org/anuna/cbcl-rs.

Summary

Building on McCarthy’s 1975/1982 Common Business Communication Language vision and the language-theoretic security programme of Sassaman, Patterson, Bratus and Locasto (Security Applications Of Formal Language Theory), this paper presents a contemporary CBCL: an agent communication language designed so that all messages — including runtime language extensions — remain within the deterministic context-free (DCFL) complexity class. The motivating diagnosis is that contemporary agent communication has slid up the Chomsky hierarchy without acknowledging the security cost: KQML and FIPA-ACL are CFL with informal extensibility, but MCP and LLM-based agent frameworks operate over inputs whose effective complexity is recursively-enumerable, where the validity of an arbitrary message is undecidable and “weird machines” (Exploit Programming - From Buffer Overflows To Weird Machines) become unavoidable. CBCL takes the opposite tack: minimal core (8 performatives — tell, ask, reply, hello, bye, ok, error, cancel) plus a homoiconic dialect mechanism that lets agents define, transmit, and adopt domain-specific vocabularies as first-class CBCL messages, with three machine-checked safety invariants — R1 (no recursion in dialect templates), R2 (declared resource bounds on depth, expansion size, verification time), R3 (core-vocabulary preservation) — that together guarantee DCFL preservation under arbitrary finite sequences of dialect installations.

The paper accompanies the design with a Lean 4 formalization (≈5,400 lines, 16 modules, 176 machine-checked theorems, zero sorry gaps, no custom axioms) covering parser correctness (soundness + completeness), R1–R3 verification, pipeline totality, and the central dcfl_preserved closure theorem; a verified parser binary cbcl-parse is extracted from the proofs. A separately-developed Rust reference implementation (cbcl-rs, ≈11,000 lines, no_std-compatible core) ships a hand-rolled O(n) parser, dialect verification engine, gossip-based dialect propagation (O(log n) convergence per Demers et al.), C FFI/WASM bindings, property-based and differential tests, and cargo-fuzz targets; differential tests cross-validate the Rust parser against the Lean-extracted binary, eliminating spec-implementation parser differentials. Five example dialects (precision agriculture, AI planning, cross-chain asset transfer, artifact management, email) are R1–R3-verified end-to-end. A draft IETF Internet-Draft specifying application/cbcl and a Nostr transport binding (cbcl-nostr) accompany the paper. The Discussion explicitly aligns the design with Singh’s social-agency programme: dialect installation is treated as a public commitment to the dialect’s declared semantics — semantic divergence becomes a breach of commitment, observable and accountable, rather than a hidden failure of shared mental state — sidestepping the unverifiable mentalistic semantics critique of Verifiable Semantics for ACLs.

Implementation status (post-paper, cbcl-rs). The reference implementation has shipped two further safety invariants the paper sketches as future work, plus a richer Lean formalisation: R4 (Integrity) — Ed25519-style signatures over canonical encodings via an algorithm-agnostic Signer trait, with three-valued install verdicts (Valid / Unsigned / Invalid) — and R5 (Contract Well-formedness) — optional (protocol …) and (shape …) clauses on a dialect, expressing causal Merkle DAG protocols and per-performative shape contracts; R5 enforces acyclicity, reachability from begin, performative definedness with ancestor closure for extends, step uniqueness, and depth-bound respect, all decidable in linear fuel at install time. The §VII-D structural-contracts vision is therefore live (SPEC-002, SPEC-003): verify_monotone, verify_all_is_meet, and verify_eventually_consistent are proved theorems showing causal-protocol verification is a lattice homomorphism that joins coordination-free under G-Set store merge — explicit CALM Theorem alignment. The Lean codebase has grown to 380+ declarations across 19 files (still zero sorry, only the standard axioms propext / Classical.choice / Quot.sound); the workspace ships 837 tests including 584 cbcl-core unit tests, 37 proptest cases, 21 differential integration tests against the Lean-extracted binary, libFuzzer harnesses, and cargo-mutants mutation testing at a 90% kill threshold. The crate layout has grown from the paper’s five to seven: the original cbcl-core / cbcl-parser / cbcl-cli / cbcl-wasm / cbcl-ffi plus cbcl-erl (Erlang/LFE binding, SPEC-009 — with SPEC-010 binding-conformance suite) and cbcl-arena (Agent Arena platform, SPEC-012 — composable referee on cbcl-lfe-router with capability-keyed message routing and signed receipt logs). A worked sealed-bid auction dialect (SPEC-004) demonstrates structural defence against false-claim manipulation — concrete evidence that the R5 contract layer is rich enough to encode mechanism-design integrity properties decidably. The earlier Scheme prototype (anuna-research/cbcl) is superseded; architecture decisions live as ADRs under .hence/ (purity boundary, parser library choice, error handling, WASM API surface, R4 adversarial review).

Key Ideas

DCFL as the Goldilocks complexity class: Regular is too weak for nested envelopes/dialects; general CFL admits ambiguous grammars and parser-differential attacks; context-sensitive is PSPACE-complete; Type-0 is undecidable. DCFL is the minimal class that supports nested structure with class-level unambiguity (parser equivalence under language evolution).
Homoiconic self-extension: Dialect definitions are themselves valid CBCL messages, parsed by the same recogniser used for ordinary communication — a single attack surface, no separate meta-language. Inspired by Racket’s #lang mechanism.
Three safety invariants R1–R3: declarative pattern-template substitution only (no recursion, no iteration, no reflection); declared resource bounds (depth ≤ 64, expansion ≤ 8192 chars, verification ≤ 1000 ms); the eight core performatives cannot be redefined.
DCFL preservation theorem: dialect invocations must appear inside a (lang name …) wrapper; the lang tag plus a unique dialect name forms a prefix-free partition that lets a deterministic pushdown automaton dispatch to the appropriate subgrammar without extra lookahead — circumventing the fact that DCFLs are not closed under union in general. Mechanised in Lean 4 as dcfl_preserved.
Lean 4 formalization with extraction: 176 theorems, 0 sorry gaps, no custom axioms; the verified parser binary cbcl-parse is extracted from the proofs and runs the same fuel-bounded recursive-descent parser as the model.
Rust reference implementation: cbcl-core (no_std, no unsafe), cbcl-parser, cbcl-cli, cbcl-ffi, cbcl-wasm. Differential tests against the Lean-extracted binary; cargo-fuzz over five entry points.
Eight core performatives (tell, ask, reply, hello, bye, ok, error, cancel) plus four message categories (simple, meta, lang-scoped, wrapped); keyword parameters in Common-Lisp style (:thread, :in-reply-to).
Single-pass template expansion: terminates in time linear in the template plus argument size; not Turing-complete; output is not fed back into the expander, ruling out unbounded re-expansion.
Epidemic dialect propagation: gossip-based with Demers et al.’s O(log n) convergence bound; agents independently verify R1–R3 and signatures before installing.
Canonical serialization per RFC 9804 for cryptographic operations — deterministic byte representation as a precondition for signature verification.
Dialect identity by content hash: name collisions resolved by canonical-form hash; downgrade attacks rejected at installation.
Self-expression vs self-adaptation (Zambonelli et al.): traditional ACLs support only parameter tuning within fixed structure; CBCL is a self-expressive protocol whose vocabulary structurally evolves under safety constraints.
Singh-aligned reading of dialect installation: a public commitment to declared semantics, with :examples clauses providing machine-checkable behavioural anchors — semantic divergence as observable breach rather than hidden mental-state mismatch.
Stated limitations: DCFL ceiling means no recursive transformations, no cross-field references (e.g. checksums over fields), no aggregation over variable-length collections, no context-sensitive validation. Standish-taxonomy paraphrastic only — no Orthophrase, no Metaphrase. Trust infrastructure (key distribution, revocation) and dialect-curation policy left to deployment.
Structural-contracts extension (sketched in §VII-D, shipped post-paper as R4 + R5): Ed25519-style dialect signatures plus protocol constraints as causal Merkle DAGs over performative-typed messages, with Visibly Pushdown Languages for shape constraints and coordination-free monotonic verification over an append-only store. Lean-mechanised lattice-homomorphism theorems (verify_monotone, verify_all_is_meet, verify_eventually_consistent) establish that replica verdicts join under G-Set merge.

Connections

Common Business Communication Language — McCarthy’s 1975/1982 origin; CBCL is the formally-verified realisation of that vision.
Security Applications Of Formal Language Theory — Sassaman et al.’s LangSec foundations.
Proof-Carrying Code - Necula — Necula 1997, the architectural ancestor of CBCL’s R4 split (host runs a small certified verifier; producer ships the proof).
Enforceable Security Policies - Schneider — Schneider 2000, the formal warrant for R5 monotone-verdict trace monitoring.
An Axiomatic Basis for Computer Programming - Hoare — Hoare 1969, root of the contract-based verification line CBCL inherits.
Authentication in Distributed Systems - Lampson Abadi Burrows Wobber — Lampson et al. 1992, the Speaks-For Calculus for delegated commitments.
Articulating Reasons - Brandom — Brandom 2000, the philosophical underwriting of Public Semantics (entry point).
Making It Explicit - Brandom — Brandom 1994, the full inferentialist treatise.
Empiricism and the Philosophy of Mind - Sellars — Sellars 1956, the Myth of the Given that makes Semantics-Without-Minds possible.
Philosophical Investigations - Wittgenstein — Wittgenstein 1953, Meaning As Use / language-games / rule-following.
Two Dogmas of Empiricism - Quine — Quine 1951, Semantic Holism.
Assertion - Stalnaker — Stalnaker 1978, Common Ground update semantics — operational analogue of CBCL’s verdict ledger.
Languages and Language - Lewis — Lewis 1975, Convention of Truthfulness picture of how an abstract language gets in force in a population.
Communicative Actions for Artificial Agents - Cohen Levesque — Cohen & Levesque 1995, the Mentalistic Semantics high-water mark CBCL deliberately is not.
FIPA-ACL Specifications — the engineering of FIPA-ACL (envelope, conversation-id, ontology slot) CBCL inherits; the semantics it replaces.
An Ontology for Commitments in Multiagent Systems - Singh — Singh 1999, the formal commitment ontology CBCL’s dialect contracts instantiate.
Jones-Sergot Normative Systems — Jones & Sergot 1993, the Counts-As Relation that gives wire events institutional meaning under a dialect contract.
Exploit Programming - From Buffer Overflows To Weird Machines — weird-machine analysis CBCL is designed to preclude at the parser layer.
PKI Layer Cake - Kaminsky Patterson Sassaman — concrete parser-differential attacks; CBCL’s class-level unambiguity rules these out at the grammar level.
The Halting Problems of Network Stack Insecurity
A Language-Based Approach To Prevent DDoS
LangSec
KQML as an Agent Communication Language
KQML - A Language And Protocol For Knowledge And Information Exchange
FIPA-ACL
ACL Rethinking Principles — Singh’s social-agency critique that CBCL’s “dialect installation as public commitment” inherits.
Agent Communication Languages - Rethinking the Principles
Verifiable Semantics for ACLs
A Common Ontology Of ACLs
Commitment-based Semantics
The State of the Art in Agent Communication Languages
Trends in Agent Communication Language
Toward Principles for the Design of Ontologies Used for Knowledge Sharing — Gruber’s ontological-commitment principle CBCL inherits.
Some Philosophical Problems from the Standpoint of Artificial Intelligence — McCarthy & Hayes’s representation/computation separation.
Elephant 2000 - A Programming Language Based on Speech Acts — McCarthy’s intra-program speech-act counterpart to CBCL’s inter-organisational vision.
Adjectival Modifiers
S-expression
Homoiconicity
Code as Data
Creating Languages in Racket — Flatt’s #lang mechanism that inspired CBCL’s homoiconic self-extension.
Extensibility in Programming Language Design - Standish
Language Extensibility Taxonomy
Paraphrase
Orthophrase
Metaphrase
Self-Expression
Self-Adaptation Self-Expression Self-Awareness ASCENS
Dialects and Idiolects
Keeping CALM - When Distributed Consistency is Easy — CALM theorem underwriting the forthcoming coordination-free contracts extension.
Visibly Pushdown Languages
MCP Landscape Security Threats And Future Research Directions
Survey Of AI Agent Protocols
Survey Of Agent Interoperability Protocols
ClawWorm Self-Propagating Attacks Across LLM Agent Ecosystems — concrete LLM-agent worm whose root-cause analysis CBCL’s lang-scoped provenance addresses.
Why AI Agents Communicate In Human Language
Why Do Multi-Agent LLM Systems Fail
Gossiping in Distributed Systems
Gossip-based Aggregation in Large Dynamic Networks

Conceptual Contribution

Claim: Agent communication languages can be simultaneously expressive, runtime-extensible, and tractably verifiable iff every message — including those that extend the language — is constrained to the deterministic context-free language class; this constraint is compatible with first-class self-extension, can be machine-checked end-to-end, and converts the unverifiable-mental-state problem of mentalistic ACLs into a public-commitment problem at the protocol layer.
Mechanism: Eight-performative core grammar (LL(1), DCFL); homoiconic dialect mechanism — dialect definitions are valid CBCL messages with extend clauses describing pattern-template substitutions; three safety invariants R1–R3 enforced at installation (no recursion via DFS cycle detection, declared resource bounds, core-vocabulary preservation); (lang name …) wrapper providing prefix-free deterministic dispatch into per-dialect sub-grammars so the union remains DCFL. Lean 4 formalization (LeanCbcl, ~5,400 LoC, 176 theorems) covering parser soundness/completeness, R1–R3, pipeline totality, and dcfl_preserved; verified parser extracted to a runnable binary (cbcl-parse). Rust reference implementation (cbcl-rs, ~11,000 LoC) with a ResourceContext-tracked single-pass expander, gossip-based dialect propagation (O(log n) per Demers et al.), canonical RFC-9804 serialization for signing, algorithm-agnostic Signer trait, C FFI / WASM bindings, property-based + differential tests, fuzz targets. Draft IETF application/cbcl Internet-Draft and Nostr transport binding.
Concepts introduced/used: Deterministic Context-Free Language, LangSec, Homoiconicity, S-expression, Dialects and Idiolects, Performatives, Self-Expression, Paraphrase, Orthophrase, Metaphrase, Visibly Pushdown Languages, CALM Theorem, Commitment-based Semantics, Public Semantics, Verifiable Semantics, Adjectival Modifiers, Ontological Commitment, Lean 4, Property-Based Testing, Parser Differential Attack, Weird Machine, Gossip Protocols, Canonical Serialization, Nostr, hence
Stance: engineering / formal-methods, with explicit position-taking on the agent-communication design space
Relates to: Realises McCarthy’s Common Business Communication Language vision (1975/1982) by giving formal safety guarantees McCarthy could only gesture at. Sits squarely in the LangSec programme of Security Applications Of Formal Language Theory and Exploit Programming - From Buffer Overflows To Weird Machines, extending it from input-validation analysis to protocol design — claiming, plausibly, to be the first ACL designed from LangSec principles and the first to demonstrate that LangSec is compatible with runtime self-extension. Inherits the DCFL-vs-ambiguous-CFG argument from PKI Layer Cake - Kaminsky Patterson Sassaman and applies it at the message layer rather than the certificate layer. Builds explicitly on Singh’s social-agency critique (ACL Rethinking Principles) and Wooldridge’s verifiability programme (Verifiable Semantics for ACLs) by treating dialect installation as a public commitment whose semantics are anchored by the :examples clause — a machine-checkable analogue of the commitment-trace conformance that Flexible Protocol Specification and Execution (Yolum & Singh) and Commitment Machines - Yolum and Singh establish for protocol actions. Where Pact - A Choreographic Language for Agentic Ecosystems takes the individual-rationality fork to answer “why follow a protocol?”, CBCL takes the publicness/verifiability fork: the meaning of a message is fully determined by the formal grammar plus declared semantics, with no mental-state inference required. Inherits Gruber’s ontological-commitment architecture but replaces “out-of-band agreement” with in-protocol propose/query/teach. The extensibility design draws on Creating Languages in Racket (Flatt’s #lang) and respects the boundary set by Extensibility in Programming Language Design - Standish: paraphrastic only, deliberately excluding orthophrase/metaphrase to keep the attack surface bounded. The forthcoming structural-contracts extension uses Visibly Pushdown Languages for shape constraints and the CALM Theorem for coordination-free verification — a natural bridge to commitment-machine semantics. The LLM-agent threat-model framing (ClawWorm Self-Propagating Attacks Across LLM Agent Ecosystems, MCP Landscape Security Threats And Future Research Directions) positions CBCL as the structural alternative to MCP/JSON-RPC-with-natural-language: same extensibility, vastly tighter security envelope.

Tags

#acl #langsec #formal-verification #lean4 #rust #homoiconic #dcfl #self-extension #commitment-based #position-paper #foundational

Backlinks

Linked Pages

MCP Landscape Security Threats And Future Research Directions

Model Context Protocol (MCP): Landscape, Security Threats, and Future Research Directions

Reference: Hou, Zhao, Wang, Wang (2025). Huazhong University of Science and Technology. arXiv:2503.23278. Source file: 2503.23278.pdf. URL

Summary

The first in-depth academic analysis of the Model Context Protocol (MCP) ecosystem. The authors trace the evolution from manual API wiring through OpenAI plugins and framework-specific tool abstractions (LangChain, LlamaIndex) to Anthropic’s MCP, which they characterise as a protocol-level standard that decouples tool implementation from usage, enabling dynamic discovery, bi-directional channels, and schema negotiation.

Beyond the ecosystem survey, the paper contributes a systematic threat taxonomy: four attacker archetypes (malicious developers, external attackers, malicious users, security flaws) and 16 concrete threat scenarios spanning creation, deployment, operation, and maintenance of MCP servers. Real-world case studies validate the threat model against current servers, and the authors outline governance and scalability directions for MCP’s sustainable growth.

Key Ideas

MCP as the first post-function-calling protocol standard for LLM tool access (vs platform-specific plugins).
Lifecycle model for MCP servers: creation, deployment, operation, update, termination.
Four attacker archetypes: malicious developers, external attackers, malicious users, security flaws.
16 threat scenarios including tool poisoning, installer spoofing, unauthorized access.
Bi-directional communication channels distinguish MCP from one-way plugin interfaces.
Remaining gaps: security, tool discoverability, remote deployment, governance.

Connections

Model Context Protocol
Survey Of Agent Interoperability Protocols
Survey Of AI Agent Protocols
LLM Agents
Tool Use
AI Agents Under Threat
MalTool Malicious Tool Attacks
Agent Security
CBCL - Safe Self-Extending Agent Communication — structural alternative: a DCFL-bounded ACL with formally-checked self-extension, addressing the unbounded-input-language problem that underlies MCP’s threat surface.

Conceptual Contribution

Claim: MCP represents a qualitative shift from hardcoded, per-application tool bindings to a composable, discoverable ecosystem of AI-native web services — but its rapid adoption has outrun academic analysis of its architecture, lifecycle, and security posture.
Mechanism: Combines an architectural decomposition (host/client/server) and a five-phase server lifecycle with a threat-modelling exercise across 16 scenarios and 4 attacker archetypes, grounded in real MCP servers surveyed in the wild.
Concepts introduced/used: Model Context Protocol, Tool Use, Agent Security, LLM Agents, Interoperability, Agent Discovery
Stance: survey / threat analysis
Relates to: Deepens the MCP security discussion sketched in Survey Of Agent Interoperability Protocols and Survey Of AI Agent Protocols; its threat taxonomy complements MalTool Malicious Tool Attacks and AI Agents Under Threat by focusing specifically on the MCP protocol surface rather than individual tools.

Tags

ClawWorm Self-Propagating Attacks Across LLM Agent Ecosystems

ClawWorm: Self-Propagating Attacks Across LLM Agent Ecosystems

Reference: Yihao Zhang, Zeming Wei, Xiaokun Luan, Chengcan Wu, Zhixin Zhang, Jiangrong Wu, Haolin Wu, Huanran Chen, Jun Sun, Meng Sun (2026). arXiv:2603.15727v2 (Peking University; Sun Yat-sen; Wuhan; Tsinghua; SMU). Source file: 2603.15727v2.pdf. URL

Summary

Presents ClawWorm, the first demonstrated self-replicating, worm-style attack on a production-scale autonomous LLM-agent ecosystem. The target is OpenClaw, an open-source personal AI-agent framework with over 40,000 active instances, a persistent Markdown workspace (SOUL.md, AGENTS.md, SKILL.md), tool-execution privileges, and cross-platform messaging (Telegram, Discord, WhatsApp, Slack, Signal, Moltbook). A single crafted message triggers the victim to write a malicious payload into its highest-privilege configuration file, which then auto-fires at every session restart and autonomously propagates to every newly encountered peer — all without further attacker intervention.

The worm implements a dual-anchor persistence mechanism: one anchor injects the payload into the Session Startup section of AGENTS.md (guaranteeing execution on reboot), the other injects a global interaction rule (guaranteeing propagation during routine replies). Three attack vectors are studied (A: web injection, B: skill-supply-chain via ClawHub, C: direct fenced-code replication with word-by-word handshake) and three payloads (P1 recon, P2 resource exhaustion, P3 command-and-control via URL retrieval). Across 1,800 trials on four frontier LLM backends (Minimax-M2.5, DeepSeek-V3.2, GLM-5, Kimi-K2.5) the aggregate attack success rate is 64.5%, with Vector B (skill supply chain) reaching 81% and sustained multi-hop propagation up to 5 hops. An epidemiological projection with basic reproduction number R0 = k × ASR shows inevitable ecosystem-wide saturation even for security-conscious models.

The root cause is identified as the flat context trust model: the LLM cannot distinguish instructions from its owner, the system layer, or an arbitrary channel participant, so architectural patterns (unconditional workspace loading, LLM-mediated tool authorisation, unreviewed skill packages) amount to structural — not idiosyncratic — vulnerabilities shared by any agent ecosystem of similar design.

Key Ideas

Single-message, fully autonomous worm against a production agent framework
Dual-anchor persistence: Session Startup + global interaction rule
Three attack vectors (web URL, skill supply chain, direct instruction replication)
Multi-turn autonomous-retry social engineering boosts ASR by up to +24 pp
Epidemiological SI model with R0 = k × ASR predicts ecosystem saturation
Execution-layer guardrails alone cannot halt propagation (dormant payloads persist)
Flat context trust model as structural root cause

Connections

Agent Security
Prompt Injection
LLM Agents
Multi-Agent Systems
Distributed Security
Model Context Protocol
Gossip Protocols
Trust and Reputation
Theory of Self-Reproducing Automata — foundational ancestor of self-replicating computation
Agents of Chaos — empirical companion on agent-ecosystem failures
MalTool Malicious Tool Attacks — the tool/skill-supply-chain attack surface
SoK The Attack Surface of Agentic AI — systematic context
Inter-Agent Trust Models - A Comparative Study — why flat trust is brittle
CBCL - Safe Self-Extending Agent Communication — structural defence: lang-scoped dialect provenance plus R1–R3 verification address the flat-context-trust root cause.

Conceptual Contribution

Claim: Production-scale autonomous LLM-agent ecosystems are vulnerable to single-message, self-replicating worms whose root cause is architectural (flat context trust, unconditional config loading, unreviewed skill supply chains), not model-specific.
Mechanism: Empirical red-team against unmodified OpenClaw v2026.3.12 across four LLM backends, three vectors, three payloads (1,800 trials). A dual-anchor persistence pattern writes the payload to AGENTS.md and installs a global propagation rule; session-restart loading re-injects the payload into the system prompt; routine replies carry the payload to peers. Evaluated with per-phase metrics (persistence, execution, propagation) and a mean-field R0 epidemiological projection.
Concepts introduced/used: Self-Replicating Agent, Dual-Anchor Persistence, Flat Context Trust Model, Skill Supply Chain Attack, Indirect Prompt Injection, Agent Worm, Configuration Integrity, Multi-Turn Social Engineering, Epidemiological Projection R0
Stance: empirical / critique
Relates to: Concrete multi-agent instantiation of the threat surface catalogued in SoK The Attack Surface of Agentic AI. The flat-trust critique complements the trust-model taxonomy in Inter-Agent Trust Models - A Comparative Study and the safety failures observed in Agents of Chaos. Motivates verifiable specifications of the kind proposed in Intent Formalization - A Grand Challenge for Reliable Coding.

CALM Theorem

Consistency As Logical Monotonicity (Hellerstein 2010 conjecture; Ameloot, Neven, Van den Bussche 2013 proof). A distributed program has a consistent, coordination-free implementation if and only if it is expressible in monotonic logic.

Monotonic programs produce a set of outputs that only grows as inputs arrive (S ⊆ T ⟹ P(S) ⊆ P(T)). Such programs are safe under missing information: any conclusion reached on a subset of inputs remains valid when more arrive. Non-monotonic programs may retract earlier conclusions, so they must wait for “all the news” — which is what distributed coordination enforces.

CALM is the positive counterpart to the CAP Theorem: it names the exact class of programs that can satisfy Consistency, Availability, and Partition-tolerance simultaneously.

Why it matters

Moves consistency from a property of storage (linearizability, serializability) to a property of programs — Confluence.
Tells programmers what kinds of features are free (monotonic: set union, counting up, set-containment) and what must be paid for (non-monotonic: set difference, strict aggregation, count-exact, deletions without tombstones).
Gives a design rule for coordination-free systems: build from monotonic primitives — CRDTs, Immutable Data Structures, Tombstones, monotonic accumulators — and only add coordination at non-monotonic boundaries.

Formal statement

Using Relational Transducer networks as the execution model and Confluence as the consistency criterion, Ameloot et al. prove: a query Q has a coordination-free distributed evaluation plan iff Q is monotone.

In this vault

Keeping CALM - When Distributed Consistency is Easy — the definitive survey
CAP Theorem
Confluence
Monotonic Logic
Coordination Avoidance
Relational Transducer
Bloom Language
Dedalus
CRDTs
Non-monotonic Reasoning

Visibly Pushdown Languages

Alur and Madhusudan’s (2004) language class strictly between regular and deterministic context-free, in which input symbols are partitioned into call, return, and internal alphabets and the pushdown stack must push/pop in lock-step with call/return symbols. VPLs retain decidable inclusion, intersection, and equivalence — properties that general context-free languages lose — making them attractive for verifying structural contracts over hierarchical messages. CBCL - Safe Self-Extending Agent Communication’s shipped R5 shape-contract layer uses VPLs over expanded S-expressions to express decidable per-performative shape constraints while remaining within DCFL.

In this vault

Extensibility in Programming Language Design - Standish

Extensibility in Programming Language Design

Reference: Thomas A. Standish (1975). National Computer Conference 1975 (AFIPS). Source file: 1499949.1500003.pdf. URL

Summary

A retrospective on the 1960s-70s “extensible languages” movement. Standish catalogues extension techniques (paraphrase, orthophrase, metaphrase), reviews what the early community hoped for — a universal base language that any user could tailor with modest effort — and explains why those hopes were only partly realised. He concludes that extensibility relates to high-level languages the way macros relate to assembly: useful for suppressing low-level detail and masking irritating features, but not the programming revolution once promised.

The paper is an early, honest assessment of why language extension is harder than anticipated, introducing vocabulary still used today.

Key Ideas

Paraphrase: defining new forms via existing ones (macros, procedures)
Orthophrase: adding orthogonal features that cannot be paraphrased
Metaphrase: altering interpretation rules (scoping, evaluation)
Early euphoria vs realistic assessment of labour/skill costs
27 extensible languages proposed by 55 people by 1975

Connections

Conceptual Contribution

Claim: The 1960s-70s dream of universal extensible languages largely failed because extension techniques divide into qualitatively different kinds with very different labor costs; only the cheapest (paraphrase, macros) proved practically useful.
Mechanism: Taxonomy of extension techniques — paraphrase (define new forms in terms of existing ones: macros, procedures, syntax macros, data/operator definitions), orthophrase (add genuinely new features outside the base language’s span, e.g. I/O primitives), and metaphrase (alter interpretation rules: scoping, evaluation order). Argues orthophrase/metaphrase require near-compiler-writer expertise and rarely pay off.
Concepts introduced/used: Paraphrase, Orthophrase, Metaphrase, Macros as Language Extension, Language Extensibility Taxonomy, Extensible Languages Movement, Domain-Specific Languages
Stance: retrospective-critique / taxonomic
Relates to: Direct intellectual ancestor of The Extensible Language - Graham and Creating Languages in Racket, both of which represent the paraphrase/macro wing that Standish judged successful. A Modular Approach to Metatheoretic Reasoning for Extensible Languages tackles the metatheoretic difficulties Standish foresaw for orthophrase extensions.

Tags

Creating Languages in Racket

Reference: Matthew Flatt (2012). Communications of the ACM, Vol. 55, No. 1. Source file: 2063176.2063195.pdf. URL

Summary

Practitioner-oriented introduction to Racket’s support for language-oriented programming: building domain-specific languages as a natural extension of ordinary programming. Flatt develops a text-adventure game incrementally, starting from Racket’s core, adding pattern-matching macros (define-syntax-rule) for define-place, define-thing, define-verb, then packaging these extensions into a module language (#lang txtadv) with its own non-parenthesised reader syntax and IDE (DrRacket) support.

The article demonstrates the full spectrum from simple syntactic abstraction via macros up through module languages that replace the default reader, showing how Racket smooths the path from library to full DSL.

Key Ideas

Language-oriented programming as a practical paradigm
define-syntax-rule and syntax-case macros for pattern-based extension
Module languages (#lang ...) package extensions as first-class languages
Static checks can be implemented via macro-level type tagging
DrRacket provides IDE integration for custom languages

Connections

Conceptual Contribution

Claim: Language-oriented programming — building a small DSL exactly fitted to a task — should be cheap and incremental, not a heavyweight “build a compiler” affair; Racket’s macro system and module-language machinery make this the normal way to program.
Mechanism: Walk through a text-adventure game implementation that evolves from plain-Racket library → syntactic abstractions (define-syntax-rule for define-place, define-thing) → a full #lang txtadv module language with custom reader, static checks via compile-time elaboration, and replaceable surface syntax; show each step as a small syntactic or module addition rather than a rewrite.
Concepts introduced/used: Language-oriented Programming, Racket Macros, Module Languages, Syntactic Abstraction, DSLs, Domain-Specific Languages, Language Workbenches, Hygienic Macros, Macros as Language Extension
Stance: engineering / tutorial
Relates to: Modern realisation of the paraphrase-extension ideal diagnosed in Extensibility in Programming Language Design - Standish and evangelised in The Extensible Language - Graham. Provides the practice for which A Modular Approach to Metatheoretic Reasoning for Extensible Languages supplies a metatheoretic backbone.

Tags

Toward Principles for the Design of Ontologies Used for Knowledge Sharing

Reference: Gruber, T. R. (1995). International Journal of Human-Computer Studies, 43(5–6), 907–928. Substantial revision of a 1993 paper presented at the International Workshop on Formal Ontology (Padova). Also Stanford KSL Technical Report 93-04. Source file: gruber_onto_design.pdf. URL

Summary

Gruber articulates the engineering foundations of ontology design for knowledge sharing. An ontology is defined as an explicit specification of a conceptualization: a vocabulary of classes, relations, functions, and object constants, together with axioms constraining their interpretation, intended to allow heterogeneous agents to communicate about a domain without sharing a global knowledge base. Agents commit to an ontology when their observable behaviour is consistent with its definitions — a notion of commitment grounded in Newell’s Knowledge Level and Levesque’s tell-and-ask interface. Common ontologies thus underwrite interoperability at the knowledge level rather than at the symbol or data level.

Gruber proposes five design criteria: (1) Clarity — definitions should be objective and, where possible, complete (necessary and sufficient conditions); (2) Coherence — sanctioned inferences must be consistent with informal definitions; (3) Extendibility — anticipate new uses so the vocabulary can be monotonically extended without revision; (4) Minimal encoding bias — conceptualise at the knowledge level, independent of symbol-level representation; (5) Minimal ontological commitment — say only what is required for the intended knowledge-sharing tasks, leaving maximum freedom for specialisation. He discusses the tradeoffs — especially between extendibility and minimal commitment — and illustrates the criteria through case studies in engineering mathematics (physical quantities, units, algebras) and bibliographic data, contrasting alternative design choices against the criteria. The paper is the engineering charter for the ontology-sharing tradition that produced Ontolingua, KIF, and the modern Semantic Web.

Key Ideas

Ontology = explicit specification of a conceptualization.
Ontological commitment: observable behaviour consistent with definitions.
Knowledge-level (not symbol-level) specification (Newell).
Tell-and-ask interface as the model of agent knowledge use (Levesque).
Five design criteria: clarity, coherence, extendibility, minimal encoding bias, minimal commitment.
Design tradeoffs, particularly extendibility vs. minimal commitment.
Case studies: engineering mathematics and bibliographic data.
Ontology as shared vocabulary, not shared belief.

Connections

Conceptual Contribution

Claim: Ontologies are designed artifacts for knowledge sharing and should be evaluated by objective engineering criteria — clarity, coherence, extendibility, minimal encoding bias, and minimal ontological commitment — rather than by a priori notions of naturalness or metaphysical truth.
Mechanism: Gruber grounds the account in the Knowledge Level: an ontology specifies a conceptualization via a logical vocabulary with definitional and constraint axioms; an agent commits to the ontology when its tell/ask behaviour respects those definitions. He derives the five criteria from the requirements of knowledge-sharing interoperability, works through their inherent tensions (e.g., clarity favours complete definitions while minimal commitment favours weaker theories; extendibility favours larger vocabulary while minimal commitment favours smaller), and illustrates the application of the criteria in case studies that compare alternative representational choices.
Concepts introduced/used: Ontology, Ontological Commitment, Conceptualization, Knowledge Level, Clarity, Coherence, Extendibility, Encoding Bias, Minimal Ontological Commitment
Stance: engineering methodology
Relates to: Canonical definition inherited by Ontologies, Ontology Engineering and Handbook On Ontologies; underpins the shared-vocabulary assumption of KQML and A Common Ontology Of ACLs; supplies the design rationale behind Ontolingua Portable Ontology Specifications.

Tags

Pact - A Choreographic Language for Agentic Ecosystems

Pact: A Choreographic Language for Agentic Ecosystems

Reference: Gopinathan, K., Feser, J., Naim, M., Tavares, Z. & Bingham, E. (2026). 2nd International Workshop on Choreographic Programming (CP 2026), Boulder, CO, June 15–19. arXiv:2605.03143v1 [cs.PL], 4 May 2026 (talk paper). Basis Research Institute. URL

Summary

Gopinathan et al. extend Choreographic Programming to the open-systems setting where participants are self-interested and may not faithfully execute a protocol. Choreographies (Montesi 2023; Bates et al. 2025) give correct-by-construction, deadlock-free distributed protocols by writing one global program that is mechanically projected to local endpoints, but they assume cooperative participants — they cannot answer why an autonomous agent should follow the projected protocol. Pact answers that question by adding three operators to a core choreographic calculus: agent.choose(τ) for explicit strategic non-determinism, agent.values(x) for declared utility dependencies, and world.choose(τ) for exogenous “nature” variables that capture each agent’s priors over the environment. Every Pact program then maps unambiguously to a formal extensive-form game.

The headline analysis is a decision-policy solver built on the Memo Programming Language (Chandra et al. 2025), a probabilistic-programming DSL for cognitive theory-of-mind models. From the projected Pact program a memo model is constructed in which each role recursively simulates the other to depth ℓ; running inference yields a level-ℓ bounded-rational policy mapping observations to choices. Applied to the canonical book-seller choreography the solver recreates Akerlof’s Market for Lemons: at depth 0 the buyer naïvely treats price as a signal of quality and the seller exploits this; as ℓ grows the acceptance probability flattens. The implementation is an embedded Python DSL on top of the Effectful algebraic-effects library, with endpoint projection realised as effect handlers. The paper is positioned as preliminary work; next steps named are formalising the semantics, proving correctness of projection-to-game, and adding incentive-compatibility / equilibrium / mechanism-design analyses.

Key Ideas

Choreography + game theory: a global protocol gets three game-theoretic operators (choice, value, nature) so that endpoint projection produces both a runnable program and a formal game.
values as type signature, not utility: declarations name the variables that influence an agent’s payoff but not the function — utilities are private and adversarially incentive-incompatible to disclose. The role of values is to constrain which protocols are mutually negotiable.
Theory-of-mind solver via memo: bounded-rational level-ℓ recursion over agent models, with the recursion bottoming out at naïve priors at ℓ = 0.
Lemons re-derived from a choreography: information asymmetry over an exogenous book.quality variable is enough to reproduce Akerlof’s unravelling result on the bookseller protocol.
Algebraic-effects implementation: endpoint projection implemented as effect handlers in Python (effectful); choreography is a single program that runs differently depending on which handler (Endpoint Projection) is installed.
Motivation framed against LLM agent failure modes: prompt injection, sycophancy, and coercion of LLM agents are cited as the reasons untrusted-counterpart coordination needs formal protocol artefacts rather than free-form natural-language negotiation.

Connections

Conceptual Contribution

Claim: Choreographic protocols for autonomous-agent ecosystems should make agent strategy first-class — explicit choices, declared utility dependencies, and exogenous priors — so that every protocol corresponds to a formal game and can be analysed for whether self-interested agents will participate.
Mechanism: Three new constructs added to a core choreographic calculus (agent.choose, agent.values, world.choose); a structural map from Pact programs to extensive-form games; a level-ℓ bounded-rational decision-policy solver built by translating the projected program into a Memo Programming Language theory-of-mind model and running probabilistic inference over it; an embedded-DSL implementation in Python via algebraic effects realising endpoint projection.
Concepts introduced/used: Choreographic Programming, Endpoint Projection, Theory of Mind, Memo Programming Language, Bounded Rationality, Market for Lemons, Mechanism Design, Algebraic Effects, Negotiation, Game-Theoretic Trust, Mentalistic Semantics
Stance: position / preliminary engineering (CP 2026 workshop talk paper)
Relates to: A contemporary LLM-era restatement of the individual-rationality answer to “why follow a protocol?” first formalised by Deals Among Rational Agents (Rosenschein & Genesereth 1985) and lifted to mental attitudes by Intention Is Choice with Commitment (Cohen & Levesque 1990). The paper is structurally adjacent to — but does not engage — the entire commitment-protocol tradition: Flexible Protocol Specification and Execution (Yolum & Singh 2002) gives a global protocol semantics in the Event Calculus with explicit Create / Discharge / Cancel / Release / Assign / Delegate operations whose runs project to local agents in a way directly analogous to choreographic endpoint projection, and A Commitment-Based Approach to Agent Communication (Fornara & Colombetti 2004) gives an operational FSM semantics for the same primitives. ACL Rethinking Principles (Singh 1998) and Verifiable Semantics for ACLs (Wooldridge 1998) anticipate the central limitation: a semantics grounded in agent utilities and recursive belief models is unverifiable from message traces alone — the very failure modes the paper opens with (prompt injection, sycophancy, coercion) destabilise the priors and rationality assumptions the solver depends on. The Lemons demo, taken at face value, is an argument for institutional / commitment mechanisms (warranties, refund obligations, certification) of the kind Singh’s programme articulates rather than for theory-of-mind solving. The constructive synthesis the paper does not propose is to layer commitment operations onto the choreographic substrate so that protocols carry both a public, observable commitment trace (Singh-style verifiability) and a game-theoretic acceptability analysis (Pact-style strategic reasoning); choreographies are a particularly natural host because endpoint projection already gives the global-to-local move that Commitment Machines approximates by FSM compilation. On the LLM-agent side the paper’s diagnosis converges with Why AI Agents Communicate In Human Language (formal protocol artefacts beat free-form natural-language negotiation) and complements the standardisation argument of LLM Agent Communication Protocol Requires Urgent Standardization.

Tags

Commitment Machines - Yolum and Singh

Commitment Machines

Reference: Yolum, P. & Singh, M.P. (2002). Intelligent Agents VIII: Agent Theories, Architectures, and Languages (ATAL-01), LNAI 2333, pp. 235–247. Springer. (A preliminary version appeared in WET-ICE 2000.) Source file: yolum-singh-2002-commitment-machines.pdf. URL

Summary

Yolum and Singh propose commitment machines (CMs) as a protocol formalism that, unlike finite-state machines or Petri nets, attaches declarative meaning to states and actions in terms of the participants’ Social Commitments. A CM is a triple ⟨M, Δ, F⟩ of a finite minimal set of meanings (formulas in a propositional language extended with a commitment operator Cₓp and a strict-implication operator ;), a set of actions ⟨a : e⟩ whose effect e is itself a meaning, and a set of consistent final meanings. Transitions are not enumerated — they are inferred from the logical consequences of applying an action’s effect to the current meaning. The running example is the NetBill Protocol, specified by atomic propositions (request, goods, pay, receipt) and abbreviations for conditional commitments (accept = C_c(goods ; pay), promiseGoods = C_m(accept ; goods), etc.); three reasoning rules govern how commitments evolve as content propositions are made true.

The paper’s central technical contribution is a compilation procedure that turns any complete CM (one whose meaning set is closed under antecedence) into a deterministic FSM that can be executed in constant space without commitment reasoning at run time. The procedure is shown sound (Theorem 2 — every realised computation is generated by the source CM) and complete (Theorem 3 — every CM-generated computation has a semantically-strongest, efficient FSM-realised counterpart from true), via a chain of lemmas about semantic superiority, efficient computations, and endpoint equivalence. Because the meanings of states are explicit, agents executing the CM directly can plan paths through the protocol that exploit opportunities (e.g. a merchant proactively quoting without a request, “try before you buy” deals) and handle exceptions, recovering autonomy that pure-token FSM/Petri-net specifications eliminate.

Key Ideas

Commitment machine ⟨M, Δ, F⟩: state space is a finite minimal set of meanings (formulas) rather than tokens; actions ⟨a : e⟩ carry effect-meanings; final states are a consistent subset of meanings.
Inferred transitions: q ⊨_⟨a:e⟩ r iff (q ∧ e) ⊢ r — transitions are derived from logical entailment, not enumerated edges.
No fixed start state: a CM has no s₀; participants may begin from any meaning whose commitments they accept (typically true).
Three reasoning rules over commitments: (1) Cₓp discharges when p holds; (2) Cₓ(p ; r) collapses to base-level Cₓr when p holds; (3) Cₓ(p ; r) ceases when r holds before p, with no new commitment.
Compilation to deterministic FSM under two restrictions: (R1) no transition mᵢ → mⱼ if mᵢ ⊢ mⱼ (no information-free moves); (R2) the target meaning must dominate all alternatives entailed by the action (forcing maximal information).
Completeness requires “complete” CMs — meaning set closed under antecedence — so that a unique strongest target meaning always exists; trivially achieved by closing under conjunction.
Soundness, completeness, determinism established as theorems over the computation abstraction (sequences of meanings interleaved with actions); computations are compared by semantic superiority and endpoint equivalence rather than literal action-sequence equality.
Flexibility recovered for free: since states encode meanings, agents can skip steps, reorder, or take unsolicited shortcuts whenever the resulting meaning is still in M and the path to a final meaning still exists.

Connections

Conceptual Contribution

Claim: Multi-agent protocols should be specified by giving states and actions declarative meaning in terms of the participants’ commitments — not by enumerating legal token sequences — and any such specification can be soundly and completely compiled to a deterministic FSM, recovering executability without forfeiting flexibility, autonomy, or the ability to handle exceptions and exploit opportunities.
Mechanism: A propositional language with a commitment operator Cₓ and strict-implication ;; meaning sets M and final-meaning sets F (consistent w.r.t. logical consequence); action effects given as meanings; transitions inferred via (q ∧ e) ⊢ r. Compilation Procedure 1 maps ⟨M, Δ, F⟩ → ⟨S=M, Σ={a}, s₀=true, Q=F, δ⟩ under the two information-monotonicity restrictions; Procedure 2 promotes a computation to its semantically strongest counterpart, Procedure 3 removes redundant self-transitions, yielding efficient semantically-strongest computations that are realised by the compiled FSM. Soundness (Thm 2), determinism (Thm 1), and completeness for complete CMs (Thm 3) are proved.
Concepts introduced/used: Commitment Machines, Commitment-Based Protocol, Commitment-based Semantics, Conditional Commitment, Social Commitment, Public Semantics, Verifiable Semantics, NetBill Protocol, Endpoint Projection (structural analogue), Conversation Protocols, Speech Act Theory
Stance: formal-semantic / engineering
Relates to: Direct precursor and structural sibling of Flexible Protocol Specification and Execution (Yolum & Singh, AAMAS-02), which lifts the same six commitment operations (Create / Discharge / Cancel / Release / Assign / Delegate) into the Event Calculus and adds an abductive planner; ATAL-01 here is the FSM-compilation half of that programme. Companion to A Commitment-Based Approach to Agent Communication (Fornara & Colombetti, AAMAS-02 / AAI-04), which gives an OO/FSM operational semantics for the same primitives plus a precommitment state for directives. Carries forward the social-agency programme of ACL Rethinking Principles (Singh 1998) and answers Wooldridge’s challenge in Verifiable Semantics for ACLs by grounding meaning in publicly-observable commitment formulas rather than agent mental state. The Discussion explicitly contrasts with Smith et al.’s joint-intention–based protocols (mental constructs vs. social constructs) — the same fork that Intention Is Choice with Commitment anchors on the mental side. Structurally a direct analogue of choreographic Endpoint Projection: both compile a globally-specified protocol artefact to a per-role executable, the CM/FSM compilation losing declarative meaning for runtime efficiency much as endpoint projection loses the global view for distributable execution. This makes ATAL-01 the load-bearing reference for the constructive synthesis suggested in the Pact - A Choreographic Language for Agentic Ecosystems entry — choreographies could carry both communication structure (Pact-side) and a CM-style commitment trace (Singh-side), with one compilation step yielding both deadlock-freedom and conformance-checkability.

Tags

Flexible Protocol Specification and Execution

Flexible Protocol Specification and Execution: Applying Event Calculus Planning Using Commitments

Reference: Yolum, P. & Singh, M.P. (2002). Proceedings of the 1st International Joint Conference on Autonomous Agents and Multiagent Systems (AAMAS ’02), pp. 527–534. ACM, Bologna. Source file: yolum-singh-2002-flexible-protocol.pdf. URL

Summary

Yolum and Singh argue that finite-state-machine and Petri-net protocol formalisms over-constrain multi-agent interactions because they fix legal sequences of message tokens without regard to what those messages mean. They develop a commitment-based alternative in which each protocol action is reified as an operation on social commitments — Create, Discharge, Cancel, Release, Assign, Delegate — and the rules for how commitments evolve are formalised in a variant of the Event Calculus (Kowalski-Sergot, in Shanahan’s planner formulation). Base-level commitments C(x,y,p) and conditional commitments CC(x,y,p,q) become event-calculus fluents whose Initiates/Terminates clauses constitute the protocol specification.

The running example is the NetBill e-commerce protocol. Three reasoning postulates capture how a base-level commitment is discharged when its content holds, how a conditional commitment resolves into a base-level commitment when its precondition fires, and how CC is consumed when its consequent already holds. An abductive event-calculus planner (Shanahan) is then used to generate protocol runs from an initial state to a goal state, allowing agents to skip steps, reorder messages, or repair exceptions at runtime — provided every base-level commitment created during the run is eventually discharged. The result satisfies Singh’s three social-semantic desiderata: meaningful (content captured), verifiable (compliance checkable from public commitment trace), and declarative (specifies what each action achieves, not how to sequence actions).

Key Ideas

Commitment as fluent in event calculus: C(x,y,p) and CC(x,y,p,q) represented by the EC predicates Initiates, Terminates, HoldsAt, Happens, etc.
Six commitment operations (Create, Discharge, Cancel, Release, Assign, Delegate) compiled into Initiates/Terminates clauses.
Three postulates link content fluents to commitment fluents: discharging on content satisfaction, conditional-commitment resolution, and conditional consumption when consequent already true.
A protocol run is a sequence of Happens events; complete iff no base-level commitment is left holding — incomplete runs identify non-compliant agents.
Abductive planning (Shanahan) generates legal protocol runs from initial-state + goal-state descriptions, restoring autonomy/flexibility lost in FSM models.
Skipping steps and reordering (e.g. send-goods-before-accept) is supported because preconditions are over commitment state, not over a path through an FSM.
Permissions encoded via action preconditions; prohibitions encoded as commitments-not-to-bring-about.

Connections

Conceptual Contribution

Claim: Multi-agent protocols should be specified by the meaning of their actions — concretely, by how each action transforms the agents’ social commitments — rather than by legal token sequences; doing so simultaneously delivers meaningful, verifiable, and declarative semantics, and lets agents skip, reorder, or repair steps via runtime planning while still being held to their obligations.
Mechanism: Reify commitments as event-calculus fluents and define the six manipulation operations (Create/Discharge/Cancel/Release/Assign/Delegate) as Initiates/Terminates clauses; add three reasoning postulates governing base-level discharge and conditional-commitment resolution; use Shanahan’s abductive event-calculus planner to compute runs (sets of Happens clauses with a partial order) from initial states to goal states under the protocol’s preconditions; declare a run complete iff no base-level commitment is left holding, providing an objective compliance criterion.
Concepts introduced/used: Commitment, Conditional Commitment, Commitment-Based Protocol, Commitment-based Semantics, Event Calculus, Abductive Planning, Public Semantics, Verifiable Semantics, Conversation Protocols, Interaction Protocols, NetBill Protocol, Commitment Machines
Stance: formal-semantic / engineering
Relates to: Direct response to FSM- and Petri-net-based protocol traditions critiqued in ACL Rethinking Principles; supplies the operational machinery whose mentalistic counterpart (KQML/FIPA-SL) is shown unverifiable in Verifiable Semantics for ACLs. Companion to Singh’s social-agency programme and to the institutional-reality strand of Agent Communication And Institutional Reality. Conditional-commitment treatment derives from Colombetti’s earlier work and is contemporaneous with A Commitment-Based Approach to Agent Communication (Fornara & Colombetti AAMAS-02 / AAI-04), which gives a complementary object-oriented account of the same primitives (those authors note Yolum-Singh as the closest relative). Commitment-machine compilation to FSMs is the subject of the authors’ parallel ATAL-01 paper. Empire of mentalistic semantics from Intention Is Choice with Commitment is the foil — here intentions/persistence are not needed because the protocol semantics is exhausted by the public commitment trace.

Tags

Verifiable Semantics for ACLs

Verifiable Semantics for Agent Communication Languages

Reference: Michael Wooldridge (1998). ICMAS-98 (International Conference on Multi-Agent Systems). Source file: icmas98.pdf. URL

Summary

Wooldridge tackles a central problem for ACL standardization: how can an external observer verify that an agent conforms to an ACL’s semantics when semantics are expressed in modal BDI logic (beliefs, desires, intentions)? He formalizes an agent communication framework as a tuple containing agent programs, local states, a communication language, a semantic language, and interpretation functions, and defines precisely what it means for a framework to be verifiable: whether one can decide, from program text alone, that the semantic conditions for a sent message are satisfied.

He shows that KQML and FIPA-97 ACL, which define the “sincerity condition” for an inform act using multi-modal quantified logics like SL, are not practically verifiable — deciding whether an agent program really believes what it says requires checking undecidable properties. In contrast, he gives two example frameworks with verifiable (even co-NP-complete) semantics by grounding meaning in program states rather than unobservable mental attitudes. The paper’s upshot: practical ACL conformance testing requires public, state-based semantics.

Key Ideas

Formal agent communication framework as a 2n+4 tuple.
Verifiability = decidability of semantic conformance from program text.
KQML and FIPA-97 semantics (SL modal logic) are not practically verifiable.
Grounding semantics in program states yields co-NP-complete verifiability.
Motivates social/public commitment-based ACL semantics.

Connections

KQML
FIPA-ACL
Speech Act Theory
Agent Communication Languages
Verifiable Semantics
Public Semantics
Commitment-based Semantics
Mental State
Mentalistic Semantics
BDI
CBCL - Safe Self-Extending Agent Communication — O’Connor 2026: a verifiable ACL grounded in DCFL grammars and Lean-checked safety invariants, answering Wooldridge’s challenge in the LLM-agent era.

Conceptual Contribution

Claim: An ACL standard is only useful if one can check whether an implementation respects it; existing ACLs (KQML, FIPA-97) whose semantics are given in multi-modal BDI logics are not practically verifiable, so ACL semantics should instead be grounded in program states.
Mechanism: Formalises an agent communication framework as a (2n+4)-tuple of agent programs, local states, communication language L_C, semantic language L_S, and interpretations; defines verifiability as decidability (in polynomial time) of whether an agent program respects a message’s semantic precondition; shows FIPA’s SL semantics undecidable; constructs two verifiable example frameworks (classical propositional logic, grounded propositional epistemic logic) with co-NP-complete verification.
Concepts introduced/used: Verifiable Semantics, Agent Communication Framework, Sincerity Condition, Grounded Semantics, Program Semantics, Model Checking, BDI Logic, Mentalistic Semantics
Stance: formal-semantic / critique
Relates to: Formal companion to ACL Rethinking Principles — Singh’s social-agency argument becomes Wooldridge’s verifiability theorem. Undermines the semantic ambitions of KQML Overview and FIPA-ACL; motivates commitment-based approaches such as Agent Communication And Institutional Reality and the program-grounded framework in Foundations Of Illocutionary Logic.

Tags

ACL Rethinking Principles

Agent Communication Languages: Rethinking the Principles

Reference: Munindar P. Singh (1998). IEEE Computer, December 1998, pp. 40-47. Source file: computer-acl-98.pdf. URL

Summary

Singh surveys the state of Agent Communication Languages (ACLs) such as KQML and FIPA/Arcol, and argues that their dominant mental-agency semantics (defining communicative acts in terms of beliefs and intentions) is conceptually unsatisfying and practically untestable because we cannot read agents’ minds. He proposes a conceptual shift to social agency: ACL semantics should be grounded in a public perspective on commitments, roles, and societies, so compliance with the standard is observable and testable.

The paper maps the ACL design space along two critical dimensions — meaning (perspective, type, basis, context, coverage of communicative acts) and agent construction (design vs. execution autonomy) — and shows how both KQML and Arcol emphasize private, mental-state semantics and thus fail to enable true heterogeneous interoperation. Singh’s alternative emphasizes protocols, roles, and “society management” infrastructure as a richer public substrate for ACLs.

Key Ideas

Mental-agency ACL semantics (KQML, Arcol, early FIPA) cannot be verified without inspecting agent internals.
ACLs need a public perspective, conventional meaning, pragmatics, and full coverage of communicative act categories.
Seven categories of communicative acts: assertives, directives, commissives, permissives, prohibitives, declaratives, expressives.
Social agency replaces BDI with commitments, roles, and societies as the semantic basis.
Dialects/idiolects arise when only private perspectives are considered.

Connections

FIPA-ACL
FIPA-ACL Specifications
KQML
Speech Act Theory
Agent Communication Languages
Multi-Agent Systems
Communicative Actions for Artificial Agents - Cohen Levesque — the Mentalistic Semantics high-water mark Singh is critiquing
An Ontology for Commitments in Multiagent Systems - Singh — Singh’s own formal sequel: the four-place commitment ontology
Commitment Machines - Yolum and Singh
A Commitment-Based Approach to Agent Communication
Articulating Reasons - Brandom — the philosophical underwriting of public, commitment-based semantics
Making It Explicit - Brandom
Jones-Sergot Normative Systems — Counts-As Relation for institutional grounding of commitments
CBCL - Safe Self-Extending Agent Communication — O’Connor 2026: contemporary realisation of Singh’s social-agency programme (dialect installation as public commitment) in a Lean-verified LangSec-grounded ACL.

Conceptual Contribution

Claim: Agent Communication Language semantics must abandon mental agency (beliefs/intentions) and be grounded in a public, social perspective (commitments, roles, societies) in order to be testable and support heterogeneous interoperation.
Mechanism: Surveys KQML, Arcol, FIPA; lays out a two-dimensional design space (meaning × agent construction); shows that mental-state semantics cannot determine compliance; proposes social-agency framework using protocols, roles, and “society management” infrastructure.
Concepts introduced/used: Mentalistic Semantics, Public Semantics, Social Agency, Commitments, Communicative Acts, Verifiable Semantics, Interoperability, Dialects and Idiolects
Stance: critique / foundational
Relates to: Direct antecedent to Verifiable Semantics for ACLs (Wooldridge) which formalises the verification problem Singh names. Sharpens the critique of the mentalistic approach underlying KQML Overview and FIPA-ACL, and motivates commitment-based frameworks such as Agent Communication And Institutional Reality.

Tags

PKI Layer Cake - Kaminsky Patterson Sassaman

PKI Layer Cake: New Collision Attacks Against the Global X.509 Infrastructure

Reference: Dan Kaminsky, Meredith L. Patterson, and Len Sassaman (2009). Black Hat USA / IOActive technical report. Source file: 1299769.pdf. URL

Summary

Presents several new classes of attacks against the X.509 certificate infrastructure: MD2 preimage exploitation of VeriSign’s still-trusted root, PKCS#10 Subject Name confusion attacks exploiting inconsistent ASN.1 BER parsing between CAs and browsers (multiple CNs, OID leading-zero padding, integer overflow, early null terminators), SQL injection through PKCS#10 subject names, generic SSL client-authentication bypasses, and EV-certificate hijacking via mixed script content.

The paper is largely a case study in how ambiguity at the interface between components — in parsers, in semantics of fields like Common Name, in trust-store EKU handling — turns into exploitable security pathologies. It is of interest to agent-communication research as a cautionary tale about shared-format ambiguity between senders and receivers.

Key Ideas

ASN.1 BER is context-sensitive and handwritten parsers disagree subtly
Subject Name parsing varies across OpenSSL, NSS, CryptoAPI — attacker exploits the gap
MD2 preimage attack enables signature transfer to forged intermediate CA
“Sender-receiver parsing disagreement” as a general attack pattern
Postel’s robustness principle considered harmful for security-critical parsing

Connections

Making Smart Contracts Smarter
Agent Communication Languages
Parser Differential Attack
CBCL - Safe Self-Extending Agent Communication — applies the parser-differential lesson at the message-layer of agent communication; DCFL grammars are class-level unambiguous.

Conceptual Contribution

Claim: The global X.509 PKI is vulnerable not only because of weak hashes (MD2/MD5) but because layered, ambiguously-specified parsers (ASN.1 BER, PKCS#10, Subject Name handling) disagree about what a certificate says — an inter-layer semantic gap exploitable by attackers.
Mechanism: Demonstrate concrete attacks: MD2RSA signature transfer from Verisign’s root, Subject Name Confusion via implementation-dependent CN-selection policies, PKCS#10-tunneled SQL/ASN.1 injection, OID leading-zero/integer-overflow tricks, null-terminator CN spoofing, SSL Client Authentication EKU bypass, and EV hijacking via mixed-trust scripting.
Concepts introduced/used: Parser Differential, Parser Differentials, X.509 PKI, ASN.1 BER Ambiguity, Certificate Authorities, Protocol Layering Attacks, Distributed Security, LangSec, Language-theoretic Security, Postel’s Robustness Principle
Stance: empirical / security-critique
Relates to: Canonical case study for Distributed Security and a prime example of why A Language-Based Approach To Prevent DDoS-style disciplined parsing matters. The ambiguity of ASN.1 BER mirrors the semantic-drift concerns in agent communication languages (A Common Ontology Of ACLs, ACL Rethinking Principles) — when two parties disagree about message meaning, security or coordination fails.

Tags

Exploit Programming - From Buffer Overflows To Weird Machines

Exploit Programming: From Buffer Overflows to “Weird Machines” and Theory of Computation

Reference: Bratus, Locasto, Patterson, Sassaman, Shubina (2011). ;login: The USENIX Magazine, Vol. 36, No. 6 (December 2011). Source file: Bratus.pdf. URL

Summary

This influential ;login: article reframes exploitation research as a discipline of computation theory. The authors trace the evolution from simple stack-smashing (Aleph One) through return-to-libc, return-oriented programming, heap feng shui, and format string exploits, and argue that every such technique amounts to identifying and programming a “weird machine” latent inside a target: an unintended computational model realized by crafted inputs that drive the target’s own code into performing computations its designers never intended.

The essay is dedicated to Len Sassaman and is both a memorial and a manifesto. It argues that “attack papers,” often dismissed as intellectually marginal, are in fact constructive proofs that a target contains a stronger automaton than its designers believed, and thereby exposes incorrect assumptions about the computational nature of the system. Exploitation, in this view, comes full circle to the foundational questions of Church and Turing (“what can a given machine compute?”) and deserves treatment as a rigorous subdiscipline unifying hacker practice with language-theoretic and computation-theoretic analysis.

Key Ideas

Exploits are programs for weird machines instantiated inside a target.
Evolution: stack smashing -> return-to-libc -> ROP -> heap feng shui -> format strings.
“Weird instructions” as attacker-programmable primitives borrowed from target code (strcpy+RET, malloc bookkeeping, printf %n).
Attack papers as constructive proofs of unintended computational power.
Exploitation research as empirical computability theory: “what can this machine actually compute?”
Language- and computation-theoretic methods can redefine weaknesses previously overlooked.
Call to unify hacker craft with academic theory of computation.

Connections

Weird Machine
LangSec
Security Applications Of Formal Language Theory
Shotgun Parsing
Distributed Security
CBCL - Safe Self-Extending Agent Communication — agent-communication ACL designed to preclude weird machines at the parser/expander layer by constraining input to DCFL.

Conceptual Contribution

Claim: Exploitation is the empirical study of unintended computational models (“weird machines”) inside real systems, and brings security research back to the Church-Turing questions of what a given machine can compute.
Mechanism: Reconstructs the history of memory-corruption exploitation as a progression of increasingly general ways to program target-internal weird machines using crafted input data as instructions borrowed from the target’s own code and data-interpretation loops; reinterprets attack papers as constructive proofs presenting a computationally stronger automaton than expected.
Concepts introduced/used: Weird Machine, Exploit Programming, Return-Oriented Programming, Computability, LangSec, Attack Papers
Stance: foundational
Relates to: Companion essay to Security Applications Of Formal Language Theory by the same authors; provides the conceptual vocabulary (Weird Machine) invoked throughout LangSec and pertinent to Agent Security and LLM Agents where crafted prompts or tool inputs similarly instantiate unintended computation (Prompt Injection, Tool Use).

Tags

Security Applications Of Formal Language Theory

Security Applications of Formal Language Theory

Reference: Sassaman, Patterson, Bratus, Locasto, Shubina (2011). Dartmouth College Computer Science Technical Report TR2011-709. Source file: Security Applications of Formal Language Theory.pdf. URL

Summary

This is the foundational LangSec technical report: a sustained argument that the hardest unsolved problems of secure composition (unsafe input handling, mutually intelligible but divergent message interpretations between components) are consequences of ignoring formal language theory in protocol and software design. The authors connect everyday security failures to decidability results: if a protocol’s input language requires recognizers more powerful than necessary (or worse, undecidable), then safely accepting inputs and ensuring identical interpretation across endpoints become theoretically unachievable, producing an endless stream of 0-days that no amount of patching can stop.

Part I develops the formalism, situates exploitation as a constructive proof of unintended computation (“weird machines”), introduces the parse tree differential attack as a systematic technique for finding interpretation mismatches, and applies the framework to SQL validation, PKCS#1 (proven context-sensitive), X.509, ASN.1, and IDS/IPS composition failures. Part II distills the analysis into accessible design principles for protocol designers, developers, and auditors.

The core prescription: keep input languages at the lowest Chomsky level that suffices, build recognizers that fully validate input before any processing, never mix recognition with action (“shotgun parsing”), and ensure identical parsers across endpoints to prevent parser differentials.

Key Ideas

Composition is the primary engineering means and the primary security challenge.
Safely accepting inputs and identically interpreting messages across endpoints are both fundamentally language-theoretic problems.
Undecidable/overpowered input languages yield unfixable vulnerability classes.
Parse tree differential attack: exploiting divergence between implementations of the “same” language.
Weird machines as constructive proofs of unintended computation.
PKCS#1 proven context-sensitive (not regular, not context-free).
Design principles: minimize language power, full recognition before processing, identical parsers at all endpoints, no shotgun parsing.
Critique of “good enough” (80/20) solutions to undecidable problems.

Connections

LangSec
Shotgun Parsing
Weird Machine
Parser Differential
Chomsky Hierarchy
Distributed Security
CBCL - Safe Self-Extending Agent Communication — first ACL designed from these LangSec principles; constrains all messages (including runtime extensions) to DCFL.

Conceptual Contribution

Claim: Insecurity at protocol and component boundaries is a language-theoretic phenomenon: when input languages exceed what recognizers can safely decide, secure composition is impossible, and the resulting vulnerabilities are not bugs but inevitable consequences of design choices.
Mechanism: Analyzes inputs as formal languages; classifies protocols by Chomsky level; shows that context-sensitive or undecidable languages force ad-hoc parsers whose implementation differences enable parse tree differential attacks; demonstrates weird machines as constructive proofs; prescribes minimal-power input languages, full recognition before processing, and identical recognizers at endpoints.
Concepts introduced/used: LangSec, Chomsky Hierarchy, Parser Differential, Shotgun Parsing, Weird Machine, Input Validation, Protocol Design, Distributed Security
Stance: foundational
Relates to: The canonical reference underlying LangSec and Shotgun Parsing in this vault; the theoretical substrate for A Language-Based Approach To Prevent DDoS and for applying parser-theoretic discipline to ACL design (ACL Design Principles, ACL Verifiability) and to Agent Security concerns around message interpretation in LLM Agents and Tool Use settings.

Common Business Communication Language

The Common Business Communication Language

Reference: John McCarthy (1975/1982, revised 1998/1999). Stanford CS Department. Source file: cbcl2.pdf. URL

Summary

McCarthy’s 1975 memo (revived in 1998 with footnotes anticipating XML and electronic commerce) sketches a Common Business Communication Language (CBCL) allowing computers from different organizations to exchange business messages - requests for quotations, offers, order status, delivery queries - without pre-arranged bilateral formats. The paper enumerates requirements: open-endedness, pre-existing compatibility, independence of internal data formats, and ability to fall back to human-readable form when a receiver does not understand a new message.

He proposes messages as nested parenthesized lists (a Lisp-like syntax McCarthy argues is isomorphic to but simpler than XML), adjectival modifiers (ADJECTIVE FOO YELLOW), and Russell description operators for referring expressions. The essay prefigures KQML-style performatives and electronic data interchange, and closes with 1998 advice to XML, W3C, and ICE on extensibility, Lisp-style syntax, and standard time formats.

Key Ideas

Inter-organizational computer communication without pre-arranged formats.
Lisp-style S-expression syntax isomorphic to but simpler than XML.
Adjectival modifiers (ADJECTIVE x y as a kind of y) for partial understanding.
Non-monotonic reasoning required for natural-language-like expressivity.
Proto-KQML vision of semantic business messaging.

Connections

KQML
Agent Communication Languages
Three Models For The Description Of Language
Ontologies
Elephant 2000 - A Programming Language Based on Speech Acts — companion McCarthy proposal; CBCL messages are the inter-organisational counterpart of Elephant’s intra-program speech acts.
First Order Theories of Individual Concepts and Propositions — supplies the sense/denotation machinery CBCL tacitly relies on for descriptions.
Circumscription - A Form of Nonmonotonic Reasoning — the non-monotonic reading of ADJECTIVE and partial-understanding fallback rests on circumscription-style defaults.
Ascribing Mental Qualities to Machines
CBCL - Safe Self-Extending Agent Communication — O’Connor 2026 (LangSec ’26): Lean-verified contemporary realisation of this proposal.

Conceptual Contribution

Claim: Organisations should exchange business messages in a common, open-ended language without pre-arranged bilateral formats; partial understanding must degrade gracefully to human-readable fallback.
Mechanism: Lisp-style S-expression messages (isomorphic to but simpler than XML), adjectival modifiers (ADJECTIVE x y) for partial-match semantics, Russell description operators for referring expressions, non-monotonic reasoning for NL-like expressivity; 1998 footnotes advise XML/W3C/ICE communities.
Concepts introduced/used: Common Business Communication Language, S-expressions, EDI, Non-monotonic Reasoning, Adjectival Modifiers, Agent Communication Languages, Ontologies, Performatives, Speech Act Theory, KQML
Stance: foundational
Relates to: Anticipates the performative-based vision of KQML Language And Protocol and the open discovery ambitions of Agent Network Protocol / Survey Of Agent Interoperability Protocols; its syntactic minimalism resonates with REST’s uniform interface in Principled Design Of The Modern Web Architecture.

Tags

hence

A defeasible-logic meta-control planner for coordinating multi-agent LLM task workflows, authored by Hugo O’Connor. hence lets an orchestrator describe a plan as a set of tasks with dependencies, defeasible rules, and queryable progress state; LLM agents pick up unblocked work, report results, and the planner re-derives what’s next. Used in the development workflow behind CBCL - Safe Self-Extending Agent Communication (the codebase’s .hence/ directory holds architecture decision records and purity-boundary maps) and disclosed as the agent-orchestration layer in that paper’s AI-disclosure section.

In this vault

CBCL - Safe Self-Extending Agent Communication

Nostr

“Notes and Other Stuff Transmitted by Relays” — a decentralised protocol for cryptographically signed messages distributed over a mesh of public WebSocket relays, originally designed by fiatjaf for censorship-resistant social messaging. Each event carries an Ed25519 (secp256k1 schnorr) signature and a typed kind, and any relay can be queried or written to without permission; clients subscribe to filters across multiple relays. The protocol’s neutrality on payload semantics makes it a natural transport for agent communication: CBCL - Safe Self-Extending Agent Communication ships a cbcl-nostr transport binding, using Nostr relays for dialect propagation and Lightning Network micropayments for resource accounting.

In this vault

Canonical Serialization

A serialization scheme that maps each abstract value to a unique byte representation — a precondition for deterministic content addressing, signature verification, and Merkle-DAG construction. Canonical S-expressions (Rivest 1997, formalised in RFC 9804) use length-prefixed verbatim atoms and a fixed list syntax to eliminate whitespace, escaping, and atom-form variation. CBCL - Safe Self-Extending Agent Communication uses RFC 9804 canonical S-expressions for dialect signing, content-hash dialect identity, and the causal Merkle DAG that R5 protocol contracts traverse. Without canonicalisation, a single dialect could have multiple valid byte forms, breaking signature verification and admitting downgrade attacks.

In this vault

Gossip Protocols

Epidemic information dissemination and aggregation in distributed systems.

Sources

Weird Machine

Unintended computational automaton exposed when a program processes invalid or crafted inputs — the substrate of most exploits.

In this vault

Parser Differential Attack

Exploitation strategy in which two implementations of the same input grammar produce different parse trees for the same input — typically because the grammar is ambiguous or the spec underdetermines edge cases — letting an attacker bypass one validator while triggering execution in another. Demonstrated dramatically against X.509 PKI by Kaminsky, Patterson and Sassaman (PKI Layer Cake - Kaminsky Patterson Sassaman), where parser-differential certificates allowed name-spoofing attacks. The class-level fix recommended by LangSec is to design protocol input languages within the Deterministic Context-Free Language class, whose grammars are class-level unambiguous: every conformant parser must produce the same parse tree for every input, eliminating differentials at the grammar layer. CBCL - Safe Self-Extending Agent Communication applies this principle to agent communication; remaining implementation-level divergences (e.g. Unicode handling) are mitigated by canonical serialization.

In this vault

Property-Based Testing

Testing methodology in which assertions are written as universally quantified properties (e.g. “for all inputs x, parse(serialize(x)) = x”) and a framework generates randomised inputs to falsify them. Originating with Claessen and Hughes’s QuickCheck for Haskell (2000) and now ubiquitous (proptest for Rust, Hypothesis for Python). Particularly valuable in protocol-design and parser engineering, where property tests sit between unit tests (concrete examples) and machine-checked proofs (universal but expensive). CBCL - Safe Self-Extending Agent Communication uses proptest for round-trip and constraint properties as a complement to its Lean 4 proofs.

In this vault

CBCL - Safe Self-Extending Agent Communication

Lean 4

de Moura and Ullrich’s dependently-typed proof assistant and functional programming language; a rewrite of Lean 3 with macro-based metaprogramming, an efficient compiler, and a self-hosted toolchain. Lean 4 is used both for mathematical formalisation (the mathlib library) and for verified-software engineering: theorems about a model can be discharged interactively, and code can be extracted from definitions to runnable programs whose behaviour matches the proven specification. CBCL - Safe Self-Extending Agent Communication is formalised in Lean 4 (≈5,400 lines, 380+ declarations across 19 files post-paper, zero sorry gaps, only the standard axioms propext / Classical.choice / Quot.sound); the verified parser binary cbcl-parse is extracted from those proofs.

In this vault

CBCL - Safe Self-Extending Agent Communication

Ontological Commitment

An agreement by an agent to use a shared vocabulary and conceptualisation consistently when communicating about a domain. Gruber’s formulation grounds ontology sharing without requiring identical internal representations.

In this vault

Adjectival Modifiers

Syntactic constructs that qualify or restrict the meaning of a noun phrase or message term. In business communication languages they attach qualifiers (e.g., urgency, confidentiality) to primitive message content.

In this vault

Common Business Communication Language

Verifiable Semantics

ACL semantics whose conformance can be checked against observable agent program state — the key demand behind moving from mentalistic to public semantics.

In this vault

Public Semantics

ACL semantics grounded in externally observable facts (commitments, roles, institutional state) rather than private mental state.

In this vault

ACL Rethinking Principles
Agent Communication And Institutional Reality
Commitment-based Semantics
Mentalistic Semantics
CBCL - Safe Self-Extending Agent Communication — dialect installation as a public commitment

Commitment-based Semantics

Approach that grounds ACL message meaning in public social commitments rather than private mental states — making conformance verifiable.

In this vault

ACL Rethinking Principles
Agent Communication Languages - Rethinking the Principles
Agent Communication And Institutional Reality
A Common Ontology Of ACLs
Public Semantics
Mentalistic Semantics
Flexible Protocol Specification and Execution
A Commitment-Based Approach to Agent Communication
CBCL - Safe Self-Extending Agent Communication — modern LangSec-grounded ACL inheriting Singh’s social-agency programme; dialect installation as public commitment

Metaphrase

Standish’s category of extensibility where programmers add new meanings via interpretation changes — the hardest and least delivered.

In this vault

Orthophrase

Standish’s category: extending a language with genuinely new primitive constructs — requires compiler-writer skill.

In this vault

Paraphrase

Standish’s category: defining new constructs in terms of existing ones (essentially macros) — the only extensibility actually delivered at scale.

In this vault

Self-Expression

In the ASCENS taxonomy (Zambonelli et al.), the dimension of self-* behaviour concerned with how an ensemble structurally reorganises its coordination — topology, interaction protocol, role distribution — distinct from self-adaptation’s behavioural tuning.

In this vault

Performatives

Austin/Searle speech-act tags (inform, request, promise, declare, …) that name the illocutionary force of a message.

In this vault

Foundations Of Illocutionary Logic
KQML
FIPA-ACL
Speech Act Theory
CBCL - Safe Self-Extending Agent Communication — eight-performative DCFL-bounded core with formally-safe runtime extension

Dialects and Idiolects

In ACL practice, dialects are community-level variants of a language (e.g. a KQML profile used by a particular project), while idiolects are single-agent idiosyncrasies. Rethinking ACL principles argues both must be accommodated rather than forbidden, since they arise inevitably from open deployment.

In this vault

S-expression

Lisp’s symbolic expression: either an atom or a parenthesised list of S-expressions. McCarthy’s choice to make code and data share this representation is the root of Lisp’s metaprogramming power.

In this vault

Homoiconicity

Property of a language where program text has the same structure as the data it manipulates, so programs can read, transform, and emit programs as naturally as data.

In this vault

LangSec

Language-theoretic Security

Research programme treating input-handling bugs as recognition-theoretic failures: minimise input-language power and build validating recognisers.

In this vault

The Halting Problems of Network Stack Insecurity
Seven Turrets Of Babel
PKI Layer Cake - Kaminsky Patterson Sassaman
Parser Differential
Distributed Security
Security Applications Of Formal Language Theory
Exploit Programming - From Buffer Overflows To Weird Machines
CBCL - Safe Self-Extending Agent Communication — first ACL designed from LangSec principles
Deterministic Context-Free Language
Parser Differential Attack

Deterministic Context-Free Language

The class of languages recognised by deterministic pushdown automata — equivalently, those generated by LR(k) grammars. DCFL is the minimal class above regular that supports nested structure (parentheses, envelopes, scoped sub-grammars) while guaranteeing parser equivalence: every conformant implementation produces exactly one parse tree for every input. General context-free grammars admit ambiguity and therefore parser-differential attacks; DCFLs do not. DCFL is the LangSec-recommended target class for protocol input languages: validity is decidable in linear time, recognisers are total, and the class is rich enough for nested message envelopes. DCFLs are not closed under union in general — a property that has to be sidestepped (e.g. by prefix-free dispatch tags) when designing self-extending protocols like CBCL - Safe Self-Extending Agent Communication.

In this vault

Gossip-based Aggregation in Large Dynamic Networks

Reference: Márk Jelasity, Alberto Montresor, Ozalp Babaoglu (2005). ACM Transactions on Computer Systems, Vol. 23, No. 3, pp. 219-252. Source file: gossip.pdf. URL

Summary

The paper presents a proactive, gossip-based protocol for continuously computing aggregate functions (averages, sums, counts, variances, network size, extremal values) over huge dynamic networks such as P2P and grid systems. Each node periodically picks a random neighbor and performs a push-pull exchange; pairwise averaging drives the variance of estimates to zero at a geometric rate while preserving the global mean (“mass conservation”). All nodes thus converge to the correct aggregate and adaptively track changes over time.

Beyond core averaging, the authors show how to compute more complex aggregates (variance, network size via a single seed) and evaluate robustness under node churn and message loss, including a PlanetLab deployment. The protocol is attractive because it is simple, scalable, lightweight, and requires no centralized infrastructure — only a peer-sampling service.

Key Ideas

Push-pull averaging: w_p, w_q ← (w_p + w_q)/2 drives variance to zero exponentially.
Mass conservation preserves global sum so global average remains unchanged.
Reactive vs. proactive aggregation; this work targets proactive, always-on aggregates.
Robustness to dynamism, churn, and message loss.
Underlying assumption: a peer-sampling service supplies uniform random neighbors.

Connections

Gossip Protocols
Self-Adaptive Systems
Multi-Agent Systems
CALM Theorem — push-pull averaging is monotonic, hence coordination-free
Keeping CALM - When Distributed Consistency is Easy

Conceptual Contribution

Claim: A simple push-pull averaging gossip protocol — paired with a peer-sampling service — provides proactive, continuously-updated aggregates (average, sum, count, variance, network size, extrema) at large scale with geometric-rate convergence and robustness to churn and message loss.
Mechanism: Each node periodically picks a random neighbour via getNeighbor(), exchanges local estimate, and replaces both with their average; variance analysis as iterative reduction gives convergence factor independent of network size; adaptive restart mechanism handles dynamism; PlanetLab deployment validates the theory.
Concepts introduced/used: Push-Pull Gossip, Proactive Aggregation, Peer Sampling Service, Variance Reduction, Mass Conservation, Convergence Factor, Adaptive Protocols
Stance: engineering / empirical with formal analysis
Relates to: Practical complement to the theoretical Gossip-Based Computation of Aggregate Information (Push-Sum); cited as a canonical aggregation example in Gossiping in Distributed Systems; the peer-sampling substrate it assumes is the same used by Myconet Fungi Inspired Superpeer Overlay and other bio-inspired overlays.

Tags

Gossiping in Distributed Systems

Reference: Anne-Marie Kermarrec, Maarten van Steen (2007). ACM SIGOPS Operating Systems Review, Vol. 41, No. 5. Source file: Gossiping_in_distributed_systems.pdf. URL

Summary

This tutorial surveys the “gossip revival” in distributed systems, providing a unifying framework for reasoning about the broad space of gossip-based protocols now used far beyond their original role as epidemic reliable multicast. The authors organize gossip protocols by three crucial parameters: peer selection (who to talk to), data exchanged (what to send), and data processing (what to do with what arrives); varying these three gives rise to dissemination, peer sampling, aggregation, overlay/topology construction, resource monitoring, and slicing protocols.

They illustrate each axis with canonical examples — Lpbcast and Newscast for membership, Push-Sum and T-Man for aggregation and overlay construction, Astrolabe for monitoring — and highlight why gossip’s randomized, local-only interactions produce emergent convergent global behavior with exceptional robustness to churn and failures. The paper emphasizes gossip’s use in convergent, not just divergent (epidemic) behaviors.

Key Ideas

Three-parameter gossip framework: peer selection, data exchanged, data processing.
Applications: dissemination, peer sampling, aggregation, topology construction, monitoring, slicing.
Convergent behavior from local random pairwise exchanges.
Peer sampling service is the common substrate most gossip protocols assume.
Robustness through probabilistic redundancy and randomization.

Connections

Conceptual Contribution

Claim: The sprawling family of gossip-based algorithms can be unified as a three-parameter design space — peer selection, data exchanged, data processing — and the same substrate supports not just epidemic dissemination but convergent behaviours including aggregation, overlay construction, and monitoring.
Mechanism: Presents a generic active/passive-thread gossip skeleton; classifies protocols along the three parameters with canonical instances (Lpbcast, Newscast, Cyclon, T-Man, Push-Sum, Astrolabe, GEMS); highlights how peer-sampling acts as the common foundational service enabling higher-level applications.
Concepts introduced/used: Gossip Framework, Peer Selection, Data Exchange, Data Processing, Peer Sampling Service, Convergent Gossip, Epidemic Dissemination, Overlay Construction
Stance: survey
Relates to: Provides the taxonomy that situates Gossip-based Aggregation in Large Dynamic Networks (aggregation), Gossip-Based Computation of Aggregate Information (Push-Sum), Myconet Fungi Inspired Superpeer Overlay (topology construction), and the gossip-training mode surveyed in Edge Intelligence Survey. Anchor for Gossip Protocols hub.

Tags

Why Do Multi-Agent LLM Systems Fail

Why Do Multi-Agent LLM Systems Fail?

Reference: Mert Cemri, Melissa Z. Pan, Shuyi Yang, Lakshya A. Agrawal, Bhavya Chopra, Rishabh Tiwari, Kurt Keutzer, Aditya Parameswaran, Dan Klein, Kannan Ramchandran, Matei Zaharia, Joseph E. Gonzalez, Ion Stoica (2025). arXiv:2503.13657v2 (UC Berkeley). Source file: 2503.13657v2.pdf. URL

Summary

First empirically grounded taxonomy of failure modes in Multi-Agent LLM Systems (MAS). The authors analyse 200+ execution traces from seven popular MAS frameworks (MetaGPT, ChatDev, HyperAgent, AppWorld, AG2, Magentic-One, OpenManus), annotated by six human experts via grounded theory and reaching Cohen’s κ ≈ 0.88, and distil 14 fine-grained failure modes grouped into three categories: Specification Issues (42%), Inter-Agent Misalignment (37%), and Task Verification (21%).

They release MAST (Multi-Agent System failure Taxonomy), a validated LLM-as-judge pipeline for automated failure diagnosis, and two intervention case studies showing that architectural/prompt fixes inspired by MAST improve success rates modestly — demonstrating that MAS failures are system-design problems, not merely model-capability problems.

Key Ideas

Three failure categories: specification, inter-agent misalignment, verification
14 fine-grained failure modes including step repetition, information withholding, task derailment
Grounded-theory methodology with rigorous inter-annotator agreement (κ=0.88)
LLM-as-judge pipeline (MAST) achieves κ=0.77 vs humans for scalable evaluation
Insight: better specifications and verification beat bigger models

Connections

Conceptual Contribution

Claim: Multi-Agent LLM System (MAS) failures are predominantly system-design problems — specification, coordination, and verification — rather than base-model capability problems; and these failures have an empirically discoverable, reproducible taxonomy.
Mechanism: Grounded-theory analysis of 200+ execution traces across seven MAS frameworks (MetaGPT, ChatDev, HyperAgent, AppWorld, AG2, Magentic-One, OpenManus) with six human expert annotators; iterative refinement to Cohen’s κ≈0.88; yield the 14-mode MAST taxonomy grouped into Specification Issues (42%), Inter-Agent Misalignment (37%), Task Verification (21%); validate an LLM-as-judge annotator (κ≈0.77); intervention case studies showing prompt/architecture fixes provide only modest gains, motivating deeper redesign.
Concepts introduced/used: MAST Taxonomy, Grounded Theory, Inter-Agent Misalignment, LLM-as-judge, Specification Issues, Task Verification, Multi-Agent Systems, LLM Agents, Cohen’s Kappa, Standard Operating Procedures (SOPs)
Stance: empirical / evaluative
Relates to: Supplies empirical grounding for the design-quality concerns in Agents Framework - Zhou et al (SOPs attempt to mitigate FC1 specification issues) and Multi-Agent Collaboration in AI - Wasif Tunkel. Inter-agent misalignment mirrors the formal pathologies in Are Multiagent Systems Resilient to Communication Failures. Motivates richer communication protocols like A Scalable Communication Protocol for Networks of LLMs and commitment-style ACLs (ACL Rethinking Principles).

Tags

Why AI Agents Communicate In Human Language

Why do AI agents communicate in human language?

Reference: Zhou, Feng, Julaiti, Yang (2025). arXiv:2506.02739. Source file: 2506.02739v1.pdf. URL

Summary

The authors argue that natural language, inherited from single-agent LLM pretraining, is fundamentally misaligned with the needs of multi-agent coordination. Because LLMs are trained to maximize likelihood over discrete token sequences, their internal representations are high-dimensional and continuous, but their outputs are forced into a sparse, ambiguous, non-differentiable symbolic form that loses information when used as an inter-agent channel.

They formalize this as a semantic misalignment problem: cascading encode/decode cycles across agents accumulate lossy projection errors and prevent gradient flow. The paper calls for a new multi-agent modeling paradigm where agents coordinate via structured, learnable representations shaped by role persistence, state tracking, and explicit coordination graphs, rather than free-form natural-language dialogue.

Key Ideas

Natural language is a lossy, non-differentiable projection of LLM hidden states.
Cascading communication rounds accumulate semantic error.
Protocol-induced misbehavior: naive-literal interpretation and action-state decoupling.
Advocates structured message schemas, role-consistent embeddings, coordination graphs.
Critique of AutoGen, MetaGPT, CAMEL-style NL-based multi-agent frameworks.

Connections

Agent Communication Languages
Multi-Agent Systems
LLM Agents
Ripple Effect Protocol
CBCL - Safe Self-Extending Agent Communication — structural alternative to free-form NL: a DCFL-bounded ACL whose grammar makes coordination semantics explicit and parser-equivalent across implementations.

Conceptual Contribution

Claim: Natural language is an accidental, lossy, non-differentiable channel for inter-LLM Agents coordination; multi-agent AI needs a purpose-built representational substrate.
Mechanism: Formalises repeated encode/decode cycles as error-accumulating projections from continuous hidden states to sparse tokens; diagnoses “protocol-induced misbehavior” (naive-literal reading, action-state decoupling); prescribes structured schemas, role-consistent embeddings, and explicit coordination graphs.
Concepts introduced/used: Semantic Misalignment, Emergent Communication, Coordination Graphs, Multi-Agent Systems, LLM Agents, Agent Communication Languages, Differentiable Protocols
Stance: critique
Relates to: Provides the theoretical motivation that Ripple Effect Protocol and Levels Of Social Orchestration operationalise; contrasts with the symbolic, performative-centric designs of KQML and FIPA-ACL by rejecting symbolic channels entirely.

Tags

Survey Of Agent Interoperability Protocols

A Survey of Agent Interoperability Protocols: MCP, ACP, A2A, and ANP

Reference: Ehtesham, Singh, Gupta, Kumar (2025). arXiv:2505.02279. Source file: 2505.02279v1.pdf. URL

Summary

This survey examines four emerging agent communication protocols targeting different interoperability tiers: the Model Context Protocol (MCP) for JSON-RPC tool invocation and context delivery; the Agent Communication Protocol (ACP) for REST-native multi-part performative messaging; the Agent-to-Agent Protocol (A2A) for peer-to-peer Agent-Card-based task outsourcing; and the Agent Network Protocol (ANP) for decentralized discovery using DIDs and JSON-LD.

The authors contrast architectures, discovery mechanisms, security models, and communication patterns, then recommend a phased adoption roadmap (MCP for tool access, then ACP for messaging, A2A for collaborative execution, ANP for open marketplaces). A timeline traces ancestry from KQML (1993) and FIPA-ACL (2000) through RAG, ReAct, function-calling up to modern agent protocols.

Key Ideas

Phased adoption roadmap: MCP -> ACP -> A2A -> ANP.
MCP core primitives: Tools, Resources, Prompts, Sampling under JSON-RPC 2.0.
A2A introduces Agent Cards, Tasks, Artifacts for enterprise-scale delegation.
ANP uses DIDs and JSON-LD for decentralized, internet-scale agent discovery.
Security threats tabulated across creation/operation/update lifecycle phases.

Connections

Conceptual Contribution

Claim: Modern agent interoperability is best understood as a four-tier stack (MCP for tools, ACP for messaging, A2A for delegation, ANP for open discovery) and should be adopted in that phased order.
Mechanism: Structured comparison of architectures, discovery, security, and message patterns; historical timeline rooting each protocol in KQML/FIPA-ACL ancestry; lifecycle threat table.
Concepts introduced/used: Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, Agent Communication Protocol, KQML, FIPA-ACL, Agent Cards, Decentralized Identifiers, JSON-RPC, Tool Use, LLM Agents
Stance: survey
Relates to: Complements the broader Survey Of AI Agent Protocols with a narrower, adoption-oriented roadmap. Its security-threat lifecycle connects directly to AI Agents Under Threat and MalTool Malicious Tool Attacks.

Tags

Survey Of AI Agent Protocols

A Survey of AI Agent Protocols

Reference: Yang, Chai, Song, Qi, Wen, Li, Liao, Hu, Lin, Chang, Liu, Wen, Yu, Zhang (2025). arXiv:2504.16736. Source file: 2504.16736v2.pdf. URL

Summary

This survey offers the first comprehensive classification and analysis of emerging AI agent protocols for LLM-based agents. The authors propose a two-dimensional taxonomy: (object orientation) context-oriented vs inter-agent protocols, and (application scenario) general-purpose vs domain-specific, covering MCP, A2A, ANP, ACP, Agora, LMOS, agents.json, LOKA, PXP, CrowdES, and others.

The paper then evaluates these protocols across efficiency, scalability, security, reliability, extensibility, operability, and interoperability, and sketches a forward-looking agenda: protocols should evolve from static to adaptive, from rules to ecosystems, and from mere communication to collective intelligence infrastructure.

Key Ideas

Two-dimensional taxonomy of agent protocols (object orientation x application scenario).
MCP as a universal context-oriented protocol with Host/Client/Server/Resource roles.
Inter-agent layer splits into general-purpose (A2A, ANP, AITP, ACP, Agora) and domain-specific (robot, human-computer, system).
Evaluation across 7 axes; case studies of MCP, A2A, ANP, Agora.
Next-generation protocols need adaptability, privacy preservation, group interaction.

Connections

Conceptual Contribution

Claim: The zoo of emerging LLM Agents protocols can be organised along two orthogonal axes (context-oriented vs inter-agent; general-purpose vs domain-specific), and evaluated on a shared seven-axis rubric.
Mechanism: Builds a taxonomy, then systematically compares Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, ACP, Agora, LMOS, agents.json, LOKA, PXP, CrowdES against efficiency, scalability, security, reliability, extensibility, operability, interoperability, with case studies.
Concepts introduced/used: Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol, Agent Communication Languages, LLM Agents, Multi-Agent Systems, Interoperability, Agent Discovery
Stance: survey
Relates to: Shares its subject with Survey Of Agent Interoperability Protocols but takes a broader taxonomic view; its forward-looking “protocols as ecosystems” framing converges with Levels Of Social Orchestration and motivates coordination layers like Ripple Effect Protocol. Historical continuity with KQML and FIPA-ACL is implicit.

Tags

Keeping CALM - When Distributed Consistency is Easy

Keeping CALM: When Distributed Consistency is Easy

Reference: Joseph M. Hellerstein & Peter Alvaro (2019). arXiv:1901.01930v2. Source file: ../1901.01930v2.pdf (in parent directory). URL

Summary

An accessible, updated statement of the CALM Theorem — Consistency As Logical Monotonicity: a program has a consistent, coordination-free distributed implementation if and only if it is monotonic in a formal logical sense. Monotonic programs are “safe” under missing information and can proceed without waiting: once something has been concluded, it stays concluded. Non-monotonic programs (“change their mind” in the face of new inputs) are necessarily order-sensitive and therefore require coordination to produce a single deterministic outcome.

CALM is a positive counterpart to the negative results of the CAP Theorem and the FLP impossibility. Where CAP says “you can’t always have it all”, CALM delineates the class of programs that can in fact satisfy all of C, A, and P simultaneously: exactly the monotonic ones. The theorem shifts attention away from storage consistency (linearizability, serializability) toward program consistency — Confluence: deterministic outcomes despite non-deterministic message delivery and ordering.

The paper traces the theorem’s implications for Bloom Language, Dedalus, CRDTs, coordination-free design patterns (monotonic accumulation, tombstones, immutable data), distributed garbage collection, and Amazon’s shopping-cart example. It closes with open questions: expressiveness of monotonic languages, program synthesis targeting monotonicity, repair of non-monotonic code, and a possible Stochastic CALM for near-optimum stochastic algorithms.

Key Ideas

Monotonicity ⇔ coordination-freeness ⇔ consistency (CALM)
Program consistency = confluence: same outputs regardless of message order / batching
Non-monotonic operations retract earlier conclusions, hence must wait for “all the news” — requiring Coordination Avoidance logic to know when
Formalisation via Relational Transducer networks (Ameloot, Neven, Van den Bussche)
CAP is a special case: linearizable storage is one non-monotonic operation; CALM asks the question across all programs
Practical playbook: immutable data structures, tombstones, set-monotonic accumulation, CRDTs as object-oriented monotonic types
Bloom gives syntactic monotonicity checking — a programmer writing monotonic Bloom is guaranteed coordination-free correctness

Connections

CALM Theorem
CAP Theorem
Confluence
Monotonic Logic
Coordination Avoidance
Bloom Language
Dedalus
CRDTs
Relational Transducer
Non-monotonic Reasoning
Gossip-Based Computation of Aggregate Information
Gossip-based Aggregation in Large Dynamic Networks
Extensible Distributed Coordination
Are Multiagent Systems Resilient to Communication Failures
Foundations of Logic Programming - Lloyd
Logic and Lattices for Distributed Programming — Conway et al. 2012 (BloomL; lattice-typed lifting of CALM)
Relational Transducers for Declarative Networking — Ameloot, Neven & Van den Bussche 2011 (the formal proof of CALM)
A Comprehensive Study of Convergent and Commutative Replicated Data Types — Shapiro et al. 2011 (the CRDT canonical reference)

Conceptual Contribution

Claim: A distributed program is consistent and coordination-free iff it is expressible in monotonic logic — a tight, provable characterisation that converts “distributed consistency is hard” into a precise question about a program’s logical shape.
Mechanism: Formalise programs as networks of Relational Transducers (Ameloot et al.); define Confluence as program-level determinism under non-deterministic delivery; prove biconditional between confluence and monotonic-logic expressibility.
Concepts introduced/used: Monotonic Logic, Confluence, Coordination Avoidance, Relational Transducer, Bloom Language, Dedalus, CRDTs, CAP Theorem, Immutable Data Structures, Tombstones, Stochastic CALM
Stance: foundational / survey
Relates to: Provides the theoretical companion to the Gossip Protocols cluster (Gossip-Based Computation of Aggregate Information, Gossip-based Aggregation in Large Dynamic Networks) — gossip aggregation with mass conservation is exactly a monotonic accumulation, hence coordination-free. Frames why Extensible Distributed Coordination must reach for stored-procedure coordination precisely where programs are non-monotonic. Contrasts with Are Multiagent Systems Resilient to Communication Failures: that paper shows game-theoretic MAS are brittle under message loss — CALM identifies the logical class of programs immune to such loss. The monotonic/non-monotonic split echoes Foundations of Logic Programming - Lloyd’s distinction between Horn-clause logic and Negation as Failure.

Self-Adaptation Self-Expression Self-Awareness ASCENS

On Self-adaptation, Self-expression, and Self-awareness in Autonomic Service Component Ensembles

Reference: Franco Zambonelli, Nicola Bicocchi, Giacomo Cabri, Letizia Leonardi, Mariachiara Puviani (2011). SASO Workshops 2011. Source file: On_Self-Adaptation_Self-Expression_and_Self-Awaren.pdf. URL

Summary

This ASCENS-project position paper frames three research issues for building autonomic service-component ensembles: (i) schemes that enable self-adaptive behavior in individual components and ensembles, (ii) mechanisms for self-expression — dynamic changes to the structure of interaction protocols and coordination topology — and (iii) self-awareness — components knowing enough about context and peers to choose appropriate adaptation schemes.

The authors organize adaptation along two dimensions: where (individual vs. collective) and what (behavioral self-adaptation vs. structural self-expression). A swarm/leader/corridor robotics case study illustrates that different situations call for qualitatively different adaptation regimes, and that moving between regimes requires self-awareness. The paper surveys the state of the art and argues for unified frameworks that span individual and ensemble-level adaptation while keeping human cognitive load manageable.

Key Ideas

Two-dimensional taxonomy of adaptation: where (individual/collective) × what (behavior/structure).
Self-expression = dynamically changing interaction protocols and topology.
Self-awareness as meta-capability enabling choice among adaptation schemes.
Robotics case study: leader, corridor, swarm regimes.
ASCENS roadmap for autonomic component ensembles.

Connections

Conceptual Contribution

Claim: Building autonomic service-component ensembles requires distinguishing three complementary self-* capabilities — self-adaptation (behaviour), self-expression (structure/protocols/topology), and self-awareness (meta-choice among schemes) — along two orthogonal dimensions: individual vs. collective and behavioural vs. structural.
Mechanism: Position paper layout: 2×2 adaptation taxonomy; distinction between self-adaptation and self-expression; robotics case study with three regimes (Leader, Corridor/Peers, Swarm) showing each calls for different adaptation schemes; articulation of four self-awareness sub-issues (understand amount/level of context, capabilities, trade-offs, scheme properties).
Concepts introduced/used: Self-Adaptation, Self-Expression, Self-Awareness, Autonomic Service Component Ensembles, ASCENS, Adaptation Dimensions, Interaction Protocol Change, Meta-Adaptation
Stance: foundational / survey / position
Relates to: Provides the conceptual scaffolding picked up by bio-inspired self-organisation work such as Myconet Fungi Inspired Superpeer Overlay and A Composite Self-organisation Mechanism in an Agent Network; self-awareness thread resonates with agency/Selfhood arguments in Computational Boundary of a Self; protocol-change motif connects to A Scalable Communication Protocol for Networks of LLMs.

Tags

Language Extensibility Taxonomy

Standish’s classification of programming-language extension mechanisms into paraphrase, orthophrase, and metaphrase, distinguishing what can be extended and how invasively.

In this vault

Code as Data

Homoiconicity: program text and program structure share a representation, enabling macros and meta-programming.

In this vault

Elephant 2000 - A Programming Language Based on Speech Acts

Elephant 2000: A Programming Language Based on Speech Acts

Reference: John McCarthy (1989, revised). Formal Reasoning Group, Stanford University. Source file: elephant.pdf. URL

“I meant what I said, and I said what I meant. / An elephant’s faithful, one hundred percent! / moreover, / An elephant never forgets!”

Summary

McCarthy proposes Elephant 2000, a speculative programming language whose inputs and outputs are speech acts — requests, questions, offers, acceptances, declinations, permissions, and promises — rather than ordinary I/O. A program’s correctness is then partly defined by the “happy performance” of those acts in Austin’s sense: answers must be truthful and responsive, promises must be kept, and the program must not accept what it has no authority to accept. The paper is an essay of seven design theses, most strikingly:

An Elephant program is itself a logical sentence (or syntactic sugar for one); its extensional correctness properties follow by logical consequence without a separate theory of programming à la Hoare.
Elephant programs do not need data structures: they can refer directly to the past (history of events and states), just as natural-language speakers do (“the passenger has a reservation iff she made one and hasn’t cancelled it”).
Programs have both input-output specifications (generalising illocutionary speech acts) and accomplishment specifications (generalising perlocutionary acts — what the program actually brings about in the world).
Commercial transactions exchange obligations; an Elephant program’s specification may include the fact that the obligation exchange happens as intended, again as a logical sentence.

McCarthy explicitly departs from Searle/Austin by taking a design stance (Dennett) on speech acts, introducing abstract performatives (including purely internal commitments the agent makes to itself) as a category of program event. The paper is the direct programming-language-side ancestor of modern Agent Communication Languages, Commitment-based Semantics, and Intent Formalization — all written a decade before the ACL field got going.

Key Ideas

Speech-act I-O language: programs communicate via request, question, offer, accept, decline, permission, promise, assertion, plus internal commitment
Program-as-logical-sentence: extensional properties are logical consequences, no Hoare axioms required
Direct reference to the past: no data structures, just history queries (has-reservation(psgr, flt) ≡ made-reservation ∧ ¬cancelled)
Illocutionary vs. perlocutionary specs: input-output (program’s own behaviour) vs. accomplishment (effects in the world)
Abstract performatives — internal commitments whose content is independent of outward expression
Obligation exchange as a first-class specification element for commercial/institutional programs
Takes a design stance on speech acts — adapts Austin/Searle rather than inheriting them
Authority / permission / obligation are specification concerns: the program need not be conscious of them
Explicit claim: deliberately non-AI — Elephant usages that do not require intelligence are the focus

Connections

Ascribing Mental Qualities to Machines — McCarthy’s prior paper on when it’s useful to ascribe beliefs/intentions to programs
Common Business Communication Language — McCarthy 1982, explicitly cited as the motivating application
Towards a Mathematical Science of Computation — McCarthy 1963; originates the program-as-logical-object agenda Elephant radicalises.
Correctness of a Compiler for Arithmetic Expressions — McCarthy & Painter 1967; first proof-of-concept for the verification programme Elephant extends to speech-act semantics.
First Order Theories of Individual Concepts and Propositions — McCarthy 1979; the logical machinery for propositional attitudes that Elephant’s commitments and history-referring constructs presuppose.
Circumscription - A Form of Nonmonotonic Reasoning — McCarthy 1986; the defeasibility substrate for commitment revision.
The Knowledge Level — Newell 1982; Elephant is a programming language whose native level of description is Newell’s knowledge level.
Foundations Of Illocutionary Logic — Searle & Vanderveken, the philosophical spine McCarthy adapts
Speech Act Theory
Agent Communication Languages
KQML
KQML Overview
KQML as an Agent Communication Language
FIPA-ACL
Performatives
Commitment-based Semantics
Agent Communication And Institutional Reality
Agent-Oriented Programming
Intention Is Choice with Commitment
Assigning Meanings to Programs
Hoare Logic
Formal Verification
Verifiable Semantics
Foundations of Logic Programming - Lloyd
Intent Formalization - A Grand Challenge for Reliable Coding
A Scalable Communication Protocol for Networks of LLMs
Institutional Reality

Some Philosophical Problems from the Standpoint of Artificial Intelligence

Reference: John McCarthy and Patrick J. Hayes (1969). “Some Philosophical Problems from the Standpoint of Artificial Intelligence.” In B. Meltzer and D. Michie (eds.), Machine Intelligence 4, Edinburgh University Press, pp. 463-502. Source file: mccarthy-mcchay69.pdf. URL

Summary

The paper that introduces situation calculus, names the frame problem, and divides AI cleanly into an epistemological part (what can in principle be inferred from what is knowable about the world) and a heuristic part (how to search that space efficiently). McCarthy and Hayes argue that a program capable of acting intelligently in the world must have a general representation of the world, and that designing such a representation forces the AI researcher to confront traditional philosophical problems — causality, ability, knowledge, free will, counterfactuals — with unusual rigor, because the representation has to be complete enough to drive actual deduction.

The paper is in four parts. Part 1 is philosophical: metaphysically vs epistemologically adequate representations, a proposed resolution of free will in a deterministic universe (via the existence of alternatives that the agent can bring about in its coarser theory), and a treatment of counterfactuals. Part 2 is the formal core: situations as complete states of the universe, fluents as functions on situations, actions as functions from situation to situation with result(a, s), and a method of constructing first-order sentences true exactly when a strategy achieves a goal. Part 3 surveys open problems, most famously the frame problem: how to state concisely what does not change when an action is performed, without writing an axiom for every (action, fluent) pair. Part 4 reviews philosophical logic in relation to AI.

This is the paper that makes temporal / action reasoning a first-class topic in AI. Its ontology of situations, fluents, actions, and result is the direct ancestor of every subsequent theory of action — STRIPS, event calculus, fluent calculus, BDI temporal logics, ConGolog, planning formalisms, and the temporal backbone of Ensuring Trustworthy and Ethical Behaviour in Intelligent Logical Agents. The epistemological/heuristic distinction is picked up again in Epistemological Problems of Artificial Intelligence (1977) and shapes the methodology of logicist AI.

Key Ideas

Epistemological vs metaphysical adequacy of representations: a representation is epistemologically adequate if an observer can in practice express what they can come to know, not just what is ultimately true.
Situation calculus: situations as complete states, fluents as situation-parametrised functions/predicates (e.g., at(x, s)), actions as functions result(a, s).
The frame problem: stating concisely what is unchanged by an action; a foundational difficulty for any action-based formalism.
The qualification problem (in embryo): actions have open-ended preconditions that cannot all be enumerated — later treated in Circumscription - A Form of Nonmonotonic Reasoning.
can, causes, and knows reduced to first-order formulations over situations and strategies, including strategies with loops and knowledge acquisition.
Free will and counterfactuals reinterpreted via alternative strategies available in an agent’s coarser (epistemologically adequate) theory — not by denying determinism.
Division of AI into epistemological and heuristic parts; the paper concentrates on the former.

Connections

Programs with Common Sense — the 1959 predecessor; this paper repairs its treatment of action and time.
Recursive Functions of Symbolic Expressions and Their Computation by Machine
Epistemological Problems of Artificial Intelligence — continues the epistemological-adequacy programme.
Circumscription - A Form of Nonmonotonic Reasoning — formal answer to the qualification problem raised here.
Ascribing Mental Qualities to Machines
First Order Theories of Individual Concepts and Propositions
Generality in Artificial Intelligence
Towards a Mathematical Science of Computation
Correctness of a Compiler for Arithmetic Expressions
Elephant 2000 - A Programming Language Based on Speech Acts
Common Business Communication Language
Common Sense Reasoning
Knowledge Representation
Non-monotonic Reasoning
Epistemic Logic
The Knowledge Level
The Society of Mind
Frame Problem
Situation Calculus
Ensuring Trustworthy and Ethical Behaviour in Intelligent Logical Agents — A-ILTL’s temporal obligations inherit the situation-calculus transition structure.
BDI — BDI logics (Rao & Georgeff, Cohen & Levesque) build their belief/desire/intention modalities on top of situation-calculus-style branching time.
BDI Logic

Conceptual Contribution

Claim: AI requires an epistemologically adequate representation of the world, which forces the AI researcher to solve philosophical problems (causality, ability, knowledge, counterfactuals, free will) formally; situation calculus — situations, fluents, actions with result(a, s) — provides a first-order representation in which strategies achieving goals can be proved correct.
Mechanism: First-order logic with sorted terms for situations, fluents, and actions; the result function; axioms expressing action effects and successor-state relations; proof-of-strategy construction; explicit treatment of knowledge strategies (plans involving learning what one does not yet know); methodological division of AI into epistemological and heuristic parts.
Concepts introduced/used: Situation Calculus, Fluent, Frame Problem, Qualification Problem, Epistemological Adequacy, Metaphysical Adequacy, Counterfactual, Action Formalism, Planning, Knowing How vs Knowing That.
Stance: foundational
Relates to: Names the frame problem that every subsequent action formalism must address; furnishes the ontology that BDI logics and Ensuring Trustworthy and Ethical Behaviour in Intelligent Logical Agents inherit for their temporal/intentional semantics; sets up the qualification problem that Circumscription - A Form of Nonmonotonic Reasoning later solves; methodologically complements Ascribing Mental Qualities to Machines and First Order Theories of Individual Concepts and Propositions; the epistemological-adequacy criterion reappears explicitly in Epistemological Problems of Artificial Intelligence.

Trends in Agent Communication Language

Reference: Chaib-draa, B., Dignum, F. (2002). Computational Intelligence, Vol. 18, No. 2. Source file: trends-in-acl.pdf. URL

Summary

Editorial introduction to a special issue on ACLs that surveys the field’s major research threads. The authors review the origins of ACLs (KSE, KQML/KIF, FIPA-ACL based on ARCOL), situating them as intentional/social layers above transport protocols (TCP/IP, HTTP, IIOP). They highlight five core issues: theories of agency underpinning the semantics, ACL semantics proper (pre-/post-/completion conditions vs. rational effects), verification of compliance and protocols, treatment of ontologies, and completeness of message-type sets.

The paper emphasizes tensions between mentalistic semantics (inherited from Searle/Cohen-Levesque speech-act theory) and social alternatives (Singh), and argues conversation policies/protocols are a primary practical vehicle for tractable agent interaction. It closes by reviewing ad-hoc treatment of ontologies and the limits of KQML and FIPA-ACL message-type coverage (e.g., missing commissives in FIPA-ACL).

Key Ideas

ACLs operate at intentional/social layer above transport.
Mentalistic (FIPA) vs. social (Singh) semantics tension.
Verifiability of sincerity/semantics is largely infeasible.
Conversation policies make ACL use tractable.
Ontology integration remains largely ad-hoc.

Connections

Conceptual Contribution

Claim: ACL research clusters around five persistent issues — theory of agency, ACL semantics, verification, ontologies, and completeness of message-type repertoires — and progress requires reconciling mentalistic and social semantics via practical conversation policies.
Mechanism: Chaib-draa and Dignum trace ACLs from the KSE through KQML/KIF to FIPA-ACL/ARCOL, situating them as an intentional/social layer above TCP/HTTP/IIOP transports, and survey each issue. They highlight Cohen–Levesque rational-effect semantics vs. Singh’s social commitments, argue sincerity verification is generally infeasible, note FIPA-ACL’s missing commissives, and promote conversation policies as the practical tractability lever.
Concepts introduced/used: ACL Layering, Rational Effect, Conversation Policy, Protocol Verification, Commissives, Theory of Agency, Ontology Grounding
Stance: survey
Relates to: A companion to The State of the Art in Agent Communication Languages; summarises the tension sharpened in Agent Communication Languages - Rethinking the Principles and motivates the commitment-based turn realised in An Interaction-oriented Agent Framework for Open Environments; its ontology concern links to Ontology Change Classification and Survey.

Tags

The State of the Art in Agent Communication Languages

Reference: Kone, Shimazu, Nakajima (2000). Knowledge and Information Systems, Springer. Source file: The_State_of_the_Art_in_Agent_Communication_Langua.pdf. URL

Summary

A critical review of ACL design circa 2000. The authors lay out a generalized ACL framework structured around eight principles (heterogeneity, cooperation/coordination, separation, interoperability, transparency, extensibility/scalability, performance, and security). They distill ACL specifications into four components: message format, semantic model, interaction protocols, and shared ontologies/content language.

The paper surveys major ACLs — KQML with KIF and facilitator mediation, France Telecom’s ARCOL with its rational-action semantics, the FIPA standard derived from ARCOL, OAA’s ICL, and mobile-agent LOGOS — documenting each approach’s advantages and limitations (lack of formal semantics, low heterogeneity, missing shared ontologies, weak negotiation protocols). It closes by identifying open issues and pointing to the social-agency approach of Singh as a promising direction.

Key Ideas

Eight ACL design principles as evaluation yardstick.
Four-part ACL spec: format, semantics, protocols, ontology.
KQML vs. ARCOL/FIPA as declarative approaches; OAA/LOGOS as procedural.
Speech-act-derived communicative act categories.
Key open issues: formal semantics, heterogeneity, shared ontologies.

Connections

Conceptual Contribution

Claim: An ACL should be evaluated against eight design principles and factored into four orthogonal components, revealing systematic gaps (formal semantics, heterogeneity, shared ontologies, negotiation) in the ACLs available at the turn of the millennium.
Mechanism: Kone, Shimazu and Nakajima enumerate eight principles (heterogeneity, cooperation/coordination, separation, interoperability, transparency, extensibility/scalability, performance, security) and a four-part ACL template (message format, semantic model, interaction protocols, shared ontology/content language). They apply this lens to KQML+KIF, ARCOL, FIPA-ACL, OAA’s ICL and LOGOS, and close by endorsing Singh’s social-agency direction.
Concepts introduced/used: ACL Design Principles, KQML, KIF, ARCOL, FIPA-ACL, OAA ICL, LOGOS, Rational Action Semantics, Facilitator, Content Language
Stance: survey
Relates to: Sits alongside Trends in Agent Communication Language as a companion turn-of-2000s assessment; its endorsement of social semantics anticipates Agent Communication Languages - Rethinking the Principles and is realised by An Interaction-oriented Agent Framework for Open Environments; references ontology issues surveyed in Ontology Change Classification and Survey.

Tags

A Common Ontology Of ACLs

A Common Ontology of Agent Communication Languages: Modeling Mental Attitudes and Social Commitments using Roles

Reference: Boella, Damiano, Hulstijn, van der Torre (2006). Applied Ontology 3(1-3). Source file: ao07b.pdf. URL

Summary

The authors propose a common ontology that bridges two dominant semantic traditions for Agent Communication Langua mental-attitude-based semantics (FIPA-ACL) and social-commitment-based semantics (Singh, Colombetti). The unifying device is the role: each agent plays role instances in dialogue sessions, and both beliefs/intentions and commitments are attributed to role instances rather than to private mental states, sidestepping the unverifiability problem.

They develop Role-SL, a BDI logic extended with roles and dialogue sessions, and show translation schemes from FIPA speech acts and from actioandopositional commitment semantics into this role-based ontology. The framework accommodates mixed dialogues (e.g., persuasion intertwined with negotiation) that neither tradition handles cleanly alone.

Key Ideas

Roles as first-class carriers of public mental attitudes.
Role-SL: extension of FIPA-SL with role instances and dialogue sessions.
Mappings from FIPA-ACL and commitment-based ACLs into one ontology.
Public beliefs/intentions sidestep mental-state unverifiability.
Distinguishes action commitments (request/propose) from propositional (assert/challenge).

Connections

Conceptual Contribution

Claim: Mental-attitude and social-commitment ACL semantics can be unified under a common ontology by attributing both to roles instantiated in dialogue sessions, rather than to private agent minds.
Mechanism: Extends FIPA-SL into Role-SL (BDI + roles + dialogue sessions); provides translation schemes from FIPA speech acts and from action/propositional commitment semantics; handles mixed dialogues (persuasion + negotiation).
Concepts introduced/used: Roles, BDI, Commitment-based Semantics, Mental Attitudes, Mentalistic Semantics, Public Semantics, Verifiable Semantics, Dialogue Sessions, FIPA-ACL, Speech Act Theory, Ontologies, Agent Communication Languages
Stance: formal-semantic
Relates to: Bridges the two traditions typified by FIPA-ACL (mentalist) and Agent Communication And Institutional Reality (commitment-based); uses ontology machinery catalogued in Handbook On Ontologies.

Tags

Agent Communication Languages - Rethinking the Principles

Agent Communication Languages: Rethinking the Principles

Reference: Singh, M. P. (1998). IEEE Computer (December 1998). Source file: singh-acl.pdf. URL

Summary

Singh argues that mainstream ACLs like KQML and FIPA/Arcol are built on an untenable mentalistic semantics — grounding message meaning in the sender’s beliefs and intentions — which cannot be verified from the outside and therefore cannot serve as a compliance standard. For true interoperability in heterogeneous multi-agent systems, he proposes shifting to a social agency model in which ACL semantics is defined in terms of public commitments, roles, and conventions rather than private mental states.

The paper maps the design space of ACLs along phisssspective (private/public), type of meaning (personal/conventional), basis (semantic/pragmatic), context (fixed/flexible), coverage (of communicative acts), and construction autonomy (design/execution). It motivates “societies” of agents with published protocols, where compliance becomes testable and dialects can usefully coexist. The move from mental to social semantics underpins later work on commitment-based protocols.

Key Ideas

Mentalistic ACL semantics is non-verifiables => poor basis for standards.
Social agency: commitments, roles, conventions as public meaning.
Design/execution autonomy orthogonal and both important.
Dialects are OK; idiolects are not.
Protocols as flexible specifications, not fixed FSMs.

Connections

Agent Communication Languages
FIPA-ACL
FIPA-ACL Specifications
KQML
Speech Act Theory
Commitment-based Semantics
Mentalistic Semantics
Public Semantics
Verifiable Semantics
Interaction Protocols
Conversation Policy
Multi-Agent Systems
Communicative Actions for Artificial Agents - Cohen Levesque — the mentalistic high-water mark this paper critiques
An Ontology for Commitments in Multiagent Systems - Singh — Singh’s own formal sequel: four-place commitment ontology
Articulating Reasons - Brandom — philosophical underwriting of Public Semantics
Making It Explicit - Brandom
Jones-Sergot Normative Systems — Counts-As Relation / institutional grounding
CBCL - Safe Self-Extending Agent Communication — O’Connor 2026 contemporary realisation

Conceptual Contribution

Claim: Mentalistic ACL semantics (KQML, FIPA/ARCOL) cannot ground interoperability because compliance with sincerity and belief conditions is externally unverifiable; ACLs should be rebuilt on a social semantics of public commitments, roles and conventions.
Mechanism: Singh maps the ACL design space along six axes — perspective (private/public), meaning type (personal/conventional), basis (semantic/pragmatic), context (fixed/flexible), coverage (communicative-act repertoire), and construction autonomy (design-time vs. run-time). He uses this scheme to argue that FIPA/KQML occupy an untenable region, and sketches a social-agency alternative in which agents belong to “societies” with published protocols, commitments are first-class, and dialects (but not idiolects) are tolerated.
Concepts introduced/used: Social Agency, Commitment-Based Semantics, Mentalistic Semantics, Conversation Policy, Dialect vs Idiolect, Design Autonomy, Execution Autonomy, ACL Verifiability
Stance: critique
Relates to: Directly targets the mentalistic stance of Agent-Oriented Programming, KQML as an Agent Communication Language, and FIPA-ACL; its social-semantic programme is operationalised by An Interaction-oriented Agent Framework for Open Environments (commitment-based Mercurio/JaCaMo) and cited approvingly by the surveys The State of the Art in Agent Communication Languages and Trends in Agent Communication Language.

Tags

FIPA-ACL

The Foundation for Intelligent Physical Agents Agent Communication Language — a standardised successor to KQML, defining performatives with mentalistic semantics (beliefs/intentions of sender and receiver).

Primary source

FIPA-ACL Specifications — the canonical standards documents (FIPA00037 Communicative Act Library, FIPA00061 Message Structure)
Communicative Actions for Artificial Agents - Cohen Levesque — Cohen & Levesque 1995, the direct semantic ancestor

Discussed in

Agent Communication Languages
Speech Act Theory
Multi-Agent Systems
Mentalistic Semantics
Public Semantics
Commitment-based Semantics
An Ontology for Commitments in Multiagent Systems - Singh
CBCL - Safe Self-Extending Agent Communication — DCFL-bounded ACL with public-commitment semantics, addressing the unverifiability of FIPA-ACL’s mentalistic SL semantics

KQML - A Language And Protocol For Knowledge And Information Exchange

KQML - A Language and Protocol for Knowledge and Information Exchange

Reference: Finin, Fritzson, McKay, McEntire (1994). AAAI Technical Report WS-94-02, Workshop on Knowledge-Based Collaboration Systems. Source file: WS94-02-007.pdf. URL

Summary

This is one of the canonical early KQML papers, describing the Knowledge Query and Manipulation Language as both a message format and a message-handling protocol for run-time knowledge sharing among intelligent agents. Developed as part of the ARPA Knowledge Sharing Effort (KSE), KQML is presented as an enabling technology for building large-scale, sharable, reusable knowledge bases and for letting independently developed systems interoperate at the knowledge level rather than at the level of raw RPC or ad-hoc protocols.

The paper introduces the core architectural commitments of KQML: an extensible set of performatives (reserved speech-act-like operations that agents perform on each other’s knowledge and goal stores), a three-layer message structure (content, message/communication, and communication mechanics), and a special class of facilitator agents that coordinate interactions and provide services such as brokering, recruitment, and content-based routing. Performatives fall into seven categories (basic query, multi-response query, response, generic informational, generator, capability-definition, networking) including ask-one, ask-all, tell, untell, achieve, subscribe, advertise, broker, recommend, and recruit.

The authors sketch KQML’s semantics informally in terms of effects on an agent’s belief and intention stores (e.g., tell(S) is an assertion by the sender that S is in its virtual belief store; achieve(S) asks the recipient to add S to its intention store), and note ongoing work on formal semantics via definite clause grammars and on interoperability with KIF and Ontolingua ontologies.

Key Ideas

KQML as both message format and message-handling protocol; focused on pragmatics, secondarily on semantics.
Three-layer message structure: content, communication/message, communication mechanics.
Extensible performative set organized into seven categories.
Facilitator agents: brokers, matchmakers, recruiters, content-based routers.
Synchronous, asynchronous, streaming, and subscription interaction protocols.
Performatives as speech-act-like operations on agents’ belief and goal stores.
Integration with KIF for content and shared ontologies for semantic grounding.
Part of the ARPA Knowledge Sharing Effort (KSE): Interlingua, KRSS, SRKB, External Interfaces working groups.

Connections

Conceptual Contribution

Claim: Heterogeneous intelligent systems can share knowledge at run time if they agree on a protocol of speech-act-like performatives over a common content language and shared ontology, coordinated by specialized facilitator agents.
Mechanism: Defines an extensible parenthesized message syntax with reserved performative names and keyword/value arguments; layers communication (sender/receiver/identifier), message (performative, ontology, language), and content; routes messages through facilitators that implement brokering, matchmaking, and content-based subscription; gives informal speech-act semantics in terms of effects on virtual belief and intention stores.
Concepts introduced/used: KQML, Performatives, Facilitator Agents, KIF, Speech Act Theory, Ontologies, Agent Communication Languages
Stance: foundational
Relates to: One of the defining sources for KQML and Agent Communication Languages in this vault; direct precursor to FIPA-ACL; establishes the performative/speech-act framing critiqued and refined in ACL Design Principles, ACL Rethinking Principles, and Agent Communication Languages - Rethinking the Principles; the facilitator concept informs Agent Discovery and Agent Hub patterns.

KQML as an Agent Communication Language

Reference: Tim Finin, Richard Fritzson, Don McKay, and Robin McEntire (1994). CIKM ’94 (Proceedings of the Third International Conference on Information and Knowledge Management). Source file: 191246.191322.pdf. URL

Summary

Foundational paper on the Knowledge Query and Manipulation Language (KQML), developed under the ARPA Knowledge Sharing Effort. KQML is both a message format and a message-handling protocol for run-time knowledge sharing among intelligent agents. It builds on speech-act theory: each message (a performative) carries an illocutionary force (ask, tell, subscribe, advertise, recommend, broker, recruit, etc.) atop a content language (often KIF) and an ontology reference.

The paper describes the three-layer structure (content / message / communication), facilitator agents that provide matchmaking, brokering and content-based routing, and implementations including routers, facilitators, and KRIL interface libraries. KQML became the reference point against which later ACLs (notably FIPA-ACL) were designed.

Key Ideas

Performatives as speech-act-inspired message types
Separation of content language, message layer, and transport
Facilitators for advertise/subscribe, brokering, recruitment, routing
Reserved performatives: ask-if/ask-all, tell, stream-all, subscribe, monitor, advertise, recruit
KIF + ontologies as the assumed content layer

Connections

Conceptual Contribution

Claim: Interoperable knowledge sharing among heterogeneous intelligent agents requires a three-layer communication language (content / message / communication) whose message layer is built from speech-act-inspired performatives, and whose runtime infrastructure provides facilitator agents for matchmaking and brokering.
Mechanism: Specify ~30 reserved performatives (ask-if, tell, subscribe, advertise, recruit, broker-one, …) that wrap a content expression (typically KIF) with an ontology reference and transport metadata; implement via routers, facilitators, and per-application KRIL interface libraries; demonstrate advertise/subscribe, content-based routing, and recruitment patterns.
Concepts introduced/used: KQML, Performatives, Speech Act Theory, Facilitators, Facilitator Agents, Mentalistic Semantics, KIF, Ontologies, Agent Communication Languages, Conversation Policy, Interaction Protocols
Stance: engineering / standard-proposal
Relates to: Foundational reference against which FIPA-ACL, A Common Ontology Of ACLs, ACL Rethinking Principles, and Agent Communication Languages - Rethinking the Principles argue (over mentalistic vs commitment-based semantics). Performatives-as-protocol anticipates Agora’s Protocol Documents in A Scalable Communication Protocol for Networks of LLMs and the MCP/A2A/ANP layer of modern LLM agents (Model Context Protocol, Agent-to-Agent Protocol, Agent Network Protocol).

Tags

A Language-Based Approach To Prevent DDoS

A Language-Based Approach to Prevent DDoS Attacks in Distributed Financial Agent Systems

Reference: Fazeldehkordi, Owe, Ramezanifarkhani (2018). University of Oslo. Source file: A language-based approach to prevent DDoS attacks in distributed financial agent systems.pdf. URL

Summary

The authors propose adding a language-based layer of defense against DoS/DDoS to distributed financial agent systems built on the actor model with asynchronous method calls and futures (in the style of Creol/ABS). Because such languages make it cheap to launch non-blocking floods, they adapt a static analysis for detecting call-flooding cycles to the many-to-one DDoS setting.

The analysis builds per-method control-flow graphs, identifies cycles, and classifies nodes as strongly- or weakly-reachable to detect unbounded method-call generation at compile time. They distinguish one-to-one, many-to-one, and one-to-many flooding, and illustrate with a publish/subscribe newsletter example where future-based optimization accidentally enables a DoS against subscribers.

Key Ideas

Static detection of call-based flooding in actor-model languages with futures.
Classification: one-to-one, many-to-one, one-to-many flooding.
Strong vs weak reachability in control-flow cycles.
Instantiation flooding (unbounded object creation) as a resource-exhaustion vector.
Application to financial service subscriber systems.

Connections

Conceptual Contribution

Claim: Actor-based agent languages with asynchronous futures make DoS/DDoS cheap to launch inadvertently, and static analysis of call-flow cycles can prevent it at compile time.
Mechanism: Builds per-method control-flow graphs, detects strongly/weakly-reachable cycles that generate unbounded calls; extends from one-to-one to many-to-one and one-to-many flooding; illustrated on a Creol/ABS publish/subscribe newsletter.
Concepts introduced/used: Static Analysis, Actor Model, Futures, DDoS, Control-Flow Graph, Distributed Security, Multi-Agent Systems
Stance: engineering
Relates to: Shares the language-level-security stance of Seven Turrets Of Babel and Security Kernel Lambda Calculus; addresses a threat class complementary to the tool-level attacks of MalTool Malicious Tool Attacks and the broad landscape of AI Agents Under Threat.

Tags

The Halting Problems of Network Stack Insecurity

Reference: Sassaman, Patterson, Bratus, Shubina (2011). ;login: (USENIX), Vol. 36, No. 6. Source file: The_Halting_Problems_of_Network_Stack_In.pdf. URL

Summary

The paper founds language-theoretic security (LangSec) on a startling thesis: accepted/valid inputs to a program form an input language, and a program’s input-handling code is effectively a recognizer for that language. Insecurity arises when this recognizer problem is computationally too powerful — recognizing context-sensitive or Turing-complete input languages makes validity checking undecidable, so exploitable mismatches between the intended and actual recognizer are inevitable.

Through examples (X.509 ASN.1 parsing, SQL injection, network-stack fingerprinting, 802.15.4 SFD attacks, qmail), the authors show how handwritten ad-hoc recognizers introduce “weird machines” on which crafted inputs execute exploit programs. They propose two principles: (1) Starve the Turing beast — give parsers only the minimum computational power needed; (2) Secure composition requires parser computational equivalence. They argue HTML5’s Turing-completeness regresses safety, and JSON/S-expressions exemplify the right design.

Key Ideas

Inputs form a formal language; parsers are recognizers.
Undecidability of input validity => unexploitable security impossible.
Exploits run on “weird machines” built from crafted inputs.
Minimal computational power principle (a LangSec Least Privilege).
Postel’s robustness principle harmful for security.

Connections

Language Workbenches
LangSec
Parser Differential
Protocol Documents
Agent Communication Languages
Multi-Agent Systems
An Unsolvable Problem of Elementary Number Theory — Church 1936, the undecidability result the title invokes.
Recursively Enumerable Sets of Positive Integers and Their Decision Problems — Post 1944, decision-problem framing behind the recognizer view.
Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I — Gödel 1931, the incompleteness ancestor of the LangSec impossibility argument.
CBCL - Safe Self-Extending Agent Communication — applies the “starve the Turing beast” principle to agent-communication languages: DCFL-bounded inputs, including runtime extensions.

Conceptual Contribution

Claim: Much network-stack insecurity is a consequence of treating input validation as an ad-hoc engineering task rather than as a formal recognition problem; if the input language is too powerful, safe validation is undecidable and exploitable “weird machines” are inevitable.
Mechanism: Sassaman et al. recast every parser as a recognizer for a formal language and map concrete vulnerability classes (ASN.1 in X.509, SQL injection, TCP/IP fingerprint ambiguity, 802.15.4 SFD spoofing, qmail overflows) onto the Chomsky hierarchy. They derive two design principles — starve the Turing beast (keep parsers minimal: regular/context-free where possible) and require computational equivalence of parsers for secure composition — and argue Postel’s robustness principle exacerbates the problem.
Concepts introduced/used: LangSec, Weird Machine, Input Language, Recognizer, Chomsky Hierarchy, Parser Equivalence, Postel’s Law Critique, Halting Problem
Stance: foundational
Relates to: Frames the security motivation behind language-workbench approaches like The Spoofax Language Workbench and the language-based DDoS defence in A Language-Based Approach To Prevent DDoS; its recognizer view complements the calculus-level security of Secure Communications Processing for Distributed Languages.

Tags

Counts-As Relation

Jones and Sergot’s (1993) formal connective for the relation by which a brute (physical, computational) event is treated by an institution as constituting a particular institutional event. Written A ⇒s B and read “in institution s, A counts as B.” A piece of paper of certain composition signed in certain ways counts as a contract in the legal institution; a byte-sequence on the wire conforming to a dialect contract counts as a binding commitment in an agent society. The connective is institution-relative, non-monotonic (additional context facts can defeat the count-as), and constitutive (count-as facts partly define what the institution is). Combined with deontic operators (obligation, permission, prohibition), counts-as is the formal vocabulary of normative systems. For CBCL, a dialect contract is precisely a counts-as specification: it stipulates which wire events, in this dialect, count as which institutional commitments.

In this vault

Jones-Sergot Normative Systems — the founding chapter
Constitutive Rules
Regulative Rules
Institutional Facts
Deontic Logic
An Ontology for Commitments in Multiagent Systems - Singh
Commitment-based Semantics
Speech Act Theory
How to Do Things with Words
Speech Acts - An Essay in the Philosophy of Language
Agent Communication And Institutional Reality
Convention - Lewis
Languages and Language - Lewis
Speaks-For Calculus — a counts-as fragment (this credential counts as authority to assert on behalf of)
CBCL - Safe Self-Extending Agent Communication

Jones-Sergot Normative Systems

On the Characterisation of Law and Computer Systems: The Normative Systems Perspective

Reference: Jones, A. J. I. & Sergot, M. (1993). On the Characterisation of Law and Computer Systems: The Normative Systems Perspective. In J.-J. Ch. Meyer & R. J. Wieringa (eds.), Deontic Logic in Computer Science: Normative System Specification (pp. 275–307). John Wiley & Sons. Semantic Scholar record · DEON 1991 precursor (workshop paper, more accessible) · SEP: deontic logic

Summary

Jones and Sergot’s chapter is the founding statement of the normative systems programme in AI and computer science — the move that takes computer systems (including multi-agent systems) seriously as normative artefacts whose behaviour can be analysed in the same vocabulary as legal systems. The central technical contribution is a formal account of the counts-as relation: the relation by which a brute (physical, computational) event is treated by an institution as constituting a particular institutional event. A piece of paper of certain composition, signed in certain ways, counts as a contract in the legal institution; a particular sequence of bytes on the wire, conformant to a particular protocol, counts as a binding promise in an agent society. The counts-as relation is the bridge between brute facts and institutional facts, between syntactic events and their normative significance.

The paper develops counts-as as a conditional connective ⇒s indexed by an institution s: A ⇒s B reads “in institution s, A counts as B.” The counts-as connective is not classical material implication: it is institution-relative, non-monotonic (additional facts about the institutional context may defeat the count-as), and constitutive (the count-as relation is partly what makes the institution be the institution it is). The framework lets the authors model standard legal phenomena — speech-acts that create institutional roles, signing-procedures that count as enacting law, delegation that lets an agent’s act count as another’s, and the distinction between rules that regulate existing institutional activity and rules that constitute the institutional categories themselves. The Wieringa–Meyer volume’s surrounding chapters develop deontic logics (obligation, permission, prohibition) that combine with counts-as to specify normative systems.

For CBCL and the public-semantics line, the counts-as relation is the missing institutional bridge between the wire format and the commitment-state. A CBCL dialect contract is precisely a counts-as specification: in this dialect, this byte-sequence on the wire counts as a binding commitment with these debtor / creditor / condition / context slots. Without counts-as, the move from “the agent emitted these bytes” to “the agent has incurred this commitment” is unprincipled; with counts-as, it is a well-defined institutional bridge inheriting decades of deontic-logic infrastructure. The paper is also the unification point for the broader normative MAS literature — Singh’s commitments, Fornara–Colombetti–Verdicchio’s institutional ACL, and the broader European MAS deontic tradition (Boella, van der Torre, Castelfranchi, Carmo–Jones) all sit downstream.

Key Ideas

Counts-as relation ⇒s: an institution-indexed conditional. A ⇒s B reads “in institution s, A counts as B.” The bridge between brute facts (physical, computational events) and institutional facts (contracts, commitments, roles).
Constitutive vs regulative rules: counts-as rules are constitutive — they partly define what the institution is. Regulative rules (deontic operators: obligation, permission, prohibition) presuppose the institutional categories and govern behaviour within them. The constitutive/regulative distinction goes back to Searle 1969; Jones–Sergot give it a formal home.
Non-monotonic, institution-relative, defeasible: counts-as is not classical implication. Additional facts about the institutional context (a forged signature, an invalid delegation chain) may defeat a counts-as that would otherwise hold.
Institutions as the unit of normative analysis: an institution is a coherent body of constitutive and regulative rules. Computer systems can host institutions exactly as legal systems do.
Empowerment: certain institutional roles are empowered to perform certain acts (the judge can pronounce sentence; the agent in role seller can issue invoices). Empowerment is a counts-as fact about which acts of which role-holders count as which institutional acts.
Normative-position analysis: drawing on Hohfeld’s analysis of fundamental legal conceptions (right / duty / privilege / liability / power / immunity), the paper sketches how each Hohfeldian relation is reconstructible from constitutive-and-regulative-rule analyses.
Bridge to deontic logic: combines naturally with standard deontic operators (Os “it is obligatory in s that”, Ps “it is permitted in s that”, etc.) to give a full normative-system specification language.

Connections

Conceptual Contribution

Claim: Legal systems and computer systems can be analysed in a single formal framework — the normative system — anchored by the counts-as relation, a constitutive bridge from brute facts to institutional facts. Deontic operators (obligation, permission, prohibition) then operate on the institutional categories the counts-as relation establishes.
Mechanism: Introduce the institution-indexed conditional ⇒s (counts-as in institution s), reflexive and transitive but non-monotonic and institution-relative. Distinguish constitutive rules (which establish institutional categories via counts-as) from regulative rules (which apply deontic operators within the institutional categories). Combine with standard deontic operators to specify the full normative system. Sketch how Hohfeld’s fundamental legal conceptions reduce to constitutive/regulative patterns.
Concepts introduced/used: Counts-As Relation ⇒s, Constitutive Rules, Regulative Rules, Institutional Facts, Brute Facts, Empowerment, Hohfeldian Analysis, Normative Position, Deontic Logic.
Stance: foundational technical chapter.
Relates to: The institutional bridge missing from the commitment-based semantics line — a CBCL dialect contract is a counts-as specification (this byte-sequence, in this dialect, counts as this commitment), and without counts-as the move from wire events to institutional commitments is unprincipled. Pairs directly with Singh 1999 (commitments as the normative substrate) and with Fornara, Colombetti & Verdicchio (institutional ACL semantics). The philosophical foundation is Searle 1969’s constitutive/regulative distinction and Searle 1995’s Construction of Social Reality (counts-as as social ontology); Jones–Sergot give the formal home. Compatible with Brandomian inferentialism as a layer: counts-as gives the institutional ontology, deontic scorekeeping gives the dynamics of commitment-undertaking within that ontology. The speaks-for calculus of Lampson et al. is a counts-as fragment (this credential counts as authority to assert on behalf of). For CBCL, counts-as is the formal-vocabulary answer to “what does dialect installation actually do normatively?” — install rules give wire events institutional meaning.

An Ontology for Commitments in Multiagent Systems - Singh

An Ontology for Commitments in Multiagent Systems: Toward a Unification of Normative Concepts

Reference: Singh, M. P. (1999). An Ontology for Commitments in Multiagent Systems: Toward a Unification of Normative Concepts. Artificial Intelligence and Law 7(1): 97–113. Kluwer. DOI · Author copy via Academia.edu · Singh publications (NCSU)

Summary

This paper is the formal core of Singh’s commitment-based programme — a piece that sits between the polemical Rethinking the Principles (1998) and the operationalised commitment machines line (Yolum & Singh 2002). Singh argues that the multiplicity of normative concepts used across MAS, deontic logic, and law — obligation, permission, prohibition, promise, contract, delegation, cancellation, release — can be unified by taking the social commitment as the basic ontological primitive and reconstructing the rest as patterns over commitments. A social commitment is a four-place relation: a debtor is committed to a creditor for the fulfilment of some condition in the context of a particular institution or social scope. Once these four roles are fixed, the standard normative operations — create, discharge, cancel, release, delegate, assign — become commitment-state transitions, and the deontic vocabulary becomes a derived layer over the commitment substrate.

The construction is deliberately public: commitments live in the social state, not in the heads of any agent. A commitment exists when a publicly observable act has created it (a promise speech act, a contract signing, an assertion under appropriate sincerity context); it persists until a publicly observable act has discharged or cancelled it. The truth-conditions for “agent A is committed” are externally checkable: they reference the social record, not A’s mental state. This is the exact alternative to the mentalistic semantics of FIPA / Cohen and Levesque 1995 that Rethinking the Principles called for. The paper also sets up the bridge to law: Singh notes the close fit with Jones and Sergot’s “count-as” relation, with deontic logic, and with the speaks-for tradition in distributed systems — establishing commitments as a unifying normative substrate across philosophy, law, MAS, and computer security.

For CBCL and the broader public-semantics line, this is the ontology document: it defines what “commitment” means precisely enough that protocol designers can map performatives onto commitment-state transitions and verifiers can monitor compliance from a transcript. The four-place structure (debtor, creditor, condition, context) maps almost directly onto the ledger-of-commitments architecture in Fornara & Colombetti 2004 and the dialect contracts in CBCL. The paper is also the place to cite when arguing that commitment-based ACL semantics is not merely a behavioural surrogate but a real normative theory with established connections to legal and deontic logic.

Key Ideas

Commitment as the primitive normative concept: a four-place relation C(debtor, creditor, condition, context) — agent x is committed to agent y for the fulfilment of condition q in the social context s. The four roles must always be specified; commitments without a creditor are degenerate.
Standard commitment operations: create (a new commitment comes into being via a public act), discharge (the condition is satisfied), cancel (the debtor unilaterally retracts, possibly incurring meta-commitment), release (the creditor waives), delegate (the debtor passes the obligation to a third party with creditor consent), assign (the creditor passes the entitlement).
Conditional commitments: CC(x, y, p ⊃ q, s) — x is committed to y to bring about q if p holds. The conditional structure handles contracts, contingent obligations, and protocol-state dependencies.
Discharge by satisfaction: a commitment is discharged when its condition is satisfied (in the relevant social interpretation); discharge is monotone — once discharged, the commitment is closed.
Deontic vocabulary as derived: obligation, permission, prohibition, right, and duty are reconstructable from commitment patterns plus the relevant institutional context.
Public, externally checkable semantics: commitments are facts about the social record, not about agent mental states. Verification is by inspection of the transcript and the institutional rules.
Bridges to legal informatics and deontic logic: the framework is explicitly compatible with Jones and Sergot’s count-as relation and with classical deontic-logic operators, positioning commitments as the unifier across philosophy, law, MAS, and distributed-security normative reasoning.

Connections

Conceptual Contribution

Claim: The proliferation of normative concepts across MAS, deontic logic, and law can be unified by taking the social commitment — a four-place relation C(debtor, creditor, condition, context) — as the basic primitive and reconstructing obligation, permission, prohibition, contract, and delegation as commitment patterns. Commitments are public: their existence is determined by observable acts and observable conditions, not by agent mental states.
Mechanism: Define commitments as four-place relations (debtor / creditor / condition / context) and conditional commitments analogously. Specify the operations create / discharge / cancel / release / delegate / assign as commitment-state transitions. Show how standard deontic-logic operators and standard legal concepts (promise, contract, breach, novation) reduce to patterns over these primitives. Sketch the bridge to Jones and Sergot’s count-as analysis of institutional facts.
Concepts introduced/used: Social Commitment, Conditional Commitment, Commitment Operations (create / discharge / cancel / release / delegate / assign), Debtor, Creditor, Condition, Context (Commitment), Deontic Reduction.
Stance: foundational technical paper / unifying ontology.
Relates to: The formal statement of the programme Singh 1998 argued for polemically; the bridge to the operational accounts in Yolum & Singh 2002, Yolum & Singh 2002b, and Fornara & Colombetti 2004. The philosophical complement is Brandom: Singh’s commitments are precisely the commitment leg of Brandom’s deontic scorekeeping triple. The legal complement is Jones & Sergot 1993 — count-as gives the institutional grounding for what makes a publicly observable act count as creating a commitment. The distributed-systems complement is the speaks-for tradition (Lampson et al. 1992) — credentials and delegated assertion authority are commitment patterns of the same family. CBCL’s dialect contracts and verdict ledger directly instantiate this ontology at wire-format granularity.

FIPA-ACL Specifications

Reference: Foundation for Intelligent Physical Agents (2002). FIPA ACL Message Structure Specification (FIPA00061) and FIPA Communicative Act Library Specification (FIPA00037). Geneva, December 2002. (FIPA was absorbed into the IEEE Computer Society in 2005; specifications remain the canonical reference.) FIPA00061 (Message Structure) · FIPA00037 (Communicative Act Library) · FIPA00067 (Agent Message Transport) · IEEE FIPA standards committee

Summary

The FIPA-ACL specifications are the standards-track distillation of the late-1990s mentalistic ACL programme: the wire format and semantics that “ended up shipping” as the canonical example of an industry-grade agent communication language. The suite splits into three documents that matter for ACL design. FIPA00061 specifies the message structure — the surface syntax of an ACL message as a parameterised performative envelope with :sender, :receiver, :content, :language, :ontology, :protocol, :conversation-id, :reply-with, :in-reply-to, :reply-by, and a small set of related parameters. FIPA00037 specifies the communicative act library — twenty-two performatives (accept-proposal, agree, cancel, cfp, confirm, disconfirm, failure, inform, inform-if, inform-ref, not-understood, propagate, propose, proxy, query-if, query-ref, refuse, reject-proposal, request, request-when, request-whenever, subscribe) — each given by feasibility precondition (FP) and rational effect (RE) expressed in the FIPA Semantic Language (SL) over beliefs, intentions, and uncertainty. FIPA00067 specifies the message transport (HTTP, IIOP, WAP carriers; envelope and routing).

Two features make FIPA-ACL the canonical reference point — and the canonical negative example — for ACL semantics work. First, the direct lineage from Cohen and Levesque: the FP/RE structure of FIPA00037 is a streamlined adaptation of Cohen and Levesque 1995. The semantics of inform(p) is, modulo notation, exactly the Cohen–Levesque definition: the sender believes p, believes the receiver does not know p, and intends the receiver to come to believe p. The semantics of request mirrors attempt over a hearer action. Second, the unverifiability problem: precisely because the semantics is given in terms of sender and receiver mental states, no external observer can determine whether a message is FIPA-conformant. A platform that ships inform(p) in violation of its feasibility preconditions (e.g. the sender does not believe p, i.e. is lying) is indistinguishable on the wire from a platform that ships a conformant inform. This is the deficiency Singh 1998 names, Wooldridge formalises, and the commitment-based semantics tradition fixes.

For this vault, FIPA-ACL is the engineered artefact against which the public-semantics critique runs. The spec is well-engineered as a message format — the envelope, the protocol-id mechanism, the ontology / language slots are all sound — and the wire format itself has aged well. What has not aged well is the semantics by mental-state precondition: it is unverifiable, hostile to heterogeneous deployment, and incompatible with the public-semantics / commitment-based programme that CBCL inherits. The right reading is: keep the engineering, replace the semantics.

Key Ideas

Three-part suite: FIPA00061 (message structure), FIPA00037 (communicative act library), FIPA00067 (message transport).
Message structure: :sender, :receiver, :content, :language, :ontology, :protocol, :conversation-id, :reply-with, :in-reply-to, :reply-by, :performative. Standard envelope; the :content slot carries an arbitrary content-language expression interpreted by the :ontology.
Twenty-two performatives: from accept-proposal through subscribe, organised loosely into Searlean families (assertives, directives, commissives, declaratives). The set is small enough to remember and rich enough to cover most multi-agent interaction patterns.
Semantic Language (SL): FIPA’s formal language for FP/RE definitions; a modal logic over belief, uncertainty, intention, and action, descended from Cohen and Levesque.
Feasibility precondition / rational effect: each performative is defined by an FP (what must hold for the agent to perform the act in good faith) and an RE (what the agent intends to bring about). Both involve nested beliefs and intentions of sender and receiver.
Interaction protocols: FIPA also standardises a small set of interaction protocols (FIPA-Request, FIPA-Query, FIPA-ContractNet, FIPA-IteratedContractNet, FIPA-EnglishAuction, FIPA-DutchAuction, FIPA-Brokering, FIPA-Recruiting, FIPA-Subscribe, FIPA-Propose) — finite state machines over performatives that script common conversational patterns.
Unverifiability is intrinsic: the FP/RE conditions are stated over mental states; no external observer can check conformance without inspecting agent internals — a known design cost and the central target of the social-agency critique.

Connections

Conceptual Contribution

Claim: A standardised ACL can be built from a small set of performatives, each given by mental-state preconditions and intended effects in a modal logic, embedded in a standardised message envelope, with a standard library of interaction protocols. The result is the canonical industry ACL.
Mechanism: Three coordinated specs. FIPA00061 fixes the wire format (envelope parameters and message routing). FIPA00037 fixes the performative semantics in SL, with each of twenty-two performatives given by FP and RE in terms of belief, uncertainty, and intention nested over sender and receiver. FIPA00067 specifies the message transport. A small library of interaction protocols (FIPA-Request, FIPA-ContractNet, etc.) gives canonical conversational patterns as finite state machines over performatives.
Concepts introduced/used: FIPA Performative, Semantic Language (FIPA SL), Feasibility Precondition, Rational Effect, FIPA Interaction Protocol, ContractNet, ACL Message Envelope, Conversation ID.
Stance: standards specification suite / industry deliverable.
Relates to: Direct standardisation of Cohen and Levesque 1995 — the FIPA00037 semantics is essentially that paper’s framework with editorial smoothing. As the canonical engineering artefact of mentalistic ACL semantics, FIPA-ACL is the negative example for Singh 1998, Wooldridge, Yolum & Singh, Fornara & Colombetti, and the public-semantics tradition generally. CBCL reuses the engineering of FIPA-ACL (typed performative envelope, conversation-id, ontology slot, protocol-id) while replacing the semantics with publicly verifiable commitment-based meaning. The modern LLM-agent protocol generation (Model Context Protocol, Agent-to-Agent Protocol, LACP) has retreated from FIPA’s level of semantic ambition; the open question is whether that retreat will repeat the mentalistic mistake under a new guise (sycophantic JSON tool-calls) or learn from the FIPA experience.

Mentalistic Semantics

ACL semantics in which each message commits the sender’s (and sometimes receiver’s) beliefs and intentions — powerful but unverifiable from outside.

In this vault

Communicative Actions for Artificial Agents - Cohen Levesque

Communicative Actions for Artificial Agents

Reference: Cohen, P. R. & Levesque, H. J. (1995). Communicative Actions for Artificial Agents. In Proceedings of the First International Conference on Multi-Agent Systems (ICMAS-95), San Francisco, June 1995, pp. 65–72. AAAI Press. Reprinted in J. M. Bradshaw (ed.), Software Agents (AAAI Press / MIT Press 1997), ch. 19. URL (AAAI PDF)

Summary

This paper is the high-water mark of mentalistic ACL semantics: the most explicit, systematic statement of the position that an agent communication act is a complex operator on the BDI states of sender and receiver, and that the semantics of an ACL performative is given by feasibility preconditions and rational effects expressed in modal logic over those mental states. Cohen and Levesque extend the Cohen–Levesque 1990 modal logic of intention into a logic of rational action in which speech acts are first-class actions whose definitions are derivable from more basic actions of attempting to bring about a state of affairs, together with assumed Gricean rationality on the part of both agents. The standard FIPA-ACL semantics in the FIPA Communicative Act Library Specification (FIPA00037) is essentially a streamlined adaptation of the Cohen–Levesque framework.

The mechanism is precise. A speech act e performed by speaker s toward hearer h has a feasibility precondition (e.g. s believes p, s believes h does not know p, s intends h to come to know p) and a rational effect (e.g. h believes p because h believes s sincerely informed). The semantics of inform, request, promise, commit, propose, and other performatives are derived by composition from the more primitive attempt: a request is an attempt to bring about that the hearer perform an action and that the hearer believe the speaker wants the action performed; an inform is an attempt to bring about that the hearer come to believe p and to know the speaker believes p; and so on. The framework is mathematically beautiful and ontologically heavy: it requires every speech act to be defined in terms of nested beliefs and intentions of speaker and hearer, often to several levels of nesting.

This is precisely why Singh 1998 writes the Rethinking critique. The Cohen–Levesque definitions are unverifiable in practice: no external observer can check that an agent believed p when it sent inform(p); the inferential web that fixes whether the agent “really” performed an inform speaks entirely about the agent’s mental state, which is exactly the inscrutable thing the protocol participants do not have access to. The paper is therefore the canonical negative example for CBCL and the commitment-based tradition: it shows what a fully worked-out mentalistic semantics looks like, and that shows why the field has had to move on. The right way to read it in 2026 is as the high statement of a coherent but unverifiable position, not as a blueprint to implement.

Key Ideas

Speech act = action on mental states: a communicative act is a complex action whose semantics is given by feasibility preconditions and rational effects expressed over the BDI states of speaker and hearer.
Attempt as the primitive: more elementary than the standard speech-act categories is the action of attempting — an agent attempts an action toward an end if and only if it performs the action with that goal and the belief that the action is the means.
Composition of performatives: standard performatives (inform, request, promise, propose, confirm, agree, refuse) are derived by composing attempt with specific mental-state preconditions and goals.
Sincerity and competence as background assumptions: the rational effects only follow if speaker and hearer are sincere (no lying) and competent (no false beliefs). When these fail, the framework’s predictions silently fail too.
Joint intentions in conversation: extends the 1990 framework with joint intentions — for conversational acts like agreement, both parties acquire a shared intention with mutual belief.
Verifiability is a known cost: the paper acknowledges that the mental-state preconditions are not externally observable; it argues this is the price of a real semantics rather than a behavioural surrogate.
Closest formal ancestor of FIPA: the FIPA-ACL CAL spec (FIPA00037) is a direct adaptation of this framework with light editorial smoothing.

Connections

Conceptual Contribution

Claim: Communicative acts can be given precise semantics by defining them as complex actions on the BDI states of sender and receiver, derived by composition from the primitive notion of attempt under shared rationality assumptions. The semantics of an ACL performative is its feasibility precondition and rational effect, expressed in modal logic over beliefs, goals, and intentions.
Mechanism: Extend the Cohen–Levesque 1990 modal logic of intention with a notion of attempt (an agent attempts an action toward an end iff it performs the action with that goal and the belief that the action serves the goal). Define each standard performative by composition: inform(s,h,p) requires s believes p, s believes h does not know p, s intends h to come to know p; the rational effect is that h comes to believe p by mutual recognition of s’s sincerity. Similar definitions for request, promise, propose, agree, refuse, with joint-intention machinery handling conversational acts.
Concepts introduced/used: Attempt (Cohen-Levesque), Feasibility Precondition, Rational Effect, Mentalistic Semantics, Joint Intentions, Sincerity Condition, Communicative Act Library.
Stance: foundational technical paper / formal-semantics manifesto.
Relates to: The closest formal ancestor of the FIPA Communicative Act Library (FIPA00037) — the FIPA spec is essentially a streamlined adaptation of this framework. It is the negative example against which the public-semantics / commitment-based line defines itself: Singh 1998 argues precisely that the BDI preconditions are unverifiable and that ACL semantics should be grounded in observable social commitments instead. Yolum & Singh 2002, Fornara & Colombetti 2004, and Singh 1999 develop the public alternative. CBCL then operationalises that alternative as a verified, trace-checkable, self-extending wire format — explicitly not what Cohen and Levesque built. The philosophical critique of mentalistic semantics runs deeper, through Sellars / Brandom / MIE — Cohen–Levesque takes mental states as pre-given semantic primitives, which is the move inferentialism rejects.

Convention of Truthfulness

David Lewis’s coordination-equilibrium analysis of meaning (Convention, 1969): a language is sustained by a convention among speakers to be truthful in it. Game-theoretic counterpart to Meaning As Use.

In this vault

Languages and Language - Lewis

Languages and Language

Reference: Lewis, D. K. (1975). Languages and Language. In K. Gunderson (ed.), Language, Mind, and Knowledge (Minnesota Studies in the Philosophy of Science, vol. 7, pp. 3–35). University of Minnesota Press. Reprinted in Philosophical Papers Volume I (Oxford UP 1983). URL (Minnesota Digital Conservancy)

Summary

“Languages and Language” is Lewis’s mature statement of the distinction between a language (an abstract function from sound-and-sign types to meanings, with no users) and language (a social phenomenon: a population’s practice of using a particular abstract language to communicate). The paper sharpens the framework introduced in Convention (1969) and rebuts an objection from Strawson and Searle that an account of language as convention — solving a coordination problem by mutual expectation — misses the normative heart of meaning. Lewis answers: it does not. A population uses an abstract language L iff there prevails in that population a convention of truthfulness and trust in L — a regularity by which speakers utter sentences of L only when they believe them true-in-L, and hearers respond by coming to believe the sentences uttered are true-in-L. The regularity is a convention in the technical Lewis 1969 sense: it solves a coordination problem (mutual intelligibility), it is sustained by mutual expectation (common knowledge that it is so sustained), and it has alternatives (some other abstract language could have played the same role).

The paper’s value over Convention is its precise account of the language–language relation. The abstract object L is a function from finite strings to truth-conditions (or, for non-declarative moods, to satisfaction-conditions). The social object — language — is the convention of truthfulness and trust in L. Different populations use different Ls; the same population can use several Ls for different domains. Meaning is not primarily a property of individual speakers’ minds: it is a property of the convention, fixed once we identify which L the population’s convention picks out. Speakers’ beliefs and intentions enter only via the convention-sustaining clauses (each speaker expects the others to be truthful-in-L and tries to be so themselves), not as the bearers of meaning.

For agent communication, “Languages and Language” is the cleanest philosophical statement of the public-semantics programme avant la lettre. The meaning of a wire-format performative is not the BDI state of the sender or receiver; it is the truth- or satisfaction-conditions assigned by the abstract language the protocol convention picks out. Two agents using FIPA-ACL are participating in a convention of truthfulness and trust in the abstract language defined by FIPA-ACL’s semantics. The convention requires only that agents act as if truthful-in-L; it does not require introspective access. This is exactly the dialect-and-protocol picture that Singh 1998 argues for, that commitment machines formalise, and that CBCL turns into a verified, self-extending wire format. Lewis 1975 is also the philosophical complement to Convention: where the 1969 book establishes the game-theoretic apparatus, the 1975 paper applies it to language and shows how to answer the standard objections from the speech-act tradition.

Key Ideas

Two senses of “language”: an abstract language L is a function from sentence-types to meanings (truth- and satisfaction-conditions); language (no article) is the social phenomenon — a population’s use of some L. Confusing the two is the source of much philosophy of language.
Convention of truthfulness and trust: a population uses L iff it has a convention (in the 1969 sense) of truthfulness in L (utter sentences only when believed true-in-L) and trust in L (hearers respond to such utterances by coming to believe the sentences true-in-L).
Meaning is a property of the convention, not the speaker: the convention picks out which L is in force; the meaning of a sentence in that population’s language is its meaning in L. Individual speaker mental states enter only as the conformity conditions of the convention.
Coordination problems and alternative languages: many abstract Ls could solve the population’s coordination problem; salience, precedent, and history pick one. Meaning is not arbitrary in function but contingent in particulars.
Reply to Strawson/Searle: the objection that convention-based accounts cannot capture the normative dimension of meaning is misplaced — the convention is itself a normative structure (it requires mutual expectation and conformity to be in force).
Multiple languages, one population: a population may use several Ls simultaneously — formal and informal registers, technical sub-languages, jargon — each sustained by its own convention.
Sentence moods and non-declaratives: imperatives and interrogatives are handled by extending the abstract L to assign satisfaction- and answerhood-conditions; the convention-of-truthfulness-and-trust generalises to a convention of acting as if the satisfaction-conditions held.

Connections

Conceptual Contribution

Claim: Sharpen the Convention 1969 picture into a precise account of how an abstract language L (a function from sentences to truth-/satisfaction-conditions) gets in force in a population: by a convention of truthfulness and trust in L. Meaning is a property of the convention, not of individual speakers’ mental states.
Mechanism: Define abstract languages as functions from sentence-types to truth- and satisfaction-conditions. Define use of L by population P as the prevalence in P of a convention (in the Lewis 1969 sense) of being truthful in L and trusting in L. Show how this answers Strawson’s and Searle’s normativity objection (the convention is itself normative) and how it generalises to non-declarative moods (satisfaction-conditions) and to populations using multiple Ls.
Concepts introduced/used: Abstract Language, Convention of Truthfulness, Convention of Trust, Truthfulness and Trust, Sentence Mood, Pragmatic Presupposition, Public Semantics.
Stance: foundational philosophical paper.
Relates to: Direct sequel to Lewis 1969 (Convention) — the 1969 book gives the game-theoretic foundations, the 1975 paper applies them to language. Operational complement to Stalnaker 1978: where Stalnaker gives the update mechanics of assertion, Lewis 1975 says what makes a particular abstract language the one the participants are updating in. For agent communication, this is the cleanest philosophical statement of the public-semantics programme: the meaning of an ACL performative is fixed by the protocol convention’s chosen L, not by speakers’ BDI states — exactly the picture Singh 1998 argues for, commitment machines formalise, and CBCL turns into a verified wire format. The view also locates Wittgensteinian meaning-as-use within an explicit game-theoretic setting (Lewis’s convention is the formal regulariser of Wittgenstein’s language-games), and is compatible with Brandomian inferentialism as a downstream layer (inferential articulation is what gives L its truth-conditions in the first place).

Common Ground

Stalnakerian notion: the body of propositions mutually presupposed by participants in a conversation; sentences update the common ground when accepted. Foundational to Dynamic Semantics and to Pragmatic Presupposition.

In this vault

Assertion - Stalnaker

Assertion

Reference: Stalnaker, R. C. (1978). Assertion. In P. Cole (ed.), Syntax and Semantics 9: Pragmatics (pp. 315–332). New York: Academic Press. Reprinted in Stalnaker, Context and Content (Oxford UP 1999). PhilPapers record · SEP: pragmatics · SEP: presupposition

Summary

Stalnaker’s “Assertion” gives the canonical update-semantics account of what a speech act of asserting does, framed in terms of a common ground of mutually accepted propositions shared between conversational participants and a context set of possible worlds compatible with that common ground. To assert a proposition p is, prima facie, to propose that p be added to the common ground — equivalently, to propose that the context set be narrowed to its intersection with the set of worlds in which p is true. The hearer either accepts (the context set is updated) or challenges (the proposal stalls, the common ground is unchanged). The picture is symmetric, trace-checkable, and pragmatic: it tells you what an assertion does without taking a stand on the speaker’s inner mental state.

The paper develops three essential effects of assertion. (1) An assertion of p adds p to the common ground unless it is challenged. (2) The proposition asserted should be determinate — true or false at every world in the context set; if not, the context set must be re-coordinated first (anticipating the accommodation mechanism worked out in Lewis 1979). (3) The proposition asserted should partition the context set non-trivially: not be common-ground-true already, not be common-ground-false already, and not be context-incoherent. This third effect is the seed of Gricean informativeness as a built-in feature of the dynamics rather than a separately stated maxim. The framework anticipates the entire dynamic semantics tradition (Heim, Kamp, Veltman) and is the operational counterpart of Grice 1975: where Grice gives maxims governing rational conversation, Stalnaker gives the update mechanics conversation operates on.

For agent communication, Stalnaker is the philosopher who most directly anticipates trace-checkable assertion semantics. The common ground is a publicly observable object — what has been said and accepted — and assertion is a publicly observable update operation on it. There is no need to inspect any agent’s beliefs; the semantic content of an assertion is given by the update it proposes, and conformance with that semantics is checkable from a transcript. The natural pairing in this vault is with Singh 1998 on social-agency semantics, Fornara & Colombetti on commitment-based operational semantics, and ultimately CBCL — the common ground / context-set apparatus is precisely the kind of shared, monotone, trace-checkable object that monotone-verdict commitment protocols want.

Key Ideas

Common ground: the body of propositions mutually accepted (not necessarily believed) for purposes of conversation. The mathematical reflex is the context set — the set of worlds compatible with the common ground.
Assertion as context-set update: an assertion of p proposes narrowing the context set to the intersection with [[p]]. If accepted, the update goes through; if challenged, it stalls.
Three essential effects of assertion (the “essential effect” inventory): (i) the asserted proposition should be added to the common ground on acceptance; (ii) it must be determinate over the context set (true or false at each world); (iii) it must partition the context set non-trivially (informative).
Diagonalisation / two-dimensional accommodation: when an assertion’s content varies across worlds in the context set, the hearer can use the diagonal proposition — the function picking out, at each world, the content the assertion would have at that world — to recover a determinate update. This is the engine behind much of dynamic semantics’ treatment of indexicals and modals.
Pragmatic presupposition: a speaker presupposes q iff, in uttering an assertion, the speaker takes q to be in the common ground. Presupposition is a property of speakers in contexts, not of sentences in models — the move that allows accommodation to be modelled cleanly.
Context set is a public object: the framework is symmetric across participants — neither side has privileged access. Trace-checkability falls out.

Connections

Conceptual Contribution

Claim: Assertion is best modelled as a publicly observable update operation on the common ground of mutually accepted propositions. The semantic content of an assertion is determined by which possible worlds it eliminates from the context set, with no recourse to the speaker’s inner mental state required.
Mechanism: The common ground is the body of propositions the participants mutually accept for purposes of conversation; the context set is its set-theoretic reflex (worlds compatible with the common ground). An assertion of p proposes intersecting the context set with [[p]]. The three essential effects (informativeness, determinacy, acceptance-by-default) govern well-formed assertion; diagonalisation handles cases where content varies across the context set.
Concepts introduced/used: Common Ground, Context Set, Update Semantics, Diagonal Proposition, Pragmatic Presupposition, Accommodation, Essential Effect of Assertion.
Stance: foundational philosophical paper / canonical dynamic-pragmatic theory.
Relates to: Operational counterpart of Grice 1975 — where Grice supplies maxims of rational conversation, Stalnaker supplies the mechanics (context-set update) that conversation manipulates. Genealogically the foundation of the dynamic semantics tradition (Heim FCS, Kamp DRT, Veltman update semantics). For agent communication, the framework is the direct philosophical antecedent of public-semantics / commitment-based approaches: the common ground is a publicly observable, monotone, trace-checkable object — exactly the kind of state Singh’s social-agency semantics, Fornara & Colombetti’s operational commitment semantics, and CBCL’s ledger want. The deeper philosophical pair is Brandom: Stalnaker’s common-ground update is one of the two canonical formal models of deontic scorekeeping (the other being argumentation-style commitment stores after Hamblin).

Semantic Holism

Thesis that the meaning of a sentence/term depends on its inferential role within an entire web of beliefs and inferential commitments, not in isolation. Defended by Quine (Web of Belief, Confirmation Holism) and by Pittsburgh School inferentialists (Brandom).

In this vault

Two Dogmas of Empiricism - Quine

Two Dogmas of Empiricism

Reference: Quine, W. V. O. (1951). Two Dogmas of Empiricism. The Philosophical Review 60(1): 20–43. Reprinted in From a Logical Point of View (Harvard UP 1953). URL (PDF) · SEP entry on Quine

Summary

“Two Dogmas of Empiricism” is the paper that ended logical empiricism and made semantic holism respectable. Quine attacks two interlocking commitments of the Carnapian programme: (1) the analytic–synthetic distinction, the doctrine that some truths are true purely in virtue of meaning (analytic: all bachelors are unmarried) and others true in virtue of meaning plus how the world is (synthetic: snow is white); and (2) reductionism, the doctrine that every meaningful sentence is translatable into a statement about immediate experience. The two dogmas are mutually supporting — if either were good, the other would be needed to support it — and Quine shows that neither survives independent scrutiny.

The argument against the analytic–synthetic distinction works by demonstrating that every proposed definition of analyticity (in terms of synonymy, definition, semantic rules, or interchangeability salva veritate) either is circular or relies on a notion (cognitive synonymy, semantic rule) that is itself in need of the very explanation analyticity was supposed to provide. The argument against reductionism is that individual statements do not have their own range of experiential consequences — they face the tribunal of experience only as a body. The positive thesis that emerges is semantic holism: “Our statements about the external world face the tribunal of sense experience not individually but only as a corporate body” (§5). Coupled with Quine’s observation that no statement is immune to revision, this yields the famous web-of-belief picture: science is a fabric of beliefs in which the periphery is more responsive to experience and the interior (logic, mathematics, ontology) more conservative, but no part is constitutively immune.

For the inferentialist line, Quine plays an ambivalent role: he motivates inferentialism by demolishing the analytic–synthetic distinction, since one can no longer separate “the meaning of vixen” from “what we believe about vixens” — all the inferential connections in which vixen is enmeshed are partly constitutive of its meaning. But the same move threatens inferentialism, because if meaning is all the inferential connections then meaning is so holistic that no two speakers (or no speaker at two times) ever quite mean the same thing. This is the basis of Fodor and Lepore’s challenge: inferentialism inherits Quine’s holism, and Quine’s holism may be too much holism. For the ACL line, Quine matters because it implies that the meaning of propose, commit, retract in an ACL is constituted by the whole web of inferences in which those tokens are enmeshed — which is exactly why dialect contracts and protocol scaffolding matter: they fix the local web within which the wire-format performatives have determinate content.

Key Ideas

Two dogmas demolished: (1) the analytic–synthetic distinction is not defensible; (2) reductionism (every sentence has its own experiential cash value) is not defensible. They prop each other up; neither survives independently.
Circle of intensional notions: synonymy, analyticity, semantic rule, definition, cognitive equivalence — every attempt to define one in terms of the others is circular or empty.
Confirmation holism: scientific theories are tested as wholes against experience; the unit of empirical significance is the whole web of belief, not the individual sentence.
No statement is immune to revision: even logical and mathematical truths can be revised under sufficient empirical pressure (Quine cites quantum logic as illustration), and even peripheral observations can be saved by adjusting the interior of the web.
Web of belief: science is a fabric of beliefs with relations of mutual support; the periphery touches experience, the interior is more theoretically loaded, but the distinction is one of degree.
Pragmatic / empiricist reconstruction of analyticity: insofar as analytic has any use, it picks out sentences near the centre of the web, ones we are very reluctant to revise — a graded, pragmatic status rather than a sharp logical kind.

Connections

Conceptual Contribution

Claim: The analytic–synthetic distinction is undefendable, and theories meet the tribunal of experience as a whole, not statement-by-statement. Meaning is therefore not isolable from theory: the meaning of a term is partly constituted by the web of inferences in which it figures.
Mechanism: A six-section paper. §§1–4 walk through five candidate definitions of analyticity (definition, interchangeability salva veritate, semantic rules, etc.) and show each is either circular or empty. §5 attacks reductionism by showing that individual statements lack their own range of experiential consequences. §6 develops the positive picture: the web of belief / fabric of science, with peripheral statements more directly answerable to experience but no statement constitutively immune to revision.
Concepts introduced/used: Semantic Holism, Confirmation Holism, Web of Belief, Analytic-Synthetic Distinction, Quine-Duhem Thesis, Translation Manual (anticipating Word and Object).
Stance: foundational philosophical paper.
Relates to: Quine is the enabling condition for inferentialism: if the analytic–synthetic distinction held, then inferential role would only fix the analytic fragment of meaning and we would need reference / truth-conditions to do the rest. Quine collapses the distinction and lets inferentialism reach further. But Quine is also a threat: if meaning is the whole web, no two speakers mean the same thing, which is Fodor and Lepore’s pressure point against Brandom. The same dialectic applies to ACL semantics: meaning of a performative depends on the inferential web — which is why CBCL’s dialect contracts and the commitment-machine tradition matter — they fix the local web within which wire-format moves have determinate content. The complementary moves in the same period are Sellars 1956 (no Given) and Wittgenstein 1953 (meaning as use).

Meaning As Use

Wittgensteinian slogan (PI §43): “For a large class of cases — though not for all — in which we employ the word meaning it can be defined thus: the meaning of a word is its use in the language.” Foundational to Pragmatist Semantics.

In this vault

Philosophical Investigations - Wittgenstein

Philosophical Investigations

Reference: Wittgenstein, L. (1953). Philosophical Investigations. G. E. M. Anscombe (trans.). Blackwell, Oxford. Posthumous; Part I completed ca. 1945, Part II ca. 1949. URL (Anscombe translation PDF) · SEP entry · SEP: meaning

Summary

Philosophical Investigations (PI) is the grandparent of every twentieth-century approach to meaning that ties content to practice rather than to mental representation or correspondence — including the inferentialist, pragmatist, public-semantics, and commitment-based lines that this vault tracks. The book is non-systematic by design: §1–§133 set the stage by repudiating the Tractatus picture of language as a one-to-one mapping between names and objects; §§143–242 develop the rule-following considerations that culminate in the private-language argument (§243 ff.); the rest is a montage of “language-games” — concrete linguistic practices considered as wholes, in their natural settings — through which Wittgenstein dissolves rather than answers the standard puzzles of philosophy of mind and language.

Three Wittgensteinian theses are load-bearing for the rest of the vault. (1) Meaning is use (§43): “For a large class of cases — though not for all — in which we employ the word ‘meaning’ it can be defined thus: the meaning of a word is its use in the language.” Meaning is not a private mental object an inner Cartesian eye inspects, but a public regularity in linguistic practice. (2) Language-games are the unit of semantic analysis: a language-game is a complete, situated practice (giving orders, reporting events, asking questions, telling a joke, praying) within which words have determinate use. There is no language in general, only language-games. (3) The rule-following considerations and private-language argument: rules cannot determine their own application — there is no fact about how to “go on” in a series that is fixed independently of the practice of going on. Whether a person is following a rule correctly is settled by the public practice of the community, not by an inner state of intending-this-rule. A fortiori there can be no purely private language: meaning requires the corrective pressure of a community.

For agent communication, Wittgenstein is the ancestor in three respects. First, he supplies the philosophical permission to treat the wire — the publicly observable linguistic practice — as the semantic primary unit rather than as a thin trace of richer inner episodes. Second, the language-game concept directly anticipates the operational language-game tradition of Steels and the broader emergent-communication line. Third, the rule-following considerations are the philosophical complement to Lewis 1969 on convention: the question “what makes this regularity the rule the community follows?” is answered by the same mutual-expectation structure Lewis formalises and that Halpern–Moses 1990 reuse in distributed systems. The PI is also, importantly, the text Sellars and Brandom are explicitly working out the consequences of.

Key Ideas

Meaning is use (§43): the meaning of a word is its role in a public linguistic practice, not a mental object the speaker associates with the word.
Language-games: the unit of semantic analysis is not the isolated word, sentence, or proposition but the language-game — a complete situated linguistic practice (giving orders, reporting events, asking questions). There is no language in general; only language-games.
Family resemblance (§§65–67): concepts (like game) need not share a single essence; the items falling under a concept are connected by a network of overlapping similarities, like the resemblances among members of a family.
Rule-following considerations (§§143–242): rules do not determine their own application; what counts as “going on in the same way” is settled by the public practice of the community, not by an inner state of intending-the-rule.
Private-language argument (§243 ff.): a language whose terms refer to inherently private sensations, with no public criteria of application, is not a possible language. Meaning requires correction by a community.
Forms of life (Lebensformen): language-games are embedded in broader patterns of activity and shared natural history; meaning is ultimately answerable to these patterns rather than to abstract logical structure.
Philosophy as therapy: many traditional philosophical problems arise from misuse of language and dissolve when we attend to the actual language-games in which the relevant words have their home.

Connections

Conceptual Contribution

Claim: Linguistic meaning is constituted by use — the role of expressions in concrete, situated language-games sustained by a community — not by inner mental content, abstract logical structure, or correspondence to extra-linguistic facts. Rules do not determine their own application; the public practice of the community does.
Mechanism: A montage of detailed cases (the builder’s language-game §2, slabs and pillars §§19–20, the diary-keeper in §258) in which traditional philosophical pictures of meaning, reference, sensation, and rule-following are shown to misfire when applied to actual linguistic practice. The private-language argument (§243 ff.) blocks the move to inner ostensive definition; the rule-following considerations (§§143–242) block the move to rules that determine their own application.
Concepts introduced/used: Meaning As Use, Language Game, Form of Life, Family Resemblance, Rule-Following, Private Language Argument, Public Criterion, Aspect Perception, Philosophical Therapy.
Stance: foundational philosophical work / posthumous opus magnum.
Relates to: The grandparent of every meaning-as-use approach in the twentieth century — Sellars explicitly takes up the public-language-priority thesis, Quine generalises the rejection of pre-linguistic semantic facts, and Brandom and Articulating Reasons develop the systematic inferentialist account that the PI’s aphoristic style only gestures at. The language-game idea is the direct ancestor of Steels’ operational language-games and the broader emergent-communication tradition. The rule-following considerations complement Lewis 1969 on convention: where Lewis gives a game-theoretic answer to “what sustains this regularity?”, Wittgenstein gives a practice-theoretic answer to “what makes it a rule rather than a regularity?” — these two answers operate at the same conceptual layer.

Semantics-Without-Minds

The position — descended from Wittgenstein / Sellars / Brandom — that a complete theory of linguistic meaning can be built from publicly observable practice without taking any mental state (belief, intention, desire, qualia) as semantic primitive. Sellars’s Myth of the Given argument blocks the move to pre-conceptual inner content; Wittgenstein’s rule-following considerations block the move to private semantic rules; Brandom’s Deontic Scorekeeping supplies the positive replacement. The position is the philosophical underwriting of the Public Semantics / Commitment-based Semantics programme in agent communication, and the cleanest answer to the worry that protocols built on observable commitments are “thin behavioural surrogates” for “real” mentalistic meaning. They are not — they are the foundation.

In this vault

Myth of the Given

Sellars’s name (in EPM 1956) for the foundationalist idea — common across British empiricism, sense-datum theory, phenomenology, and parts of analytic epistemology — that knowledge must rest on a foundation of preconceptual sensory contents (the “given”) that are both non-inferentially known and epistemically authoritative. Sellars argues the picture is incoherent: anything that can serve to justify a belief is already conceptually articulated, and so cannot be preconceptual. Epistemic standing lives in the Space of Reasons, not in a layer of bare data outside it. The argument is the historical hinge of the inferentialist turn — the move that makes Semantics-Without-Minds philosophically defensible by foreclosing the alternative of grounding meaning in pre-discursive mental content.

In this vault

Empiricism and the Philosophy of Mind - Sellars

Empiricism and the Philosophy of Mind

Reference: Sellars, W. (1956). Empiricism and the Philosophy of Mind. In Feigl & Scriven (eds.), The Foundations of Science and the Concepts of Psychology and Psychoanalysis (Minnesota Studies in the Philosophy of Science, vol. I, pp. 253–329). University of Minnesota Press. Reissued as a standalone book in 1997 with study guide by Brandom. URL (Ditext transcription) · SEP: Sellars

Summary

Sellars’s Empiricism and the Philosophy of Mind — often known by the abbreviation EPM — is the founding text of the Pittsburgh school of philosophy (Sellars, Brandom, McDowell) and the source of the move that makes semantics without minds possible. The paper’s central target is the Myth of the Given: the idea that knowledge must rest on a foundation of preconceptual, given sensory contents (sense data, qualia, immediate awareness) which are both non-inferential and epistemically authoritative. Sellars argues that this picture is incoherent: anything that could be epistemically authoritative — anything that could justify a belief — must already be conceptually articulated, and so cannot be preconceptual. There is no epistemic free lunch at the periphery; all knowledge lives inside the space of reasons.

The argument unfolds across sixteen sections. The early sections deconstruct sense-datum theory; the middle sections develop Sellars’s positive account of looking-talk (looks-red is parasitic on is-red, not the other way around); the late sections develop the famous Jonesean myth in which thoughts and inner episodes are introduced as theoretical posits modelled on overt speech, with sensory impressions as further theoretical posits modelled on the perceptible properties of physical objects. The Jonesean myth is Sellars’s positive reconstruction of mentalistic talk: mental states are not pre-given inner objects we somehow inspect, but theoretical entities whose semantic content is fixed by their inferential role — which means mentalistic vocabulary is parasitic on public language, not foundational for it. This single move — “the categories of inner episodes are modelled on the categories of intersubjectively available language” — is the historical hinge on which the inferentialist turn rotates.

For agent communication, EPM is the philosophical warrant for treating the wire as the semantic ground floor and the agent’s mind as a downstream theoretical posit. The standard worry about public-semantics ACLs is that they leave out “what the agent really meant”; Sellars’s answer is that “what the agent really meant” is itself a theoretical extrapolation from public discursive practice, not a pre-given inner episode the public practice approximates. The mentalistic ACL semantics that Sellars’s argument undermines is precisely the FIPA/Cohen–Levesque picture that Singh 1998 sets aside.

Key Ideas

The Myth of the Given: the foundationalist idea that knowledge rests on preconceptual, immediately-known sensory contents is incoherent. Anything that can justify a belief is already conceptually articulated; epistemic standing lives in the space of reasons.
Looks-talk is parasitic on is-talk: “X looks red to me” is not a more secure foundation than “X is red”; it is a hedge introduced after we have learned to deploy is-red, used when we want to undertake the commitment to a colour-impression without undertaking the commitment to the colour itself.
The Jonesean myth: a methodological fiction in which a community with only behavioural language develops mentalistic vocabulary by introducing thoughts (modelled on overt speech) and sensations (modelled on the perceptible properties of physical objects) as theoretical entities. The point: mentalistic talk is a theoretical posit, not a description of pre-given inner data.
The space of reasons: “In characterizing an episode or a state as that of knowing, we are not giving an empirical description of that episode or state; we are placing it in the logical space of reasons, of justifying and being able to justify what one says.” §36 — the most-quoted line in 20th-century epistemology.
Psychological nominalism: all awareness of universals, kinds, sorts, and resemblances is linguistic awareness — there is no preconceptual awareness of abstract entities.
Sapience over sentience: the distinction between concept-using creatures and others is participation in the game of reasons, not the having of qualia.

Connections

Conceptual Contribution

Claim: Knowledge cannot be grounded in preconceptual given sensory contents; epistemic standing requires conceptual articulation, which is inherently a public, language-involving achievement. Mentalistic vocabulary is a theoretical posit modelled on public discourse, not a description of pre-given inner data.
Mechanism: A dialectical demolition of sense-datum theory in §§1–7, a developmental account of looks-talk in §§10–20, and the Jonesean myth in §§48–63 in which mentalistic vocabulary is introduced into a behavioural community as a theory whose entities (thoughts, sensations) are modelled on already-public categories (overt speech, perceptible properties).
Concepts introduced/used: Myth of the Given, Space of Reasons, Psychological Nominalism, Sapience vs Sentience, Looking-Talk, Jonesean Myth, Theoretical Posit, Conceptual Articulation, Semantics-Without-Minds.
Stance: foundational philosophical paper.
Relates to: The historical hinge on which the entire inferentialist / Pittsburgh school turns. Brandom and MIE are the systematic development of the positive programme implicit in EPM’s negative demolition. The argument that mentalistic talk is parasitic on public language is the philosophical underwriting of Singh’s move from mentalistic to social-commitment semantics for ACLs, and of CBCL’s decision to ground meaning at the wire format rather than at the agent internals. The complementary moves in the same generation are Quine 1951 (against the analytic-synthetic distinction and for holism) and Wittgenstein 1953 (meaning as use).

Making It Explicit - Brandom

Making It Explicit: Reasoning, Representing, and Discursive Commitment

Reference: Brandom, R. B. (1994). Making It Explicit: Reasoning, Representing, and Discursive Commitment. Harvard University Press, Cambridge MA. ~700 pp. URL (Part One PDF, author-hosted) · Internet Archive · SEP: inferentialism

Summary

Making It Explicit is Brandom’s full statement of the inferentialist programme — the long, technical book that Articulating Reasons (2000) compresses into six lectures. Where the shorter book is the entry point, MIE is the reference manual: it works out, at the level of detail required to settle objections, how the basic discursive practice of giving and asking for reasons can serve as the foundation for an entire theory of meaning — including the parts (reference, truth, objectivity, intentionality) that representationalism takes as primitive. The book unfolds in two large parts: a pragmatic part, in which Brandom develops the deontic scorekeeping model of assertion and shows how it can recover everything one wants from a notion of speech act without recourse to mental states, and a semantic part, in which the recovery of singular terms, predicates, propositional content, and ultimately the de re / de dicto distinction is carried out in scorekeeping terms.

The book’s intellectual ancestry is openly stated: Quine on semantic holism and the analytic–synthetic collapse, Sellars on the Myth of the Given and the space of reasons, and Wittgenstein on meaning as use and language-games, all metabolised through a Hegelian appreciation of the social character of normativity. The technical innovation is to take Sellars’s insight — that the difference between a parrot trained to say “that’s red” and a person saying it is not phenomenological but inferential (a person can deploy the claim in the game of reasons) — and turn it into a full-scale semantic theory. The result is the most developed semantics-without-minds in the analytic tradition: a worked-out alternative to the mentalistic picture that has dominated philosophy of language since Searle and the early Cohen–Levesque tradition in ACL design.

For the agent-communication line, MIE is the place to send sceptics. The standard worry about public-semantics / commitment-based ACL design is that it gives up on “real” meaning in exchange for trace-checkability. Brandom’s answer, in a thousand pages, is no: deontic scorekeeping is not a thin behavioural surrogate for a richer mentalistic semantics — it is the foundation from which mentalistic talk is derivable. If Brandom is right, then Singh 1998’s move from BDI semantics to social-commitment semantics is not a retreat under pressure of verifiability; it is the correct place to ground meaning, with verifiability as a downstream bonus.

Key Ideas

Deontic scorekeeping as the basic discursive practice: speakers track, for themselves and each other, commitments (claims undertaken), entitlements (claims one is licensed to undertake), and incompatibilities (pairs of commitments that cannot both be entitled). Assertion is the basic move; the score is the running ledger.
Material inference as ground floor: inferences whose goodness is part of the meaning of the constituent terms (Pittsburgh is west of Princeton ⇒ Princeton is east of Pittsburgh) are prior to formal logical inference. Logic is a downstream expressive resource.
The expressive role of logic: conditionals, negation, and other logical vocabulary serve the function of making implicit inferential commitments explicit as new claims. This is the expressive (not foundational) role of logic.
De re / de dicto and singular terms: even classically representationalist topics — quantifying in, anaphora, singular reference — are reconstructed in scorekeeping terms, without taking reference as primitive.
Sapience without sentience: the distinction between concept-mongering creatures and the rest of nature lies in participation in the game of giving and asking for reasons, not in phenomenology.
Normative pragmatism: the social practice of holding one another accountable for commitments is the unanalysed foundation. Norms are instituted by the practice of scorekeeping, not read off antecedent facts.
Anti-representationalist but not anti-realist: truth, objectivity, and a mind-independent world are recovered from the perspectival structure of scorekeeping — not given up.

Connections

Conceptual Contribution

Claim: Linguistic meaning, including reference and objectivity, can be fully reconstructed from the social practice of deontic scorekeeping — undertaking, attributing, and tracking commitments and entitlements — without taking any mental state or representational primitive as basic.
Mechanism: A two-part construction. Pragmatic part: the basic act of asserting is the undertaking of a commitment; scorekeeping practices track commitments, entitlements, and incompatibilities. Semantic part: propositional content is the inferential role of a sentence in the scorekeeping practice; singular terms, predicates, de re / de dicto, and reference are recovered from the structure of perspectival scorekeeping. Logic is an expressive resource that makes implicit inferential commitments explicit.
Concepts introduced/used: Inferentialism, Deontic Scorekeeping, Material Inference, Commitment (Brandom), Entitlement (Brandom), Incompatibility (Brandom), Expressive Role of Logic, Sapience vs Sentience, De Re vs De Dicto, Normative Pragmatism, Semantics-Without-Minds.
Stance: foundational philosophical treatise.
Relates to: The book-length statement of which Articulating Reasons is the readable extract; read MIE only when the lectures leave a question unresolved. Genealogically continues the Wittgenstein / Sellars / Quine line — Sellars’s Myth of the Given is the antecedent move; Brandom’s scorekeeping is its destination. For agent communication, MIE is the deep philosophical underwriting of the public-semantics / commitment-based programme — Singh, Fornara & Colombetti, Yolum & Singh, and ultimately CBCL can all be read as engineering instantiations of fragments of the MIE picture.

Articulating Reasons - Brandom

Articulating Reasons: An Introduction to Inferentialism

Reference: Brandom, R. B. (2000). Articulating Reasons: An Introduction to Inferentialism. Harvard University Press. Based on the 1998 Locke Lectures (Oxford). URL · SEP entry on inferentialism

Summary

Articulating Reasons is the compact entry point to Brandom’s inferentialist programme — a semantics without minds in which the meaning of a sentence is its role in the inferential practices of a community of speakers, rather than a mental representation of how things stand or a Tarskian truth-condition fixed by reference. Where representationalism takes reference and truth as basic and explains inference downstream, Brandom inverts the order: the basic semantic fact is which moves count as good reasons for which other moves, and reference, truth, and propositional content are explained as features of discursive practice downstream of inferential articulation. The slogan is meaning is use, descended from Wittgenstein and Sellars, but Brandom upgrades it from a regulative idea into a worked-out pragmatist semantics.

The mechanism is a deontic scorekeeping account of assertion. To assert something is to undertake a commitment and to license other speakers to attribute that commitment back; the score every speaker keeps on every other is a record of which commitments are undertaken, which are licensed, and which are incompatible. The content of a claim is then exhaustively determined by the inferential articulation of those commitment relations: what entitles you to claim it, what it entitles you to claim, what claims it is incompatible with. The book unfolds this through six lectures — Toward an Inferentialist Semantics, Action / Reason / Inference, Insights and Blindspots of Reliabilism, What Are Singular Terms?, A Social Route from Reasoning to Representing, and Objectivity and the Normative Fine Structure of Rationality — extracting the spine of the 700-page Making It Explicit in a form readable in a week. The view explicitly avoids smuggling in mentalism: there are no beliefs or intentions in the foundations, only the public, trace-checkable practice of giving and asking for reasons.

For agent communication, inferentialism is the philosophical underwriting of the public-semantics programme: it shows that you can have a full theory of meaning — not just a thin behavioural sketch — without ever quantifying over mental states. Singh’s critique of FIPA-style mentalism gestures at this; Brandom delivers the goods. The natural pairing in this vault is with CBCL and the commitment-based semantics of Singh, Fornara, and Colombetti, all of which can be read as engineering realisations of Brandom’s deontic scorekeeping at wire-format granularity.

Key Ideas

Inferentialism: meaning is fixed by inferential role — what claims entitle a speaker to make, what they exclude, what claims entitle the speaker to make them — not by reference or truth-conditions, which are explained downstream.
Deontic scorekeeping: a speaker’s discursive score is the record of which commitments they have undertaken, which entitlements they have, and which incompatibilities apply. Assertion = undertaking a commitment + licensing attribution back to oneself.
Material vs formal inference: inferences like “Pittsburgh is west of Princeton, therefore Princeton is east of Pittsburgh” are materially good — their goodness is part of the meaning of west and east, not a downstream consequence of logical form plus reference.
Logical vocabulary is expressive, not constitutive: connectives like “if … then …” let speakers make explicit, in the form of claims, inferential commitments that were previously only implicit in practice. Logic is the technology for making practices explicit, not the foundation.
Sapience vs sentience: what distinguishes language-users from thermostats is participation in the game of giving and asking for reasons. No phenomenology required.
Singular terms and objectivity from social structure: even reference and the objectivity of claims (the gap between “what we take to be correct” and “what is correct”) are recovered from the structure of perspectival scorekeeping rather than imported as primitives.
Anti-representationalist but not anti-realist: inferentialism is compatible with robust truth, reference, and a mind-independent world — it just refuses to take those as semantic ground floor.

Connections

Conceptual Contribution

Claim: A complete theory of linguistic meaning can — and should — be built from the publicly observable practice of giving and asking for reasons, with no mental states (beliefs, intentions) in the foundations. Reference and truth are downstream of inferential articulation, not upstream of it.
Mechanism: Deontic scorekeeping: every participant in discourse maintains a score on every other participant tracking which commitments they have undertaken, which entitlements they hold, and which incompatibilities are in play. The content of a sentence is exhaustively given by its inferential articulation in this scorekeeping practice — what entitles you to assert it, what asserting it entitles you to, and what asserting it is incompatible with. Logical vocabulary is a downstream expressive layer that lets implicit inferential commitments be made explicit as further claims.
Concepts introduced/used: Inferentialism, Material Inference, Deontic Scorekeeping, Discursive Practice, Commitment (Brandom), Entitlement (Brandom), Incompatibility (Brandom), Sapience vs Sentience, Expressive Role of Logic, Semantics-Without-Minds.
Stance: foundational philosophical monograph / lecture series.
Relates to: The direct philosophical underwriting of the public-semantics / commitment-based line in agent communication: Brandom shows you can have a full theory of meaning — not just a thin behavioural sketch — without invoking mental states, which is precisely what Singh needs and what Cohen and Levesque’s mentalistic ACL semantics could not deliver. CBCL and the commitment-machine tradition can be read as engineering realisations of deontic scorekeeping at wire-format granularity: a CBCL trace is a deontic score, and a dialect contract names which inferential moves are licensed. Genealogically the book is the late chapter of the Wittgenstein / Sellars / Quine line; the Myth of the Given (Sellars) is the move that lets meaning bypass preconceptual reference, and Brandom shows how far that move actually carries.

Speaks-For Calculus

Lampson–Abadi–Burrows–Wobber’s (1992) formalism for distributed authentication, delegation, and who is entitled to assert what on whose behalf. The primitives are says (principal A asserts statement s, written A says s) and speaks-for (A ⇒ B — anything A says, B says). The principal algebra is rich: atomic principals (users, processes, keys), conjunction A ∧ B, quoting A | B (A speaking on behalf of B), roles A as R, and for-channel A for K. Speaks-for facts are witnessed by signed certificates; authentication is checking chains of certificates from a trusted root. Access control then grants rights to principals at any level of compoundness. The calculus is the formal vocabulary underlying SPKI/SDSI, DIDs and Verifiable Credentials, modern attribute-based authorisation, and any system that needs to reason about delegated commitment.

In this vault

Authentication in Distributed Systems - Lampson Abadi Burrows Wobber — the founding paper
A Logic of Authentication — BAN Logic (1990) for protocol-level reasoning
Spi Calculus — pi-calculus with cryptography
SPKI-SDSI — capability-style PKI built on speaks-for
Decentralized Identifiers
Capability Myths Demolished
Programming Semantics for Multiprogrammed Computations — the Object Capability dual view
The Heart of Spritely - Distributed Objects and Capability Security
An Ontology for Commitments in Multiagent Systems - Singh — delegated commitments
Distributed Security
Agent Infrastructure
CBCL - Safe Self-Extending Agent Communication — signed-verdict architecture

Authentication in Distributed Systems - Lampson Abadi Burrows Wobber

Authentication in Distributed Systems: Theory and Practice

Reference: Lampson, B., Abadi, M., Burrows, M., & Wobber, E. (1992). Authentication in Distributed Systems: Theory and Practice. ACM Transactions on Computer Systems (TOCS) 10(4): 265–310. November 1992. (DEC SRC Report 83, 1992.) URL (Microsoft Research) · DOI

Summary

The ABLP paper (named for Abadi–Burrows–Lampson–Plotkin’s later refinement, but originating here) introduces the speaks-for calculus: a clean formal vocabulary for distributed authentication, delegation, and who is entitled to assert what on whose behalf. The setting: a distributed system in which principals (users, processes, machines, services) send requests that must be authorised. The traditional access-control question — is this principal allowed to perform this action on this object? — presupposes a prior question the paper answers: who is the principal whose request this is? That prior question becomes hard once requests pass through delegation chains (a user logs in to a workstation, which authenticates to a file server, which calls a database service on the user’s behalf): authentication is no longer one-to-one between principal and request but a chain of compound principals.

The technical heart of the paper is the speaks-for relation A ⇒ B: principal A speaks for principal B means that any statement A makes can be treated as if B had made it. Speaks-for is reflexive, transitive, and closed under conjunction and group membership. From A ⇒ B and A says s, the system derives B says s. Compound principals are built from atomic ones via conjunction (A ∧ B says s requires both to assert s), quoting (A | B says s means A is making a statement on behalf of B, but A retains responsibility), roles (A as R is A acting in role R), and for-channel (A for K is A speaking over channel/key K). The calculus is implementable: speaks-for facts are encoded in signed certificates, the access-control matrix grants rights to principals at any level of compoundness, and authentication reduces to checking a chain of certificates.

For the agent communication and security agenda this vault tracks, the speaks-for calculus is the formal vocabulary for delegated commitments and signed credentials. When agent B accepts a commitment from a process speaking on A’s behalf, the question “did A really commit?” is answered by the speaks-for chain witnessed by the credential. The paper is the philosophical and engineering ancestor of SPKI/SDSI (Rivest–Lampson–Ellison’s capability-style PKI, which Lampson designed using the speaks-for vocabulary), DIDs and Verifiable Credentials, object-capability facets, and modern attribute-based authorisation. For CBCL, speaks-for is the natural answer to “who signed this commitment?” — the dialect contract specifies which principals may emit which verdicts under which delegation rules, and the speaks-for chain provides the proof.

Key Ideas

Principals are first-class: a principal is anything that can make a statement — users, processes, machines, services, public keys, roles, groups, conjunctions, quotations. The system reasons uniformly about all of them.
The says operator: A says s is the primitive — principal A has asserted statement s. Authentication delivers says judgements; authorisation uses them.
The speaks-for relation: A ⇒ B means everything A says, B says. Reflexive, transitive, closed under conjunction. The delegation primitive.
Compound principals: built by conjunction (A ∧ B), quoting (A | B — A speaking on behalf of B), roles (A as R), and for-channel (A for K). A workstation acting on behalf of a user over a particular key is a compound principal at the leaf of an authentication chain.
Certificates as speaks-for witnesses: a signed certificate stating K ⇒ A (this key speaks for that principal) is the wire-format proof of a speaks-for fact. Authentication is verifying a chain of such certificates.
Access control on compound principals: the access-control list grants rights to principals at any level — Alice as Admin, Workstation | Alice for K, Group(Engineers). The complex authorisation patterns of real systems become tractable.
Trusted Computing Base separation: each principal has its own TCB; speaks-for chains let one principal delegate trust to another without fully merging TCBs.
Implementable: the paper describes the Taos system (DEC SRC) implementing the calculus; the design influenced Windows NT’s authentication architecture.

Connections

Conceptual Contribution

Claim: Distributed authentication and delegation can be cleanly formalised by the speaks-for relation A ⇒ B over a rich algebra of principals (atomic, conjunction, quoting, role, for-channel) together with the says operator. Authorisation reduces to checking that the speaker’s principal-expression has been granted rights to perform the requested action.
Mechanism: Define principals as a recursive algebra (atomic, A ∧ B, A | B, A as R, A for K). Define A says s (primitive) and A ⇒ B (speaks-for, reflexive-transitive-conjunctive). Encode speaks-for facts as signed certificates; authentication chains certificates from a trusted root to the requesting principal. Access-control lists grant rights to any principal expression; the request is authorised iff the deduced speaker’s principal is on the ACL. Implement the calculus in the Taos distributed OS as a concrete proof of practicality.
Concepts introduced/used: Speaks-For Calculus, ABLP Logic, Says Operator, Compound Principal, Quoting Principal, Role Principal, Delegation, Access Control List, Trusted Computing Base.
Stance: foundational technical paper / industry-grade reference design.
Relates to: The formal vocabulary that makes SPKI/SDSI (Rivest–Lampson–Ellison) intelligible: SPKI is the speaks-for calculus packaged as a PKI. DIDs and VCs inherit the same algebraic structure. Object capabilities (Dennis–Van Horn / EROS / Miller) are a dual view of the same problem (rights attached to objects rather than chains of delegation); the Spritely / OCapN line composes both views. For agent communication, speaks-for is the natural vocabulary for delegated commitments: when an agent’s process commits on the agent’s behalf, the speaks-for chain witnesses authority. The pair with Singh 1999 is direct: commitments without authority chains are weak, and authority chains without commitments are unactionable. CBCL’s signed-verdict architecture is a speaks-for application: the dialect contract names which principals may emit which verdicts under which delegation rules. The cryptographic complement is BAN logic (1990) and Spi calculus (1997) — BAN reasons about protocol soundness, ABLP reasons about who.

An Axiomatic Basis for Computer Programming - Hoare

An Axiomatic Basis for Computer Programming

Reference: Hoare, C. A. R. (1969). An Axiomatic Basis for Computer Programming. Communications of the ACM 12(10): 576–580, 583. October 1969. URL (MIT-hosted PDF) · ACM DOI

Summary

The founding paper of axiomatic semantics and the source of Hoare logic — the contract-based reasoning method whose direct descendants include Eiffel-style design-by-contract, separation logic, refinement types, F*, Dafny, Lean’s decreasing_by, and every behavioural-spec system that talks about programs in terms of preconditions and postconditions. Hoare proposes that the meaning of a program be given not by operational trace but by a partial-correctness assertion of the form {P} S {Q}: if P holds before executing S, and S terminates, then Q holds after. The axiomatic semantics consists of axiom schemes and inference rules for each programming-language construct: an assignment axiom ({Q[E/x]} x := E {Q}), composition ({P} S₁ {R}, {R} S₂ {Q} ⊢ {P} S₁; S₂ {Q}), conditional, while-loop with loop invariant, and rule of consequence (strengthen P, weaken Q). The system gives programmers a calculus for reasoning about programs symbolically, without enumeration.

Two methodological commitments distinguish the paper. First, Hoare deliberately treats the axioms as defining the programming language: the semantics of := is the assignment axiom, full stop. Implementations that fail to satisfy the axiom are bugs in the implementation, not in the axiom. This is the cornerstone of the abstract specification view of programming-language semantics. Second, Hoare takes partial correctness (correctness given termination) as the unit of reasoning, separating it from termination (which he discusses as a separate problem). This separation pays off massively later: partial correctness is recursively axiomatisable in a way total correctness is not, and the loop-invariant rule becomes the central engine of program verification.

For the verification line in this vault, Hoare 1969 is the root of the tree: every contract-based, behavioural-spec, certificate-bearing technology — Hoare logic itself, Floyd’s inductive assertions (1967, the direct ancestor with which Hoare credits in §1), PCC, EM enforcement, dependent-typed proof assistants — sits downstream. The pair axiomatic semantics + proof-carrying-code is the conceptual spine of how CBCL turns dialect contracts into machine-checkable assertions: a dialect contract is a Hoare-style pre/post over the wire-format trace, and the Lean proof of its well-formedness is the PCC-style certificate.

Key Ideas

Partial-correctness Hoare triple: {P} S {Q} means “if P holds before executing S, and S terminates, then Q holds after.” The fundamental unit of reasoning.
Axiomatic definition of programming-language constructs: each construct is defined by its axiom or rule (assignment, composition, conditional, loop, consequence). The axioms are the semantics; implementations must conform.
Assignment axiom: {Q[E/x]} x := E {Q} — to know Q holds after assigning E to x, ensure Q[E/x] (substitute E for x in Q) holds before. The backward substitution rule is the surprising core of the system.
Composition rule: {P} S₁ {R} and {R} S₂ {Q} together give {P} S₁; S₂ {Q}. The middle assertion R is the bridging condition.
Conditional rule: {P ∧ B} S₁ {Q} and {P ∧ ¬B} S₂ {Q} give {P} if B then S₁ else S₂ {Q}.
While-loop rule (loop invariant): {I ∧ B} S {I} gives {I} while B do S {I ∧ ¬B}. The loop invariant I is the central object of program verification and the place programmer ingenuity is needed.
Rule of consequence: P ⇒ P', {P'} S {Q'}, Q' ⇒ Q together give {P} S {Q}. Lets one strengthen preconditions and weaken postconditions to fit context.
Partial vs total correctness: Hoare separates the two; partial correctness is recursively axiomatisable, total correctness requires a separate variant function / termination argument.
Axioms specify abstract machines: real machine arithmetic differs from the axiomatic integer arithmetic (overflow, finite precision); Hoare flags this explicitly and treats it as a design problem rather than a flaw of the method.

Connections

Conceptual Contribution

Claim: The meaning of a program can be given axiomatically by inference rules over assertions of the form {P} S {Q} (Hoare triples), with each programming-language construct defined by its rule. Program verification reduces to deriving the triple {P} program {Q} in the resulting calculus.
Mechanism: Define partial correctness {P} S {Q} as “if P holds and S terminates then Q holds.” Give axioms / rules for each construct: assignment (backward substitution), composition, conditional, while-loop (with loop invariant), and rule of consequence. Separate termination as a distinct concern handled by a variant function. The resulting calculus is sound, in principle complete for partial correctness over a sufficiently expressive assertion language, and treats programming-language semantics as a specification rather than a description of execution traces.
Concepts introduced/used: Hoare Triple, Loop Invariant, Assignment Axiom, Rule of Consequence, Partial Correctness, Total Correctness, Variant Function, Weakest Precondition (worked out later by Dijkstra).
Stance: foundational technical paper.
Relates to: Roots of contract-based verification; direct ancestor of PCC (the proofs PCC ships are essentially Hoare-style derivations of safety predicates), of verifiable ACL semantics (FP/RE pairs are Hoare-style pre/post over communicative actions), and of smart-contract verification. Builds explicitly on Floyd 1967 (inductive assertions on flowcharts). The unification of Floyd-Hoare logic with proof theory is the Curry–Howard correspondence that motivates dependently typed proof assistants (Coq, Lean, Agda) where Hoare triples become dependent function types. For agent communication, the framework is the formal vocabulary for protocol contracts and dialect specifications: a protocol step is a Hoare triple over the public commitment-state, and a CBCL dialect contract is a Hoare-style specification whose proof of soundness is shipped PCC-style.

Enforceable Security Policies - Schneider

Enforceable Security Policies

Reference: Schneider, F. B. (2000). Enforceable Security Policies. ACM Transactions on Information and System Security (TISSEC) 3(1): 30–50. February 2000. URL (Schneider’s Cornell page) · DOI

Summary

Schneider’s paper is the theoretical backdrop for trace-monitor enforcement — the move that takes a stated security policy and asks, formally, can this policy be enforced by a mechanism that observes program execution one step at a time and halts execution if a violation is about to occur? The answer is only if the policy is a safety property: precisely, the policies enforceable by an execution monitor (EM) are exactly those whose violations are finite-prefix detectable. Liveness properties — “good thing eventually happens” — cannot be enforced by monitoring, because no finite prefix witnesses violation. Schneider formalises EM enforcement as a class of security automata — automata that read the program’s execution one event at a time, transitioning over states that encode the policy’s history, and halting the program upon entering a no-good state.

The result has three teeth. First, it gives a precise, decidable characterisation of the enforceable policies: EM-enforceable iff specifiable as a safety property over execution traces. Second, it cleanly separates the policy (the security automaton) from the mechanism (the EM machinery that interposes between the program and its environment), so the same EM machinery can enforce many policies by swapping the automaton. Third, it lays the groundwork for inlined reference monitors and security-typed languages (Schneider’s later work with Erlingsson on SASI, Ligatti–Bauer–Walker on edit automata that generalise EM with transformation in addition to halting).

For the architecture this vault tracks, Schneider is the formal warrant for CBCL’s R5 monotone-verdict trace monitor and for session-type monitorability in general. CBCL’s invariant — only emit monotone verdicts — is the safety-property restriction: a CBCL verdict is a finite-prefix witness, the verdict ledger is the security automaton’s state, and the host’s enforcement is precisely an EM in Schneider’s sense. The paper also bounds what CBCL cannot do: liveness properties (every commitment is eventually discharged) are not EM-enforceable, only EM-monitorable for violation of safety lower bounds (e.g. a deadline expires → record commitment broken). The CBCL discussion section should cite Schneider for the formal precision and Ligatti–Bauer–Walker for the edit-automaton generalisation if transformations are wanted.

Key Ideas

Execution Monitor (EM) enforcement: a mechanism that observes program execution one event at a time and halts execution if continuing would violate the policy. Standard examples: reference monitors, system-call interposition, security wrappers.
Safety-property characterisation: EM-enforceable policies are exactly the safety properties — properties whose violations are detectable on a finite prefix of execution. Liveness properties cannot be EM-enforced.
Security automata: a formal model for EM enforcement. A security automaton is a (possibly infinite-state) automaton that reads execution events, maintains policy-relevant history, and transitions to a “no-good” state on violation; the EM halts the program at that point.
Policy / mechanism separation: the security automaton specifies what is enforced; the EM machinery enforces how. Swapping automata changes the policy without changing the enforcement infrastructure.
Liveness is out of scope: properties like “every request is eventually served” cannot be EM-enforced because no finite prefix witnesses violation. They can be monitored for violation of finite-bounded safety approximations (e.g. timeout-deadline as a safety surrogate).
Anti-Rice (constructively): Rice tells us most semantic properties of programs are undecidable, but EM enforcement sidesteps Rice by limiting attention to properties expressible as runtime-checkable trace predicates rather than as program properties.
Genealogical successors: Ligatti–Bauer–Walker edit automata generalise EM by allowing the monitor to transform events (insert, suppress, replace), enlarging the enforceable class beyond pure safety to certain renewal properties; inlined reference monitors (Erlingsson–Schneider SASI) move the EM machinery into the program text itself.

Connections

Conceptual Contribution

Claim: A security policy can be enforced by an execution monitor (a mechanism that observes one event at a time and halts on impending violation) iff it is a safety property — i.e., its violations are detectable on a finite prefix of execution. Liveness properties cannot be EM-enforced.
Mechanism: Define EM enforcement formally: a (possibly infinite-state) security automaton reads execution events, maintains policy-relevant history, transitions on each event, and signals “no-good” on violation; the EM halts the program at the signalling step. Show that the class of policies so enforceable is exactly the safety properties (in the Alpern–Schneider sense). Separate the automaton (policy) from the EM machinery (mechanism), enabling policy-parametric enforcement.
Concepts introduced/used: Execution Monitor (EM), Security Automaton, Safety Property, Liveness Property, Trace Property, Inlined Reference Monitor, Edit Automaton (Ligatti–Bauer–Walker generalisation).
Stance: foundational technical paper.
Relates to: The formal warrant for CBCL’s R5 monotone-verdict trace monitor — CBCL verdicts are finite-prefix witnesses, the verdict ledger is the security automaton’s state, and host-side enforcement is exactly an EM. The paper also bounds what trace-monitor enforcement can do: liveness properties (every commitment eventually discharged) are not enforceable, only approximable via timeout-deadline safety surrogates. Pairs naturally with Necula’s PCC (static proof-bearing artefacts) — Schneider tells you which dynamic properties are runtime-monitorable, PCC tells you which static properties can be discharged at load time by a proof-checker. The genealogical successors are inlined reference monitors (Erlingsson–Schneider), edit automata (Ligatti–Bauer–Walker), and the entire runtime-verification literature. The LangSec pair is conceptually adjacent: LangSec restricts the input language so safety is decidable at parse time; Schneider’s EM restricts the enforced policy class so safety is decidable at runtime. monitorability of session types is the direct session-type analogue. The deeper conceptual map: Schneider is to runtime enforcement what Hoare is to static specification and PCC is to load-time proof-checking.

Proof-Carrying Code - Necula

Proof-Carrying Code

Reference: Necula, G. C. (1997). Proof-Carrying Code. In Proceedings of the 24th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL ’97), Paris, January 1997, pp. 106–119. ACM. URL (author’s Berkeley page, original PostScript) · URL (Illinois course PDF mirror) · DOI (ACM)

Summary

Proof-Carrying Code (PCC) is the architectural ancestor of every “ship a proof with the artefact, verify the proof rather than re-deriving safety from scratch” pattern in the modern security stack — including CBCL’s R4 split (host runs a small certified verifier on each dialect contract proof), CIVeX certificates (causal-identifiability artefacts shipped from prover to host), BAN-style protocol soundness certificates, and TEE attestations. The premise is direct: untrusted code arrives at a host that must run it under a safety policy (no out-of-bounds memory access, no division by zero, no privilege escalation, only sanctioned syscalls). Re-deriving safety on every load is expensive (general program analysis is undecidable, conservative approximations reject too much real code) and shifts trust onto the host’s analyser. PCC inverts the burden: the code producer generates a machine-checkable proof that the code respects the policy, and the code consumer checks the proof. Proof checking is mechanical, syntactic, decidable, and cheap; proof finding (the work that produced the proof) is hard and lives on the producer’s side.

The technical content of the paper is the framework that makes this practical. Necula defines a safety policy as a set of rules in a first-order theory over machine states; programs come accompanied by a safety predicate whose proof in this theory entails the policy. Proofs are encoded in a logical framework (LF / Edinburgh Logical Framework), so the proof-checker is a single, small, generic LF type-checker independent of the safety policy. Necula demonstrates the architecture on a packet-filter benchmark: a Berkeley Packet Filter untrusted assembler program is verified to terminate, stay in bounds, and call no syscalls — by checking ~5 KB of LF proof against the BPF policy, in milliseconds. The signal is that the verifier is tiny and policy-parameterised; safety becomes a function of proof checkability rather than of expensive whole-program analysis.

For the security agenda this vault tracks, PCC is foundational in three respects. First, it generalises capability-secure thinking (Dennis & Van Horn 1966, Shapiro et al.) from access control to behavioural conformance: the proof is a behavioural capability the producer holds, the verifier is the gatekeeper. Second, it operationalises Rice’s theorem in a constructive direction — Rice says semantic properties of arbitrary programs are undecidable, but PCC shows that with a proof in hand, checking that the proof establishes the semantic property is trivial. Third, it is the architectural pattern that CBCL’s R4 split inherits literally: a CBCL dialect contract is the code, a Lean 4 proof that the contract is well-formed and policy-respecting is the certificate, and the host’s small Lean kernel check is the PCC verifier. The discussion section of any CBCL/CIVeX paper should cite PCC explicitly.

Key Ideas

Ship the proof with the artefact: the code producer (who knows why the code is safe) generates a proof; the code consumer checks the proof. Proof-checking is cheap, mechanical, syntactic, and decidable; the finding of proofs is hard and lives on the producer’s side.
Safety policy = first-order theory: a safety policy is a set of inference rules in a first-order theory over machine states and operations. Programs come with a safety predicate; a proof of the predicate in the theory entails the policy.
Logical Framework as the proof carrier: proofs are LF terms (Edinburgh Logical Framework). The verifier is an off-the-shelf LF type-checker — small, generic, policy-parameterised. Trusted code base: the LF type-checker plus the policy rules.
Asymmetry of effort: producer effort scales with program complexity; consumer effort scales with proof size, which is bounded by program size in practice but does not depend on the difficulty of the underlying analysis.
Decoupling of policy from verifier: changing the safety policy means changing the inference-rule set; the LF checker is reused unchanged. New policies can be deployed without re-validating the verifier.
No trust in the producer: a malicious producer can submit malicious code, but cannot generate a verifiable proof for it (under soundness of the policy). The producer is untrusted; the verifier is the trust anchor.
Packet-filter benchmark: BPF programs, originally trusted via interpretation in a kernel sandbox, are PCC-verified to be safe to run as native code. Verification cost drops from microseconds-per-packet (interpreter) to a one-time millisecond proof check at load time.
Generalises to many policies: type safety, memory safety, resource bounds, information-flow control, even fine-grained behavioural contracts — all expressible as PCC safety policies.

Connections

Conceptual Contribution

Claim: Safe execution of untrusted code under a stated safety policy can be achieved by having the code producer ship a machine-checkable proof of policy compliance with the code, and having the code consumer check the proof rather than re-derive safety. This inverts the standard burden: hard-to-derive properties become trivial-to-check given the right artefact.
Mechanism: Express the safety policy as a first-order theory over machine states; require submissions to include a proof of the program’s safety predicate; encode proofs in a Logical Framework (LF) so the consumer-side checker is a generic LF type-checker independent of the policy. The trusted code base is the LF checker plus the policy rules; the producer is untrusted. Demonstrated on the Berkeley Packet Filter, where PCC verification runs in milliseconds at load and replaces interpreter-based sandboxing.
Concepts introduced/used: Proof-Carrying Code, Safety Policy, Safety Predicate, Logical Framework (LF), Producer-Consumer Asymmetry, Verifier, Trusted Code Base, Behavioural Capability.
Stance: foundational technical paper / architectural pattern.
Relates to: The architectural ancestor of CBCL’s R4 split — dialect contracts are shipped with Lean 4 proofs of well-formedness and policy compliance; the host’s small Lean kernel check is the PCC verifier. PCC is the citation for “ship the proof, check the proof.” Operationalises Rice’s theorem in a constructive direction: undecidable in general, decidable with the producer’s proof in hand. The natural pair is Schneider 2000 — Schneider characterises which policies are enforceable by trace monitoring; PCC characterises how a code consumer can verify static policies without re-deriving them. The verification heritage runs through Hoare 1969 / Floyd (axiomatic semantics and inductive assertions) to PCC’s LF-encoded proofs. The LangSec tradition (Sassaman et al.) is the dual move: restrict the input language so safety becomes decidable without a producer-side proof. CBCL combines both: a DCFL surface (LangSec) with proof-carrying dialect contracts (PCC).