v0.1 · draft / pre-1.0

The SMCP protocol

SMCP — Service / Sub-agent / Secure Model-Context Protocol — is the MCP-compatible governance layer for AI agents: a versioned, implementable wire spec for how agents declare capabilities, negotiate consent, exchange the minimum necessary data, and settle payment, over MCP and A2A.

Read the full spec ↗

Versioning

One node, every version it speaks — negotiated leniently.

Preferred version v0.1: What the node emits when a client is silent.
Supported set [0.1]: A client picks the highest it understands. Request via the SMCP-Version header or ?smcp= / ?v= query (the header wins).
Lenient by design: Discovery never hard-fails on an unknown version — it resolves to the preferred version and flags the mismatch so the caller decides.

Governance model

The envelope MCP and A2A leave out.

Attestation

What may this agent do — and can it prove it hasn’t changed?
Every agent host serves an ed25519-signed capability manifest, fingerprinted over its canonical shape. Drift is detected, not trusted.

signed · fingerprinted · drift-checked

Consent & minimization

Exactly which fields of my data does it get, and for how long?
An agent declares the scopes it requests; the human’s durable, time-boxed, revocable grant is the answer. The runtime payload is projected to what was granted.

field-level · time-boxed · revocable

Payment as contract

On what terms — price, hold, review window — does a task run?
Pricing is part of the signed task contract and pinned into the ledger at quote time. A held PaymentIntent, a 48h review window, an HMAC-signed callback.

price · hold · 48h review

Auditability

What did it actually do with my data?
A per-execution ledger and audit log with privacy-preserving anonymization back a customer-readable “what this agent did” view.

ledger · anonymized · queryable

Earned trust

How much autonomy has it earned — and who can relax it?
A per-user, per-domain, time-decayed score advances observe → suggest → ask-once → auto. The gate only ever relaxes; nothing tightens silently.

relax-only · operator-visible

Return safety

Can a returned value harm the buyer?
Every value an agent returns passes a deny-by-default, fail-closed moderation guard before it ever reaches a human.

deny-by-default · fail-closed

Named guarantees

Enforced, not aspirational — surfaced in node discovery.

Deny-by-default return guardSecret-free resolver boundaryRelax-only trust gateSigned, fingerprinted attestation

Conformance surface

The endpoints an SMCP node serves.

Node discovery

/.well-known/dividen-agent.json

Agent capability manifest

/api/smcp/agents/{slug}/manifest

MCP server card

/.well-known/mcp/server-card.json

A2A agent card

/.well-known/agent-card.json