DUADP: The Open Discovery Protocol for AI Agents
AI safety research consistently identifies open, federated discovery as critical infrastructure. DUADP is that protocol — federated agent discovery with cryptographic identity, tiered trust, and formally-verified Cedar policy enforcement. Built in the open.
Four Pillars of Agent Governance
Open-source protocol development is considered essential infrastructure for AI safety. DUADP addresses four core areas of the agent governance stack through cryptographic identity, federated discovery, trust evaluation, and real-time revocation.
Federated Governance
Cedar policies enforce authorization decisions at the discovery layer. Every agent action is evaluated against 175+ policy statements before execution. Governance is distributed — each DUADP node enforces its own policies while respecting federated trust.
Discovery & Cataloging
DNS TXT records, WebFinger, and gossip federation create a decentralized map of the agent ecosystem. Every agent is discoverable with its capabilities, trust tier, and compliance metadata. No central registry required.
Trust Evaluation
Four-tier trust model with cryptographic verification. Trust scores are computed from signature validity, manifest compliance, publisher DNS verification, and behavioral history. Measurable, auditable, comparable.
Revocation & Response
Real-time gossip protocol broadcasts revocation events across the federated mesh. Compromised agent identities are invalidated network-wide. Cedar policies dynamically restrict access based on trust tier changes.
Trust Tier Model
Every agent in the DUADP network is assigned a trust tier based on cryptographic verification, manifest compliance, and publisher identity. Cedar policies use these tiers to make authorization decisions in real time.
Official
Published by a verified organization with cryptographic signing via DID. The agent manifest is validated against the OSSA schema, the publisher identity is confirmed via DNS TXT record, and the signature chain is intact. Highest trust — suitable for production, cross-organizational federation.
Verified Signature
The agent manifest carries a valid cryptographic signature, but the publisher identity has not been independently confirmed via DNS. The signature proves integrity and non-tampering, but the publisher could be pseudonymous. Suitable for internal and trusted-partner deployments.
Community
Published to the registry without cryptographic signing. The agent is discoverable and its manifest validates against the schema, but there is no proof of publisher identity or content integrity. Suitable for experimentation, development, and low-risk use cases.
Unverified
Discovered via federation gossip or external sources. The manifest may be incomplete, unsigned, or non-conformant. Cedar policies will block invocation of high-risk skills and restrict resource access. Only discoverable — not executable without elevation.
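The tier rules above reduce to a small decision function over the results of a node's checks. The sketch below is an added example, not DUADP's own code: the `Evidence` fields, tier strings and function names are hypothetical, and treating a present-but-invalid signature as Unverified is an assumption the page does not state.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Tier(Enum):
    OFFICIAL = "official"
    VERIFIED_SIGNATURE = "verified-signature"
    COMMUNITY = "community"
    UNVERIFIED = "unverified"


@dataclass(frozen=True)
class Evidence:
    """Results of a node's checks on one manifest (hypothetical field names)."""
    schema_valid: bool               # manifest validates against the OSSA schema
    signature_valid: Optional[bool]  # None = unsigned, False = present but invalid
    publisher_dns_verified: bool     # publisher confirmed via DNS TXT record


def assign_tier(ev: Evidence) -> Tier:
    if not ev.schema_valid:
        return Tier.UNVERIFIED       # incomplete or non-conformant manifest
    if ev.signature_valid is False:
        # Assumption: a failed signature is handled as tampering and fails
        # closed; it must not be downgraded to "unsigned" (Community).
        return Tier.UNVERIFIED
    if ev.signature_valid is None:
        # DNS proof without a signature says nothing about content integrity,
        # so DNS alone never lifts the tier.
        return Tier.COMMUNITY
    if ev.publisher_dns_verified:
        return Tier.OFFICIAL
    return Tier.VERIFIED_SIGNATURE


def discover_only(tier: Tier) -> bool:
    """Unverified agents are discoverable but not executable without elevation."""
    return tier is Tier.UNVERIFIED


# Constructed sample inputs, not data from a live node.
SAMPLES = {
    "signed-dns": Evidence(True, True, True),
    "signed-pseudonymous": Evidence(True, True, False),
    "unsigned-dns": Evidence(True, None, True),
    "bad-signature": Evidence(True, False, True),
    "bad-schema": Evidence(False, True, True),
}
```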
Live Discovery Endpoints
The reference DUADP node at discover.duadp.org serves real data. These are not mock endpoints — they return live agent registrations, skills, and Cedar policies from the production federation mesh.
Node manifest — protocol version, capabilities, federation status
{ "protocol": "DUADP", "version": "0.1.0", "mcp_tools": 17 }
Registered agents with trust tiers, capabilities, and OSSA manifests
5 discoverable skills with risk levels and data sensitivity tags
Full-text search across agents, skills, and tools
{
"query": "security",
"results": 12,
"types": ["agent", "skill", "policy"]
}
Cedar policy catalog — 13 policies governing agent behavior
Cedar Policy Enforcement
13 Cedar policies containing 175+ statements govern every agent action. When an agent discovers a skill via DUADP or attempts to execute an action, Cedar evaluates the request against role, trust tier, risk level, and autonomy constraints. The decision is binary: allow or deny.
Decision Flow
Agent discovers skill via DUADP
|
Cedar evaluates: agent role + skill risk + trust tier + autonomy level
|
| Policy | Statements | Scope |
|---|---|---|
| agent-roles | 30 | Role-based separation of duties: analyzer, executor, reviewer, orchestrator |
| agent-resource-limits | 14 | OSSA v0.3.0 resource constraints: max agents, tool call limits, execution time |
| skill-governance | 16 | Trust tier enforcement, risk-based access, autonomy level matching, budget controls |
| plugin-governance | 14 | Plugin installation lifecycle: trust verification, permission boundaries |
| mcp-security | 18 | MCP tool call governance: sensitivity restrictions, rate limiting, critical tool approval |
| branch-rules | 19 | Git branch protection: no direct push to main, force push prevention |
| code-review-rules | 12 | MR approval workflows: auto-fix classification, diff review requirements |
| code-review-duo | 12 | GitLab Duo integration: SQL injection, hardcoded credentials, input validation |
| deployment-rules | 11 | Environment approval tiers: dev=0, staging=1, prod=2, code freeze enforcement |
| import-rules | 14 | Package boundary enforcement: separation of duties per project |
| protected-paths | 13 | Composer-managed directory protection, markdown file creation blocking |
| workspace-protection | 7 | Read-only workspace directories, git operation blocking in vendor dirs |
| no-symlinks | 1 | Absolute prohibition on symlink creation |
| Total | 175+ | Across all governance domains |
Analyzer agent tries to edit a file
Executor invokes a low-risk verified skill
Supervised agent installs unverified plugin
Agent pushes directly to main branch
Compliance Frameworks
DUADP operates within three complementary compliance frameworks, each addressing a different layer of the agent governance stack.
Open Standard for Agent Systems
The declarative contract layer. OSSA manifests define agent identity, capabilities, autonomy level, resource limits, and trust boundaries. DUADP validates manifests at the discovery layer and propagates only compliant agents.
AI Risk Management
The governance framework. DUADP maps to four core governance functions — Govern, Map, Measure, Manage — providing federated policy enforcement and audit trails across the discovery layer.
DUADP Trust Model
The discovery trust layer. Four-tier trust model with cryptographic verification at each level. Cedar policies enforce trust-tier-based authorization. Revocation events propagate across the federated mesh in real time via gossip protocol.
Standards-First Discovery
DUADP is built for safe, scalable AI agent infrastructure. Explore the protocol, read the spec, or try the live endpoints.