ASHE: A Universal Capability Mediation Protocol for the AI Agent Era

ASHE (Agent Capability Mediation Protocol) is a universal capability mediation protocol for the AI agent era, aiming to solve the fragmentation of current AI agent permission models and the lack of cross-vendor standards. Its core mechanism is time-limited and scope-limited capability leasing, which structurally constrains the actual operations of agents without restricting the model's reasoning capabilities. ASHE is positioned as a supplementary protocol above the Model Context Protocol (MCP), filling the gap in capability mediation standards and is expected to become a universal standard for agent capability governance.

By mid-2026, the complexity of permission models for AI coding agents varies significantly: Anthropic's Claude Code has a complex capability mediation system, while tools like OpenAI Codex and Cursor only implement simple vendor-specific models. The lack of cross-vendor standards leads to an N×M coordination problem for developers using multiple tools (permission models, audit formats, and sandbox solutions are all unique). Existing base layers (MCP, auth.md, OAuth 2.1) cover agent registration and tool execution, but lack a capability mediation protocol layer (including features like intent declaration, traceability construction, and phased execution trajectories).

ASHE adopts a three-surface architecture:

1. Agent-side execution: internally implement capability policies
2. Developer-side sealed workspace: isolate the development environment and control production boundaries
3. Web-side handshake: negotiate via the .well-known/ashe endpoint

Its four-phase execution model strengthens security from software to hardware in layers:

• Collaborative SDK: applications voluntarily integrate for declarative capability management
• Runtime hooks: dynamically instrument to enforce policies
• OS-level mediation: kernel participates in decision-making (e.g., Linux LSM)
• Hardware root of trust: based on hardware security modules/trusted execution environments

The core mechanism is capability leasing: dynamically generated (based on context, risk, and policy), time/scope-limited, determining operation authorization, visibility, and audit; follows the "frictionless principle" (standing capabilities, risk stratification automation, etc.).

ASHE inherits 50 years of capability-based security research results, including projects like KeyKOS (1980s), seL4 (2009, formally verified microkernel), and Apple App Sandbox. Its deep security attribute is: even if the code is fully compromised, attackers can only perform operations within the capabilities held by that code (e.g., a JPEG parser vulnerability only affects JPEG processing, not SSH keys or databases), achieving decoupling of vulnerabilities and impacts.

ASHE is clearly not a replacement for the following:

• MCP, auth.md, OAuth, or commercial agent authentication platforms (but a complementary combination)
• Sandbox runtime/development environments (combines with Bubblewrap, gVisor, etc.)
• Model capability limiters (does not censor cognition or reasoning)
• Model-level hallucination fixes (operates at scheduling boundaries)

ASHE is positioned as the next-layer protocol above MCP, filling the missing capability mediation standard in the current ecosystem.

ASHE uses a dual-surface model for promotion: sites add a /.well-known/ashe endpoint alongside existing HTML; agents prioritize using it when discovered, while human users continue to use HTML. The handshake endpoint adjusts its representation based on agent intent (user-oriented/task-oriented/autonomous cascading), enabling end-to-end line-level economics. This design ensures risk-free adoption: never force migration, coexist indefinitely; risks lie in non-adoption (continuing to use coarse-grained permission models, lack of audit trails).

ASHE represents a natural stage in the evolution of AI infrastructure, just as TLS became the universal standard for web security, ASHE is expected to become the universal standard for agent capabilities. It does not replace existing components but adds the missing coordination layer:

• For developers: consistent security experience across different agent tools
• For organizations: unified governance of multi-tool deployments
• For the ecosystem: from fragmentation to standardization, from vendor lock-in to open interoperability.