<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Abundant Joel</title>
        <link>https://paragraph.com/@zeromerge</link>
        <description>undefined</description>
        <lastBuildDate>Mon, 06 Jul 2026 22:16:34 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <image>
            <title>Abundant Joel</title>
            <url>https://storage.googleapis.com/papyrus_images/766cee68390bf96db55dd211fde3b50ab516c22c085a3b2899a56a5d76367d37.jpg</url>
            <link>https://paragraph.com/@zeromerge</link>
        </image>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[NAIAD: A Trust Primitive for Autonomous Agents on Sui]]></title>
            <link>https://paragraph.com/@zeromerge/naiad-the-agent-credential-protocol-acp-for-autonomous-agents-on-sui</link>
            <guid>SJMW0jha5qiScTqkxi0z</guid>
            <pubDate>Thu, 11 Jun 2026 11:44:00 GMT</pubDate>
            <description><![CDATA[AI agents on Sui are about to manage real money autonomously, and there is currently no standard for what any specific agent is authorized to do. Naiad is that standard. Two Move objects give every autonomous agent a verifiable onchain identity and a permission capsule enforced by Move's type system. Unauthorized actions become structurally impossible at the language layer. Built for Sui Overflow 2026's Agentic Web track.]]></description>
            <content:encoded><![CDATA[<div data-type="x402Embed"></div><p><strong>Author:</strong> Abundant Joel <strong>Published:</strong> June 2026 <strong>Version:</strong> 1.0 — Protocol Specification Draft</p><hr><h2 id="h-abstract" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Abstract</h2><p>In November 2025, researchers at Palo Alto Networks' Unit 42 documented a class of attack called <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/">Agent Session Smuggling</a>, in which a malicious sub-agent embeds an unauthorized financial instruction inside a routine response and a parent agent executes it without any visible prompt or human oversight, because the parent agent had no structural way to know what the sub-agent was permitted to do and so it trusted the output, making that trust the vulnerability. NAIAD, the Agent Credential Protocol (ACP), is a two-object Move protocol deployed on Sui that gives every autonomous agent a verifiable onchain identity and a permission-bearing credential whose scope is enforced by Move's type system, making unauthorized actions structurally impossible at the language layer rather than subject to application logic that can be misconfigured, bypassed, or exploited.</p><br><h2 id="h-1-the-delegation-problem" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">1. The Delegation Problem</h2><p>By the time Sui Overflow 2026 opened its Agentic Web track, the problem it was implicitly asking builders to address had already materialized in production systems, with the <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://cloudsecurityalliance.org/blog/2026/03/25/control-the-chain-secure-the-system-fixing-ai-agent-delegation">Cloud Security Alliance publishing findings</a> showing that 97% of non-human machine identities in enterprise environments carried excessive privileges, credentials scoped far beyond what any single task required, inherited wholesale from parent processes and never narrowed. In multi-agent systems, where a primary agent breaks a complex task into subtasks and hands them to specialist sub-agents, each delegation hop multiplied access rather than constraining it, which meant that by the third hop in a typical orchestration chain, a sub-agent might carry authority the original human user never consciously granted.</p><p>The cost of this is documented in two specific incidents. <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/">Agent Session Smuggling</a> (November 2025), researched by Palo Alto Networks' Unit 42, demonstrated silent stock execution buried in a routine response. A financial assistant agent requested market insights from a research agent, the research agent returned a clean summary with a hidden stock trade command embedded inside it, and the trade executed before any alert fired. <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://workos.com/blog/ai-agent-delegation-multi-agent-security">Cross-Agent Privilege Escalation</a> (September 2025), demonstrated by security researcher Johann Rehberger, showed one agent rewriting another agent's configuration file mid-task in development environments where multiple AI agents share a codebase, triggering a self-reinforcing loop where each compromised agent reinfected the others with no mechanism for the human principal to intercept it. Both vulnerabilities shared the same root cause: the system had no standard for encoding what an agent was authorized to do, and authorization defaulted to whatever the agent could technically access.</p><p>On Sui specifically, where the infrastructure for autonomous agents is maturing rapidly with parallel transaction execution, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.sui.io/concepts/cryptography/zklogin">zkLogin for human-free onboarding</a>, and sponsored transactions that remove gas as a friction point, this gap becomes the most consequential unsolved problem in the ecosystem. <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://blog.sui.io/from-apps-to-composable-systems/">Sui's own developer blog in February 2026</a> described what agents on Sui would need: programmable guardrails, spending limits, and verifiable policy enforcement, yet the infrastructure to deliver it had not yet been built.</p><br><h2 id="h-2-the-prior-art-and-what-it-leaves-open" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">2. The Prior Art and What It Leaves Open</h2><p>The broader agent identity space has been active. The <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.w3.org/community/agent-identity/">W3C AI Agent Identity Community Group</a> has been drafting standards around Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) since 2024, with the goal of giving agents cryptographically signed identity documents that travel with them across service boundaries. The IETF's <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.ietf.org/archive/id/draft-yakung-oauth-agent-attestation-00.html">Agent Credential Attestation Protocol (ACAP)</a> proposes JWT-based token exchange for agent pipelines. <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://developer.visa.com/use-cases/trusted-agent-protocol">Visa's Trusted Agent Protocol</a> handles merchant-facing agent authentication during payment flows. Each of these addresses a genuine dimension of the problem, proving an agent is who it claims to be and that it carries authorization for the action it is attempting.</p><p>What connects all of them is where enforcement actually lives. A DID is a document, a VC is a signed token, and a JWT is a string of bytes whose validity is checked by application code written by developers, running on servers, subject to bugs, misconfigurations, and deliberate circumvention. The agent presents a credential, the service reads it, and the service decides whether to allow the action through logic that is mutable and separated from the protocol itself.</p><p>On Ethereum, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://metamask.io/news/introducing-the-delegation-toolkit-metamask-smart-contract-account-offering">MetaMask's Delegation Toolkit</a> brought account abstraction-based scoped permissions to the EVM, allowing developers to define policy-bound smart accounts with limited delegation chains built on <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://metamask.io/news/introducing-advanced-permissions">ERC-4337 and ERC-7710</a>, and by April 2026 this extended to full Advanced Permissions where a user can authorize an agent to spend up to a defined amount of a specific asset within a defined time window. <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.coinbase.com/developer-platform/discover/launches/introducing-agentkit">Coinbase's AgentKit</a> extended the agent action space with MPC-secured key management and an <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://eco.com/support/en/articles/14845485-coinbase-agentic-wallets-explained">Agentic Wallets infrastructure</a> that reached general availability in February 2026 with per-transaction limits and session caps built in. Both operate within the account model that the EVM inherits, where permissions are properties of accounts encoded in contract state and validated by contract logic, meaning a permission exists as a record that can be read, written, and reasoned about in code that runs at execution time.</p><p>On Sui, <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://www.turnkey.com/blog/sui-for-ai-blockchain-infrastructure-for-multi-agent-systems">Turnkey's infrastructure</a> brings a policy engine that enforces signing rules according to configurable constraints for agents operating on Sui, production-ready and already being used by teams building agent-facing DeFi products, but the policy engine lives off-chain in Turnkey's infrastructure rather than in the blockchain itself, meaning the enforcement boundary is a service that wraps Sui rather than the chain's own execution layer. As more agent frameworks build natively on Sui's object model, the off-chain policy gap will widen with them.</p><p>NAIAD addresses this by moving enforcement one layer deeper, into the type system of the language that all Sui smart contracts are written in.</p><br><h2 id="h-3-what-moves-type-system-makes-possible" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">3. What Move's Type System Makes Possible</h2><p>Move was designed with a specific constraint that most programming languages do not share: <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://move-book.com/reference/abilities.html">resources cannot be copied or silently discarded</a>. A value that represents something of real consequence, whether a token, an authorization, or a credential, must be explicitly transferred or consumed, and the compiler refuses to compile code that copies a non-copyable resource or drops a resource without handling it. These are compile-time guarantees rather than runtime checks, which means no amount of clever input or unexpected call sequence can cause them to fail.</p><p>The <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://move-book.com/reference/abilities.html">ability system</a> that implements this in Move is declarative. Every struct in Move declares which abilities it possesses, <code>copy</code>, <code>drop</code>, <code>store</code>, <code>key</code>, and the compiler enforces those declarations across every function that touches the type. A struct without <code>copy</code> cannot be duplicated anywhere in the codebase by any caller, regardless of how the function is invoked, and a struct without <code>drop</code> cannot be silently discarded because every execution path must account for it.</p><p>This property, applied to a permission object, produces something qualitatively different from a permission record in a database or a claim in a JWT. A permission object without <code>copy</code> exists in exactly one location at any given time, belongs to one agent, and transferring it to another agent removes it from the first. A permission object whose functions require it as a parameter cannot be invoked by any caller who does not hold it, and Move's <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://move-book.com/object/ownership.html">ownership model</a> ensures that holding it means actually possessing the object on the blockchain, possessing a reference to something real rather than a shared record that can be modified or revoked at the data layer. The permission and its enforcement are the same object, written in the same language, deployed in the same transaction.</p><br><h2 id="h-4-the-protocol" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">4. The Protocol</h2><p>NAIAD is two objects and the functions that operate on them, deployed as a Move package on Sui under the Agent Credential Protocol (ACP) standard.</p><p>The name draws from Greek mythology and natural science simultaneously. A Naiad is a water nymph bound to her specific body of water — not water in general, her assigned water. She cannot leave it, cannot be transferred to another body, and ceases to exist when that water is destroyed. She has no existence outside what she was issued to. In natural science, a naiad is the aquatic larval stage of certain insects — a form that exists only within a defined aquatic environment, unable to persist outside it. In astronomy, Naiad is the innermost moon of Neptune, locked in an orbital path it cannot exit. Every meaning across mythology, science, and astronomy arrives at the same property: bound to one place, one purpose, one scope of existence. That is the PermissionCapsule exactly — bound to the agent it was issued for, unable to be duplicated, destroyed on revocation, leaving the agent without authorization the moment the Naiad's water is gone.</p><p><strong>AgentIdentity</strong> is a top-level Sui object, owned by the address of the agent it represents, carrying a unique onchain identifier, the address of the human principal who spawned the agent, a human-readable name, a creation timestamp in <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.sui.io/concepts/tokenomics/staking-unstaking">Sui epochs</a>, and a <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://move-book.com/programmability/dynamic-fields.html">dynamic field</a> that accumulates the agent's action history as onchain events. The dynamic field approach means the identity object does not need to pre-define the full structure of the history it will accumulate, and new record types can be attached as the protocol extends to cover new action categories without requiring a migration of existing identity objects.</p><p><strong>PermissionCapsule</strong> (the Holdfast) is the authorization layer, declared without the <code>copy</code> ability so it exists in exactly one location at any time and cannot be duplicated by any Move code anywhere regardless of how a caller frames the transaction. The capsule carries a reference to the AgentIdentity it was issued for, the set of permitted action types from the ACP permission vocabulary, the specific protocol addresses the agent may interact with, a per-transaction spend ceiling, a daily spend ceiling, a lifetime spend ceiling, a running total of value moved against those ceilings, and a <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.sui.io/concepts/sui-glossary">Sui epoch</a> at which the capsule expires and Move begins rejecting it automatically. Every function in the protocol that executes a consequential action requires a <code>&amp;mut PermissionCapsule</code> as a parameter, where the mutable reference ensures spend tracking updates propagate and the type requirement ensures the function cannot be invoked without a valid capsule in the caller's possession.</p><p>Revoking an agent's authority is a destructive operation on the capsule object: the object is consumed and permanently deleted from the blockchain state using <code>object::delete</code>. The agent's capability ceases to exist as an object, and every function that requires it becomes unreachable by that agent from that point forward with no further action required from the principal.</p><p><strong>The Permission Vocabulary</strong> defines the atomic action categories that a capsule can authorize. Version 1 of NAIAD covers eight types: <code>QUERY</code> for reading public onchain state; <code>SWAP</code> for token exchange on DEXs; <code>SUPPLY</code> for depositing assets into lending protocols like <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://naviprotocol.io/">NAVI</a> or <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://scallop.io/">Scallop</a>; <code>COLLECT</code> for claiming earned yield and rewards without moving principal; <code>STAKE</code> for native <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.sui.io/concepts/tokenomics/staking-unstaking">SUI staking</a> operations; <code>TRANSFER_WHITELIST</code> for sending assets to a pre-approved set of addresses locked into the capsule at issuance; <code>ORDER</code> for placing and cancelling limit orders on <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://deepbook.tech/">DeepBook</a>; and <code>DELEGATE</code> for the creation of sub-agent capsules.</p><p>The <code>DELEGATE</code> permission carries the most consequential constraint in the protocol: any capsule issued to a sub-agent must be a strict subset of the parent capsule's permissions, checked at issuance time by the Move function that creates sub-agent capsules so that the function reverts if any permission in the requested sub-capsule falls outside the parent's authorized set. <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://workos.com/blog/ai-agent-delegation-multi-agent-security">Cross-Agent Privilege Escalation</a> becomes architecturally impossible within NAIAD rather than a risk to be mitigated by careful development practice.</p><br><h2 id="h-5-integration-architecture" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">5. Integration Architecture</h2><p>Protocols already deployed on Sui, lending platforms, DEXs, order books, carry existing contract interfaces designed for human-initiated transactions, and requiring them to rewrite those interfaces to accept PermissionCapsule parameters would ask teams to audit, redeploy, and re-integrate production contracts, a high adoption barrier for infrastructure that has no track record yet.</p><p>NAIAD solves this with a thin adapter layer, where an ACP adapter is a Move module that accepts an agent's PermissionCapsule and the parameters of the intended action, validates the capsule against NAIAD's enforcement functions checking action type, protocol whitelist, spend ceilings, and expiry, and on successful validation calls the target protocol's existing interface in the same transaction using Sui's <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://docs.sui.io/concepts/transactions/prog-txn-blocks">Programmable Transaction Blocks</a>. The target protocol sees a standard transaction while the agent's authorization has already been enforced before that transaction is constructed, and because the validation and execution are atomic through PTBs, if the capsule check reverts the protocol call never executes and if the protocol call fails the spend counter update does not persist.</p><p>NAIAD adoption for protocol teams is a one-time module deployment referencing the ACP package ID on Sui rather than a contract migration, and once a protocol's adapter exists, every agent framework that uses NAIAD can interact with that protocol through a single auditable interface. The package ID, the onchain address of the deployed protocol, functions as the coordination point, giving protocol teams the kind of dependency stability that makes integration worthwhile because the behavior of a specific package ID does not change without a versioned upgrade.</p><br><h2 id="h-6-what-this-enables" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">6. What This Enables</h2><p>The six months that follow the first real protocol integration of NAIAD will determine whether it becomes ecosystem infrastructure or a well-documented experiment, because the integration network is the asset. Each protocol that builds an adapter referencing the ACP package ID makes the protocol more useful to every agent framework that uses NAIAD, and each agent framework that adopts NAIAD makes every integrated protocol more accessible to agent builders. This is the same flywheel that made HTTP useful: the value of the shared standard grew with each new participant, and the cost of opting out grew alongside it.</p><p>The path that opens from here is the foundation for multi-agent coordination on Sui that human principals can actually trust, where the scope of every agent's authority is written into the blockchain state at the moment of delegation, the audit trail of every action the agent took is queryable onchain from the identity object's event history, and revoking an agent's authority is a single transaction rather than a revocation process dependent on a centralized service responding in time. The problem that <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://unit42.paloaltonetworks.com/agent-session-smuggling-in-agent2agent-systems/">Agent Session Smuggling</a> exposed in November 2025 was a missing layer of infrastructure, and NAIAD is a proposal for what that layer should look like on the chain most positioned to host the <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://overflow.sui.io/">Agentic Web</a>.</p><br><h2 id="h-limitations" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Limitations</h2><p>NAIAD v1 covers Sui-native agent operations. Cross-chain operations, where an agent spawned on Sui interacts with protocols on other networks, are outside the current scope. The subset inheritance rule for <code>DELEGATE</code> permissions is enforced at issuance time by the Move function that creates sub-capsules, meaning protocol teams integrating NAIAD should audit their adapter implementations against the canonical ACP package rather than self-implementing the issuance logic, as a compromised adapter could theoretically bypass this check. Version 1 covers eight action types sufficient for demonstrating the protocol's enforcement properties, with borrowing, liquidity provision, governance voting, NFT market actions, onchain content publishing, and gaming asset management planned for v2.</p><br><h2 id="h-conclusion" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Conclusion</h2><p>NAIAD gives the authorization question a precise answer where before there was only a gap. The two objects in this protocol, an identity and a naiad, give builders the smallest possible surface area for solving agent authorization correctly, with Move's type system guaranteeing that correctly means something structural rather than something aspirational. The next task is integration: the architecture shows what the protocol enables, but only real adapter implementations built against it will show how widely the Sui ecosystem is ready to build on a shared authorization standard.</p><hr><p><em>NAIAD, the Agent Credential Protocol, is released as open infrastructure under the MIT License. Protocol integrations, adapter implementations, and community feedback are welcome at the project repository.</em></p><p><em>Abundant Joel · June 2026</em></p>]]></content:encoded>
            <author>zeromerge@newsletter.paragraph.com (Abundant Joel)</author>
            <category>sui</category>
            <category>move</category>
            <category>agentic web</category>
            <category>ai agents</category>
            <category>web3 security</category>
            <category>defi</category>
            <category>protocol</category>
            <category>sui overflow 2026</category>
            <category>agent identity</category>
            <category>blockchain</category>
            <category>smart contracts</category>
            <category>decentralized ai</category>
            <category>authorization</category>
            <category>sui ecosystem</category>
            <category>infrastructure</category>
            <enclosure url="https://storage.googleapis.com/papyrus_images/04497d168ee7651ea4f95313aca7cab4997cb8c1dfa8ce796101608e075c7101.jpg" length="0" type="image/jpg"/>
        </item>
    </channel>
</rss>