v1.0 · Just Published

The Agent Protocol Stack
is Missing a Layer.
This is the Third One: Rules

MCP connects agents to tools. A2A connects agents to agents.
ERDL defines how agents should behave.

Read Spec v1.0 (EN) → 中文版 GitHub

The Three-Layer Protocol Stack

COMMUNICATION

A2A Protocol

Agent ↔ Agent communication standard.
Agent Card discovery · Task delegation · Streaming.

Google · Linux Foundation · 150+ orgs
RULES

ERDL

Agent behavioral rules standard.
Declarative when/then · Action Guard · Audit trails.

OpenOBA · MIT License
TOOLS

MCP Protocol

Agent ↔ Tool connection standard.
JSON-RPC 2.0 · Tool discovery · Resource exposure.

Anthropic · Linux Foundation · 97M dl/month

One File. Your Agent Has Rules.

# agent.erdl.yaml rules: - name: "no-dangerous-commands" when: logic: AND conditions: - field: "tool.name" operator: eq value: "exec" - field: "tool.args.command" operator: match value: "(rm -rf|sudo|chmod 777)" then: BLOCK message: "Dangerous command intercepted and corrected" - name: "loop-detection" when: logic: AND conditions: - field: "agent.consecutive_errors" operator: gte value: 3 then: STRATEGIZE message: "Loop detected - switching strategy"

Why ERDL

🧭 Translate + Guide + Correct Natural language → ERDL rules → Agent executes with real-time correction. Not just blocking - pointing the right way.
🛡️ Protocol-Level Enforcement Action Guard intercepts before every tool call. Not prompts - deterministic engine. The agent cannot bypass it.
🔍 Fully Auditable Every decision maps to a rule. Structured audit logs - not scrolling through chat history guessing what happened.
🔄 Hot Reload Change rules without restarting your agent. Rules are live. Not compile-time artifacts.
📐 11 Operators eq, ne, gt, gte, lt, lte, in, contains, match, exists, within. Arbitrary AND/OR nesting. Time-window and rate-limit support.
🔐 SafeExpr Engine Custom recursive-descent expression parser. Zero eval. Zero code injection. Safe computation - not just boolean checks.
💍 Execution Rings Ring 0-3 privilege model for agent actions. CPU-style security architecture for AI agents.
👁️ Guardian Agent Model One Guardian watches all Observed Agents. Emergency HALT in under 1 second. Reputation scoring (0-1000).

What ERDL Is Not

❌ Not Prompt Engineering Rules are executed by a deterministic engine. Not by hoping the LLM "understands" a system prompt.
❌ Not a Content Filter ERDL doesn't scan for PII or toxicity. It governs agent behavior - what tools can be called, with what parameters, under what conditions.
❌ Not an Agent Framework ERDL doesn't replace LangGraph, CrewAI, or OpenClaw. It integrates into them as the rules layer they're all missing.
❌ Not Competing with MCP/A2A Three complementary layers. MCP handles connections. A2A handles communication. ERDL handles rules.

Compliance Ready

✅ OWASP Top 10 for Agentic Apps (2026) Full alignment table in the spec. Every risk mapped to an ERDL rule pattern.
✅ EU AI Act (Aug 2, 2026) Transparency → audit logs. Human oversight → REQUEST_HUMAN. Risk management → Execution Rings.
✅ NIST AI RMF 1.0 Map → Measure → Manage → Govern. All four functions covered.
✅ Cross-Platform MCP Tool integration. A2A Agent Card extension. SKILL.md format. OpenTelemetry audit export.

Quick Start

  1. Create an agent.erdl.yaml file - use the template above, or define your own when/then rules
  2. Place it in your agent's workspace
  3. Load via MCP: openclaw mcp add erdl - or drop it into your skills/ directory
  4. Every tool call now passes through the ERDL engine. Intercepted calls show you why.