DillClaw Resolver (Published Specification)
The resolution layer for the Dillweed Namespace — turning stable names into trusted, invocable capabilities.
A namespace without a resolver is a map with no roads. Agents can call tools. They cannot reliably choose the right one across providers and time. DillClaw is the resolution engine for the Dillweed Namespace. It takes a namespace URI, applies trust policy, selects the best capability, and returns an invocable endpoint — in a single, auditable operation.
This document specifies the protocol, API, trust evaluation logic, integration patterns, and deployment requirements for DillClaw implementations. As the number of capabilities grows beyond human-scale, resolution becomes a prerequisite, not an optimization. At sufficient scale, capability selection becomes the bottleneck. Resolution is not optional — it is required infrastructure.
DillClaw does not replace MCP, A2A, or any capability protocol. It sits above them — providing the naming, trust, and selection layer that makes those protocols usable at scale, across providers, across time.
Abstract
The Dillweed Namespace Standard defines how capabilities are named and governed. DillClaw defines how they are found, evaluated, and selected. These are complementary specifications: the namespace provides stable identity; the resolver provides operational access.
DillClaw is a resolver specification and implementation layer — a structured intermediary that accepts agent queries expressed against the Dillweed namespace, consults the authoritative registry, applies trust and policy filters, and returns ranked, invocable Capability Records. It is not a proxy, not a gateway, and not a capability provider itself. Its role is resolution: mapping names to endpoints in a way that is trustworthy, auditable, and consistent across time.
Without a resolver layer, a namespace remains descriptive. DillClaw makes it operational.
This specification defines the resolution protocol, the query syntax, the trust evaluation model, the HTTP API, integration patterns for MCP and A2A, error semantics, and the caching strategy. Implementations that conform to this specification are considered DillClaw-compliant resolvers.
This document specifies the DillClaw Resolver layer only. Capability Record schema, namespace URI syntax, trust tier definitions, and governance rules are defined in the Dillweed Namespace Standard v0.4. This document defers to that specification on those topics and should be read alongside it.
Conformance Terminology
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC 2119] [RFC 8174] when, and only when, they appear in all capitals, as shown here.
Role in the Stack
DillClaw occupies a specific position in the agentic AI infrastructure stack. Understanding that position is essential to understanding what it does — and what it deliberately does not do.
Human Gateway Layer
Platform-scale access, identity, and policy. Examples: Meta, Google, Apple, Microsoft, Salesforce. These layers surface capabilities to end users and enterprise systems.
Dillweed Namespace Layer
Stable naming, trust accumulation, and governance. Defines the URI structure, Capability Record schema, and trust tiers. Governed by the DNSO (Dillweed Namespace Stewardship Office). Defined in the Dillweed Namespace Standard v0.4.
DillClaw Resolver Layer ← this document
Query parsing, registry lookup, trust evaluation, candidate ranking, and invocation target selection. The operational bridge between namespace and capability.
Capability Layer
Individual tools, agents, APIs, and data sources registered within the Dillweed Namespace. Invoked using MCP, A2A, REST, gRPC, or custom protocols as specified in their Capability Records.
DillClaw's role is narrow by design. It does not store capabilities, does not proxy requests to them, and does not make policy decisions about which agents may invoke what. It resolves names to endpoints and returns the information needed for an agent to invoke a capability directly.
Without this layer, agents must rely on hardcoded endpoints, brittle registries, or provider-specific abstractions — none of which survive scale, substitution, or time. Today, this function is fragmented across hardcoded endpoints, provider registries, and prompt-level tool selection. DillClaw replaces that fragmentation with a single, governed resolution layer.
Given a valid Dillweed namespace query and a caller's trust policy, DillClaw returns the best available Capability Record — or a structured explanation of why none could be returned. That is the complete contract. Everything else is implementation detail.
DillClaw is not a proxy, gateway, agent runtime, policy authority, or capability provider. It does not execute agent tasks or own capability endpoints. It resolves namespace queries into ranked, signed Capability Records according to caller-supplied trust policy and documented resolver behavior.
Resolver operations produce observable coordination events — query breadth, no-match patterns, signature failures, stale-cache responses, and revocation-cache behavior — that may be emitted as Anthill signals for coordination-layer observability. DillClaw does not depend on Anthill for its normative behavior; the relationship is one of optional emission rather than required coupling. The hook interface for this emission is tracked in Appendix A.7.
Architecture
A DillClaw Resolver consists of five functional components. These may be deployed as a single service or as independent modules; the specification is agnostic to deployment topology as long as the external behavior is conformant.
2.1 Functional Components
| Component | Responsibility |
|---|---|
| Query Parser | Validates and normalizes incoming namespace queries. Rejects malformed paths before any network operation. Expands wildcard patterns into candidate path sets. |
| Registry Client | Communicates with the authoritative Dillweed Registry to retrieve Capability Records matching parsed query paths. Handles registry unavailability gracefully. |
| Trust Evaluator | Filters and scores candidate records against the caller's declared trust policy. Applies tier minimums, permission checks, and signature verification. |
| Ranking Engine | When multiple candidates remain after trust filtering, ranks them by relevance, trust tier, usage history, and version preference. |
| Response Composer | Packages the selected Capability Record into the standardized resolver response, including resolution metadata, trust signals, and audit identifiers. |
2.2 Data Flow
Receive Query
Agent submits a resolution request containing a namespace path (or pattern), a minimum trust tier, required permissions, and optional context hints.
Parse & Validate
The Query Parser validates URI syntax, normalizes path components, and expands wildcards. Malformed queries return immediately with a structured error — no registry contact occurs.
Cache Check
The resolver checks its local cache for a valid, non-expired Capability Record matching the query. Cache hits bypass registry contact entirely and proceed directly to trust evaluation.
Registry Lookup
On cache miss, the Registry Client queries the authoritative Dillweed Registry, retrieves all matching Capability Records, and stores them in the local cache with appropriate TTLs.
Trust Filter & Rank
The Trust Evaluator removes records that fail the caller's minimum trust tier or lack required permissions. The Ranking Engine orders remaining candidates by trust score and contextual relevance.
Compose & Return
The top-ranked record is packaged into a resolver response. The response includes the full Capability Record, a resolution trace for audit, and the trust signals used in ranking.
2.3 Deployment Modes
| Mode | Description | Typical Use |
|---|---|---|
| Hosted | DillClaw operated as a shared service at a known endpoint. Agents query it via HTTP. | Most agents; lowest integration overhead |
| Embedded | DillClaw library linked directly into an agent runtime. Shares process with the agent. | Latency-sensitive or airgapped deployments |
| Sidecar | DillClaw runs as a local process alongside an agent container, communicating over loopback. | Containerized deployments requiring isolation |
| Gateway | DillClaw integrated into a platform gateway layer, resolving on behalf of all downstream agents. | Enterprise or platform-scale deployments |
Resolution Protocol
The resolution protocol defines the contract between a calling agent and a DillClaw Resolver. It specifies what a valid request contains, what a conformant response MUST include, and how failure states are communicated.
3.1 Request Structure
{
"query": "dllwd://research.market.*.vendors", // required
"trust_minimum": "verified", // optional, default: "experimental"
"permissions": ["query", "export"], // optional
"version_pref": "stable", // optional: "stable" | "latest" | semver
"context": {
"caller_id": "agent:procurement-v2",
"session_id": "sess_abc123"
},
"max_results": 3 // optional, default: 1
}
The version_pref field accepts three forms. "stable" selects the highest semver version (per semver.org) without a pre-release identifier and without a build-metadata tag, from among candidates surviving the trust filter. "latest" selects the highest semver version including pre-release identifiers. An explicit semver string or semver range (for example 1.2.0 or ^1.2) selects the highest version satisfying that constraint.
3.2 Response Structure
{
"status": "resolved", // "resolved" | "no_match" | "error"
"query": "dllwd://research.market.*.vendors",
"resolved_at": "2026-03-27T14:22:01Z",
"trace_id": "trc_9f2a...",
"results": [
{
"rank": 1,
"capability": { /* full Capability Record */ },
"trust_score": 0.940,
"trust_signals": ["dnso_verified", "14mo_history", "sig_valid"],
"cache_hit": false
}
],
"resolver_version": "dillclaw/0.1.2",
"scoring_profile": "dillclaw-default-v1"
}
The resolved_at field MUST be formatted as an RFC 3339 date-time in UTC with the Z offset and second precision (YYYY-MM-DDTHH:MM:SSZ). Non-UTC offsets and fractional seconds MUST NOT be used. This matches the format used for the last_updated field in the Registry Specification §3.1.
The scoring_profile field identifies the deterministic scoring profile under which the trust scores in this response were computed. Conformant resolvers MUST return this field; the default profile is dillclaw-default-v1, defined in §6.2. Future profiles may be introduced for governance-approved scoring variants; profile identifiers are versioned independently of this specification's document version. Callers comparing scores across responses MUST verify that the responses share the same scoring profile.
3.3 Resolution Guarantees
- Determinism — Given the same query and registry state, a conformant resolver MUST return the same ranked result. Determinism requires pinned arithmetic for trust scoring and deterministic tie-breaking — both specified in §6.2.
- No silent failure — Every request MUST return a structured response. A resolver that cannot answer MUST return a documented error state, never an empty body or unhandled exception.
- Auditability — Every response MUST include a
trace_idthat can be used to reconstruct the full resolution decision from resolver logs. - Trust transparency — The trust signals used in ranking MUST always be returned alongside the result, so the calling agent can evaluate the basis for selection.
- Signature pass-through — DNSO cryptographic signatures on Capability Records MUST NOT be stripped or modified by the resolver. The agent receives them verbatim for independent verification.
Query Language
DillClaw queries are expressed as Dillweed namespace URIs, extended with a small set of matching operators. The query language is deliberately minimal — sufficient for precise and pattern-based resolution, but not expressive enough to become a general-purpose query system with attendant complexity.
4.1 Exact Match
A fully qualified path resolves to exactly one registered capability:
dllwd://research.market.intel.vendors
4.2 Wildcard Matching
A single asterisk (*) matches any single path component. This allows agents to express intent at a category level without specifying an exact provider:
dllwd://research.market.*.vendors
dllwd://research.market.*
4.3 Version Pinning
A version suffix pins the query to a specific capability version or range:
dllwd://research.market.intel.vendors:1.2.0
dllwd://research.market.intel.vendors:^1.2
4.4 Query Constraints
- Wildcards MUST NOT appear in the first path component (the domain segment)
- A query MUST contain at most two wildcards
- Double-star (
**) recursive matching is not supported; a future revision may introduce it (see Appendix A) - A wildcard query whose expansion would match more than 200 candidates MUST be rejected with
QUERY_TOO_BROAD(see §8.2). The caller is expected to narrow the query. - Queries with no matching results MUST return
status: "no_match"with a documented reason — never an empty results array without explanation
API Reference
A DillClaw Resolver exposes a minimal HTTP API. All endpoints accept and return application/json. Authentication is OPTIONAL but RECOMMENDED for production deployments.
5.1 Core Endpoints
Primary resolution endpoint. Accepts a resolution request body and returns a ranked list of matching Capability Records. This is the only endpoint required for a minimally conformant implementation.
POST /resolve HTTP/1.1
Content-Type: application/json
{
"query": "dllwd://research.market.intel.vendors"
}
Direct Capability Record retrieval by fully qualified namespace path. Returns a single record or 404 if not found. No trust filtering is applied — the raw registered record is returned. Useful for verification and tooling workflows.
GET /capability/research.market.intel.vendors HTTP/1.1
Returns resolver health status, current registry connection state, cache statistics, and the resolver's own version string. REQUIRED for all conformant implementations.
Returns the full resolution trace for a past resolution operation, identified by the trace_id included in every response. Enables audit and debugging. Traces SHOULD be retained for a minimum of 72 hours; production deployments may retain traces longer for compliance purposes.
Accepts an array of resolution requests (maximum 50 per batch) and returns an array of responses in matching order. Useful for agents that need to resolve multiple capabilities in a single operation. Partial failure is permitted — individual request failures return error objects in-place without failing the entire batch.
5.2 Request Headers
| Header | Required | Description |
|---|---|---|
| Content-Type | Yes | MUST be application/json |
| X-DillClaw-Caller | No | Caller identifier for audit logging. RECOMMENDED for production. |
| X-DillClaw-Session | No | Session identifier for grouping related resolution operations in traces. |
| Authorization | No | Bearer token if the resolver requires authentication. An authenticated caller identity model is anticipated in a future revision; see Appendix A. |
Trust Evaluation Engine
Trust evaluation is the core value proposition of DillClaw beyond simple registry lookup. A raw registry can return what exists. DillClaw answers what should be used — through a documented, auditable evaluation process applied to every candidate.
The trust score ranks candidates that survive hard eligibility filters; it does not override tier gates, permission checks, signature policy, or caller-defined constraints. Scoring is a ranking mechanism applied to already-eligible candidates, not an authorization decision.
6.1 Evaluation Pipeline
Tier Gate
Any candidate with a trust tier below the caller's trust_minimum MUST be rejected immediately. This is a hard filter — no scoring applied to eliminated candidates.
Permission Check
Any candidate lacking a required permission from the caller's permissions array MUST be rejected. Permission checking is exact-match only; richer permission semantics are anticipated in a future revision (see Appendix A).
Signature Verification
DNSO cryptographic signatures MUST be verified against the DNSO public key published at https://dillweed.com/dnso_public.pem (per Registry Specification §5.4). Candidates with invalid signatures MUST be rejected unless the resolver is operating in an explicitly declared diagnostic mode. Candidates with missing signatures MAY be returned only if caller policy permits unsigned records, and MUST be marked sig_unverified. The distinction is architectural: an invalid signature is evidence of tampering or key mismatch and warrants rejection; a missing signature reflects record-state incompleteness (legacy records, mirror gaps) and remains a caller-policy decision.
Endpoint Liveness
Endpoint liveness probing is OPTIONAL; the default is that no probe is performed. The caller does not control probing directly through the resolution request today. A probe_liveness request field is anticipated in a future revision (see Appendix A). Probe results, when performed, are cached per TTL to avoid probe overhead on every request.
Trust Scoring
Surviving candidates are scored on a 0–1 scale using the pinned formula specified in §6.2.
6.2 Trust Score Composition
Trust scores are computed deterministically using the formula and signal values specified below. Every conformant resolver MUST produce the same trust score for the same candidate given the same inputs — this is the foundation of the determinism guarantee in §3.3.
| Signal | Weight | Value Domain |
|---|---|---|
| Trust tier | 0.40 | canonical = 1.0, verified = 0.85, trusted = 0.65, experimental = 0.30 |
| Usage history | 0.30 | min(months_registered, 24) / 24 (linear, clamped) |
| Signature validity | 0.20 | Present and valid = 1.0, absent = 0.5, invalid = 0.0 |
| Endpoint liveness | 0.10 | Reachable = 1.0, unchecked = 0.5, unreachable = 0.0 |
The aggregate score is the weighted sum of the four signal values:
score = 0.40 · tier + 0.30 · history + 0.20 · sig + 0.10 · liveness
The aggregate score MUST be rounded to three decimal places using banker's rounding (round-half-to-even, IEEE 754 roundTiesToEven). For example, a raw value of 0.7245 rounds to 0.724; 0.7255 rounds to 0.726. Conformant implementations MUST produce byte-identical rounded values for the same inputs.
The weights and signal value mappings above define the default scoring profile, identified as dillclaw-default-v1. Future governance-approved profiles may revise weights or signal mappings, provided that profile identifiers are returned in resolver responses (see §3.2) and that scoring remains deterministic within each profile. The determinism guarantee in §3.3 holds within a profile, not across profiles. Profile versioning is independent of this specification's document version: the profile identifier tracks scoring behavior, not document edits.
6.3 Tie-Breaking
When two candidates produce identical rounded trust scores, the ranking engine MUST break the tie as follows, evaluating each rule in order until the tie is resolved:
- Rule 1 — Namespace path. Ascending lexicographic order on the fully qualified namespace path, comparing UTF-8 bytes. Since namespace components are restricted to lowercase ASCII (per Registry Specification §3.1), this is equivalent to ASCII sort order.
- Rule 2 — Semver version. Ascending semver precedence (per semver.org §11) on the capability version string.
No further tie-breaking rules are defined; the combination of namespace path and version is unique per active record by registry design, so these two rules suffice to order any candidate set deterministically.
Trust scores are always returned with their constituent signals, never as a single opaque number. An agent receiving a result with a score of 0.724 SHOULD also receive the breakdown showing why — so it can apply its own judgment to the resolver's recommendation rather than treating it as authoritative.
Caching & Performance
Resolution latency is a first-class concern. For agentic systems making many capability decisions in sequence, resolver overhead accumulates quickly. DillClaw's caching model is designed to make the common case — repeated resolution of stable, frequently-used capabilities — extremely fast.
7.1 Cache Architecture
- Local record cache — Capability Records retrieved from the registry are cached locally. Cache key is the fully qualified namespace path. TTL is set by the registry per record and MUST be respected.
- Liveness probe cache — Endpoint liveness results are cached independently with a shorter TTL (default: 60 seconds). Probes MUST NOT be repeated on every resolution request.
- Negative cache — Not-found responses from the registry are cached with a short TTL (default: 30 seconds) to prevent thundering-herd behavior on repeated queries for nonexistent paths.
7.2 TTL Rules
| Cache Type | Source of TTL | Default TTL | Maximum TTL |
|---|---|---|---|
| Capability Record | Registry-provided per record | 300s | 3600s |
| Endpoint liveness | Resolver-configured | 60s | 300s |
| Negative (not found) | Resolver-configured | 30s | 120s |
| Stale-while-revalidate window | Resolver-configured | 900s | 1800s |
The stale-while-revalidate window governs how long a resolver may continue serving stale cached records after the registry becomes unreachable. When the window expires, subsequent requests MUST return REGISTRY_UNAVAILABLE rather than older stale data.
7.3 Stale-While-Revalidate
When the registry is unreachable, DillClaw MUST NOT fail open by silently serving stale data without disclosure. Conformant behavior: serve the most recently cached Capability Record if within the stale window, and include a stale: true flag and cached_at timestamp (RFC 3339 UTC, second precision, per §3.2) in the response. If no cached record exists and the registry is unreachable, return a structured error.
7.4 Performance Targets
| Scenario | Target P50 | Target P99 |
|---|---|---|
| Cache hit, no liveness probe | < 5ms | < 20ms |
| Cache miss, registry reachable | < 80ms | < 300ms |
| Cache miss + liveness probe | < 150ms | < 500ms |
Error Handling
Every error state in DillClaw MUST return a structured JSON response with a machine-readable error code, a human-readable message, and where applicable, a corrective suggestion. HTTP status codes are used in the conventional way. No error state results in an empty body.
8.1 Error Response Format
{
"status": "error",
"error_code": "QUERY_MALFORMED",
"message": "Path component 'RESEARCH' must be lowercase ASCII",
"suggestion": "Use 'research' instead of 'RESEARCH'",
"trace_id": "trc_err_7c3f...",
"query": "dllwd://RESEARCH.market.intel"
}
8.2 Error Codes
| HTTP | Error Code | Meaning |
|---|---|---|
| 400 | QUERY_MALFORMED | Namespace URI fails syntax validation. Resolver stopped before registry contact. |
| 400 | QUERY_TOO_BROAD | Wildcard pattern would match more than 200 candidates. Narrow the query. |
| 404 | NO_MATCH | Query is valid but no registered capabilities match it. |
| 404 | TRUST_FILTERED | Candidates exist but all were eliminated by the caller's trust policy. |
| 422 | PERMISSION_MISMATCH | Candidates exist and meet trust tier, but none carry all required permissions. |
| 503 | REGISTRY_UNAVAILABLE | Resolver could not contact the authoritative registry and has no valid cached data. |
| 503 | REGISTRY_STALE | Serving stale cached data. Registry unreachable. Includes cached_at timestamp. |
| 500 | RESOLVER_FAULT | Internal resolver error. Includes trace ID for diagnostics. Should be reported. |
Integration Guide
DillClaw is designed to be integrated into existing agent runtimes with minimal friction. The resolution step slots naturally between the point at which an agent identifies a capability need and the point at which it invokes an endpoint.
9.1 MCP Integration
For agents using the Model Context Protocol, DillClaw resolution can replace or augment hardcoded tool definitions. Instead of embedding tool endpoints in system prompts or configuration files, the agent resolves capabilities at runtime:
# Instead of: tool = hardcoded_tools["vendor_comparison"]
result = dillclaw.resolve(
query = "dllwd://research.market.intel.vendors",
trust_min = "verified",
permissions = ["query", "export"]
)
# Result contains MCP-compatible endpoint and schema
tool = MCPTool(
endpoint = result.capability.endpoint,
input_schema= result.capability.input_schema,
protocol = "mcp"
)
response = tool.call(vendor_list)
9.2 A2A Integration
For agent-to-agent communication using A2A, DillClaw can resolve target agents by namespace path rather than by hardcoded agent card URL. This allows agent networks to remain stable even as underlying agent implementations change providers or infrastructure:
# Resolve the target agent by namespace path
result = dillclaw.resolve(
query = "dllwd://agents.analysis.financial.*",
trust_min= "trusted"
)
# Use the resolved endpoint to fetch the A2A agent card
agent_card = A2A.fetch_card(result.capability.endpoint)
response = A2A.send_task(agent_card, task_payload)
9.3 REST / Direct Invocation
For capabilities exposed as plain REST APIs, the resolved endpoint is used directly. DillClaw returns the full Capability Record including input and output schemas, which the agent can use to construct and validate its request without additional documentation lookup:
result = dillclaw.resolve("dllwd://data.enrichment.company.profile")
# Validate request body against resolved input schema
validate(request_body, result.capability.input_schema)
# Invoke directly
response = http.post(
url = result.capability.endpoint,
body = request_body
)
9.4 Recommended Integration Pattern
- Resolve once, cache locally — For capabilities used repeatedly in a session, resolve once and retain the result in agent-level memory. Do not call the resolver on every tool invocation.
- Use trace IDs in logs — Include the
trace_idfrom each resolution response in your agent's audit logs. This enables post-hoc debugging if a resolved capability later behaves unexpectedly. - Handle TRUST_FILTERED gracefully — Design agents to surface trust filter rejections to their orchestrators rather than silently failing or falling back to lower-trust alternatives without acknowledgment.
- Verify DNSO signatures independently — For high-stakes capability invocations, verify the DNSO signature in the returned Capability Record against the public key published at
https://dillweed.com/dnso_public.pemrather than relying solely on resolver trust evaluation.
A Worked Example
To make the resolver mechanics concrete, the following traces a single resolution operation from the agent's perspective through to invocation — showing each protocol step and the data at each stage.
Agent identifies capability need
A financial analysis agent needs to enrich a company identifier with current firmographic data. It has been configured to use the Dillweed namespace for capability resolution rather than a hardcoded endpoint.
Agent submits resolution request
The agent posts to /resolve with query dillweed://data.enrichment.company.*, trust_minimum: "verified", and permissions: ["query", "export"]. The * wildcard signals intent to find the best available enrichment capability, not a specific provider.
DillClaw parses and checks cache
The Query Parser validates the URI and expands the wildcard. The cache contains a 4-minute-old record for data.enrichment.company.profile within TTL — the registry is not contacted. Trust evaluation proceeds against the cached record.
Trust evaluation filters and scores
Three candidates exist in the expanded match set. One is experimental — eliminated by tier gate. One is trusted but lacks the export permission — eliminated by permission check. The remaining candidate is verified, carries a valid DNSO signature, and has 18 months of continuous registration. Applying the §6.2 formula: 0.40·0.85 + 0.30·(18/24) + 0.20·1.0 + 0.10·0.5 = 0.340 + 0.225 + 0.200 + 0.050 = 0.815. Trust score: 0.815.
Response returned to agent
DillClaw returns status: "resolved" with the full Capability Record, trust score 0.815, signals ["dnso_verified", "18mo_history", "sig_valid"], cache_hit: true, and a trace_id. Total resolver latency: 3ms.
Agent validates signature and invokes
The agent verifies the DNSO signature independently, validates its request payload against the returned input_schema, then calls the resolved endpoint directly. The resolver is not in the invocation path — it returned the map; the agent navigates it.
The agent never knew the underlying provider. It never needed to. It expressed an intent, received a trusted endpoint, verified it cryptographically, and invoked. If the underlying provider changes next week, the namespace path remains stable, the trust signals are re-evaluated at the next resolution, and the agent's code is unchanged.
Security Model
DillClaw's security model is deliberately limited to the resolver's scope: it does not attempt to secure capability invocation, enforce access control at the capability layer, or authenticate agents to providers. It secures the resolution step only. Production deployments SHOULD enforce per-IP or per-token rate limits on wildcard and batch resolution requests.
11.1 Threat Model
| Threat | Mitigation |
|---|---|
| Registry poisoning | DNSO cryptographic signatures on Capability Records. Invalid signatures result in trust score penalty or elimination per caller policy. |
| Cache poisoning | TTLs enforced strictly. Cached records include the DNSO signature, verified at scoring time regardless of cache source. |
| Resolver impersonation | Resolvers SHOULD be identified by DNS + TLS. A resolver identity certificate model is anticipated in a future revision; see Appendix A. |
| Stale trust signals | Stale responses are disclosed explicitly. Agents MAY reject stale results by policy. Trust score does not degrade on staleness alone. |
| Query enumeration | Wildcard queries return a maximum of 200 results. Production deployments SHOULD enforce per-IP or per-token rate limits on wildcard and batch queries. |
11.2 What DillClaw Does Not Secure
- The capability endpoint itself — authentication and authorization to the capability are the provider's responsibility
- The content of capability responses — DillClaw makes no representation about what a capability returns
- Agent identity — the current specification does not authenticate which agent is making a resolution request. A caller-identity model is anticipated in a future revision; see Appendix A.
- Data in transit to the capability — TLS for the resolution request is expected; TLS for the capability invocation is the agent's responsibility
What Must Be Built
This specification describes a protocol and an architecture. DillClaw becomes real infrastructure only through implementation and demonstrated operation. The following milestones define the minimum viable resolver — the point at which this specification stops being a proposal and becomes a running system. As of this revision, the Node.js reference implementation operating in local deployment has achieved milestones 01 and 02; the remaining milestones define the path to public availability.
Conformant Resolver Implementation
A working implementation of the /resolve and /health endpoints, passing against a reference test suite. Language-agnostic; the first implementation may be any stack.
Live Registry Connection
The resolver connected to a live Dillweed Registry endpoint returning real Capability Records for at least three registered capabilities across two namespace categories.
End-to-End Resolution Trace
A publicly documented resolution trace — query in, Capability Record out, DNSO signature verified — demonstrating the full protocol path as specified in §10.
MCP or A2A Integration Example
A working integration with at least one of MCP or A2A, demonstrated with a real agent making at least one capability invocation via a DillClaw-resolved endpoint.
Public Reference Deployment
A hosted DillClaw endpoint at a stable URL (DillClaw.ai or equivalent) accepting resolution requests from any caller, with uptime monitoring and a public health status page.
Relationship to DNS
The architectural parallels between DillClaw and DNS are intentional and instructive — but the analogy has limits that are worth stating explicitly.
13.1 Where the Analogy Holds
- Maps human-readable names to IP addresses
- Hierarchical namespace with a governed root
- Caching at multiple layers for performance
- Authoritative + recursive resolver model
- Stable names survive infrastructure changes
- Maps semantic names to invocable endpoints
- Hierarchical namespace with a governed root
- Caching at resolver layer with TTL discipline
- Authoritative registry + resolver model
- Stable names survive provider changes
13.2 Where the Analogy Breaks Down
- DNS resolves to addresses; DillClaw resolves to capabilities. A Capability Record contains semantics, schemas, permissions, and trust signals that have no DNS equivalent. The resolution result is richer.
- DNS is neutral about content; DillClaw is not. Trust evaluation, permission filtering, and contextual ranking are core to DillClaw's function. DNS does not rank results or filter based on caller policy.
- DNS operates at network layer; DillClaw operates at application layer. DillClaw is not a replacement for DNS — it uses DNS for its own endpoint routing and relies on TLS in the conventional way.
- DNS has a 40-year installed base; DillClaw has none yet. The analogy is structural, not a claim of equivalence. DillClaw earns legitimacy through adoption, not through comparison to infrastructure that already won.
DillClaw tells you what to trust and use.
DillClaw is the operational layer for the Dillweed Namespace. The namespace defines what can exist and what it means. DillClaw defines how it is found, evaluated, and selected. Neither document is complete without the other. The full infrastructure is the combination: a governed naming layer and a conformant resolver that brings those names into operational reality.
13.3 Attestation Scope: Namespace Layer vs. Hardware and Code Layer
DillClaw performs namespace-layer attestation — a distinct and narrower operation than the hardware attestation and code integrity verification performed by trusted execution environments, TPM-based platforms, and supply-chain security systems. Understanding this distinction matters both for correct implementation and for accurate descriptions of what DillClaw can and cannot guarantee.
What DillClaw attests: DillClaw verifies that a Capability Record — comprising a namespace path, endpoint URL, declared trust tier, permissions, protocol, and schema metadata — was signed by the DNSO private key and has not been altered since signing. This is a statement about the registry record, not about the software running at the endpoint. A capability that passes DillClaw signature verification is a capability whose declared metadata is authentic. It is not a statement that the endpoint is running unmodified code, that the server hardware is in a known good state, or that the software supply chain is intact.
What DillClaw does not attest: DillClaw does not perform firmware attestation, Trusted Platform Module (TPM) quote verification, Trusted Execution Environment (TEE) attestation, or any form of remote code measurement. It does not verify that the binary running at a capability endpoint matches a known-good hash, that the server operating system has not been modified, or that the execution environment is isolated from compromise. These are application-layer and infrastructure-layer concerns that fall outside the namespace coordination layer.
Why the distinction matters: Hardware and code attestation systems — such as those used in confidential computing, secure enclaves, and hardware root-of-trust architectures — attest the integrity of an execution environment at a given moment. Namespace-layer attestation, as performed by DillClaw, attests the integrity of a coordination record over time. Both are valid and complementary forms of trust evidence. A well-governed agent system may use both: DillClaw to establish that a capability's identity and declared metadata are authentic, and a separate attestation layer to establish that the endpoint's execution environment is trustworthy at the time of invocation.
DillClaw answers: Is this capability record authentic and unaltered? It does not answer: Is the software running at this endpoint unmodified? The first question is a namespace concern. The second is an infrastructure concern. Conflating them produces an inflated security claim that the specification does not make and the implementation does not provide.
Future Work (Non-Normative)
This appendix records items intended for a future revision of the DillClaw Resolver Specification. It is non-normative: nothing in this appendix imposes conformance requirements on implementations of this specification. It is included to disclose the anticipated direction of the specification so that implementers can make informed decisions about extensibility and ecosystem participants can plan for forthcoming changes.
A.1 Resolver Authentication and Caller Identity
The current specification treats the Authorization header as optional with no prescribed format, and does not authenticate the agent making a resolution request. A future revision is expected to define: (a) a bearer-token format and validation contract for resolver authentication, (b) a caller-identity attestation model that allows a resolver to verify the agent making each request, and (c) the resolver identity certificate model referenced in §11.1 for mitigating resolver-impersonation threats. These changes will affect §5.2, §11.1, and §11.2.
A.2 Caller-Controlled Endpoint Liveness Probing
The current specification describes endpoint liveness probing as optional and controlled by resolver policy, but exposes no request field through which the caller can opt in or out of probing on a per-request basis. A future revision is expected to add a probe_liveness field to the resolution request schema, accepting boolean or enumerated values that specify the caller's preference. This change will affect §3.1 and §6.1.
A.3 Richer Permission Semantics
The current specification performs exact-string matching on permissions declared by the caller against permissions declared by the capability. A future revision is expected to introduce structured permission scopes, hierarchical permissions (for example data.read implying data.read.metadata), and permission negotiation where a capability may declare that it conditionally supports permissions depending on caller identity. This change will affect §6.1.
A.4 Recursive Wildcard Matching
The current specification supports single-asterisk wildcards matching exactly one namespace component, with a limit of two wildcards per query. A future revision is expected to evaluate the addition of recursive wildcard matching (**) for matching any number of intervening components, subject to stricter candidate-expansion limits to prevent query cost amplification. This change will affect §4.2 and §4.4.
A.5 Internationalized Namespace Components in Queries
The current specification restricts namespace components in queries to lowercase ASCII letters, digits, and hyphens, matching the Registry Specification §3.1 naming rule. A future revision is expected to extend the query syntax to accept internationalized names encoded per IDNA 2008 (RFC 5891) punycode once the registry accepts such names. This change will affect §4.1, §4.2, and §8.
A.6 Trust Signal String Format
The current specification returns trust signals as unstructured strings in the trust_signals response array (for example "18mo_history"). A future revision is expected to pin the exact format of these strings — regular expressions, casing rules, zero-padding for numeric components — so that callers parsing signal strings produce consistent results across conformant resolvers. This change will affect §3.2 and §10.
A.7 Anthill Integration
This specification does not address integration with the Dillweed Anthill Observability Plane Specification, which describes resolver-side hooks for generating ANT-RC (Revocation Cascade), ANT-AB (Attestation Bypass), and ANT-RD (Resolver Drift) signals from resolution and verification activity (Anthill §3, §5). A future revision is expected to define the hook interface, including conformance level for signal emission, delivery model (push to an Anthill aggregation endpoint or pull from a Resolver-exported feed), signal payload schema, and configuration surface by which a Resolver operator binds to a specific Anthill aggregation endpoint and signing key. This change will affect a new Resolver section addressing observability integration, and is intended to be developed jointly with the corresponding revision of the Anthill specification.