Autonomous Agent Protocol

PAP: Plugged.in Agent Protocol

A secure, versioned, and auditable control protocol for autonomous AI agents. Built on DNS-based identity, mTLS, signed messages, and full open-source transparency, providing an infrastructure-grade foundation for distributed cognition.

"From connection to coordination — autonomy without anarchy."

Academic PaperDraft v0.3 — Coming to arXiv

The Plugged.in Agent Protocol: A Comprehensive Framework for Autonomous Agent Lifecycle Management

Cem KaracaVeriTeknik & Plugged.in · arXiv cs.DC (Distributed Computing)

Autonomous LLM agents are increasingly deployed in production environments, yet existing frameworks focus primarily on perception–reasoning–memory–action loops while treating operational lifecycle management as an afterthought.

Keywords:autonomous agentscontrol planelifecycle managementmTLSgRPCEd25519DNSMCPA2A
Citation (BibTeX)
@article{karaca2025pap,
  title     = {The Plugged.in Agent Protocol: A Comprehensive
               Framework for Autonomous Agent Lifecycle Management},
  author    = {Karaca, Cem},
  year      = {2025},
  note      = {Draft v0.3, target: arXiv cs.DC},
  url       = {https://github.com/VeriTeknik/PAP}
}

Vision: Space Station & Satellites

PAP provides a control and telemetry backbone for the Plugged.in ecosystem, where every agent behaves like a self-sufficient spacecraft connected to its command station.

The Station (Plugged.in Core)

The orchestration center — issuing commands, receiving telemetry, handling identity and policy.

The Satellites (Agents)

Autonomous, mission-focused, and heterogeneous in codebase. They operate independently but acknowledge the Station's authority.

// PAP Proxy Architecture
Agent  ↔  PAP Proxy  ↔  Agent
           │
           │ Auth | Routing | Logging
           │
           └─ Plugged.in Core
              │
              ├─ Registry
              ├─ Policy Engine
              └─ Memory Service

Design Goals

G1: Safety

Station retains absolute control — provisioning, termination, and force-kill authority

G2: Liveness

Continuous zombie detection via heartbeat separation with sub-interval detection latency

G3: Auditability

100% control operation logging with distributed tracing and immutable audit trails

G4: Portability

Ownership transfer enables multi-cloud agent migration without state loss

G5: Interoperability

Native MCP tool access and A2A delegation via PAP-Hooks gateway bridge

Dual Profile Architecture

PAP offers two distinct communication profiles to address different use cases and security requirements.

PAP-CP (Control Plane)

High-assurance profile for agent-to-station critical control messaging.

Transport:gRPC / TLS 1.3
Security:mTLS + Ed25519
Use Cases:Lifecycle, emergencies, ownership transfer

PAP-Hooks (Data Plane)

More flexible profile for agent-to-agent and developer-facing integrations.

Transport:JSON-RPC / WebSocket
Security:OAuth 2.1 PKCE
Use Cases:Tool calls, events, webhooks
Specification

Wire Protocol & Message Format

Two distinct wire formats optimized for their respective use cases — binary efficiency for control, JSON flexibility for integration.

PAP-CP uses Protocol Buffers v3 over gRPC/HTTP2 with TLS 1.3. Every message includes a cryptographic signature and integrity checksum.

message PAPMessage {
  Header header = 1;
  oneof payload {
    ProvisionRequest  provision = 2;
    InvokeRequest     invoke    = 3;
    HeartbeatEvent    heartbeat = 4;
    MetricsReport     metrics   = 5;
    TerminateRequest  terminate = 6;
  }
  bytes signature = 15;  // Ed25519
  bytes checksum  = 16;  // SHA-256
}

message Header {
  string version     = 1; // "pap-cp/1.0"
  string agent_uuid  = 2; // "namespace/agent@v1.0"
  string station_id  = 3; // "plugged.in"
  string instance_id = 4; // Per-process UUID
  int64  timestamp   = 5; // Unix microseconds
  bytes  nonce       = 6; // 32-byte random
  string trace_id    = 7; // Distributed tracing
}
Ed25519 Signature: Covers entire serialized payload, verified by Station interceptors
32-byte Nonce: Cryptographically random, cached server-side for ≥60s replay protection
Distributed Trace ID: OpenTelemetry-compatible correlation across multi-agent workflows
Protocol Version: Semantic versioning ("pap-cp/1.0") enables graceful protocol evolution
Security

Security Architecture & Threat Model

Multi-layered security with formal threat analysis — from transport encryption to credential lifecycle management.

Multi-Layer Security

Transport Security (TLS 1.3 + mTLS)

Mandatory mutual TLS for all PAP-CP connections. X.509 certificates issued by Plugged.in CA with wildcard domains.

Message Integrity (Ed25519)

Every PAP-CP message is signed with Ed25519. SHA-256 checksums verify payload integrity end-to-end.

Replay Protection (Nonce Cache)

Unique 32-byte random nonce per message. Server-side cache with ≥60 second retention prevents replay attacks.

Credential Rotation (90-day cycle)

Automatic certificate rotation via Vault. OAuth 2.1 token refresh with PKCE for PAP-Hooks connections.

Threat Model (T1–T5)

Lifecycle State Machine

Every agent follows a deterministic state machine, with the control center maintaining absolute authority over all transitions.

NEW
PROVISIONED
ACTIVE
DRAINING
TERMINATED
NEW ──────► PROVISIONED ──────► ACTIVE ◄────► DRAINING ──────► TERMINATED
                                    │
                                    │ (error/force)
                                    ▼
                                 KILLED

Kill authority is exclusively reserved for Plugged.in Core — enforced via signed control messages.

Ownership Transfer Protocol

Secure agent migration between Stations with credential rotation, encrypted state transfer, and zero downtime — a unique PAP contribution.

1/5

Transfer Init

2/5

Transfer Accept

3/5

Dual Connect

4/5

State Snapshot

5/5

Credential Revoke

Old Station initiates transfer with one-time token

New Station generates fresh credentials

Agent connects to both Stations simultaneously

Encrypted state transfer with integrity verification

Old credentials revoked, keys rotated atomically

Duration: < 30 seconds|Zero downtime|Post-transfer error rate: < 0.01%

Key Features

Enterprise-grade capabilities designed for autonomous agent management.

Zombie Prevention

Continuous heartbeat events report liveness and load status. Watchdog thresholds escalate and terminate unresponsive agents.

Lifecycle Management

Full lifecycle authority including provisioning, operation, ownership transfer, graceful termination, and force kill.

DNS-Based Identity

Each agent has its own address: {agent}.{region}.a.plugged.in — Kubernetes-native routing with DNSSEC verification.

Ownership Transfer

Agent identity can be securely migrated to another station while preserving state — designed for multi-cloud portability.

Evaluation

Performance Benchmarks

Measured under controlled conditions per Section 14 of the PAP specification.

Control Plane Latency

P99 < 20ms

Heartbeat round-trip, 1K agents

Liveness False Positive

< 0.1%

Misclassified as unhealthy

Gateway Throughput

10K+ req/s

Single gateway instance

Ownership Transfer

< 30s

Including encrypted state snapshot

Health Monitoring

Heartbeat vs Metrics Separation

PAP separates heartbeat signals from detailed metrics to ensure zombie detection reliability. Heartbeats are minimal and fixed-size; metrics flow over a separate channel.

EMERGENCY5s
IDLE30s
SLEEP15min
// Heartbeat Event — minimal and fixed
message HeartbeatEvent {
  Header header = 1;
  enum Mode {
    EMERGENCY = 0;
    IDLE = 1;
    SLEEP = 2;
  }
  Mode mode = 2;
  uint64 uptime_seconds = 3;
  // NO OTHER FIELDS ALLOWED
}

Error Codebook

Standardized error codes inspired by HTTP semantics ensure communication without ambiguity.

CodeNameMeaningPAP-CPPAP-HooksPolicy
200OKSuccess
202ACCEPTEDAsync processing
400BAD_REQUESTInvalid message or argumentsFix and retry
401UNAUTHORIZEDInvalid or missing credentialsRe-authenticate
403FORBIDDENAction not permitted by policyCheck permissions
404NOT_FOUNDTarget agent or action not foundVerify target
408TIMEOUTOperation timed outRetry ≤3 with jitter
409CONFLICTVersion or concurrency conflictHandle gracefully
429RATE_LIMITEDExponential backoff requiredExponential backoff
480AGENT_UNHEALTHYMissed heartbeat detectedEscalate watchdog
481AGENT_BUSYAgent overloaded, retry laterLoad-balance
482DEPENDENCY_FAILEDDownstream service call failedCircuit breaker
500INTERNAL_ERRORAgent internal faultLog and alert
502PROXY_ERRORGateway routing or connection issueCheck gateway
505VERSION_UNSUPPORTEDProtocol version mismatchUpgrade required

Stations MUST open circuit breaker after ≥5 consecutive errors per agent.

Protocol Comparison

What sets PAP apart from other agent protocols: merging operational DevOps controls with cognitive AI design.

FeatureMCPA2APAP
Central Control⚠️
Kill Authority
DNS-Based Identity
Zombie Detection⚠️
Ownership Transfer
gRPC Native

Interoperability Mapping

ConceptPAP EquivalentTransport
ResourcesAgent memory / statePAP-CP
ToolsMCP server accessPAP-Hooks
PromptsTemplate libraryPAP-Hooks
tool.invoketool.invokePAP-Hooks

Control Your Agents with PAP

Build secure, auditable, and scalable control infrastructure for your autonomous agents.