Mission-Bound OAuth MVP on Control Plane by Karl McGuinness

Mission-Bound OAuth MVP on Control Plane by Karl McGuinnesshttps://notes.karlmcguinness.com/series/mission-bound-oauth-mvp/Recent content in Mission-Bound OAuth MVP on Control Plane by Karl McGuinnessHugoen-uspublic@karlmcguinness.com (Karl McGuinness)public@karlmcguinness.com (Karl McGuinness)Mon, 01 Jun 2026 18:00:00 -0700The Mission is the Missing OAuth Abstraction for Agentshttps://notes.karlmcguinness.com/notes/the-mission-is-the-missing-oauth-abstraction/Mon, 01 Jun 2026 18:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/the-mission-is-the-missing-oauth-abstraction/Five bodies of work converge on the same structural gap in OAuth for agents: the protocol has no durable object for the task the user approved. The Mission is that object. Part 1 frames the gap and introduces the two-layer spec proposal that closes it. The MVP and Runtime Enforcement Profile follow in Parts 2 and 3.Mission-Bound OAuth Runtime Enforcement Profilehttps://notes.karlmcguinness.com/notes/mission-bound-oauth-runtime-enforcement-profile/Mon, 01 Jun 2026 09:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/mission-bound-oauth-runtime-enforcement-profile/The MVP binds OAuth tokens to a durable Mission record. This profile adds the runtime layer: AS-side intent-to-policy compilation, mandatory escalation via AuthZEN, tool-and-action binding, mandatory actor chains, per-decision audit receipts, and a governed purpose registry. Modular by design: a Core enforcement contract plus Optional Modules that deployments adopt as their governance posture requires.Mission-Bound OAuth MVPhttps://notes.karlmcguinness.com/notes/mission-bound-oauth-mvp/Fri, 22 May 2026 14:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/mission-bound-oauth-mvp/The MVP adds five protocol surfaces on top of existing OAuth: a mission_intent RAR envelope, a resource_access RAR type, a Mission record at the AS, a mission claim on access tokens, and Mission-state enforcement across every derivation path. The result is durable task authority that survives token lifetimes, cross-AS fan-out, runtime escalation, and business-event termination.