https://notes.karlmcguinness.com/tags/captive-portal/Recent content in Captive Portal on Control Plane by Karl McGuinnessHugoen-uspublic@karlmcguinness.com (Karl McGuinness)public@karlmcguinness.com (Karl McGuinness)Mon, 01 Jun 2026 09:00:00 -0700https://notes.karlmcguinness.com/notes/a-blocked-agent-is-a-captive-client/Mon, 01 Jun 2026 09:00:00 -0700public@karlmcguinness.com (Karl McGuinness)https://notes.karlmcguinness.com/notes/a-blocked-agent-is-a-captive-client/Long-running agents discover mid-task that they need a destination their egress proxy does not allow, and the block comes back as an opaque connection failure with no machine-actionable way to ask for access and no human standing by. That block is a requestable denial, and the egress proxy is a policy enforcement point. RFC 8908, the Captive Portal API, already standardizes the recovery handshake for blocked clients on a network. Two early proposals put the requestable denial inside the captive portal response: one at the destination level on the AuthZEN Access Request profile, one at the operation level on AAuth and Mission-bound authority. They are siblings on different substrates, and the choice between them is altitude, not a winner.