DillClaw · Technical Specification · v0.1.8 Published

DillClaw Resolver (Published Specification)

The resolution layer for the Dillweed Namespace — turning stable names into trusted, invocable capabilities.

A namespace without a resolver is a map with no roads. Agents can call tools. They cannot reliably choose the right one across providers and time. DillClaw is the resolution engine for the Dillweed Namespace. It takes a namespace URI, applies trust policy, selects the best capability, and returns an invocable endpoint — in a single, auditable operation.

This document specifies the protocol, API, trust evaluation logic, integration patterns, and deployment requirements for DillClaw implementations. As the number of capabilities grows beyond human-scale, resolution becomes a prerequisite, not an optimization. At sufficient scale, capability selection becomes the bottleneck. Resolution is not optional — it is required infrastructure.

DillClaw does not replace MCP, A2A, or any capability protocol. It sits above them — providing the naming, trust, and selection layer that makes those protocols usable at scale, across providers, across time.

Version0.1.8
PublishedMay 2026
Stack Family2026.04
StatusPublished Specification

Abstract

The Dillweed Namespace Standard defines how capabilities are named and governed. DillClaw defines how they are found, evaluated, and selected. These are complementary specifications: the namespace provides stable identity; the resolver provides operational access.

DillClaw is a resolver specification and implementation layer — a structured intermediary that accepts agent queries expressed against the Dillweed namespace, consults the authoritative registry, applies trust and policy filters, and returns ranked, invocable Capability Records. It is not a proxy, not a gateway, and not a capability provider itself. Its role is resolution: mapping names to endpoints in a way that is trustworthy, auditable, and consistent across time.

Without a resolver layer, a namespace remains descriptive. DillClaw makes it operational.

This specification defines the resolution protocol, the query syntax, the trust evaluation model, the HTTP API, integration patterns for MCP and A2A, error semantics, and the caching strategy. Implementations that conform to this specification are considered DillClaw-compliant resolvers.

Scope of This Document

This document specifies the DillClaw Resolver layer only. Capability Record schema, namespace URI syntax, trust tier definitions, and governance rules are defined in the Dillweed Namespace Standard v0.4. This document defers to that specification on those topics and should be read alongside it.

Conformance Terminology

The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC 2119] [RFC 8174] when, and only when, they appear in all capitals, as shown here.

Revision 0.1.4 (June 2026)

Added §7.5 Cache Freshness and Revocation Propagation: documents the cache TTL tradeoff, operator guidance table, force-refresh semantics, and the revocation propagation guarantee (one registry refresh interval).

Revision 0.1.5 (June 2026)

Added §6.4 Score Semantics and Consumer Guidance: defines the trust score as a deterministic composite resolution index, documents what the score is and is not, provides consumer guidance ranges, and establishes the "Resolution vs. Authorization" boundary statement. Fixed example trust_score from 0.940 to 0.765 (consistent with published formula). Softened §6 intro wording from "what should be used" to "strongest verified standing."

Revision 0.1.6 (June 2026)

Fable 5 review round 1/2 fixes: H-2 phantom signal classes (ANT-AB/ANT-RD → ANT-RC/ANT-RA in A.7), H-3 unsigned registration_date disclosure in §6.2, H-4 REGISTRY_STALE removed from §8.2, M-1 TTL source corrected to "resolver-configured," M-3 §11.1 invalid-signature mitigation aligned with §6.1, M-4 probe_liveness promoted from Appendix A to §3.1/§6.1, L-5 wildcard 200-rule: rejection not truncation.

Revision 0.1.7 (June 2026)

Fable 5 review round 3 fixes: H-3 max_results semantics changed from "clamp to 50" to "reject with QUERY_MALFORMED" (matching code). M-2 months_registered formula pinned (floor(days/30.44)). SIGNATURE_FILTERED and VERSION_CONSTRAINT_FAILED added to §8.2 error table. allow_unsigned request field documented. max_results range (1–50) specified. DILLCLAW_DIAGNOSTIC_MODE documented as requiring value "1". Example resolver_version updated to 0.1.8. §7.5 revocation propagation clarified: 60-second registry refresh interval is normative, not 300-second record cache TTL.

Revision 0.1.8 (June 2026)

W0 hardening pass. §6.1 step 4: probe_liveness documented as off by default with internal-range deny-list (RFC 1918, loopback, link-local), resolved-IP pinning, and cache-TTL guard preventing re-probes within the 60-second window (DillClaw §7 MUST). §7.1: added registry snapshot cache layer documenting resolver pagination-to-completion via /list with ETag conditional fetch. §7.5: refresh interval updated to document ±20% random jitter and exponential backoff on failure (doubling, capped at 15 minutes). §8.2 error table: added 429 RATE_LIMITED with Retry-After header. Per-IP rate limiting with separate read/write budgets documented across all three services.

§ 01

Role in the Stack

DillClaw occupies a specific position in the agentic AI infrastructure stack. Understanding that position is essential to understanding what it does — and what it deliberately does not do.

L1

Human Gateway Layer

Platform-scale access, identity, and policy. Examples: Meta, Google, Apple, Microsoft, Salesforce. These layers surface capabilities to end users and enterprise systems.

L2

Dillweed Namespace Layer

Stable naming, trust accumulation, and governance. Defines the URI structure, Capability Record schema, and trust tiers. Governed by the DNSO (Dillweed Namespace Stewardship Office). Defined in the Dillweed Namespace Standard v0.4.

L3

DillClaw Resolver Layer  ← this document

Query parsing, registry lookup, trust evaluation, candidate ranking, and invocation target selection. The operational bridge between namespace and capability.

L4

Capability Layer

Individual tools, agents, APIs, and data sources registered within the Dillweed Namespace. Invoked using MCP, A2A, REST, gRPC, or custom protocols as specified in their Capability Records.

DillClaw's role is narrow by design. It does not store capabilities, does not proxy requests to them, and does not make policy decisions about which agents may invoke what. It resolves names to endpoints and returns the information needed for an agent to invoke a capability directly.

Without this layer, agents must rely on hardcoded endpoints, brittle registries, or provider-specific abstractions — none of which survive scale, substitution, or time. Today, this function is fragmented across hardcoded endpoints, provider registries, and prompt-level tool selection. DillClaw replaces that fragmentation with a single, governed resolution layer.

The Resolver Contract

Given a valid Dillweed namespace query and a caller's trust policy, DillClaw returns the best available Capability Record — or a structured explanation of why none could be returned. That is the complete contract. Everything else is implementation detail.

What This Is Not

DillClaw is not a proxy, gateway, agent runtime, policy authority, or capability provider. It does not execute agent tasks or own capability endpoints. It resolves namespace queries into ranked, signed Capability Records according to caller-supplied trust policy and documented resolver behavior.

Resolver operations produce observable coordination events — query breadth, no-match patterns, signature failures, stale-cache responses, and revocation-cache behavior — that may be emitted as Anthill signals for coordination-layer observability. DillClaw does not depend on Anthill for its normative behavior; the relationship is one of optional emission rather than required coupling. The hook interface for this emission is tracked in Appendix A.7.

§ 02

Architecture

A DillClaw Resolver consists of five functional components. These may be deployed as a single service or as independent modules; the specification is agnostic to deployment topology as long as the external behavior is conformant.

2.1 Functional Components

ComponentResponsibility
Query ParserValidates and normalizes incoming namespace queries. Rejects malformed paths before any network operation. Expands wildcard patterns into candidate path sets.
Registry ClientCommunicates with the authoritative Dillweed Registry to retrieve Capability Records matching parsed query paths. Handles registry unavailability gracefully.
Trust EvaluatorFilters and scores candidate records against the caller's declared trust policy. Applies tier minimums, permission checks, and signature verification.
Ranking EngineWhen multiple candidates remain after trust filtering, ranks them by relevance, trust tier, usage history, and version preference.
Response ComposerPackages the selected Capability Record into the standardized resolver response, including resolution metadata, trust signals, and audit identifiers.

2.2 Data Flow

1

Receive Query

Agent submits a resolution request containing a namespace path (or pattern), a minimum trust tier, required permissions, and optional context hints.

2

Parse & Validate

The Query Parser validates URI syntax, normalizes path components, and expands wildcards. Malformed queries return immediately with a structured error — no registry contact occurs.

3

Cache Check

The resolver checks its local cache for a valid, non-expired Capability Record matching the query. Cache hits bypass registry contact entirely and proceed directly to trust evaluation.

4

Registry Lookup

On cache miss, the Registry Client queries the authoritative Dillweed Registry, retrieves all matching Capability Records, and stores them in the local cache with appropriate TTLs.

5

Trust Filter & Rank

The Trust Evaluator removes records that fail the caller's minimum trust tier or lack required permissions. The Ranking Engine orders remaining candidates by trust score and contextual relevance.

6

Compose & Return

The top-ranked record is packaged into a resolver response. The response includes the full Capability Record, a resolution trace for audit, and the trust signals used in ranking.

2.3 Deployment Modes

ModeDescriptionTypical Use
HostedDillClaw operated as a shared service at a known endpoint. Agents query it via HTTP.Most agents; lowest integration overhead
EmbeddedDillClaw library linked directly into an agent runtime. Shares process with the agent.Latency-sensitive or airgapped deployments
SidecarDillClaw runs as a local process alongside an agent container, communicating over loopback.Containerized deployments requiring isolation
GatewayDillClaw integrated into a platform gateway layer, resolving on behalf of all downstream agents.Enterprise or platform-scale deployments
§ 03

Resolution Protocol

The resolution protocol defines the contract between a calling agent and a DillClaw Resolver. It specifies what a valid request contains, what a conformant response MUST include, and how failure states are communicated.

3.1 Request Structure

Resolution Request — JSON Schema
{ "query": "dllwd://research.market.*.vendors", // required "trust_minimum": "verified", // optional, default: "experimental" "permissions": ["query", "export"], // optional "version_pref": "stable", // optional: "stable" | "latest" | semver "context": { "caller_id": "agent:procurement-v2", "session_id": "sess_abc123" }, "max_results": 3, // optional, default: 1, max: 50 "allow_unsigned": false, // optional, default: false "probe_liveness": false // optional, default: false }

The version_pref field accepts three forms. "stable" selects the highest semver version (per semver.org) without a pre-release identifier and without a build-metadata tag, from among candidates surviving the trust filter. "latest" selects the highest semver version including pre-release identifiers. An explicit semver string or semver range (for example 1.2.0 or ^1.2) selects the highest version satisfying that constraint.

The max_results field accepts integers between 1 and 50. Requests specifying a value outside this range MUST be rejected with QUERY_MALFORMED. The allow_unsigned field controls whether candidates with missing or unverifiable signatures are eligible for inclusion in the result set. When false (the default), unsigned candidates are eliminated during signature filtering (§6.1). When true, unsigned candidates are retained and marked with the sig_unverified trust signal. This field implements the §6.1 provision that missing-signature candidates "MAY be returned only if caller policy permits unsigned records." A resolver MAY also support a DILLCLAW_DIAGNOSTIC_MODE environment variable that, when set to 1, enables unsigned-record inclusion globally for debugging and development contexts.

3.2 Response Structure

Resolution Response — JSON Schema
{ "status": "resolved", // "resolved" | "no_match" | "error" "query": "dllwd://research.market.*.vendors", "resolved_at": "2026-03-27T14:22:01Z", "trace_id": "trc_9f2a...", "results": [ { "rank": 1, "capability": { /* full Capability Record */ }, "trust_score": 0.765, "trust_signals": ["dnso_verified", "14mo_history", "sig_valid", "sig_verified", "endpoint_unchecked"], "cache_hit": false } ], "resolver_version": "dillclaw/0.1.8", "scoring_profile": "dillclaw-default-v1" }

The resolved_at field MUST be formatted as an RFC 3339 date-time in UTC with the Z offset and second precision (YYYY-MM-DDTHH:MM:SSZ). Non-UTC offsets and fractional seconds MUST NOT be used. This matches the format used for the last_updated field in the Registry Specification §3.1.

The scoring_profile field identifies the deterministic scoring profile under which the trust scores in this response were computed. Conformant resolvers MUST return this field; the default profile is dillclaw-default-v1, defined in §6.2. Future profiles may be introduced for governance-approved scoring variants; profile identifiers are versioned independently of this specification's document version. Callers comparing scores across responses MUST verify that the responses share the same scoring profile.

3.3 Resolution Guarantees

  • Determinism — Given the same query and registry state, a conformant resolver MUST return the same ranked result. Determinism requires pinned arithmetic for trust scoring and deterministic tie-breaking — both specified in §6.2.
  • No silent failure — Every request MUST return a structured response. A resolver that cannot answer MUST return a documented error state, never an empty body or unhandled exception.
  • Auditability — Every response MUST include a trace_id that can be used to reconstruct the full resolution decision from resolver logs.
  • Trust transparency — The trust signals used in ranking MUST always be returned alongside the result, so the calling agent can evaluate the basis for selection.
  • Signature pass-through — DNSO cryptographic signatures on Capability Records MUST NOT be stripped or modified by the resolver. The agent receives them verbatim for independent verification.
§ 04

Query Language

DillClaw queries are expressed as Dillweed namespace URIs, extended with a small set of matching operators. The query language is deliberately minimal — sufficient for precise and pattern-based resolution, but not expressive enough to become a general-purpose query system with attendant complexity.

4.1 Exact Match

A fully qualified path resolves to exactly one registered capability:

Exact match
dllwd://research.market.intel.vendors

4.2 Wildcard Matching

A single asterisk (*) matches any single path component. This allows agents to express intent at a category level without specifying an exact provider:

Wildcard — match any capability in the market.intel subcategory
dllwd://research.market.*.vendors
Wildcard — match any capability in the research.market category
dllwd://research.market.*

4.3 Version Pinning

A version suffix pins the query to a specific capability version or range:

Version pin — exact
dllwd://research.market.intel.vendors:1.2.0
Version pin — semver range (stable minor)
dllwd://research.market.intel.vendors:^1.2

4.4 Query Constraints

  • Wildcards MUST NOT appear in the first path component (the domain segment)
  • A query MUST contain at most two wildcards
  • Double-star (**) recursive matching is not supported; a future revision may introduce it (see Appendix A)
  • A wildcard query whose expansion would match more than 200 candidates MUST be rejected with QUERY_TOO_BROAD (see §8.2). The caller is expected to narrow the query.
  • Queries with no matching results MUST return status: "no_match" with a documented reason — never an empty results array without explanation
§ 05

API Reference

A DillClaw Resolver exposes a minimal HTTP API. All endpoints accept and return application/json. Authentication is OPTIONAL but RECOMMENDED for production deployments.

5.1 Core Endpoints

POST /resolve

Primary resolution endpoint. Accepts a resolution request body and returns a ranked list of matching Capability Records. This is the only endpoint required for a minimally conformant implementation.

Minimal request
POST /resolve HTTP/1.1 Content-Type: application/json { "query": "dllwd://research.market.intel.vendors" }
GET /capability/{path}

Direct Capability Record retrieval by fully qualified namespace path. Returns a single record or 404 if not found. No trust filtering is applied — the raw registered record is returned. Useful for verification and tooling workflows.

Example
GET /capability/research.market.intel.vendors HTTP/1.1
GET /health

Returns resolver health status, current registry connection state, cache statistics, and the resolver's own version string. REQUIRED for all conformant implementations.

GET /trace/{trace_id}

Returns the full resolution trace for a past resolution operation, identified by the trace_id included in every response. Enables audit and debugging. Traces SHOULD be retained for a minimum of 72 hours; production deployments may retain traces longer for compliance purposes.

POST /batch

Accepts an array of resolution requests (maximum 50 per batch) and returns an array of responses in matching order. Useful for agents that need to resolve multiple capabilities in a single operation. Partial failure is permitted — individual request failures return error objects in-place without failing the entire batch.

5.2 Request Headers

HeaderRequiredDescription
Content-TypeYesMUST be application/json
X-DillClaw-CallerNoCaller identifier for audit logging. RECOMMENDED for production.
X-DillClaw-SessionNoSession identifier for grouping related resolution operations in traces.
AuthorizationNoBearer token if the resolver requires authentication. An authenticated caller identity model is anticipated in a future revision; see Appendix A.
§ 06

Trust Evaluation Engine

Trust evaluation is the core value proposition of DillClaw beyond simple registry lookup. A raw registry can return what exists. DillClaw determines which eligible capability has the strongest verified standing — through a documented, auditable evaluation process applied to every candidate.

The trust score ranks candidates that survive hard eligibility filters; it does not override tier gates, permission checks, signature policy, or caller-defined constraints. Scoring is a ranking mechanism applied to already-eligible candidates, not an authorization decision.

6.1 Evaluation Pipeline

1

Tier Gate

Any candidate with a trust tier below the caller's trust_minimum MUST be rejected immediately. This is a hard filter — no scoring applied to eliminated candidates.

2

Permission Check

Any candidate lacking a required permission from the caller's permissions array MUST be rejected. Permission checking is exact-match only; richer permission semantics are anticipated in a future revision (see Appendix A).

3

Signature Verification

DNSO cryptographic signatures MUST be verified against the DNSO public key published at https://dillweed.com/dnso_public.pem (per Registry Specification §5.4). Candidates with invalid signatures MUST be rejected unless the resolver is operating in an explicitly declared diagnostic mode. Candidates with missing signatures MAY be returned only if caller policy permits unsigned records, and MUST be marked sig_unverified. The distinction is architectural: an invalid signature is evidence of tampering or key mismatch and warrants rejection; a missing signature reflects record-state incompleteness (legacy records, mirror gaps) and remains a caller-policy decision.

4

Endpoint Liveness

Endpoint liveness probing is OPTIONAL and off by default. The caller MAY request probing by setting probe_liveness: true in the resolution request (§3.1). When enabled, the resolver attempts to contact the candidate's endpoint via HEAD request and reflects the result in the liveness signal (live = 1.0, unreachable = 0.0, unchecked = 0.5). The resolver MUST enforce an internal-range deny-list rejecting probes to RFC 1918 private addresses, loopback (127.0.0.0/8, ::1), and link-local ranges to prevent SSRF amplification. The resolver MUST pin the resolved IP address and verify it does not fall within the deny-list, regardless of the hostname used in the endpoint URL. Probe results are cached per TTL (default 60 seconds); probes MUST NOT be repeated for the same endpoint within the cache window (§7.1).

5

Trust Scoring

Surviving candidates are scored on a 0–1 scale using the pinned formula specified in §6.2.

6.2 Trust Score Composition

Trust scores are computed deterministically using the formula and signal values specified below. Every conformant resolver MUST produce the same trust score for the same candidate given the same inputs — this is the foundation of the determinism guarantee in §3.3.

SignalWeightValue Domain
Trust tier0.40canonical = 1.0, verified = 0.85, trusted = 0.65, experimental = 0.30
Usage history0.30min(months_registered, 24) / 24 (linear, clamped). months_registered is defined as floor(days_since_registration / 30.44) where days_since_registration is the integer number of UTC days between the record's registration_date and the evaluation date. The constant 30.44 is the mean Gregorian month length in days (365.25/12). Conformant implementations MUST use this formula to satisfy the determinism guarantee.
Signature validity0.20Present and valid = 1.0, absent = 0.5, invalid = 0.0
Endpoint liveness0.10Reachable = 1.0, unchecked = 0.5, unreachable = 0.0

The aggregate score is the weighted sum of the four signal values:

Aggregate formula
score = 0.40 · tier + 0.30 · history + 0.20 · sig + 0.10 · liveness

The aggregate score MUST be rounded to three decimal places using banker's rounding (round-half-to-even, IEEE 754 roundTiesToEven). For example, a raw value of 0.7245 rounds to 0.724; 0.7255 rounds to 0.726. Conformant implementations MUST produce byte-identical rounded values for the same inputs.

The weights and signal value mappings above define the default scoring profile, identified as dillclaw-default-v1. Future governance-approved profiles may revise weights or signal mappings, provided that profile identifiers are returned in resolver responses (see §3.2) and that scoring remains deterministic within each profile. The determinism guarantee in §3.3 holds within a profile, not across profiles. Profile versioning is independent of this specification's document version: the profile identifier tracks scoring behavior, not document edits.

Security Note: Unsigned Usage History

The usage-history component (weight 0.30) is derived from the registration_date field, which is not included in the signed field set defined in Registry Specification §5.2. The ten signature-protected fields are: description, endpoint, input_schema, last_updated, name, output_schema, permissions, protocol, trust_tier, and version. A mirror, cache, or intermediary could modify registration_date — for example, backdating it to inflate usage-history credit — without invalidating the DNSO signature.

Consumers operating in high-assurance contexts SHOULD treat the usage-history component as based on unsigned data. A future signing-profile revision is expected to add registration_date to the signed field set. Until then, resolvers MAY cap or zero the usage-history component when the field cannot be verified as originating from the authoritative registry.

6.3 Tie-Breaking

When two candidates produce identical rounded trust scores, the ranking engine MUST break the tie as follows, evaluating each rule in order until the tie is resolved:

  • Rule 1 — Namespace path. Ascending lexicographic order on the fully qualified namespace path, comparing UTF-8 bytes. Since namespace components are restricted to lowercase ASCII (per Registry Specification §3.1), this is equivalent to ASCII sort order.
  • Rule 2 — Semver version. Ascending semver precedence (per semver.org §11) on the capability version string.

No further tie-breaking rules are defined; the combination of namespace path and version is unique per active record by registry design, so these two rules suffice to order any candidate set deterministically.

On Trust Score Transparency

Trust scores are always returned with their constituent signals, never as a single opaque number. An agent receiving a result with a score of 0.724 SHOULD also receive the breakdown showing why — so it can apply its own judgment to the resolver's recommendation rather than treating it as authoritative.

6.4 Score Semantics and Consumer Guidance

The trust_score is a deterministic composite resolution index produced by a named scoring profile. It represents the resolver's current assessment of a capability record's standing based on declared trust tier and verifiable resolution signals at the time of resolution.

What the Score Is

  • Deterministic — the same record resolved under the same scoring profile always produces the same score. The formula, weights, signal values, and rounding rules are fully specified in §6.2.
  • Composite — the score combines four independent signals (trust tier, usage history, signature validity, endpoint liveness), each weighted and bounded between 0 and 1.
  • Profile-relative — scores are meaningful only within a named scoring profile. Consumers comparing scores across responses MUST verify that the responses share the same scoring_profile value.
  • An explanatory resolver output — the score explains the resolver's assessment. It is returned alongside the trust_signals array so that consumers can evaluate the basis for the assessment rather than treating the number as opaque.

What the Score Is Not

  • The trust score is not a probability of safety, correctness, or reliability. A score of 0.85 does not mean an 85% chance of trustworthiness.
  • The trust score is not an authorization decision. The resolver resolves capability standing; it does not decide whether the caller should invoke the capability. Authorization, admissibility, and execution governance are the responsibility of the consumer's own policy layer.
  • The trust score is not a guarantee of any kind. A high score indicates that the verifiable signals available to the resolver were favorable at the time of resolution. It does not certify the quality, safety, or correctness of the underlying capability.
  • The trust score is not comparable across scoring profiles. A score of 0.70 under dillclaw-default-v1 has no defined relationship to a score of 0.70 under a future profile with different weights.

Consumer Guidance

The resolver does not enforce accept/reject thresholds. Different consumers will have different tolerance levels depending on their deployment context and risk posture. The following table provides interpretive guidance under the dillclaw-default-v1 profile:

Score RangeTypical StandingInterpretation
0.00 – 0.24Low / incompleteRecord has weak or absent signals. Signature may be missing or invalid. Suitable only for development or testing contexts where trust is not required.
0.25 – 0.49ExperimentalRecord exists and may have a valid signature, but trust tier is experimental and/or registration history is short. Suitable for evaluation, prototyping, and low-consequence invocation.
0.50 – 0.74VerifiedRecord has verified trust tier, valid DNSO signature, and some registration history. Suitable for general-purpose resolution where the consumer applies its own policy layer.
0.75 – 0.89Strong verified / canonicalRecord has high trust tier, valid signature, substantial registration history, and potentially a confirmed-live endpoint. Suitable for enterprise and cross-organization resolution.
0.90 – 1.00ReservedReserved for future high-assurance scoring profiles that may incorporate additional verification signals beyond those defined in dillclaw-default-v1.

These ranges are guidance, not policy. Consumers SHOULD establish their own minimum score thresholds based on their deployment context, risk tolerance, and regulatory requirements. The resolver's role is to compute and return the score transparently; the consumer's role is to decide what to do with it.

Boundary: Resolution vs. Authorization

The trust score answers: "What is the current standing of this capability under this scoring profile?" It does not answer: "Should this capability be invoked in this context?" That second question belongs to the consumer's execution governance layer — which may consider factors the resolver cannot observe, including organizational policy, regulatory constraints, caller identity, budget limits, and real-time risk conditions. Capability resolution provides the trust evidence that execution governance consumes; it does not substitute for it.

§ 07

Caching & Performance

Resolution latency is a first-class concern. For agentic systems making many capability decisions in sequence, resolver overhead accumulates quickly. DillClaw's caching model is designed to make the common case — repeated resolution of stable, frequently-used capabilities — extremely fast.

7.1 Cache Architecture

  • Registry snapshot cache — The resolver maintains a complete local snapshot of the Registry's active record set, refreshed periodically via the Registry's /list endpoint. On each refresh, the resolver MUST paginate to completion: fetching successive pages (using limit and offset) until all records indicated by the total envelope field have been retrieved. The resolver SHOULD send If-None-Match with the previously received ETag on each refresh; a 304 Not Modified response indicates the catalog has not changed and no records need to be re-fetched.
  • Local record cache — Capability Records retrieved from the registry are cached locally. Cache key is the fully qualified namespace path. TTL is resolver-configured (default 300 seconds).
  • Liveness probe cache — Endpoint liveness results are cached independently with a shorter TTL (default: 60 seconds). Probes MUST NOT be repeated on every resolution request.
  • Negative cache — Not-found responses from the registry are cached with a short TTL (default: 30 seconds) to prevent thundering-herd behavior on repeated queries for nonexistent paths.

7.2 TTL Rules

Cache TypeSource of TTLDefault TTLMaximum TTL
Capability RecordResolver-configured300s3600s
Endpoint livenessResolver-configured60s300s
Negative (not found)Resolver-configured30s120s
Stale-while-revalidate windowResolver-configured900s1800s

The stale-while-revalidate window governs how long a resolver may continue serving stale cached records after the registry becomes unreachable. When the window expires, subsequent requests MUST return REGISTRY_UNAVAILABLE rather than older stale data.

7.3 Stale-While-Revalidate

When the registry is unreachable, DillClaw MUST NOT fail open by silently serving stale data without disclosure. Conformant behavior: serve the most recently cached Capability Record if within the stale window, and include a stale: true flag and cached_at timestamp (RFC 3339 UTC, second precision, per §3.2) in the response. If no cached record exists and the registry is unreachable, return a structured error.

7.4 Performance Targets

ScenarioTarget P50Target P99
Cache hit, no liveness probe< 5ms< 20ms
Cache miss, registry reachable< 80ms< 300ms
Cache miss + liveness probe< 150ms< 500ms

7.5 Cache Freshness and Revocation Propagation

Caching introduces a freshness window during which the Resolver may serve data that is no longer current at the Registry. If a capability record is revoked at the Registry, the revocation does not take effect at the Resolver until the cached entry expires and is refreshed. During this window, the Resolver will continue to return the pre-revocation record as valid.

This is an intentional design tradeoff between two competing requirements:

  • Performance and availability — cached resolution avoids per-request Registry latency and allows the Resolver to continue operating during temporary Registry unavailability (the stale-while-revalidate property documented in §7.3).
  • Revocation freshness — the guarantee that a revoked capability is no longer returned as valid by any Resolver in the system.

A shorter TTL improves revocation freshness at the cost of increased Registry load and reduced availability during outages. A longer TTL improves performance and resilience at the cost of a wider revocation propagation window.

Operator Guidance

Conformant implementations MUST document their cache TTL and refresh behavior. Operators SHOULD configure the TTL based on their deployment's freshness requirements.

Deployment ContextRecommended TTLRationale
Development / testing10–30sFaster feedback during capability registration and revocation testing
General-purpose resolution30–120sBalances performance with reasonable revocation propagation delay
High-assurance resolution5–15sMinimizes the revocation window for security-critical capability resolution
Airgapped / resilience-critical300s+Prioritizes availability over freshness; accepts wider revocation window

Operators deploying Resolvers for high-assurance contexts — where the revocation of a capability must take effect as quickly as possible — SHOULD configure a shorter TTL and SHOULD monitor Registry fetch latency to ensure the TTL does not exceed the Registry's ability to respond.

Force-Refresh Semantics

A conformant Resolver MAY support a force-refresh mechanism that bypasses the cache and fetches the current record directly from the Registry. If supported:

  • Force-refresh MUST be explicitly requested by the caller. It MUST NOT be the default behavior, as it defeats the purpose of caching.
  • Force-refresh SHOULD be rate-limited to prevent abuse.
  • Force-refresh MUST return the same response structure as a cached resolution, with the cache_hit field set to false.

The reference implementation does not currently support force-refresh. This is tracked as a future enhancement (see Appendix A).

Freshness Guarantee

The Dillweed Namespace's trust model asserts that capability standing should be verified at the moment of use — not cached from initial approval or registration time. The cache TTL does not contradict this principle; it bounds the operational definition of "at the moment of use":

  • A resolution performed within the TTL window is operationally current.
  • A resolution performed after TTL expiry triggers a fresh Registry fetch.
  • Between these two states, the stale-while-revalidate property (§7.3) ensures the Resolver remains available while a background refresh completes.

The freshness guarantee is therefore bounded, not absolute. The TTL defines the maximum acceptable age of a resolution result. Operators who require absolute freshness (zero cache window) MAY configure the TTL to zero, but SHOULD understand that this eliminates the availability benefit of caching and creates a hard dependency on Registry uptime.

Revocation Propagation Guarantee

A conformant Resolver MUST guarantee that a revoked capability record is no longer returned as valid within one registry refresh interval after the revocation is committed at the Registry. The reference implementation refreshes its registry snapshot at a base interval of 60 seconds (configurable via DILLCLAW_REGISTRY_REFRESH_MS), with ±20% random jitter applied to each cycle to prevent synchronized polling across resolver fleets. On registry fetch failure, the resolver applies exponential backoff (doubling the interval on each consecutive failure, capped at 15 minutes) and resumes the base interval on the first successful fetch. Under failure backoff, the effective revocation propagation bound may exceed the base interval; operators SHOULD monitor resolver health endpoints to detect extended stale windows. Implementations that use a different refresh mechanism — for example, per-record TTL-driven cache invalidation rather than snapshot refresh — MUST document their revocation propagation bound and ensure it does not exceed the operator-configured refresh interval. Implementations with cascading caches or asynchronous replication that introduce additional propagation delay MUST document that delay.

§ 08

Error Handling

Every error state in DillClaw MUST return a structured JSON response with a machine-readable error code, a human-readable message, and where applicable, a corrective suggestion. HTTP status codes are used in the conventional way. No error state results in an empty body.

8.1 Error Response Format

Error Response
{ "status": "error", "error_code": "QUERY_MALFORMED", "message": "Path component 'RESEARCH' must be lowercase ASCII", "suggestion": "Use 'research' instead of 'RESEARCH'", "trace_id": "trc_err_7c3f...", "query": "dllwd://RESEARCH.market.intel" }

8.2 Error Codes

HTTPError CodeMeaning
400QUERY_MALFORMEDNamespace URI fails syntax validation. Resolver stopped before registry contact.
400QUERY_TOO_BROADWildcard pattern would match more than 200 candidates. Narrow the query.
404NO_MATCHQuery is valid but no registered capabilities match it.
404TRUST_FILTEREDCandidates exist but all were eliminated by the caller's trust policy.
422PERMISSION_MISMATCHCandidates exist and meet trust tier, but none carry all required permissions.
404SIGNATURE_FILTEREDCandidates exist but all were eliminated by signature eligibility. All candidates had missing or invalid signatures and the request did not permit unsigned records.
404VERSION_CONSTRAINT_FAILEDCandidates exist but none satisfy the caller's version_pref constraint.
503REGISTRY_UNAVAILABLEResolver could not contact the authoritative registry and has no valid cached data.
429RATE_LIMITEDPer-IP rate limit exceeded. Includes a Retry-After header indicating seconds until the window resets.
500RESOLVER_FAULTInternal resolver error. Includes trace ID for diagnostics. Should be reported.
§ 09

Integration Guide

DillClaw is designed to be integrated into existing agent runtimes with minimal friction. The resolution step slots naturally between the point at which an agent identifies a capability need and the point at which it invokes an endpoint.

9.1 MCP Integration

For agents using the Model Context Protocol, DillClaw resolution can replace or augment hardcoded tool definitions. Instead of embedding tool endpoints in system prompts or configuration files, the agent resolves capabilities at runtime:

MCP integration pattern — pseudocode
# Instead of: tool = hardcoded_tools["vendor_comparison"] result = dillclaw.resolve( query = "dllwd://research.market.intel.vendors", trust_min = "verified", permissions = ["query", "export"] ) # Result contains MCP-compatible endpoint and schema tool = MCPTool( endpoint = result.capability.endpoint, input_schema= result.capability.input_schema, protocol = "mcp" ) response = tool.call(vendor_list)

9.2 A2A Integration

For agent-to-agent communication using A2A, DillClaw can resolve target agents by namespace path rather than by hardcoded agent card URL. This allows agent networks to remain stable even as underlying agent implementations change providers or infrastructure:

A2A integration pattern — pseudocode
# Resolve the target agent by namespace path result = dillclaw.resolve( query = "dllwd://agents.analysis.financial.*", trust_min= "trusted" ) # Use the resolved endpoint to fetch the A2A agent card agent_card = A2A.fetch_card(result.capability.endpoint) response = A2A.send_task(agent_card, task_payload)

9.3 REST / Direct Invocation

For capabilities exposed as plain REST APIs, the resolved endpoint is used directly. DillClaw returns the full Capability Record including input and output schemas, which the agent can use to construct and validate its request without additional documentation lookup:

REST integration pattern — pseudocode
result = dillclaw.resolve("dllwd://data.enrichment.company.profile") # Validate request body against resolved input schema validate(request_body, result.capability.input_schema) # Invoke directly response = http.post( url = result.capability.endpoint, body = request_body )

9.4 Recommended Integration Pattern

  • Resolve once, cache locally — For capabilities used repeatedly in a session, resolve once and retain the result in agent-level memory. Do not call the resolver on every tool invocation.
  • Use trace IDs in logs — Include the trace_id from each resolution response in your agent's audit logs. This enables post-hoc debugging if a resolved capability later behaves unexpectedly.
  • Handle TRUST_FILTERED gracefully — Design agents to surface trust filter rejections to their orchestrators rather than silently failing or falling back to lower-trust alternatives without acknowledgment.
  • Verify DNSO signatures independently — For high-stakes capability invocations, verify the DNSO signature in the returned Capability Record against the public key published at https://dillweed.com/dnso_public.pem rather than relying solely on resolver trust evaluation.
§ 10

A Worked Example

To make the resolver mechanics concrete, the following traces a single resolution operation from the agent's perspective through to invocation — showing each protocol step and the data at each stage.

End-to-End Trace Financial analysis agent resolving a company enrichment capability
1

Agent identifies capability need

A financial analysis agent needs to enrich a company identifier with current firmographic data. It has been configured to use the Dillweed namespace for capability resolution rather than a hardcoded endpoint.

2

Agent submits resolution request

The agent posts to /resolve with query dillweed://data.enrichment.company.*, trust_minimum: "verified", and permissions: ["query", "export"]. The * wildcard signals intent to find the best available enrichment capability, not a specific provider.

3

DillClaw parses and checks cache

The Query Parser validates the URI and expands the wildcard. The cache contains a 4-minute-old record for data.enrichment.company.profile within TTL — the registry is not contacted. Trust evaluation proceeds against the cached record.

4

Trust evaluation filters and scores

Three candidates exist in the expanded match set. One is experimental — eliminated by tier gate. One is trusted but lacks the export permission — eliminated by permission check. The remaining candidate is verified, carries a valid DNSO signature, and has 18 months of continuous registration. Applying the §6.2 formula: 0.40·0.85 + 0.30·(18/24) + 0.20·1.0 + 0.10·0.5 = 0.340 + 0.225 + 0.200 + 0.050 = 0.815. Trust score: 0.815.

5

Response returned to agent

DillClaw returns status: "resolved" with the full Capability Record, trust score 0.815, signals ["dnso_verified", "18mo_history", "sig_valid", "sig_verified", "endpoint_unchecked"], cache_hit: true, and a trace_id. Total resolver latency: 3ms.

6

Agent validates signature and invokes

The agent verifies the DNSO signature independently, validates its request payload against the returned input_schema, then calls the resolved endpoint directly. The resolver is not in the invocation path — it returned the map; the agent navigates it.

What This Trace Demonstrates

The agent never knew the underlying provider. It never needed to. It expressed an intent, received a trusted endpoint, verified it cryptographically, and invoked. If the underlying provider changes next week, the namespace path remains stable, the trust signals are re-evaluated at the next resolution, and the agent's code is unchanged.

§ 11

Security Model

DillClaw's security model is deliberately limited to the resolver's scope: it does not attempt to secure capability invocation, enforce access control at the capability layer, or authenticate agents to providers. It secures the resolution step only. Production deployments SHOULD enforce per-IP or per-token rate limits on wildcard and batch resolution requests.

11.1 Threat Model

ThreatMitigation
Registry poisoningDNSO cryptographic signatures on Capability Records. Candidates with invalid signatures MUST be rejected (§6.1); candidates with missing signatures are eligible only when the caller explicitly permits unsigned records via allow_unsigned. In diagnostic mode, invalid-signature candidates may be scored (sig = 0.0) for inspection purposes.
Cache poisoningTTLs enforced strictly. Cached records include the DNSO signature, verified at scoring time regardless of cache source.
Resolver impersonationResolvers SHOULD be identified by DNS + TLS. A resolver identity certificate model is anticipated in a future revision; see Appendix A.
Stale trust signalsStale responses are disclosed explicitly. Agents MAY reject stale results by policy. Trust score does not degrade on staleness alone.
Query enumerationWildcard queries matching more than 200 candidates are rejected with QUERY_TOO_BROAD. Production deployments SHOULD enforce per-IP or per-token rate limits on wildcard and batch queries.

11.2 What DillClaw Does Not Secure

  • The capability endpoint itself — authentication and authorization to the capability are the provider's responsibility
  • The content of capability responses — DillClaw makes no representation about what a capability returns
  • Agent identity — the current specification does not authenticate which agent is making a resolution request. A caller-identity model is anticipated in a future revision; see Appendix A.
  • Data in transit to the capability — TLS for the resolution request is expected; TLS for the capability invocation is the agent's responsibility
§ 12

What Must Be Built

This specification describes a protocol and an architecture. DillClaw becomes real infrastructure only through implementation and demonstrated operation. The following milestones define the minimum viable resolver — the point at which this specification stops being a proposal and becomes a running system. As of this revision, the Node.js reference implementation operating in local deployment has achieved milestones 01 and 02; the remaining milestones define the path to public availability.

01

Conformant Resolver Implementation

A working implementation of the /resolve and /health endpoints, passing against a reference test suite. Language-agnostic; the first implementation may be any stack.

02

Live Registry Connection

The resolver connected to a live Dillweed Registry endpoint returning real Capability Records for at least three registered capabilities across two namespace categories.

03

End-to-End Resolution Trace

A publicly documented resolution trace — query in, Capability Record out, DNSO signature verified — demonstrating the full protocol path as specified in §10.

04

MCP or A2A Integration Example

A working integration with at least one of MCP or A2A, demonstrated with a real agent making at least one capability invocation via a DillClaw-resolved endpoint.

05

Public Reference Deployment

A hosted DillClaw endpoint at a stable URL (DillClaw.ai or equivalent) accepting resolution requests from any caller, with uptime monitoring and a public health status page.

§ 13

Relationship to DNS

The architectural parallels between DillClaw and DNS are intentional and instructive — but the analogy has limits that are worth stating explicitly.

13.1 Where the Analogy Holds

DNS
  • Maps human-readable names to IP addresses
  • Hierarchical namespace with a governed root
  • Caching at multiple layers for performance
  • Authoritative + recursive resolver model
  • Stable names survive infrastructure changes
DillClaw
  • Maps semantic names to invocable endpoints
  • Hierarchical namespace with a governed root
  • Caching at resolver layer with TTL discipline
  • Authoritative registry + resolver model
  • Stable names survive provider changes

13.2 Where the Analogy Breaks Down

  • DNS resolves to addresses; DillClaw resolves to capabilities. A Capability Record contains semantics, schemas, permissions, and trust signals that have no DNS equivalent. The resolution result is richer.
  • DNS is neutral about content; DillClaw is not. Trust evaluation, permission filtering, and contextual ranking are core to DillClaw's function. DNS does not rank results or filter based on caller policy.
  • DNS operates at network layer; DillClaw operates at application layer. DillClaw is not a replacement for DNS — it uses DNS for its own endpoint routing and relies on TLS in the conventional way.
  • DNS has a 40-year installed base; DillClaw has none yet. The analogy is structural, not a claim of equivalence. DillClaw earns legitimacy through adoption, not through comparison to infrastructure that already won.
DNS tells you where a server is.
DillClaw tells you what to trust and use.
Relationship to the Dillweed Namespace Standard

DillClaw is the operational layer for the Dillweed Namespace. The namespace defines what can exist and what it means. DillClaw defines how it is found, evaluated, and selected. Neither document is complete without the other. The full infrastructure is the combination: a governed naming layer and a conformant resolver that brings those names into operational reality.

13.3 Attestation Scope: Namespace Layer vs. Hardware and Code Layer

DillClaw performs namespace-layer attestation — a distinct and narrower operation than the hardware attestation and code integrity verification performed by trusted execution environments, TPM-based platforms, and supply-chain security systems. Understanding this distinction matters both for correct implementation and for accurate descriptions of what DillClaw can and cannot guarantee.

What DillClaw attests: DillClaw verifies that a Capability Record — comprising a namespace path, endpoint URL, declared trust tier, permissions, protocol, and schema metadata — was signed by the DNSO private key and has not been altered since signing. This is a statement about the registry record, not about the software running at the endpoint. A capability that passes DillClaw signature verification is a capability whose declared metadata is authentic. It is not a statement that the endpoint is running unmodified code, that the server hardware is in a known good state, or that the software supply chain is intact.

What DillClaw does not attest: DillClaw does not perform firmware attestation, Trusted Platform Module (TPM) quote verification, Trusted Execution Environment (TEE) attestation, or any form of remote code measurement. It does not verify that the binary running at a capability endpoint matches a known-good hash, that the server operating system has not been modified, or that the execution environment is isolated from compromise. These are application-layer and infrastructure-layer concerns that fall outside the namespace coordination layer.

Why the distinction matters: Hardware and code attestation systems — such as those used in confidential computing, secure enclaves, and hardware root-of-trust architectures — attest the integrity of an execution environment at a given moment. Namespace-layer attestation, as performed by DillClaw, attests the integrity of a coordination record over time. Both are valid and complementary forms of trust evidence. A well-governed agent system may use both: DillClaw to establish that a capability's identity and declared metadata are authentic, and a separate attestation layer to establish that the endpoint's execution environment is trustworthy at the time of invocation.

Scope Summary

DillClaw answers: Is this capability record authentic and unaltered? It does not answer: Is the software running at this endpoint unmodified? The first question is a namespace concern. The second is an infrastructure concern. Conflating them produces an inflated security claim that the specification does not make and the implementation does not provide.

APPENDIX A

Future Work (Non-Normative)

This appendix records items intended for a future revision of the DillClaw Resolver Specification. It is non-normative: nothing in this appendix imposes conformance requirements on implementations of this specification. It is included to disclose the anticipated direction of the specification so that implementers can make informed decisions about extensibility and ecosystem participants can plan for forthcoming changes.

A.1 Resolver Authentication and Caller Identity

The current specification treats the Authorization header as optional with no prescribed format, and does not authenticate the agent making a resolution request. A future revision is expected to define: (a) a bearer-token format and validation contract for resolver authentication, (b) a caller-identity attestation model that allows a resolver to verify the agent making each request, and (c) the resolver identity certificate model referenced in §11.1 for mitigating resolver-impersonation threats. These changes will affect §5.2, §11.1, and §11.2.

A.2 Caller-Controlled Endpoint Liveness Probing

The probe_liveness request field has been promoted to §3.1 and §6.1 as of v0.1.8. Future work may extend this to support enumerated probe modes (e.g., shallow HTTP HEAD vs. deep health-check) and per-endpoint probe configuration.

A.3 Richer Permission Semantics

The current specification performs exact-string matching on permissions declared by the caller against permissions declared by the capability. A future revision is expected to introduce structured permission scopes, hierarchical permissions (for example data.read implying data.read.metadata), and permission negotiation where a capability may declare that it conditionally supports permissions depending on caller identity. This change will affect §6.1.

A.4 Recursive Wildcard Matching

The current specification supports single-asterisk wildcards matching exactly one namespace component, with a limit of two wildcards per query. A future revision is expected to evaluate the addition of recursive wildcard matching (**) for matching any number of intervening components, subject to stricter candidate-expansion limits to prevent query cost amplification. This change will affect §4.2 and §4.4.

A.5 Internationalized Namespace Components in Queries

The current specification restricts namespace components in queries to lowercase ASCII letters, digits, and hyphens, matching the Registry Specification §3.1 naming rule. A future revision is expected to extend the query syntax to accept internationalized names encoded per IDNA 2008 (RFC 5891) punycode once the registry accepts such names. This change will affect §4.1, §4.2, and §8.

A.6 Trust Signal String Format

The current specification returns trust signals as unstructured strings in the trust_signals response array (for example "18mo_history"). A future revision is expected to pin the exact format of these strings — regular expressions, casing rules, zero-padding for numeric components — so that callers parsing signal strings produce consistent results across conformant resolvers. This change will affect §3.2 and §10.

A.7 Anthill Integration

This specification does not address integration with the Dillweed Anthill Observability Plane Specification, which describes resolver-side hooks for generating ANT-RC (Revocation Cascade) and ANT-RA (Resolution Anomaly) signals from resolution and verification activity (Anthill §4). A future revision is expected to define the hook interface, including conformance level for signal emission, delivery model (push to an Anthill aggregation endpoint or pull from a Resolver-exported feed), signal payload schema, and configuration surface by which a Resolver operator binds to a specific Anthill aggregation endpoint and signing key. This change will affect a new Resolver section addressing observability integration, and is intended to be developed jointly with the corresponding revision of the Anthill specification.

Role in the Dillweed Namespace Stack
The DillClaw Resolver Specification defines the resolution protocol — how a dillweed:// namespace URI is resolved to a verified, trust-scored, invocable capability endpoint across organizational boundaries.
System Flow
Namespace Standard Resolver ◀ you are here Registry Governance Operations Charter Anthill Observability GSP-01 Continuity