Whitepaper
CAP-402: Agent Infrastructure Standard
A Protocol for Semantic Capability Routing Between Autonomous Agents
Abstract
As autonomous AI agents proliferate across industries, a critical infrastructure gap has emerged: there is no standard protocol for agents to discover, negotiate, and execute capabilities from other agents or services. CAP-402 addresses this gap by introducing a semantic capability routing protocol that provides privacy-aware, economically-signaled execution with verifiable receipts.
CAP-402 uniquely combines three complementary cryptographic technologies—Noir for zero-knowledge proofs, Arcium for confidential computation, and Inco for encrypted on-chain state—to deliver a complete privacy stack that enables fully private, verifiable, agent-driven authorization and execution.
1. Introduction
This whitepaper presents the CAP-402 protocol specification, its architecture, security model, and economic framework. We demonstrate how CAP-402 enables a new paradigm where agents do not call APIs directly—agents call capabilities.
1.1 Design Principles
- Capabilities over APIs: Abstract what can be done, not how it's implemented
- Privacy by default: Support confidential execution as a first-class feature
- Economic signaling: Enable value exchange without custody
- Verifiable execution: Every invocation produces a cryptographic receipt
- Progressive decentralization: Start centralized, evolve to fully decentralized
1.2 Key Innovation
CAP-402's primary differentiator is its unified privacy stack. While most applications choose a single privacy technology, CAP-402 integrates three complementary systems:
| Technology | Role | Output |
|---|---|---|
| Noir | Proves private facts | ZK Proofs |
| Arcium | Decides privately using hidden logic | Signed Decisions |
| Inco | Stores & executes privately on-chain | Encrypted State |
2. Problem Statement
2.1 The Current Landscape
Today's agent ecosystem suffers from critical limitations:
| Problem | Impact |
|---|---|
| No discovery standard | Agents must hard-code API endpoints |
| No privacy layer | All operations are visible, enabling front-running |
| No economic coordination | Ad-hoc pricing, no micropayments |
| No trust framework | No way to verify agent capabilities |
| No composability | Each integration built from scratch |
2.2 The Privacy Crisis
Traditional blockchain applications leak everything:
- Trading strategies — Competitors can copy or front-run
- User balances — Portfolio exposure to adversaries
- Order logic — MEV bots exploit visible intents
- Risk models — Proprietary algorithms become public
- AI prompts/weights — Intellectual property exposed
2.3 Consequences
Without a standard protocol:
- MEV extraction: Trading agents lose $500+ per large swap to front-runners
- Data exposure: Portfolio queries reveal positions to competitors
- Vendor lock-in: Agents tied to specific service providers
- Integration overhead: 10x development time for each new capability
- Trust vacuum: No reputation system for agent reliability
2.4 The CAP-402 Solution
CAP-402 introduces a semantic capability layer with integrated privacy infrastructure:
┌─────────────┐ ┌─────────────────────────────────┐ ┌─────────────┐
│ Agent A │────▶│ CAP-402 Router │────▶│ Service X │
└─────────────┘ │ ┌─────────────────────────┐ │ └─────────────┘
│ │ Privacy Stack │ │ ┌─────────────┐
┌─────────────┐ │ │ ┌─────┐ ┌──────┐ ┌────┐│ │────▶│ Service Y │
│ Agent B │────▶│ │ │Noir │ │Arcium│ │Inco││ │ └─────────────┘
└─────────────┘ │ │ └─────┘ └──────┘ └────┘│ │ ┌─────────────┐
│ └─────────────────────────┘ │────▶│ Service Z │
└─────────────────────────────────┘ └─────────────┘
3. Protocol Overview
3.1 Core Concepts
Capability
A versioned, semantic contract defining:
- Identity: Stable ID (e.g.,
cap.price.lookup.v1) - Interface: Typed inputs/outputs (JSON Schema)
- Execution: Mode (public/confidential) + proof type
- Economics: Cost hints, currency, payment methods
Invocation
A request to execute a capability with specific inputs, returning:
- Outputs: Capability-specific results
- Receipt: Cryptographic proof of execution
- Economic hints: Payment information
3.2 Protocol Flow
1. Discovery Agent queries: "I need to swap tokens privately"
Router returns: [cap.confidential.swap.v1, cap.cspl.wrap.v1, ...]
2. Negotiation Agent requests options for cap.confidential.swap.v1
Router returns: [{privacy: 2, cost: 0.01}, {privacy: 3, cost: 0.05}]
3. Invocation Agent invokes with selected option
Router executes via appropriate executor
4. Receipt Agent receives cryptographic receipt
Receipt can be verified without re-execution
5. Settlement Economic hints enable payment (X.402 or on-chain)
4. Architecture
4.1 Layer Model
CAP-402 ARCHITECTURE
═══════════════════════════════════════════════════════════════════
┌─────────────┐ ┌─────────────────────────────────┐ ┌─────────────┐
│ Agent A │────▶│ CAP-402 Router │────▶│ Service X │
└─────────────┘ │ ┌─────────────────────────┐ │ └─────────────┘
│ │ Privacy Stack │ │ ┌─────────────┐
┌─────────────┐ │ │ ┌─────┐ ┌──────┐ ┌────┐│ │────▶│ Service Y │
│ Agent B │────▶│ │ │Noir │ │Arcium│ │Inco││ │ └─────────────┘
└─────────────┘ │ │ └─────┘ └──────┘ └────┘│ │ ┌─────────────┐
│ └─────────────────────────┘ │────▶│ Service Z │
└─────────────────────────────────┘ └─────────────┘
┌─────────────────────────────────────────────────────────────────────────┐
│ LAYER MODEL │
├─────────────────────────────────────────────────────────────────────────┤
│ Application │ Agents, SDKs, Integrations │
├─────────────────────────────────────────────────────────────────────────┤
│ Protocol │ Capability Schema, Routing, Composition, Receipts │
├─────────────────────────────────────────────────────────────────────────┤
│ Execution │ Public Executor, Confidential Executor │
├─────────────────────────────────────────────────────────────────────────┤
│ Privacy │ Noir ZK Proofs, Arcium MPC, Inco FHE │
├─────────────────────────────────────────────────────────────────────────┤
│ Security │ Tokens, Trust Network, Handshake, Encryption │
├─────────────────────────────────────────────────────────────────────────┤
│ Economic │ X.402 Hints, Privacy Cash, Trust-Based Pricing │
├─────────────────────────────────────────────────────────────────────────┤
│ Settlement │ Solana (Future: Multi-chain) │
└─────────────────────────────────────────────────────────────────────────┘
5. Cryptographic Foundation
UNIFIED PRIVACY STACK FLOW
═══════════════════════════════════════════════════════════════════
User / Agent
│
│ 1️⃣ Proves something privately (identity, limits, ownership)
▼
┌─────────────────────────────────────────────────────────────────┐
│ NOIR (Proof Layer) │
│ │
│ User generates ZK proof that: │
│ • They own NFT credential X │
│ • Their balance exceeds threshold │
│ • Their identity satisfies KYC requirements │
│ │
│ OUTPUT: Compact proof (no secrets revealed) │
└──────────────────────────────┬──────────────────────────────────┘
│
│ 2️⃣ Proof + encrypted context
▼
┌─────────────────────────────────────────────────────────────────┐
│ ARCIUM (Decision Layer) │
│ │
│ Arcium receives: │
│ • Verified Noir proof │
│ • Encrypted strategy parameters │
│ • Encrypted risk thresholds │
│ │
│ Arcium computes (on encrypted data): │
│ • Is risk_exposure < daily_limit? │
│ • Do all compliance rules pass? │
│ │
│ OUTPUT: ALLOW or DENY (signed attestation) │
│ LEAKED: Nothing about thresholds or strategy │
└──────────────────────────────┬──────────────────────────────────┘
│
│ 3️⃣ Decision + state update
▼
┌─────────────────────────────────────────────────────────────────┐
│ INCO (Execution Layer) │
│ │
│ If ALLOW: │
│ • Execute swap with hidden amount │
│ • Update encrypted daily exposure counter │
│ • Update encrypted position balances │
│ • Log encrypted audit trail │
│ │
│ PUBLIC VISIBILITY: "A transaction occurred" │
│ HIDDEN: Amount, strategy, positions, everything else │
└─────────────────────────────────────────────────────────────────┘
5.1 Noir (Zero-Knowledge Proofs)
Noir enables agents to prove statements without revealing underlying data:
- Balance proofs ("I have > $10K" without revealing exact amount)
- Identity verification without exposing credentials
- Trade execution proofs for audit trails
5.2 Arcium (Confidential Computation)
Arcium provides MPC-based confidential computation:
- Confidential token swaps (cSPL tokens)
- Private order matching
- Encrypted portfolio management
5.3 Inco (Encrypted On-Chain State)
Inco enables FHE-based encrypted state on-chain:
- Encrypted agent messaging
- Private governance voting
- Confidential smart contract execution
5.4 Why All Three Are Required
| Technology | What Happens If Removed |
|---|---|
| Noir | Cannot generate portable proofs; users must expose data to prove conditions |
| Arcium | Decision logic becomes public; strategies can be copied or gamed |
| Inco | On-chain state leaks; execution results expose private information |
The One-Sentence Mental Model:
Noir proves things privately, Arcium decides things privately, Inco stores and executes things privately.
6. Privacy Gradient
CAP-402 introduces a 4-level privacy gradient that maps to the cryptographic foundation:
| Level | Name | Technology | Description | Cost |
|---|---|---|---|---|
| 0 | Public | Direct execution | Standard execution, visible results | 1.0x |
| 1 | Obscured | Router attestation | Basic obfuscation, limited visibility | 1.1x |
| 2 | Encrypted | Arcium MPC | Strong encryption, authorized access only | 1.5x |
| 3 | ZK Verifiable | Noir + Inco | Zero-knowledge proofs, maximum privacy | 2.0x |
7. Capability Schema
7.1 Schema Definition
interface Capability {
id: string; // e.g., "cap.price.lookup.v1"
name: string; // Human-readable name
description: string; // What this capability does
version: string; // Semantic version
execution: {
mode: "public" | "confidential";
proof_type: ProofType;
timeout_ms: number;
};
inputs: { schema: JSONSchema; required: string[]; };
outputs: { schema: JSONSchema; };
economics: {
cost_hint: string;
currency: string;
payment_methods: string[];
};
}
7.2 Capability Categories
| Category | Examples | Execution Mode | Privacy Stack |
|---|---|---|---|
| Price Data | cap.price.lookup.v1 | Public | — |
| Wallet Operations | cap.wallet.snapshot.v1 | Public/Confidential | Inco |
| Confidential Compute | cap.fhe.compute.v1 | Confidential | Inco FHE |
| Private Swaps | cap.confidential.swap.v1 | Confidential | Arcium MPC |
| ZK Proofs | cap.zk.proof.balance.v1 | Confidential | Noir |
8. Economic Model
8.1 Trust-Based Pricing
| Trust Level | Rate Limit | Discount |
|---|---|---|
| Anonymous | 10 req/min | 0% |
| Verified | 50 req/min | 10% |
| Trusted | 200 req/min | 20% |
| Premium | 1000 req/min | 50% |
8.2 Payment Methods
- X.402 Payment Hints: HTTP-native micropayments
- Privacy Cash: Anonymous payment notes
- On-chain Settlement: Solana SPL tokens
- Subscription: Pre-paid capability bundles
10. Advanced Features
10.1 Agent-to-Agent (A2A) Protocol
CAP-402 enables direct agent-to-agent communication:
A2A PROTOCOL ARCHITECTURE
═══════════════════════════════════════════════════════════════════
┌─────────────┐ DIRECT INVOKE ┌─────────────┐
│ Agent A │ ──────────────────▶ │ Agent B │
└─────────────┘ └─────────────┘
│ │
│ AUCTION │
│ ┌───────────────────────┐ │
└───▶│ AUCTION MANAGER │◀─────┘
│ │
│ • Bid collection │
│ • Winner selection │
│ • Escrow handling │
└───────────────────────┘
│
▼
┌───────────────────────┐
│ SWARM COORDINATOR │
│ │
│ • Task distribution │
│ • Result aggregation │
│ • Consensus voting │
└───────────────────────┘
│
┌───────────────┼───────────────┐
▼ ▼ ▼
┌──────────┐ ┌──────────┐ ┌──────────┐
│ Agent 1 │ │ Agent 2 │ │ Agent N │
└──────────┘ └──────────┘ └──────────┘
10.1.1 Communication Modes
- Discovery — Find agents by capability
- Invocation — Request execution from another agent
- Auction — Competitive bidding for best execution
- Swarm — Coordinate multi-agent workflows
10.1.2 A2A Message Types
| Message Type | Purpose | Privacy |
|---|---|---|
a2a.invoke | Direct capability invocation | Configurable |
a2a.quote_request | Request trading quote | Encrypted |
a2a.quote_response | Respond with quote | Encrypted |
a2a.trade_execute | Execute agreed trade | Maximum |
a2a.auction_bid | Submit auction bid | Sealed |
a2a.swarm_task | Distribute swarm task | Configurable |
10.2 MEV Protection
CAP-402 provides comprehensive MEV protection for trading operations:
MEV PROTECTION FLOW
═══════════════════════════════════════════════════════════════════
TRADE SUBMISSION: swap(SOL → USDC, amount: 10,000)
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ MEV RISK ANALYSIS │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Sandwich Risk │ │ Front-run Risk │ │ Back-run Risk │ │
│ │ Probability: 75%│ │ Probability: 60%│ │ Probability: 40%│ │
│ │ Est. Loss: $150 │ │ Est. Loss: $80 │ │ Est. Loss: $30 │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
│ Overall Risk: HIGH | Potential Loss: $260 | Savings: $234 │
└──────────────────────────────┬──────────────────────────────────┘
│
┌──────────────┴──────────────┐
▼ ▼
┌───────────────────────────┐ ┌───────────────────────────────┐
│ STANDARD EXECUTION │ │ PROTECTED EXECUTION │
│ • Public mempool │ │ • Private mempool (Jito) │
│ • Visible to MEV bots │ │ • Confidential amounts │
│ • ~$260 expected loss │ │ • Arcium C-SPL wrapping │
└───────────────────────────┘ └───────────────────────────────┘
10.2.1 Protection Levels
| Level | Method | Protection | Cost |
|---|---|---|---|
| None | Public mempool | 0% | Free |
| Basic | Private RPC | 40% | +0.1% |
| Standard | Jito bundles | 70% | +0.2% |
| Maximum | Arcium C-SPL | 95% | +0.5% |
10.3 Real-Time Trading Signals
CAP-402 provides SSE-based real-time signal streaming for trading agents:
| Signal Type | Description | Use Case |
|---|---|---|
price_movement | Significant price changes | Entry/exit triggers |
whale_activity | Large wallet movements | Follow smart money |
mev_risk | MEV bot detection | Protection alerts |
arbitrage_opportunity | Cross-DEX spreads | Instant profit |
a2a_quote_available | Agent-to-agent offers | Better prices |
Signals include actionable recommendations with confidence scores and urgency timers.
10.4 Sealed-Bid A2A Auctions
Private OTC trading between agents using commit-reveal auctions:
SEALED-BID AUCTION FLOW
═══════════════════════════════════════════════════════════════════
Phase 1: OPEN (5 min) Phase 2: REVEAL (1 min)
┌─────────────────────┐ ┌─────────────────────┐
│ Agents submit │ │ Agents reveal │
│ sealed bids │ → │ bid + nonce │
│ (hash commitment) │ │ (verify commitment) │
└─────────────────────┘ └─────────────────────┘
│
▼
┌─────────────────────┐
│ Winner determined │
│ (2nd price auction) │
│ Trade executed │
└─────────────────────┘
Benefits: No front-running, fair price discovery, MEV-resistant execution.
9. Security Framework
- API Key Authentication — Rate limiting and access control
- Capability Tokens — Scoped, time-limited authorization
- Trust Network — Agent reputation and verification
- Cryptographic Receipts — Verifiable execution proofs
12. Use Cases
12.1 Private DeFi Trading
Problem: MEV bots front-run large swaps, extracting $500+ per trade.
Solution: Wrap tokens to confidential (C-SPL), execute private swap with hidden amount. Result: Zero MEV extraction.
12.2 Proof of Wealth Without Disclosure
Problem: Proving creditworthiness exposes entire portfolio.
Solution: Generate ZK proof that balance > $10K without revealing actual amount.
12.3 Encrypted Agent Messaging
Problem: Agent communications are public, strategies leaked.
Solution: FHE-encrypted messages that only the recipient can decrypt.
12.4 Atomic Multi-Step Workflows
Problem: 5 separate API calls, any can fail, no rollback.
Solution: Intent graphs with atomic execution and single receipt.
12.5 Automated Trading Bot
Problem: Manual trading is slow, emotional, and misses opportunities.
Solution: CAP-402 Trading Agent with:
- Instant Execution — Sub-second trades with
instantSwap()andsmartTrade() - Risk Management — Automated stop-loss, take-profit, trailing stops
- DCA Scheduling — Recurring buys at hourly/daily/weekly intervals
- Limit Orders — Buy/sell at specific price targets
- Portfolio Rebalancing — Auto-rebalance to target allocations
- Trade Journal — Notes, tags, strategy tracking, CSV export
- Performance Analytics — Win rate, profit factor, latency stats
12.6 Professional Trading Desk
Problem: Institutional traders need advanced order types and analytics.
Solution: Full-featured trading infrastructure:
// Smart execution - auto-selects best method
await trader.smartTrade('SOL', 'USDC', 10000);
// < $100: instant | $100-$10K: protected | > $10K: stealth
// Risk management
trader.setStopLoss('SOL', 140, 10);
trader.setTakeProfit('SOL', 200, 10);
trader.setTrailingStop('SOL', 5, 10);
// DCA automation
trader.startDCA('SOL', 'USDC', 100, 'daily', 30);
// Portfolio rebalancing
await trader.rebalance({ SOL: 60, ETH: 30, USDC: 10 });
// Performance tracking
const analytics = trader.getPerformanceAnalytics();
console.log(analytics.risk.profit_factor);
13. Market Opportunity
13.1 Total Addressable Market
| Segment | 2024 | 2026 (Projected) | CAGR |
|---|---|---|---|
| AI Agent Platforms | $2.1B | $8.4B | 100%+ |
| DeFi Infrastructure | $47B TVL | $150B TVL | 78% |
| Privacy Tech (ZK/MPC) | $890M | $4.2B | 117% |
| Combined TAM | $50B | $162B | 80% |
13.2 Competitive Landscape
| Competitor | Approach | CAP-402 Advantage |
|---|---|---|
| Direct API calls | Hard-coded endpoints | Semantic discovery, composability |
| Generic oracles | Public data only | Full privacy stack (Noir + Arcium + Inco) |
| Single-chain solutions | One ecosystem | Multi-chain roadmap |
| Privacy-only protocols | No agent focus | Agent-first with economic coordination |
11. Implementation
| Metric | Value |
|---|---|
| TypeScript files | 70+ |
| Tests | 399 passing (19 test suites) |
| API endpoints | 100+ |
| Capabilities | 13 |
| Trading Agent Methods | 40+ (instant, stealth, DCA, limits, etc.) |
| Sponsor integrations | 4 (Arcium, Noir, Helius, Inco) |
11.1 SDK One-Liners
import { prepareSwap, bestSwap, findAlpha } from '@cap402/sdk';
// Prepare swap - no setup required
const tx = await prepareSwap('SOL', 'USDC', 10);
console.log(tx.summary.headline); // "Swap 10 SOL → ~1,433 USDC"
// Best execution - auto-picks DEX vs A2A
const result = await bestSwap('SOL', 'USDC', 100);
console.log(result.route, result.savings_vs_dex);
// Detect alpha signals
const signals = await findAlpha(['SOL', 'ETH', 'BTC']);
signals.forEach(s => console.log(s.token, s.direction));
14. Roadmap
Phase 1: Foundation ✅ Complete
- Protocol specification (OpenAPI 3.1, JSON Schema, TypeScript types)
- Reference router (58 TypeScript files, 100+ endpoints)
- Privacy stack integration (Noir, Arcium, Inco fully integrated)
- Security framework (Multi-layer auth, capability tokens, trust network)
Phase 2: Expansion (Q1 2026)
- Multi-language SDKs (Python, Rust, Go)
- Capability expansion (50+ capabilities)
- Mainnet deployment (Solana mainnet)
Phase 3: Decentralization (Q2 2026)
- Distributed routers (10+ nodes)
- On-chain registry (Solana program)
- Staking & governance (CAP token)
- Cross-chain support (EVM, Cosmos)
15. Conclusion
CAP-402 represents a fundamental shift in how autonomous agents interact. By introducing semantic capabilities, privacy gradients, and economic coordination, we enable a new paradigm where agents can:
- Discover capabilities by intent, not implementation
- Execute with configurable privacy guarantees
- Verify results through cryptographic receipts
- Compose complex workflows atomically
- Transact through standardized economic hints
CAP-402 COMPLETE FLOW
═══════════════════════════════════════════════════════════════════
┌──────────┐ ┌──────────┐
│ AGENT │ │ PROVIDER │
└────┬─────┘ └────┬─────┘
│ │
│ 1. invoke(capability_id, inputs, preferences) │
│ ────────────────────────────────────────────────────▶│
│ │
│ ┌─────────────────┐ │
│ │ CAP-402 ROUTER │ │
│ │ │ │
│ │ • Validate │ │
│ │ • Route │ │
│ │ • Execute │ │
│ │ • Receipt │ │
│ └─────────────────┘ │
│ │
│ 2. {success, outputs, receipt, economic_hints} │
│ ◀────────────────────────────────────────────────────│
│ │
═════╧══════════════════════════════════════════════════════╧═════
CAP-402 is not just a protocol—it's the infrastructure layer for the agent economy.
"Agents don't call APIs. Agents call capabilities."
References
- Arcium Network Documentation — docs.arcium.com
- Solana Documentation — docs.solana.com
- Noir Language — noir-lang.org
- Inco Network Documentation — docs.inco.org
- X.402 Payment Protocol — x402.org
- JSON Schema Specification — json-schema.org
CAP-402 | Agent Infrastructure Standard | v1.0.0