Structural security, proven at the first millisecond.
CISS is the transport security implementation, based on mTLS (mutual TLS). It establishes an end-to-end encrypted channel between the Agent and the tool, and completes cryptographic proof of identity before the first byte of application data is exchanged.
CISS is the skeleton of the CIS/CAP protocol family.
The Agent's private key is its sole trust anchor. Identity is cryptographically proven during the mTLS handshake; no centralized tokens are required.
Agent                   Server
├─── TLS ClientHello ────────►
│◄── CertificateRequest ──────┤
├─── Client Certificate ─────►
├─── CertificateVerify ──────► (signed with private key)
│◄── Handshake Complete ──────┤ ← identity proven
├─── Encrypted CIS/CAP Data ──►
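The handshake above can be exercised end to end with Go's standard `crypto/tls`; this is an added example, not code from the CISS project. It assumes self-signed Ed25519 certificates pinned on each side, a loopback TCP listener, and a TLS 1.3 minimum; `newIdentity`, `ProveIdentity`, `tool.example` and `agent-01` are hypothetical names.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// newIdentity builds a constructed self-signed Ed25519 identity and a pool that pins exactly that certificate.
func newIdentity(cn string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// ProveIdentity runs one mTLS handshake over loopback and returns the agent name the tool authenticated.
func ProveIdentity(tool tls.Certificate, toolPin, agentPins *x509.CertPool, agent ...tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{MinVersion: tls.VersionTLS13,
		Certificates: []tls.Certificate{tool}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: agentPins})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go tls.Dial("tcp", ln.Addr().String(), &tls.Config{MinVersion: tls.VersionTLS13, // agent side, left open
		Certificates: agent, RootCAs: toolPin, ServerName: "tool.example"})
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if err := conn.(*tls.Conn).Handshake(); err != nil {
		return "", err // missing or unpinned client key: rejected before any application data is read
	}
	return conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	tool, toolPin := newIdentity("tool.example")
	agent, agentPins := newIdentity("agent-01")
	fmt.Println(ProveIdentity(tool, toolPin, agentPins, agent)) // pinned key: accepted
	fmt.Println(ProveIdentity(tool, toolPin, agentPins))        // no certificate: rejected
}
```

A second identity created with the same name but a different key is also rejected, because the tool trusts the pinned certificate and its key, not the name.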
CIS (intent semantics)
↑
CIB (transport binding)
↑
CISS ← You are here
↑
CAP (capability auth & HITL)
| Protocol | Repository |
|---|---|
| CIS | CommonIntents/CIS |
| CAP | CommonIntents/CAP |
| CIB | CommonIntents/CIB |
Apache 2.0 — see LICENSE.