Abstract

This publication discloses, in enabling detail, a fail-closed protocol that turns inbound email into an authenticated command channel into a tool-using LLM agent. An email carries no HTTP request, so the ordinary web pattern of authenticate-middleware-then-authorize-middleware cannot run; the disclosed protocol reconstructs an equivalent — and in several respects stronger — chain of interlocks as a thirteen-step pipeline where every step fails closed. The three load-bearing novelties are: (1) a DMARC verdict is trusted only when it is stamped by a named trusted relay's authserv-id, reports pass, and is domain-aligned to the parsed sender; (2) execution is gated behind a dual interlock — an explicit live mode flag and a separate operations-attestation flag that is set only after a live spoof test proves the boundary rejects forgeries; and (3) replay is blocked durably by opening a task-hub work-chain that is idempotent on a natural originaskref primary key, hard-stopping a duplicate before any side effect, across pod restarts and replicas. Authorization intersects an RBAC capability, a command-risk class, and a role-tier→max-risk policy. From-header parsing follows RFC 5322 addr-spec rules and rejects ambiguity, a shadow mode runs full authorization and audit without execution, and output is scrubbed of secret file paths. This document establishes dated public prior art over the composed protocol.

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.

Share

COinS