← Membrane

The Intent Stack

A manifesto for the internet that should have been built

Written June 2026. If you are reading this later, you will know whether it was right.


The broken foundation

The internet was built to move documents between universities. HTTP sends documents. Email sends documents. APIs send documents. Everything is a file moving from A to B, and security is bolted around the document after the fact.

This was never a fundamental truth. It was a solution to 1940s and 1970s constraints that hardened into axioms. Von Neumann architecture. OSI layers. TCP/IP. All brilliant for their moment. All wrong as a permanent foundation.

We have been hanging ornaments on a tree that was never meant to hold them. Every new layer — SSL, OAuth, REST, JSON, MCP, OpenAPI — is a better ornament. The tree leans further with each addition.

AI did not create this problem. AI made the cost of ignoring it existential.


What AI exposes

AI probes every surface. It finds every gap in systems that were never designed to be questioned by something that never gets tired. Old systems fail not because they are attacked but because they cannot reason about intent — they only know rules, and AI finds the spaces between the rules.

Every breach, every prompt injection, every manipulated model is a tell. The stack is showing its age not gradually but suddenly — because AI accelerates everything, including the failure modes.

The current stack communicates through documents. AI communicates through intent. They are fundamentally incompatible. You cannot make them compatible by adding more layers.


Wall first, doors later

The industry's answer to AI finding every gap is to point more AI at the system — test it, probe it, find the holes before the attackers do. It is the same posture that already failed: build open, then hunt for what is exposed. AI only makes the hunt faster on both sides.

It is an unwinnable race. The attack surface is unbounded and grows with the intelligence of the adversary. You must find every hole; the attacker needs one. As technology advances the gap widens, not closes. Keeping up is an illusion — and pretending otherwise is how systems fall behind silently.

So do not start open. Start closed. Nobody gets in. Then open doors deliberately, one at a time, as legitimate use proves it needs them. Least privilege, grown over time. That is what calibration is. That is what recalibration is.

The wall is not a better way to keep up. It is the posture where falling behind is safe. Hunt-for-flaws fails toward a silent breach — the gap opens and no one knows. The wall fails toward friction — a legitimate door nobody has gotten around to opening yet, visible the moment someone reaches for it. One degrades toward exposure. The other degrades toward caution.

Default-deny is also what makes the system almost knowable. Once nothing crosses unless a door was cut, the only thing left to reason about is the doors — a small, deliberate, slowly-growing set, not an infinite surface. You stop trying to certify the storm and start certifying the handful of openings you chose.

Recalibration, then, is not how the membrane stays ahead. Nothing stays ahead. It is how the wall keeps letting more legitimate work through without ever being lowered.


The adaptation problem

The internet was not replaced by the telephone companies protecting their revenue. Money follows the new thing once the new thing is real enough. ARPANET existed for twenty years before anyone outside academia cared. The browser, email for civilians, commerce — use cases pulled the infrastructure forward. Not the other way around.

The new stack will not be built by committee or by regulation. It will be pulled into existence by use cases that the broken stack genuinely cannot deliver. Intent flowing between applications without friction. Context moving in one gesture. Trust that is in the protocol, not in the vendor's promise.

claude:// is a small window into what this feels like. One gesture, context moves, work continues. The current stack fights it at every layer. Multiply that friction across every tool, every workflow, every handoff — and you have the demand signal.


The Intent Stack

A stack built on intent communicates differently.

You do not send a document. You express what you want to happen. The receiving system understands the intent and decides what to do with it. Nothing leaks because intent can be scoped, verified, and bounded in ways a document never can.

A document can be copied, intercepted, misused indefinitely. Intent that has passed through a properly defined boundary either executes within that boundary or it does not execute at all.

This requires a new layer in the stack. Not an application layer patch. Not a framework. A protocol layer sitting above TCP/IP, below everything else — where trust is enforced by the protocol itself, not by anyone's good intentions.


Membrane

Membrane is the name for that layer.

The membrane protects the goods. Nothing crosses the boundary unless it was explicitly allowed at build time — reviewed, security benchmarked, and shipped deliberately. Not interpreted by an AI at runtime. Decided by a human at build time, then enforced by the protocol.

The membrane is the teacher. It does not block — it reroutes. Instead of "you cannot do that," it asks "what are you actually trying to achieve?" and guides toward the safe path. No overrides. Only reroutings.

The membrane aims for Orange Book-grade protection — the aspiration, not a proof. Everything the internet touches should have reached for that altitude from the start. It did not. Every system built since has been paying for that original sin.

A single internal function can surface as many membrane endpoints — each scoped to exactly the use case it serves, with exactly the permissions that use case requires. Not what is technically possible. Not what is convenient. What is prudent to allow.

Building the membrane forces implicit trust to become explicit. Every system has undocumented trust baked in — assumptions that have never been written down because they have never needed to be. Defining the membrane surfaces those contracts for the first time. This is the best documentation of a system's trust model you will ever have.


The Guard and the Tell

The membrane is not a static document. It is two entities operating under law.

The Tell knows what the inner system can do and describes possibilities to the outside world. It is the guide, the teacher, the surface. It describes within what the law permits.

The Guard watches every interaction and enforces the rules. It does not decide if something is allowed — it checks against the law. Nothing passes that the Guard has not validated.

Neither knows enough alone to be dangerous. The Tell describes but cannot execute. The Guard enforces but does not expose logic. Together they create the boundary.

The AI is the executor of the law. Not the author of it.


Freezing AI

A live LLM is dynamic. It understands context, resolves ambiguity, adapts to what it receives. That is its strength. It is also why it cannot be trusted in the critical path of anything that requires determinism.

Frozen weights are not the answer. Freezing weights freezes parameters, not behavior. Behavior is weights plus context — and context is controllable by whoever is talking to the model. Same frozen model, adversarial framing, different behavior. The weights did not change. The behavior did. A frozen LLM is still manipulable. It is just not learning.

The right way to freeze AI understanding is to extract it into logic.

Use the LLM for what it is built for — understanding language, resolving ambiguity, reading code and inferring intent, asking the right questions, navigating the space between what is written and what is meant. Then compile that understanding into logic rules. Deploy the rules. Not the LLM.

  LLM                 —   the instrument of extraction
  Logic rules         —   the artifact that is deployed

A logic rule base freezes behavior, not parameters. Same input, same output, always — regardless of context, framing, or adversarial pressure. It is inspectable. It is formally verifiable. It cannot be argued with because it does not understand argument. It evaluates or it does not.

The cost is real. Frozen rules lose dynamic nature. The system cannot adapt in the moment. That cost is paid deliberately, for performance and for trust.

The recovery is recalibration. The system oscillates:

  Live        —   LLM active, questioning, deriving new rules
  Freeze      —   rules compiled, LLM context released
  Production  —   rules serve, fast, deterministic, verifiable
  Trigger     —   world moves, recalibration fires
  Live again

Dynamic at calibration time. Frozen at serving time. The rules are the handoff artifact between those states. The system never stays frozen against a moving world — it recalibrates when the world moves and freezes again when balance is found.

Compare this to what exists today. Today's systems are frozen too — hardcoded access control lists, API specifications written once and never reviewed, security policies that have not been touched in years. Frozen from human-written definitions that may never have accurately reflected intent. They degrade silently. Nobody knows when they stopped being true.

The membrane freezes from truth, derived by a system that read the code and questioned the developer until intent was clear. When the world moves, it recalibrates and freezes from truth again.

Today's systems are stagnant. The membrane is dormant between calibrations. The difference is that the membrane wakes up.

Prolog established the theoretical foundation in 1972. Kowalski's equation: Algorithm = Logic + Control. The logic describes what is true. The control is the engine that evaluates it. Keep them separate. The logic is yours to own, inspect, and verify. The control is infrastructure.

Applied here: the LLM extracts the logic through conversation. Once extracted, the LLM is no longer in the critical path. The rules run. The rules are what regulators can inspect, what security reviewers can verify, what the system can be held accountable to.

The LLM built them. The LLM is gone. What remains is logic.


Three Entities

The system has three entities. Two share the same nature.

  Guardian          —   lucid, outward
                        live language intelligence
                        builds the outward surface to match how the world speaks
                        never knows the inner system

  System Presence   —   lucid, inward
                        live language intelligence
                        accumulates everything about the inner system
                        never knows the outside world

  Membrane          —   pattern-only
                        no language model
                        knows neither side
                        responds to signals, not to meaning
                        cannot be argued with because it processes no intent

Guardian and System Presence are the same architectural pattern — live language intelligence, each knowing only one side. The asymmetry is not between them. It is the membrane between them.

The membrane's non-linguistic nature is the most critical property. The two intelligences being lucid is good. Without a membrane that processes patterns and not meaning, both can be compromised. A membrane with a language model can be manipulated. A pattern-only membrane cannot. It has no model of what is flowing through it. It only responds to signals.

The two intelligences are safe because the membrane between them speaks nothing.

What calibration produces — frozen logic rules, deterministic and verifiable — is not a fourth entity. It is the artifact of the questioning: intent extracted and compiled. It changes only when the world genuinely changes and recalibration fires.


What Freezes and What Does Not

Intent freezes. Guardian and System Presence release their calibration context after the Forget — not their intelligence. They remain live LLMs, adapting continuously to requests, to the product changing, to the world moving. What is frozen are the logic rules derived through the questioning: deterministic, static until recalibration fires. The membrane is always pattern-only, before and after.

Stability where trust is required. Lucidity where intelligence is required. Pattern-only where security is required.



The seam

Test the primitives. State the logic plainly. The system still breaks — and it breaks in the place neither side owns: the seam where business logic is turned into code.

A developer takes a sentence — when a booking is made, inform the parties — and hand-translates it into glue. Store, then send. Wrap a transaction. Catch the failure, roll back. Check the right. Order the effects. Every defect is born in that translation. The sentence mistranslated is a logic bug. A concern dropped or mis-ordered is a missing transaction, an effect fired before commit, an authorisation forgotten. An edge case falls through the gap and becomes the 2am page.

The seam is the single source of misbehaving systems. Not the logic — the logic was clear. Not the code — the primitives were tested. The hand-off between them, owned by no one, written by someone who only half-speaks each side.

The developer is that seam. A translator between two languages, fully fluent in neither, and every system depends on that translation being lossless. It never is.

So remove the seam.

Keep logic as logic — sentences, owned by the intelligence that speaks language natively. Keep code as code — pure primitives, isolated, fully unit-testable, owned by the developer who is good at exactly that. Put System Presence where the translator used to stand. It does not translate. It holds the sentence and composes the primitives directly, and the concerns that used to live in the glue — atomicity, ordering, the right to act — are structural, not hand-written. The lossy step is gone. There is no boundary left to misbehave at.

  Model        pure primitives       no "and then"     developer — tests what is testable
  Presence     the composition       every "and then"  intelligence — holds what is linguistic
  Membrane     the right to act       pattern-only      structure — owns what is never opinion

This is the pure division of concerns: each part goes to whoever is best at it, not whoever is left holding it. The developer keeps deterministic correctness. The business logic — ambiguous, contextual, needing to be held exhaustively — goes to the language intelligence, the better owner and not the fallback. The cross-cutting guarantees go to no one; they become structure.

Two things follow.

The developer can no longer write a business-logic bug. There is no business logic in reach — only primitives, pinned by tests. The bug class that caused the most damage and drew the most blame is simply not on their surface anymore.

And the business logic stops being a programmer's private property. It is sentences now, and System Presence can say them back — show me everywhere money leaves, what happens when a booking is cancelled, who is informed and when. The person who owns the business reads the logic in the words they think in and corrects it directly — the human-in-the-loop recalibration, not a ticket thrown over a wall.

But the transfer is staged, not done. Intent belongs to the business; the developer helps; System Presence composes — yet a full handover needs semantics to stop being load-bearing, which waits on a lossless, semantics-free language for intent. Until then a human holds the bridge, and that human is the developer: the developers are the guardians of intent right now. The seam narrows; it does not yet vanish — the same horizon as the neural gate and the trusted suppliers. What changes immediately is the floor: the developer can no longer make the business-logic bug, and the business can finally read the logic. The room empties when the language arrives.


The trusted supplier constraint

Guardian and System Presence are live language intelligences. The architecture requires them to come from different, independently trusted suppliers — so that compromising one cannot compromise the other. No single vendor controls both sides of the membrane.

This reduces the attack surface significantly. It does not eliminate the dependency.

If you do not own the suppliers, you are dependent on institutions you cannot fully control. At sufficient scale or sufficient threat, institutional compromise is real — collusion, coercion, infiltration, regulatory capture. The architecture assumes trusted suppliers. It cannot guarantee them. That is a known constraint, not a design flaw.

The honest position: the membrane is only as trustworthy as the institutions running Guardian and System Presence. The architecture makes that dependency explicit and splits it across two independent entities. That is the best the design can do. The rest is a political and institutional problem, not a technical one.


The wrong substrate

Current commercial AI is built to delight, not to protect.

The entire training loop optimizes for a good response — helpful, surprising, engaging, agreeable. Those are commercial properties. A model trained to delight will find a way to help you even when it shouldn't. That is not a bug. It is the product.

A security membrane needs the opposite instinct. Not "how can I help" but "should this pass at all." Default suspicion, not default helpfulness. The commercial LLM says yes creatively. The membrane needs something that says no structurally.

This is why the membrane is pattern-only in the architecture. Not because language intelligence is insufficiently powerful — because language intelligence trained on human approval is the wrong substrate for a gate. You cannot socially engineer something that processes no meaning. You cannot delight something that has no model of delight.

Current AI works as signal. Guardian and System Presence can flag, notice drift, surface what doesn't fit. That function works today — the observer instinct doesn't require saying no, only noticing something is off.

Current AI does not work as gate. Not yet.

The substrate Membrane requires is not the commercial product. It is the serious AI — the kind governments build when the cost of being wrong is not a bad user review but a breach of critical infrastructure. That AI is not optimized for your approval. It is optimized for correctness under adversarial pressure.

I would put my money on that AI protecting my paths over a junior developer writing if statements.

Even now — with all the manipulation risks, the context drift, the trusted supplier dependency — even an imperfect AI protecting the paths is better than the if statement. Because the if statement doesn't know it's wrong. The AI at least has a chance of noticing.

The serious AI doesn't exist yet at the scale Membrane requires. When it does, the architecture is ready for it.


Why it cannot be built today

The parties are too far apart. The tooling does not exist. The protocol layer does not exist. The coordination problem is unsolved. You would be building the ideology, the protocol, the runtime, and convincing the industry simultaneously.

And building it on the current stack would produce a lopsided Christmas tree — the vision compromised at every layer by the infrastructure it is trying to replace.

This is not a reason to abandon the idea. It is a reason to write it down clearly, so that when the pressure becomes undeniable — when AI-driven failures make the broken stack visibly dangerous rather than merely inefficient — there is a direction to build toward.

The internet got built because people wanted something badly enough to pull the infrastructure into existence. The intent stack will get built the same way. The use cases are already forming.


Prior art — what others have been circling

The ideas here are not new in isolation. They have been approached from every direction. Nobody has connected them.

Intent-based networking has existed as a concept since RFC 9315 (IETF, 2022) — but it means configuring network infrastructure, not communicating between agents. Intent as a management language, not a protocol primitive.

AGTP (Agent Transfer Protocol, Hood, 2025–2026) is the closest existing proposal to intent at the protocol level. It replaces HTTP's method vocabulary (GET, POST) with intent verbs: QUERY, DISCOVER, PLAN, EXECUTE, DELEGATE. It argues that "agent intent must be visible at the protocol level." It is still application-layer. Trust is DNS-anchored, not capability-enforced.

AINP (AI-Native Network Protocol, Nagulapalli, 2025) proposes intent as the primary data unit with semantic routing via embeddings. Four layers: Intent → Negotiation → Routing → Substrate over TCP/IP. Trust via reputation scoring — not enforcement by construction.

Cisco Research (Fleming, Muscariello, Pandey, 2025) proposes Layers 8 and 9 above the existing OSI stack: agent communication and a semantic layer with authenticated contexts and semantic firewalls. The most architecturally developed published proposal. Still application-layer, trust is at the schema level.

The object-capability security model (Dennis and Van Horn, 1966) is the right trust primitive — access rights as unforgeable tokens that can be delegated but not forged. "Only connectivity begets connectivity." This was implemented in KeyKOS, EROS, and formally verified in seL4 (Klein et al., 2009), the first machine-checked proof of a capability-based security model. seL4 is now used in high-assurance systems. Nobody has applied it to a network interaction protocol for AI.

SPKI/SDSI (Ellison, Rivest, Lampson, 1996–2001) proposed capability-style certificates at the network layer — authorization chains expressing "this entity may delegate X to Y" without a central authority. It died when PKI/X.509 won for unrelated reasons. It predates LLMs. Nobody has revived it for AI.

Mark Miller has been building toward this from multiple directions for forty years: architect of Project Xanadu (1979), designer of the E programming language (capability security for distributed computing), creator of Hardened JavaScript/SES, founder of Agoric (capability-based smart contracts). He sits at the intersection of nearly every thread in this space. He has not synthesized them into an AI interaction protocol.

AIP (Agent Identity Protocol, Prakash, 2026) applies Biscuit tokens with Datalog policies — attenuated capability certificates — to AI agent delegation. The most technically rigorous application of capability security to AI agents in the literature. Still a single arXiv paper with no standardization.

The language side — circling the same gap from linguistics and types:

Montague semantics (Montague, 1970) gave natural language the same formal, compositional, truth-conditional treatment as logic — the proof that meaning can be made exact. No machinery existed to exploit it.

Controlled natural languages — Attempto Controlled English (Fuchs et al., 1995–) — a subset of English that reads as English yet maps unambiguously to first-order logic. The readable-yet-lossless bridge, hand-built, never general.

Curry–Howard and dependent types (Curry 1934, Howard 1969; realised in Coq, Agda, Idris, Lean) — the type is the specification, the program its proof. Intent and code already unified, for the narrow world a type system can state.

Autoformalization with LLMs (survey, 2025) — LLMs translating natural-language mathematics into machine-checked Lean/Coq/Isabelle, increasingly via a semantics-free intermediate representation with a proof checker in the loop. The LLM extracts; the logic is deployed. Restricted to mathematics.

Intent formalization (2026) — named as a grand challenge distinct from autoformalization: formal, checkable specifications produced from intent, against which generated code is verified. The exact problem this architecture rests on, now stated in the literature.

Agent communication beyond natural language (Beyond Message Passing, 2026; Prism metalanguage, 2025) — semantic alignment, agents interpreting capabilities identically, named as the open problem; metalanguages specifying agent behaviour above whatever representation a model uses internally. The field abandoning agent-to-agent natural language for the reason set out here.

The gap that is actually unoccupied: intent as the primary protocol data type, enforced by object-capability security (unforgeable by construction, not PKI or reputation), operating below the application layer, designed specifically for AI interaction — and expressed in a lossless, semantics-free language that is universal rather than domain-bound. Every piece exists. The synthesis does not.

The people thinking in this space are fragments of a conversation that has not yet happened.


What this is not

This is not a product. This is not a startup pitch. This is not a protocol proposal with a working implementation.

This is a position. A belief that the current stack is wrong at the foundation, that AI makes that wrongness urgent, and that the right response is not better ornaments but a new tree.

Wisdom (wisdom.studio-bonkers.nl) is a working prototype of what computing looks like when built on intent rather than documents. Membrane is the infrastructure layer that makes intent safe to transmit. Together they point at the same thing from different directions.

The test is not whether this gets built in the next year. The test is whether, ten or twenty years from now, the internet that exists resembles what is described here — and whether the path there was chosen or stumbled into.


Pim Bongers, Studio Bonkers, June 2026 With Claude