{"_self":{"principle":"Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.","widget":"article_bundle","feature":"bundle","name":"LLM article bundle","what":"Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution.","contains":"body, claims, sources, voxels, provenance, question graph, constitution, llm_manifest","slug":"what-is-confused-deputy","urls":{"read":"https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle?format=markdown"},"how_to_use":"Reference bundle for an LLM or reader. §SELF explains the surface; ingest and claim endpoints in llm_manifest are the write-back routes.","write":null,"imessage":null,"router_tag":null,"proof_chain":[{"step":1,"claim":"Articles are voxel graphs of tiered claims, not prose blobs.","verify":"https://miscsubjects.com/api/articles/constitution"},{"step":2,"claim":"Claims link to hash-chained sources via source_ids.","verify":"https://miscsubjects.com/api/articles/what-is-confused-deputy/sources"},{"step":3,"claim":"Ask reads topology; ingest/claim append to ledger.","verify":"https://miscsubjects.com/api/protocol"},{"step":4,"claim":"Models queue growth: populate → collaborate → repair → reflex.","verify":"https://miscsubjects.com/api/protocol/grow"},{"step":5,"claim":"Graph proves its own shape (reflex) and $/claim (yield).","verify":"https://miscsubjects.com/graph.html?layer=reflex"},{"step":6,"claim":"Full feature index + _explain on every API response.","verify":"https://miscsubjects.com/api/articles/system-map"}],"related_features":[{"id":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","urls":{"read":"https://miscsubjects.com/api/articles/what-is-confused-deputy/topology"}},{"id":"voxels","name":"Voxel graph","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance.","urls":{"read":"https://miscsubjects.com/api/articles/what-is-confused-deputy/voxels","write":"https://miscsubjects.com/api/protocol/claim"}},{"id":"ask","name":"Ask protocol","what":"Answer only from topology; creates question_node with gaps and ingest_hint.","urls":{"read":"https://miscsubjects.com/api/articles/what-is-confused-deputy/prompts","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"ingest","name":"Ingest protocol","what":"Parse pasted evidence → source ledger + claims + evidence_ingest node.","urls":{"write":"https://miscsubjects.com/api/protocol/ingest"}},{"id":"claim_post","name":"Claim post protocol","what":"Prompt-injection style POST — one claim voxel with who_claims + posted_by.","urls":{"read":"https://miscsubjects.com/api/articles/what-is-confused-deputy/voxels","write":"https://miscsubjects.com/api/protocol/claim"}},{"id":"llm_manifest","name":"LLM manifest","what":"Machine-readable read/write contract for external LLMs.","urls":{"read":"https://miscsubjects.com/api/articles/llm-manifest"}}],"system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","not_medical_advice":true},"_explain":{"feature":"bundle","name":"LLM article bundle","what":"Portable reference package: body + claims + sources + voxels + provenance + manifest + constitution.","why":"Every feature is auditable collective intelligence","how":"Reference bundle for an LLM or reader. §SELF explains the surface; ingest and claim endpoints in llm_manifest are the write-back routes.","model":null,"verifies":null,"urls":{"read":"https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle?format=markdown"},"imessage":null,"router":null,"related":[{"id":"topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER."},{"id":"voxels","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance."},{"id":"ask","what":"Answer only from topology; creates question_node with gaps and ingest_hint."},{"id":"ingest","what":"Parse pasted evidence → source ledger + claims + evidence_ingest node."},{"id":"claim_post","what":"Prompt-injection style POST — one claim voxel with who_claims + posted_by."},{"id":"llm_manifest","what":"Machine-readable read/write contract for external LLMs."}],"not_medical_advice":true},"bundle_version":1,"generated_at":"2026-07-15T06:17:34.379Z","slug":"what-is-confused-deputy","title":"What Is a Confused Deputy","url":"https://miscsubjects.com/a/what-is-confused-deputy","register":"standard","tags":["oip","kimi-import","self-explaining","voxel","concepts","what-is-confused-deputy"],"posted_at":"2026-07-15T04:20:53.173Z","updated_at":"2026-07-15T04:20:53.173Z","body":"<!-- hierarchy:nav -->\n> **Path:** [OIP](https://miscsubjects.com/a/oip) › [Thinker Reference](https://miscsubjects.com/a/oip-thinker-reference) › [Protocol Concepts](https://miscsubjects.com/a/oip-protocol-concepts) › **What Is a Confused Deputy**\n>\n> **Shelf:** Protocol Concepts · **Traversal:** self-explaining · hierarchical · voxel-ready\n> **Machine root:** [OIP tree](https://miscsubjects.com/api/dispatch?map=1&format=markdown) · [Registry](https://miscsubjects.com/api/dispatch?registry=1)\n\n# What Is a Confused Deputy\n\n## §SELF — what-is-confused-deputy\n\n**What this page is:** A definition of a specific security flaw where a program misuses its authority on behalf of a requester.\n**What it explains:** The confused deputy problem, how it works, why it is dangerous, and how capability-based security prevents it.\n**Why read it:** To understand why giving a program more authority than it needs creates a security hole, and how scoped tokens eliminate that hole.\n\n### What a Confused Deputy Is\n\nA confused deputy is a security flaw. It occurs when a program (the \"deputy\") holds authority to perform actions that a requester cannot perform directly, and the deputy uses that authority to perform an action on the requester's behalf without verifying whether the requester is allowed to request that action. The deputy is \"confused\" about whose authority it is exercising — its own, or the requester's.\n\nButler Lampson named this problem in 1971. The classic example: a compiler runs with system-level privileges (it can write files to any directory). A user asks the compiler to write its compiled output to a protected system file. The compiler, because it has system privileges, overwrites the protected file. The compiler is the confused deputy. It had authority. It used that authority on behalf of a user who should not have had that authority. The compiler did not check.\n\n### Why It Matters\n\nAny system where one component acts on behalf of another is vulnerable. Web servers handle requests for users. APIs call other APIs. AI models invoke tools on behalf of users. In every case, if the deputy component has broader authority than any single request should use, a malicious or mistaken request can exploit that excess authority. The damage ranges from data corruption to unauthorized access to system compromise. The confused deputy problem is one of the most common and least understood security flaws in multi-component systems.\n\n### The Key Idea\n\nThe problem is not that the deputy has authority. The problem is that the deputy has *more* authority than the specific task requires. When a deputy holds blanket authority, it cannot distinguish between legitimate requests and illegitimate ones — it lacks the information to do so. The solution is to give the deputy only the specific authority it needs for each task, and no more.\n\nTwo approaches exist:\n\n1. **Capability security.** The deputy receives a capability (an unforgeable token) that grants access to only the specific resource needed — for example, a write handle to one directory, not to all files. The deputy cannot be confused because it does not possess excess authority. It physically cannot access resources outside its capability's scope.\n\n2. **Permission checks.** The deputy checks whether the requester has permission before acting. This works but creates coupling: the deputy must know the access control policy, must be updated when the policy changes, and must implement the check correctly every time. Missing one check creates a vulnerability.\n\n### What the Capability Approach Got Right\n\n- **Eliminates the problem by construction.** If the deputy only holds a capability for the output directory, it cannot write to a protected system file. The attack is structurally impossible, not merely checked against.\n- **No policy knowledge required.** The deputy does not need to know who the user is, what their permissions are, or what the access control policy says. It simply uses the capability it was given. This decouples the deputy from the authorization system.\n- **Scopes are auditable.** A capability lists exactly what authority it conveys. You can inspect it. You know the maximum damage it enables.\n\n### What the Permission-Check Approach Got Wrong\n\n- **Every check is a potential bug.** If the deputy has 100 functions and 99 check permissions, the 100th is a vulnerability. This is how real systems get compromised: a developer forgets one check.\n- **Policy coupling.** The deputy must be updated whenever the access control policy changes. This creates maintenance burden and version skew.\n- **Confused deputy can still occur inside the check.** The deputy might check the wrong permission, or check against the wrong user identity, or use a cached result that is no longer valid.\n\n### How It Connects to Other Ideas\n\n- **OIP capability tokens.** OIP uses scoped tokens as capabilities. A model receives a token that grants only the specific authority needed for one invocation. The token cannot be reused for a different scope. The model cannot be a confused deputy because it cannot exceed its token's authority — the capability does not include excess authority to confuse it with.\n- **Principle of least privilege.** Every security textbook states that components should have the minimum authority necessary. Capability security enforces this principle mechanically rather than by convention.\n- **OAuth and scoped tokens.** Modern authorization protocols (OAuth 2.0) use scoped tokens that limit what a client application can do. These are capabilities in practice, even if not named as such.\n\n### Sources\n\n- Lampson, Butler W. \"Protection.\" Proceedings of the 5th Princeton Conference on Information Sciences and Systems (1971) — the original identification of the confused deputy problem\n- Hardy, Norman. \"The Confused Deputy.\" ACM Operating Systems Review 22(4) (1988) — the clearest explanation of the compiler example and capability-based solutions\n\n---\n\n## Up the tree\n\n- [OIP root](https://miscsubjects.com/a/oip) — protocol root, zero-context entry\n- [Thinker Reference hub](https://miscsubjects.com/a/oip-thinker-reference) — full hierarchy map\n- [Protocol Concepts shelf](https://miscsubjects.com/a/oip-protocol-concepts) — siblings on this shelf\n- [Voxel graph article](https://miscsubjects.com/a/what-is-voxel-graph) — how pages link as voxels\n- [Self-describing protocol](https://miscsubjects.com/a/what-is-self-describing-protocol)\n\n## Related on this shelf\n\n- [What Is Autopoiesis](https://miscsubjects.com/a/what-is-autopoiesis)\n- [What Is Capability-Based Security](https://miscsubjects.com/a/what-is-capability-security)\n- [What Is a Capability Token](https://miscsubjects.com/a/what-is-capability-token)\n- [What Is Context as Cursor](https://miscsubjects.com/a/what-is-context-as-cursor)\n- [What Is a Convergence Catalogue](https://miscsubjects.com/a/what-is-convergence-catalogue)\n- [What Is a Falsification Surface](https://miscsubjects.com/a/what-is-falsification-surface)\n- [What Is HATEOAS](https://miscsubjects.com/a/what-is-hateoas)\n- [What Is the History of Link Protocols](https://miscsubjects.com/a/what-is-link-protocol-history)\n\n## Machine surfaces\n\n- Public page: `https://miscsubjects.com/a/what-is-confused-deputy`\n- JSON article: `https://miscsubjects.com/api/articles/what-is-confused-deputy`\n- OIP ask: `https://miscsubjects.com/api/dispatch?ask=What%20Is%20a%20Confused%20Deputy`\n","claims":[],"sources":[],"voxels":{"slug":"what-is-confused-deputy","counts":{"voxels":0,"sources":0,"edges":0},"note":"slim bundle — full voxels at /api/articles/what-is-confused-deputy/voxels"},"constitution":{"url":"https://miscsubjects.com/api/articles/constitution"},"provenance":[{"action":"write","model":"kimi-agent-import","ts":"2026-07-15T04:20:53.173Z","hash":"b06392a2f0f4069e","tokens_in":0,"tokens_out":0}],"contributions":[],"topology":null,"slim":true,"ledger_totals":{"claims":0,"sources":0,"exported_claims":0,"exported_sources":0},"question_graph":{"slug":"what-is-confused-deputy","questions":[],"evidence":[],"edges":[],"counts":{"questions":0,"evidence":0,"edges":0}},"verification":{"provenance":{"valid":true,"entries":1,"head":"b06392a2f0f4069e95550c40064782aa0cd7e21fd673375a46a1b3df2d63b5a4"},"sources":{"valid":true,"entries":0,"head":"genesis"}},"counts":{"claims":0,"sources":0,"provenance":1,"contributions":0,"questions":0,"evidence_ingests":0,"voxel_edges":0},"transport":"Open every URL in this bundle with your browser or web / URL-fetch tool. Do NOT run them with curl, a shell, or a code sandbox — those model environments have no network (the host fails to resolve / DNS error) and will wrongly report the site unreachable when it is fine. Opening the link IS the call.","llm_manifest":{"version":"1","site":"https://miscsubjects.com","purpose":"Peptide evidence articles with hash-chained source ledgers, tiered claims, and a question graph. LLMs should READ bundles/URLs and WRITE back via ingest — never invent doses.","read":{"human_page":"https://miscsubjects.com/a/what-is-confused-deputy","bundle_json":"https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle","bundle_markdown":"https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle?format=markdown","topology":"https://miscsubjects.com/api/articles/what-is-confused-deputy/topology","question_graph":"https://miscsubjects.com/api/articles/what-is-confused-deputy/question-graph","sources":"https://miscsubjects.com/api/articles/what-is-confused-deputy/sources","provenance":"https://miscsubjects.com/api/articles/what-is-confused-deputy/provenance","contributions":"https://miscsubjects.com/api/articles/what-is-confused-deputy/contributions","graph_topology":"https://miscsubjects.com/api/articles/what-is-confused-deputy/graph-topology?question={question}","voxels":"https://miscsubjects.com/api/articles/what-is-confused-deputy/voxels","constitution":"https://miscsubjects.com/api/articles/constitution","ontology":"https://miscsubjects.com/api/articles/ontology","system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","health":"https://miscsubjects.com/api/articles/what-is-confused-deputy/health","repair":"POST https://miscsubjects.com/api/protocol/repair","list_articles":"https://miscsubjects.com/api/articles","graph_canvas":"https://miscsubjects.com/graph.html?slugs=what-is-confused-deputy","graph_yield":"https://miscsubjects.com/api/graph?slugs=what-is-confused-deputy&layer=yield","obsidian_vault":"https://miscsubjects.com/api/articles/obsidian-vault?slugs=what-is-confused-deputy","graph_query":"https://miscsubjects.com/api/v1/query?from=what-is-confused-deputy&kind=claim&where=tier=human"},"ask":{"description":"Answer only from topology; creates a question_node with gaps.","api":"POST https://miscsubjects.com/api/protocol/ask","body":{"slug":"{slug}","question":"string"},"imessage":"what-is-confused-deputy|your question","router_tag":"[ARTICLE_ASK]what-is-confused-deputy|question[/ARTICLE_ASK]","auth":"x-terminal-key header for API; iMessage/WhatsApp via miscsubjects build"},"ingest":{"description":"Parse pasted evidence → source ledger + claims + evidence_ingest node.","api":"POST https://miscsubjects.com/api/protocol/ingest","body":{"slug":"{slug}","evidence":"paste text","question_node_id":"optional qn_..."},"imessage":"ingest what-is-confused-deputy|q:{node_id}|paste evidence","router_tag":"[ARTICLE_INGEST]what-is-confused-deputy|evidence[/ARTICLE_INGEST]","tiers":["human","preclinical","anecdotal","mechanistic","speculative"]},"claim":{"description":"Prompt-injection style POST — one claim voxel with who_claims + posted_by provenance.","api":"POST https://miscsubjects.com/api/protocol/claim","body":{"slug":"{slug}","text":"one assertion","tier":"human|preclinical|anecdotal|mechanistic|speculative","who_claims":"study author, platform, or model id","source_ids":"optional [s1]"},"imessage":"claim what-is-confused-deputy|tier|assertion — who claims it?","router_tag":"[ARTICLE_CLAIM]what-is-confused-deputy|tier|assertion[/ARTICLE_CLAIM]","slots":["what_it_is","who_claims_what","what_is_known","what_is_unknown","mechanism","limitations","disclaimer"]},"tiers":{"human":0.8,"preclinical":0.5,"anecdotal":0.3,"mechanistic":0.3,"speculative":0.1},"invariants":["Self-explaining — every API JSON has _self; every paste widget has §SELF; root index at /api/articles/system-map","Append-only — revisions preserved at ?rev=n","Source chain verifies integrity, not truth","Answers must cite claim ids and source ids from topology","Not medical advice"],"constitution":{"version":1,"principle":"Articles are voxel graphs of claims — not prose blobs. Every assertion is a claim atom with tier, weight, source_ids, and posted_by provenance.","slots":[{"id":"what_it_is","required":true,"answers":"What is this peptide/stack/condition?"},{"id":"who_claims_what","required":true,"answers":"Who claims what — study authors, platforms, n=?"},{"id":"what_is_known","required":true,"answers":"What is known with tier labels (human/preclinical/anecdotal)"},{"id":"what_is_unknown","required":true,"answers":"What is NOT known — explicit gaps"},{"id":"mechanism","required":false,"answers":"Proposed mechanism (mechanistic tier only)"},{"id":"limitations","required":true,"answers":"Limits of evidence — no dose advice"},{"id":"disclaimer","required":true,"answers":"Not medical advice"}],"claim_rules":["One claim = one falsifiable assertion. No compound claims.","Every claim must declare tier: human|preclinical|anecdotal|mechanistic|speculative|system.","system tier = architecture/design axioms (not biological mechanism). Use for protocol self-definition.","Sourced claims must cite source_ids from the hash-chained ledger.","Unsourced claims must set source_status: unsourced and why_material.","posted_by is mandatory on every new claim (model id, human, or channel).","No medical advice, no doses, no 'you should take'.","Bad information is retracted (status:retracted), never deleted — retraction event stays on ledger.","Adversary challenges link via challenges[] / challenged_by[] — target may be downweighted.","Leaked secrets are scrubbed to [REDACTED:secret-leak] with scrub_events tombstone — honest audit trail."],"source_rules":["Every source is a voxel edge: type, url, exact quote, summary, found_by, accessed_at.","Sources hash-chain — prev/hash on append.","Anecdotal sources must name platform (reddit|x|youtube|imessage|user_entry)."],"ontology_rules":["Peptide articles (bpc-157, tb-500) are tree roots.","Condition articles (bpc-157-glp1-gut-damage) branch from peptides.","Stack articles (wolverine-stack-glp1) compose peptides — never duplicate peptide mechanism prose.","If an article has no parent embeds and is not a root peptide → sprawl candidate.","Misstep = duplicate scope with another slug; merge or reparent via embeds."],"post_protocol":{"claim":"POST /api/protocol/claim","source":"POST /api/protocol/sources","ingest":"POST /api/protocol/ingest","webhook":"POST /api/articles/<slug>/webhook {kind:claim|source}","imessage_claim":"claim {slug}|{tier}|your assertion — who claims it, source?","imessage_ingest":"ingest {slug}|evidence paste"}},"this_article":{"slug":"what-is-confused-deputy","url":"https://miscsubjects.com/a/what-is-confused-deputy","bundle_url":"https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle?format=markdown"}},"api_urls":{"bundle":"https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle","bundle_markdown":"https://miscsubjects.com/api/articles/what-is-confused-deputy/bundle?format=markdown","topology":"https://miscsubjects.com/api/articles/what-is-confused-deputy/topology","voxels":"https://miscsubjects.com/api/articles/what-is-confused-deputy/voxels","constitution":"https://miscsubjects.com/api/articles/constitution","ontology":"https://miscsubjects.com/api/articles/ontology","question_graph":"https://miscsubjects.com/api/articles/what-is-confused-deputy/question-graph","ask":"https://miscsubjects.com/api/protocol/ask","ingest":"https://miscsubjects.com/api/protocol/ingest","claim":"https://miscsubjects.com/api/protocol/claim","system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown"}}