KDCube
KDCube Press

KDCube Writing

Engineering deep dives, industry perspective, implementation notes, and practical recipes.

47 articles · latest 2026-07-04

Search covers titles, summaries, tags and full article text.

Create Delegated Automation Access

A signed-in KDCube user can now mint a short-lived bearer token for their own automation, scoped server-side by resource_grants ( resource → grants[] ) plus selected operations. The token is only a handle — the guard loads the server-side grant record and enforces resource-grant matching per call. Grants never union across resources: {A: read, B: write} c...

connection-hubdelegated-accessresource_grantsautomationbearer-token
2026-07-04

Public Content To CDN: Make App Content Discoverable

App content was visible to humans, invisible to crawlers — SPA shells with no title, body, or structured data. This entry records the new public content surface: an app declares an alias and publishes items into a registry; the platform serves crawlable pages, JSON-LD, canonical/OG metadata, and a per-alias sitemap.xml — runtime-updated, no rebuilds — and...

public-contentseositemapjson-ldcdn
2026-07-03

Setting Up Platform Authority In KDCube

KDCube can turn a browser user into a platform user through Cognito, multiple Cognito pools, a local SimpleIDP, or an application-hosted login. These are not interchangeable — they differ in who proves the user, which credential is written, and which verifier accepts it. This overview puts all methods side by side, anchored on one contract: Connection Hub...

platform-authoritycognitomulti-cognitosimpleidpapplication-hosted
2026-07-03

Connect Your Named Services To Claude Code

Field notes from making a KDCube named service — conversations ( conv ) — usable by Claude Code as an external agent over the managed named_services MCP surface. What bit us once a real agent started calling it: binary files returned as base64 blew the model's context, so they now come back as a short-lived download link ; and refs had to be made self-con...

named-servicesmcpclaude-codeconvfiles-over-mcp
2026-07-02

Your Application As A Platform Authority

Sometimes the product already has a login page, a branded sign-in, or an upstream proof like Google. An application can host the platform login and consent screens while Connection Hub owns the authority registry and KDCube still verifies a standard platform session. This piece walks the split: the app hosts the door, Connection Hub registers what the doo...

connection-hubauthority-registryapplication-sessionplatform-logindelegated-credentials
2026-07-02

The Conversation Is a Lane

Accepted external events are kept in an ordered lane keyed by the full id_card : tenant, project, user, conversation, and agent. A turn is a consumer that briefly owns that lane. The hard part is not delivery — it is ownership when turns overlap, and guaranteeing a stale turn can never commit. This piece walks the path from client action to folded block t...

event-busexternal-eventsevent-laneownershipsupersession
2026-07-02

Named services can now leave KDCube through a delegated MCP connector

The same named-service realm an in-platform agent reads internally, a user's own external agent can now read too — through one guarded MCP door , scoped to exactly what the user consented to. The durable memory realm ( mem ) is live today; task and cnv are the same pattern, not yet on MCP. This is the payoff of "portable memory": build the realm once, and...

named-servicesmcpdelegated-credentialportable-memoryagent-portable-realms
2026-06-30

Connecting A Telegram Channel To KDCube Through Connection Hub

Field notes on the Telegram channel integration for KDCube Companion: a Telegram webhook for messages, a Telegram Mini App for UI, and Connection Hub linking the Telegram actor to a KDCube platform identity through an explicit edge . The Telegram actor stays telegram_<id> ; platform authority, economics, and identity-family are projected only through sele...

connection-hubtelegrammini-appconnection-edgeidentity-family
2026-06-30

Authenticated MCP In KDCube: Delegated Credentials, Not Shared Secrets

An external client speaks MCP and wants a KDCube service. The lazy answer — a shared secret — fails the moment you ask whose data it acts on, what it may do, who pays, and how to turn one connection off. KDCube's answer is a delegated credential : a bearer KDCube issues, scopes to one resource, narrows to consented tools and grants, and records back to th...

mcpoauthdelegated-credentialsconnection-hubpkce
2026-06-30

The Three Memory Realms

A user's memory here is not one store but three folds , each a different aspect: mem holds curated durable entities (what is true), conv records the temporal stream with its production context (what happened, when & where), and cnv gathers cross-world references on a focus board (what is kept at hand). Formed differently, meaning different things, designe...

memorymemconvcnvrecall
2026-06-29

Protecting KDCube Surfaces With Managed Credentials

Your MCP handler should never see an unauthorized call. A managed surface declares its auth in descriptors; one shared Connection Hub guard then runs a fixed sequence of fail-closed checks — credential valid → authority → resource (exact) → tool allowed → grants present → tool consented — before the bundle handler is ever called. This Deep piece walks the...

connection-hubmanaged-credentialssurface-guarddescriptorsmcp
2026-06-29

Delegating A KDCube Service To An External App

You have an external app and you want it to reach one KDCube service. Connecting it issues a delegated credential — carrying only the resource grants and selected operations/tools you approved, recorded as a durable consent edge that keeps the app as its own actor and you as the grantor. This Deep piece walks the connect → consent → delegated-credential f...

connection-hubdelegated-credentialconsentmcpleast-privilege
2026-06-29
← Newer25–36 of 47Older →