Thryvate's developer argues AI agents need five design properties before they can safely publish to the public web. The naive primitive—dump HTML to a CDN URL—exposes half-finished drafts, leaks customer data, and leaves permanent links with no revocation.
Key facts
- Naive publish primitive: dump HTML to public CDN URL.
- Five properties: default-private, revocable, expiring, analytics, idempotent.
- MCP tools enforce policy; model handles intent.
- Public visibility must be a deliberate, reviewable step.
- Thryvate ships an MCP server with these design points.
The post, written by a builder at Thryvate who works on agent workflows, identifies the gap between a human hitting "publish" and an autonomous agent doing the same as one step in a longer plan. According to the source, the first version everyone writes is a tool that takes content and dumps it to object storage behind a public CDN URL: publish(html) -> https://cdn.example.com/a8f3c2.html. For a human, that's acceptable. For an agent, it's a landmine.
The five design properties
The post proposes five properties that turn the naive primitive into something trustworthy:
- Default to private, opt into public. Public should be an explicit parameter, not the fallback.
- Revocability. Anything an agent publishes must be un-publishable instantly.
- Expiry as a first-class field. "This link dies in 7 days" should be a parameter, not a cron job.
- Per-viewer visibility. Telemetry on who opened it and when doubles as leak detection.
- Idempotent updates. The second draft updates the same URL, not spray new ones.
Where MCP fits
The Model Context Protocol (MCP) provides a clean place to expose this surface. Instead of an agent shelling out to aws s3 cp, the developer gives it typed tools: publish_site(content, visibility="private"), set_link_expiry(site, days=7), add_to_allowlist(site, email), get_analytics(site). The access-control model lives in the tool layer, enforced and audited, instead of improvised by the model inside a bash command. "The agent reasons about intent, and the tools enforce policy," the post says. That separation is the whole game.
The guardrail that matters most
The single most useful guardrail the developer landed on: the agent can draft and stage a link, but flipping something to fully public stays a deliberate, reviewable step. It keeps the worst failure mode at "a draft sat private a little too long" instead of "an agent published the wrong thing to the open web."
Key Takeaways
- Thryvate argues AI agents need five design properties for safe web publishing: default-private, revocable, expiring, per-viewer analytics, and idempotent updates.
- MCP tools enforce policy while the model handles intent.
What to watch
Watch for the MCP ecosystem to adopt these design properties as a de facto standard for agent publishing tools. The key metric: how many MCP servers for publishing include default-private and revocability as first-class parameters rather than afterthoughts.
Source: dev.to








