Capability Host Protocol · evidence for what AI agents do

See exactly what your AI agents did.

Your agent reads files, runs commands, calls tools. Then a security review asks what it actually did — and the launch stalls. CHP captures every tool call as replayable, tamper-evident evidence. One command, no application code changes.

For anyone who has to prove what their AI did — to a security review, an auditor, a regulator, or a customer.

$ chp hooks install

Start where the proof is real

One command. Every tool call, captured.

chp hooks install
bash
# One command — no application code changes required
chp hooks install

# → Hooks registered for Claude Code
# → Every tool call intercepted: Bash, Read, Edit, Write, WebFetch...
# → Evidence stored to ~/.chp/evidence.sqlite automatically

# Then inspect any session:
chp session list
chp session tree <session_id>
chp session autonomy-report <session_id>
chp session otel <session_id> --endpoint http://localhost:4318
  • Every tool call — Bash, Read, Edit, Write — captured as a typed evidence event.
  • Replay any session by ID; denials are first-class, not swallowed exceptions.
  • SHA256 hash-chained and local — the record a security or compliance review can replay and trust.
  • Works with Claude Code, Codex, and Gemini CLI — and any Python host.

Provable today: local, tamper-evident replay. Hosted retention, role-based access, and compliance export are what we build with design partners.

How agent governance works →

The proof, end to end

From one action to a record you can defend.

The same four steps, whoever acts — scroll through them.

01

An action crosses the boundary.

A person, an agent, or a product invokes a capability. The moment it goes from intent to effect is the capability boundary — the one place to govern and prove what happens.

intent → effect

Human
Agent
Product
boundary
governed effect

02

It emits a structured event.

The crossing produces a typed evidence event — outcome, subject, correlation — every time, by contract. Not a log someone remembered to write.

evidence event
{
  "event_type": "execution_completed",
  "capability_id": "schedule_technician",
  "correlation": { "id": "session-abc" },
  "outcome": "success",
  "subject": "agent://planner",
  "hash": "9c7e…",
  "redacted": true
}

03

Events hash-chain.

Each event hashes the one before it. Alter one and every link after it breaks — tamper-evidence you can verify. Try it.

evidence chain · tamper-evident

each block hashes the one before it — chain verifies ✓

tip: click a block to alter it

04

The whole session replays.

One correlation id reconstructs the causal sequence across tools, agents, and hosts — in order, on demand. Denials and approvals included.

correlation: session-abc

start
read
approve
denied
done

one id · the actual ordered sequence, replayed

Why it is different

Evidence, not telemetry. A protocol, not a feature.

Tool protocols govern what an agent can call. Observability watches machines. CHP treats a human approval, an agent action, and a product call as the same governed, provable event — so you can prove an entire process end to end.

Answers

Tool protocols

What can the agent call?

Observability

Is the system healthy?

CHP

What happened — and can I prove it?

Record

Tool protocols

Tool calls, if logged

Observability

Sampled traces, mutable

CHP

Mandatory, tamper-evident evidence

Denials

Tool protocols

Protocol errors

Observability

A failed span

CHP

First-class outcomes, with reason

Spans

Tool protocols

One agent, one app

Observability

One system

CHP

People, agents, products — one trace

Build against the open protocol.

Spec, schemas, reference host, examples, and conformance suite are public.