Why a protocol
Evidence you can trust has to outlive the system that made it.
The hard part of governing agents and automation is not calling a tool. It is being able to prove, later and to someone skeptical, what was done and that it was allowed. That only works if the record is neutral, portable, and means the same thing across independent systems — which is what a protocol is for.
[Interactive figure: a tamper-evident evidence chain. Each block hashes the one before it, so the chain verifies.]
Why not just a feature of my agent framework?
A framework can record what its own tools did. It cannot be the neutral boundary that an auditor, a regulator, or a second framework will trust. Evidence is only useful when it outlives the system that produced it and means the same thing across independent implementations. That is a protocol problem, not a feature.
Won’t MCP or a model vendor just absorb this?
MCP and tool-calling answer “what can the model call.” CHP answers “what actually happened, who was denied, and can I replay it” — across hosts that no single vendor controls. A capability host can be a person, a business process, a device, or another vendor’s framework. The value is precisely the part a single vendor cannot own: independence and portability.
Why now?
Agents are being put into consequential work faster than anyone can prove what they did. The gap between “the agent acted” and “we can show what it did, and that it was allowed to” is becoming a launch blocker — first in software, then everywhere a wrong action is expensive.
Why an open, conformance-backed boundary?
Trust that depends on one vendor staying in business, or one framework staying in fashion, is not trust. A small, versioned spec with a conformance suite lets independent hosts prove they behave the same way — so the evidence is portable and the boundary survives vendor moves.
What it does not replace
CHP is deliberately narrow.
It standardizes one boundary — how capabilities are declared, called, governed, and proven — and stays out of the model, framework, cloud, and policy engine you already chose.
MCP / tool calling
You already chose: Exposes tools to a model.
What CHP adds: Records and governs the execution around those calls.
OpenTelemetry
You already chose: Observes systems with traces and spans.
What CHP adds: Makes evidence and denial part of the invocation contract — not optional logs.
Temporal / workflow engines
You already chose: Orchestrate durable workflows.
What CHP adds: Evidences the individual capability calls inside them.
Application authorization
You already chose: Decides who may act.
What CHP adds: Records that the decision happened, and lets you replay it.
If this has happened
The protocol should meet the failure before the demo does.
CHP is for teams that have already learned that hosted capabilities need more than a callable function and a hopeful log line.
Capability contracts change quietly.
Callers discover the mismatch during execution, after a person, agent, app, or workflow has already planned around the capability.
CHP makes host, protocol, and capability versions explicit before invocation.
Sensitive capabilities look like ordinary functions.
Authorization, subject context, host timeout policy, and denials end up scattered across app glue.
CHP carries policy and entitlement metadata and returns denials as structured protocol outcomes.
Logs are not evidence.
After an incident, teams cannot reconstruct the ordered action trail across hosts and runtimes.
CHP emits replayable evidence tied to capability ID, version, host, sequence, and correlation ID.
Hosts disappear or disable actions.
Callers infer lifecycle state from transport errors, exceptions, or framework-specific behavior.
CHP treats unknown hosts, unavailable capabilities, and lifecycle violations as first-class outcomes.
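An added example, not taken from the CHP spec or any CHP implementation: a minimal hash-chained evidence log showing why "each block hashes the one before it" makes an after-the-fact edit detectable. The record layout, the JSON field names, the use of SHA-256 over canonical JSON, the `GENESIS` value and the sample hosts and capabilities are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

def digest(body):
    # Canonical JSON so independent verifiers hash identical bytes.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append(chain, host, capability_id, version, correlation_id, outcome):
    """Append one evidence record linked to the hash of the previous one."""
    body = {
        "sequence": len(chain),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
        "host": host,
        "capability_id": capability_id,
        "version": version,
        "correlation_id": correlation_id,
        "outcome": outcome,  # denials are recorded, not dropped
    }
    chain.append(dict(body, hash=digest(body)))

def verify(chain, expected_tip=None):
    """Return (ok, index of the first record that fails, or None)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if (rec.get("sequence") != i or rec.get("prev_hash") != prev
                or digest(body) != rec.get("hash")):
            return False, i
        prev = rec["hash"]
    # A tip hash stored outside the host catches truncation of the tail.
    if expected_tip is not None and prev != expected_tip:
        return False, len(chain)
    return True, None

def build_sample():
    """Constructed sample data: three calls under one correlation ID."""
    chain = []
    append(chain, "host-a", "repo.read", "1.0.0", "corr-001", "allowed")
    append(chain, "host-a", "repo.delete", "1.0.0", "corr-001", "denied")
    append(chain, "host-b", "ticket.create", "2.1.0", "corr-001", "allowed")
    return chain

if __name__ == "__main__":
    chain = build_sample()
    print(verify(chain))                    # intact chain
    chain[1]["outcome"] = "allowed"         # rewrite a denial after the fact
    print(verify(chain))
```

A bare hash chain does not stop someone who can recompute every hash from the altered record onward, and it cannot see a truncated tail; the latest hash has to be signed or stored somewhere the host does not control, which is what `expected_tip` stands in for here.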
Why CHP exists
Hosted capability needs a public protocol boundary.
CHP separates the hosts that expose capabilities from the actors and systems that call them. The protocol makes discovery, invocation, governance, evidence, and replay portable across independent implementations.
Capability hosts
Expose reliable capability surfaces.
Publish typed manifests, lifecycle state, version compatibility, permission requirements, and structured invocation outcomes.
Agents and frameworks
Call tools through a stable contract.
Discover available capabilities, request invocations with correlation context, and handle denials or unavailable hosts predictably.
Applications
Compose governed workflows.
Route high-value actions through capability hosts without baking every provider, policy engine, or audit path into the app.
Infrastructure providers
Build trust layers around the protocol.
Validate host descriptors, enforce policy checks, stitch evidence, export telemetry, and run conformance for independent hosts.
See the boundary where the proof is already real.
Start with agents: one command captures every tool call as replayable, tamper-evident evidence — then read the spec to see how narrow the contract really is.