Capability Host Protocol · evidence for what AI agents do
See exactly what your AI agents did.
Your agent reads files, runs commands, calls tools. Then a security review asks what it actually did — and the launch stalls. CHP captures every tool call as replayable, tamper-evident evidence. One command, no application code changes.
For anyone who has to prove what their AI did — to a security review, an auditor, a regulator, or a customer.
Start where the proof is real
One command. Every tool call, captured.
# One command — no application code changes required
chp hooks install
# → Hooks registered for Claude Code
# → Every tool call intercepted: Bash, Read, Edit, Write, WebFetch...
# → Evidence stored to ~/.chp/evidence.sqlite automatically
# Then inspect any session:
chp session list
chp session tree <session_id>
chp session autonomy-report <session_id>
chp session otel <session_id> --endpoint http://localhost:4318- Every tool call — Bash, Read, Edit, Write — captured as a typed evidence event.
- Replay any session by ID; denials are first-class, not swallowed exceptions.
- SHA256 hash-chained and local — the record a security or compliance review can replay and trust.
- Works with Claude Code, Codex, and Gemini CLI — and any Python host.
Provable today: local, tamper-evident replay. Hosted retention, role-based access, and compliance export are what we build with design partners.
How agent governance works →Applications
What people use it for.
The same evidence contract covers all of these — a human approval and an agent's action are the same kind of governed, provable event. Agents are where it is easiest to start.
See what an AI agent did
LiveCapture every tool call as replayable, tamper-evident evidence, and unblock the security review.
See it →Put a human approval in the record
DemonstratedMake a sign-off, consent, or authorization a first-class, provable event — not a side note.
How it would work →Prove why an automated decision happened
DemonstratedShow the reason a claim, credit, or eligibility decision went the way it did.
How it would work →Replay a process across hosts and orgs
DemonstratedReconstruct work that crossed machines, teams, and partners as one correlated trace.
How it would work →Gate a high-risk action at the boundary
DemonstratedDeny an action when policy, entitlement, or a safety check fails — recorded, not swallowed.
How it would work →Expose a product capability safely
DemonstratedTurn an API or service into a governed, discoverable, provable boundary.
How it would work →By industry
Demonstrated where governance matters.
Software is provable today. The rest show how the same primitives would work in your domain — each an open invitation to build it with us.
AI-native software
LiveProve what your agent did and unblock the security review.
See it →Insurance
Partner wantedA provable record of why an automated claim decision went the way it did.
Build it with us →Legal
Partner wantedChain of custody for AI-assisted review; privilege as governed decisions.
Build it with us →Healthcare
Partner wantedAI acts, a clinician signs off, both land in one replayable trace.
Build it with us →Manufacturing
Partner wantedHuman and agent commands governed by approval and safety invariants.
Build it with us →Financial services
Partner wantedApprovals and model-risk checks captured as a replayable evidence bundle.
Build it with us →The proof, end to end
From one action to a record you can defend.
The same four steps, whoever acts — scroll through them.
01
An action crosses the boundary.
A person, an agent, or a product invokes a capability. The moment it goes from intent to effect is the capability boundary — the one place to govern and prove what happens.
intent → effect
02
It emits a structured event.
The crossing produces a typed evidence event — outcome, subject, correlation — every time, by contract. Not a log someone remembered to write.
{
"event_type": "execution_completed",
"capability_id": "schedule_technician",
"correlation": { "id": "session-abc" },
"outcome": "success",
"subject": "agent://planner",
"hash": "9c7e…",
"redacted": true
}03
Events hash-chain.
Each event hashes the one before it. Alter one and every link after it breaks — tamper-evidence you can verify. Try it.
evidence chain · tamper-evident
each block hashes the one before it — chain verifies ✓
tip: click a block to alter it
04
The whole session replays.
One correlation id reconstructs the causal sequence across tools, agents, and hosts — in order, on demand. Denials and approvals included.
correlation: session-abc
one id · the actual ordered sequence, replayed
intent → effect
{
"event_type": "execution_completed",
"capability_id": "schedule_technician",
"correlation": { "id": "session-abc" },
"outcome": "success",
"subject": "agent://planner",
"hash": "9c7e…",
"redacted": true
}evidence chain · tamper-evident
each block hashes the one before it — chain verifies ✓
tip: click a block to alter it
correlation: session-abc
one id · the actual ordered sequence, replayed
Why it is different
Evidence, not telemetry. A protocol, not a feature.
Tool protocols govern what an agent can call. Observability watches machines. CHP treats a human approval, an agent action, and a product call as the same governed, provable event — so you can prove an entire process end to end.
Tool protocols
MCP, tool-calling
Observability
traces, spans
CHP
evidence
Answers
Tool protocols
What can the agent call?
Observability
Is the system healthy?
CHP
What happened — and can I prove it?
Record
Tool protocols
Tool calls, if logged
Observability
Sampled traces, mutable
CHP
Mandatory, tamper-evident evidence
Denials
Tool protocols
Protocol errors
Observability
A failed span
CHP
First-class outcomes, with reason
Spans
Tool protocols
One agent, one app
Observability
One system
CHP
People, agents, products — one trace
Go deeper
How it works
The mechanics — capability, contract, guarantees, evidence.
Read →Writing
Essays on evidence, the capability boundary, and each vertical.
Read →Protocol surface
The formal contract: descriptors, invocation, lifecycle, replay.
Read →Documentation
Concepts, quickstarts, the spec, schemas, and the registry.
Read →Build against the open protocol.
Spec, schemas, reference host, examples, and conformance suite are public.