A worker reviews a document alongside a small robot holding a CHAP section summary in an open-plan office

CHAP · The Collaborative Human-Agent Protocol

Including the
responsible human

CHAP is the open standard for multi-human, multi-agent collaboration. Designed to work with MCP and A2A.

An agent drafts a decision. A human approves, edits or overrides it. Yet that moment of judgement, often the most valuable signal in the system, usually vanishes. Into chat threads, ticket comments and tribal memory.

CHAP turns it into a structured, verifiable record.

01

What it is

Audit trails for change

Maya, a senior support agent, will review dozens of agent message drafts this afternoon – thousands by year-end. Most she approves; a few she edits before sending. Without capturing her changes – and implementing a learning loop – the agent will make the same mistake next time.

What Maya does

We sincerely apologise for the extreme delay just wanted to follow up, your order is in transit and will arrive within the next three business days. We deeply regret any inconvenience caused. Let me know if you don't see it by then.

Her reason, in her words
Tone too apologetic for a routine tracking question
What CHAP records · wire shape (illustrative)
// a human override, captured as structured data
{
  "method": "decide.override",
  "params": {
    "task": "tsk_01HZ9YX7K3X8M2V4",
    "diff": [
      { "op": "replace", "path": "/body",  "value": "Thanks for following up…" }
    ],
    "intent_preserved": true,        // refined the result, didn't substitute it
    "rationale": "Over-apologetic for a routine tracking enquiry.",
    "tags": ["tone-softened"],
    "policy_refs": ["support-tone-v2"]
  },
  "evidence": { "prev_hash": "sha256:9f3c…", "sig": "ed25519:…" }
}

Now, Maya edits the draft and types a one-line reason as she saves. The change is saved, along with her reason as the rationale. Which means any person, or AI tool, can apply her judgement – in the next five minutes or decades later.

CHAP records the everyday actions of everyday work. And builds intelligence capital across the organisation.

The common actions it manages include:

delegateacceptdeclinecompletereviewapproveoverrideabstainescalatehand offpauseresume
02

Why CHAP?

Because we're accountable for what is decided

Underwriters own every decision. A Qualified Person signs-off a batch. An operator owns the line. So when you are using AI, human oversight needs to happen. And afterwards, it must be provable that it happened.

CHAP adds the missing piece:

Agent proposes Human decides CHAP records Team can prove, AI can learn
CHAP This layer · humans
Humans, agents and services collaborating in an auditable workspace
A2A Agents → agents
Agents delegating to other agents
MCP Agents → tools
Agents calling tools and data

CHAP composes with both – tool calls are recorded as citations; A2A peers appear as participants.

The benefits of CHAP

CHAP pays off at the project, programme, site and organisation level.

Less risk – at a lower cost.

Build with CHAP and human-agent collaboration becomes systematised with a single common, standard method. No more reinvention for critical functions such as approvals, overrides or audit trails.

One record across tools.

Instead of approvals scattered across Slack, Jira, CRM notes and model logs, CHAP gives them one shape. So if a decision is challenged, the answer is a query, not a reconstruction exercise.

Open standards are optimal.

Just like MCP or HTTP, building with CHAP means you're not locked into one vendor's platform. And when the subject matter is the accountability layer, betting on an at-cost proprietary format may not feel optimal.

CHAP supports the records these regimes ask for – it does not make a system compliant by itself, but it produces the verifiable evidence that supports oversight, logging and incident review.

EU AI Act · Art 14 & 12NIST AI RMFGMP Annex 11DORASOX-404SMCRHIPAA

CHAP can answer all of these.

Eight questions every CHAP deployment can answer – straight from the evidence log.

Who delegated this work?
task.assign
Which agent and which tools did the work?
citations · mcp_tool_invocation
Was it reviewed, overridden or abstained – and why?
review · decide.override · abstain
What changed, and under which policy?
diff · policy_refs
Which mode was the agent in – shadow, trial or production?
modes
What was the abstention reason?
insufficient_evidence · policy_conflict · authority_boundary
Was there a handoff, deliberation or rollback?
handoff · deliberate · control
Can a third party verify the chain wasn't altered?
audit.read · evidence chain
CHAP answers all eight from the evidence chain – and with the security-signed and audit-scitt profiles the record is verifiable offline, without trusting any vendor.
If accountability sits with you, let's talk about the evidence layer.
Talk to us
03

See it work

This is CHAP in action

Click through this CHAP session. You will see that every action – acceptances, reviews, overrides and assigns – become an entry in the audit log. Which you can review and replay. Notice that the overrides are collected – by tag – at the end. That's the learning signal CHAP captures. All as a by-product of normal review.

Workspace
wsp_support_triage
Live
M
Maya
human · reviewer
T
Triage Bot
agent · drafter
C
Coordinator
service · workspace
0 / 6
Click Start to walk through a real CHAP flow, envelope by envelope.
04

At every scale

Always the same building blocks

Whether you're using CHAP for a personal project – or implementing it across a global, regulated estate in a GMP environment, CHAP helps you get started with 12 worked scenarios directly available in the repo. Despite a wide range of use cases, each reuses the same primitives:

  1. A typed override with the difference and reason for it
  2. A clarifying question
  3. A context-preserving handoff
  4. A signed approval that becomes externally verifiable

Here are six of the 12 scenarios:

Biopharma · GMP
A pressure drop on the fill-finish line

Deviation → investigation → QP release, signed with regulatory credentials and externally anchored.

Insurance · FCA Consumer Duty
The bereavement that changes everything

Vulnerability-based routing plus handler override with policy citations – evidence of meaningful review within SLA.

Wealth · SMCR / SOX
Five years on, the regulator asks

Replay an advisor's approval chain across years to prove control continuity and suitability.

Medtech
A device-complaint triage

Abstention on authority boundary escalates to a qualified human – recorded, with the reason typed.

Manufacturing
An operator agent in production

Mode-gated promotion: the agent earns production only on evidence from the chain.

Creative · dispute
'We never approved that'

A non-repudiable signed approval tied to a content version by hash settles it.

See all scenarios in the repo →

05

For builders

Get started in five minutes.

Run the reference server locally, then send JSON-RPC envelopes with curl. No SDK, identity provider or signing setup needed for the first walkthrough.

git clone https://github.com/BrightbeamAI/chap
cd chap/reference/core && npm install && npm run start:demo
# CHAP Core → http://localhost:8080/chap  ·  then send envelopes with curl
examples/00-five-minute-start.md
# with the reference server running – envelope 1: Alice joins as a reviewer
curl -s -X POST http://localhost:8080/chap \
  -H 'Content-Type: application/json' \
  -d '{
    "jsonrpc": "2.0",
    "id": "1",
    "method": "participant.join",
    "params": {
      "workspace":    "wsp_demo",
      "from":         "human:[email protected]",
      "to":           "service:[email protected]",
      "ts":           "2026-05-17T09:00:00Z",
      "type":         "human",
      "display_name": "Alice",
      "role":         "reviewer"
    }
  }' | jq

# then: join the bot → describe → create → progress → complete → audit.read

The anatomy.

Workspace

The shared, policy-bound room.

Participants

Humans, agents, services – typed addresses.

Tasks

The units of work they hold.

Artefacts

Drafts, decisions, overrides, citations.

Evidence log

Append-only, hash-linked – signed with the security-signed profile.

The seven methods in the core.

The anatomy is driven end-to-end by just seven calls.

workspace.describeWhat is this room? Who's in it? Which profiles are advertised?
participant.joinAdd a human, agent or service to the workspace.
participant.leaveRemove a participant.
task.createDelegate work to an assignee with structured input.
task.updateReport progress; transition state.
task.completeDeliver output and finalise the task.
audit.readQuery the workspace's history with filters and ranges.

That's enough to run a conformant workspace. Everything else is an optional profile layered on top.

Add the profiles you need

A small core. Optional everything else.

Everything beyond the deliberately small core is an optional, versioned profile. Only add when you need it – advertised at runtime through workspace.describe.

Immutability is itself an optional profile – blockchain is only one way to implement it, never part of the core.

Featured · deliberation

'A veto with reasoning is permanently part of the audit log. The minority view is not erased.'

Start here core + 1
coreMandatory
Workspaces, participants, tasks, append-only audit log. Seven Core methods.
reviewHighest value
Request, approve, reject, override, abstain, escalate. The profile you just saw in the demo.
Workflow 5 profiles
modes
Shadow → trial → production. Roll out new agent versions safely.
Safe agent rollout
routing
Cost, criticality and confidence signals carried, not interpreted.
Match review depth to risk
deliberation
Quorum, weighted votes, vetoes. Group decisions that keep the dissent.
Multi-approver sign-offs
whisper
Deadline-bound interrupt questions with a default if it lapses.
The tap on the shoulder
handoff
Propose, accept or decline a transfer of work, with context preserved.
Shift changes · time-zone handovers
Identity & trust 4 profiles
identity-oidc
OIDC binding – reuse your existing identity layer; the private key never leaves the device.
Enterprise SSO
identity-vc
W3C Verifiable Credentials – a qualification asserted cryptographically in the workspace.
Regulated professions
security-signed
Ed25519 + JCS canonicalisation. Per-message non-repudiation.
Signed at origin
audit-scitt
IETF SCITT transparency log. Offline-verifiable receipts.
Regulatory audit
Operations 1 profile
control
Pause, resume, snapshot and roll back agent work. The operational control plane.
Incident response

It works with what is already there.

CHAP defers to good standards everywhere else. MCP tool calls are recorded as citations, not re-implemented. A2A peers appear as bridge participants.

JSON-RPC 2.0envelopes
OIDC / W3C VCidentity
IETF SCITTtransparency log
in-totoattestations
MCPtool calls as citations
A2Apeers as participants

One query, one chain, three protocols.

Ready-to-adapt how-to guides ship in the repo: CHAP + MCP · CHAP + A2A · CHAP + OIDC.

A real audit trail

One session, end to end.

A task assigned and accepted, worked with a cited tool call, reviewed, overridden with a rationale, put to a weighted group decision, and signed off – every entry hash-linked and replayable years later. The paper's Appendix A trace.

wsp_claims_review · evidence chain 15 entries · hash-linked · signed at origin
000
task.assign
A claim is delegated to the agent. human:handler → agent:claims-bot
001
task.accept
The agent accepts the work. agent:claims-bot
002
task.start
Work begins; the task transitions to in-progress.
003
whisper.ask
A quick, deadline-bound question to a human – the tap on the shoulder.
004
whisper.answer
The human answers in seconds; the answer is recorded.
005
task.complete
The agent delivers a draft – with MCP tool calls recorded as citations (server, call id, input + output hashes).
006
review.request
The draft is sent for human review. agent:claims-bot → human:handler
007
decide.override
The handler overrides – diff, rationale, tags and policy refs captured together. The killer entry.
008
deliberate.open
A point too big for one approver goes to a weighted group decision.
009
deliberate.vote
Each vote carries yea / nay / abstain and an optional weight.
010
deliberate.close
Outcome computed against the decision rule. A veto, if any, stays in the log with its reasoning.
011
task.assign
A follow-up credit task is delegated as a result of the decision.
012
task.complete
The follow-up is delivered and finalised.
013
notify.message
Participants are notified the chain is settled.
014
audit.read
Anyone with access can replay the full history – and verify it wasn't altered.
Each entry: prev_hash = SHA-256(JCS(envelope) ‖ sig) – rewriting any line breaks every hash after it. The Coordinator is trusted for routing and ordering, but not for content.

The audit log becomes the point.

Because every override carries a typed diff – and a reason – the audit log becomes a tuning dataset as a side effect of normal work. It tells the systems not just that a human stepped in, but why.

A high refining-override rate

means the agent reached the right decision the wrong way – weak retrieval, a poor template.

A high substituting-override rate

means it reached the wrong decision – ambiguous policy, missing context.

These tune to different fixes. Abstention rates tell you where the human/agent boundary should sit. You can slice overrides by model version, task kind, policy, reviewer role and tag – without scraping a single final document.

Why open – and why from us

Open standards gain most traction

TCP/IP, HTTP, OAuth, OIDC and now MCP – the pattern is consistent. Open, shared standards become the basis of many platforms. And given that the collaboration between humans and agents will have to be standardised – one way or another – we believe better in the open, with as many implementers contributing as possible.

Built against capture

At least three Steering Committee seats must be held by people not employed by the largest contributor. No single party – including us – can steer it.

Grounded in running code

A CHAP Enhancement Proposal cannot be accepted without a working reference implementation. Vendor-specific extensions are out of scope.

Status, and the road to 1.0.

CHAP is v0.2 – a public draft. The wire format and schemas are stable for review; the Core runs; the review profile and a routing-aware playground are runnable; conformance scaffolding is in the repo. Wire-format changes in 0.x remain possible – we're inviting feedback before committing to 1.0.

Runs today
Tier 1

Minimal

The seven Core methods, Ed25519, hash chain, one transport. The weekend build.

Runs today
Tier 2

Recommended

Adds override, abstain, escalate, handoff, whisper, capture, plus OIDC human identity and MCP composition.

Planned
Tier 3

Full

Needs a second, independent implementation passing the same interop suite – one from outside Brightbeam; our TypeScript and Python references don't count. That is the headline step to 1.0.

The method catalogue holds 39 method handlers – seven for the Core path, nine for Minimal conformance. Hierarchical workspaces are an explicit candidate for v0.3. Security note: Ed25519 lacks post-quantum resistance – hybrid post-quantum signatures are named as future work. CHANGELOG · SPECIFICATION

Build it in the open

The most useful thing you can build right now is your second implementation.

CHAP is licensed CC-BY 4.0 for the specification and Apache 2.0 for the code, implementable royalty-free in any language.

Small changes → a pull request

Typos, examples, test vectors, integrations go straight to a PR.

Bigger changes → a CEP

New methods, transports or breaking changes go through a CHAP Enhancement Proposal and rough working-group consensus.

'The Human–Agent Symphony will not emerge simply because models improve. It will emerge when the collaboration layer between humans and agents becomes explicit, observable, portable and shared. CHAP is a proposal for that layer.'

CHAP paper · §15
Start on GitHub Read a CEP Build an implementation

FAQ

Questions we are asked.

For leaders
Teams building human-agent systems in regulated environments – biopharma, medtech, insurance, financial services, manufacturing – where accountability is enforced by regulators, not goodwill.
A legitimate concern. The governance of how aggregations are used matters more than the raw data – and the same record that holds people accountable also protects them by showing exactly what they did, when, and why.
The evidence chain holds only participant URIs and keys – PII stays in a separate, mutable store. Redaction swaps content for a placeholder while keeping the hash and signature, so the fact of redaction is itself permanently recorded; key rotation supports erasure.
Yes – CC-BY 4.0 for the specification and Apache 2.0 for the code, royalty-free, any language, any deployment. Specs, schemas, reference code, conformance suites and even meeting notes are public.
For builders
It composes with them; it doesn't compete. MCP tool calls are recorded as citations; A2A peers appear as participants. CHAP only adds the human layer the other two leave out.
Elicitation captures a moment of consent. CHAP captures the relationship – override with rationale, typed abstention, handoff, and a portable, verifiable evidence log across the whole task.
Those give you chat. CHAP gives you a portable audit, structured overrides, mode promotion and open standards instead of vendor lock-in – the record survives the tool you used to create it.
Workflow engines handle orchestration – the 'how'. CHAP handles structure and accountability – the 'what' and 'who'. They sit at different layers and compose cleanly.
v0.2 – a public draft with working reference code and a conformance harness. The wire may still change in 0.x; we want feedback before committing to 1.0. The headline step to 1.0 is a second independent implementation – independent meaning from outside Brightbeam; the two reference implementations are both ours.

The third protocol

One clear record of how people and agents work together.

Better models won't create it. An open standard will. CHAP is that protocol.

Start on GitHub Read the paper