Introduction

The Problem

87% of AI agent systems lack safety cards. Every major agent protocol — MCP, A2A, ACP, AGNTCY — defines how agents communicate. None define whether a worker should be trusted to execute, under what controls, with what blast radius, and with what evidence.

The result is four recurring failure patterns:

The Blast Radius Accident. An agent calls a worker with write access. The worker fails mid-execution. Nobody knows how far the damage spread. No audit trail. No blast radius score was ever computed.

The Silent Failure. A worker fails. No notification. No dead-letter queue. The agent retries. The worker fails again. The system appears to be running. Nothing is happening.

The Hallucinated Tool Call. An agent calls a capability that doesn’t exist. The system returns a generic error. The agent retries with a different tool. Neither call was governed, logged, or attributable.

The Unqualified Worker. An agent dispatches a worker to handle sensitive data. The worker was never certified for that data label. No policy gate exists. The data moves without authorization.

WCP is the answer to all four patterns.

What WCP Defines

WCP (Worker Class Protocol) is an open standard for governing the dispatch of AI workers. It defines:

• Classification — how workers declare their capabilities, risk tier, and blast radius before they are ever called
• Routing — how capability requests are matched to enrolled workers through a policy-aware dispatch engine
• Controls — what governance invariants must be satisfied before a worker can be dispatched
• Evidence — the mandatory audit trail that every dispatch produces, regardless of outcome

Note

WCP does not define a transport. WCP does not define an agent architecture. WCP defines the governance layer between a capability request and its execution — the layer that answers: should this worker be trusted with this job, under these conditions, with this data?

The Union Hall Metaphor

Agents are contractors. Workers are tradespeople. The Hall is the union hiring hall.

In a union hall, contractors who have signed a labor agreement can dispatch trained, certified workers. An unknown contractor showing up at the dispatch window is turned away. Workers must be enrolled — credentials verified, capabilities declared, controls confirmed — before they can be dispatched.

WCP implements the same principle for AI systems:

1. Workers enroll with a registry record that declares capabilities, risk tier, controls implemented, and blast radius
2. Agents make capability requests — not “call worker X by name,” but “I need cap.doc.summarize”
3. The Hall routes the request: matches rules, verifies controls, scores blast radius, evaluates policy gate
4. The Hall returns a RouteDecision — a cryptographic evidence receipt documenting every governance decision made, including an artifact hash of the worker record

No enrollment means no dispatch. The Hall fails closed: if no routing rule matches a capability, the decision is denied. Unknown capabilities are never executed.

Where WCP Fits in the Stack

WCP is not a replacement for MCP or A2A. It is an additive governance layer:

Agent reasoning (Claude, GPT, local LLM)
         ↓
WCP Hall (capability request → governed routing → dispatch)
         ↓
Transport (MCP stdio, HTTP, A2A, direct subprocess)
         ↓
Worker execution

WCP answers: should this worker execute? MCP answers: how does the agent call the tool? A2A answers: how do agents communicate with each other?

In the FAFO Lab protocol stack: H2A (Discord) handles human-to-agent communication. AGP (future) handles agent governance. WCP governs workers. MCP and A2A handle transport.

A WCP-governed worker can be exposed as an MCP tool. A2A agents can make WCP capability requests. The governance layer is additive, not exclusive.

Note

Worker Class Protocol (WCP) and Work Context Protocol are different protocols solving different problems at different layers of the stack.

Work Context Protocol addresses persistent work/task context and workflow continuity across agent sessions — structured project memory for agents and humans.

Worker Class Protocol (WCP) addresses execution governance: capability authorization, policy-gated dispatch, worker integrity attestation, and cryptographic evidence semantics. It governs what is allowed to run and how that is proven, not what needs to be done.

A mature agent stack can use both: Work Context Protocol for shared project memory, Worker Class Protocol for fail-closed execution governance. They are complementary, not competing.

The canonical reference for Worker Class Protocol is workerclassprotocol.dev.

Who WCP Is For

WCP scales from a solo developer’s laptop to a multi-tenant production enterprise fleet.

A solo developer running a local Hall API gets governed dispatch, blast radius containment, and an evidence trail — with zero cloud dependencies and zero vendor lock-in. Swap a profile from prof.dev.permissive to prof.prod.strict and the same worker fleet runs under production discipline with no code changes.

An enterprise deployment adds signatory tenant validation, HSM-signed attestation, and the full WCP-Full compliance tier — including require_signatory: true and require_worker_attestation: true — without modifying worker code.

No cloud required. No lock-in. SDKs for Python, TypeScript, and Go. Hall Monitor desktop app for macOS, Windows, and Linux.

pyhall as a selling point

Developers building AI-powered products use pyhall as a trust signal to their own customers. Just as Stripe is the trust signal for payments and AWS is the trust signal for infrastructure — pyhall is the first and only trust signal for AI worker governance.

When your product runs on pyhall, you can tell your enterprise customer’s security team, compliance officer, or CTO: every AI worker in this system is registered, attested, and governed. Every routing decision produces a cryptographic evidence receipt with an artifact hash of the worker record. If a worker is compromised, it is banned network-wide and your Hall stops dispatching it — automatically.

That is something you put in front of a customer. “We use pyhall” is not a technical detail. It is a statement about how you build.

WCP Compliance Levels

Level	Requirements
WCP-Basic	Capability routing · fail-closed · deterministic
WCP-Standard	+ Controls enforcement · mandatory telemetry · dry-run
WCP-Full	+ Blast radius · privilege envelopes · policy gate · evidence receipts · discovery API · signatory tenant validation · worker code attestation

PyHall implements WCP-Full.

---

Ready to run it? Start with Quick Start — five minutes to a governed dispatch.

Want the full specification? The WCP v0.1 spec defines every required behavior with RFC 2119 language.