CRP Header Specification

Motivation: HTTP did this for the web

Before HTTP headers, every client-server interaction was bespoke — you sent a request, you got bytes back, and nothing in between knew what had happened. Headers created a universal metadata contract: any hop in the chain could read it, act on it, forward it, or gate on it — without touching the payload.

AI calls are in exactly that chaos today. A raw LLM response carries zero standardised metadata. Was it grounded? Did it hallucinate? What session is this? What was the risk classification? Nobody knows without bespoke instrumentation bolted on top.

CRP already computes all of this internally. The Quality Report, the DPE analysis, the HMAC chain, the EU AI Act classification, the 4-tier memory state — it all exists. Headers make it portable, language-agnostic, and interceptable by any middleware.

The mapping

Architecture

Headers flow in both directions through the CRP gateway (sidecar). On a request, the client sends preference and policy headers. On a response, the gateway emits state and signal headers computed from the dispatch pipeline.

Header Namespaces

Six namespaces, each mapping directly to an existing layer of the CRP protocol. Nothing is invented — everything is a header-form expression of data CRP already produces.

CRP-Context-* — Envelope State Headers

Sourced directly from the Context Envelope and Quality Report. Every field maps 1:1 to an existing CRP internal value.

CRP-Safety-* — Hallucination & Risk Headers

Sourced from the Decision Provenance Engine (DPE) — the 13-module pipeline that runs after every dispatch. These are the most important headers for downstream applications: any middleware can now gate on AI safety signals without touching the CRP SDK.

CRP-Provenance-* — Audit Chain Headers

Sourced from the HMAC-SHA256 session binding and Window DAG. These headers make tamper-evidence portable — any downstream system can verify chain integrity without having the full audit log locally.

CRP-Compliance-* — Regulatory Headers

Sourced from CRP Comply and the compliance pipeline. The audit trail URI is the killer header — it deep-links every AI response to its regulatory evidence pack in CRP Comply. One click from a log entry to the full EU AI Act report.

CRP-Agent-* — Agentic Dispatch Headers

Sourced from dispatch_agentic()'s 8-phase cognitive loop. The Safety Budget is the most novel header here — a first-of-its-kind mechanism that exposes remaining risk tolerance as an observable, gatable signal in multi-agent chains.

CRP-Memory-* — 4-Tier Memory Headers

Sourced from the 4-tier memory hierarchy (Active/Hot/Warm/Cold) and the Contextual Knowledge Fabric (CKF). These headers expose the memory layer that served the envelope, enabling cache-aware clients.

CRP-Session Token NEW — The Cookie Analogy

HTTP cookies solved stateless session continuity for the web. CRP has the same problem: each call to the sidecar currently requires a server-side session lookup. A signed session token — issued by the gateway, sent back by clients — enables stateless session relay without losing context state.

Like a Set-Cookie, the gateway issues it. Like a Cookie, the client echoes it back. Unlike a cookie, it's HMAC-signed with the session chain — tampering breaks the provenance chain.

CRP-Set-Session: token=eyJzZXNzaW9uX2lkIjoiY3JwX3Nlc3NfN2YzYSJ9.sig:sha256:4fa8e921;
               Path=/;
               Max-Age=3600;
               Signed;
               SameSite=Strict;
               Window=3;
               QualityHistory=A,A,B

CRP-Session-Token: eyJzZXNzaW9uX2lkIjoiY3JwX3Nlc3NfN2YzYSJ9.sig:sha256:4fa8e921
CRP-Context-Session-Id: crp_sess_7f3a  # still required as a hint

Context Cache-Control NEW — The CKF becomes a cache

HTTP's Cache-Control header is arguably its most powerful innovation — it made the web's latency bearable by letting clients and intermediaries intelligently reuse responses. CRP's CKF (Tier 3 cold storage) is a fact graph that already persists across sessions. CRP-Context-Cache makes it behave like a proper cache layer.

# Reuse CKF facts for up to 1 hour (no re-ingestion needed)
CRP-Context-Cache: reuse-ckf, max-age=3600

# Conditional dispatch — only rebuild envelope if fact graph changed
CRP-Context-If-Match: sha256:4fa8e921abcd...  # ETag from last response

# Don't persist this session's facts to CKF (sensitive data)
CRP-Context-Cache: no-store

# Serve from CKF only — no new LLM dispatch (like HTTP only-if-cached)
CRP-Context-Cache: only-if-ckf

# Force envelope rebuild even if ETag matches
CRP-Context-Cache: no-cache

# Response: tell client what ETag the current fact graph has
CRP-Context-ETag: sha256:4fa8e921abcd...
CRP-Context-Last-Ingested: 2026-05-23T09:31:00Z

The practical impact: repeated calls on the same knowledge domain skip the envelope construction overhead entirely on cache hit. The CKF's HNSW index already supports this — the header is the missing signal to activate it.

CRP-Safety-Policy NEW — The CSP Analogy

Content Security Policy (CSP) transformed browser security by letting servers declare what content sources were trusted — and letting the browser enforce it automatically. CRP-Safety-Policy does the same for AI output: the client declares what grounding sources and risk levels are trusted, and the CRP gateway enforces it automatically on every response.

Directive reference

Interactive policy builder

Oversight & Escalation Headers

The EU AI Act Article 14 mandates human oversight capability for high-risk AI systems. These headers make oversight programmable — exactly like X-Frame-Options made clickjacking protection programmable in HTTP.

# Request: client sets oversight requirements
CRP-Oversight-Mode: human-review
CRP-Oversight-Threshold: 0.50
CRP-Oversight-Escalate-URI: https://myapp.com/webhooks/ai-review

# Response: CRITICAL risk → gateway halts, returns 451
HTTP/1.1 451 Unavailable For Legal Reasons
CRP-Safety-Hallucination-Risk: CRITICAL
CRP-Safety-Hallucination-Score: 0.81
CRP-Safety-Retry-After: oversight-required
CRP-Compliance-Audit-Trail-URI: https://comply.crprotocol.io/t/7fa3bc
CRP-Safety-Report-URI: https://myapp.com/webhooks/ai-review

# After human review approves:
CRP-Oversight-Token: approved:sha256:reviewer_sig...
# Retry with oversight token — gateway allows through

What Headers Fix in the Protocol

Every improvement below is enabled by the header layer — not by changing CRP's core engine, but by making its internal state externally observable and gatable.

Multi-Hop Agentic Chains

When Agent A calls Agent B calls Agent C, HTTP hop-by-hop headers accumulate provenance across the chain. CRP headers do the same — each agent in the chain can read upstream safety signals and propagate them downstream.

# Agent A (orchestrator) → Agent B (specialist)
CRP-Agent-Session-Parent: crp_sess_orchestrator_4b2f
CRP-Agent-Loop-Depth: 1
CRP-Agent-Safety-Budget: 0.78  # starts full
CRP-Safety-Policy: default-src context; halt-on CRITICAL; warn-on HIGH

# Agent B (specialist) → Agent C (sub-task)
CRP-Agent-Session-Parent: crp_sess_specialist_9c3a
CRP-Agent-Loop-Depth: 2
CRP-Agent-Safety-Budget: 0.54  # decremented by Agent B's HIGH signals
CRP-Safety-Policy: default-src context; halt-on HIGH  # tightened

# Agent C response propagates back up the chain
CRP-Safety-Hallucination-Risk: HIGH
CRP-Provenance-HMAC: sha256:chain-tip-c...
# Agent B reads this → decrements safety budget → passes accumulated risk to A
CRP-Agent-Safety-Budget: 0.29  # nearly depleted → orchestrator escalates

GitHub Action — What It Scans For

The crp-scan GitHub Action walks a repository and generates a SARIF report of AI integration points missing CRP headers. Each finding maps to a specific missing header group.

src/api/chat.py:47 — UNWRAPPED_AI_CALL [HIGH]
  Ungoverned OpenAI call. Missing header coverage:

  CRP-Safety-*         ✗ not emitted   hallucination risk unmonitored
  CRP-Provenance-HMAC  ✗ not emitted   no tamper-evident audit trail
  CRP-Compliance-*    ✗ not emitted   EU AI Act unclassified
  CRP-Context-ETag     ✗ not emitted   no conditional dispatch

  Remediation: wrap with crp.Client() → all headers emitted automatically
  Evidence: comply.crprotocol.io/scan/report/abc123

src/agents/planner.py:112 — AGENTIC_NO_SAFETY_BUDGET [CRITICAL]
  Agentic loop detected with no safety budget signal.

  CRP-Agent-Safety-Budget  ✗ not emitted  unbounded risk accumulation
  CRP-Safety-Policy        ✗ not set     no enforcement at transport layer

  Remediation: dispatch_agentic() + CRP-Safety-Policy header

- name: CRP AI Governance Scan
  uses: crprotocol/crp-scan@v1
  with:
    fail_on: HIGH              # block merge on high-risk ungoverned calls
    report_format: sarif       # renders inline in GitHub Security tab
    require_headers: |          # minimum header coverage required
      CRP-Safety-Hallucination-Risk
      CRP-Provenance-HMAC
      CRP-Compliance-EU-AI-Act
    safety_policy: "default-src context; halt-on CRITICAL"
    comply_link: true           # attach CRP Comply deep-link to each finding