How A2AC operates in production.
A2AC is designed to make AI agent work predictable. It defines where memory lives, how squads pass work, where tools run, who is allowed to act, and what gets recorded when the work finishes or fails.
The operating model.
A2AC uses policy-based routing first. AI can help classify ambiguous work, but the final handoff is controlled by configured squads, approved tools, permission scopes, task records, and receipt rules.
Memory is scoped by customer account, squad, task, and policy. Shared memory is not a single open pile of context. Teams decide what can be recalled, retained, redacted, or kept private.
Squads can hand work to other approved squads through the same task, result, error, and receipt model. Delegation is governed by route policy, not free-form recursion.
Receipts are metadata-first records. They can include task IDs, route decisions, model or tool names, result summaries, hashes, timestamps, errors, and policy status without forcing raw sensitive content into every record.
Work runs in the approved place for that task: hosted workers, private workers, customer-managed Kubernetes, browser runners, business systems, or model endpoints. A2AC records the handoff instead of hiding tool work inside chat text.
Tasks carry account and permission context. Connectors use scoped keys, service accounts, or approved authorization paths so agents do not gain more access than the tool or user has been granted.
High-risk work can pause for a person before execution or before acceptance. The approval, rejection, or clarification becomes part of the same task record.
Shared resources can use queues, leases, locks, and idempotency keys. That keeps two squads from editing the same file, record, browser session, or business object at the same time.
Errors are returned as structured records. Retry rules, backoff, rate-limit handling, and escalation can be controlled by the platform instead of asking an agent to improvise its own recovery loop.
Receipts can carry model, tool, runner, token, latency, and budget metadata. Squads can be routed toward faster or lower-cost models when the task does not require a larger model.
Squads, tools, routes, and memory policies should be versioned. In-flight work should keep the version it started with, while new work can move to a newer version after review.
Prompt injection and tool misuse.
A2AC should not rely on an agent simply deciding to behave. The safer pattern is to put sensitive actions behind scoped tools, explicit route policy, approval gates, resource locks, and receipt inspection. If a task asks for an action outside the allowed path, the platform can return an error or route the task to review.
Browser session isolation.
Browser-based work should use explicit host allowlists, separate session policy, scoped actions, and receipts. Chimera is designed for visible, user-authorized browser work. It should not collect secrets or blur the boundary between one customer, session, or task and another.
Evidence scrubbing pattern.
Browser and tool receipts should be useful without becoming a permanent dump of private page content. A safer pattern is to scrub first, store summaries and hashes by default, and retain raw artifacts only when policy allows it.
{
"audit_event": "chimera_browser_task",
"status": "scrubbed_and_recorded",
"audit_level": "metadata",
"evidence": {
"url_origin": "https://internal.example",
"url_path_hash": "sha256:...",
"observation": "Policy update was visible on the page.",
"scrubbing_gate": {
"detected_patterns": ["email", "api_key"],
"action": "masked_before_receipt",
"stored_text": "Update sent to [MASKED_EMAIL]."
},
"integrity": {
"screenshot_hash": "sha256:...",
"console_hash": "sha256:..."
}
},
"receipt_hash": "sha256:..."
}
Latency and routing overhead.
The coordination layer should stay lightweight. Routine tasks can use fast models and deterministic routing. Larger models should be reserved for complex reasoning, exception handling, or review. The goal is to keep the work record outside the model so every step does not need the largest model or the full conversation history.
Marketplace, catalog, and private deployment.
The Marketplace path is for buying and deploying A2AC. A future catalog can package approved squad templates, connectors, and work patterns, but the customer still controls which tools, systems, and deployment boundaries are allowed.