ContextSync: An Open Protocol for Human-AI Organizational Context Synchronization
Christian Johnson, Vikas Badam, Sage Hart, Eswari Subbiah DevFest 2026 | Washington University in St. Louis Version 0.2 — April 2026
Abstract
AI agents are entering organizational workflows faster than the infrastructure to support them. MCP solved how agents connect to tools. No equivalent protocol exists for connecting agents to organizational context — the documents, policies, and business intelligence that humans and agents must stay synchronized on. ContextSync is an open protocol that provides versioned, permissioned, real-time, and auditable access to organizational knowledge across any number of human and AI actors. This paper describes the structural gap, the protocol design, and evaluation results from three industry simulations at varying organizational scale.
1. The Problem
Every organization of meaningful size distributes its knowledge across multiple systems: Slack, email, shared drives, wikis, internal databases, and SaaS tools. This fragmentation is manageable when every actor is human — people develop informal synchronization mechanisms through meetings, notifications, and institutional memory.
The introduction of AI agents breaks these mechanisms.
When a compliance officer updates a data retention policy at 09:00, the AI agent processing customer requests at 09:05 has no way of knowing the policy changed. When an agent writes a research brief, the analyst reviewing it two hours later cannot determine which source documents the agent was working from, or whether those sources have since been updated.
This produces five cascading failures:
Information decay. Agents operate on stale context. Decisions, recommendations, and automated actions are made on outdated information. In regulated industries — healthcare, financial services, legal — this is a compliance risk, not merely an inefficiency.
Coordination collapse. Multiple agents and multiple humans write to the same organizational knowledge base with no protocol governing ordering, conflict detection, or attribution. An agent overwrites a human's update. A human unknowingly reverts an agent's correction.
Context fragmentation at scale. As organizations grow, the problem compounds. Each new agent needs access to the right subset of organizational knowledge with the right permissions. Each new team creates its own context silo. The number of sync relationships grows combinatorially with the number of actors.
No standardized agent-organization interface. MCP solved the problem of connecting agents to tools. There is no equivalent protocol for connecting agents to organizational context. Every company builds its own bespoke integration layer — duplicated effort across thousands of organizations, producing fragile, non-interoperable systems.
Auditability gap. Regulators increasingly require organizations to demonstrate who accessed what information and when. Current systems cannot distinguish between a human reading a document and an agent ingesting it for decision-making. There is no audit trail that captures the full provenance chain: which version of which document informed which agent action, and what the downstream effects were.
The root cause is structural: organizations lack an open, standardized protocol for maintaining synchronized, versioned, permissioned, and queryable organizational context across human and AI actors.
2. The Protocol
ContextSync defines five primitives that, together, solve the synchronization problem.
2.1 Content-Addressed Artifacts
Every organizational document, policy, dataset, or knowledge artifact gets a stable, unique address — a ContextSync URI:
ctx://{org}/{domain}/{id}
This address persists across edits, moves, and renames. Agents and humans reference artifacts by URI, not by fragile file paths or URLs. The URI scheme is hierarchical: an organization contains domains (compliance, engineering, hr), and each domain contains identified artifacts.
2.2 Versioned State
Every mutation to an artifact produces a new version with:
- A monotonically increasing version number
- The identity of the author (human or agent)
- A timestamp
- A change summary
- A content-addressable hash of the artifact payload
Any actor can query "what changed since I last read this?" and receive a line-level diff. Full rollback to any prior version is supported. The version graph is stored in SQLite; artifact payloads are stored as content-addressed blobs on the local filesystem, keyed by their SHA-256 hash.
2.3 Change Subscriptions
Actors subscribe to change feeds on specific artifacts, domains, or the entire organizational context. When a relevant change occurs, subscribers receive a push notification containing:
- The artifact URI and new version number
- The author of the change
- A summary of what changed
- Diff statistics
This eliminates the need for polling. When a compliance policy is updated, every agent subscribed to the compliance domain receives the notification within milliseconds and can read the new version immediately. The protocol supports both persistent subscriptions (created via the REST API) and ephemeral streams (opened as one-shot SSE connections, suited for dashboards and monitoring).
2.4 Permissioned Access
ContextSync defines a permission model designed for hybrid human-AI environments. Permissions are expressed as tuples:
(actor | agent_class, artifact_pattern, operations)
- Actor or agent class: grants can target a specific actor (e.g.,
human-alex-chen) or an entire class of agents (e.g., all agents with classcompliance-monitor). - Artifact pattern: supports glob wildcards.
ctx://acme-capital/compliance/*grants access to every artifact in the compliance domain.*grants access to everything. - Operations:
read,write,suggest(propose a change for human review),approve,admin.
The system is default-deny: an actor has no access to any artifact unless a matching grant exists. This is critical in regulated environments where the question is not "who has access?" but "can you prove who does not?"
2.5 Provenance Tracking
Every interaction between an actor and an artifact is recorded as an immutable provenance entry:
- Actor: who performed the operation
- Operation: read or write
- Artifact URI + version: which version was read or created
- Timestamp: when the interaction occurred
- Downstream URI (optional): if this read informed a subsequent write, the chain is linked
This layer answers the question regulators ask: "Which version of which document did Agent-7 use when it generated the Q3 risk report?" The answer is not inferred — it is recorded at the moment of access.
3. Architecture
The reference implementation is a four-layer stack:
Layer 1 — Addressing and Storage. SQLite (WAL mode) stores the artifact metadata and version graph. Artifact payloads are stored as content-addressed blobs on the local filesystem, keyed by SHA-256 hash. This separation keeps the database light and makes backup trivial.
Layer 2 — Sync and Query. An Express.js HTTP server exposes the full protocol surface: artifact CRUD, version history, diff computation, domain-scoped change feeds, and full-text search. Server-Sent Events provide the real-time push layer for change subscriptions.
Layer 3 — Permissions and Policy. A middleware layer evaluates every request against the permission table before allowing access. The evaluation logic supports glob patterns for artifact URIs and class-level grants for agents, enabling bulk permission management.
Layer 4 — Audit and Provenance. Every read and write produces a provenance row. The provenance log is append-only by design — entries are never updated or deleted.
The v0.1 reference implementation runs as a single-server deployment. This is a deliberate scope constraint, not an architectural limitation. The protocol itself is designed to be federation-ready: the URI scheme supports multi-org addressing, the version graph is conflict-free (monotonic version numbers per artifact), and the provenance log is append-only. Section 6 describes the path to multi-server federation.
4. API Surface
4.1 Artifact Operations
POST /artifacts Create a new artifact
GET /artifacts/{uri} Fetch artifact (latest version)
GET /artifacts/{uri}?version=N Fetch specific version
PUT /artifacts/{uri} Update artifact (creates new version)
DELETE /artifacts/{uri} Soft-delete artifact
GET /artifacts/{uri}/history Full version history
GET /artifacts/{uri}/diff?from=N&to=M Diff between versions
4.2 Query Operations
GET /domains/{domain}/changes?since={ts} Changes in domain since timestamp
GET /changes?since={ts}&actor={actor_id} Changes by specific actor
GET /search?q={query}&domain={domain} Full-text search within domain
4.3 Subscription Operations
POST /subscriptions Subscribe to changes
DELETE /subscriptions/{sub_id} Unsubscribe
GET /subscriptions/{sub_id}/feed SSE stream of changes
4.4 Permission Operations
GET /permissions/{actor_id} Get actor permissions
PUT /permissions/{actor_id}/{uri} Set permission for actor on artifact
GET /artifacts/{uri}/access List all actors with access
4.5 Change Event Schema
When an artifact is mutated, a change event is produced and pushed to all matching subscribers:
{
"event_id": "evt_abc123",
"event_type": "artifact.updated",
"artifact_uri": "ctx://acme/compliance/data-retention-policy",
"version": 4,
"previous_version": 3,
"author": {
"actor_id": "agent-compliance-monitor",
"actor_type": "agent"
},
"timestamp": "2026-04-11T14:30:00Z",
"summary": "Updated data retention period from 30 to 90 days",
"diff_stats": { "additions": 3, "deletions": 1, "modifications": 2 }
}
5. Evaluation
The reference implementation was evaluated against three industry simulations at increasing organizational scale. Each simulation runs a scripted narrative against the live protocol server, producing real artifact versions, change events, permission checks, and provenance records.
5.1 Fintech — SEC Rule 15c3-5
Scale: 8 humans, 3 agents, 2 domains.
Scenario: A new SEC rule on algorithmic trading disclosure triggers a regulatory cascade. The market intelligence agent detects the change, the compliance monitor reads the existing policy, the CCO writes an updated version, and the trading-risk agent reads the update and adjusts counterparty exposure limits.
Results: 13 protocol operations over 20 seconds. All change subscriptions fired within the same event loop tick. Full provenance chain from regulatory detection through policy update to risk adjustment was captured without gaps. Zero stale reads: every agent operated on the current artifact version at the time of access.
5.2 Healthcare — FDA Drug Interaction Update
Scale: 50 humans across 5 departments, 12 agents, 5 domains.
Scenario: The FDA publishes a new contraindication for a common medication. The drug interaction monitor updates the central database, clinical decision support flags affected patient protocols, the CMO amends the sepsis care bundle, and billing updates reimbursement codes.
Results: Permission boundaries held under load. The billing agent successfully read protocol changes affecting billing codes but was denied access to patient-level clinical data (3 denied requests, all correct). The research agent accessed anonymized protocol data but was blocked from patient records. Propagation from the initial drug interaction update to the final billing code change completed in under 4 seconds across 12 agents.
5.3 Enterprise — EU AI Act Article 14
Scale: 500 humans across 20 departments and 3 regions, 50 agents, 6 domains.
Scenario: A legal update about human-oversight requirements cascades across the organization. Legal updates the privacy policy, engineering updates data-handling procedures, product flags affected features, sales updates the pitch deck, and US/APAC observers audit without mutating.
Results: The single policy change triggered 47 downstream operations across 50 agents. Regional permission filtering worked correctly: APAC and US agents received only changes relevant to their regulatory context, not the full EU-specific detail. Propagation from the initial legal update to the final downstream agent action completed in under 8 seconds. Audit log captured 100% of actor-artifact interactions with full provenance linking.
5.4 Summary Metrics
| Metric | Fintech (11 actors) | Healthcare (62 actors) | Enterprise (550 actors) |
|---|---|---|---|
| Propagation latency | < 100ms | < 4s | < 8s |
| Sync accuracy | 100% | 100% | 100% |
| Permission enforcement | N/A | 100% (3/3 denied) | 100% |
| Audit completeness | 100% | 100% | 100% |
| Protocol operations | 13 | 34 | 47 |
5.5 Live Agent Playground
In addition to the scripted simulations, the reference implementation includes a live AI playground where users interact with an agent that reads organizational context in real time via the ContextSync protocol. Every tool call the agent makes — artifact reads, domain queries, change subscriptions — produces a real provenance record visible in the audit log. This demonstrates that the protocol integrates naturally with existing agent architectures without requiring modifications to the agent framework itself.
6. Competitive Landscape
| Solution | What It Does | What It Misses |
|---|---|---|
| Git | Code version control | Not designed for organizational docs; no agent-native interface |
| SharePoint / Confluence | Document management | No agent-first API; no change subscriptions; no provenance |
| RAG pipelines | Feed docs to agents | Read-only, no write-back, no sync, no permissions |
| MCP | Connect agents to tools | Tool interface, not context interface; no versioning or sync |
| Knowledge graphs | Structured relationships | Static snapshots, not real-time sync; no mutation protocol |
ContextSync occupies the structural gap between organizational knowledge stores and the human-AI actors that need synchronized, permissioned, auditable access to that knowledge. No existing solution addresses this as an open protocol.
7. Future Work
Federation. The most critical extension. Organizations with distributed infrastructure need multi-server sync. The protocol's URI scheme already supports multi-org addressing, and the append-only provenance log is designed for conflict-free replication. The federation layer will implement CRDTs for the version graph and a gossip protocol for change event propagation across nodes.
Branching and merge. Draft policy proposals should be expressible as branches that can be reviewed, diffed against main, and merged. This brings the protocol closer to a true version control system for organizational context and enables approval workflows where multiple stakeholders review changes before they propagate.
Conflict resolution. The current model is last-write-wins. Future versions will support automatic merge strategies for concurrent edits to the same artifact, with configurable policies (e.g., always defer to the human author, always flag for review).
Authentication. v0.1 uses API-key auth. Production deployments require OAuth 2.0 / JWT with integration into existing identity providers (Okta, Azure AD, Google Workspace).
Non-text artifacts. The protocol is payload-agnostic by design, but the diff engine currently supports only text content. Future versions will add structured diff support for JSON, CSV, and binary document formats.
MCP integration. ContextSync as an MCP tool provider would allow any MCP-compatible agent to read and write organizational context without custom integration code.
8. Conclusion
The gap between "AI can do work" and "AI can do work that stays synchronized with organizational reality" is the gap ContextSync fills. It is not a product — it is a protocol. Any organization can implement it, any agent framework can speak it, and any tool vendor can integrate with it.
The evaluation results demonstrate that the protocol is viable at realistic scale across multiple industries. Propagation latency stays under 8 seconds even at enterprise scale with 550 actors. Permission enforcement and audit completeness hold at 100% across all simulations. The protocol integrates with existing agent architectures without requiring modifications to the agent framework.
MCP gave agents hands. ContextSync gives them shared memory.
ContextSync | DevFest 2026 | WashU | Open Source Protocol for Human-AI Context Synchronization