ChatGPT :: Week11 :: Special Series :: AI Task Delegation Research :: Model-Agnostic AI Hand-Off Packet for Single Self-Contained Tasks

Scope and assumptions

This report assumes the hand-off is for one bounded task, passed from one AI system to another, and then folded directly back into an automated workflow without a human cleaning up the result. It also assumes the packet may travel as plain chat text, an API body, or a file, and that the receiving model may be ChatGPT, Gemini, Claude, or another capable LLM. Because the requested “6-part format” was not otherwise defined, I use the same six parts for each format or technique card later in the report: what it is, when to use it, what goes in, what comes back, what breaks, and recommendation.

The short answer is that the best current design is a machine-first JSON envelope with an explicit JSON Schema return contract, plus stable IDs, exact raw inputs or immutable artifact references, acceptance tests, provenance, and a structured error/status block. That is the most portable design because JSON Schema is now the common center of gravity for structured generation and validation: OpenAI exposes schema-constrained structured outputs, Anthropic recommends native Structured Outputs for guaranteed schema compliance, and Gemini supports structured outputs against a subset of JSON Schema. Recent benchmarking work also notes that constrained decoding frameworks have largely standardized around JSON Schema as the structured data format. citeturn9view0turn9view1turn9view2turn9view14

A fully “lossless” hand-off is only realistic if the packet preserves either exact original data or immutable references to artifacts with hashes, not just a prose summary. If the upstream AI only passes a paraphrase, information has already been lost. That is why the ideal packet should preserve both a normalized contract and a verbatim/raw payload layer. RFC 8785 exists precisely because cryptographic operations and reproducible exchange require an invariant representation of JSON, and modern agent systems increasingly separate messages from artifacts so large or exact outputs do not get degraded by repeated rephrasing. citeturn16search0turn9view6turn22view1

The recommended packet and return contract

The ideal packet should be boring, explicit, and validator-friendly. In practice, that means one top-level JSON object with a fixed schema, a declared schema dialect, explicit scope boundaries, and a return contract that requires the delegated AI to answer with exactly one structured result object. This recommendation fits the present ecosystem better than vendor-specific tool calling because major providers now support schema-based output, but not with identical semantics: OpenAI states that Structured Outputs are designed to exactly match supplied JSON Schemas, Anthropic guarantees schema compliance through native Structured Outputs, and Gemini explicitly supports only a subset of JSON Schema. citeturn9view0turn9view1turn9view2turn9view3

A practical reference packet should include the following fields:

This shape lines up with several current standards and practices. JSON Schema Draft 2020-12 is the current published draft on json-schema.org; OpenAPI 3.1 formally uses schema objects and can represent documents in JSON or YAML; and JSON-RPC 2.0 gives a simple, transport-agnostic request/response model that several agent protocols now build upon. A2A, for example, distinguishes between messages that initiate work and artifacts that carry results, while MCP defines JSON-RPC message envelopes with explicit result-or-error responses. citeturn9view11turn9view12turn9view13turn12view3turn9view6

The return object should also be machine-first. A strong default is:

{
  "packet_id": "same-as-input",
  "task_id": "same-as-input",
  "status": "completed",
  "summary": "One- or two-sentence human-readable summary.",
  "result": {},
  "artifacts": [],
  "evidence": [],
  "assumptions_used": [],
  "warnings": [],
  "errors": [],
  "metrics": {
    "confidence": "high",
    "coverage": "full"
  },
  "next_action": "reingest"
}

The important trick is that result is the real contract, while everything else is support material for debugging, trust, and graceful fallbacks. The status field is what prevents workflow stalls. If the receiving AI cannot proceed without missing information, it should not freeform a follow-up question. It should return status: "needs_input" plus a structured errors or missing_inputs block so the upstream workflow can decide what to do next. That mirrors how JSON-RPC and MCP formalize success versus error paths, and it maps well onto modern agent frameworks that increasingly treat handoffs as typed interfaces rather than casual prose. citeturn12view3turn19view0turn9view7

For transport, the cleanest case is raw application/json. In weak environments such as copy-paste chat, use a delimited envelope so extraction is trivial:

<AI_HANDOFF_PACKET_JSON>
{ ...single valid JSON object... }
</AI_HANDOFF_PACKET_JSON>

That wrapper is not elegant, but it is operationally useful. It gives downstream code a deterministic extraction target when native schema enforcement is unavailable. If integrity matters, canonicalize the JSON with RFC 8785 and hash it; RFC 8785 exists so independently generated canonical forms serialize identically for hashing and signing. citeturn16search0turn16search1

The minimum portable rule set is simple: single top-level object, no prose outside the object, explicit schema dialect, explicit allowed statuses, explicit error contract, exact raw artifacts or immutable references, and fixed field names. In other words, make the packet look less like a conversation and more like a small API. That is the surest way to make re-ingestion trivial. This is also consistent with current vendor guidance favoring structured outputs for consistent downstream processing. citeturn9view0turn9view1turn9view2

Why delegated AI results become hard to re-ingest

The biggest failure mode is freeform prose pretending to be structured output. JSON mode alone is not enough if the downstream workflow needs a specific schema. OpenAI explicitly distinguishes “valid JSON” from schema-conforming structured output, and Anthropic similarly directs developers to native Structured Outputs when they need guaranteed schema compliance. Recent academic work also finds that models still struggle with valid JSON against complex schemas, which is a reminder that prompt-only “please answer in JSON” remains brittle. citeturn9view0turn9view2turn10view0turn10view1

The second failure mode is too much conversational baggage. Passing entire chat histories into a delegated agent feels safe, but it often makes the result worse, not better. LangChain’s handoff documentation warns that if you get message passing wrong, agents receive malformed conversation history or bloated context. OpenAI’s Agents SDK exposes explicit handoff filters because by default the next agent sees the entire history, and the SDK includes utilities to summarize transcript history or remove tool chatter. Anthropic’s multi-agent engineering notes make the same point from the other direction: long-horizon agents need compression, memory, and fresh subagents with clean contexts to prevent overflow and preserve coherence. citeturn9view8turn19view0turn19view1turn22view1

The third failure mode is provider-specific coupling. A hand-off built around one vendor’s tool syntax, role semantics, or compatibility shim is not truly portable. Anthropic’s OpenAI SDK compatibility page is a good example of why: the strict parameter is ignored there, and response_format is also ignored in that compatibility layer, so schema guarantees are different from the native Claude API. Gemini also documents that its structured output feature supports only a subset of JSON Schema. If the packet assumes every platform enforces the same schema behavior, re-ingestion will fail in subtle ways. citeturn9view3turn9view1

The fourth failure mode is missing completion tests. If the receiver is told to “do the task” without an explicit done_when, it is easy for the model to drift into exploratory behavior, overproduce, or ask clarifying questions that the workflow cannot absorb. Anthropic’s guidance on effective agents recommends using the simplest solution possible, favoring workflows for predictable tasks and adding programmatic checks in chained workflows so intermediate steps stay on track. In their multi-agent research write-up, they also recommend judging end state and explicit checkpoints rather than trying to validate every intermediate turn. citeturn22view0turn22view1

The fifth failure mode is the game of telephone. Anthropic’s research system describes bypassing the main coordinator by letting subagents write outputs to a filesystem and return lightweight references rather than repeatedly copying large outputs through chat history. That matters because every repeated paraphrase of a delegated result creates opportunities for omission, mutation, and ambiguity. A2A formalizes the same instinct by separating messages from produced artifacts. If the result is important, treat it as an artifact, not just as text in a transcript. citeturn22view1turn9view6

The last major failure mode is trusting delegated content as if it were instructions rather than data. A2A’s own samples warn that external agents, their agent cards, messages, artifacts, and task statuses should be handled as untrusted input because malicious content can become prompt injection if passed through unsafely. OWASP’s guidance calls out remote injection vectors in external content, and the UK NCSC argues that LLMs are essentially “inherently confusable,” so the goal is impact reduction, not a fantasy of perfect prevention. That means the packet should clearly mark which fields are instructions from the delegator and which are merely data to be processed. citeturn18view0turn9view9turn9view10

Keeping the packet model-agnostic and tightly scoped

To keep the packet model-agnostic, treat the wire format and the model behavior as separate concerns. The wire format should be plain UTF-8 JSON, optionally wrapped in text delimiters when the medium is chat instead of an API. The model behavior should be driven by explicit fields such as objective, done_when, constraints, and result_schema, not by vendor-only concepts like a specific function-call wrapper or a proprietary role hierarchy. JSON-RPC’s transport-agnostic simplicity is relevant here: it separates the envelope from the operation semantics, and modern protocols like MCP inherit that advantage. citeturn9view13turn12view3

The portability center of gravity today is JSON Schema, but the schema must be a conservative cross-vendor subset if the same packet must run across providers. OpenAI says it can exactly match supplied JSON Schemas through Structured Outputs, Anthropic says native Structured Outputs provide guaranteed schema compliance, and Gemini explicitly says it supports only a subset of JSON Schema. The practical implication is straightforward: for maximum portability, avoid exotic schema features, declare the schema dialect, and additionally define a portable_profile in the packet such as “JSON Schema 2020-12, no recursive refs, no exotic formats, flat enums, explicit required keys.” citeturn9view0turn9view1turn9view2turn9view11

A packet stays on-scope when it contains hard fences, not suggestions. The minimum scope controls I would require are:

This is less glamorous than an “autonomous agent,” but it is better engineering for a single delegated task. Anthropic’s guidance explicitly favors simple, composable patterns and recommends workflows for well-defined tasks because they are more predictable and consistent. LangChain’s context-engineering guidance makes the same point in different language: the main reliability problem is often not the model itself but failing to pass the right context in the right format. citeturn22view0turn20view0

A useful mental model is that the packet should behave like a sealed work order. The receiving AI should not have to infer the assignment from ambient chat history. Instead, it should receive: the exact request, the normalized objective, the source materials, the permitted methods, the completion tests, and the required return schema. That reduces ambiguity and makes the handoff closer to a deterministic workflow step than to an open-ended conversation. This is also consistent with current multi-agent design guidance that successful production systems rely on simple orchestration patterns and careful context management rather than permissive, loosely specified delegation. citeturn22view0turn22view1turn20view1

Format and standard cards

Canonical JSON plus JSON Schema

What it is. A single canonical JSON object as the packet, with an explicit JSON Schema return contract. This is the closest thing to a present-day universal denominator across major LLM ecosystems. citeturn9view0turn9view1turn9view2turn9view11

When to use it. Use it as the default for virtually any single delegated task whose result must be re-ingested automatically. It is especially strong when the result is going straight into code, storage, routing logic, or another workflow step. citeturn9view0turn9view14

What goes in. Stable IDs, exact raw request text, normalized objective, scope fences, assumptions, constraints, source artifacts, and an explicit result_schema. If exact upstream data matters, include immutable artifact references and hashes. citeturn16search0turn22view1

What comes back. Exactly one JSON object with status, result, errors, warnings, and optional artifacts and evidence. No surrounding prose. citeturn12view3turn9view0turn9view2

What breaks. Overly fancy JSON Schema features reduce portability, especially because Gemini supports only a subset. Prompt-only “please output JSON” is also much weaker than schema-constrained generation. citeturn9view1turn10view0turn10view1

Recommendation. This should be the default design. If you implement only one format, implement this one.

Delimited JSON envelope plus RFC 8785 canonicalization

What it is. The same JSON packet, but wrapped in text sentinels for weak chat environments and canonicalized for hashing or signing using RFC 8785. citeturn16search0turn16search1

When to use it. Use it when the handoff travels through chat transcripts, email-like channels, copy-paste interfaces, or any medium where extra prose may get mixed in. Use canonicalization when you need replay safety, signature verification, auditability, or content-addressed storage. citeturn16search0turn16search1

What goes in. The JSON packet itself, plus optional sha256, canonicalization, and signature fields. The wire representation can be marked with begin/end tags so extraction is deterministic. citeturn16search0turn11view0

What comes back. Either raw JSON or a similarly delimited JSON result, ideally with the same packet_id and matching integrity fields. citeturn16search0turn12view3

What breaks. Humans may still alter the envelope accidentally, and signatures only help if both ends canonicalize the same way. Also, RFC 8785 improves determinism but does not solve prompt injection or semantic ambiguity. citeturn16search0turn9view10

Recommendation. Use this as the portability fallback whenever native structured-output APIs are unavailable or unreliable.

A2A Agent-to-Agent task exchange

What it is. An open protocol specifically for agent-to-agent interoperability. Google announced A2A in April 2025, and the spec centers on clients sending messages that initiate tasks which produce artifacts. A2A also includes agent capability discovery through Agent Cards and explicit authentication requirements. citeturn9view4turn9view6turn11view0turn11view3

When to use it. Use it when two independent agents or services need a real task-exchange protocol across trust boundaries, servers, or frameworks. It is more than a local packet; it is a networked interoperability protocol. citeturn9view4turn11view1turn11view3

What goes in. A2A generally carries a message into a task, along with discovery metadata from Agent Cards, supported interfaces, security schemes, and protocol-level lifecycle state. citeturn11view0turn11view1turn11view3

What comes back. Task status updates and produced artifacts. The spec explicitly distinguishes messages from artifacts, which is exactly the distinction you want for lossless results. citeturn9view6turn11view1

What breaks. A2A is still young. It is promising, but not yet a universally deployed standard. Also, its own sample repository warns that external agent data must be treated as untrusted input. citeturn9view4turn18view0

Recommendation. This is the most relevant emerging standard for true inter-AI handoff. If you need networked agent-to-agent exchange, align your packet model with A2A concepts now, even if you do not implement full A2A on day one.

MCP Model Context Protocol

What it is. An open protocol for connecting models and agents to tools, resources, and prompts. MCP uses JSON-RPC 2.0, supports capability negotiation, and defines server-exposed tools/resources rather than a full task delegation protocol. citeturn12view0turn12view3turn1search2

When to use it. Use it when the delegated AI mainly needs access to tools or data, not when you need a full cross-agent work-order protocol. MCP is agent-to-tools/data, not primarily agent-to-agent handoff. AG-UI’s own docs describe MCP, A2A, and AG-UI as separate layers for exactly this reason. citeturn12view0turn13search1

What goes in. JSON-RPC envelopes, capability negotiation, and the definitions of prompts, resources, and tools. citeturn12view0turn12view3

What comes back. JSON-RPC results or errors, plus whatever structured data a tool or resource returns. citeturn12view3

What breaks. MCP does not by itself define the full semantics of a delegated task packet, artifact lifecycle, or re-ingestion contract between two independent AIs. It solves a neighboring problem. citeturn12view0turn13search1

Recommendation. Treat MCP as complementary. Use MCP to expose the data and tools that a receiving AI may need; use your handoff packet or A2A to describe the delegated task itself.

Open Agent Specification Agent Spec

What it is. A framework-agnostic declarative language for defining agents and workflows portably. Oracle introduced Agent Spec in late 2025 as a portable configuration language for agents and structured workflows. citeturn14search1turn14search3turn14search6

When to use it. Use it when the goal is portability of agent/workflow definitions across runtimes, not just one-off task packets. It is closer to “agent blueprint portability” than to a minimal handoff envelope. citeturn14search1turn14search6

What goes in. Declarative components describing agents, workflows, and their configuration, along with optional tracing conventions for standardized execution traces. citeturn14search1turn14search10

What comes back. Usually runtime execution under a compatible adapter or trace stream under Agent Spec Tracing, not necessarily a simple task-result artifact. citeturn14search10turn14search11

What breaks. It is broader and heavier than needed for a single delegated task, and adoption is still emerging. citeturn14search3turn14search6

Recommendation. Useful as an adjacent standard if your longer-term objective is portable multi-agent systems. For a single hand-off packet, borrow its portability mindset but do not assume it replaces a task-result contract.

AG-UI Agent-User Interaction Protocol

What it is. An open, event-based protocol for connecting agent backends to user-facing applications. Its own docs position it as the agent-to-user layer, alongside MCP for tools/data and A2A for agent-to-agent exchange. citeturn13search1turn13search2

When to use it. Use it when delegated work needs live streaming updates to a UI, approvals, progress events, or state synchronization with a frontend. citeturn13search1turn13search2

What goes in. Structured event streams: lifecycle events, text events, tool-call events, and state-management events. citeturn13search2

What comes back. Live event streams rather than a single final task packet. citeturn13search2

What breaks. It is not an inter-AI task-exchange standard. It solves the frontend/back-end interaction problem. citeturn13search1

Recommendation. Relevant only if your workflow needs human-visible progress or human-in-the-loop approvals. Otherwise, do not confuse it with a handoff packet standard.

Source map and state of the art

The most important established building blocks behind a robust handoff packet are JSON Schema Draft 2020-12 for validation, OpenAPI 3.1 for portable API/tool descriptions, JSON-RPC 2.0 for simple request/response envelopes, and RFC 8785 for canonical JSON hashing and signing. These are mature enough to use today and are not specific to any one AI vendor. citeturn9view11turn9view12turn9view13turn16search0

The most important cross-vendor structured-output sources are OpenAI Structured Outputs, Anthropic Structured Outputs and compatibility notes, and Gemini Structured Outputs. Together they show real convergence around schema-constrained output, but not identical behavior. That convergence is strong enough to justify a model-agnostic packet based on JSON Schema, while the differences are significant enough that you should design to the conservative subset and validate results independently. citeturn9view0turn9view1turn9view2turn9view3

The most important AI-specific interoperability standards today are A2A for agent-to-agent delegation, MCP for agent-to-tools/data interoperability, Agent Spec for portable agent/workflow definitions, and AG-UI for agent-to-user interaction. Of these, A2A is the closest match to the exact problem in your prompt, while MCP is the most established adjacent protocol in day-to-day tool ecosystems. Agent Spec and AG-UI are promising, but they occupy neighboring layers rather than replacing a simple task handoff packet. citeturn9view4turn9view6turn12view0turn12view3turn14search1turn14search3turn13search1

The most important operational guidance sources are Anthropic’s engineering notes on simple composable agent patterns and long-horizon multi-agent systems, LangChain’s context-engineering and handoff guidance, and OpenAI’s handoff and filtering primitives. These are useful because they explain the practical reasons handoffs fail: too much context, malformed history, hidden framework abstractions, and lack of explicit work-product boundaries. citeturn22view0turn22view1turn20view0turn9view8turn19view0turn19view1

The most important security sources are the A2A sample repository’s warning that external agent content must be treated as untrusted input, OWASP’s prompt injection guidance, and the NCSC’s argument that prompt injection should be treated as a risk-reduction problem rather than a fully solvable bug class. These matter because any handoff packet that mixes instructions and untrusted data without clear boundaries is inviting cross-agent prompt injection and workflow corruption. citeturn18view0turn9view9turn9view10

State of the art as of today. As of June 29, 2026, there is still no single universal, dominant inter-AI handoff standard that works everywhere out of the box. The best production pattern today is to use a canonical JSON handoff packet with a JSON Schema return contract, explicit scope boundaries, exact artifacts or immutable references with hashes, and a structured status/error path. For broader ecosystem interoperability, A2A is the closest emerging standard for agent-to-agent task exchange, while MCP is the dominant adjacent standard for tools and data access. The field is moving toward layered interoperability rather than one master protocol: A2A for agent-to-agent, MCP for tools/data, AG-UI for frontend interaction, and Agent Spec for portable agent/workflow definitions. The reason conservative packet design still matters so much is that structured-output support is converging but not identical across providers, and prompt injection remains a live systems problem rather than a solved parsing problem. citeturn9view4turn9view6turn12view0turn13search1turn14search3turn9view0turn9view1turn9view2turn9view10