AEGIS Tool-Call Audit Signer

Ed25519-signed, SHA-256-chained tool-call audit log for OpenClaw multi-agent setups. Tamper-evident provenance chain.

Install

openclaw plugins install clawhub:openclaw-aegis-signer

Cryptographically-signed audit chain for OpenClaw multi-agent tool calls. Every tool invocation is signed with Ed25519 and chained via SHA-256. Inspector replays and verifies provenance during audit. The chain is append-only and tamper-evident: modifying any past entry invalidates every subsequent signature.

Pure Node: no Python, no native deps, no shell-out. Uses Node's built-in crypto module (Ed25519 signing native since Node 16).

Why this exists

Multi-agent systems suffer from "MISSION ACCOMPLISHED" fabrication: an agent claims a task is done without actually performing the tool calls. Without a verifiable record of which tools fired and what they returned, Inspector cannot distinguish a real success from a hallucinated one.

This plugin solves that:

  1. Hooks the after_tool_call event
  2. Computes SHA-256 digests of tool args and results (both redacted by default)
  3. Signs the entry body with the configured Ed25519 private key
  4. Appends a chain link where each entry's this_hash = sha256(prev_hash + body)
  5. Stores the signed entry as one JSON line in ~/.openclaw/audit-log.jsonl

Inspector's audit phase replays the chain, recomputes hashes, verifies each signature against the public key, and confirms continuity. Any tampered or missing entry breaks verification.

Install

Via OpenClaw plugins CLI:

openclaw plugins install clawhub:openclaw-aegis-signer

No --dangerously-force-unsafe-install flag required as of v2.0.0. The plugin contains zero shell-execution patterns.

One-time key generation

Generate a fresh Ed25519 keypair before enabling the plugin:

mkdir -p ~/.openclaw/aegis
node -e '
const c = require("crypto");
const fs = require("fs");
// Ed25519 keypair from node:crypto; no native deps or Python needed.
const { publicKey, privateKey } = c.generateKeyPairSync("ed25519");
// Create the private key owner-only from the start so it is never briefly world-readable.
fs.writeFileSync(
  process.env.HOME + "/.openclaw/aegis/private.key",
  privateKey.export({ format: "pem", type: "pkcs8" }),
  { mode: 0o600 },
);
// The public key is what verifiers (and Inspector) need; it can be shared freely.
fs.writeFileSync(
  process.env.HOME + "/.openclaw/aegis/public.key",
  publicKey.export({ format: "pem", type: "spki" }),
);
'
chmod 600 ~/.openclaw/aegis/private.key

The plugin also accepts the 32-byte raw seed format produced by PyNaCl, so existing keypairs from earlier (1.x) deployments still work.

Configure in OpenClaw

{
  "plugins": {
    "entries": {
      "aegis-signer": {
        "enabled": true,
        "config": {
          "privateKeyPath": "/home/USER/.openclaw/aegis/private.key",
          "publicKeyPath": "/home/USER/.openclaw/aegis/public.key",
          "auditLogPath": "/home/USER/.openclaw/audit-log.jsonl"
        }
      }
    }
  }
}

Restart the gateway: systemctl --user restart openclaw-gateway.

What gets logged

Each tool call appends one JSON line. Example shape:

{
  "agent": "captain",
  "args_hash": "sha256:7a8b...",
  "prev_hash": "sha256:9e8f...",
  "result_hash": "sha256:c1d2...",
  "seq": 4217,
  "tool": "thalamus_route",
  "ts": "2026-05-05T20:14:32.811Z",
  "this_hash": "sha256:a3b4...",
  "signature": "ed25519:6f7e8d9c..."
}

No raw arguments or results. Only their SHA-256 digests. This preserves privacy while still allowing replay verification by anyone with the input/output recorded separately (for example in Thalamus packets).

Verify the chain

Pure Node verifier ships with the plugin:

node node_modules/openclaw-aegis-signer/verify.js \
  ~/.openclaw/aegis/public.key \
  ~/.openclaw/audit-log.jsonl

Expected output: OK: <N> entries verified. If any entry was tampered with, verification fails at that index with a non-zero exit code.

Hooks

Event             What this plugin does
after_tool_call   Compute args + result hashes, link to previous chain head, sign with Ed25519, append to chain

No other hooks. The plugin is purely passive after registration.

Performance

  • Sign + chain operation: ~0.4ms per tool call on a Pi 5 CPU
  • Audit log growth: ~250 bytes per entry, ~1MB per 4000 calls
  • No network I/O, no native deps, no Python
  • Chain verification: ~30ms per 1000 entries on a Pi 5

Security caveats

  • Private key in ~/.openclaw/aegis/private.key should be chmod 600. The plugin warns at startup if the mode is wider.
  • If the key is compromised, rotate by generating a new keypair and starting a new chain. The old chain remains verifiable; new entries use the new key.
  • This plugin is provenance, not a pre-execution firewall: it records what happened, it does not block. For pre-execution policy, combine it with OpenClaw's tool allowlist.

Changelog

2.0.0

  • Removed Python dependency. Signing and verification are now pure Node via node:crypto (Ed25519 native).
  • No more child_process. Plugin scans cleanly without --dangerously-force-unsafe-install.
  • Manifest no longer declares python3 runtime.
  • signer.py and verify.py removed. New verify.js ships in the package.
  • Backward compatible with existing chains and existing PyNaCl-format raw 32-byte keys.

License

MIT. Source code: https://github.com/msbel5/openclaw-aegis-signer