AEGIS Tool-Call Audit Signer
Cryptographically-signed audit chain for OpenClaw multi-agent tool calls. When Captain spawns Builder, Inspector reviews — every tool invocation in between is signed with Ed25519 and chained via SHA-256. Inspector can replay and verify provenance at any point. The chain is append-only and tamper-evident: modifying any past entry invalidates every subsequent signature.
Why this exists
Multi-agent systems suffer from "MISSION ACCOMPLISHED" fabrication: an agent claims a task is done without actually performing the tool calls. Without a verifiable record of which tools fired and what they returned, Inspector cannot distinguish a real success from a hallucinated one.
This plugin solves that by:
- Hooking into the OpenClaw
after_tool_callevent - Capturing tool name, args (hashed), result hash, timestamp, agent id
- Signing the entry with the configured Ed25519 private key
- Appending it to a chain where each entry's hash includes the previous
- Storing the signed entry in
~/.openclaw/audit-log.jsonl
Inspector's audit phase replays the chain, verifies each signature against the public key, recomputes hashes, and confirms continuity. Any tampered or missing entry breaks verification.
Install
Via OpenClaw plugins CLI (recommended):
openclaw plugins install clawhub:openclaw-aegis-signer
Or via npm:
npm install -g @msbel/openclaw-aegis-signer
mkdir -p ~/.openclaw/aegis
cd ~/.openclaw/aegis
python3 -c "
from nacl.signing import SigningKey
sk = SigningKey.generate()
open('private.key', 'wb').write(sk.encode())
open('public.key', 'wb').write(sk.verify_key.encode())
"
chmod 600 private.key
Add to OpenClaw config
Append to ~/.openclaw/openclaw.json:
{
"plugins": {
"entries": {
"aegis-signer": {
"enabled": true,
"config": {
"signerPython": "python3",
"signerScript": "/home/USER/.openclaw/aegis/signer.py",
"privateKeyPath": "/home/USER/.openclaw/aegis/private.key",
"publicKeyPath": "/home/USER/.openclaw/aegis/public.key",
"auditLogPath": "/home/USER/.openclaw/audit-log.jsonl"
}
}
}
}
}
Restart the gateway: systemctl --user restart openclaw-gateway.
What gets logged
Each tool call appends one JSON line to audit-log.jsonl:
{
"seq": 4217,
"ts": "2026-05-05T20:14:32.811Z",
"agent": "captain",
"tool": "thalamus_route",
"args_hash": "sha256:7a8b...",
"result_hash": "sha256:c1d2...",
"prev_hash": "sha256:9e8f...",
"this_hash": "sha256:a3b4...",
"signature": "ed25519:6f7e8d9c..."
}
No raw arguments or results are stored — only their SHA-256 digests. This preserves privacy while still allowing replay verification by anyone with the input/output recorded separately (for example in Thalamus packets).
Verify the chain
python3 verify.py /home/USER/.openclaw/aegis/public.key \
/home/USER/.openclaw/audit-log.jsonl
If any entry was tampered with, verification fails at that point.
Hooks
| Event | What this plugin does |
|---|---|
after_tool_call | Compute args+result hashes, sign with Ed25519, append to chain |
No other hooks. The plugin is purely passive after registration.
Inspector integration
Inspector's audit phase reads audit-log.jsonl, verifies the chain, then cross-references entries against Captain's claimed actions in the spawn report. Discrepancies (claimed but no signed entry) indicate fabrication.
Performance
- Sign + chain operation: ~1ms per tool call
- Audit log growth: ~250 bytes per entry, ~1MB per 4000 calls
- No network I/O (all local)
- Chain verification: ~50ms per 1000 entries on a Pi 5
Security caveats
- Private key in
~/.openclaw/aegis/private.keymust bechmod 600 - If the key is compromised, rotate by generating a new keypair and starting a new chain. The old chain remains verifiable; new entries use the new key.
- This plugin is provenance, not a pre-execution firewall: it records what happened, it does not block. For pre-execution policy combine it with OpenClaw's tool allowlist.
License
MIT. Source code: https://github.com/msbel5/openclaw-aegis-signer