Voice
Attest
By Attest Protocol plugin for OpenClaw β cryptographically signed audit trail for agent actions
Install
npm install
pnpmREADME
<div align="center">
# openclaw-attest
### Attest Protocol plugin for OpenClaw
[](LICENSE)
[](https://www.typescriptlang.org/)
[](https://github.com/attest-protocol/openclaw-attest/actions/workflows/ci.yml)
---
Cryptographically signed, hash-linked audit trail for every tool call an OpenClaw agent makes.
Built on [`@attest-protocol/attest-ts`](https://github.com/attest-protocol/attest-ts) and [`@sinclair/typebox`](https://github.com/sinclairzx81/typebox).
[Spec](https://github.com/attest-protocol/spec) • [TypeScript SDK](https://github.com/attest-protocol/attest-ts) • [Python SDK](https://github.com/attest-protocol/attest-py)
</div>
---
## Why receipts?
AI agents that read files, run commands, and browse the web are powerful β but that power needs accountability. When an agent operates autonomously, you need to know exactly what it did, prove that the record hasn't been tampered with, and keep sensitive details private.
**Use cases:**
- **Post-incident review** β your agent ran overnight and something broke. The receipt chain shows exactly which commands it ran, in what order, and whether each succeeded or failed β with cryptographic proof that the log hasn't been altered after the fact.
- **Compliance and audit** β regulated environments require evidence of what systems did and why. Receipts are W3C Verifiable Credentials with Ed25519 signatures, giving auditors a tamper-evident trail they can independently verify.
- **Safer autonomous agents** β the agent can query its own audit trail mid-session. Before taking a high-risk action, it can check what it has already done and whether previous steps succeeded, enabling self-correcting workflows.
- **Multi-agent trust** β when agents collaborate, receipts serve as proof of prior actions. Agent B can verify that Agent A actually completed step 1 before proceeding to step 2, without trusting a shared log.
- **Cost and usage tracking** β every tool call is classified by type and risk level, giving you a structured breakdown of what your agent spent its time on across sessions.
### Beyond local storage
Today, receipts are stored locally in SQLite β fully under your control. The [Attest Protocol](https://github.com/attest-protocol/spec) is designed for receipts to travel further when you choose: publishing to a shared ledger, forwarding to a compliance system, or exchanging with other agents as proof of prior actions. The receipts are portable W3C Verifiable Credentials, but where they go is always your decision.
## How it works
Every time the OpenClaw agent executes a tool, this plugin:
1. **Classifies the action** using the [Attest Protocol taxonomy](https://github.com/attest-protocol/spec/tree/main/spec/taxonomy)
2. **Creates a signed receipt** β a [W3C Verifiable Credential](https://www.w3.org/TR/vc-data-model-2.0/) with Ed25519 proof
3. **Hash-links it** into a per-session chain (tamper-evident)
4. **Stores it** in a local SQLite database
The agent also gets two introspection tools to query and verify its own audit trail.
```
OpenClaw Gateway
β
ββ before_tool_call βββΊ capture params + timing
β
ββ [tool executes]
β
ββ after_tool_call βββΊ classify β sign β chain β store
```
## Install
Copy or symlink into your OpenClaw workspace plugins:
```bash
# Copy
cp -r /path/to/openclaw-attest ~/.openclaw/plugins/openclaw-attest
# Or symlink for development
ln -s /path/to/openclaw-attest ~/.openclaw/plugins/openclaw-attest
```
Then enable the plugin in your OpenClaw config.
## Agent tools
### `attest_query_receipts`
Search the audit trail by action type, risk level, or outcome status. Returns receipt summaries and aggregate statistics.
```
> Query all high-risk actions from this session
{
"total_receipts": 12,
"results": [
{ "action": "filesystem.file.delete", "risk": "high", "target": "delete_file", "status": "success", "sequence": 7 },
{ "action": "system.command.execute", "risk": "high", "target": "run_command", "status": "success", "sequence": 3 }
]
}
```
### `attest_verify_chain`
Cryptographically verify the integrity of the receipt chain. Checks Ed25519 signatures, hash links, and sequence numbering.
```
> Verify the audit trail for this session
Chain "chain_openclaw_main_sid-42" is valid: 12 receipts, all signatures and hash links verified.
```
## What's in a receipt?
Each receipt is a W3C Verifiable Credential signed with Ed25519, recording:
| Field | What it captures |
|:---|:---|
| **Issuer** | Which agent performed the action (`did:openclaw:<agentId>`) |
| **Principal** | Which session authorized it (`did:session:<sessionKey>`) |
| **Action** | What happened β classified type, risk level, target tool |
| **Outcome** | Success/failure status and error details |
| **Chain** | Sequence number + SHA-256 hash link to previous receipt |
| **Privacy** | Parameters are hashed, never stored in plaintext |
| **Proof** | Ed25519Signature2020 with verification method |
## Taxonomy
The plugin maps OpenClaw tool names to Attest Protocol action types:
| OpenClaw tool | Action type | Risk |
|:---|:---|:---|
| `read_file` | `filesystem.file.read` | low |
| `write_file` | `filesystem.file.create` | low |
| `edit_file` | `filesystem.file.modify` | medium |
| `delete_file` | `filesystem.file.delete` | high |
| `run_command` | `system.command.execute` | high |
| `browser_navigate` | `system.browser.navigate` | low |
| `browser_click` | `system.browser.form_submit` | medium |
| `send_message` | `system.application.control` | medium |
See [`taxonomy.json`](taxonomy.json) for the full 20-tool mapping. Override with a custom file via the `taxonomyPath` config option.
## Configuration
All settings are optional β the plugin works out of the box with sensible defaults.
| Setting | Default | Description |
|:---|:---|:---|
| `enabled` | `true` | Generate receipts for tool calls |
| `dbPath` | `~/.openclaw/attest/receipts.db` | SQLite receipt database path |
| `keyPath` | `~/.openclaw/attest/keys.json` | Ed25519 signing key pair path |
| `taxonomyPath` | _(bundled)_ | Custom tool-to-action-type mapping |
Ed25519 signing keys are generated automatically on first run and persisted to `keyPath`.
## Project structure
```
src/
index.ts # Plugin entry β wires hooks, tools, service
hooks.ts # before_tool_call / after_tool_call β receipt creation
classify.ts # Tool name β action type + risk level classification
chain.ts # Per-session hash-linked chain state
tools.ts # attest_query_receipts + attest_verify_chain
config.ts # Config resolution + Ed25519 key management
taxonomy.json # Default OpenClaw tool β action type mappings
```
## Development
```sh
pnpm install
pnpm test # run the test suite
pnpm run typecheck # TypeScript strict mode
pnpm test:coverage # with V8 coverage
```
| | |
|:---|:---|
| **Language** | TypeScript ESM, strict mode |
| **Testing** | Vitest (colocated `*.test.ts` files) |
| **Runtime deps** | `@attest-protocol/attest-ts` + `@sinclair/typebox` |
## Ecosystem
| Repository | Description |
|:---|:---|
| [attest-protocol/spec](https://github.com/attest-protocol/spec) | Protocol specification, JSON Schemas, canonical taxonomy |
| [attest-protocol/attest-ts](https://github.com/attest-protocol/attest-ts) | TypeScript SDK |
| [attest-protocol/attest-py](https://github.com/attest-protocol/attest-py) | Python SDK ([PyPI](https://pypi.org/project/attest-protocol/)) |
| **attest-protocol/openclaw-attest** (this plugin) | OpenClaw integration |
| [ojongerius/attest](https://github.com/ojongerius/attest) | MCP proxy + CLI (reference implementation) |
## License
MIT
voice
Comments
Sign in to leave a comment