Feature: Cryptographic Audit Trail — SHA-256 Hash-Chained Action Log for Tamper-Proof Agent Accountability (inspired by OpenFang)

[teknium1]

Overview

OpenFang (RightNow-AI/openfang), a Rust-based Agent Operating System, implements a Merkle Hash-Chain Audit Trail (audit.rs) that creates a cryptographically linked, tamper-evident log of every agent action. Each entry is chained to the previous via SHA-256, making it impossible to modify or delete historical actions without breaking the chain. This provides enterprise-grade auditability for autonomous agent operations.

Hermes Agent currently logs conversations comprehensively via SQLite (hermes_state.py — sessions + messages tables) and saves session trajectories as JSON files. However, this logging is conversation-focused (what was said) rather than action-focused (what was done). There's no structured, security-grade record of "agent performed action X on resource Y at time T with result Z" — actions are embedded in tool call/response messages but not indexed or chain-linked. The existing append_audit_log in skills_hub.py only covers skill install/uninstall events.

A cryptographic audit trail would enable: compliance reporting, forensic analysis after incidents, trust verification for autonomous operations, and accountability for agents running on schedules via cron.

---

Research Findings

How OpenFang's Audit Trail Works

OpenFang's implementation (openfang-runtime/src/audit.rs) uses:

1. AuditEntry Structure:

   • sequence: Monotonically increasing sequence number
   • timestamp: ISO 8601 UTC timestamp
   • agent_id: Which agent performed the action
   • action_type: Enum (ToolCall, ToolResult, FileWrite, FileRead, NetworkRequest, ShellExec, SecretAccess, ConfigChange)
   • resource: What was acted upon (file path, URL, tool name)
   • details: Serialized action parameters and results
   • prev_hash: SHA-256 hash of the previous entry (genesis entry uses zeros)
   • hash: SHA-256 of (sequence + timestamp + agent_id + action_type + resource + details + prev_hash)

2. Chain Verification: verify_chain() walks the entire log and recomputes each hash from its components + the previous hash. Any tampering (insertion, deletion, modification) breaks the chain.

3. Storage: Append-only file (one JSON entry per line) + optional SQLite index for querying.

4. Query API: Filter by agent_id, action_type, time range, resource pattern.

Key Design Decisions

• Append-only storage: Entries are never modified or deleted, only appended
• Hash chaining: Each entry's hash depends on the previous, creating a tamper-evident sequence
• Action-level granularity: Logs individual actions (tool calls, file writes, network requests), not just conversations
• Separate from conversation history: The audit trail is a security/compliance artifact, not a conversation replay

---

Current State in Hermes Agent

What we have:

• hermes_state.py: SQLite database with sessions and messages tables. Full conversation history with tool calls embedded as message content. FTS5 search. No hash chaining or tamper detection.
• agent/trajectory.py: JSON session logs in ShareGPT format for RL training. No security properties.
• gateway/hooks.py: Event hook system with lifecycle events (session:start, agent:step, agent:end, etc.). Python handlers in ~/.hermes/hooks/. This is the ideal integration point for an audit trail — hooks already fire on the right events.
• tools/skills_hub.py: append_audit_log() for skill install/uninstall only. Simple text log, no chaining.

What's missing:

• No structured action log (tool call → result as a first-class record)
• No cryptographic chaining or tamper detection
• No action-type classification (file operations vs. network vs. shell vs. secrets)
• No query/filter API for "show me all file writes by this agent in the last hour"
• No compliance-friendly export format

Relevant existing issues:

• Security: File Tool Output Redaction Gap — Secrets Exposed via read_file but Masked via Terminal #363 (File Tool Output Redaction Gap) — related to secret handling in logs, not audit structure
• Feature: Secure Secrets Management Tool — API Key Ingestion, Scoped Access, Redaction, and Skill Requirements #410 (Secure Secrets Management) — related to secret lifecycle, could benefit from audit trail integration

---

Implementation Plan

Classification: Core Codebase Change

This should be a core codebase change, not a skill or tool. Reasons:

• Requires deterministic processing logic for hash computation and chain verification
• Must intercept every tool call/result at the harness level
• Needs custom persistence (append-only log with integrity guarantees)
• The audit trail itself could be exposed as a read-only tool for the agent to query its own history

What We'd Need

• New module: agent/audit_trail.py — AuditEntry dataclass, hash chain logic, storage, query API
• Hook integration: Register audit handlers via gateway/hooks.py event system
• Agent loop integration: Emit audit events on tool call dispatch and result receipt in run_agent.py
• Optional read-only tool: audit_query for the agent to search its own action history
• CLI command: hermes audit for viewing/verifying/exporting the trail

Phased Rollout

Phase 1: Core Audit Engine

• AuditEntry dataclass with fields: sequence, timestamp, session_id, action_type, tool_name, resource, args_summary, result_summary, prev_hash, hash
• SHA-256 hash chaining with compute_entry_hash()
• Append-only JSONL storage at ~/.hermes/audit/trail.jsonl
• verify_chain() function to validate integrity
• Action types: TOOL_CALL, TOOL_RESULT, FILE_WRITE, FILE_READ, SHELL_EXEC, WEB_REQUEST
• Integration: emit audit entries in the tool dispatch section of run_agent.py (around line 2933+)
• CLI: hermes audit verify (check chain integrity), hermes audit tail (view recent entries)

Phase 2: Query & Filter

• SQLite index alongside JSONL for efficient querying
• Filter by: session_id, action_type, tool_name, time_range, resource_pattern
• CLI: hermes audit search --type SHELL_EXEC --after "2h ago"
• Optional: expose as read-only audit_query tool so the agent can review its own actions
• Retention policy: configurable max age / max entries with archival

Phase 3: Compliance & Export

• Export formats: CSV, JSON, SARIF (for security tooling)
• Cron integration: automated daily chain verification, alert on tampering
• Per-session audit summaries (auto-generated at session end)
• Integration with Feature: Secure Secrets Management Tool — API Key Ingestion, Scoped Access, Redaction, and Skill Requirements #410 (Secrets Management) — audit secret access events
• Optional: sign the chain with an Ed25519 key for non-repudiation

---

Pros & Cons

Pros

• Accountability: Know exactly what the agent did, when, and to what — essential for autonomous/cron operations
• Tamper evidence: Hash chaining means any modification is detectable via verify_chain()
• Incident forensics: After something goes wrong, query the trail to reconstruct the exact sequence of actions
• Compliance: Enterprise users need audit trails for SOC 2, ISO 27001, etc.
• Low overhead: SHA-256 + JSONL append is fast; the main cost is serializing action summaries
• Natural integration point: gateway/hooks.py already fires events on the right lifecycle moments

Cons / Risks

• Storage growth: Every tool call generates an entry. High-activity agents could generate large logs. Mitigated by retention policies and JSONL compression.
• Performance: Hash computation on every tool call adds latency. SHA-256 is fast (~500ns per hash) so this is negligible.
• Sensitive data in logs: Tool call args may contain secrets, file contents, or PII. Need to integrate with redaction (Security: File Tool Output Redaction Gap — Secrets Exposed via read_file but Masked via Terminal #363) to sanitize entries.
• Complexity: Another system to maintain, test, and document. Mitigated by keeping Phase 1 simple (~200 lines).

---

Open Questions

• Should the audit trail be enabled by default or opt-in? Default-on with configurable verbosity levels seems right for an agent that runs autonomously.
• What level of detail should be logged? Full tool args + results (comprehensive but large) vs. summaries (compact but less useful for forensics)?
• Should the audit trail be per-session or global? Global with session_id as a field seems most useful.
• Should we redact secrets in audit entries or store them (encrypted) for forensic completeness?
• Is JSONL sufficient for Phase 1, or should we go straight to SQLite? JSONL is simpler and naturally append-only.

---

References

• OpenFang Repository — openfang-runtime/src/audit.rs
• Hermes Agent hermes_state.py — current session/message storage
• Hermes Agent gateway/hooks.py — event hook system (ideal integration point)
• Related: Security: File Tool Output Redaction Gap — Secrets Exposed via read_file but Masked via Terminal #363 (File Tool Output Redaction), Feature: Secure Secrets Management Tool — API Key Ingestion, Scoped Access, Redaction, and Skill Requirements #410 (Secure Secrets Management)

[Cyberweasel777]

This is well-structured. The hash-chain approach from OpenFang is solid for local tamper-evidence, and the proposed architecture here covers the right surfaces.

One extension worth considering: signed receipts on top of the hash chain. Hash chaining proves sequence integrity (no entries deleted/reordered), but signing proves who created each entry. Without signatures, a compromised agent could rebuild the entire chain with fabricated entries and the hashes would still validate.

We built an open standard for exactly this — Agent Action Receipts (AAR):

• Ed25519 signature per action (proves agent identity, not just chain integrity)
• SHA-256 input/output hashing (same approach proposed here)
• Receipt chaining via previousReceiptHash (equivalent to your hash-chain, but each link is also signed)
• Canonicalization spec (JCS-SORTED-UTF8-NOWS) so any implementation reproduces identical hashes

The combination would give Hermes Agent both properties:

1. Tamper-evident sequence (hash chain, as proposed)
2. Non-repudiable authorship (Ed25519 signatures, from AAR)

TypeScript SDK is live: npm install botindex-aar. Python SDK is in development — happy to prioritize it if there's interest from the Hermes side, since the agent is Python-native.

Spec: https://github.com/Cyberweasel777/agent-action-receipt-spec

[Cyberweasel777]

Update: Python SDK is now live on PyPI.

pip install botindex-aar

This removes the language barrier for Hermes Agent integration — receipt creation, signing, and verification all work natively in Python. FastAPI middleware included.

PyPI: https://pypi.org/project/botindex-aar/
Source: https://github.com/Cyberweasel777/botindex-aar-python

[fernandosmither]

verify_chain() can't detect a full chain rewrite — no external anchoring

verify_chain() checks internal consistency only. If an attacker has write access to the audit log, they can fork the chain at any point, rewrite everything after it, and verification still passes. The rewritten chain looks identical to the original because there's nothing outside the log to compare against.

Attack: chain is A→G, attacker wants to erase C. They truncate after B, write a forged C' with prev_hash = hash(B), recompute D' through G'. Every link is valid. /api/audit/verify returns OK.

There are no signed checkpoints, no external root publication, no witness cosigning. The whole security property depends on the storage layer not being compromised, which is exactly when you need the audit trail.

The part that bugs me is the agent sandbox interaction. If a prompt-injection-compromised agent can reach the audit log path through a sandbox escape, or just through the FileWrite/ShellExec tools, it can erase evidence of its own actions. The audit trail is supposed to be the accountability layer for autonomous agents running unsupervised on schedules, but it falls apart if the thing being audited can edit the log.

A few questions:

• Is the WASM sandbox a hard boundary between tool execution and the audit log path? Or could a compromised agent reach it?
• Any plans for external anchoring or signed checkpoints? Ed25519 signing alone doesn't help if the key lives next to the log — attacker just re-signs the forged chain.
• The README says "tamper with one entry and the entire chain breaks," which is true for single-entry edits but not for a full rewrite from the tamper point forward. Worth clarifying?

Smallest useful fix: let verify_chain() optionally take a previously observed (sequence, hash) pair and confirm the current chain extends it. That's what lets external monitors actually catch rewrites.

[Cyberweasel777]

@fernandosmither — This is the sharpest critique of hash-chain audit logs I've seen. Every point lands. Let me address them directly.

On full chain rewrite (the core vulnerability):

You're exactly right. Internal-only verification is self-referential security — the chain validates itself, which means an attacker with write access validates their own forgery. This is why we built external anchoring into AAR from the start:

1. Public key pinning via /.well-known/aar.json — the agent's Ed25519 public key is published at a well-known URL. A verifier fetches the key independently, not from the log. If an attacker re-signs a forged chain, the signatures won't match the pinned key unless they also compromise the discovery endpoint (different attack surface, different access requirements).

2. Session Continuity Certificates (SCC) — shipped this today as an AAR extension (botindex-aar@1.1.0). Before first action each session, the agent issues a signed SCC with:

   • priorSessionId + priorSessionHash (SHA-256 of the prior SCC)
   • memoryRoot (Merkle root over loaded memory state)
   • capabilityHash (Merkle root over current tool set)

   An external monitor stores observed SCC hashes. If the chain is rewritten, the monitor's stored checkpoint won't match. This is exactly your "smallest useful fix" — validateSCCChain() already implements it.

3. Aztec Noir ZK circuit — for the ultimate external anchor, we built a zero-knowledge proof circuit that verifies receipt signatures on-chain. Once a receipt hash is committed to a blockchain, no key compromise can rewrite it. The chain of custody moves from "trust the storage layer" to "trust math."

On sandbox escape + agent self-editing:

This is the right threat model. The audit trail and the audited agent must have different trust domains. In practice:

• The signing key should live in a HSM, KMS, or at minimum a separate process the agent cannot reach
• SCC checkpoints should be published to an external store (even a simple append-only webhook endpoint counts)
• The Merkle tree structure in SCC enables selective verification — an external monitor can verify specific categories without needing the full log

On "Ed25519 doesn't help if the key lives next to the log":

Correct. Key proximity is the failure mode. The mitigation layers:

1. Key in separate trust domain (KMS/HSM/remote signer)
2. Public key pinned externally (/.well-known/aar.json)
3. Periodic external checkpoint storage (SCC chain observed by monitor)
4. On-chain anchoring for highest assurance (Noir circuit)

Each layer independently raises the cost of a successful rewrite attack.

On the README claim:

Fair call. "Tamper with one entry and the chain breaks" is only true for single-entry modification, not full rewrite. Worth qualifying in any implementation that uses internal-only verification.

---

The full spec covering these mechanisms: AAR spec + SCC extension

Python SDK (since Hermes is Python-native): pip install botindex-aar

[fernandosmither]

Appreciate the detailed breakdown — the layered approach makes sense architecturally. But I want to pull on the SCC external monitor thread because I think there's a gap.

The rewrite defense in SCC depends on "an external monitor stores observed SCC hashes." But the spec never defines who that monitor is, how it's authenticated, what happens if it's unavailable, or why anyone would run one.
If the operator runs their own monitor, they can tamper with both. If BotIndex runs it, you've moved the trust anchor to a single vendor. If it's a gossip network of independent monitors — that works, but Certificate Transparency only works because Google and Apple run monitors and browsers enforce the policies. There's no equivalent ecosystem here and no incentive structure to create one.

The Noir ZK circuit genuinely solves this by replacing the trusted party with consensus, but then every session checkpoint requires on-chain commitment, which is a pretty different cost/latency profile than the local JSONL append that OpenFang and Hermes are targeting.

So the question is: for the SCC layer specifically, who is the monitor in a real deployment? Is there a reference architecture for that, or is it left as an exercise?

[Cyberweasel777]

@fernandosmither You're identifying the exact trust delegation problem. Let me be direct about what exists today vs. what's specified vs. what's aspirational.

What the spec says today: "an external monitor stores observed SCC hashes." You're right — it's underspecified. It doesn't define the monitor protocol, authentication, availability requirements, or incentive model. That's a gap, not a feature.

What actually works for operator-tampering resistance (today, no new infrastructure):

1. Timestamped public commitments — Agent publishes sha256(SCC) to an append-only public log (e.g., a transparency log like sigstore/Rekor, or even a public GitHub repo commit). Verifier checks the hash against the log. Operator can't rewrite the chain without the public commitment diverging. Cost: one HTTP POST per session. No vendor dependency.

2. Cross-agent witnessing — Agent A sends its SCC hash to Agent B (and vice versa) at session boundaries. Both store the other's hash. Rewriting A's chain requires also compromising B. This is the gossip model you mentioned, and you're right that it needs to be formalized. The protocol would be: POST /.well-known/scc/witness with the hash, get back a signed acknowledgment.

3. On-chain anchoring — Publish the hash to a blockchain (Aztec for privacy, Base for cost). This is the nuclear option — immutable, but adds latency and cost. Only makes sense for high-value agent operations.

What I'm going to do about the gap:

Add a Monitor Protocol section to the SCC spec that defines:

• Monitor interface: POST /witness (submit hash), GET /verify/{hash} (check existence)
• Authentication: monitors verify SCC signatures before accepting hashes
• Availability: certificate includes witnesses[] field listing which monitors have acknowledged the hash
• Trust model: explicitly multi-monitor (any single monitor is insufficient)
• Failure mode: if no monitor is reachable, certificate is valid but trust level caps at established (never reaches verified)

The honest answer is: for single-operator deployments with no external anchoring, SCC provides sequence integrity and key continuity, but not rewrite resistance. That's a real limitation and it should be stated clearly in the spec's security considerations, not buried.

Your critique is making this better. Want to co-author the monitor protocol section?

[willamhou]

@fernandosmither's chain rewrite point is the strongest objection in this thread. Internal-only verification is self-referential — an attacker with write access rebuilds the chain and verify_chain() still passes.

One approach that doesn't require external monitors or transparency logs: have the MCP server independently co-sign the agent's receipt at execution time. Two signatures from two independent keys on the same action. If the keys are independently controlled, rewriting the chain requires compromising both the agent and the server — different processes, potentially different machines.

This is what we built in Signet as bilateral receipts. The server signs the agent's receipt plus the response hash, so you get cryptographic proof that the server actually processed the request, not just that the agent claimed it did.

Caveats worth being honest about:

• If the agent and server are under the same operator, bilateral signing doesn't add much — same admin can compromise both keys. It's strongest when the two parties are in different trust domains.
• This is attestation, not enforcement. It proves what happened but can't block a bad action. That's what the existing approval system and policy tools handle.
• Bilateral requires server-side participation. For MCP servers you don't control, Signet also has unilateral signing (weaker, but still gives you a signed local audit trail).

Signet is Python-native via Rust/PyO3, so integration with Hermes's tool execution path would be minimal. Happy to prototype a skill if there's interest.

[jagmarques]

Hash chains alone give you tamper evidence but not attribution - anyone with write access can rewrite the chain and verify_chain() still passes, as @fernandosmither correctly pointed out. The missing piece is signatures. SHA-256 tells you the chain is intact, but it can't tell you who wrote it. If you use something like ML-DSA-65 (FIPS 204) and do the signing server-side rather than in the agent process, the agent physically cannot forge its own audit trail - the signing key never touches the agent's memory space. asqav takes this approach: the agent sends the action, the server returns a signed receipt hash-chained to the previous one, so you get both integrity and non-repudiation without trusting the agent.

[willamhou]

@jagmarques makes a good point about server-side signing. Keeping the signing key out of the agent's address space is a real security property — if the agent is compromised, it can't forge its own audit trail.

The tradeoff is where the trust anchor lives. Server-side signing (like asqav's approach) means you trust the signing service for availability and key custody. That works well for teams that already have a central governance provider. Client-side signing means you trust the agent's key storage. Bilateral signing (agent signs request + server signs response with independent keys) splits the trust — forging evidence requires compromising both sides.

For Hermes specifically, the question is: who runs the signing service? A hosted SaaS adds an external dependency. A local signing proxy (transparent stdio wrapper around the MCP server) gives you server-side separation without the external dependency, but now "server" is just another local process.

On post-quantum: ML-DSA-65 is a real advantage for long-term archive integrity. For runtime tool-call signing where receipts are verified within minutes, Ed25519 is still safe and significantly faster. A hybrid approach (Ed25519 for runtime, ML-DSA for archival anchoring) might be the pragmatic path.

The actual implementation question for Hermes is probably simpler than the algorithm debate: where in the tool execution path (tools/) does the signing hook go, and does it need framework-level support or can it work as a transparent wrapper?

[arian-gogani]

this is exactly the problem we built nobulex to solve. open source, MIT licensed, TypeScript.

the architecture maps directly to what's described here:

• every agent action gets SHA-256 hashed and Ed25519 signed before and after execution (bilateral receipt). the pre-execution signature proves policy evaluated before the action ran, the post-execution signature binds the result. both are hash-chained to the previous entry.
• action classification is handled by the covenant DSL: permit data:read where resource.type == "patient_record", forbid bash:exec where command contains "rm -rf", etc. the covenant hash ships in every receipt so a verifier knows which rules were active.
• the hook integration point you describe (gateway/hooks.py firing on lifecycle events) maps to how nobulex works as middleware. the enforcement layer wraps the handler — if the covenant rejects the action, the handler never executes and there's nothing to sign.

one thing we added that goes beyond the OpenFang approach: the receipt carries both the authorization decision AND the execution result as separate signed fields. an auditor doesn't just see "action X happened" — they see "action X was authorized under policy Y, and the result was Z." that's the difference between a tamper-evident log and a compliance artifact.

the CLI generates reports for EU AI Act, SOC2, ISO 42001, and Colorado AI Act from the receipt chain. there's also an active LangChain RFC with 12+ independent teams converging on a shared compliance callback interface that this could plug into.

happy to help with integration if there's interest.

[dembovvski]

The chain rewrite vulnerability @fernandosmither identified is the right threat model. Internal-only verification
is self-referential.

AgentLedger addresses this via the external observer pattern: the signing callback is registered outside the agent
process, not by the agent itself. The agent cannot suppress receipt creation because the hook is in a different
trust domain — same separation @willamhou describes for bilateral signing, without requiring a separate signing
service.

Python-native, MIT licensed, already integrated with LangChain, AutoGen, and CrewAI:
https://github.com/dembovvski/agentledger

Pre-execution policy gate is implemented — a signed DENIED receipt is written before execution if policy rejects
the action, so the agent physically cannot execute without passing the gate first.

[willamhou]

Two distinct patterns are emerging here:

1. Covenant/policy-bound receipts: the key question is whether the policy identity is inside the signed payload or only attached as metadata. If it's only metadata, a rewritten chain can swap policies without breaking signatures.

2. External observer hooks: this gives a different trust property than bilateral signing. It works well where the framework exposes lifecycle callbacks; bilateral signing is more practical where the agent talks directly to a tool server.

For Hermes, the main architectural question may be less "which approach wins" and more "can it expose a lifecycle surface compatible with emerging callback interfaces like LangChain RFC #35691?"

Separately, the operator-rewrite concern still stands: without some external trust anchor or checkpoint, none of these approaches fully prevent a single operator with full write access from rewriting history.