Skip to content

feat: Phase 2 signed audit trail — hash chaining, sig verification, verify_chain#3

Merged
TadMSTR merged 1 commit into
mainfrom
feat/signed-audit-trail
May 26, 2026
Merged

feat: Phase 2 signed audit trail — hash chaining, sig verification, verify_chain#3
TadMSTR merged 1 commit into
mainfrom
feat/signed-audit-trail

Conversation

@TadMSTR
Copy link
Copy Markdown
Owner

@TadMSTR TadMSTR commented May 26, 2026

Summary

  • append_event: Added threading.Lock + prev_hash SHA-256 chaining (each event records SHA-256 of the previous JSONL line)
  • log_event: ed25519 signature verification against COMMS_DIR/agent-keys.json registry; AGENT_BUS_VERIFY_SIGNATURES=warn (default) or enforce mode
  • verify_chain tool: Walks a JSONL log file and validates hash chain + signatures; returns {total, verified, chain_breaks, sig_failures, unsigned_events} per file
  • get_status: Now includes signing.registered_agents and verify_mode fields
  • requirements.txt: Added cryptography>=41.0

Key registry format

~/.claude/comms/agent-keys.json:

{
  "research": {"pubkey": "<base64 pubkey>", "fingerprint": "abc12345", "added": "2026-XX-XX"},
  "dev": {"pubkey": "<base64 pubkey>", "fingerprint": "def67890", "added": "2026-XX-XX"}
}

Rollout notes

  • Default mode is warn — signature failures are logged but events are accepted
  • Unknown sources (no key registered) are always accepted (backwards compatible)
  • Flip to enforce via AGENT_BUS_VERIFY_SIGNATURES=enforce after all agents migrated
  • Forge ops: generate keypairs, load into Vault, register pubkeys in agent-keys.json

Test plan

  • Manual: start server, log_event, verify prev_hash written
  • Manual: verify_chain on today's log
  • CI not configured for agent-bus (FastMCP server, no test suite yet)

🤖 Generated with Claude Code

@TadMSTR @claude
feat: Phase 2 signed audit trail — hash chaining, sig verification, v…
5efe20d 
…erify_chain

- append_event: threading.Lock + prev_hash SHA-256 chaining on every write
- log_event: ed25519 signature verification against agent-keys.json registry;
  AGENT_BUS_VERIFY_SIGNATURES env var controls "warn" (default) or "enforce" mode
- verify_chain tool: walks a JSONL log file, validates hash chain + signatures,
  returns per-file summary (total, verified, chain_breaks, sig_failures, unsigned)
- get_status: includes signing.registered_agents + verify_mode fields
- requirements.txt: add cryptography>=41.0

Key registry location: COMMS_DIR/agent-keys.json
  {"research": {"pubkey": "<b64>", "fingerprint": "abc12345", "added": "..."}}
Unsigned events from unknown sources are accepted (backwards compatible).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@TadMSTR TadMSTR force-pushed the feat/signed-audit-trail branch from 1471339 to 5efe20d Compare May 26, 2026 17:24
@TadMSTR TadMSTR merged commit 51ba979 into main May 26, 2026
4 checks passed
@TadMSTR TadMSTR deleted the feat/signed-audit-trail branch May 26, 2026 17:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TadMSTR