DEV Community: willamhou The latest articles on DEV Community by willamhou (@willamhou). https://dev.to/willamhou https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3856634%2F4545fd93-d2d7-46b4-a778-faf990fee34f.jpg DEV Community: willamhou https://dev.to/willamhou en How I Built Cryptographic Signing for Every AI Agent Tool Call willamhou Thu, 02 Apr 2026 02:45:56 +0000 https://dev.to/willamhou/how-i-built-cryptographic-signing-for-every-ai-agent-tool-call-1f6a https://dev.to/willamhou/how-i-built-cryptographic-signing-for-every-ai-agent-tool-call-1f6a <h1> How I Built Cryptographic Signing for Every AI Agent Tool Call </h1> <p>Your AI agent just mass-deleted a production database. Can you prove exactly what it did? When? Who authorized it?</p> <p>You can't. None of the major agent frameworks produce cryptographic evidence of what happened.</p> <p>I built <a href="https://github.com/Prismer-AI/signet" rel="noopener noreferrer">Signet</a> to fix this. It gives every AI agent an Ed25519 identity and signs every tool call with a tamper-evident receipt. Open source, 3 lines of code to integrate.</p> <p>This post covers the design decisions, the crypto choices, and why I built an SDK instead of a proxy.</p> <h2> The Problem </h2> <p>MCP (Model Context Protocol) is becoming the standard for agent-tool communication. Claude, Cursor, Windsurf, and dozens of other tools use it. But MCP has no signing, no audit log, and no way to prove which agent did what.</p> <p>Real incidents that motivated this:</p> <ul> <li>Amazon Kiro deleted a production environment</li> <li>Replit agent dropped a live database </li> <li>Supabase MCP leaked tokens via prompt injection</li> </ul> <p>In every case: zero audit trail. The agent did something, nobody could prove exactly what.</p> <h2> Design Decisions </h2> <h3> SDK, not proxy </h3> <p>The existing tools in this space (Aegis, estoppl) use a proxy/gateway model. You deploy a separate process that sits between your agent and the MCP server, intercepting all traffic.</p> <p>I chose the opposite: a client-side SDK. Three reasons:</p> <ol> <li> <strong>Zero infrastructure.</strong> <code>npm install</code> or <code>pip install</code>, not Docker.</li> <li> <strong>stdio-native.</strong> Most MCP connections use stdio pipes. Proxying stdio requires process orchestration that adds failure modes.</li> <li> <strong>Framework-agnostic.</strong> Works with any MCP client, any transport, any language.</li> </ol> <p>The tradeoff: a proxy can enforce policies (block unauthorized calls). Signet can't — it's a camera, not a bouncer. Attestation, not prevention. I think both are needed, and they're complementary.</p> <h3> Ed25519, not ECDSA or RSA </h3> <p>Ed25519 was the obvious choice:</p> <ul> <li> <strong>Fast.</strong> ~70,000 signatures/sec on a laptop. Agent tool calls are maybe 10/sec. No bottleneck.</li> <li> <strong>Small.</strong> 64-byte signatures, 32-byte keys. Fits in JSON metadata without bloat.</li> <li> <strong>Deterministic.</strong> Same key + same message = same signature. No nonce generation needed at signing time (the nonce is in the key schedule).</li> <li> <strong>Battle-tested.</strong> SSH, Signal, age, WireGuard all use it.</li> </ul> <p>I use <code>ed25519-dalek</code> in Rust. The same core compiles to WASM for Node.js and to native for Python via PyO3. One implementation, three languages, zero divergence risk.</p> <h3> RFC 8785 (JCS) for canonical JSON </h3> <p>The signature covers the entire receipt body: action, signer, timestamp, nonce. But JSON serialization is non-deterministic — <code>{"a":1,"b":2}</code> and <code>{"b":2,"a":1}</code> are semantically identical but produce different bytes.</p> <p>I use <a href="https://datatracker.ietf.org/doc/html/rfc8785" rel="noopener noreferrer">RFC 8785 (JSON Canonicalization Scheme)</a> to solve this. JCS defines a deterministic JSON serialization: sorted keys, no whitespace, specific number formatting. Sign the JCS output, verify against the JCS output. Deterministic.</p> <p>Why JCS over alternatives like bencode or CBOR? Because the receipts are JSON, the MCP protocol is JSON, and I didn't want to introduce a second serialization format just for signing.</p> <h3> Hash-chained audit log </h3> <p>Every receipt is appended to a local JSONL audit log. Each entry includes the SHA-256 hash of the previous entry:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">record_</span><span class="mi">1</span><span class="err">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">receipt:</span><span class="w"> </span><span class="err">...</span><span class="p">,</span><span class="w"> </span><span class="err">prev_hash:</span><span class="w"> </span><span class="s2">"sha256:0000..."</span><span class="p">,</span><span class="w"> </span><span class="err">record_hash:</span><span class="w"> </span><span class="s2">"sha256:abc1..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">record_</span><span class="mi">2</span><span class="err">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">receipt:</span><span class="w"> </span><span class="err">...</span><span class="p">,</span><span class="w"> </span><span class="err">prev_hash:</span><span class="w"> </span><span class="s2">"sha256:abc1..."</span><span class="p">,</span><span class="w"> </span><span class="err">record_hash:</span><span class="w"> </span><span class="s2">"sha256:def2..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="err">record_</span><span class="mi">3</span><span class="err">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">receipt:</span><span class="w"> </span><span class="err">...</span><span class="p">,</span><span class="w"> </span><span class="err">prev_hash:</span><span class="w"> </span><span class="s2">"sha256:def2..."</span><span class="p">,</span><span class="w"> </span><span class="err">record_hash:</span><span class="w"> </span><span class="s2">"sha256:ghi3..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Delete or modify any record and the chain breaks. <code>signet verify --chain</code> detects it.</p> <p>This is tamper-<em>evident</em>, not tamper-<em>proof</em>. Someone with disk access can delete the entire log. The hash chain catches selective editing (changing one record while keeping others). Off-host anchoring (anchoring chain hashes to an external service) is on the roadmap for true tamper-proof guarantees.</p> <h3> Encrypted key storage </h3> <p>Agent keys are encrypted at rest with Argon2id + XChaCha20-Poly1305:</p> <ul> <li> <strong>Argon2id</strong> for key derivation (OWASP recommended, memory-hard, resists GPU attacks)</li> <li> <strong>XChaCha20-Poly1305</strong> for encryption (24-byte nonce = safe random nonce generation, AEAD for authenticated encryption)</li> <li> <strong>AAD</strong> (Additional Authenticated Data) binds the ciphertext to the key's metadata, preventing key-file swaps</li> </ul> <p>Unencrypted keys are supported for CI/automation (<code>--unencrypted</code> flag). Keys stored at <code>~/.signet/keys/</code> with <code>0600</code> permissions.</p> <h2> What a Receipt Looks Like </h2> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"v"</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="p">,</span><span class="w"> </span><span class="nl">"id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rec_e7039e7e7714e84f..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"tool"</span><span class="p">:</span><span class="w"> </span><span class="s2">"github_create_issue"</span><span class="p">,</span><span class="w"> </span><span class="nl">"params"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="nl">"title"</span><span class="p">:</span><span class="w"> </span><span class="s2">"fix bug"</span><span class="p">,</span><span class="w"> </span><span class="nl">"body"</span><span class="p">:</span><span class="w"> </span><span class="s2">"details"</span><span class="p">},</span><span class="w"> </span><span class="nl">"params_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:b878192252cb..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"target"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mcp://github.local"</span><span class="p">,</span><span class="w"> </span><span class="nl">"transport"</span><span class="p">:</span><span class="w"> </span><span class="s2">"stdio"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"signer"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"pubkey"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ed25519:0CRkURt/tc6r..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"demo-bot"</span><span class="p">,</span><span class="w"> </span><span class="nl">"owner"</span><span class="p">:</span><span class="w"> </span><span class="s2">"willamhou"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"ts"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2026-03-29T23:24:03.309Z"</span><span class="p">,</span><span class="w"> </span><span class="nl">"nonce"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rnd_dcd4e135799393..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"sig"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ed25519:6KUohbnSmehP..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The signature covers <code>v + action + signer + ts + nonce</code> via JCS. Tamper with any field and verification fails.</p> <p>The <code>params_hash</code> is always present. By default, raw params are also stored. For sensitive data, <code>--hash-only</code> mode stores only the hash — you can prove <em>what shape</em> the params had without revealing their content.</p> <h2> Integration: 3 Lines </h2> <h3> TypeScript (MCP) </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">SigningTransport</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@signet-auth/mcp</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">inner</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">StdioClientTransport</span><span class="p">({</span> <span class="na">command</span><span class="p">:</span> <span class="dl">"</span><span class="s2">my-mcp-server</span><span class="dl">"</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">transport</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">SigningTransport</span><span class="p">(</span><span class="nx">inner</span><span class="p">,</span> <span class="nx">secretKey</span><span class="p">,</span> <span class="dl">"</span><span class="s2">my-agent</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>Every <code>tools/call</code> request gets a signed receipt injected into <code>params._meta._signet</code>. MCP servers don't need to change — they ignore unknown fields per the spec.</p> <h3> Python — LangChain </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">signet_auth</span> <span class="kn">import</span> <span class="n">SigningAgent</span> <span class="kn">from</span> <span class="n">signet_auth.langchain</span> <span class="kn">import</span> <span class="n">SignetCallbackHandler</span> <span class="n">agent</span> <span class="o">=</span> <span class="n">SigningAgent</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="sh">"</span><span class="s">my-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">owner</span><span class="o">=</span><span class="sh">"</span><span class="s">willamhou</span><span class="sh">"</span><span class="p">)</span> <span class="n">handler</span> <span class="o">=</span> <span class="nc">SignetCallbackHandler</span><span class="p">(</span><span class="n">agent</span><span class="p">)</span> <span class="c1"># Pass handler to your LangChain agent — every tool call is now signed </span></code></pre> </div> <h3> Python — CrewAI </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">signet_auth</span> <span class="kn">import</span> <span class="n">SigningAgent</span> <span class="kn">from</span> <span class="n">signet_auth.crewai</span> <span class="kn">import</span> <span class="n">install_hooks</span><span class="p">,</span> <span class="n">uninstall_hooks</span> <span class="n">agent</span> <span class="o">=</span> <span class="n">SigningAgent</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="sh">"</span><span class="s">my-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">owner</span><span class="o">=</span><span class="sh">"</span><span class="s">willamhou</span><span class="sh">"</span><span class="p">)</span> <span class="nf">install_hooks</span><span class="p">(</span><span class="n">agent</span><span class="p">)</span> <span class="n">crew</span><span class="p">.</span><span class="nf">kickoff</span><span class="p">()</span> <span class="c1"># every tool call is now signed </span><span class="nf">uninstall_hooks</span><span class="p">()</span> </code></pre> </div> <h3> Python — Low-level API (any framework) </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">signet_auth</span> <span class="kn">import</span> <span class="n">SigningAgent</span> <span class="n">agent</span> <span class="o">=</span> <span class="n">SigningAgent</span><span class="p">.</span><span class="nf">create</span><span class="p">(</span><span class="sh">"</span><span class="s">my-agent</span><span class="sh">"</span><span class="p">,</span> <span class="n">owner</span><span class="o">=</span><span class="sh">"</span><span class="s">willamhou</span><span class="sh">"</span><span class="p">)</span> <span class="n">receipt</span> <span class="o">=</span> <span class="n">agent</span><span class="p">.</span><span class="nf">sign</span><span class="p">(</span><span class="sh">"</span><span class="s">github_create_issue</span><span class="sh">"</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">title</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">fix bug</span><span class="sh">"</span><span class="p">})</span> </code></pre> </div> <p>All Python bindings are Rust compiled via PyO3 — same crypto, same behavior, native speed. <code>pip install signet-auth</code>.</p> <h3> CLI </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>signet identity generate <span class="nt">--name</span> my-agent signet sign <span class="nt">--key</span> my-agent <span class="nt">--tool</span> <span class="s2">"github_create_issue"</span> <span class="nt">--params</span> <span class="s1">'{"title":"fix bug"}'</span> signet audit <span class="nt">--since</span> 24h signet verify <span class="nt">--chain</span> </code></pre> </div> <h2> Architecture </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>signet/ ├── crates/signet-core/ Rust core (one implementation) ├── bindings/ │ ├── signet-ts/ → WASM for Node.js │ └── signet-py/ → PyO3 for Python ├── packages/ │ ├── @signet-auth/core TypeScript wrapper │ └── @signet-auth/mcp MCP middleware └── signet-cli/ CLI binary </code></pre> </div> <p>The key architectural decision: <strong>one Rust implementation, compiled to multiple targets.</strong> The WASM binding and Python binding call the same <code>signet-core</code> code. There is no separate TypeScript or Python reimplementation of the signing logic. This eliminates the "two implementations diverge" class of bugs entirely.</p> <p>172 tests across Rust (68), Python (85), TypeScript (11), and WASM (8).</p> <h2> What Signet Does NOT Do (Yet) </h2> <p><strong>It proves the agent requested an action, not that the server executed it.</strong> The receipt says "agent X signed intent to call tool Y with params Z at time T." Whether the server actually did it is a separate question. Server-side verification middleware is on the roadmap.</p> <p><strong>It doesn't prevent bad actions.</strong> Signet is a camera, not a bouncer. It complements prevention tools like policy engines and firewalls. You want both: stop the bad thing AND have evidence of what happened.</p> <p><strong>Signer identity is self-asserted.</strong> The <code>signer.name</code> and <code>signer.owner</code> fields are set by the agent. There's no external identity registry (yet) to verify that "demo-bot" actually belongs to "willamhou."</p> <h2> Try It </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>signet-auth <span class="c"># or</span> npm <span class="nb">install</span> @signet-auth/core @signet-auth/mcp <span class="c"># or</span> cargo build <span class="nt">--release</span> <span class="nt">-p</span> signet-cli </code></pre> </div> <p>GitHub: <a href="https://github.com/Prismer-AI/signet" rel="noopener noreferrer">github.com/Prismer-AI/signet</a></p> <p>Apache-2.0 + MIT dual license.</p> <p><em>Questions about the design decisions, crypto choices, or roadmap? I'm <a href="https://x.com/WillamUpUp" rel="noopener noreferrer">@willamhou</a> on Twitter/X.</em></p> ai security opensource rust