Tamper-evident cryptographic audit trail for OpenClaw and multi-agent AI sessions
Project description
Sasana
Your AI agent logs are not evidence. Sasana makes them defensible.
Every major observability tool — LangSmith, Arize, Langfuse — stores logs in mutable, operator-controlled storage. An administrator with file-system or database access can modify or delete a record with no detectable trace. Those logs satisfy a reporting requirement. They do not prove what happened.
Sasana records a SHA-256 hash-chained audit trail where any modification — to any byte, in any historical event — is detectable. Raw content never leaves your machine: only hashes are stored.
$ sasana verify session.jsonl --trust-key <archeion-pubkey>
Sasana Verifier v1.0.0
File : session.jsonl
Session : 3f8a2c1d-…
Events : 7
Evidence : AUTHORITATIVE_EVIDENCE
[1/5] Structural validity ... PASS
[2/5] Sequence integrity ... PASS
[3/5] Hash chain integrity ... PASS
[4/5] Session completeness ... PASS
[5/5] Seal signature ... PASS
Result: INTACT ✅
Who this is for
Teams deploying AI agents in regulated environments — fintech, healthtech, HR tech. Specifically:
- Compliance engineers implementing EU AI Act Article 12 (tamper-evident logging for high-risk AI systems)
- Security teams who need a cryptographically verifiable audit trail for incident response
- DevSecOps engineers who need to prove a session log has not been touched since it ended
If you are building an AI agent for a use case that falls under GDPR, SOC 2, HIPAA, or EU AI Act audit requirements, Sasana is the audit layer.
What it produces
A completed session produces a JSONL file. The verifier checks five properties and returns one of three results:
| Result | Meaning |
|---|---|
INTACT |
All checks pass. The log has not been modified. |
PARTIAL |
Hash chain intact but events were dropped during the session. |
COMPROMISED |
Hash chain broken. Log has been modified after the fact. |
Exit codes: 0 (INTACT), 1 (COMPROMISED), 2 (PARTIAL), 3 (ERROR) — suitable for
CI pipeline integration.
The evidence class tells you how strong the guarantee is:
| Class | Meaning |
|---|---|
AUTHORITATIVE_EVIDENCE |
Independent sealing authority verified this log. The agent could not have forged this. |
SIGNED_NON_AUTHORITATIVE |
Ed25519 signatures present. Requires private key to forge. |
NON_AUTHORITATIVE_EVIDENCE |
Hash chain intact. Proves no post-hoc modification. |
Install
pip install sasana
Install via OpenClaw
# Via GitHub URL
openclaw skill install https://github.com/sahiee-dev/Sasana
# Via skills.sh shorthand (when listed in the registry)
openclaw skill install sahiee-dev/Sasana/sasana
Every session automatically produces ~/.openclaw/sasana/<session_id>.jsonl.
No configuration required.
Quick start
from sasana.sqlite_ledger import SqliteLedger
import hashlib
def sha256(text: str) -> str:
return hashlib.sha256(text.encode()).hexdigest()
ledger = SqliteLedger(db_path="session.db")
ledger.connect()
ledger.open_session(session_id="my-session", agent_id="my-agent")
ledger.record("LLM_CALL", {"prompt_hash": sha256(prompt)})
ledger.record("LLM_RESPONSE", {"response_hash": sha256(response)})
ledger.close_session(status="success")
ledger.export_jsonl("session.jsonl")
ledger.close()
Verify:
sasana verify session.jsonl
Passive observer (zero code changes required):
pip install sasana[observer]
sasana observe # auto-detects OpenClaw WebSocket port
Authority sealing
For regulatory submissions and legal proceedings, NON_AUTHORITATIVE_EVIDENCE means the
operator is attesting their own logs. That is insufficient when the operator is a party
to a dispute.
Archeion is a sealing server that runs inside your security perimeter,
controlled by your security team — structurally separate from the agent process. The
agent cannot forge a seal. The sealed log carries AUTHORITATIVE_EVIDENCE.
# Start Archeion (self-hosted, inside your perimeter)
docker compose up -d
# Seal a completed session
sasana seal session.jsonl --server http://localhost:8747
# Verify with key pinning
sasana verify session.jsonl --trust-key <archeion-pubkey>
See docs/DEPLOYMENT.md for the full deployment guide — key lifecycle, network isolation, and what to tell a security reviewer.
How it works
Each event is stored with:
- SHA-256 hash over RFC 8785 canonical JSON — any mutation changes the hash
prev_hash— each event commits to all prior events, forming a chain- Ed25519 signature — optional per-session keypair; or Archeion's independent key
Raw content is never stored — only hashes. You cannot reconstruct what the agent said from a Sasana log.
A Rust binary (sasana-rs/) verifies sessions without a Python dependency — for forensic
environments where Python is not present or trusted.
Compliance mapping
| Regulation | Requirement addressed |
|---|---|
| EU AI Act Article 12 | Tamper-evident automatic recording for high-risk AI systems |
| SOC 2 CC7.2 | System monitoring with cryptographically verifiable audit trail |
| HIPAA §164.312(b) | Audit control for healthcare AI; raw PHI never recorded |
What Sasana does not do
- Does not record raw content. Hashes only — you cannot reconstruct prompts or responses.
- Does not prevent tampering. Detects it. Detection and prevention are different.
- Does not replace LangSmith or Arize. Those tools are for observability. Sasana is for evidence production. They are complementary.
- Does not have a managed cloud offering. Self-hosted only.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sasana-1.0.0.tar.gz.
File metadata
- Download URL: sasana-1.0.0.tar.gz
- Upload date:
- Size: 58.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
70a217a0a1f4aeeaf96d3070368cadd70281486a716586d5daf6abcfefbef0f7
|
|
| MD5 |
c0d671722af898f8cce28fc2eeb6dd00
|
|
| BLAKE2b-256 |
bcbd1d39e6bbf0db635d2d884f1743754be9a379b2b252f1c30710c8504d9761
|
File details
Details for the file sasana-1.0.0-py3-none-any.whl.
File metadata
- Download URL: sasana-1.0.0-py3-none-any.whl
- Upload date:
- Size: 56.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3e2c55c3a101ec81e4ab8d68c846a537eab0a014d382389843ea9fb1c581d0fb
|
|
| MD5 |
56ad81c75f67e317b88a8ffb9d00cea0
|
|
| BLAKE2b-256 |
8ff127e0f9ae19020c39b2e43d843aa924471ad634200001f43566f801180322
|