Skip to main content

Tamper-evident cryptographic audit trail for OpenClaw and multi-agent AI sessions

Project description

Sasana

Your AI agent logs are not evidence. Sasana makes them defensible.

Every major observability tool — LangSmith, Arize, Langfuse — stores logs in mutable, operator-controlled storage. An administrator with file-system or database access can modify or delete a record with no detectable trace. Those logs satisfy a reporting requirement. They do not prove what happened.

Sasana records a SHA-256 hash-chained audit trail where any modification — to any byte, in any historical event — is detectable. Raw content never leaves your machine: only hashes are stored.

$ sasana verify session.jsonl --trust-key <archeion-pubkey>

Sasana Verifier v1.0.0
File     : session.jsonl
Session  : 3f8a2c1d-…
Events   : 7
Evidence : AUTHORITATIVE_EVIDENCE

[1/5] Structural validity  ... PASS
[2/5] Sequence integrity   ... PASS
[3/5] Hash chain integrity ... PASS
[4/5] Session completeness ... PASS
[5/5] Seal signature       ... PASS

Result: INTACT ✅

Who this is for

Teams deploying AI agents in regulated environments — fintech, healthtech, HR tech. Specifically:

  • Compliance engineers implementing EU AI Act Article 12 (tamper-evident logging for high-risk AI systems)
  • Security teams who need a cryptographically verifiable audit trail for incident response
  • DevSecOps engineers who need to prove a session log has not been touched since it ended

If you are building an AI agent for a use case that falls under GDPR, SOC 2, HIPAA, or EU AI Act audit requirements, Sasana is the audit layer.


What it produces

A completed session produces a JSONL file. The verifier checks five properties and returns one of three results:

Result Meaning
INTACT All checks pass. The log has not been modified.
PARTIAL Hash chain intact but events were dropped during the session.
COMPROMISED Hash chain broken. Log has been modified after the fact.

Exit codes: 0 (INTACT), 1 (COMPROMISED), 2 (PARTIAL), 3 (ERROR) — suitable for CI pipeline integration.

The evidence class tells you how strong the guarantee is:

Class Meaning
AUTHORITATIVE_EVIDENCE Independent sealing authority verified this log. The agent could not have forged this.
SIGNED_NON_AUTHORITATIVE Ed25519 signatures present. Requires private key to forge.
NON_AUTHORITATIVE_EVIDENCE Hash chain intact. Proves no post-hoc modification.

Install

pip install sasana

Install via OpenClaw

# Via GitHub URL
openclaw skill install https://github.com/sahiee-dev/Sasana

# Via skills.sh shorthand (when listed in the registry)
openclaw skill install sahiee-dev/Sasana/sasana

Every session automatically produces ~/.openclaw/sasana/<session_id>.jsonl. No configuration required.


Quick start

from sasana.sqlite_ledger import SqliteLedger
import hashlib

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

ledger = SqliteLedger(db_path="session.db")
ledger.connect()
ledger.open_session(session_id="my-session", agent_id="my-agent")
ledger.record("LLM_CALL",     {"prompt_hash":   sha256(prompt)})
ledger.record("LLM_RESPONSE", {"response_hash": sha256(response)})
ledger.close_session(status="success")
ledger.export_jsonl("session.jsonl")
ledger.close()

Verify:

sasana verify session.jsonl

Passive observer (zero code changes required):

pip install sasana[observer]
sasana observe  # auto-detects OpenClaw WebSocket port

Authority sealing

For regulatory submissions and legal proceedings, NON_AUTHORITATIVE_EVIDENCE means the operator is attesting their own logs. That is insufficient when the operator is a party to a dispute.

Archeion is a sealing server that runs inside your security perimeter, controlled by your security team — structurally separate from the agent process. The agent cannot forge a seal. The sealed log carries AUTHORITATIVE_EVIDENCE.

# Start Archeion (self-hosted, inside your perimeter)
docker compose up -d

# Seal a completed session
sasana seal session.jsonl --server http://localhost:8747

# Verify with key pinning
sasana verify session.jsonl --trust-key <archeion-pubkey>

See docs/DEPLOYMENT.md for the full deployment guide — key lifecycle, network isolation, and what to tell a security reviewer.


How it works

Each event is stored with:

  • SHA-256 hash over RFC 8785 canonical JSON — any mutation changes the hash
  • prev_hash — each event commits to all prior events, forming a chain
  • Ed25519 signature — optional per-session keypair; or Archeion's independent key

Raw content is never stored — only hashes. You cannot reconstruct what the agent said from a Sasana log.

A Rust binary (sasana-rs/) verifies sessions without a Python dependency — for forensic environments where Python is not present or trusted.


Compliance mapping

Regulation Requirement addressed
EU AI Act Article 12 Tamper-evident automatic recording for high-risk AI systems
SOC 2 CC7.2 System monitoring with cryptographically verifiable audit trail
HIPAA §164.312(b) Audit control for healthcare AI; raw PHI never recorded

What Sasana does not do

  • Does not record raw content. Hashes only — you cannot reconstruct prompts or responses.
  • Does not prevent tampering. Detects it. Detection and prevention are different.
  • Does not replace LangSmith or Arize. Those tools are for observability. Sasana is for evidence production. They are complementary.
  • Does not have a managed cloud offering. Self-hosted only.

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sasana-1.0.0.tar.gz (58.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sasana-1.0.0-py3-none-any.whl (56.2 kB view details)

Uploaded Python 3

File details

Details for the file sasana-1.0.0.tar.gz.

File metadata

  • Download URL: sasana-1.0.0.tar.gz
  • Upload date:
  • Size: 58.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.13

File hashes

Hashes for sasana-1.0.0.tar.gz
Algorithm Hash digest
SHA256 70a217a0a1f4aeeaf96d3070368cadd70281486a716586d5daf6abcfefbef0f7
MD5 c0d671722af898f8cce28fc2eeb6dd00
BLAKE2b-256 bcbd1d39e6bbf0db635d2d884f1743754be9a379b2b252f1c30710c8504d9761

See more details on using hashes here.

File details

Details for the file sasana-1.0.0-py3-none-any.whl.

File metadata

  • Download URL: sasana-1.0.0-py3-none-any.whl
  • Upload date:
  • Size: 56.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.13

File hashes

Hashes for sasana-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 3e2c55c3a101ec81e4ab8d68c846a537eab0a014d382389843ea9fb1c581d0fb
MD5 56ad81c75f67e317b88a8ffb9d00cea0
BLAKE2b-256 8ff127e0f9ae19020c39b2e43d843aa924471ad634200001f43566f801180322

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page