Your OpenClaw assistant just deleted a file, sent an email, or ran a shell command on your machine. Can you prove what it did? When? Authorized by whom? Standard log files don't answer that. They can be edited. They can be rotated. They can be deleted. After an incident, "the agent did X" is your word against the runtime that produced the log. This post walks through adding cryptographic audit trails to OpenClaw using @signet-auth/openclaw-plugin . Every tool call gets: An Ed25519 signature over the canonical action payload (RFC 8785 JCS → SHA-256 → Ed25519) A hash-chained entry in ~/.signet/audit/*.jsonl — deletion or reordering breaks the chain Optional policy enforcement (deny dangerous tools before they run) Optional encryption of tool params at rest Total setup time: under a minute. What you need OpenClaw ( >=2026.3.24-beta.2 ) — the gateway you already run The signet CLI on $PATH . Install via cargo install signet-cli , or grab a release binary Two minutes That's it.…