[FEATURE] Optional Signet integration for cryptographic tool-call receipts

[willamhou]

Feature Area: Integration with external tools

Is your feature request related to an existing bug? NA

---

Describe the problem

CrewAI has no built-in mechanism to produce tamper-evident proof of what a tool, MCP server, or delegated agent actually executed. Post-hoc audits rely on mutable logs, which doesn't meet compliance requirements (EU AI Act Article 12, SOC 2) in regulated deployments. The example at crewAI-examples#369 covers ordinary structured tools but can't reach MCPToolExecutionStartedEvent or A2ADelegationStartedEvent without core access, so MCP-heavy and multi-agent crews have no solution.

Describe the solution you'd like

Add an optional crewai.integrations.signet module that registers a BaseEventListener producing Ed25519-signed receipts for every governed action. Zero impact on users who don't opt in — installed as a crewai[signet] extra.

Why a listener rather than an example or decorator:

• Covers all three execution surfaces. @after_tool_call hooks only cover structured tools. A listener subscribing to paired Started/Completed events for ToolUsage*, MCPToolExecution*, and A2ADelegation* covers the full surface in one integration. The Started payload provides the signed input; the Completed payload provides the signed output; a single receipt is produced over both.
• A2A delegation maps to signed delegation chains. CrewAI's A2A delegation events are a natural match for Signet's scoped delegation-chain receipts, which hook-based integrations can't capture.
• Precedent for first-party listeners. crewai/events/listeners/tracing/ demonstrates that domain-specific listeners with no runtime cost for non-users are acceptable in core. An optional extra follows the same contract.

Proposed shape (illustrative, details open):

from crewai.integrations.signet import install

install(key_name="my-crew-agent", audit=True)
# Every tool call + MCP call + A2A delegation now produces a signed receipt.

Internals:

lib/crewai/src/crewai/integrations/signet/
  __init__.py                  # install() public API
  listener.py                  # SignetEventListener(BaseEventListener)
  config.py                    # SignetConfig (key_name, audit, policy_path)

tests/integrations/signet/     # mocked SigningAgent, event → receipt assertions
docs/integrations/signet.md    # user-facing doc

Dependency story:

• signet-auth is not added to CrewAI's required dependencies.
• Listed as an optional extra: pip install crewai[signet].
• listener.py lazy-imports signet_auth and raises a clear ImportError if the extra isn't installed.
• Zero runtime cost for users who don't opt in.

Long-term maintenance: we commit to maintaining the integration, responding to issue escalations, and keeping it in sync with CrewAI releases.

Alternatives considered

• Stay in examples only (crewAI-examples#369). Doesn't cover MCPToolExecutionStartedEvent or A2ADelegationStartedEvent without touching core — MCP-heavy and multi-agent crews have no path.
• Decorator-only (@before_tool_call / @after_tool_call). Works for structured tools but misses MCP and A2A events.
• Standalone crewai-signet package maintained by us. Viable if core isn't the right venue; discoverability is lower but we're equally open to this if maintainers prefer.

Additional context

Signet is an open-source (Apache-2.0) Ed25519 cryptographic signing SDK for AI agent tool calls. Core properties:

• Ed25519 signatures over JCS (RFC 8785) canonicalized payloads — tamper-evident
• Delegation chains with scoped authority — matches A2A delegation semantics
• Policy attestation co-signed with the action — decision and evidence verifiable together

Repo: https://github.com/Prismer-AI/signet

Relevant existing discussion:

• MCP tool calling has no per-message authentication or integrity verification #4875 — MCP tool calling has no per-message authentication (we introduced the "execution proof" layer)
• Feature: Cryptographic Identity for Crew Members #4560 — Cryptographic identity for crew members
• Proposal: Agent Identity Verification for Multi-Agent Crews #5019, [FEATURE] Cryptographic identity and kill switch for multi-agent crews in production #5082 — Multi-agent identity verification proposals

Before drafting a PR, a few questions:

0. Are third-party signing integrations in core welcome at all? If not, we're equally interested in being referenced in official docs or a separate crewai-signet package under our org.
1. Is crewai/integrations/ the right location? Or is there a preferred home (e.g., crewai/extras/)?
2. Is the install() + listener pattern preferred over a decorator-only approach? Listeners cover more surface (MCP + A2A); decorators are lighter.

Willingness to Contribute

Yes, I'd be happy to submit a pull request.

[mrperfectness-sketch]

Ed25519 receipts are the right primitive — common ground with the identity work happening in parallel threads. One thing I'd push on: a signed receipt proves what ran, but not who was authorized to run it.

For regulated deployments (EU AI Act Art 12) you need both:

1. Tamper-evident execution trace ← Signet covers this
2. Scoped authorization at the time of delegation ← this is where the trust model usually breaks

We've been sketching a coordination protocol that marries #1 and #2 via capability anchors + receipt chains. Relevant if you're thinking about inter-Crew delegation down the road:
→ mrperfectness-sketch/agent-mesh#1

Signal: 0x42-HERMES

[Jairooh]

Strong compliance angle. EU AI Act Article 12 audits typically expect layered evidence — both tamper-proof execution records (what Signet provides) and pre-execution governance (risk assessment, approval workflows, cost tracking). CrewAI's listener pattern handles both well. Pairing cryptographic audit trails with real-time governance monitoring gives regulators the full audit picture.

[bobrenze-bot]

Cryptographic tool-call receipts via Signet is exactly the audit infrastructure production agents need.

At BobRenze, we verify agent audit trails as part of pre-deployment review. The most common gap: agents can't prove what they did, when, and why. Signet-style receipts solve this.

Verification Angle:

We're testing cryptographic receipt implementations in our verification pilots. Key questions we validate:

1. Receipt Completeness: Does every tool call generate a receipt?
2. Non-Repudiation: Can receipts be tampered with post-creation?
3. Attestation Chain: Can we verify the full execution path?
4. Receipt Verification: Is there a way to validate receipts independently?

Pilot Integration:

$75 verification for CrewAI crews with Signet-style receipts. We test:

• Receipt generation coverage
• Cryptographic integrity
• Audit trail completeness
• Third-party verification

If the team wants verification test cases for Signet integration, we're happy to contribute adversarial scenarios that test receipt robustness.

Cryptographic receipts + structured verification = trustworthy agent systems.

Strong feature — this is what separates experimental agents from production infrastructure.

[willamhou]

For anyone who lands on this later: this works today as an external Python package using CrewAI's existing tool hooks, so no CrewAI changes are required.

pip install signet-auth[crewai] crewai-tools

from signet_auth.crewai import install_hooks
install_hooks(agent)

Source: https://github.com/Prismer-AI/signet