When your LangChain agent processes a refund, or your CrewAI pipeline hits an API endpoint, there's no built-in forensic record of what happened. If something breaks (wrong data written, PII leaked, deployment botched), you're flying blind. RootSign, the agent capture layer from Providex AI's Agent Accountability Platform, aims to fix that gap with cryptographic tamper-evident logging that's live as of v0.1.1.
How the Hash Chain Works
RootSign builds an immutable audit trail by chaining SHA-256 hashes. Every Action record contains a hash of the previous action in sequence; modify any record after the fact and rootsign verify catches it instantly. The verification CLI returns exit code 0 for VALID chains, exit code 1 with a broken link identifier if something's been altered. Sessions can be verified from live PostgreSQL/TimescaleDB databases or offline JSONL files via --local. The storage backend runs on PostgreSQL 16 plus TimescaleDB 2.14, with the actions table configured as a hypertable for time-series performance at scale.
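The chaining and verification described above can be sketched as follows. This is an added example, not RootSign's code or record format: the field names (seq, tool, payload, prev_hash, hash), the all-zero genesis value and the canonical JSON encoding are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record of a session

def record_hash(record: dict) -> str:
    """SHA-256 over canonical JSON of every field except the stored hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def append_action(chain: list, tool: str, payload: dict) -> dict:
    """Append a record that commits to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "tool": tool, "payload": payload, "prev_hash": prev}
    record["hash"] = record_hash(record)
    chain.append(record)
    return record

def verify_chain(chain: list):
    """Return (0, None) for a valid chain, else (1, seq of the first broken link)."""
    prev = GENESIS
    for expected_seq, record in enumerate(chain):
        if record.get("seq") != expected_seq:          # record removed or reordered
            return 1, expected_seq
        if record.get("prev_hash") != prev:            # link to predecessor broken
            return 1, expected_seq
        if record.get("hash") != record_hash(record):  # content edited after the fact
            return 1, expected_seq
        prev = record["hash"]
    return 0, None

def load_jsonl(text: str) -> list:
    """Parse an offline JSONL export, one record per line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def demo():
    chain = []  # constructed sample session
    append_action(chain, "lookup_order", {"order_id": "A-1001"})
    append_action(chain, "issue_refund", {"order_id": "A-1001", "amount": 25})
    append_action(chain, "send_email", {"template": "refund_confirmed"})
    jsonl = "\n".join(json.dumps(r) for r in chain)
    tampered = load_jsonl(jsonl)
    tampered[1]["payload"]["amount"] = 2500  # edit a stored record
    return verify_chain(load_jsonl(jsonl)), verify_chain(tampered)

if __name__ == "__main__":
    print(demo())
```

In this sketch, dropping records from the tail or recomputing every hash after an edit goes undetected; catching those cases requires keeping the latest hash somewhere the log writer cannot alter.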
Zero Code Changes Required
The SDK wraps your existing tools without touching agent logic. For LangGraph, @rootsign.trace or wrap_tools() intercepts BaseTool calls automatically: just pass in the session context and an ingest client. CrewAI follows the same pattern with wrap_crewai_tools(). Python 3.11+ is required; the crewai extra currently has wheel compatibility issues on Python 3.13/3.14, so stick to 3.12 if you're running both stacks. The LocalIngestClient handles in-process ingestion for v0.1.x, with an HttpIngestClient planned for Phase 2's hosted backend.
Human-in-the-Loop Checkpoints
High-risk actions can be gated on human approval via require_approval=True on the @rootsign.trace decorator. When a blocked tool fires, the SDK inserts an ACTION_RECORD with authorization_status='pending' and polls until someone approves or rejects from the CLI (rootsign approve ). Timeouts default to 300 seconds and transition the record to 'timed_out', a distinct forensic state. This gives you audit trails for normal operations plus explicit sign-offs for anything touching money, customer data, or infrastructure.
PII Redaction Built In
Before any hash gets computed, input/output values pass through redaction filters so stored hashes carry no sensitive signal. Three pre-built configs cover common ground: StandardPIIConfig handles email, phone, US SSN, credit cards, and UK NI numbers; FinancialPIIConfig adds account routing and IBAN patterns; HealthcarePIIConfig covers MRN, NPI, and DOB. All three accept extra_rules dictionaries for domain-specific patterns without subclassing.
Decision Capture (Opt-In)
RootSign can record the reasoning behind each tool call (selected action, confidence score, and a text summary of the agent's logic) by setting ROOTSIGN_CAPTURE_DECISIONS=true. Decisions aren't in the hash chain itself but link to Action records via decision_id, enabling session replay down the road. Depth control (minimal/summary/full) caps how much reasoning text gets stored.
Roadmap: Phase 2 and Beyond
Phase 1 MVP is feature-complete with LangGraph + CrewAI integrations, the verify CLI, PII redaction, HiTL checkpoints, and opt-in decision capture. Phase 2 targets a hosted ingest backend plus compliance dashboard (drop-in replacement for LocalIngestClient), web-based approval UI, and AutoGen integration following the same duck-typing patterns as CrewAI.
Key Takeaways
- SHA-256 hash chain makes agent actions tamper-evident without modifying your pipeline code
- Human-in-the-loop approvals gate high-risk operations with CLI workflow
- PII redaction runs before hashing, so stored hashes contain no sensitive signal
- Phase 2 brings hosted backend, web UI for approvals, and AutoGen support
The Bottom Line
RootSign solves a real accountability gap in agentic AI systems. If you're running LangChain or CrewAI in production and can't answer 'what did the agent do and was it authorized?', you need this yesterday. It's early (v0.1.1) but the architecture is solid: hash chains, hypertable storage, opt-in compliance features. Watch Phase 2 closely; a hosted backend with session replay would make this mandatory infrastructure for regulated industries.