Providex AI just dropped RootSign v0.1.1 on Hacker News, and if you're running LangChain or CrewAI agents in production without an immutable audit trail, you need to read this carefully. The tool captures every agent action as a cryptographically verifiable record using SHA-256 hash chaining — modify anything after the fact and rootsign verify will call it out by name and position.
The Core Problem RootSign Solves
When your AI agent calls a tool, hits an API, or writes to a database in production, there's no built-in provenance. If that agent later does something catastrophic — processes a fraudulent refund, leaks PII, deploys malformed infrastructure — you're flying blind. You can't prove the chain of events, who authorized it, or whether your logs have been tampered with post-incident. RootSign closes this gap by instrumenting tool calls at the wrapper layer without requiring changes to your agent logic itself.
How the Hash Chain Works
Each Action record carries a SHA-256 hash of the previous action, creating a tamper-evident chain per session. The @rootsign.trace decorator wraps any callable and emits an ACTION_RECORD envelope on every invocation. When you run rootsign verify, it reconstructs the chain and fails fast if any self_hash doesn't match — outputting something like 'TAMPERED ✗ — chain broken at record #2' with the offending action ID surfaced. The CLI exits 0 for VALID, 1 for TAMPERED, so you can gate deployments on it.
Integration Is Surprisingly Clean
For LangGraph users: install rootsign[langgraph], register your agent once with register_agent(), wrap tools via rootsign.wrap_tools() passing in the session context, and you're done. CrewAI follows the same pattern with wrap_crewai_tools(). Python 3.11 or 3.12 recommended — the crewai extra currently lacks wheels for 3.13/3.14, so stick to 3.12 if you hit distribution errors. Tested against CrewAI versions 0.28, 0.40, and 1.x in CI.
Human-in-the-Loop Checkpoints
High-risk actions can be gated on explicit human approval via require_approval=True on the @rootsign.trace decorator. When triggered, the SDK blocks execution and inserts a record with authorization_status='pending'. Operators approve or reject from another terminal using rootsign approve. Timeouts default to 5 minutes and produce a distinct 'timed_out' forensic state — separate from human_rejected. This is the kind of compliance-grade control that enterprise auditors actually want to see.
PII Redaction Before Hashing
RedactionConfig runs before hash computation, so stored input_hash/output_hash values carry zero PII signal. Three presets ship out of the box: StandardPIIConfig (email, phone, US SSN, credit card, UK NI), FinancialPIIConfig (adds account/routing/IBAN patterns), and HealthcarePIIConfig (adds MRN/NPI/DOB). Each accepts extra_rules={...} for domain-specific patterns without subclassing. This is non-negotiable if you're running in regulated environments.
Storage Backends
Phase 1 uses LocalIngestClient backed by PostgreSQL 16 + TimescaleDB 2.14, with the actions table as a hypertable for time-series performance. The rootsign-admin start-db command wraps a single docker run timescale/timescaledb:latest-pg16, and init runs Alembic migrations. Offline JSONL verification is also supported via --local — no database required to validate archived sessions.
What's Coming in Phase 2
Planned: HttpIngestClient for a hosted backend, compliance dashboard UI, web-based HiTL approval (browser instead of CLI), and AutoGen integration using the same duck-typing shape as CrewAI. Policy enforcement and cross-platform governance are further out on the roadmap.
The Bottom Line
RootSign isn't trying to be sexy — it's trying to be admissible in court. If you're running autonomous agents against production systems without this level of instrumentation, you're one incident away from a forensic nightmare with no way to reconstruct what happened. v0.1.1 is MVP-grade but functional; watch the GitHub Issues for rapid iteration.