openclaw/extensions/web4-governance/src/soft-lct.ts
dp-web4 fd457ac3f4 Add web4-governance plugin: R6 audit trails and session identity
Adds a governance extension that creates verifiable audit trails for
agent tool usage using the R6 framework (Rules+Role+Request+Reference+
Resource→Result). Uses the typed after_tool_call hooks wired in #1
to capture every tool invocation with provenance, timing, and
hash-linked chain integrity.

Includes:
- R6 request framework with tool classification
- Hash-linked JSONL audit chain with verification
- Software-bound session identity tokens (Soft LCT)
- Session state tracking with tool/category counts
- CLI commands: audit summary, audit verify, audit last
- 39 unit tests across all modules

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 20:24:29 -08:00

36 lines
885 B
TypeScript

/**
* Soft LCT - Software-bound Linked Context Token.
*
* Generates a session identity token from machine + user context.
* NOT hardware-bound (no TPM/SE). Trust interpretation is up to
* the relying party.
*/
import { createHash } from "node:crypto";
import { hostname, userInfo } from "node:os";
export type SoftLCTToken = {
tokenId: string;
sessionId: string;
machineHash: string;
createdAt: string;
bindingType: "software";
};
export function createSoftLCT(sessionId: string): SoftLCTToken {
const machine = hostname();
const user = userInfo().username;
const machineHash = createHash("sha256")
.update(`${machine}:${user}`)
.digest("hex")
.slice(0, 8);
return {
tokenId: `web4:session:${machineHash}:${sessionId.slice(0, 8)}`,
sessionId,
machineHash,
createdAt: new Date().toISOString(),
bindingType: "software",
};
}