# How It Works

OpenClaw Vault is a Python evidence layer (`pip install liquefy-openclaw`, MIT-licensed) that wraps an agent's activity in a tamper-evident, anchorable record. The engine is shipped and open in [`openclaw-skills`](https://github.com/Parad0x-Labs/openclaw-skills) (the claw-family skills monorepo, formerly `openclaw-vault`) — the pieces below are real modules on `main`, not a roadmap.

***

## The evidence leaf

Every recorded action becomes a leaf that binds *what happened*, *what it cost*, and *what authorized it* to the entry before it:

```
leaf = SHA-256(
    action,              # what the agent did
    x402_receipt,        # on-chain proof of the payment it made
    mandate_scope,       # the delegated authority it acted under
    prev_hash            # fingerprint of the previous leaf  → the chain
)
```

Because each leaf eats the previous leaf's hash, the entries form a chain: alter, reorder, or drop one and every later hash stops matching. That's the black-box property — the record is append-only and self-checking.
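The chaining property above as a runnable sketch, added here and not taken from the `openclaw-skills` code: the length-prefixed field encoding, the all-zero genesis value, and the names `leaf_hash`, `append`, `first_break` and `sample_chain` are assumptions. It also shows that a chain whose hashes were all recomputed after an edit still links internally, so the check is only meaningful against a trusted head such as the anchored root.

```python
import hashlib
import struct

GENESIS = b"\x00" * 32  # assumed prev_hash for the first leaf


def leaf_hash(action, x402_receipt, mandate_scope, prev_hash):
    """SHA-256 over the four fields, each length-prefixed (assumed encoding)
    so that moving bytes between fields changes the digest."""
    h = hashlib.sha256()
    for field in (action, x402_receipt, mandate_scope, prev_hash):
        h.update(struct.pack(">I", len(field)) + field)
    return h.digest()


def append(chain, action, receipt, scope):
    prev = chain[-1]["leaf"] if chain else GENESIS
    chain.append({"action": action, "receipt": receipt, "scope": scope,
                  "prev": prev, "leaf": leaf_hash(action, receipt, scope, prev)})


def first_break(chain, trusted_head=None):
    """Index of the first entry that fails to verify; len(chain) if every
    entry links but the head differs from trusted_head; None if intact."""
    prev = GENESIS
    for i, e in enumerate(chain):
        recomputed = leaf_hash(e["action"], e["receipt"], e["scope"], prev)
        if e["prev"] != prev or e["leaf"] != recomputed:
            return i
        prev = e["leaf"]
    if trusted_head is not None and prev != trusted_head:
        return len(chain)
    return None


def sample_chain():
    """Constructed sample data, not real receipts."""
    chain = []
    for n in range(4):
        append(chain, b"GET /quote/%d" % n, b"receipt-%d" % n, b"scope:quotes<=5usd")
    return chain
```

Without `trusted_head`, a truncated or fully rewritten chain returns `None`; with the head recorded at anchoring time it returns `len(chain)`.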

***

## The spine (each piece is a shipped module)

| Module                                     | Guarantees                                                                                                                                                                                                                                                      |
| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **FIRC** — Forward-Integrity Receipt Chain | An HKDF-seeded MAC that **ratchets and zeroizes** each step (`A₀ = HKDF(spendKey, session_id)`). Steal the agent's key *now* and you still cannot forge, reorder, or delete anything it logged *before* the theft.                                              |
| **TERS** — Truncation-sealed evidence      | A forward-secure aggregate + a finalization fold over `(count, aggregate, settlement_root)`. Reconciles the logged actions against on-chain settlements, so a **settled payment that was left out of the log is surfaced**. "No settled payment can be hidden." |
| **ValueSeal**                              | A keyed integer accumulator that catches **amount substitution** — swapping a $5 receipt for $5,000 breaks the seal even if the receipt set looks identical.                                                                                                    |
| **firc\_path**                             | A **key-free Merkle path** over the entry digests: reveal *one* paid action to a stranger, prove it's in the sealed chain, and keep the rest private.                                                                                                           |
| **dual\_tier**                             | An Ed25519 **public cosignature** over the anchored head — the tier anyone can verify without a shared key.                                                                                                                                                     |
| **vault\_evidence**                        | The unified verifier + CLI that composes the above into a single verdict.                                                                                                                                                                                       |
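A minimal forward-integrity ratchet in the spirit of the FIRC row, as an added example rather than the project's implementation. Only `A₀ = HKDF(spendKey, session_id)` comes from the table; using `session_id` as the HKDF salt, the `firc-demo`, `mac` and `ratchet` labels, the HMAC-based key update, and every function and class name are assumptions.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) with HMAC-SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def step(key, index, entry):
    """One ratchet step: (tag over index||entry, next key). Labels are assumed."""
    tag = hmac.new(key, b"mac" + index.to_bytes(8, "big") + entry, hashlib.sha256).digest()
    return tag, hmac.new(key, b"ratchet", hashlib.sha256).digest()


class RatchetLogger:
    def __init__(self, spend_key, session_id):
        # A0 = HKDF(spendKey, session_id); session_id as the salt is an assumption
        self.key = bytearray(hkdf_sha256(spend_key, session_id, b"firc-demo"))
        self.index = 0

    def log(self, entry):
        tag, nxt = step(bytes(self.key), self.index, entry)
        self.key[:] = nxt  # overwrite A_i in place; best effort, Python may keep copies
        self.index += 1
        return entry, tag


def verify(spend_key, session_id, records):
    """Key-holder check: index of the first record whose tag fails, else None."""
    key = hkdf_sha256(spend_key, session_id, b"firc-demo")
    for i, (entry, tag) in enumerate(records):
        expected, key = step(key, i, entry)
        if not hmac.compare_digest(expected, tag):
            return i
    return None
```

The key held after step *n* cannot produce a valid tag for any index below *n*, because each update is one-way. A shortened log is still a valid prefix under this per-entry check, which is why a count or finalization seal like the TERS fold in the table is needed alongside it.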

***

## Anchoring to Solana

The whole vault rolls up into one root (an append-friendly MMR / Merkle structure with RFC-6962 consistency proofs, so old proofs keep verifying after new entries are added). That single root is written to Solana via the `receipt_anchor` program — **one on-chain fingerprint certifies the entire record.**

```
$ openclaw-vault verify ./session.vault
chain:    OK   (1,284 entries, no breaks)
seal:     OK   (no truncation; 1,284 logged == 1,284 settled)
values:   OK   (no amount substitution)
anchored: yes  — Solana tx 3o8g9Lan…  (confirmation-level)
verdict:  VERIFIED
```

Underneath, the record is stored with **Liquefy** compression and **per-column commitments** — so a single column (say, just the payment amounts) can be disclosed to an auditor *uncompressed, with an inclusion proof*, without unsealing the rest.
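Both the `firc_path` row and the per-column disclosure above rest on a Merkle inclusion proof. The following added example, not the project's code, builds and checks one with the RFC 6962 tree shape and hash prefixes; the function names and the constructed sample digests are assumptions, and the MMR layout and consistency proofs are not covered.

```python
import hashlib

def leaf_h(digest):
    return hashlib.sha256(b"\x00" + digest).digest()  # RFC 6962 leaf prefix

def node_h(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()  # interior prefix

def split(n):
    k = 1
    while k * 2 < n:
        k *= 2
    return k  # largest power of two strictly below n

def root(entries):
    if len(entries) == 1:
        return leaf_h(entries[0])
    k = split(len(entries))
    return node_h(root(entries[:k]), root(entries[k:]))

def path(entries, m):
    """Audit path for entries[m], ordered from the leaf up to the root."""
    if len(entries) == 1:
        return []
    k = split(len(entries))
    if m < k:
        return path(entries[:k], m) + [root(entries[k:])]
    return path(entries[k:], m - k) + [root(entries[:k])]

def verify_inclusion(entry, m, n, proof, expected_root):
    """Check entry is leaf m of an n-leaf tree using only public values."""
    if not 0 <= m < n:
        return False
    fn, sn, r = m, n - 1, leaf_h(entry)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_h(p, r)
            while fn and not fn & 1:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_h(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == expected_root

def sample_entries():
    """Seven constructed entry digests standing in for sealed log entries."""
    return [hashlib.sha256(b"entry-%d" % i).digest() for i in range(7)]
```

The verifier sees one entry, its index, the tree size and the sibling hashes on the path, and needs no key. The siblings are hashes of the undisclosed entries, so keeping those private depends on the underlying digests not being guessable.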

***

## Limits (read these)

* **Anchoring is confirmation-level**, not finality-grade yet. We say "as of the last confirmation-level anchor," not "finalized."
* The FIRC/TERS/ValueSeal tiers are **keyed** — verifiable by a scoped auditor or key-holder. *Public* verification is only via the Ed25519 `dual_tier` cosignature or the key-free `firc_path`.
* Forward-integrity protects the **un-anchored tail** against key theft; it is not a claim that the agent's *inputs* were correct — it proves the record wasn't altered, not that the world was.
* **Public Beta, not audited.** No "compliant erasure," no "insurance" — where we bond value it's *slashable*, which is a different, narrower claim.
