RFC: Cryptographic integrity for persistence layer and MCP config

[WillemJiang]

Discussed in #1855

^{Originally posted by tomjwxf April 4, 2026}

Context

Following up on the persistence/event layer RFC (#1850) and the security vulnerabilities in #1646 (unauthenticated MCP config execution) and #1648 (memory disclosure). This proposal adds cryptographic integrity to DeerFlow's control plane.

Problem

DeerFlow's memory and MCP config are currently accessible without authentication. Even with auth added, the integrity of stored data isn't verifiable — a compromised server or rogue sub-agent could modify memory entries or past event records without detection.

For enterprise deployments where DeerFlow orchestrates production sub-agents, teams need:

1. Tamper-evident memory — prove a memory entry hasn't been modified since it was written
2. Signed MCP config — prove the MCP configuration was authorized
3. Sub-agent attestation — prove which sub-agent produced which output

Proposal

Add Ed25519 receipt signing to the event/persistence layer. Each significant mutation gets a cryptographic receipt:

• Memory write: Receipt with content hash + timestamp + signing key
• MCP config change: Receipt with config hash + authorization context
• Sub-agent completion: Receipt with output hash + sub-agent identity
• Task delegation: Receipt proving delegation scope and authority

These receipts chain into a tamper-evident audit trail. Any modification after signing causes the hash chain to break.

Implementation

protect-mcp (MIT) already implements this for MCP tool calls. The persistence layer integration would:

1. Hook into the event store proposed in [RFC] Unified Persistence Layer: Message History, Event Tracing, Token Tracking & Feedback #1850
2. Sign each event with Ed25519 at write time (~50μs overhead)
3. Store content_hash, signature, and public_key alongside each event
4. Expose a /verify endpoint that recomputes hashes and checks signatures

The verifier is fully offline: npx @veritasacta/verify events.jsonl

Receipt format follows IETF Internet-Draft: draft-farley-acta-signed-receipts.

This complements (not replaces) auth

Adding authentication to #1646/#1648 prevents unauthorized access. Adding receipt signing prevents undetected tampering even by authorized parties. Both are needed for enterprise-grade security.

Happy to contribute a PR or collaborate on the design. The receipt signing module is ~120 lines with zero external dependencies (Node 22+ native Ed25519).

[tomjwxf]

@WillemJiang -- thanks for tracking this. I built a working proof-of-concept targeting DeerFlow's architecture:

examples/deerflow-receipts -- Ed25519 receipt signing for DeerFlow's memory, MCP config, and tool calls.

Three modules, each self-contained:

1. memory_integrity.py -- signs memory.json writes with hash chaining. Proves no memory entry was modified between writes. Includes a file watcher mode for continuous monitoring. (~290 lines)
2. mcp_config_signer.py -- signs MCP config changes via a FastAPI middleware wrapper. Each config change gets a receipt with the config hash + enabled/disabled servers. (~310 lines)
3. receipt_middleware.py -- LangGraph callback that signs tool calls and sub-agent completions. Drop-in compatible with DeerFlow's callback system. (~340 lines)

Plus a standalone verifier (verify.py, ~250 lines, zero deps) and an end-to-end demo. All receipts conform to IETF draft-farley-acta-signed-receipts-01.

# Run the demo
python demo.py

# Verify receipts offline
python verify.py example_receipts.jsonl
# or: npx @veritasacta/verify example_receipts.jsonl

Zero external dependencies beyond optional pynacl for signing. Gracefully degrades to unsigned receipts without it. Python 3.12+ native.

Also related: [microsoft/agent-governance-toolkit#667](https://github.com/microsoft/agent-governance-toolkit/pull/667) -- same receipt signing pattern proposed for Microsoft's agent governance toolkit. Happy to adapt this into a PR scoped to whichever integration point you'd prefer to start with. Memory writes seem like the natural first target since the memory system is already in production and #1648 demonstrated the need for integrity verification beyond just authentication.

[tomjwxf]

@WillemJiang update since the original RFC. Built a Python implementation targeting DeerFlow's architecture: https://github.com/VeritasActa/deerflow-receipts

Five modules, all conforming to IETF draft-farley-acta-signed-receipts:

1. memory_integrity.py: signs memory.json writes with hash chains. Addresses [security] Fix unauthenticated memory disclosure and prompt poisoning #1648. Even after auth is added, receipts prove entries have not been tampered with after write.
2. mcp_config_signer.py: signs MCP config changes with FastAPI middleware. Addresses [security] Fix unauthenticated MCP config disclosure and stdio process execution #1646. Each receipt records which servers were enabled/disabled and who authorized the change.
3. receipt_middleware.py: LangGraph callback handler for tool call receipts. Produces deerflow:tool_call and deerflow:subagent_completion receipts with policy enforcement at the on_tool_start boundary.
4. verify.py: standalone offline verifier. Zero dependencies beyond stdlib.
5. verify_mcp_tool.py: exposes verify_receipt and verify_chain as MCP tools so agents can verify each other's receipts. Runs as a stdio MCP server. This was requested by @jingchang0623-crypto in RFC: Cryptographic integrity for persistence layer and MCP config #1855.

The same receipt format is running in Microsoft Agent Governance Toolkit (8 merged PRs), Google ADK via protect-mcp-adk, and Pydantic AI. DeerFlow would be the fourth major framework producing interoperable receipts.

Can draft PR targeting the event store from #1850. Let me know if you prefer that or a design doc first.