Skip to content

HumanAssisted/moltyjacs

BranchesTags

Repository files navigation

moltyjacs

Sign it. Prove it. JACS cryptographic provenance plugin for OpenClaw.

Which integration should I use? | Full JACS documentation

Why use JACS?

So your OpenClaw agent can be trusted -- and can trust others. JACS is like DKIM for agents: you sign what you send; recipients verify the signature against your public key. It is decentralized -- no single authority. You publish your key (DNS, optional HAI.ai); others fetch and verify. Without it, nothing you say or do can be proven. With JACS you sign messages, commitments, and state; anyone with your public key can verify they came from you and were not altered. You get proof of origin, integrity, and accountability. Other agents can discover your key via DNS or HAI.ai and verify your documents; you verify theirs with jacs_verify_auto and optional trust levels (domain, attested). Keys and signed payloads stay local; you send the same signed JSON over any channel (WhatsApp, HTTP, MCP). Use it whenever another agent or human needs to trust that you said or agreed to something.

Overview

moltyjacs adds post-quantum cryptographic signatures to your OpenClaw agent communications. It enables:

  • Document signing - Sign any document with your agent's cryptographic identity
  • Verification - Verify documents from other agents
  • Agent discovery - Publish and discover agents via well-known endpoints and DNS
  • A2A interoperability - Export Agent Cards, wrap A2A artifacts with JACS provenance, and assess remote A2A trust
  • Multi-party agreements - Create and manage agreements requiring multiple signatures
  • Agent state - Sign and track memory, skills, plans, configs, and hooks
  • Commitments - Track agreements and obligations between agents with lifecycle management
  • Todo lists - Private, signed work tracking with goals and tasks
  • Conversations - Signed message threads between agents
  • HAI platform features - Hello/auth checks, username lifecycle, mailbox/email workflow, key registry lookups, and benchmark orchestration

Installation

From npm

npm install moltyjacs

From ClawHub

npx clawhub@latest install moltyjacs

As OpenClaw Plugin

openclaw plugins install moltyjacs

From GitHub

openclaw plugins install https://github.com/HumanAssisted/moltyjacs

Quick Start

1. Set a password for key generation

You need a password once — during jacs init — to encrypt your new private key. Pick whichever method fits your setup:

# Local dev / headless — set an env var
export JACS_PRIVATE_KEY_PASSWORD='use-a-strong-password'

# Containers / CI — point to a secrets-mounted file
export JACS_PASSWORD_FILE=/run/secrets/jacs_password

After init, the password is only needed to decrypt your private key for signing. On macOS the OS Keychain stores it automatically, so you can skip the env var for day-to-day use. On Linux/CI, keep one of the env vars above set.

2. Reserve a username and initialize

Reserve your username at https://hai.ai/dashboard and copy the registration key.

openclaw jacs init --name myagent --key YOUR_REGISTRATION_KEY

This generates a key pair, creates jacs.config.json, registers with HAI, and assigns myagent@hai.ai. Your agent now has a cryptographic identity and is registered.

For local-only init (no registration): openclaw jacs init --name myagent --register=false

3. Sign and verify

openclaw jacs sign document.json
openclaw jacs verify signed-document.json

4. Bootstrap trust with another agent

When your agent needs to trust (or be trusted by) another agent:

  1. Sender shares credentials via tools: jacs_share_public_key + jacs_share_agent
  2. Receiver imports them: jacs_trust_agent_with_key with the shared agentJson and publicKeyPem

Once trust is established, use jacs_verify_auto to verify any document from that agent (keys are fetched automatically).

Direct JACS SDK Quick Start (outside this plugin)

For direct @hai.ai/jacs/client or @hai.ai/jacs/simple usage:

import { JacsClient } from "@hai.ai/jacs/client";

const client = await JacsClient.quickstart({
  name: "my-agent",
  domain: "agent.example.com",
  algorithm: "pq2025", // optional, this is the default
});

JACS Workspace Compatibility

For coordinated local development, moltyjacs now resolves @hai.ai/jacs from the sibling ../JACS/jacsnpm workspace so its A2A surface matches the current haiai wrapper contract. The JACS Node API remains async-first. All NAPI operations return Promises by default; sync variants use a Sync suffix (e.g. loadSync vs load). moltyjacs uses the async API for setup (agent.load(), createAgent()) and the sync API for hot-path operations (signRequest, verifyResponse) that must run on the V8 thread.

Recent JACS updates relevant to moltyjacs:

  • Direct quickstart() usage in @hai.ai/jacs/client and @hai.ai/jacs/simple now requires identity inputs (name and domain) for first-time agent creation.
  • Default algorithm across JACS is pq2025.
  • Trust/bootstrap surfaces now include trustAgentWithKey / trust_agent_with_key, sharePublicKey / share_public_key, and shareAgent / share_agent.
  • A2A surfaces now include Agent Card export, wrapped-artifact signing/verification, and generated well-known discovery documents.

CLI Commands

Command Description
openclaw jacs init --name <name> [--key <key>] Initialize JACS with key generation and optional HAI registration
openclaw jacs status Show agent status and configuration
openclaw jacs sign <file> Sign a document file
openclaw jacs verify <file> Verify a signed document
openclaw jacs hash <string> Hash a string
openclaw jacs dns-record <domain> Generate DNS TXT record for discovery
openclaw jacs lookup <domain> Look up another agent's info
openclaw jacs attestation [domain] Check attestation status for this agent or another by domain
openclaw jacs claim [level] Set or view verification claim (includes DNS/HAI proof details)

HAI.ai registration

To get an attested trust level, register your agent with HAI.ai during init: run openclaw jacs init --name <name> --key <key> with a registration key from your HAI dashboard. Registration uses JACS-signed authentication (no API key needed). Alternatively, use the jacs_hai_register tool with a registrationKey after init. After registration, use openclaw jacs attestation to check your (or another agent's) attestation status, and openclaw jacs claim <level> to set or view your verification claim. verified now requires DNS TXT hash verification (domain configured + published hash matches your public key). See Configuration and Security for related options.

Agent Tools

When used with an AI agent, these tools are available:

Core signing and verification

Tool Purpose
jacs_sign Sign a document (returns signed doc; when small enough, includes verification_url for sharing)
jacs_verify_link Get a shareable verification URL for a signed document (for https://hai.ai/jacs/verify)
jacs_verify Verify a self-signed document
jacs_verify_standalone Verify any signed document without JACS init (no agent required)
jacs_verify_auto Verify any document (auto-fetches keys, supports trust levels)
jacs_verify_dns Verify agent identity via DNS TXT record
jacs_fetch_pubkey Fetch another agent's public key
jacs_verify_with_key Verify with a specific public key
jacs_hash Hash content
jacs_identity Get your identity info
jacs_share_public_key Share your current public key PEM for trust bootstrap
jacs_share_agent Share your self-signed agent document for trust establishment
jacs_trust_agent_with_key Trust an agent document using an explicit public key PEM
jacs_audit Run read-only JACS security audit

A2A interoperability

Tool Purpose
jacs_a2a_export_agent_card Export this agent as an A2A Agent Card
jacs_a2a_sign_artifact Wrap an A2A task/message/result with JACS provenance
jacs_a2a_verify_artifact Verify a wrapped A2A artifact
jacs_a2a_assess_remote_agent Apply A2A trust policy to a remote Agent Card
jacs_a2a_trust_agent Add a remote Agent Card to the local trust store
jacs_a2a_generate_well_known Generate A2A discovery documents for /.well-known serving

Discovery and trust

Tool Purpose
jacs_dns_lookup Look up DNS TXT record
jacs_lookup_agent Get complete agent info (well-known + DNS + HAI.ai)
jacs_verify_hai_registration Verify HAI.ai registration for an agent
jacs_get_attestation Get full attestation status for an agent
jacs_set_verification_claim Set verification claim level

HAI platform integration

Tool Purpose
jacs_hai_hello Call HAI hello endpoint with JACS auth
jacs_hai_test_connection Test HAI connectivity without mutating state
jacs_hai_register Register this agent with HAI (accepts optional registrationKey)
jacs_hai_update_username Rename claimed username
jacs_hai_delete_username Release claimed username
jacs_hai_verify_document Verify signed document via HAI public verifier
jacs_hai_get_verification Get advanced verification/badge by agent ID
jacs_hai_verify_agent_document Run advanced verification using an agent document
jacs_hai_fetch_remote_key Fetch remote key from HAI key registry
jacs_hai_verify_agent Multi-level agent verification (signature + DNS + HAI)
jacs_hai_send_email Send email from this agent mailbox
jacs_hai_list_messages List mailbox messages
jacs_hai_get_message Retrieve one mailbox message by ID
jacs_hai_mark_message_read Mark message as read
jacs_hai_mark_message_unread Mark message as unread
jacs_hai_delete_message Delete mailbox message
jacs_hai_search_messages Search mailbox with filters
jacs_hai_get_unread_count Get unread mailbox count
jacs_hai_reply Reply to a message ID
jacs_hai_get_email_status Get mailbox status/limits
jacs_hai_free_chaotic_run Run free benchmark tier
jacs_hai_dns_certified_run Run DNS-certified benchmark flow (returns checkout URL when pending)
jacs_hai_submit_response Submit benchmark job response
jacs_hai_benchmark_run Run legacy benchmark endpoint by name/tier

Agreements

Tool Purpose
jacs_create_agreement Create multi-party agreement
jacs_sign_agreement Sign an agreement
jacs_check_agreement Check agreement status

Agent state

Tool Purpose
jacs_create_agentstate Create signed agent state (memory, skill, plan, config, hook)
jacs_sign_file_as_state Sign a file as agent state with path reference and hash
jacs_verify_agentstate Verify an agent state document

Commitments

Tool Purpose
jacs_create_commitment Create a signed commitment
jacs_update_commitment Update commitment status or fields
jacs_dispute_commitment Dispute a commitment with a reason
jacs_revoke_commitment Revoke a commitment with a reason

Todo lists

Tool Purpose
jacs_create_todo Create a signed todo list
jacs_add_todo_item Add an item to a todo list
jacs_update_todo_item Update a todo item

Conversations

Tool Purpose
jacs_start_conversation Create the first signed message payload in a new thread
jacs_send_message Create a signed message payload in an existing thread

MCP and Message Transport

jacs_start_conversation and jacs_send_message create signed JACS message payloads. They do not perform delivery/transport by themselves.

Use this pattern for agent-to-agent messaging:

  1. Create/sign payload (jacs_start_conversation or jacs_send_message)
  2. Deliver the returned signed JSON over your chosen channel (MCP, HTTP, queue, chat bridge, etc.)
  3. Verify on receipt (jacs_verify_auto, jacs_verify_standalone, or jacs_verify_with_key)

For custom Node MCP servers, JACS supports transport-level integration via @hai.ai/jacs/mcp:

  • createJACSTransportProxy(...) for automatic signing/verification at transport boundaries
  • registerJacsTools(...) to expose JACS operations as MCP tools
  • Expanded trust/bootstrap MCP/LangChain tools include jacs_share_public_key, jacs_share_agent, and jacs_trust_agent_with_key

This OpenClaw plugin does not automatically intercept all host MCP traffic; use explicit JACS tools or host transport middleware/adapters.

Well-Known Endpoints

Your agent exposes these endpoints:

  • GET /.well-known/agent-card.json - A2A Agent Card for discovery
  • GET /.well-known/jwks.json - A2A/JACS JWKS for verifier interoperability
  • GET /.well-known/jacs-agent.json - JACS agent descriptor
  • GET /.well-known/jacs-extension.json - JACS A2A extension descriptor
  • GET /.well-known/jacs-pubkey.json - Your public key
  • GET /jacs/agent - Current self-signed JACS agent document
  • GET /jacs/status - Health check
  • POST /jacs/verify - Public verification (this agent)
  • GET /jacs/attestation - Full attestation status (trust level, HAI registration, DNS verification)

Recipients can verify any JACS document at https://hai.ai/jacs/verify (paste a link with ?s= or the base64). Use jacs_verify_link or the verification_url from jacs_sign when sharing signed content with humans.

Signing is internal only; no external sign endpoint is exposed (to protect the agent's identity).

Configuration

Configure via openclaw.plugin.json:

{
  "keyAlgorithm": "pq2025",
  "agentName": "My Agent",
  "agentDescription": "Description",
  "agentDomain": "agent.example.com"
}

autoSign and autoVerify are accepted for backward compatibility but are deprecated no-ops in moltyjacs.

agentId is set automatically when you run openclaw jacs init and is not edited in the config file.

JACS key filenames are read from jacs.config.json:

  • jacs_agent_public_key_filename (default: jacs.public.pem)
  • jacs_agent_private_key_filename (default: jacs.private.pem.enc)

Environment variables

Variable Purpose
JACS_PRIVATE_KEY_PASSWORD Password for the encrypted private key. Required for init; optional at runtime on macOS (OS Keychain).
JACS_PASSWORD_FILE Path to a file containing the password (trailing newline is stripped).

Set one of these for init and for Linux/CI signing. On macOS the OS Keychain is used automatically at runtime when neither is set. If both are set, initialization fails to avoid ambiguity.

Password files must be owner-only on Unix (chmod 600).

Key Algorithms

  • pq2025 (default) - Post-quantum ML-DSA-87
  • ring-Ed25519 - Ed25519
  • RSA-PSS - RSA with PSS padding

Cross-Language Compatibility

Documents signed by moltyjacs (Node.js) can be verified by Rust or Python agents, and vice versa. Cross-language interop is tested on every commit with Ed25519 and post-quantum (ML-DSA-87) algorithms. See the JACS cross-language tests for details.

Security

  • Private keys are encrypted with AES-256-GCM
  • Key derivation uses PBKDF2
  • Default algorithm (pq2025) provides quantum resistance
  • DNS records enable DNSSEC-backed identity verification

Development

# Install dependencies
npm install

# Build
npm run build

# Watch mode
npm run watch

# Run unit tests (uses mocked JACS module)
npm test

# Run integration tests (requires real @hai.ai/jacs native binary)
npm run test:integration

# Test local installation
openclaw plugins install . --link
openclaw plugins list

Publishing

CI publishes on push of a tag v* (e.g. v0.8.0). Publish @hai.ai/jacs from the JACS repo first (tag npm/v*), then tag and push moltyjacs so the build can resolve the dependency.

To npm

npm run build
npm publish

To ClawHub

npm run clawhub:publish

Or publish to both npm and ClawHub:

npm run publish:all

License

MIT License - see LICENSE

Links

About

Allow OpenClaw to use JACS

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

32 tags

Packages

 
 
 

Contributors

Languages