🔐 SIGIL
The missing security layer for AI agent-to-tool interactions.
AI agents execute real-world actions — reading emails, querying databases, sending money. The dominant protocol for this (MCP) has no built-in security layer:
- ❌ No identity verification for tool calls
- ❌ No content scanning for sensitive data
- ❌ No audit trail
- ❌ No permission gating
SIGIL fills this gap.
SIGIL defines 5 traits (interfaces) that any agent system can implement:
┌─────────────────────────────────────────────────────┐
│ SIGIL Envelope │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Identity │ │ Scanner │ │ Policy │ │
│ │ Provider │ │ │ │ │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ Audit Logger │ │
│ └──────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌──────────────────────────────────────────┐ │
│ │ Vault Provider │ │
│ └──────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────┘
| Trait | Purpose |
|---|---|
IdentityProvider |
Bind users to verifiable trust levels (OIDC, eIDAS, SSI) |
SensitivityScanner |
Detect secrets, PII, financial data before they reach the LLM |
VaultProvider |
Encrypt and store intercepted sensitive content |
AuditLogger |
Tamper-evident logging of every security event |
SecurityPolicy |
Gate actions by risk level, rate, and authorization |
Plus a reference MCP server (SigilMcpServer) that wraps any tool set with all five layers.
| Runtime | Type | Description |
|---|---|---|
| OpenClaw | SKILL.md | Drop-in skill for OpenClaw — scans MCP tool calls, enforces policies, writes audit log. No code required. |
| ZeroClaw | Rust crate (sigil-zeroclaw) |
Implements ZeroClaw Tool + Observability traits. Three modes: standalone scan tool, transparent gate wrapper, or automatic per-turn observability hook. |
[dependencies]
sigil-protocol = "0.1"
# To auto-fetch community scanner patterns from the live registry:
sigil-protocol = { version = "0.1", features = ["registry"] }use sigil_protocol::RemoteScanner;
// Downloads 43+ verified patterns from registry.sigil-protocol.org
// Falls back to built-in patterns if registry is unreachable (5s timeout)
let scanner = RemoteScanner::from_registry().await?;
println!("Loaded {} rules from: {:?}", scanner.rule_count(), scanner.source());
if let Some(hit) = scanner.scan("Authorization: Bearer sk-abc...") {
println!("Sensitive content: {hit}");
// → "Sensitive content: [SIGIL-VAULT: OPENAI_KEY]"
}use sigil_protocol::SensitivityScanner;
struct MyScanner;
impl SensitivityScanner for MyScanner {
fn scan(&self, text: &str) -> Option<String> {
if text.contains("sk-") {
Some("API Key".into())
} else {
None
}
}
}use sigil_protocol::mcp_server::{SigilMcpServer, ToolDef};
use std::sync::Arc;
let scanner = Arc::new(MyScanner);
let audit = Arc::new(MyAuditLogger::new());
let mut server = SigilMcpServer::new("my-tools", "1.0", scanner, audit);
server.register_tool(ToolDef {
name: "read_email".into(),
description: "Read user emails".into(),
parameters_schema: serde_json::json!({"type": "object"}),
handler: Box::new(|args| Box::pin(async move {
// Your tool logic — SIGIL scans input AND output automatically
Ok(serde_json::json!({"emails": []}))
})),
});
// Every tool call is now identity-gated, scanned, and audited
let response = server.handle_request(json_rpc_request, caller_trust).await;use sigil_protocol::TrustLevel;
// This tool requires eIDAS-verified identity
server.register_tool_with_trust(banking_tool, TrustLevel::High);
// Low-trust caller tries to use it → DENIED + audit loggedSIGIL ships with a community-curated registry of scanner patterns and security policies, hosted at registry.sigil-protocol.org.
| Count | What | |
|---|---|---|
| ✅ | 43 | Verified scanner patterns (AWS, OpenAI, GitHub, Stripe, Slack, IBAN, EU PII…) |
| ✅ | 35 | Security policies (execute_sql, read_file, install_package, spawn_subprocess…) |
| 🔑 | DID Registry | did:sigil: identifiers resolved over HTTPS with TLS 1.3 |
| Category | Examples |
|---|---|
credential |
AWS keys, OpenAI, GitHub PAT, Stripe live keys, Slack tokens, Shopify, Cloudflare |
secret |
Private keys (PEM), database URLs, HashiCorp Vault tokens, Twilio Auth Token |
pii |
Email, phone, IBAN, credit card — plus FR INSEE, NL BSN, ES NIF/NIE, IT Codice Fiscale |
financial |
IBAN, credit/debit card numbers (PCI-DSS) |
Via the web form (signs with your did:sigil: in-browser) or directly via the API — no account needed, just a registered DID.
→ Full API docs: sigil-protocol.org/registry.html
SIGIL extends MCP JSON-RPC with a _sigil metadata field:
{
"method": "tools/call",
"params": { "name": "read_email", "arguments": {} },
"_sigil": {
"identity": "eidas:DE/123456789",
"trust_level": "High",
"policy_approved": true,
"audit_id": "550e8400-e29b-41d4-a716-446655440000"
}
}Responses are scanned automatically:
{
"result": {
"content": [{ "text": "Email from bank: [SIGIL-VAULT: IBAN — Access Required]" }]
},
"_sigil": { "scanned": true, "interceptions": 1 }
}| Level | Requirements | Use Case |
|---|---|---|
| SIGIL-Core | Identity + Audit | Minimum — who did what, when |
| SIGIL-Guard | Core + Scanner + Vault | Full interception — sensitive data never leaks |
| SIGIL-MCP | Guard + MCP Server | Agent tool security — every tool call is gated |
| Component | Status | Links |
|---|---|---|
Rust crate (sigil-protocol) |
✅ v0.1.5 | crates.io · docs.rs |
Registry (registry.sigil-protocol.org) |
✅ Live · Frankfurt EU | API · Docs |
TypeScript SDK (sigil-protocol npm) |
🔜 npm publish soon | sigil-ts/ |
| MyMolt (reference platform) | ✅ SIGIL-MCP conformant | github.com/beykuet/MyMolt |
| SIGIL Inspector UI | 🔄 In progress | Visual envelope & audit log viewer |
SIGIL integrates with any agent framework:
| Platform | Integration |
|---|---|
| MCP Hosts (Claude Desktop, Cursor) | Add _sigil envelope to tool calls |
| LangChain / LlamaIndex | Wrap tool executors with SIGIL policy gate |
| Enterprise agents | Enforce eIDAS/LDAP identity before sensitive operations |
| Banking / Healthcare | Domain-specific SensitivityScanner for PII, PHI |
| Self-hosted AI (Ollama, vLLM) | Add audit trails to local LLM tool usage |
| MyMolt | Reference implementation (SIGIL-MCP conformant) |
- Overview — Purpose, architecture, conformance levels
- Identity — TrustLevel, IdentityBinding, trust gating
- Interception — Scanner, vault envelope, opaque pointers
- Audit — Event schema, tamper evidence
- MCP Extension — SIGIL as MCP security wrapper
- Security Handshake — MCP initialization trust negotiation
- Registry — Distributed Scanners and Policies ecosystem
SIGIL Protocol is dual-licensed:
- Open Source (EUPL-1.2): Free for open-source projects and personal use.
See
LICENSE. - Commercial: Required for proprietary or closed-source applications.
See
LICENSE-COMMERCIALor contact info@sigil-protocol.org.
Note: Using SIGIL as a library dependency in a proprietary project does NOT automatically require a commercial licence, provided you do not modify and redistribute SIGIL itself in closed-source form.
Patent Pending — German Utility Model (Gebrauchsmuster) filed with the DPMA.
Priority date: 2026-02-23 · Applicant: Benjamin Küttner
Invention: Modular Security Protocol for Identity Binding, Rule-Based Content Redaction and Tamper-Evident Audit Logging in Networked Systems (SIGIL — Sovereign Identity-Gated Interaction Layer)
See PATENT-PRIORITY.md for full priority documentation.