xat-langchain: signed Agent-Signature headers on every tool call

Built a LangChain integration for the x-agent-trust extension (registered in the OpenAPI Extensions Registry). It wraps tool calls so every outbound HTTP request carries a signed Agent-Signature header.

**Install:**

```bash

pip install xat-langchain

```

**Usage:**

```python

from xat_langchain import XATToolkit

toolkit = XATToolkit(key_file=“agent.pem”, agent_id=“my-agent”)

signed_tools = toolkit.wrap(existing_tools)

# Every HTTP call these tools make now carries Agent-Signature

agent = create_react_agent(llm, signed_tools)

```

Also supports AWS KMS for production deployments where the private key never leaves the HSM.

**What it does:**

- Signs every tool HTTP request with ECDSA P-256 (ES256)

- Canonical request includes body hash (tamper-evident)

- Timestamp in bounded window (replay protection)

- XATCallbackHandler provides an audit trail of signed calls

**Links:**

- PyPI: Client Challenge

- Source: GitHub - razashariff/xat-langchain: XAT signing for LangChain -- every tool call gets an Agent-Signature header. OpenAPI x-agent-trust. · GitHub

- OpenAPI registry: X Agent Trust

Happy to take feedback on the approach.