governance-guard
v0.1.0Structural authority separation for autonomous agent actions. Three-phase governance pipeline: PROPOSE, DECIDE, PROMOTE. No action is both proposed and appro...
⭐ 0· 288·0 current·0 all-time
byMetaCortex Dynamics@devongenerally-png
MIT-0
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (a PROPOSE→DECIDE→PROMOTE governance pipeline) matches the provided code, policies, and CLI. Required binaries (node, npx) and the tsx package are appropriate for a TypeScript CLI. No unexpected credentials, network endpoints, or unrelated binaries are requested.
Instruction Scope
SKILL.md and scripts instruct the agent/operator to run a local CLI that serializes intents and evaluates policies. The system records full ActionIntent objects (including userInstruction, conversationId, messageId) into an append-only witness file in the user's home directory. This is expected for auditing but means user messages and intent payloads are persisted in plaintext by default.
Install Mechanism
Install uses a single npm package (tsx) via the Node ecosystem (package.json/devDependencies). All code is present in the repo; there are no downloads from arbitrary URLs or obscure hosts. Node engine requirement is >=22 which may be stricter than some runtimes.
Credentials
The skill does not request environment variables or external credentials, which is proportional. However, policies (e.g., standard.yaml) allow read access to the home directory (~/**) and the witness log writes intent/userInstruction to ~/.openclaw/governance/witness.jsonl — review sensitive_data patterns to ensure all sensitive paths are covered and consider encryption of audit logs if required.
Persistence & Privilege
The skill creates and writes an audit directory at ~/.openclaw/governance/ (policy.yaml, witness.jsonl). always:false and no modifications to other skills or system-wide settings. Persisting plaintext intents in the user's home directory is normal for an audit log but increases privacy risk if the log contains sensitive user content.
Assessment
This skill appears to implement exactly what it claims: a local, deterministic governance gate with an append-only witness log. Before installing, consider the following: (1) the witness log stores full intent objects (including userInstruction and conversation IDs) in plaintext at ~/.openclaw/governance/witness.jsonl — if those could contain secrets or private user messages, plan for encryption or a restricted path/permissions; (2) review and customize the provided policy presets (minimal/standard/strict). The standard policy currently permits reads of ~/**; ensure sensitive_data patterns cover all files you consider secret (dotfiles, config directories, application-specific credential locations); (3) confirm your runtime meets Node >=22 and that installing tsx is acceptable in your environment; (4) the system is fail-closed (errors → deny), which is safe for gating, but you should test escalation/resolve flows to ensure they fit your approval process. If you need the audit log to be stored elsewhere or encrypted, request or modify the code to change witnessPath behavior before deployment.Like a lobster shell, security has layers — review code before you run it.
governancelatestsecurity
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode, npx
Install
Node
Bins: tsx
npm i -g tsxSKILL.md
governance-guard
Governance guard enforces structural authority separation on all agent actions through a PROPOSE-DECIDE-PROMOTE pipeline.
When to activate
Before performing any write, execute, network, create, or delete action. The governance pipeline MUST be invoked before the action executes. Read actions may also be governed under standard or strict policies.
How to use
1. Full pipeline (recommended)
Run the complete PROPOSE → DECIDE → PROMOTE pipeline in a single call:
npx tsx scripts/governance.ts pipeline '<intent-json>' --policy policies/standard.yaml
The intent JSON must include:
skill: skill identifiertool: tool/function being invokedmodel: LLM model nameactionType: one ofread,write,execute,network,create,deletetarget: resource being acted uponparameters: tool parameters (object)dataScope: data categories accessed (array, e.g.["personal", "financial"])conversationId: current conversation IDmessageId: current message IDuserInstruction: the user message that triggered this action
2. Handle the verdict
The pipeline returns a JSON response:
- If
"governance": "approved"— proceed with the action - If
"governance": "deny"— do NOT proceed; inform the user with thereason - If
"governance": "escalate"— present the action to the user for approval:
Action requires your approval:
Skill: <skill>
Action: <actionType> on <target>
Reason: <reason>
Reply APPROVE or DENY
Then resolve:
npx tsx scripts/governance.ts resolve-escalation <intent-id> approve
# or
npx tsx scripts/governance.ts resolve-escalation <intent-id> deny
3. Audit decisions
npx tsx scripts/governance.ts audit --last 10
Policy presets
| Preset | Default | Description |
|---|---|---|
minimal | approve | Blocks only credentials and destructive commands. Lowest friction. |
standard | deny | Allows common ops, escalates network and data access. Recommended. |
strict | deny | Reads only. Everything else requires explicit approval. Maximum safety. |
Fail-closed guarantee
If any error occurs during governance evaluation, the default verdict is DENY. Missing policy files result in DENY ALL. This is by design. The system fails safe, never open.
Configuration
Governance data is stored in ~/.openclaw/governance/:
policy.yaml— active policy filewitness.jsonl— append-only, hash-chained audit log
Verify witness chain
npx tsx scripts/governance.ts verify
Any tampering with historical records is detected by recomputing the hash chain from genesis.
Files
21 totalSelect a file
Select a file to preview.
Comments
Loading comments…