consensus-deployment-guard
v0.1.10
Pre-deployment governance for release and infrastructure rollout requests. Use when an agent or workflow proposes shipping code/config/infrastructure changes...
by Kai Cianflone (@kaicianflone)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code: the package validates a deployment JSON schema, computes policy flags, aggregates votes, and emits ALLOW|BLOCK|REQUIRE_REWRITE while writing audit artifacts. Required binaries (node, tsx) and state-path env vars align with a Node/npm package. Minor inconsistency: the install metadata claims the package 'creates binaries: node, tsx' — packages should not be creating system Node binaries; this is likely a metadata/doc error and not needed for the stated purpose.
Instruction Scope
SKILL.md and the code are scoped: schema validation, deterministic voting, and artifact writes under the configured state path. The handler only reads inputs and the resolved state path; it does not perform network calls or access other env vars. Small runtime detail: run.js (provided example entrypoint) also writes a separate ./out/deployment-<ts>.json file in the current dir in addition to the state artifact — this extra local write may be unexpected in some automation environments and should be considered when picking working directory and permissions.
Install Mechanism
Install is via npm (npm i consensus-deployment-guard) and the package.json/lockfile show only normal npm dependencies (ajv, ajv-formats, consensus-guard-core, tsx). No arbitrary remote downloads or URL-extract installs are present. The only oddity is the metadata entry claiming the package 'creates binaries: node, tsx' — npm install will provide 'tsx' as a dependency binary but it will not 'create' the system 'node' runtime; ensure Node >=18 is provided by the environment.
Credentials
The skill only requires two env vars (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) used for state path resolution; no API keys or unrelated credentials are requested. The package and security note explicitly recommend using a dedicated non-privileged directory for state and not exposing unrelated sensitive env vars.
Persistence & Privilege
always:false and no special platform-wide privileges are requested. The skill writes its own board/state artifacts and does not modify other skills or system configuration. It does not require permanent inclusion or elevated privileges.
Assessment
This package is coherent with its stated purpose as a local pre-deployment guard, but review these before installing:
- Provide Node >=18 and tsx from your environment (do not rely on the skill to supply the Node runtime). The metadata claim about 'creating binaries: node, tsx' appears to be a documentation/metadata error.
- Set CONSENSUS_STATE_ROOT/CONSENSUS_STATE_FILE to a dedicated, non-privileged directory (do NOT point it at /etc, home, or any secrets volume). Follow the SECURITY-ASSURANCE.md recommendations (non-root user, scoped writable mount, deny-by-default egress).
- Inspect and pin the transitive dependency 'consensus-guard-core' before running in production — the package delegates state/aggregation to that dependency and the maintainer note calls it part of the trust boundary.
- Note run.js will also write a ./out/deployment-<timestamp>.json file in the current working directory; in automated environments set the working directory or container mount so that this write is acceptable.
- Run npm test in an isolated environment and verify behavior on representative inputs; prefer running in a container or VM with limited egress and a scoped filesystem mount.
If you need higher assurance, request evidence that consensus-guard-core has been audited/pinned and consider running the package inside a sandbox with a minimal environment allowlist.
Like a lobster shell, security has layers — review code before you run it.
latest vk979e3rqqsvwgcc6txpn0gd9js825qr7
Runtime requirements
Bins: node, tsx
Env: CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT
Install
Node
Bins: node, tsx
npm i -g consensus-deployment-guard