This skill provides a hierarchical policy inheritance system that allows policies to be defined at multiple levels and automatically inherited by child contexts.
Policies cascade from broad to specific:

```text
Organization (broadest)
  ↓
Team
  ↓
Project
  ↓
Session (most specific)
```

A `deny` at any level blocks the action.

Each level contains a `policies.yaml` file:
```yaml
# policies.yaml
version: "1.0"
level: organization # organization | team | project | session
parent: null # path to parent policy (null for root)

# Policy blocks
policies:
  http:
    - pattern: "*.internal.company.com"
      action: allow
      scope: ["GET", "POST"]
    - pattern: "*"
      action: deny
      reason: "External HTTP requires approval"
  shell:
    - command: "git *"
      action: allow
    - command: "rm -rf /*"
      action: deny
      reason: "Destructive command blocked"
    - command: "*"
      action: require_approval
  file:
    read:
      - path: "~/workspace/*"
        action: allow
      - path: "/etc/*"
        action: deny
    write:
      - path: "~/workspace/*"
        action: allow
      - path: "*"
        action: require_approval

# Inheritance configuration
inheritance:
  mode: merge # merge | override | isolate
  exceptions: # Policies that don't inherit
    - shell.sudo
  extensions: # Child can extend these
    - http.allowlist
```
```bash
python scripts/init_governance.py --level organization --path ~/.openclaw/governance
python scripts/init_governance.py --level team --name engineering --parent ~/.openclaw/governance/organization
```
```javascript
const result = await context.tools.governanceInheritance.evaluate({
  action: "http",
  details: { method: "GET", url: "https://api.example.com/data" },
  context: {
    sessionId: "sess_123",
    project: "my-project",
    team: "engineering"
  }
});
// result: { allowed: true } | { allowed: false, reason: "...", level: "organization" }
```
When evaluating an action, the system:

| Parent | Child | Result |
|---|---|---|
| allow | allow | allow |
| allow | deny | deny (child wins) |
| allow | require_approval | require_approval |
| deny | allow | deny (deny always wins) |
| deny | deny | deny |
Policies automatically load based on session context:

```yaml
# Session inherits from project → team → organization
session_context:
  organization: "acme-corp"
  team: "engineering"
  project: "api-gateway"
  session: "sess_abc123"

# Policy resolution path:
# ~/.openclaw/governance/organizations/acme-corp/policies.yaml
# ~/.openclaw/governance/teams/engineering/policies.yaml
# ~/.openclaw/governance/projects/api-gateway/policies.yaml
# ~/.openclaw/governance/sessions/sess_abc123/policies.yaml
```
Evaluates an action against the inherited policy chain.

Parameters:

- `action` (string): Action type (http, shell, file, browser)
- `details` (object): Action-specific details
- `context` (object): Session context for policy resolution

Returns:

```typescript
{
  allowed: boolean,
  reason?: string,
  level: string,          // Which policy level made the decision
  policy?: string,        // Specific policy that matched
  requiresApproval?: boolean
}
```
Initializes a new policy level.

Parameters:

- `level` (string): organization, team, project, or session
- `name` (string): Identifier for this level
- `parent` (string, optional): Path to parent policy
- `path` (string): Where to create the policy

Validates a policy chain for conflicts or errors.

Parameters:

- `context` (object): Session context to validate

Returns:

```typescript
{
  valid: boolean,
  errors: string[],
  warnings: string[]
}
```
Set the governance root in your environment:

```bash
export GOVERNANCE_ROOT="~/.openclaw/governance"
```

Or in `openclaw.json`:

```json
{
  "skills": {
    "governance-inheritance": {
      "env": {
        "GOVERNANCE_ROOT": "~/.openclaw/governance"
      }
    }
  }
}
```
Organization level:

```yaml
level: organization
policies:
  http:
    - pattern: "*.company.internal"
      action: allow
    - pattern: "*"
      action: require_approval
  shell:
    - command: "*"
      action: require_approval
```

Team level:

```yaml
level: team
parent: ../organization
inheritance:
  mode: merge
policies:
  http:
    - pattern: "*.github.com"
      action: allow
    - pattern: "*.npmjs.com"
      action: allow
  shell:
    - command: "git *"
      action: allow
    - command: "npm *"
      action: allow
    - command: "docker *"
      action: allow
```

Project level:

```yaml
level: project
parent: ../engineering
inheritance:
  mode: merge
policies:
  http:
    - pattern: "api.stripe.com"
      action: allow # This project uses Stripe
  file:
    write:
      - path: "./dist/*"
        action: allow
```
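The resolution table above and the three example levels, worked through in code. This is an added illustration, not the skill's own implementation: it builds the organization → team → project chain from the examples as Python dicts (with the page's `rm -rf /*` deny rule placed at the team level), matches `http` rules against the URL host and `shell` rules against the command line with shell-style globs, and returns the `{ allowed, level, policy, reason, requiresApproval }` shape the `evaluate` API documents. The default-deny result for a target that matches no level is an assumption; `file` read/write rules are not covered.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlparse
# Constructed chain, broadest first, mirroring the page's organization -> team ->
# project examples; each level maps a category to an ordered policies.yaml rule list.
CHAIN = [
    ("organization", {
        "http": [{"pattern": "*.company.internal", "action": "allow"},
                 {"pattern": "*", "action": "require_approval"}],
        "shell": [{"command": "*", "action": "require_approval"}]}),
    ("team", {
        "http": [{"pattern": "*.github.com", "action": "allow"},
                 {"pattern": "*.npmjs.com", "action": "allow"}],
        "shell": [{"command": "git *", "action": "allow"},
                  {"command": "rm -rf /*", "action": "deny",
                   "reason": "Destructive command blocked"}]}),
    ("project", {"http": [{"pattern": "api.stripe.com", "action": "allow"}]}),
]

def target_of(action, details):
    """String the rules match against: URL host for http, command line for shell."""
    if action == "http":
        return urlparse(details["url"]).hostname or ""
    return details.get("command", "")

def first_match(rules, target):
    # First rule in a level whose glob matches wins within that level.
    for rule in rules:
        pattern = rule.get("pattern") or rule.get("command") or ""
        if fnmatchcase(target, pattern):
            return pattern, rule
    return None

def evaluate(action, details, chain=CHAIN):
    """Deny at any level wins; otherwise the most specific (child) match decides.
    No match at any level denies: an assumed default the page does not state."""
    matched = []  # (level, pattern, rule), parent first
    for level, policies in chain:
        hit = first_match(policies.get(action, []), target_of(action, details))
        if hit:
            matched.append((level, *hit))
    for level, pattern, rule in matched:
        if rule["action"] == "deny":
            return {"allowed": False, "level": level, "policy": pattern,
                    "reason": rule.get("reason", "denied by policy")}
    if not matched:
        return {"allowed": False, "level": None, "policy": None,
                "reason": "no policy matched (default deny)"}
    level, pattern, rule = matched[-1]
    return {"allowed": rule["action"] == "allow", "level": level, "policy": pattern,
            "requiresApproval": rule["action"] == "require_approval"}
```

With this chain, `api.stripe.com` is allowed by the project level even though the organization requires approval for `*`, while `rm -rf /tmp` is denied by the team level regardless of what its parent says.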
This skill works alongside governclaw-middleware:

```javascript
// governclaw-middleware calls governance-inheritance for policy resolution
const policyResult = await context.tools.governanceInheritance.evaluate({
  action: "http",
  details: { method, url, headers },
  context: sessionContext
});

if (!policyResult.allowed) {
  return { blocked: true, reason: policyResult.reason };
}
```
- `reason` field to explain why policies exist
- `validatePolicyChain` to catch conflicts
- `version` field to track changes

Always check for policy evaluation errors:

```javascript
const result = await context.tools.governanceInheritance.evaluate({...});

if (result.error) {
  // Policy chain misconfiguration
  console.error("Policy error:", result.error);
  return { error: "Governance misconfigured" };
}

if (!result.allowed) {
  // Policy blocked the action
  console.log("Blocked by", result.level, "policy:", result.reason);
}
```
- `references/policy-schema.md` - Complete policy YAML schema
- `references/inheritance-algorithm.md` - Detailed inheritance logic
- `scripts/init_governance.py` - Initialize policy levels
- `scripts/validate_chain.py` - Validate policy chains