kaicianflone

consensus-deployment-guard

by Kai Cianflone · GitHub ↗ · v0.1.10
cross-platform ✓ Security Clean
Downloads: 454 · Stars: 0 · Active Installs: 2 · Versions: 11
Install in OpenClaw
/install consensus-deployment-guard
Description
Pre-deployment governance for release and infrastructure rollout requests. Use when an agent or workflow proposes shipping code/config/infrastructure changes...
README (SKILL.md)

consensus-deployment-guard

consensus-deployment-guard is the final safety gate before deployment execution.

What this skill does

  • validates deployment requests against a strict JSON schema (reject unknown fields)
  • evaluates hard-block and rewrite policy flags for release risk patterns
  • runs deterministic persona-weighted voting (or aggregates external votes)
  • returns one of: ALLOW | BLOCK | REQUIRE_REWRITE
  • writes decision artifacts for replay/audit

Decision policy shape

Hard-block examples:

  • required tests not passing
  • CI status failed
  • rollback artifact missing when required
  • incompatible schema migration
  • error budget already breached

Rewrite examples:

  • production rollout not using canary when policy requires it
  • initial rollout percentage above policy limit
  • production deploy missing explicit human confirmation gate
  • CI still pending
  • schema compatibility unknown
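
The sketch below is an added example, not code from consensus-deployment-guard: it shows how the hard-block and rewrite lists above can be evaluated with unknown fields rejected. The field names, policy values, flag names and the BLOCK-over-REQUIRE_REWRITE precedence are assumptions made for illustration; voting is left out.

```javascript
// Added illustration: field names and policy values are hypothetical, not the package's schema.
const ALLOWED_FIELDS = new Set([
  "environment", "tests_passed", "ci_status", "rollback_artifact", "schema_compat",
  "error_budget_breached", "strategy", "initial_rollout_pct", "human_confirmed",
]);
const POLICY = { requireRollback: true, requireCanaryInProd: true, maxInitialPct: 10 };

function evaluate(req, policy = POLICY) {
  // Strict schema: an unknown field rejects the request instead of being ignored.
  const unknown = Object.keys(req).filter((k) => !ALLOWED_FIELDS.has(k));
  if (unknown.length) return { error: "SCHEMA_REJECTED", unknown };

  const prod = req.environment === "production";
  const block = [];
  const rewrite = [];

  if (req.tests_passed !== true) block.push("tests_not_passing");
  if (policy.requireRollback && !req.rollback_artifact) block.push("rollback_missing");
  if (req.error_budget_breached === true) block.push("error_budget_breached");

  // Three-state inputs: the bad value blocks, anything other than the good value needs a rewrite.
  if (req.ci_status === "failed") block.push("ci_failed");
  else if (req.ci_status !== "passed") rewrite.push("ci_pending");
  if (req.schema_compat === "incompatible") block.push("schema_incompatible");
  else if (req.schema_compat !== "compatible") rewrite.push("schema_compat_unknown");

  if (prod && policy.requireCanaryInProd && req.strategy !== "canary") rewrite.push("canary_required");
  if (!(req.initial_rollout_pct <= policy.maxInitialPct)) rewrite.push("rollout_pct_too_high");
  if (prod && req.human_confirmed !== true) rewrite.push("human_gate_missing");

  // Assumed precedence: any hard block wins, then any rewrite, else ALLOW.
  const decision = block.length ? "BLOCK" : rewrite.length ? "REQUIRE_REWRITE" : "ALLOW";
  return { decision, block, rewrite };
}

// Constructed sample requests.
const good = {
  environment: "production", tests_passed: true, ci_status: "passed",
  rollback_artifact: "rollback-bundle", schema_compat: "compatible",
  error_budget_breached: false, strategy: "canary", initial_rollout_pct: 5, human_confirmed: true,
};
console.log(evaluate(good).decision);
console.log(evaluate({ ...good, ci_status: "pending", initial_rollout_pct: 50 }));
console.log(evaluate({ ...good, ci_status: "failed", strategy: "rolling" }));
console.log(evaluate({ ...good, force: true }));
```

Returning every triggered flag rather than stopping at the first one gives the audit artifact the full reason set for a decision.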

Runtime and safety model

  • runtime binaries: node, tsx
  • network behavior: none in guard decision logic
  • environment config read by this package: CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT
  • filesystem writes: consensus board/state artifacts under configured state path

Invoke contract

  • invoke(input, opts?) -> Promise<OutputJson | ErrorJson>

Modes:

  • mode="persona" (default): use local deterministic persona defaults for internal voting
  • mode="external_agent": consume external_votes[], aggregate deterministically, and enforce policy

Install

npm i consensus-deployment-guard

Quick start

node --import tsx run.js --input ./examples/input.json

Tests

npm test

Coverage includes schema rejection, hard-block paths, rewrite paths, allow paths, idempotent retries, and external-agent aggregation behavior.

See also: SECURITY-ASSURANCE.md for threat model, runtime boundaries, and deployment hardening guidance.

Usage Guidance
This package is coherent with its stated purpose as a local pre-deployment guard, but review these before installing:

  • Provide Node >=18 and tsx from your environment (do not rely on the skill to supply the Node runtime). The metadata claim about 'creating binaries: node, tsx' appears to be a documentation/metadata error.
  • Set CONSENSUS_STATE_ROOT/CONSENSUS_STATE_FILE to a dedicated, non-privileged directory (do NOT point it at /etc, home, or any secrets volume). Follow the SECURITY-ASSURANCE.md recommendations (non-root user, scoped writable mount, deny-by-default egress).
  • Inspect and pin the transitive dependency 'consensus-guard-core' before running in production — the package delegates state/aggregation to that dependency and the maintainer note calls it part of the trust boundary.
  • Note run.js will also write a ./out/deployment-<timestamp>.json file in the current working directory; in automated environments set the working directory or container mount so that this write is acceptable.
  • Run npm test in an isolated environment and verify behavior on representative inputs; prefer running in a container or VM with limited egress and a scoped filesystem mount. If you need higher assurance, request evidence that consensus-guard-core has been audited/pinned and consider running the package inside a sandbox with a minimal environment allowlist.
Capability Analysis
Type: OpenClaw Skill
Name: consensus-deployment-guard
Version: 0.1.10
The OpenClaw AgentSkills skill bundle 'consensus-deployment-guard' is classified as benign. Its purpose is pre-deployment governance, involving input validation, policy evaluation, and local audit artifact generation. The skill explicitly states in `SKILL.md`, `metadata.json`, and `SECURITY-ASSURANCE.md` that it performs no outbound network calls. File system interactions are limited to reading input and schema, and writing decision artifacts to a configured state path (`CONSENSUS_STATE_FILE`, `CONSENSUS_STATE_ROOT`), with strong recommendations in `SECURITY-ASSURANCE.md` for secure configuration. There is no evidence of intentional harmful behavior, data exfiltration, persistence mechanisms, or prompt injection attempts against the agent.
Capability Assessment
Purpose & Capability
Name/description match the code: the package validates a deployment JSON schema, computes policy flags, aggregates votes, and emits ALLOW|BLOCK|REQUIRE_REWRITE while writing audit artifacts. Required binaries (node, tsx) and state-path env vars align with a Node/npm package. Minor inconsistency: the install metadata claims the package 'creates binaries: node, tsx' — packages should not be creating system Node binaries; this is likely a metadata/doc error and not needed for the stated purpose.
Instruction Scope
SKILL.md and the code are scoped: schema validation, deterministic voting, and artifact writes under the configured state path. The handler only reads inputs and the resolved state path; it does not perform network calls or access other env vars. Small runtime detail: run.js (provided example entrypoint) also writes a separate ./out/deployment-<ts>.json file in the current dir in addition to the state artifact — this extra local write may be unexpected in some automation environments and should be considered when picking working directory and permissions.
Install Mechanism
Install is via npm (npm i consensus-deployment-guard) and the package.json/lockfile show only normal npm dependencies (ajv, ajv-formats, consensus-guard-core, tsx). No arbitrary remote downloads or URL-extract installs are present. The only oddity is the metadata entry claiming the package 'creates binaries: node, tsx' — npm install will provide 'tsx' as a dependency binary but it will not 'create' the system 'node' runtime; ensure Node >=18 is provided by the environment.
Credentials
The skill only requires two env vars (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) used for state path resolution; no API keys or unrelated credentials are requested. The package and security note explicitly recommend using a dedicated non-privileged directory for state and not exposing unrelated sensitive env vars.
Persistence & Privilege
always:false and no special platform-wide privileges are requested. The skill writes its own board/state artifacts and does not modify other skills or system configuration. It does not require permanent inclusion or elevated privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install consensus-deployment-guard
  3. After installation, invoke the skill by name or use /consensus-deployment-guard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.10
Bumped consensus-guard-core dependency to ^1.1.15 and rolled forward release.
v0.1.9
Added explicit requires/env/install SKILL frontmatter for registry scanner parity.
v0.1.8
Declared required state env vars in package config and README for scanner clarity.
v0.1.7
Updated to consensus-guard-core ^1.1.13 with package-root import contract and compatibility fixes.
v0.1.6
Bumped consensus-guard-core dependency to ^1.1.11 and rolled forward release.
v0.1.5
Added SECURITY-ASSURANCE.md and linked auditor guidance from SKILL.md.
v0.1.4
Metadata/docs aligned to consensus-interact strategy; removed ambiguous backend wording.
v0.1.3
Bumped consensus-guard-core dependency to ^1.1.10 and released patch version.
v0.1.2
Bumped semver deps (consensus-guard-core 1.1.5 / consensus-tools 0.1.8) and version.
v0.1.1
Decoupled guard/provider path; deterministic contract updates.
v0.1.0
Initial release: deployment guard with strict schema validation, deterministic policy flags, idempotency, board artifacts, and vector-driven tests.
Metadata
Slug consensus-deployment-guard
Version 0.1.10
License
All-time Installs 2
Active Installs 2
Total Versions 11
Frequently Asked Questions

What is consensus-deployment-guard?

Pre-deployment governance for release and infrastructure rollout requests. Use when an agent or workflow proposes shipping code/config/infrastructure changes... It is an AI Agent Skill for Claude Code / OpenClaw, with 454 downloads so far.

How do I install consensus-deployment-guard?

Run "/install consensus-deployment-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is consensus-deployment-guard free?

Yes, consensus-deployment-guard is completely free (open-source). You can download, install and use it at no cost.

Which platforms does consensus-deployment-guard support?

consensus-deployment-guard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created consensus-deployment-guard?

It is built and maintained by Kai Cianflone (@kaicianflone); the current version is v0.1.10.
