Governance Inheritance

by aakash2289 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform · Security: Clean
141 downloads · 0 stars · 0 active installs · 1 version

Install in OpenClaw: /install governance-inheritance
Description
Hierarchical policy inheritance system for OpenClaw agents. Enables policies to be defined at organization, team, project, and session levels with automatic...
README (SKILL.md)

Governance Inheritance

This skill provides a hierarchical policy inheritance system that allows policies to be defined at multiple levels and automatically inherited by child contexts.

Policy Hierarchy Levels

Policies cascade from broad to specific:

Organization (broadest)
    ↓
Team
    ↓
Project
    ↓
Session (most specific)

Inheritance Rules

  1. Child overrides parent: More specific policies override broader ones
  2. Additive by default: Policies merge unless explicitly overridden
  3. Explicit deny wins: A deny at any level blocks the action
  4. Require explicit allow: Actions without an explicit allow are blocked in strict mode

Policy Structure

Each level contains a policies.yaml file:

# policies.yaml
version: "1.0"
level: organization  # organization | team | project | session
parent: null         # path to parent policy (null for root)

# Policy blocks
policies:
  http:
    - pattern: "*.internal.company.com"
      action: allow
      scope: ["GET", "POST"]
    - pattern: "*"
      action: deny
      reason: "External HTTP requires approval"
  
  shell:
    - command: "git *"
      action: allow
    - command: "rm -rf /*"
      action: deny
      reason: "Destructive command blocked"
    - command: "*"
      action: require_approval

  file:
    read:
      - path: "~/workspace/*"
        action: allow
      - path: "/etc/*"
        action: deny
    write:
      - path: "~/workspace/*"
        action: allow
      - path: "*"
        action: require_approval

# Inheritance configuration
inheritance:
  mode: merge          # merge | override | isolate
  exceptions:          # Policies that don't inherit
    - shell.sudo
  extensions:          # Child can extend these
    - http.allowlist

Quick Start

1. Initialize Organization Policies

python scripts/init_governance.py --level organization --path ~/.openclaw/governance

2. Create Team-Level Override

python scripts/init_governance.py --level team --name engineering --parent ~/.openclaw/governance/organization

3. Evaluate Policy for Action

const result = await context.tools.governanceInheritance.evaluate({
  action: "http",
  details: { method: "GET", url: "https://api.example.com/data" },
  context: {
    sessionId: "sess_123",
    project: "my-project",
    team: "engineering"
  }
});

// result: { allowed: true } | { allowed: false, reason: "...", level: "organization" }

Policy Resolution

When evaluating an action, the system:

  1. Collects all applicable policies from root to leaf
  2. Merges according to inheritance rules
  3. Evaluates against the most specific matching rule
  4. Returns decision with provenance (which level decided)

Conflict Resolution

Parent   Child             Result
allow    allow             allow
allow    deny              deny (child wins)
allow    require_approval  require_approval
deny     allow             deny (deny always wins)
deny     deny              deny
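The resolution steps and the conflict table above, implemented as an added example in Python (not the skill's own code). It evaluates over a constructed chain condensed from the Policy Examples section; it assumes http rules are matched against the hostname (a caller would extract the host from the url first), that a child allow overrides a parent require_approval (as the Team example implies), and that unmatched actions fall back to approval only when strict mode is off.

```python
from fnmatch import fnmatchcase  # case-sensitive; plain fnmatch() folds case on Windows
# Constructed chain, root -> leaf, condensed from the README's Policy Examples;
# a real loader would read each level's policies.yaml.
CHAIN = [
    {"level": "organization", "policies": {
        "http": [{"pattern": "*.company.internal", "action": "allow"},
                 {"pattern": "*", "action": "require_approval"}],
        "shell": [{"command": "rm -rf /*", "action": "deny", "reason": "Destructive command blocked"},
                  {"command": "*", "action": "require_approval"}]}},
    {"level": "team", "policies": {
        "http": [{"pattern": "*.github.com", "action": "allow"},
                 {"pattern": "*.npmjs.com", "action": "allow"}],
        "shell": [{"command": "git *", "action": "allow"}]}},
    {"level": "project", "policies": {
        "http": [{"pattern": "api.stripe.com", "action": "allow"},
                 {"pattern": "*.github.com", "action": "deny", "reason": "Project forbids GitHub"}]}},
]
MATCH_KEY = {"http": "pattern", "shell": "command"}  # file rules nest read/write; omitted here

def first_match(rules, key, target):
    """First rule in a level whose glob matches; rule lists run specific -> catch-all."""
    for rule in rules:
        if fnmatchcase(target, rule[key]):
            return rule
    return None

def evaluate(chain, action, target, strict=True):
    """Decision with provenance: explicit deny at any level wins (rule 3); otherwise
    the leaf-most level holding a matching rule decides (rule 1, child overrides parent)."""
    key = MATCH_KEY.get(action, "pattern")
    decision = None
    for level in chain:  # walk root -> leaf
        rule = first_match(level["policies"].get(action, []), key, target)
        if rule is None:
            continue
        if rule["action"] == "deny":
            return {"allowed": False, "level": level["level"], "policy": rule[key],
                    "reason": rule.get("reason", "explicit deny")}
        decision = (level["level"], rule)
    if decision is None:
        # Nothing matched: strict mode blocks (rule 4). Falling back to approval when
        # not strict is this example's assumption, not documented behaviour.
        return {"allowed": False, "level": "default", "reason": "no explicit allow",
                "requiresApproval": not strict}
    lvl, rule = decision
    if rule["action"] == "require_approval":
        return {"allowed": False, "level": lvl, "policy": rule[key],
                "requiresApproval": True, "reason": rule.get("reason", "approval required")}
    return {"allowed": True, "level": lvl, "policy": rule[key]}
```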

Session Context Integration

Policies automatically load based on session context:

# Session inherits from project → team → organization
session_context:
  organization: "acme-corp"
  team: "engineering"
  project: "api-gateway"
  session: "sess_abc123"

# Policy resolution path:
# ~/.openclaw/governance/organizations/acme-corp/policies.yaml
# ~/.openclaw/governance/teams/engineering/policies.yaml
# ~/.openclaw/governance/projects/api-gateway/policies.yaml
# ~/.openclaw/governance/sessions/sess_abc123/policies.yaml

Available Tools

evaluate

Evaluates an action against the inherited policy chain.

Parameters:

  • action (string): Action type (http, shell, file, browser)
  • details (object): Action-specific details
  • context (object): Session context for policy resolution

Returns:

{
  allowed: boolean,
  reason?: string,
  level: string,        // Which policy level made the decision
  policy?: string,      // Specific policy that matched
  requiresApproval?: boolean
}

initPolicyLevel

Initializes a new policy level.

Parameters:

  • level (string): organization, team, project, or session
  • name (string): Identifier for this level
  • parent (string, optional): Path to parent policy
  • path (string): Where to create the policy

validatePolicyChain

Validates a policy chain for conflicts or errors.

Parameters:

  • context (object): Session context to validate

Returns:

{
  valid: boolean,
  errors: string[],
  warnings: string[]
}

Configuration

Set the governance root in your environment:

export GOVERNANCE_ROOT="~/.openclaw/governance"

Or in openclaw.json:

{
  "skills": {
    "governance-inheritance": {
      "env": {
        "GOVERNANCE_ROOT": "~/.openclaw/governance"
      }
    }
  }
}

Policy Examples

Organization Level (Restrictive Base)

level: organization
policies:
  http:
    - pattern: "*.company.internal"
      action: allow
    - pattern: "*"
      action: require_approval
  shell:
    - command: "*"
      action: require_approval

Team Level (Engineering - More Permissive)

level: team
parent: ../organization
inheritance:
  mode: merge
policies:
  http:
    - pattern: "*.github.com"
      action: allow
    - pattern: "*.npmjs.com"
      action: allow
  shell:
    - command: "git *"
      action: allow
    - command: "npm *"
      action: allow
    - command: "docker *"
      action: allow

Project Level (Specific Overrides)

level: project
parent: ../engineering
inheritance:
  mode: merge
policies:
  http:
    - pattern: "api.stripe.com"
      action: allow  # This project uses Stripe
  file:
    write:
      - path: "./dist/*"
        action: allow

Integration with GovernClaw

This skill works alongside governclaw-middleware:

// governclaw-middleware calls governance-inheritance for policy resolution
const policyResult = await context.tools.governanceInheritance.evaluate({
  action: "http",
  details: { method, url, headers },
  context: sessionContext
});

if (!policyResult.allowed) {
  return { blocked: true, reason: policyResult.reason };
}

Best Practices

  1. Start restrictive at organization level - Require approval for everything
  2. Grant specific permissions at lower levels - Teams/projects opt into what they need
  3. Document exceptions - Use reason field to explain why policies exist
  4. Regular audits - Run validatePolicyChain to catch conflicts
  5. Version your policies - Use the version field to track changes

Error Handling

Always check for policy evaluation errors:

const result = await context.tools.governanceInheritance.evaluate({...});

if (result.error) {
  // Policy chain misconfiguration
  console.error("Policy error:", result.error);
  return { error: "Governance misconfigured" };
}

if (!result.allowed) {
  // Policy blocked the action
  console.log("Blocked by", result.level, "policy:", result.reason);
}

See Also

  • references/policy-schema.md - Complete policy YAML schema
  • references/inheritance-algorithm.md - Detailed inheritance logic
  • scripts/init_governance.py - Initialize policy levels
  • scripts/validate_chain.py - Validate policy chains
Usage Guidance
This skill is coherent for creating and validating hierarchical policy YAMLs and does not request credentials or perform remote installs. Before installing/running:
  1. Review the templates and any generated policies; they can reference sensitive paths (e.g., /etc/*, ~) and will influence what the agent is allowed to do.
  2. Back up your existing ~/.openclaw/governance if present.
  3. Validate policies with validate_chain.py (it requires PyYAML) in a safe environment.
  4. Be aware that although the code doesn't execute shell commands, the policies produced may enable or block agent actions elsewhere; only enable autonomous invocation if you trust the policy author and integration.
If anything seems unexpected (extra env vars, network calls, or an install script that fetches remote code), stop and inspect the files first.
Capability Analysis
Type: OpenClaw Skill
Name: governance-inheritance
Version: 1.0.0
The governance-inheritance skill provides a structured framework for managing hierarchical security policies (Organization, Team, Project, Session) within the OpenClaw ecosystem. The included Python scripts, init_governance.py and validate_chain.py, perform legitimate administrative tasks such as template-based policy initialization and YAML validation. The logic is transparently documented in SKILL.md and the reference files, with no evidence of malicious intent, data exfiltration, or unauthorized command execution.
Capability Assessment
Purpose & Capability
Name/description (hierarchical policy inheritance) align with the included files: init_governance.py creates policy YAML templates and validate_chain.py loads and validates policy chains. Required tools and paths (read/write under a GOVERNANCE_ROOT) match the stated functionality; nothing in the code requests unrelated cloud credentials or external services.
Instruction Scope
SKILL.md instructs use of exec, read, write tools and references GOVERNANCE_ROOT. The shipped scripts only read/write policy YAML files and validate rules; they do not execute arbitrary shell commands or contact network endpoints. Minor inconsistency: SKILL.md lists 'exec' as required but the provided Python scripts do not invoke external commands (they create/read YAML files). The templates and schema allow rules that reference sensitive system paths (e.g., /etc/*, ~), so you should review any policy files before applying them because those policies could control agent file/shell/http behavior.
Install Mechanism
No install spec; this is an instruction-only skill with included scripts. Nothing is downloaded or extracted from remote URLs. Risk from install mechanism is low.
Credentials
No required environment variables or credentials are declared. SKILL.md recommends an optional GOVERNANCE_ROOT (default ~/.openclaw/governance) which is proportional to storing policy files. The skill does not request unrelated secrets.
Persistence & Privilege
The skill writes and reads policy files under the user's governance root (default ~/.openclaw/governance). That level of persistence is expected for a governance/policy tool, but note it can modify files that affect agent behavior—review and back up existing governance data before initializing. always:false (normal); autonomous invocation is allowed by default (platform default) but is not itself unusual here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install governance-inheritance
  3. After installation, invoke the skill by name or use /governance-inheritance
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of governance-inheritance skill:
  • Implements a hierarchical policy inheritance system for OpenClaw agents with organization, team, project, and session levels.
  • Supports policy cascade with automatic inheritance, overrides, and conflict resolution.
  • Provides tools for policy evaluation, policy level initialization, and validation of policy chains.
  • Offers additive merging, explicit deny/allow handling, and provenance tracking for policy decisions.
  • Integrates with session context and external governance middleware for real-time enforcement.
Metadata
Slug: governance-inheritance
Version: 1.0.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Governance Inheritance?

Hierarchical policy inheritance system for OpenClaw agents. Enables policies to be defined at organization, team, project, and session levels with automatic... It is an AI Agent Skill for Claude Code / OpenClaw, with 141 downloads so far.

How do I install Governance Inheritance?

Run "/install governance-inheritance" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Governance Inheritance free?

Yes, Governance Inheritance is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Governance Inheritance support?

Governance Inheritance is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Governance Inheritance?

It is built and maintained by aakash2289 (@aakash2289); the current version is v1.0.0.
