kaicianflone

consensus-code-merge-guard

Author: Kai Cianflone · GitHub · v1.1.15
cross-platform ✓ Security check passed
Total downloads: 525
Favorites: 0
Current installs: 0
Versions: 18
Install in OpenClaw
/install consensus-code-merge-guard
Description
Persona-weighted merge governance for AI-assisted engineering. Evaluates PR risk (tests, security markers, reliability signals), returns MERGE/BLOCK/REVISE d...
Usage instructions (SKILL.md)

consensus-code-merge-guard

consensus-code-merge-guard turns code merge approval into a governed, auditable decision.

What this skill does

  • consumes PR/change summary input
  • runs persona-weighted vote arbitration
  • enforces hard constraints (e.g., tests/security flags)
  • maps to engineering decision states: MERGE | BLOCK | REVISE
  • writes decision and updated persona artifacts to board state

Why this matters

CI passing does not guarantee risk-aware merge quality. Consensus review reduces silent failure propagation into production.

Ecosystem role

Uses the same consensus substrate as other guards, enabling cross-domain governance with comparable metrics.

Useful for

  • autonomous or semi-autonomous merge pipelines
  • high-risk repos needing policy checks
  • repeatable release governance with artifact history

Runtime, credentials, and network behavior

  • runtime binaries: node, tsx
  • network calls: none in the guard decision path itself
  • filesystem writes: board/state artifacts under the configured consensus state path

Dependency trust model

  • consensus-guard-core is the first-party consensus package used in guard execution
  • versions are semver-pinned in package.json for reproducible installs
  • this skill does not request host-wide privileges and does not mutate other skills

Install (registry)

npm i consensus-code-merge-guard

Quick start

node --import tsx run.js --input ./examples/input.json

Tool-call integration

This skill is wired to the consensus-interact contract boundary (via shared consensus-guard-core wrappers where applicable):

  • readBoardPolicy
  • getLatestPersonaSet / getPersonaSet
  • writeArtifact / writeDecision
  • idempotent decision lookup

This keeps board orchestration standardized across skills.

Invoke Contract

This skill exposes a canonical entrypoint:

  • invoke(input, opts?) -> Promise<OutputJson | ErrorJson>

invoke() starts the guard flow and executes deterministic policy evaluation with board operations via shared guard-core wrappers.

external_agent mode

Guards support two modes:

  • mode="external_agent": caller supplies external_votes[] from agents/humans/models for deterministic aggregation.
  • mode="persona": requires an existing persona_set_id; guard will not generate persona sets internally.
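
The aggregation that external_agent mode describes, with hard constraints applied before any vote is counted, as an added example (not the skill's own code). The vote fields (voter, vote, weight), the change fields (testsPassed, securityFlags) and the thresholds are assumptions; this page does not give the real schema.

```javascript
// Added illustration. Field names, weights and thresholds are assumptions,
// not the schema of consensus-code-merge-guard or consensus-guard-core.
const POLICY = { blockShare: 0.34, mergeShare: 0.66 }; // hypothetical thresholds
const STATES = ["MERGE", "BLOCK", "REVISE"];

function arbitrate(change, externalVotes, policy = POLICY) {
  // 1. Hard constraints run before any vote is counted and cannot be outvoted.
  const violations = [];
  if (change.testsPassed !== true) violations.push("tests_not_passing");
  for (const flag of change.securityFlags ?? []) violations.push(`security:${flag}`);
  if (violations.length > 0) {
    return { decision: "BLOCK", reason: "hard_constraint", violations };
  }

  // 2. Strict validation: a malformed or duplicate vote fails the whole call
  //    instead of being skipped, so bad input cannot quietly shift the result.
  //    Integer weights keep the sums exact and independent of vote order.
  const seen = new Set();
  const totals = { MERGE: 0, BLOCK: 0, REVISE: 0 };
  for (const v of externalVotes) {
    const valid = typeof v?.voter === "string" && !seen.has(v.voter) &&
      STATES.includes(v.vote) && Number.isInteger(v.weight) && v.weight > 0;
    if (!valid) return { error: "invalid_vote", voter: v?.voter ?? null };
    seen.add(v.voter);
    totals[v.vote] += v.weight;
  }

  // 3. Map weighted shares to a decision state; anything short of a clear
  //    MERGE majority falls back to REVISE, and no votes never means MERGE.
  const total = totals.MERGE + totals.BLOCK + totals.REVISE;
  if (total === 0) return { decision: "REVISE", reason: "no_votes", totals };
  let decision = "REVISE";
  if (totals.BLOCK / total >= policy.blockShare) decision = "BLOCK";
  else if (totals.MERGE / total >= policy.mergeShare) decision = "MERGE";
  return { decision, reason: "weighted_vote", totals };
}

// Constructed sample input.
const change = { testsPassed: true, securityFlags: [] };
const votes = [
  { voter: "security", vote: "MERGE", weight: 3 },
  { voter: "reliability", vote: "MERGE", weight: 2 },
  { voter: "maintainer", vote: "REVISE", weight: 1 },
];
console.log(arbitrate(change, votes));
console.log(arbitrate({ ...change, securityFlags: ["hardcoded-secret"] }, votes));
```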
Security usage recommendations
This package appears to do what it says: evaluate PR summaries and write an auditable decision to a configured state path. Before installing, review the consensus-guard-core dependency because all board reads/writes and state resolution are delegated to it — that component determines whether any network calls or broader filesystem access occur. Confirm the CONSENSUS_STATE_FILE / CONSENSUS_STATE_ROOT environment variables point to a safe directory (not containing secrets or system config). Run the included tests in an isolated environment (npm test/demo) and inspect the produced artifact files (./out and your state path). Note minor metadata/version inconsistencies across SKILL.md, metadata.json, and package.json — not a blocker, but worth verifying you install the intended version.
Functional analysis
Type: OpenClaw Skill
Name: consensus-code-merge-guard
Version: 1.1.15
The skill is designed for code merge governance, evaluating PR risk and recording audit artifacts locally. It explicitly declares no network calls in its decision path and performs local filesystem writes for state management, as confirmed by `SKILL.md`, `metadata.json`, and `src/index.mjs`. Input validation is implemented in `src/index.mjs` to reject unknown fields. There is no evidence of data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts in any of the analyzed files. File system interactions are confined to its stated purpose of writing structured decision artifacts, relying on environment variables (`CONSENSUS_STATE_ROOT`, `CONSENSUS_STATE_FILE`) for path resolution, which is a configuration concern for the agent rather than malicious intent within the skill itself.
Capability assessment
Purpose & Capability
Name/description (persona-weighted merge governance) match the code and declared requirements. Requested binaries (node, tsx) and environment variables (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) are plausibly needed to read/write the consensus board state and run the packaged JS guard.
Instruction Scope
SKILL.md and run.js describe a local decision flow that reads input JSON, evaluates policy, and writes decision/artifact files to a configured consensus state path. The decision path itself contains no outbound network calls, but actual board read/write/aggregation calls are delegated to the 'consensus-guard-core' package (imported functions like writeArtifact, getLatest, resolveStatePath). You should audit that package because it is the component that performs state persistence and could perform network or filesystem actions beyond what this skill's code shows.
Install Mechanism
Install is a normal npm package (consensus-code-merge-guard) with a package-lock.json present. There are no download-from-personal-server or URL-extract install steps in the manifest. Dependencies are registry packages (consensus-guard-core, tsx) which is expected for a Node skill.
Credentials
Only two env vars (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) are required and are consistent with the skill's stated need to read/write board state. No cloud credentials, tokens, or other sensitive variables are requested. Note: both env names are required by the metadata even though the code uses a resolveStatePath helper — verify which of the two actually controls the path in your deployment.
Persistence & Privilege
always:false (no forced global presence). The skill writes artifacts only under the configured consensus state path and its own output directory (run.js writes ./out). It does not modify other skills or system-wide agent settings in the provided code.
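How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install consensus-code-merge-guard
  3. Once installation completes, call the Skill by name or trigger it with /consensus-code-merge-guard
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history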
v1.1.15
Aligned SKILL metadata/install docs for registry-only path and removed misleading install bins.
v1.1.14
Bumped consensus-guard-core dependency to ^1.1.15 and rolled forward release.
v1.1.13
Added explicit requires/env/install SKILL frontmatter for registry scanner parity.
v1.1.12
Updated to consensus-guard-core ^1.1.13 with package-root import contract and compatibility fixes.
v1.1.11
Bumped consensus-guard-core dependency to ^1.1.11 and rolled forward release.
v1.1.10
Bumped consensus-guard-core dependency to ^1.1.10 and released patch version.
v1.1.9
Bumped semver deps (consensus-guard-core 1.1.5 / consensus-tools 0.1.8) and version.
v1.1.8
Decoupled guard/provider path; deterministic contract updates.
v1.1.7
Bump consensus-guard-core dependency to ^1.1.4 for corrected invoke contract and shared core alignment.
v1.1.6
Scanner hardening: remove required OPENAI_API_KEY metadata; clarify optional/conditional LLM credentials
v1.1.5
confirm release sync
v1.1.4
Security hardening: explicit runtime/credential model and semver-pinned npm dependencies
v1.1.3
Packaging hardening: standalone install metadata, dependency cleanup, and safer runtime requirements
v1.1.2
Security hardening: statePath confined to safe root with traversal protection
v1.1.1
1.1.1: tested examples/input.json in e2e to keep docs and behavior synced
v1.1.0
Release 1.1.0: invoke contract + external-agent support + ecosystem alignment
v1.0.0
1.0.0 initial public release
v0.1.0
Initial public release
Metadata
Slug consensus-code-merge-guard
Version 1.1.15
License
Total installs 0
Current installs 0
Number of versions 18
Frequently asked questions

What is consensus-code-merge-guard?

Persona-weighted merge governance for AI-assisted engineering. Evaluates PR risk (tests, security markers, reliability signals), returns MERGE/BLOCK/REVISE d... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 525 total downloads to date.

How do I install consensus-code-merge-guard?

Run the command "/install consensus-code-merge-guard" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is consensus-code-merge-guard free?

Yes, consensus-code-merge-guard is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does consensus-code-merge-guard support?

consensus-code-merge-guard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed consensus-code-merge-guard?

Developed and maintained by Kai Cianflone (@kaicianflone); the current version is v1.1.15.
