功能描述

Cross-system permission orchestration, workflow automation, and data consistency for enterprise software

使用说明 (SKILL.md)

Enterprise Agent OS

Name: Enterprise Agent OS
Author: zhenstaff

The orchestration layer for enterprise software. Control cross-system workflows. Own the enterprise budget.

Overview

Enterprise Agent OS solves the unsolved problem of cross-system permission coordination at enterprise scale. When an employee has Salesforce access to "Customer A" but no SAP access to "Customer A" financial data, traditional solutions require a 3-day IT ticket. We provide real-time coordination in under 50ms.

Core Capabilities

1. Permission Topology Orchestration

The Problem Nobody Else Solves:

Employee Alice has Salesforce access to "Customer A" but no SAP access to "Customer A" financials.

Traditional: Manual IT ticket, 3-day delay
Our Solution: Real-time cross-system coordination, \x3C 50ms

Features:

Query permissions across all systems simultaneously
Calculate minimum permission intersection
Auto-resolve conflicts
Complete audit trail for compliance

Impact: 70% reduction in IT tickets, zero manual escalations

2. Data Consistency Engine

Enterprise event sourcing - Single source of truth for all system changes.

Features:

All changes flow through central event log
Automatic conflict detection and resolution
Complete replay capability
7-year audit retention

Impact: 99.9% data consistency, zero manual reconciliation

3. Fault Isolation & Graceful Degradation

The Problem: Hub fails, 20 systems lose control, operations paralyzed

Our Solution:

Systems operate independently during downtime
Auto-queue pending operations
Intelligent reconciliation on recovery

Impact: 99.9% uptime, zero revenue loss from failures

Installation

Prerequisites

Node.js >= 18.0.0
PostgreSQL >= 14
Redis >= 6

Quick Start

# Clone project
git clone https://github.com/ZhenRobotics/openclaw-enterprise-hub.git ~/enterprise-agent-os
cd ~/enterprise-agent-os

# Install dependencies
npm install

# Configure environment
cp .env.example .env
nano .env  # Add database, Redis, system credentials

# Setup database
npm run db:migrate

# Start services
npm run dev

# Verify
curl http://localhost:3000/health

Usage

Use Case 1: Check Cross-System Permissions

Agent Request:

"Check if [email protected] has permission to view Customer CUST-001 data across Salesforce, SAP, and Jira"

Agent Executes:

curl -X POST http://localhost:3000/api/permissions/check \
  -H "Content-Type: application/json" \
  -d '{
    "userId": "[email protected]",
    "resource": "customer",
    "resourceId": "CUST-001",
    "action": "read",
    "systems": ["salesforce", "sap", "jira"]
  }'

Response:

{
  "allowed": true,
  "permissionTopology": {
    "salesforce": { "allowed": true, "permissions": ["read", "write"] },
    "sap": { "allowed": true, "permissions": ["read"] },
    "jira": { "allowed": false, "reason": "Not in support group" }
  },
  "effectivePermissions": ["read"],
  "auditId": "audit-12345"
}

Use Case 2: Cross-System Workflow

Agent Request:

"Create a workflow to onboard new customers across Salesforce, SAP, and Jira automatically"

Agent Creates:

workflow:
  name: "Customer Onboarding"
  trigger:
    type: "event"
    event: "customer.created"
    source: "salesforce"

  steps:
    - id: "validate_permissions"
      type: "permission_check"
      systems: ["salesforce", "sap", "jira"]

    - id: "create_sap_account"
      type: "system_call"
      target:
        system: "sap"
        action: "create_customer_account"

    - id: "create_jira_project"
      type: "system_call"
      target:
        system: "jira"
        action: "create_project"

Use Case 3: Compliance Audit

Agent Request:

"Generate compliance report: who accessed Customer CUST-001 financial data in the last 90 days?"

Agent Executes:

curl http://localhost:3000/api/audit/export \
  --data-urlencode "resource=customer:CUST-001" \
  --data-urlencode "startDate=2025-12-07" \
  --data-urlencode "endDate=2026-03-07" \
  --data-urlencode "format=csv"

Output: CSV file with complete audit trail, ready for compliance review.

When to Use This Skill

Auto-Trigger Keywords

Permission Management:

"check permissions", "permission conflict", "cross-system access"
"grant access across", "permission audit", "compliance report"

Workflow Orchestration:

"automate workflow", "cross-system workflow", "integrate Salesforce and SAP"
"customer onboarding", "employee offboarding"

System Integration:

"connect enterprise systems", "data consistency", "single source of truth"
Mentions multiple enterprise systems (Salesforce + SAP + Workday)

Do NOT Use

Simple single-system tasks
Personal productivity (use Zapier)
Media processing (different domain)

API Reference

GraphQL

# Check permission
query {
  checkPermission(
    userId: "[email protected]"
    resource: "customer"
    resourceId: "CUST-001"
    systems: ["salesforce", "sap"]
  ) {
    allowed
    permissionTopology { system allowed permissions }
    auditId
  }
}

# Create workflow
mutation {
  createWorkflow(input: {
    name: "Customer Onboarding"
    trigger: { type: EVENT, config: {...} }
    steps: [...]
  }) {
    id status deployedAt
  }
}

REST

POST /api/v1/permissions/check
GET  /api/v1/permissions/user/:userId
POST /api/v1/workflows
GET  /api/v1/workflows/:id
GET  /api/v1/audit/trail
GET  /health

Configuration

Environment Variables

# Core
DATABASE_URL=postgresql://user:pass@localhost:5432/enterprise_agent_os
REDIS_URL=redis://localhost:6379
OPA_ENDPOINT=http://localhost:8181

# Connected Systems
SALESFORCE_CLIENT_ID=your_id
SALESFORCE_CLIENT_SECRET=your_secret
SALESFORCE_INSTANCE_URL=https://your-instance.salesforce.com

SAP_API_ENDPOINT=https://your-sap.com/api
SAP_API_KEY=your_key

JIRA_INSTANCE_URL=https://your-company.atlassian.net
[email protected]
JIRA_API_TOKEN=your_token

Performance Metrics

Metric	Target
Permission check latency	\x3C 50ms (p95)
Workflow execution start	\x3C 100ms
Event processing	1,000 events/sec
API response time	\x3C 200ms (p95)
System availability	99.9%

Pricing

Tier	Pricing	Target
Starter	$50/user/month	50-500 employees
Professional	$100/user/month	500-2K employees
Enterprise	$150-200/user/month	2K+ employees
Transaction-based	$0.10-1.00/transaction	High-volume

ROI: 12-18 months typical payback period

Security & Compliance

SOC 2 Type II (target Q3 2026)
GDPR compliant
HIPAA compliant
End-to-end encryption (TLS 1.3)
7-year audit trail retention
Penetration tested quarterly

Architecture

Agent OS Hub (Orchestration)
  - Permission Topology
  - Workflow Engine
  - Agent Brain
         ↓
Event Store (Single Source of Truth)
  - PostgreSQL + Event Sourcing + CQRS
         ↓
Integration Adapters (20+ Systems)
  - Salesforce | SAP | Workday | Jira

Development Status

Current Phase: MVP Development (Week 3/8)

Completed:

Architecture design
Permission topology engine design
Event sourcing architecture
Documentation

In Progress:

Permission discovery service
OPA integration
Admin dashboard
GraphQL API

Next Milestones:

Week 4-6: Complete permission engine
Week 7-8: Pilot customer deployment

Agent Behavior Guidelines

DO:

Verify permissions before cross-system operations
Log all checks for audit trail
Handle conflicts gracefully
Suggest workflow automation
Provide compliance-ready reports

DON'T:

Bypass permission checks
Assume permissions are consistent
Execute workflows without validation
Ignore audit requirements

Support

Documentation: https://github.com/ZhenRobotics/openclaw-enterprise-hub/tree/main/docs
GitHub: https://github.com/ZhenRobotics/openclaw-enterprise-hub
Email: [email protected]
Enterprise Sales: [email protected]

Troubleshooting

Permission Check Timeout

# Check Redis
redis-cli ping

# Verify OPA
curl http://localhost:8181/health

# Restart service
docker-compose restart permission-service

Workflow Failed

# Check adapters
curl http://localhost:3000/api/adapters/status

# Test connection
curl http://localhost:3000/api/test/salesforce

Version History

v1.0.0-alpha (2026-03-07) - Current

Status: MVP Development

Features:

Permission topology orchestration (design complete)
Event sourcing architecture (design complete)
GraphQL API specification (design complete)

Known Limitations:

MVP supports 3 systems initially
Single-region deployment only
No multi-tenancy yet

License

Proprietary Software - Contact for licensing terms

Final Note

Enterprise Agent OS is not another integration tool.

It's the orchestration layer that will capture 90% of enterprise software value over the next decade.

Position yourself accordingly.

安全使用建议

Do not run or install this project in production or give it live credentials until you or your security team have reviewed the repository and code. Specific steps to reduce risk: 1) Verify the repository origin and that the repository contents match the packaged SKILL.md (the README references inconsistent org names/URLs and support info). 2) Manually review code (adapters, auth flows, webhook handling, any outbound network calls) before running npm install or database migrations. 3) Provide only least-privilege test credentials in an isolated environment (no production tokens); prefer read-only tokens or synthetic test tenants. 4) Treat GOOGLE_SERVICE_ACCOUNT_KEY and OAuth secrets as high-risk; do not place production keys on disk until audited. 5) If you plan to let agents invoke this autonomously, require explicit authorization and limit which env vars/credentials the agent can access; consider disabling autonomous invocation until reviewed. 6) After testing, rotate any credentials used. 7) Ask the publisher for an explicit list of required env vars, config paths, and a signed/reproducible release so you can review the code that will run.

功能分析

Type: OpenClaw Skill Name: enterprise-hub Version: 1.0.0 The bundle consists of documentation and instructions for an AI agent to interface with a local 'Enterprise Agent OS' API for permission orchestration and workflow automation. The instructions in SKILL.md and EXAMPLES.md are consistent with the stated purpose, emphasizing security-positive behaviors such as mandatory permission verification and audit logging. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found; the provided examples interact exclusively with localhost:3000.

能力评估

⚠ Purpose & Capability

The stated purpose (cross-system permission orchestration) legitimately requires connectors and credentials for enterprise systems. However the registry metadata declares no required binaries or env vars while SKILL.md repeatedly requires Node.js, PostgreSQL, Redis and credentials for Salesforce, Google service account keys, Slack webhooks, etc. That mismatch is incoherent: either the metadata is incomplete or the package is mis-described.

⚠ Instruction Scope

Runtime instructions tell agents/operators to git clone the repo, run npm install, run DB migrations, edit a .env with system credentials, place a Google service-account key file path, start the service, and invoke local REST/GraphQL endpoints. Examples also show sending notifications via SLACK_WEBHOOK. These instructions require access to secrets, local files, and enterprise APIs and could perform cross-system changes — all of which go well beyond a minimal read-only helper.

ℹ Install Mechanism

There is no formal install spec in the registry (instruction-only), which lowers automated-install risk. But SKILL.md tells a human/agent to clone and run arbitrary project code (npm install, migrations, start). Because code is not bundled for static review, the scanner had nothing to analyze — making manual code review of the repository essential before executing those commands.

⚠ Credentials

The package metadata lists zero required env vars, yet the docs and examples require many sensitive values (SALESFORCE_CLIENT_ID/SECRET/INSTANCE_URL, GOOGLE_SERVICE_ACCOUNT_KEY file path, GOOGLE_ADMIN_EMAIL, SLACK_WEBHOOK, DATABASE_URL, REDIS_URL, JWT secrets, etc.). For an orchestration platform it's expected to need some credentials, but the skill should declare them explicitly. The presence of file-path secrets (service account JSON), webhooks, and OAuth secrets raises risk of credential exposure or misuse if the agent or installer is given broad access.

⚠ Persistence & Privilege

The skill is not marked always:true (good) but model invocation is allowed (default). Given the skill's ability to orchestrate cross-system actions (provision accounts, run workflows, call adapters), autonomous invocation combined with undeclared credential requirements increases blast radius: an agent that obtains credentials via instructions or misconfiguration could make wide-impact changes. This is a contextual privilege concern (not an automatic disqualification).

版本历史

v1.0.0

- Initial release of Enterprise Agent OS (v1.0.0-alpha), providing orchestration across enterprise software systems. - Introduces cross-system permission management, workflow automation, and centralized data consistency. - Features real-time permission checks (< 50ms), a unified audit log, and compliance tools. - Supports automated workflows spanning systems like Salesforce, SAP, and Jira. - Includes developer guides, API reference (REST & GraphQL), and sample use cases. - Targets high reliability, fast event processing, and stringent security/compliance standards.

元数据

Slug enterprise-hub

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题