governance-inheritance
Hierarchical policy inheritance system for OpenClaw agents. Enables policies to be defined at organization, team, project, and session levels with automatic inheritance, override rules, and conflict resolution. Use when setting up governance policies that need to cascade across multiple sessions, when defining policy hierarchies, or when resolving policy conflicts between parent and child contexts. Required tools - exec, read, write. Environment variables - GOVERNANCE_ROOT (default ~/.openclaw/governance).
Install via CLI (Recommended)
```bash
clawhub install openclaw/skills/skills/aakash2289/governance-inheritance
```
Governance Inheritance
This skill provides a hierarchical policy inheritance system that allows policies to be defined at multiple levels and automatically inherited by child contexts.
Policy Hierarchy Levels
Policies cascade from broad to specific:
Organization (broadest)
↓
Team
↓
Project
↓
Session (most specific)
Inheritance Rules
- Child overrides parent: a rule at a more specific level takes precedence over a broader one
- Additive by default: policies merge unless explicitly overridden
- Explicit deny wins: a deny at any level blocks the action, so a child level cannot lift a parent's deny
- Require explicit allow: in strict mode, actions without an explicit allow are blocked
Policy Structure
Each level contains a policies.yaml file:
```yaml
# policies.yaml
version: "1.0"
level: organization        # organization | team | project | session
parent: null               # path to parent policy (null for root)

# Policy blocks
policies:
  http:
    - pattern: "*.internal.company.com"
      action: allow
      scope: ["GET", "POST"]
    - pattern: "*"
      action: deny
      reason: "External HTTP requires approval"
  shell:
    - command: "git *"
      action: allow
    - command: "rm -rf /*"
      action: deny
      reason: "Destructive command blocked"
    - command: "*"
      action: require_approval
  file:
    read:
      - path: "~/workspace/*"
        action: allow
      - path: "/etc/*"
        action: deny
    write:
      - path: "~/workspace/*"
        action: allow
      - path: "*"
        action: require_approval

# Inheritance configuration
inheritance:
  mode: merge              # merge | override | isolate
  exceptions:              # Policies that don't inherit
    - shell.sudo
  extensions:              # Child can extend these
    - http.allowlist
```
Quick Start
1. Initialize Organization Policies
```bash
python scripts/init_governance.py --level organization --path ~/.openclaw/governance
```
2. Create Team-Level Override
```bash
python scripts/init_governance.py --level team --name engineering --parent ~/.openclaw/governance/organization
```
3. Evaluate Policy for Action
```javascript
const result = await context.tools.governanceInheritance.evaluate({
  action: "http",
  details: { method: "GET", url: "https://api.example.com/data" },
  context: {
    sessionId: "sess_123",
    project: "my-project",
    team: "engineering"
  }
});
// result: { allowed: true } | { allowed: false, reason: "...", level: "organization" }
```
Policy Resolution
When evaluating an action, the system:
- Collects all applicable policies from root to leaf
- Merges according to inheritance rules
- Evaluates against the most specific matching rule
- Returns decision with provenance (which level decided)
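The following is an added example, not the skill's own code, showing how the four resolution steps and the deny-wins conflict rule can play out over a concrete organization / team / session chain. The dicts stand in for the parsed policies.yaml files (with `parent` as an object link instead of a path), glob matching uses Python's `fnmatch`, the `isolate` and `override` modes are modelled as "stop walking up" and "discard inherited rules for a category the child defines", and the behaviour when nothing matches in non-strict mode (allow) is an assumption; `exceptions` and `extensions` are not modelled.

```python
# Added example (not the skill's own code): a minimal resolver for the cascade.
# The dicts stand in for parsed policies.yaml files; glob matching via fnmatch,
# the override/isolate semantics and the "no match" behaviour are assumptions.
from fnmatch import fnmatchcase

# Constructed sample chain, root first. `parent` links replace the file paths.
ORG = {
    "level": "organization", "parent": None,
    "policies": {
        "http": [
            {"pattern": "*.internal.company.com", "action": "allow", "scope": ["GET", "POST"]},
            {"pattern": "*", "action": "deny", "reason": "External HTTP requires approval"},
        ],
        "shell": [
            {"command": "git *", "action": "allow"},
            {"command": "rm -rf /*", "action": "deny", "reason": "Destructive command blocked"},
            {"command": "*", "action": "require_approval"},
        ],
        "file": {"read": [
            {"path": "~/workspace/*", "action": "allow"},
            {"path": "/etc/*", "action": "deny", "reason": "System files are off limits"},
        ]},
    },
    "inheritance": {"mode": "merge"},
}
TEAM = {
    "level": "team", "parent": ORG,
    "policies": {
        "http": [{"pattern": "api.example.com", "action": "allow", "scope": ["GET"]}],
        "shell": [{"command": "rm -rf /*", "action": "allow"}],  # tries to lift the org deny
    },
    "inheritance": {"mode": "merge"},
}
SESSION = {
    "level": "session", "parent": TEAM,
    "policies": {"shell": [{"command": "make *", "action": "allow"}]},
    "inheritance": {"mode": "merge"},
}


def rules_for(level, category):
    """Return the rule list at dotted `category` (e.g. "file.read") in one level."""
    node = level.get("policies", {})
    for key in category.split("."):
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, list) else []


def rule_matches(category, rule, details):
    """Assumed matching semantics: globs on host, command string, or path."""
    if category == "http":
        host = details["url"].split("//", 1)[-1].split("/", 1)[0]
        scope = rule.get("scope")  # no scope means any method
        return fnmatchcase(host, rule["pattern"]) and (scope is None or details["method"] in scope)
    if category == "shell":
        return fnmatchcase(details["command"], rule["command"])
    if category.startswith("file."):
        return fnmatchcase(details["path"], rule["path"])
    return False


def collect_chain(leaf):
    """Step 1: walk parent links up from the leaf; `isolate` stops the walk."""
    chain, node = [], leaf
    while node is not None:
        chain.append(node)
        if node.get("inheritance", {}).get("mode", "merge") == "isolate":
            break
        node = node.get("parent")
    return list(reversed(chain))  # root first


def evaluate(leaf, category, details, strict=False):
    """Steps 2-4: merge per level, pick the deciding rule, return it with provenance."""
    decisions = []  # (level name, first matching rule at that level), root first
    for level in collect_chain(leaf):
        rules = rules_for(level, category)
        if level.get("inheritance", {}).get("mode", "merge") == "override" and rules:
            decisions = []  # assumed: this level replaces what it inherited for the category
        for rule in rules:
            if rule_matches(category, rule, details):
                decisions.append((level["level"], rule))
                break
    for name, rule in decisions:  # explicit deny wins, whichever level it came from
        if rule["action"] == "deny":
            return {"allowed": False, "reason": rule.get("reason", "denied"), "level": name}
    if not decisions:  # nothing matched anywhere
        if strict:
            return {"allowed": False, "reason": "no explicit allow", "level": None}
        return {"allowed": True, "level": None}  # assumed non-strict default
    name, rule = decisions[-1]  # otherwise the most specific matching level decides
    if rule["action"] == "allow":
        return {"allowed": True, "level": name}
    return {"allowed": False, "reason": rule["action"], "level": name}  # require_approval


if __name__ == "__main__":
    for cat, details in [("http", {"method": "GET", "url": "https://api.example.com/data"}),
                         ("shell", {"command": "rm -rf /tmp/x"}),
                         ("shell", {"command": "make build"})]:
        print(cat, details, "->", evaluate(SESSION, cat, details))
```

Note that the team's `api.example.com` allow does not help the GET from the Quick Start: the organization's catch-all `deny` is collected first and wins, so the decision comes back with `level: "organization"`, and the same happens to the team's attempt to re-allow `rm -rf /*`. The session-level `make *` allow does take effect, because it only competes with the organization's `require_approval`, not with a deny. When reviewing a real hierarchy, check whether a child's `override` or `isolate` mode can drop a parent deny from the chain, as it does in this model.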
Conflict Resolution
Paste this into your clawhub.json to enable this plugin.
```json
{
  "plugins": {
    "official-aakash2289-governance-inheritance": {
      "enabled": true,
      "auto_update": true
    }
  }
}
```