AgentMesh Governance — Trust & Policy for OpenClaw Agents
Zero-trust governance layer for OpenClaw agents. Enforce policies, verify identities,
score trust, and maintain tamper-evident audit logs — all from your agent's command line.
Setup
Install the AgentMesh governance CLI:
```bash
pip install agentmesh-governance
```
If agentmesh-governance is not yet on PyPI, install directly from source:
```bash
pip install "agentmesh @ git+https://github.com/imran-siddique/agent-mesh.git"
```
Scripts
All scripts are in scripts/. They wrap the governance engine and output JSON results.
Check Policy Compliance
Evaluate an action against a governance policy before execution:
```bash
scripts/check-policy.sh --action web_search --tokens 1500 --policy policy.yaml
```
Returns JSON with allowed: true/false, any violations, and recommendations.
Use this before executing any tool call to enforce limits.
Get Trust Score
Check an agent's current trust score (0.0 – 1.0):
```bash
scripts/trust-score.sh --agent research-agent
```
Returns the composite trust score with breakdown across 5 dimensions:
policy compliance, resource efficiency, output quality, security posture,
collaboration health.
Verify Agent Identity
Verify an agent's Ed25519 cryptographic identity before trusting its output:
```bash
scripts/verify-identity.sh --did did:agentmesh:abc123 --message hello --signature base64sig
```
Returns verified: true/false. Use when receiving data from another agent.
Record Interaction
Update trust scores after collaborating with another agent:
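```bash
scripts/record-interaction.sh --agent writer-agent --outcome success
scripts/record-interaction.sh --agent writer-agent --outcome failure --severity 0.1
```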
Success adds +0.01 to trust score. Failure subtracts the severity value.
Agents dropping below the minimum threshold (default 0.5) are auto-blocked.
Audit Log
View tamper-evident audit trail with Merkle chain verification:
```bash
scripts/audit-log.sh --last 20
scripts/audit-log.sh --agent research-agent --verify
```
The --verify flag checks Merkle chain integrity — any tampering is detected.
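How a chained audit log makes tampering detectable, as an added example that is not AgentMesh's own code. It uses a plain SHA-256 hash chain as a stand-in for the engine's Merkle chain; the entry layout, the `GENESIS` value, and all function names are assumptions, and the events are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first entry


def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus the canonical JSON record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": entry_hash(prev, record)})


def verify(chain, expected_head=None):
    """Return (True, None) if intact, else (False, index of first bad entry).

    expected_head is the latest hash as recorded outside the log; without it,
    entries removed from the end of the log go unnoticed.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None


def build_sample_chain():
    # Constructed sample events, not real AgentMesh output.
    chain = []
    append(chain, {"agent": "research-agent", "action": "web_search", "allowed": True})
    append(chain, {"agent": "research-agent", "action": "shell_exec", "allowed": False})
    append(chain, {"agent": "writer-agent", "action": "summarize", "allowed": True})
    return chain


if __name__ == "__main__":
    log = build_sample_chain()
    head = log[-1]["hash"]
    print(verify(log, head))
    log[1]["record"]["allowed"] = True  # alter a stored decision in place
    print(verify(log, head))
```

A chain like this proves integrity only relative to its latest hash, so that hash has to be signed or stored somewhere the log writer cannot modify.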
Generate Identity
Create a new Ed25519 cryptographic identity (DID) for your agent:
```bash
scripts/generate-identity.sh --name my-agent --capabilities search,summarize,write
```
Returns your agent's DID, public key, and capability manifest.
Policy File Format
Create a policy.yaml to define governance rules:
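```yaml
name: production-policy
max_tokens: 4096
max_tool_calls: 10
allowed_tools:
  - web_search
  - file_read
  - summarize
blocked_tools:
  - shell_exec
  - file_delete
blocked_patterns:
  - rm -rf
  - DROP TABLE
  - BEGIN CERTIFICATE
confidence_threshold: 0.7
require_human_approval: false
```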
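A sketch of how a policy of this shape can be evaluated, as an added example that is not the AgentMesh engine's code. The `check_policy` function, the precedence order (blocklist first, then default-deny allowlist), and the case-insensitive pattern match are assumptions; the policy values are the ones from the page's policy.yaml.

```python
import re

# Subset of the page's policy.yaml, written as a dict to avoid a YAML dependency.
POLICY = {
    "name": "production-policy",
    "max_tokens": 4096,
    "allowed_tools": ["web_search", "file_read", "summarize"],
    "blocked_tools": ["shell_exec", "file_delete"],
    "blocked_patterns": ["rm -rf", "DROP TABLE", "BEGIN CERTIFICATE"],
}


def check_policy(policy, action, tokens, content=""):
    """Return {"allowed": bool, "violations": [...]}, reporting every violation."""
    violations = []

    # Blocklist is checked first, so a tool on both lists is still denied.
    if action in policy.get("blocked_tools", []):
        violations.append(f"tool '{action}' is on the blocklist")
    # Allowlist is default-deny: anything not listed is refused.
    elif action not in policy.get("allowed_tools", []):
        violations.append(f"tool '{action}' is not on the allowlist")

    limit = policy.get("max_tokens")
    if limit is not None and tokens > limit:
        violations.append(f"{tokens} tokens exceeds max_tokens={limit}")

    # Patterns are treated as regular expressions (assumed case-insensitive).
    for pattern in policy.get("blocked_patterns", []):
        if re.search(pattern, content, re.IGNORECASE):
            violations.append(f"content matches blocked pattern '{pattern}'")

    return {"allowed": not violations, "violations": violations}


if __name__ == "__main__":
    print(check_policy(POLICY, "web_search", 1500))
    print(check_policy(POLICY, "summarize", 5000, "then run drop table users"))
    print(check_policy(POLICY, "send_email", 10))
```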
When to Use This Skill
- Before tool execution: Run check-policy.sh to enforce limits
- Before trusting another agent's output: Run verify-identity.sh
- After collaboration: Run record-interaction.sh to update trust
- Before delegation: Check trust-score.sh; don't delegate to agents below 0.5
- For compliance: Run audit-log.sh --verify to prove execution integrity
- On setup: Run generate-identity.sh to create your agent's DID
What It Enforces
| Policy | Description |
|---|---|
| Token limits | Cap per-action and per-session token usage |
| Tool allowlists | Only explicitly permitted tools can execute |
| Tool blocklists | Dangerous tools are blocked regardless |
| Content patterns | Block regex patterns (secrets, destructive commands, PII) |
| Trust thresholds | Minimum trust score required for delegation |
| Human approval | Gate critical actions behind human confirmation |
Architecture
This skill bridges the OpenClaw agent runtime with the AgentMesh
governance engine:
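```
OpenClaw Agent → SKILL.md scripts → AgentMesh Engine
                                    ├── GovernancePolicy (policy enforcement)
                                    ├── TrustEngine (5-dimension scoring)
                                    ├── AgentIdentity (Ed25519 DIDs)
                                    └── MerkleAuditChain (tamper-evident logging)
```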
Part of the Agent Ecosystem: AgentMesh · Agent OS · Agent SRE
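AgentMesh Governance: Trust & Policy for OpenClaw Agents
Zero-trust governance layer for OpenClaw agents. Enforce policies, verify identities, score trust, and maintain tamper-evident audit logs from your agent's command line.
Setup
Install the AgentMesh governance CLI:
```bash
pip install agentmesh-governance
```
If agentmesh-governance is not yet published on PyPI, install directly from source:
```bash
pip install "agentmesh @ git+https://github.com/imran-siddique/agent-mesh.git"
```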
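Scripts
All scripts are in the scripts/ directory. They wrap the governance engine and output results as JSON.
Check Policy Compliance
Evaluate an action against the governance policy before execution:
```bash
scripts/check-policy.sh --action web_search --tokens 1500 --policy policy.yaml
```
Returns JSON containing allowed: true/false, any violations, and recommendations.
Use this command before executing any tool call to enforce limits.
Get Trust Score
Check an agent's current trust score (0.0 – 1.0):
```bash
scripts/trust-score.sh --agent research-agent
```
Returns the composite trust score with a breakdown across 5 dimensions: policy compliance, resource efficiency, output quality, security posture, collaboration health.
Verify Agent Identity
Verify another agent's Ed25519 cryptographic identity before trusting its output:
```bash
scripts/verify-identity.sh --did did:agentmesh:abc123 --message hello --signature base64sig
```
Returns verified: true/false. Use when receiving data from another agent.
Record Interaction
Update trust scores after collaborating with another agent:
```bash
scripts/record-interaction.sh --agent writer-agent --outcome success
scripts/record-interaction.sh --agent writer-agent --outcome failure --severity 0.1
```
Success adds +0.01 to the trust score. Failure subtracts the severity value. Agents that fall below the minimum threshold (default 0.5) are automatically blocked.
Audit Log
View the tamper-evident audit trail with Merkle chain verification:
```bash
scripts/audit-log.sh --last 20
scripts/audit-log.sh --agent research-agent --verify
```
The --verify flag checks the integrity of the Merkle chain; any tampering is detected.
Generate Identity
Create a new Ed25519 cryptographic identity (DID) for your agent:
```bash
scripts/generate-identity.sh --name my-agent --capabilities search,summarize,write
```
Returns the agent's DID, public key, and capability manifest.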
Policy File Format
Create a policy.yaml to define governance rules:
```yaml
name: production-policy
max_tokens: 4096
max_tool_calls: 10
allowed_tools:
  - web_search
  - file_read
  - summarize
blocked_tools:
  - shell_exec
  - file_delete
blocked_patterns:
  - rm -rf
  - DROP TABLE
  - BEGIN CERTIFICATE
confidence_threshold: 0.7
require_human_approval: false
```
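When to Use This Skill
- Before tool execution: Run check-policy.sh to enforce limits
- Before trusting another agent's output: Run verify-identity.sh
- After collaboration: Run record-interaction.sh to update trust
- Before delegation: Check trust-score.sh; don't delegate to agents scoring below 0.5
- For compliance checks: Run audit-log.sh --verify to prove execution integrity
- On setup: Run generate-identity.sh to create your agent's DID
What It Enforces
| Policy | Description |
|---|---|
| Token limits | Cap per-action and per-session token usage |
| Tool allowlists | Only explicitly permitted tools can execute |
| Tool blocklists | Dangerous tools are blocked regardless of circumstances |
| Content patterns | Block regex patterns (secrets, destructive commands, PII) |
| Trust thresholds | Minimum trust score required for delegation |
| Human approval | Critical actions require human confirmation |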
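Architecture
This skill bridges the OpenClaw agent runtime with the AgentMesh governance engine:
```
OpenClaw Agent → SKILL.md scripts → AgentMesh Engine
                                    ├── GovernancePolicy (policy enforcement)
                                    ├── TrustEngine (5-dimension scoring)
                                    ├── AgentIdentity (Ed25519 DIDs)
                                    └── MerkleAuditChain (tamper-evident logging)
```
Part of the Agent Ecosystem: AgentMesh · Agent OS · Agent SRE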