openclaw/docs/plugins/reference/policy.md
Gio Della-Libera fbb6340542 Policy: add agent-scoped policy overlays (#85817)
* feat(policy): add agent-scoped policy overlays

* docs(policy): use generic agent-scoped examples

* fix(policy): generalize scoped policy overlays

* fix(policy): clean scoped overlay checks

* fix(policy): evaluate inherited scoped agent posture

* chore(policy): keep agent harness out of scoped policy pr
2026-05-25 08:45:16 -07:00


summary: Adds policy-backed doctor checks for workspace conformance.
read_when: You are installing, configuring, or auditing the policy plugin
title: Policy plugin

Policy plugin

Adds policy-backed doctor checks for workspace conformance.

Distribution

  • Package: @openclaw/policy
  • Install route: included in OpenClaw

Surface

plugin

Behavior

The Policy plugin contributes doctor health checks for policy-managed OpenClaw settings and governed workspace declarations. Policy currently covers channel conformance, governed tool metadata, MCP server posture, model-provider posture, private-network access posture, Gateway exposure posture, agent workspace/tool posture, configured global/per-agent tool posture, and OpenClaw config secret provider/auth profile posture.

Policy stores authored requirements in policy.jsonc, observes existing OpenClaw settings and workspace declarations as evidence, and reports drift through openclaw policy check and openclaw doctor --lint. A clean policy check emits policy, evidence, findings, and attestation hashes that operators can record for audit.

Tool posture rules can require approved profiles, workspace-only filesystem tools, bounded exec security/ask/host settings, disabled elevated mode, exact alsoAllow entries, and required tool deny entries. The evidence records additive alsoAllow entries because they can widen effective tool posture. These checks observe config conformance only; they do not read runtime approval state or add runtime enforcement.

Named agent policy scopes under scopes.<scopeName> can add stricter instances of the regular policy sections for the runtime agent ids listed in agentIds. The initial scoped sections are tools and agents.workspace; future sections such as sandbox or ingress can join the same container once their evidence carries agent identity. Every scope present in policy.jsonc must be valid and enforceable for its selector. Overlay rules are additional claims: they never weaken top-level policy, and when the same observed config violates both the top-level policy and a scope, each produces its own findings. Runtime agent ids that are not explicitly listed in agents.list[] are checked against the inherited global/default posture rather than silently passing with no evidence.
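The evaluation order described above, written out as an added illustration that is not the plugin's own code: a top-level tools posture is checked for every observed agent, matching scopes add further claims on top of it, and the run emits policy, evidence, findings and attestation hashes. The policy and evidence shapes, the finding strings, and the attestation hash being computed over the other three hashes are all assumptions made for this example, not the real policy.jsonc schema.

```python
import hashlib
import json
# Constructed policy in a simplified shape; NOT the plugin's real policy.jsonc schema.
POLICY = {
    "agents": {"list": ["agent-a", "agent-b"]},
    "tools": {"deny": ["exec"], "alsoAllow": []},
    "scopes": {
        "locked-down": {
            "agentIds": ["agent-b"],
            "tools": {"deny": ["exec", "browser"], "alsoAllow": []},
        },
    },
}

# Constructed evidence keyed by runtime agent id; agent-c is left out of agents.list on purpose.
OBSERVED = {
    "agent-a": {"tools": {"deny": ["exec"], "alsoAllow": ["browser"]}},
    "agent-b": {"tools": {"deny": ["exec"], "alsoAllow": ["browser"]}},
    "agent-c": {"tools": {"deny": [], "alsoAllow": []}},
}

def check_tools(rule, observed, label):
    findings = []
    for tool in rule.get("deny", []):
        if tool not in observed.get("deny", []):
            findings.append(f"{label}: required deny entry '{tool}' missing")
    # Additive alsoAllow entries widen effective posture, so any entry the rule omits is drift.
    for tool in sorted(set(observed.get("alsoAllow", [])) - set(rule.get("alsoAllow", []))):
        findings.append(f"{label}: unexpected alsoAllow entry '{tool}' widens posture")
    return findings

def check_agent(policy, agent_id, observed):
    # Top-level posture applies to every observed agent, listed in agents.list or not,
    # so an unlisted id is checked against inherited posture rather than silently passing.
    findings = check_tools(policy["tools"], observed["tools"], "top-level")
    # Matching scopes only add claims; they never remove a top-level finding.
    for name, scope in policy.get("scopes", {}).items():
        if agent_id in scope.get("agentIds", []) and "tools" in scope:
            findings += check_tools(scope["tools"], observed["tools"], f"scopes.{name}")
    return findings

def sha256_canonical(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def policy_check(policy, observed_all):
    findings = {agent: check_agent(policy, agent, obs) for agent, obs in observed_all.items()}
    hashes = {"policy": sha256_canonical(policy), "evidence": sha256_canonical(observed_all),
              "findings": sha256_canonical(findings)}
    hashes["attestation"] = sha256_canonical(hashes)  # assumed: one hash over the three record hashes
    return findings, hashes
```

A clean run is one where every agent's findings list is empty; agent-b here collects one top-level finding plus two from the scope, showing that the overlay adds claims rather than replacing the inherited ones.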