π¦ ClawHub
consensus-permission-escalation-guard
by @kaicianflone
Pre-execution governance for IAM and permission escalation changes. Use when an agent or workflow proposes granting, expanding, or assuming higher privileges...
TERMINAL
clawhub install consensus-permission-escalation-guardπ About This Skill
name: consensus-permission-escalation-guard description: Pre-execution governance for IAM and permission escalation changes. Use when an agent or workflow proposes granting, expanding, or assuming higher privileges and you need deterministic ALLOW/BLOCK/REQUIRE_REWRITE decisions with strict schema validation, idempotency, and board-native audit artifacts. version: 0.1.12 homepage: https://github.com/kaicianflone/consensus-permission-escalation-guard source: https://github.com/kaicianflone/consensus-permission-escalation-guard upstream: consensus-guard-core: https://github.com/kaicianflone/consensus-guard-core metadata: openclaw: requires: bins: - node - tsx env: - CONSENSUS_STATE_FILE - CONSENSUS_STATE_ROOT install: - kind: node package: consensus-permission-escalation-guard bins: - node - tsx
consensus-permission-escalation-guard
consensus-permission-escalation-guard is the final safety gate before privilege elevation is applied.
What this skill does
ALLOW | BLOCK | REQUIRE_REWRITEDecision policy shape
Hard-block examples:
*, : *, broad owner/admin jumps)Rewrite examples:
Runtime and safety model
node, tsxCONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOTInvoke contract
invoke(input, opts?) -> PromiseModes:
mode="persona" (default): uses local deterministic persona defaults for internal votingmode="external_agent": consume external_votes[], then aggregate and enforce policy deterministicallyInstall
npm i consensus-permission-escalation-guard
Quick start
node --import tsx run.js --input ./examples/input.json
Tests
npm test
Test coverage includes schema rejection, hard-block paths, rewrite paths, allow paths, idempotent retries, and external-agent aggregation behavior.
Note: this skill depends on consensus-guard-core for aggregation/state helpers; review that package alongside this one for full runtime auditability.
See also: SECURITY-ASSURANCE.md for threat model, runtime boundaries, and deployment hardening guidance.
π‘ Examples
node --import tsx run.js --input ./examples/input.json