gatewaystack-governance

# GatewayStack Governance

Deny-by-default governance for every tool call in OpenClaw.

Five core checks run automatically on every invocation:

1. **Identity** — maps the agent to a policy role. Unknown agents are denied.
2. **Scope** — deny-by-default tool allowlist. Unlisted tools are blocked.
3. **Rate limiting** — per-user and per-session sliding window limits.
4. **Injection detection** — 40+ patterns from Cisco, Snyk, and Kaspersky research.
5. **Audit logging** — every decision recorded to append-only JSONL.

Three opt-in features extend governance further:

6. **Output DLP** — scans tool output for PII using `@gatewaystack/transformabl-core`. Log or redact.
7. **Escalation** — human-in-the-loop review for medium-severity detections and first-time tool use.
8. **Behavioral monitoring** — detects anomalous tool usage patterns using `@gatewaystack/limitabl-core`.

## Install

```bash
openclaw plugins install @gatewaystack/gatewaystack-governance
```

One command. Zero config. The core 5 checks are active on every tool call immediately.

The plugin hooks into `before_tool_call` at the process level — the agent can't bypass it, skip it, or talk its way around it.

## Customize

To override the defaults, create a policy file:

```bash
cp ~/.openclaw/plugins/gatewaystack-governance/policy.example.json \
   ~/.openclaw/plugins/gatewaystack-governance/policy.json
```

Configure which tools are allowed, who can use them, rate limits, injection detection sensitivity, and the three optional features (DLP, escalation, behavioral monitoring — all disabled by default).

## Optional GatewayStack packages

The opt-in features use GatewayStack packages via lazy import. Install only what you need:

```bash
npm install @gatewaystack/transformabl-core   # for output DLP
npm install @gatewaystack/limitabl-core       # for behavioral monitoring
```

The core 5 checks have zero external dependencies and work without these packages.

## Links

- [GitHub](https://github.com/davidcro...

<p align="center">
  <img src="OpenClaw-GatewayStack-Governance.png" alt="OpenClaw GatewayStack Governance" width="800" />
</p>

# GatewayStack Governance for OpenClaw

[![npm version](https://img.shields.io/npm/v/@gatewaystack/gatewaystack-governance)](https://www.npmjs.com/package/@gatewaystack/gatewaystack-governance)
[![CI](https://github.com/davidcrowe/openclaw-gatewaystack-governance/actions/workflows/ci.yml/badge.svg)](https://github.com/davidcrowe/openclaw-gatewaystack-governance/actions/workflows/ci.yml)
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)

OpenClaw gives your AI agents real power — they can read files, write code, execute commands, search the web, and call external APIs. 

**But there's nothing standing between an agent and a dangerous tool call.** 

No identity checks. No rate limits. No audit trail. If a malicious skill or a prompt injection tells your agent to exfiltrate your SSH keys, it just... does it.

**This plugin fixes that.** 

It hooks into OpenClaw at the process level and enforces five governance checks on **every** tool call before it executes. Your agent can't bypass it, skip it, or talk its way around it.

> **New to OpenClaw?** [OpenClaw](https://github.com/openclaw/openclaw) is an open-source framework for building personal AI agents that use tools — file access, shell commands, web search, and more. Tools are powerful, which is exactly why they need governance.

**Install with one command.** 

Zero config. Immediate security, governance, and peace of mind for every tool call.

```bash
openclaw plugins install @gatewaystack/gatewaystack-governance
```

**Contents** 
[The threat is real](#the-threat-is-real) · [Why skills aren't enough](#why-skills-arent-enough) · [How it protects you](#how-it-protects-you) · [See it block an attack](#see-it-block-an-attack) · [Get started](#get-started) · [Configure your policy](#configure-your-policy)

## The threat is real

These aren't hypotheticals. Published...