# AgentMesh Governance — Trust & Policy for OpenClaw Agents
Zero-trust governance layer for OpenClaw agents. Enforce policies, verify identities,
score trust, and maintain tamper-evident audit logs — all from your agent's command line.
## Setup
Install the AgentMesh governance CLI:
pip install agentmesh-governance
> If agentmesh-governance is not yet on PyPI, install directly from source:
> ```bash
> pip install "agentmesh @ git+https://github.com/imran-siddique/agent-mesh.git"
> ```
## Scripts
All scripts are in scripts/. They wrap the governance engine and output JSON results.
### Check Policy Compliance
Evaluate an action against a governance policy before execution:
scripts/check-policy.sh --action "web_search" --tokens 1500 --policy policy.yaml
Returns JSON with allowed: true/false, any violations, and recommendations.
Use this before executing any tool call to enforce limits.
### Get Trust Score
Check an agent's current trust score (0.0 – 1.0):
scripts/trust-score.sh --agent "research-agent"
Returns the composite trust score with breakdown across 5 dimensions:
policy compliance, resource efficiency, output quality, security posture,
collaboration health.
### Verify Agent Identity
Verify an agent's Ed25519 cryptographic identity before trusting its output:
scripts/verify-identity.sh --did "did:agentmesh:abc123" --message "hello" --signature "base64sig"
Returns verified: true/false. Use when receiving data from another agent.
### Record Interaction
Update trust scores after collaborating with another agent:
scripts/record-interaction.sh --agent "writer-agent" --outcome success
scripts/record-interaction.sh --agent "writer-agent" --outcome failure --severity 0.1
Success adds +0.01 to trust score. Failure subtracts the severity value.
Agents dropping below the minimum threshold (default 0.5) are auto-blocked.
### Audit Log
View tamper-evident audit trail with Merkle chain verification:
scripts/audit-log.sh --last 20
scripts/audit-log.sh --agent "research-agent" --verify
The --verify flag checks Merkle chain integrity — any tampering is detected.
### Generate Identity
Create a new Ed25519 cryptographic identity (DID) for your agent:
scripts/generate-identity.sh --name "my-agent" --capabilities "search,summarize,write"
Returns your agent's DID, public key, and capability manifest.
## Policy File Format
Create a policy.yaml to define governance rules:
name: production-policy
max_tokens: 4096
max_tool_calls: 10
allowed_tools:
- web_search
- file_read
- summarize
blocked_tools:
- shell_exec
- file_delete
blocked_patterns:
- "rm -rf"
- "DROP TABLE"
- "BEGIN CERTIFICATE"
confidence_threshold: 0.7
require_human_approval: false
## When to Use This Skill
- Before tool execution: Run
check-policy.shto enforce limits - Before trusting another agent's output: Run
verify-identity.sh - After collaboration: Run
record-interaction.shto update trust - Before delegation: Check
trust-score.sh— don't delegate to agents below 0.5 - For compliance: Run
audit-log.sh --verifyto prove execution integrity - On setup: Run
generate-identity.shto create your agent's DID
## What It Enforces
| Policy | Description |
|--------|-------------|
| Token limits | Cap per-action and per-session token usage |
| Tool allowlists | Only explicitly permitted tools can execute |
| Tool blocklists | Dangerous tools are blocked regardless |
| Content patterns | Block regex patterns (secrets, destructive commands, PII) |
| Trust thresholds | Minimum trust score required for delegation |
| Human approval | Gate critical actions behind human confirmation |
## Architecture
This skill bridges the OpenClaw agent runtime with the AgentMesh
governance engine:
OpenClaw Agent → SKILL.md scripts → AgentMesh Engine
├── GovernancePolicy (enforcement)
├── TrustEngine (5-dimension scoring)
├── AgentIdentity (Ed25519 DIDs)
└── MerkleAuditChain (tamper-evident logs)
Part of the Agent Ecosystem:
Agent OS ·