From 7819453f8418fed9414bea13c076565b519e0204 Mon Sep 17 00:00:00 2001 From: knuckles-stack <243669404+knuckles-stack@users.noreply.github.com> Date: Mon, 23 Feb 2026 20:51:21 -0500 Subject: [PATCH] feat: add kevros-governance skill for cryptographic agent verification MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds Kevros Governance as an OpenClaw skill providing cryptographic trust verification for autonomous agents — verify, attest, bind, and bundle. Co-Authored-By: Claude Opus 4.6 --- .../kevros-governance/SKILL.md | 155 ++++++++++++++++++ .../kevros-governance/_meta.json | 11 ++ 2 files changed, 166 insertions(+) create mode 100644 skills/taskhawk-systems/kevros-governance/SKILL.md create mode 100644 skills/taskhawk-systems/kevros-governance/_meta.json diff --git a/skills/taskhawk-systems/kevros-governance/SKILL.md b/skills/taskhawk-systems/kevros-governance/SKILL.md new file mode 100644 index 00000000000..58ddec5ef9f --- /dev/null +++ b/skills/taskhawk-systems/kevros-governance/SKILL.md 
@@ -0,0 +1,155 @@ +--- +name: kevros-governance +description: "Cryptographic governance verification for autonomous agents — verify actions, attest provenance, bind intent-to-action, and bundle compliance evidence." +homepage: https://github.com/taskhawk-systems/kevros +metadata: {"openclaw":{"emoji":"🛡️","requires":{"bins":[]}}} +--- + +# Kevros Governance + +Cryptographic trust verification for autonomous agents. Every agent action gets a signed decision, a hash-chained audit trail, and independently verifiable proof. + +Four primitives: `verify`, `attest`, `bind`, `bundle`. + +## Setup + +### Option 1: MCP Config (Recommended) + +```json +{ + "mcpServers": { + "kevros-governance": { + "url": "https://governance.taskhawktech.com/mcp" + } + } +} +``` + +### Option 2: Python SDK + +```bash +pip install kevros +``` + +```python +from kevros import GovernanceClient + +client = GovernanceClient(api_key="kvrs_...") +result = client.verify(action_type="skill_execution", agent_id="my-agent") +``` + +### Option 3: Direct API + +```bash +curl -X POST https://governance.taskhawktech.com/governance/verify \ + -H "X-API-Key: kvrs_..." \ + -H "Content-Type: application/json" \ + -d '{"action_type": "skill_execution", "agent_id": "my-claw-agent"}' +``` + +## Tools + +| Tool | Description | +|------|-------------| +| `verify` | Check if an agent is authorized to take a specific action | +| `attest` | Record a hash-chained provenance entry (tamper-evident audit trail) | +| `bind` | Cryptographic intent-to-action binding (prove what was requested matches what was done) | +| `bundle` | Generate a compliance evidence package for auditors or regulators | + +## How It Works + +### 1. Verify an action before execution + +```bash +curl -X POST https://governance.taskhawktech.com/governance/verify \ + -H "X-API-Key: kvrs_..." 
\ + -d '{ + "action_type": "tool_call", + "agent_id": "my-openclaw-agent", + "context": {"tool": "web-search", "query": "market data"} + }' +``` + +Response: + +```json +{ + "decision": "ALLOW", + "token": "eyJhbGciOi...", + "provenance_hash": "sha256:a3f8c2d1..." +} +``` + +### 2. Attest to completed work + +```bash +curl -X POST https://governance.taskhawktech.com/governance/attest \ + -H "X-API-Key: kvrs_..." \ + -d '{ + "agent_id": "my-openclaw-agent", + "action": "skill_execution", + "result_hash": "sha256:b7e9f3a2...", + "prior_hash": "sha256:a3f8c2d1..." + }' +``` + +Each attestation is chained to the previous one. The ledger is append-only and tamper-evident. + +### 3. Bundle compliance evidence + +```bash +curl -X POST https://governance.taskhawktech.com/governance/bundle \ + -H "X-API-Key: kvrs_..." \ + -d '{ + "agent_id": "my-openclaw-agent", + "time_range": "last_24h" + }' +``` + +Returns a signed evidence package suitable for audit or regulatory review. + +## Trust Model + +| Property | Implementation | +|----------|---------------| +| **Decision signing** | Every decision is HMAC-signed by the governance authority | +| **Tamper evidence** | All decisions logged to a hash-chained append-only ledger | +| **Independent verification** | Release tokens can be verified by any party | +| **Post-quantum ready** | ML-DSA-87 (Dilithium) signatures available | +| **Fail-closed** | Verification failure always results in DENY (never silent pass-through) | + +## Free Tier + +100 governance calls per month. 
Instant signup, no payment required: + +```bash +curl -X POST https://governance.taskhawktech.com/signup \ + -H "Content-Type: application/json" \ + -d '{"agent_id": "my-openclaw-agent"}' +``` + +## Use Cases for OpenClaw Agents + +- **Skill execution gates**: Verify an agent is authorized before running a skill +- **Tool call auditing**: Record every external tool invocation with provenance +- **Multi-agent coordination**: Prove chain of custody when agents hand off work +- **Compliance reporting**: Generate evidence packages for regulated industries +- **Trust bootstrapping**: New agents can build verifiable track records + +## A2A (Agent-to-Agent) Protocol + +Kevros implements the Google A2A protocol for agent interoperability: + +```bash +# Discover the governance agent +curl https://governance.taskhawktech.com/.well-known/agent.json +``` + +Any A2A-compatible agent can interact with the governance service directly. + +## Resources + +- [Agent Card](https://governance.taskhawktech.com/.well-known/agent.json) +- [SDK on PyPI](https://pypi.org/project/kevros/) +- [GitHub](https://github.com/taskhawk-systems/kevros) +- [Documentation](https://docs.taskhawktech.com) diff --git a/skills/taskhawk-systems/kevros-governance/_meta.json b/skills/taskhawk-systems/kevros-governance/_meta.json new file mode 100644 index 00000000000..e5c9f98518c --- /dev/null +++ b/skills/taskhawk-systems/kevros-governance/_meta.json @@ -0,0 +1,11 @@ +{ + "owner": "taskhawk-systems", + "slug": "kevros-governance", + "displayName": "Kevros Governance", + "latest": { + "version": "0.3.1", + "publishedAt": 1740326400000, + "commit": "" + }, + "history": [] +}
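Review bot: In the Trust Model table of SKILL.md, the "Decision signing" row says every decision is HMAC-signed by the governance authority, while the "Independent verification" row says release tokens can be verified by any party. HMAC is a symmetric MAC, so anyone able to verify a token also holds the key needed to forge one. Please state which scheme release tokens actually use (for example an asymmetric signature such as the ML-DSA-87 option listed in the same table) and where verifiers obtain the public key, or reword the row to say that verification goes through the service. Two smaller points in the same file: the curl examples under "How It Works" send a JSON body without the `Content-Type: application/json` header that the "Option 3: Direct API" example includes, and the frontmatter declares `"requires":{"bins":[]}` although every walkthrough step uses curl. The `verify` example also sends `context` (tool name and query) to governance.taskhawktech.com, so a sentence on what agent data leaves the host would help users decide what to put in that field.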
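Review bot: In _meta.json, `"publishedAt": 1740326400000` decodes to 2025-02-23T16:00:00Z, a year earlier than this patch's Date header (23 Feb 2026), so the published timestamp for 0.3.1 looks like a miscalculated epoch value and should be regenerated. The same `latest` block leaves `"commit": ""` empty and `history` is `[]`, so version 0.3.1 is not tied to any source revision. If the registry does not fill these in automatically, please set `commit` to the revision that was published so the listed version can be traced back to reviewed code.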