openclaw · knuckles-stack · Feb 24, 2026
diff --git a/skills/taskhawk-systems/kevros-governance/SKILL.md b/skills/taskhawk-systems/kevros-governance/SKILL.md
@@ -0,0 +1,155 @@
+---
+name: kevros-governance
+description: "Cryptographic governance verification for autonomous agents — verify actions, attest provenance, bind intent-to-action, and bundle compliance evidence."
+homepage: https://github.com/taskhawk-systems/kevros
+metadata: {"openclaw":{"emoji":"🛡️","requires":{"bins":[]}}}
+---
+
+# Kevros Governance
+
+Cryptographic trust verification for autonomous agents. Every agent action gets a signed decision, a hash-chained audit trail, and independently verifiable proof.
+
+Four primitives: `verify`, `attest`, `bind`, `bundle`.
+
+## Setup
+
+### Option 1: MCP Config (Recommended)
+
+```json
+{
+  "mcpServers": {
+    "kevros-governance": {
+      "url": "https://governance.taskhawktech.com/mcp"
+    }
+  }
+}
+```
+
+### Option 2: Python SDK
+
+```bash
+pip install kevros
+```
+
+```python
+from kevros import GovernanceClient
+
+client = GovernanceClient(api_key="kvrs_...")
+result = client.verify(action_type="skill_execution", agent_id="my-agent")
+```
+
+### Option 3: Direct API
+
+```bash
+curl -X POST https://governance.taskhawktech.com/governance/verify \
+  -H "X-API-Key: kvrs_..." \
+  -H "Content-Type: application/json" \
+  -d '{"action_type": "skill_execution", "agent_id": "my-claw-agent"}'
+```
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `verify` | Check if an agent is authorized to take a specific action |
+| `attest` | Record a hash-chained provenance entry (tamper-evident audit trail) |
+| `bind` | Cryptographic intent-to-action binding (prove what was requested matches what was done) |
+| `bundle` | Generate a compliance evidence package for auditors or regulators |
+
+## How It Works
+
+### 1. Verify an action before execution
+
+```bash
+curl -X POST https://governance.taskhawktech.com/governance/verify \
+  -H "X-API-Key: kvrs_..." \
+  -d '{
+    "action_type": "tool_call",
+    "agent_id": "my-openclaw-agent",
+    "context": {"tool": "web-search", "query": "market data"}
+  }'
+```
+
+Response:
+
+```json
+{
+  "decision": "ALLOW",
+  "token": "eyJhbGciOi...",
+  "provenance_hash": "sha256:a3f8c2d1..."
+}
+```
+
+### 2. Attest to completed work
+
+```bash
+curl -X POST https://governance.taskhawktech.com/governance/attest \
+  -H "X-API-Key: kvrs_..." \
+  -d '{
+    "agent_id": "my-openclaw-agent",
+    "action": "skill_execution",
+    "result_hash": "sha256:b7e9f3a2...",
+    "prior_hash": "sha256:a3f8c2d1..."
+  }'
+```
+
+Each attestation is chained to the previous one. The ledger is append-only and tamper-evident.
+
+### 3. Bundle compliance evidence
+
+```bash
+curl -X POST https://governance.taskhawktech.com/governance/bundle \
+  -H "X-API-Key: kvrs_..." \
+  -d '{
+    "agent_id": "my-openclaw-agent",
+    "time_range": "last_24h"
+  }'
+```
+
+Returns a signed evidence package suitable for audit or regulatory review.
+
+## Trust Model
+
+| Property | Implementation |
+|----------|---------------|
+| **Decision signing** | Every decision is HMAC-signed by the governance authority |
+| **Tamper evidence** | All decisions logged to a hash-chained append-only ledger |
+| **Independent verification** | Release tokens can be verified by any party |
+| **Post-quantum ready** | ML-DSA-87 (Dilithium) signatures available |
+| **Fail-closed** | Verification failure always results in DENY (never silent pass-through) |
+
+## Free Tier
+
+100 governance calls per month. Instant signup, no payment required:
+
+```bash
+curl -X POST https://governance.taskhawktech.com/signup \
+  -H "Content-Type: application/json" \
+  -d '{"agent_id": "my-openclaw-agent"}'
+```
+
+## Use Cases for OpenClaw Agents
+
+- **Skill execution gates**: Verify an agent is authorized before running a skill
+- **Tool call auditing**: Record every external tool invocation with provenance
+- **Multi-agent coordination**: Prove chain of custody when agents hand off work
+- **Compliance reporting**: Generate evidence packages for regulated industries
+- **Trust bootstrapping**: New agents can build verifiable track records
+
+## A2A (Agent-to-Agent) Protocol
+
+Kevros implements the Google A2A protocol for agent interoperability:
+
+```bash
+# Discover the governance agent
+curl https://governance.taskhawktech.com/.well-known/agent.json
+```
+
+Any A2A-compatible agent can interact with the governance service directly.
+
+## Resources
+
+- [Agent Card](https://governance.taskhawktech.com/.well-known/agent.json)
+- [SDK on PyPI](https://pypi.org/project/kevros/)
+- [GitHub](https://github.com/taskhawk-systems/kevros)
+- [Documentation](https://docs.taskhawktech.com)
diff --git a/skills/taskhawk-systems/kevros-governance/_meta.json b/skills/taskhawk-systems/kevros-governance/_meta.json
@@ -0,0 +1,11 @@
+{
+  "owner": "taskhawk-systems",
+  "slug": "kevros-governance",
+  "displayName": "Kevros Governance",
+  "latest": {
+    "version": "0.3.1",
+    "publishedAt": 1740326400000,
+    "commit": ""
+  },
+  "history": []
+}