gov_setup
GitHub用于在OpenClaw工作区安装、升级或检查治理文件。支持quick、install、upgrade和check模式,强制通过命令行工具执行决策,确保插件信任白名单对齐,并自动处理遗留技能迁移及Brain Docs路由逻辑。
Trigger Scenarios
Install
npx skills add NeverSight/learn-skills.dev --skill gov_setup -g -y
SKILL.md
Frontmatter
{
"name": "gov_setup",
"metadata": {
"openclaw": {
"emoji": "🧰",
"requires": {
"bins": [
"openclaw"
]
}
}
},
"description": "Install or upgrade governance files into the current OpenClaw workspace.",
"user-invocable": true
}
/gov_setup
Purpose
Deploy this plugin's governance files into the current workspace at prompts/governance/.
check mode is a read-only diagnostic for first-time setup and upgrade readiness.
In all modes, verify OpenClaw plugin trust allowlist alignment (plugins.allow) for this plugin.
Inputs
- Optional mode:
quick(default command-level one-click chain)install,upgrade,check- alias:
auto(same asquick)
Mode precedence (hard)
- Explicit operator intent takes precedence:
/gov_setup upgradeMUST execute upgrade workflow./gov_setup installMUST execute install workflow./gov_setup checkis diagnostics only.
- Never downgrade explicit
install/upgradeintocheck. - Never return
SKIPPED (No-op upgrade)for explicitupgrade. quick/automust run full chain in-order:check-> (install/upgrade/skip) ->migrate->audit- if any stage fails, stop at that stage and return deterministic next-step remediation.
Deterministic runner (hard)
gov_setupdecisions must be driven by:node {plugin_root}/tools/gov_setup_sync.mjs <mode>
- The runner output is authoritative:
- do not replace it with heuristic "no-op" reasoning
- if runner returns
PASS, reportPASS(neverSKIPPED) - if runner returns
BLOCKED, reportBLOCKEDand stop
- For
upgrade, runner execution is mandatory even when a previouscheckreturnedREADY. - Runner also reconciles legacy workspace shadow skills (
<workspace-root>/skills/gov_*) by moving them into workspace archive backup before continuing.
Brain Docs routing (hard)
When the request touches Brain Docs (USER.md, IDENTITY.md, TOOLS.md, SOUL.md, MEMORY.md, HEARTBEAT.md, memory/*.md):
- Read-only ask -> Mode B (verified answer): read the exact target files before answering.
- Any write/update request -> Mode C: full governance lifecycle is mandatory.
- If the same request also includes OpenClaw system claims, apply Mode B2 verification (
docs.openclaw.ai+ releases when version-sensitive). - If the request is specifically about auditing/hardening Brain Docs behavior wording, route to
gov_brain_audit(single entry; preview by default).
Required behavior
- Resolve plugin root from this skill directory:
plugin_root = {baseDir}/../..
- Resolve workspace root as the current OpenClaw workspace directory.
- Do not assume
~/.openclaw/workspaceas a fixed path.
- Do not assume
- Resolve platform config path candidates (read-only probe):
- Linux/macOS:
~/.openclaw/openclaw.json - Windows:
%USERPROFILE%\\.openclaw\\openclaw.json - Use the one that exists; if both exist, use the runtime-active one and report both paths.
- Linux/macOS:
- In all modes, evaluate plugin allowlist status from
openclaw.json:ALLOW_OK:plugins.allowis an array and containsopenclaw-workspace-governanceALLOW_NOT_SET:plugins.allowkey missing or not an arrayALLOW_EMPTY:plugins.allowis an empty arrayALLOW_MISSING_GOV: array exists but missingopenclaw-workspace-governance- Preserve existing trusted ids; never suggest replacing allowlist with only one id.
- Mandatory compatibility SOP check (every run):
- Evaluate whether governance is compatible with official OpenClaw daily flows and governance lifecycle flows:
- official flow families:
openclaw ...system-channel operations (including plugin-added/future commands and chainedopenclawsegments)
- official flow families:
- governance lifecycle:
gov_help,gov_setup quick/check/install/upgrade,gov_migrate,gov_audit,gov_openclaw_json,gov_brain_audit,gov_uninstall quick/check/uninstall - Decision rules:
- default outcome is
ALLOW/ROUTEfor these flows (no generic false block), - if prerequisite fails (for example allowlist misalignment), return governance policy warning with explicit copy-paste unblock commands.
- default outcome is
- For any allowlist remediation, keep existing trusted ids and append missing required id(s); never replace with governance id only.
- Evaluate whether governance is compatible with official OpenClaw daily flows and governance lifecycle flows:
- If mode is
installorupgradeandallow_status != ALLOW_OK:- do not hard-block governance workspace deployment
- continue install/upgrade (best-effort) and mark
allowlist_alignment_required=true - append immediate remediation commands (
/gov_openclaw_json->/gov_setup check) before migration/audit next steps - wording must clearly state this is a governance warning (not system error)
- Execute deterministic runner by mode:
check->node {plugin_root}/tools/gov_setup_sync.mjs checkinstall->node {plugin_root}/tools/gov_setup_sync.mjs installupgrade->node {plugin_root}/tools/gov_setup_sync.mjs upgradequick/auto-> orchestrated deterministic chain:- setup check runner
- setup install/upgrade runner when required by check result
- migrate runner
- audit runner
- If mode is
check:- Use runner JSON as source of truth for:
status(NOT_INSTALLED/PARTIAL/READY)allow_statusallowlist_alignment_requiredfile_sync_summaryshadow_reconcile_requirednext_action
- If runner reports
shadow_reconcile_required=trueor non-emptyworkspace_gov_skill_dirs_detected, treat status as upgrade-required (PARTIAL) and instruct operator to run explicit/gov_setup upgrade.
- Use runner JSON as source of truth for:
- After install or upgrade:
- Print next steps:
- Run
/gov_migrate, then/gov_audit(migration will reconcile missing governance_controlbaseline files deterministically)
- Run
- Explicit
upgrademust still run even ifcheckpreviously returnedREADY. - Idempotent upgrade is valid; report
PASS (already up-to-date)from runner output.
- Print next steps:
- If operator asks OpenClaw system questions (commands/config/paths) during setup:
- Verify against local skill docs and official docs
https://docs.openclaw.aibefore answering. - For latest/version-sensitive claims, also verify official releases
https://github.com/openclaw/openclaw/releases. - If verification cannot be completed, report uncertainty and required next check; do not infer.
- If operator asks date/time-sensitive setup questions:
- Verify runtime current time context (session status) before answering.
- Platform config patching policy during setup:
- do not patch inside
gov_setup - route to
gov_openclaw_json - copy-paste unblock intent:
Please update openclaw.json so plugins.allow keeps existing trusted ids and includes openclaw-workspace-governance, then validate and back up before apply.
Output requirements
- Report source root, target root, deterministic runner command/result, and backup path if created.
- If any required source file is missing, stop and report missing paths.
- Include
FILES_READ(exact paths) andTARGET_FILES_TO_CHANGE(exact paths, ornonefor read-onlycheck). - If required evidence fields are missing, output
BLOCKED (missing read/change evidence)instead of completion. - Use this output order for UX consistency:
STATUSWHYNEXT STEP (Operator)COMMAND TO COPY
- Always include a final
NEXT STEP (Operator)section with:- one primary command
- one fallback
/skill ...command
- In
checkmode, include:status(NOT_INSTALLED/PARTIAL/READY)allow_status(ALLOW_OK/ALLOW_NOT_SET/ALLOW_EMPTY/ALLOW_MISSING_GOV)allowlist_alignment_required(true/false)compat_sop_status(ALLOW_OR_ROUTE/POLICY_BLOCK_WITH_REMEDIATION)compat_sop_scope(official flows + governance lifecycle coverage summary)platform_config_path(resolved path used for check)next_actionfile_sync_summary(counts forMISSING/OUT_OF_SYNC/IN_SYNC)shadow_reconcile_required(true/false)workspace_gov_skill_dirs_detected(if any)- file lists in code blocks (one path per line) to avoid UI table-wrap ambiguity.
- if
allow_status!=ALLOW_OK, appendAlign Allowlistcommand block first:/gov_openclaw_json- fallback:
/skill gov_openclaw_json - then rerun:
/gov_setup check(fallback:/skill gov_setup check)
- if
allow_status=ALLOW_OKandshadow_reconcile_required=true, appendShadow Reconcilecommand block first:/gov_setup upgrade- fallback:
/skill gov_setup upgrade
- if
allow_status=ALLOW_OKandstatus=NOT_INSTALLED, append aQuick Startcommand block:/gov_setup install- fallback:
/skill gov_setup install
- if
allow_status=ALLOW_OKandstatus=PARTIAL, append:/gov_setup upgrade- fallback:
/skill gov_setup upgrade
- if
allow_status=ALLOW_OKandstatus=READY, append:/gov_migratethen/gov_audit- fallback:
/skill gov_migratethen/skill gov_audit
- append version visibility commands for operator-side check:
- installed:
openclaw plugins info openclaw-workspace-governance - latest:
npm view @adamchanadam/openclaw-workspace-governance version
- installed:
- In explicit
install/upgrademode:STATUSmust be eitherPASSorBLOCKED.- Do not output
SKIPPEDfor explicit write-mode setup commands. - Include
workspace_gov_skill_dirs_reconciledfrom runner output when present.
Version History
- e0220ca Current 2026-07-05 23:04


