Policy and CI Gates

Use these policy profiles to move from visibility to enforcement for OpenClaw risks.

Strict Policy (Production OpenClaw)

```yaml
metrics:
  - id: openclaw_architecture

policy:
  invariants:
    - metric: openclaw_architecture.overall_openclaw_health
      op: ">="
      value: 0.80
      severity: error
      message: "OpenClaw architecture health baseline not met"

    - metric: openclaw_architecture.config_security_score
      op: ">="
      value: 0.85
      severity: error
      message: "Config security baseline not met"

    - metric: openclaw_architecture.skill_governance_score
      op: ">="
      value: 0.80
      severity: error
      message: "Skill governance baseline not met"

    - metric: openclaw_architecture.supply_chain_score
      op: ">="
      value: 0.85
      severity: error
      message: "Supply chain baseline not met"

    - metric: openclaw_architecture.gateway_auth_gap_score
      op: ">="
      value: 0.90
      severity: error
      message: "Gateway auth token hardening is required"

    - metric: openclaw_architecture.skill_virus_scan_absence_score
      op: ">="
      value: 0.90
      severity: error
      message: "Skill source virus scanning is required"
```

Pragmatic Policy (Existing Codebases)

```yaml
metrics:
  - id: openclaw_architecture

policy:
  invariants:
    - metric: openclaw_architecture.overall_openclaw_health
      op: ">="
      value: 0.60
      severity: warning
      message: "Improve OpenClaw architecture health over time"

    - metric: openclaw_architecture.config_security_score
      op: ">="
      value: 0.60
      severity: warning
      message: "Improve config security controls"

    - metric: openclaw_architecture.skill_governance_score
      op: ">="
      value: 0.55
      severity: warning
      message: "Improve skill governance controls"

    - metric: openclaw_architecture.supply_chain_score
      op: ">="
      value: 0.60
      severity: warning
      message: "Improve supply chain integrity controls"
```

No-Regression Policy (Baseline)

```yaml
metrics:
  - id: openclaw_architecture

policy:
  baseline:
    mode: git
    ref: origin/main
  invariants:
    - metric: openclaw_architecture.overall_openclaw_health
      op: ">="
      baseline: true
      severity: error
      message: "OpenClaw architecture health regressed vs baseline"
    - metric: openclaw_architecture.supply_chain_score
      op: ">="
      baseline: true
      severity: error
      message: "Supply chain posture regressed vs baseline"
```

CI Commands

```bash
# Default policy evaluation from arxo.yaml
arxo analyze --path . --config arxo.yaml --fail-fast

# Metric-specific run in CI pipelines
arxo analyze --path . --metric openclaw_architecture --config arxo.yaml --fail-fast
```

Rollout Guidance

- Start with warning-level thresholds for 1-2 release cycles.
- Prioritize high-impact controls: gateway auth, sandboxing, and skill supply-chain checks.
- Promote key gates from warning to error after stabilization.
- Keep baseline no-regression checks enabled to prevent drift.
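
To see how the three profiles behave on the same analysis result during a rollout, the following added example (not Arxo's own code) models the invariant semantics in a simplified form. It assumes that only `error`-severity violations fail the CI job and that a `baseline: true` invariant compares against the score measured at the baseline ref; the scores are constructed sample values, and `inv`, `evaluate` and `gate_passes` are hypothetical helper names.

```python
# Added illustration: a simplified model of the invariant semantics, not Arxo's code.
M = "openclaw_architecture."

def inv(name, severity, value=None, baseline=False):
    return {"metric": M + name, "op": ">=", "value": value,
            "baseline": baseline, "severity": severity}

# Thresholds copied from the three profiles on this page.
STRICT = [inv(n, "error", v) for n, v in [
    ("overall_openclaw_health", 0.80), ("config_security_score", 0.85),
    ("skill_governance_score", 0.80), ("supply_chain_score", 0.85),
    ("gateway_auth_gap_score", 0.90), ("skill_virus_scan_absence_score", 0.90)]]
PRAGMATIC = [inv(n, "warning", v) for n, v in [
    ("overall_openclaw_health", 0.60), ("config_security_score", 0.60),
    ("skill_governance_score", 0.55), ("supply_chain_score", 0.60)]]
NO_REGRESSION = [inv(n, "error", baseline=True) for n in
                 ("overall_openclaw_health", "supply_chain_score")]

def evaluate(invariants, scores, baseline_scores=None):
    """Return (errors, warnings): metric names whose invariant is violated."""
    errors, warnings = [], []
    for i in invariants:
        if i["op"] != ">=":
            raise ValueError("only '>=' appears in the profiles on this page")
        name = i["metric"][len(M):]
        if i["baseline"]:
            if baseline_scores is None:
                raise ValueError("baseline invariant needs scores from the baseline ref")
            target = baseline_scores[name]
        else:
            target = i["value"]
        if not scores[name] >= target:
            (errors if i["severity"] == "error" else warnings).append(name)
    return errors, warnings

def gate_passes(errors):
    # Assumption: only error-severity violations fail the CI job.
    return not errors

# Constructed sample scores (not real Arxo output).
CURRENT = {"overall_openclaw_health": 0.72, "config_security_score": 0.88,
           "skill_governance_score": 0.50, "supply_chain_score": 0.70,
           "gateway_auth_gap_score": 0.95, "skill_virus_scan_absence_score": 0.40}
BASELINE = {"overall_openclaw_health": 0.70, "supply_chain_score": 0.75}

if __name__ == "__main__":
    for label, profile in [("pragmatic", PRAGMATIC), ("strict", STRICT),
                           ("no-regression", NO_REGRESSION)]:
        errors, warnings = evaluate(profile, CURRENT, BASELINE)
        print(label, "PASS" if gate_passes(errors) else "FAIL", errors, warnings)
```

With these sample scores the pragmatic profile passes with one warning, while the no-regression profile still blocks the change because `supply_chain_score` dropped below its baseline value.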