* Add policy engine to web4-governance (Tier 1.5) Configurable rule-based pre-action gating via before_tool_call hook. Rules match by tool name, category, and target pattern (glob/regex). Decisions (allow/deny/warn) enforced or dry-run, recorded in R6 constraints. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * Add policy admin CLI: status, rules, test commands * Add README and update ARCHITECTURE.md for Tier 1.5 policy engine --------- Co-authored-by: dp-web4 <dp@metalinxx.io> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
8.4 KiB
Web4 Governance Plugin — Architecture & Cross-Project Context
What This Is
The web4-governance plugin is a Tier 1 (Observational) implementation of the
Web4 R6 framework, running inside the moltbot agent runtime. It creates verifiable
audit trails for every tool call an agent makes, without blocking or requiring
approval.
This is the first live integration of Web4 governance into an agent runtime that actually executes tools — not a simulation or demo.
Where It Sits in the Web4 Stack
┌─────────────────────────────────────────────────────────────┐
│ Hardbound (Tier 2) │
│ Full Policy │ Trust Tensors │ ATP │ Hardware Binding │
│ hardbound-core/src/policy.rs │
│ hardbound/src/policy.ts │
└───────────────────────────┬─────────────────────────────────┘
│ upgrade path
┌───────────────────────────┴─────────────────────────────────┐
│ web4-governance (Tier 1 + 1.5) ← YOU ARE HERE │
│ R6 Audit │ Soft LCT │ Hash Chain │ Policy Engine │ CLI │
│ moltbot/extensions/web4-governance/ │
└───────────────────────────┬─────────────────────────────────┘
│ hooks into
┌───────────────────────────┴─────────────────────────────────┐
│ Moltbot Agent Runtime │
│ pi-tools.hooks.ts (before_tool_call / after_tool_call) │
│ moltbot/src/agents/pi-tools.ts │
└─────────────────────────────────────────────────────────────┘
R6 Implementation Tiers (from web4-standard/core-spec/r6-implementation-guide.md)
| Tier | Project | R6 Scope | Trust Model | Enforcement |
|---|---|---|---|---|
| 1 — Observational | web4-governance (this plugin) | Lite: audit_level, session token, tool/category/target/hash, chain position | None (relying party decides) | Record-only |
| 1.5 — Policy | web4-governance (this plugin) | Lite + configurable policy rules, allow/deny/warn, glob/regex matching | Rule-based (first-match-wins) | Block or warn (with dry-run mode) |
| 2 — Authorization | hardbound-core (Rust) | Full: policy rules, actor LCT, team context, ATP, trust delta | T3 tensor (competence, reliability, integrity) | Approve/Reject/Escalate |
| 3 — Training | HRM/SAGE | Training: exercise type, mode detection, meta-cognitive | T3 with developmental trajectory | Include/Exclude/Review |
What Was Built (PRs #1 and #2)
PR #1: Tool Call Hooks (src/agents/pi-tools.hooks.ts)
- Wired
before_tool_call/after_tool_calltyped plugin hooks into moltbot's tool execution pipeline before_tool_callcan modify params or block execution (returns{ block: true, blockReason })after_tool_callfires post-execution with result, error, and duration (fire-and-forget)- This is the hook surface that enables both observation (Tier 1) and enforcement (Tier 2)
PR #2: Web4 Governance Plugin (extensions/web4-governance/)
- R6 framework (
src/r6.ts): Creates structured R6 requests from tool calls. Classifies tools into categories (file_read, file_write, command, network, delegation, state). Hashes inputs and extracts targets. - Audit chain (
src/audit.ts): Hash-linked JSONL append log. Each record'sprevRecordHashis the SHA-256 prefix of the previous line. Verifiable integrity. - Session state (
src/session-state.ts): Tracks action index, tool/category counts, last R6 ID per session. - Soft LCT (
src/soft-lct.ts): Software-bound identity token fromhostname:usernamehash. Not hardware-bound — that's the Hardbound upgrade path.
Relationship to Hardbound
What's shared (protocol-compatible)
- R6 request structure (Tier 1 is a subset of Tier 2)
- Audit record format (Tier 1 records can be imported into Tier 2)
- Tool categories map to Hardbound
ActionTypeenum - Hash-linked provenance chain
- Session identity concept (Soft LCT → Hardware LCT upgrade path)
What Hardbound adds (Tier 2, proprietary)
- PolicyEngine (
policy.rs): Evaluates R6 requests against rules, roles, trust thresholds, ATP balance. Returns Approve/Reject/Escalate/AutoApprove. - T3 Trust Tensors: competence, reliability, integrity scoring with context weights
- Coherence Metrics: score + delta tracking with attestation
- ATP Economics: Resource allocation, daily limits, transfer caps
- Hardware Binding: TPM/SE-based LCT (P0 blocker, not yet implemented)
- Governance Rules: Role-based (developer, lead, admin, viewer, guest), action-type scoped, with prohibited requirements and auto-approve thresholds
The upgrade path
The R6 implementation guide documents a progressive adoption model:
- Start: Install web4-governance plugin (observational audit trail)
- Grow: Add policy evaluation in
before_tool_call(this is the next step) - Extend: Connect to Hardbound for full T3/ATP/hardware-bound governance
Tier 1.5: Policy Engine (Implemented)
The policy engine uses the before_tool_call hook to evaluate configurable rules
before each tool call. Rules match by tool name, category, and target pattern
(glob or regex). Decisions are allow, deny, or warn. Deny decisions block tool
execution when enforce: true; in dry-run mode (enforce: false), denials are
logged but not enforced.
What was built
- Policy types (
src/policy-types.ts):PolicyRule,PolicyMatch,PolicyConfig,PolicyEvaluation,PolicyDecision - Matchers (
src/matchers.ts): Glob-to-regex conversion, list matching, target pattern matching, composite AND-logic rule matching - PolicyEngine (
src/policy.ts): Loads rules, sorts by priority (ascending), first-match-wins evaluation,shouldBlock()for enforcement - Integration (
index.ts):before_tool_callhook evaluates policy and blocks if deny + enforce;after_tool_callpicks up stashed evaluation and writes constraints to R6rules.constraints - CLI (
index.ts):moltbot policy status,moltbot policy rules,moltbot policy test <tool> [target]
Deferred to Phase 2
- Rate limiting (needs windowed counters in session state)
- Config hot-reload
- T3/ATP integration (that's Tier 2 / Hardbound)
What this enables for Hardbound
The upgrade to Tier 2 is:
- Replace rule evaluation with PolicyEngine from hardbound-core
- Add T3 tensor snapshots to audit records
- Add coherence metrics
- Replace Soft LCT with hardware-bound LCT
- Add ATP tracking
The plugin interface stays the same — just the policy evaluation gets richer.
Storage Layout
~/.web4/
├── audit/
│ └── <sessionId>.jsonl # Hash-linked audit records (append-only)
└── sessions/
└── <sessionId>.json # Session metadata (overwritten on each action)
Cross-Project References
| File | Project | Relevance |
|---|---|---|
web4-standard/core-spec/r6-implementation-guide.md |
web4 | Tier definitions, ID formats, upgrade path |
web4-standard/core-spec/r6-security-analysis.md |
web4 | Attack vectors and mitigations |
hardbound-core/src/policy.rs |
hardbound | Full policy engine (Rust) |
hardbound/src/policy.ts |
hardbound | TypeScript policy with rule builder |
hardbound/tests/policy.test.ts |
hardbound | Policy test patterns |
hardbound-core/src/r6.rs |
hardbound | Full R6 request (Rust) |
hardbound/MVP_IMPLEMENTATION.md |
hardbound | MVP status, bundle schema, lessons |
src/agents/pi-tools.hooks.ts |
moltbot | Hook wrapper (our PR #1) |
src/plugins/hooks.ts |
moltbot | Hook runner (runBeforeToolCall/runAfterToolCall) |