
enterprise-legal-guardrails

Legal/compliance guardrails for outbound OpenClaw actions (anti-spam, defamation, privacy, financial claims).

Author: admin | Source: ClawHub
Version: V 1.0.13
Security check: passed
Downloads: 595
Favorites: 0


# Enterprise Legal Guardrails

Use this skill to preflight bot output before posting, messaging, or publishing anything that could create legal/compliance risk.

## What it is

A generic **outbound** guardrail checker used by workflows before executing actions such as post/comment/message/chat/send in any app.

## When to use

- Before `create_post`, `create_comment`, `send_message`, or equivalent publish actions.
- Before market-related commentary, strategy claims, or price/certainty statements.
- Before HR-sensitive or workplace-adjacent messaging.
- Before anti-spam or coordination-heavy communications.
- Before handling or exposing personal identifiers.

## Workflow

1. Draft text.
2. Run the checker with the matching action/profile.
3. If result is **PASS/WATCH**, proceed.
4. If **REVIEW**, rewrite or route for human/legal review.
5. If **BLOCK**, do not execute.

Use it as a shared OpenClaw outbound safety layer for any skill that publishes content. Babylon is only one current integration example, not the primary purpose of the skill.

## Quick usage

```bash
python3 scripts/check_enterprise_guardrails.py \
  --action post \
  --app <app_name> \
  --policies social antispam hr \
  --text "Draft text here"
```

```bash
python3 scripts/check_enterprise_guardrails.py \
  --action comment \
  --scope include \
  --apps whatsapp,telegram \
  --text "Draft text here"
```

```bash
python3 scripts/check_enterprise_guardrails.py \
  --action market-analysis \
  --text "Market commentary..." \
  --json
```

## App scope (global filtering)

Scope applies to any app-context passed with `--app` and these env vars (legacy names preserved for compatibility):

- `ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_SCOPE` (`all|include|exclude`)
- `ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_APPS` (comma-separated list)
- `BABYLON_GUARDRAILS_SCOPE`
- `BABYLON_GUARDRAILS_OUTBOUND_SCOPE`
- `BABYLON_GUARDRAILS_APPS`

Examples:

- `all`: check all outbound content.
- `include` + `whatsapp,email`: only check those apps.
- `exclude` + `whatsapp,email,moltbook,babylon`: everything except these apps.

If scope is omitted, default is `all`.

## Profiles

- `social`: public social text, comments, announcements.
- `antispam`: unsolicited/pumping/coordinating messaging.
- `hr`: workplace, hiring, performance, or employee conduct language.
- `privacy`: personally identifying data and private information disclosures.
- `market`: market/financial claims and outcome assertions.
- `legal`: legal conclusions/implication language.

If no profile is provided, defaults are derived from `--action`:

- `post|comment|message` → `social,legal`
- `trade|market-analysis` → `market,financial`
- `generic` → `legal,social`

## Output

- `PASS`: safe to execute
- `WATCH`: low risk; optional rewrite
- `REVIEW`: human/legal review recommended
- `BLOCK`: do not execute

## Tuning

You can tune decision sensitivity via environment variables (or CLI flags in direct runs):

- `ENTERPRISE_LEGAL_GUARDRAILS_REVIEW_THRESHOLD` (`default: 5`)
- `ENTERPRISE_LEGAL_GUARDRAILS_BLOCK_THRESHOLD` (`default: 9`)

CLI overrides:

- `--review-threshold`
- `--block-threshold`

Legacy aliases are supported in legacy env names: `ELG_*` and `BABYLON_GUARDRAILS_*`.

## Universal outbound adapter (no-native integration path)

For skills/tools without native guardrail hooks (for example: Gmail, custom website publishing, custom message bots), run outbound operations through the wrapper:

```bash
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py \
  --app <app_name> \
  --action <post|comment|message|trade|market-analysis|generic> \
  --text "$DRAFT" \
  -- <outbound command...>
```

Examples:

```bash
# Gmail via gog
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py \
  --app gmail --action message --text "Hello, ..." \
  -- gog gmail send --to user@domain.com --subject "Update" --body "Hello, ..."

# Website/publication publish flow
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py \
  --app website --action post --text "$POST_COPY" \
  -- npm run publish-post "$POST_COPY"
```

Use this wrapper to apply the same policy checks in non-Babylon outbound flows.

## Compatibility

Legacy name `legal-risk-checker` is preserved in OpenClaw workspaces that still reference it.

## References

See `references/guardrail-policy-map.md` for the full policy rule set and suggested rewrites.

## Packaging

A distributable bundle is available at:

- `dist/enterprise-legal-guardrails.skill`

### Hardening controls for `guard_and_run.py`

For non-native outbound integrations, treat `guard_and_run` as an execution boundary. Recommended flags/env:

Execution safety is allowlist-first by default. The wrapper requires an explicit `--allowed-command` (or env alias) unless `--allow-any-command` is explicitly enabled.

- `--allow-any-command` / `ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND`
  - Explicitly bypass allowlist enforcement (unsafe; audit-first use only).
- `--suppress-allow-any-warning` / `ENTERPRISE_LEGAL_GUARDRAILS_SUPPRESS_ALLOW_ANY_WARNING`
  - Suppresses the runtime safety warning when `--allow-any-command` is intentionally enabled.
- `--allow-any-command-reason` / `ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_REASON`
  - Mandatory rationale for any `allow-any` bypass invocation. Suggested format: `SEC-1234: emergency fix`.
- `--allow-any-command-approval-token` / `ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_APPROVAL_TOKEN`
  - Mandatory approval token for any `allow-any` bypass invocation; stored as a short token fingerprint in audit logs.
- `--allowed-command <exe...>` / `ENTERPRISE_LEGAL_GUARDRAILS_ALLOWED_COMMANDS`
  - Allow-list executables (supports comma/space lists and wildcards).
- `--strict` / `ENTERPRISE_LEGAL_GUARDRAILS_STRICT`
  - Escalate `REVIEW` to hard block.
- `--sanitize-env`
- `--keep-env <VAR...>` / `--keep-env-prefix <PREFIX...>`
- `--command-timeout`, `--checker-timeout`, `--max-text-bytes`
- `--audit-log <file>` / `ENTERPRISE_LEGAL_GUARDRAILS_AUDIT_LOG`

These flags provide execution safety, command scoping, and an immutable trail for post-incident review without changing checker logic.
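The scope rules, verdict handling and allowlist-first behaviour described above can be modelled in a few functions. This is an added illustration, not code from `guard_and_run.py`: every function name, the basename matching, the `review` outcome for non-strict `REVIEW`, and the 12-character SHA-256 fingerprint are assumptions made for the sketch.

```python
import fnmatch
import hashlib
import os

def in_scope(app, scope="all", apps=()):
    """Scope filter as the page describes it: all | include | exclude."""
    if scope == "include":
        return app in apps
    if scope == "exclude":
        return app not in apps
    return True  # default when scope is omitted

def command_allowed(argv, allowed):
    """Allowlist-first: match the executable's basename against wildcard patterns."""
    exe = os.path.basename(argv[0]) if argv else ""
    return any(fnmatch.fnmatchcase(exe, pat) for pat in allowed)

def sanitized_env(env, keep=(), keep_prefixes=()):
    """Pass through only named variables or variables with a kept prefix."""
    return {k: v for k, v in env.items()
            if k in keep or any(k.startswith(p) for p in keep_prefixes)}

def token_fingerprint(token):
    """Short tag for audit logs (assumed here: first 12 hex chars of SHA-256)."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]

def decide(verdict, app, argv, *, scope="all", apps=(), allowed=(), strict=False):
    """Return 'run', 'review' or 'block' for one outbound command."""
    if not command_allowed(argv, allowed):
        return "block"   # the command check comes first, whatever the text scored
    if not in_scope(app, scope, apps):
        return "run"     # app is outside the content-check scope
    if verdict in ("PASS", "WATCH"):
        return "run"
    if verdict == "REVIEW" and not strict:
        return "review"  # route for human/legal review
    return "block"       # BLOCK, strict REVIEW, or an unknown verdict (fail closed)

# Constructed sample environment, not taken from the project.
SAMPLE_ENV = {"PATH": "/usr/bin", "GOG_ACCOUNT": "ops", "AWS_SECRET_ACCESS_KEY": "x"}
```

Matching on the executable's basename is a simplification in this sketch; an allowlist of absolute paths is stricter.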

Tags

skill ai

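Install via chat

This skill can be installed via chat on the following platforms:

OpenClaw WorkBuddy QClaw Kimi Claude

Option 1: Install SkillHub and the skill

Help me install SkillHub and the enterprise-legal-guardrails-public-1776420007 skill

Option 2: Set SkillHub as the preferred skill installation source

Set SkillHub as my preferred skill installation source, then help me install the enterprise-legal-guardrails-public-1776420007 skill

Install via command line

skillhub install enterprise-legal-guardrails-public-1776420007

Download Zip package

Download enterprise-legal-guardrails v1.0.13

File size: 21.82 KB | Released: 2026-4-17 19:07

v1.0.13 (latest) 2026-4-17 19:07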
enterprise-legal-guardrails-public 1.0.13

- Added comprehensive SKILL.md documentation explaining usage, workflow, configuration, and security guidelines.
- Clarified app scope options, profiles, sensitivity tuning, and output meanings.
- Documented universal outbound adapter for non-native integration use cases.
- Listed recommended hardening controls for outbound wrapper execution.
- Provided guidance for legacy compatibility and references.
