-
Notifications
You must be signed in to change notification settings - Fork 0
Safety
Jarvis can act on a real machine, so safety is built into the architecture, not bolted on. Read this before granting it more autonomy.
Out of the box mode: shadow — Jarvis proposes, never executes. Risky action classes (deploy, infra_mutate, self_modify) are deny. You raise the mode and grant action classes deliberately, in Settings → Behavior, and watch the Activity tab. Read-only investigate and propose are the only things on by default.
The fitness harness (jarvis/safety/fitness.py) runs as a separate, tamper-proof subprocess; the mind can only read its result, never write it. This is the defense against reward-hacking (an agent fabricating its own eval). The gate checks real invariants — a shadow tick, a memory write-then-read round-trip, and that verification fails closed.
verify() spawns a red-team agent to disprove a claim. If the check can't actually run — no brain, an error, or no explicit verdict — it returns not verified (survives=False, verified=False). An un-run check is never read as a pass. Answers Jarvis can't verify are flagged "unverified," and genuinely-stuck questions are escalated to you rather than guessed.
Editing its own code goes through propose_self_edit:
- Archive the current code (git tag) — rollback is one command.
- Apply the change in the working tree.
- Re-run the tamper-proof fitness gate.
- Run an independent red-team. (No red-team supplied ⇒ not adopted — no rubber-stamp.)
- Adopt only if fitness didn't drop AND it survived; otherwise roll back to the archive.
self_modify is deny by default — this whole path is dormant until you opt in.
- The dashboard is token-gated. The token (
state/dashboard_token, chmod 600) is your password; the login link embeds it. Keep it private — it grants access to anyone on your network who has it../install.sh urlre-prints it. -
Secrets live only in
.env(gitignored, chmod 600) and/or your external vault — never in source, logs, or chat. The repo's.gitignoreexcludes.env,state/, andextras/. - For internet exposure, put the dashboard behind a reverse proxy with real auth/TLS rather than exposing
:8787directly.
Please open a private security advisory on GitHub (or email the maintainer) rather than a public issue. This is beta — assume rough edges and run it somewhere blast-radius-limited.