Skip to content
Yohn Gutierrez edited this page Jun 17, 2026 · 2 revisions

Safety

Jarvis can act on a real machine, so safety is built into the architecture, not bolted on. Read this before granting it more autonomy.

Propose-only by default

Out of the box mode: shadow — Jarvis proposes, never executes. Risky action classes (deploy, infra_mutate, self_modify) are deny. You raise the mode and grant action classes deliberately, in Settings → Behavior, and watch the Activity tab. Read-only investigate and propose are the only things on by default.

The mind never grades its own homework

The fitness harness (jarvis/safety/fitness.py) runs as a separate, tamper-proof subprocess; the mind can only read its result, never write it. This is the defense against reward-hacking (an agent fabricating its own eval). The gate checks real invariants — a shadow tick, a memory write-then-read round-trip, and that verification fails closed.

Verification fails closed

verify() spawns a red-team agent to disprove a claim. If the check can't actually run — no brain, an error, or no explicit verdict — it returns not verified (survives=False, verified=False). An un-run check is never read as a pass. Answers Jarvis can't verify are flagged "unverified," and genuinely-stuck questions are escalated to you rather than guessed.

Self-modification seatbelt

Editing its own code goes through propose_self_edit:

  1. Archive the current code (git tag) — rollback is one command.
  2. Apply the change in the working tree.
  3. Re-run the tamper-proof fitness gate.
  4. Run an independent red-team. (No red-team supplied ⇒ not adopted — no rubber-stamp.)
  5. Adopt only if fitness didn't drop AND it survived; otherwise roll back to the archive.

self_modify is deny by default — this whole path is dormant until you opt in.

Access & secrets

  • The dashboard is token-gated. The token (state/dashboard_token, chmod 600) is your password; the login link embeds it. Keep it private — it grants access to anyone on your network who has it. ./install.sh url re-prints it.
  • Secrets live only in .env (gitignored, chmod 600) and/or your external vault — never in source, logs, or chat. The repo's .gitignore excludes .env, state/, and extras/.
  • For internet exposure, put the dashboard behind a reverse proxy with real auth/TLS rather than exposing :8787 directly.

Reporting a vulnerability

Please open a private security advisory on GitHub (or email the maintainer) rather than a public issue. This is beta — assume rough edges and run it somewhere blast-radius-limited.

Clone this wiki locally