
Security Overview

Ryvos implements defense-in-depth for AI agent safety. Every tool call passes through multiple layers before it can execute.

The Problem

Most AI agents run with your full permissions. A single prompt injection — from a webpage, an MCP server, or a malicious dependency — can turn your assistant into an attacker. We've seen agents execute rm -rf /, leak SSH keys, and drop production databases without any confirmation.

Defense-in-Depth Architecture

Every tool call in Ryvos passes through the SecurityGate before execution:

Tool Call → SecurityGate
             ├→ Tier Classification (T0-T4)
             ├→ Dangerous Pattern Detection (9 built-in regexes)
             ├→ Policy Decision (Allow / NeedsApproval / Deny)
             ├→ ApprovalBroker (human-in-the-loop)
             └→ Execute (optionally in Docker sandbox)

Layer 1: Tier Classification

Every tool has a base security tier. The SecurityGate computes an effective tier by combining the base tier with input inspection:

Tier  Risk      Default Policy   Examples
T0    Safe      Auto-approve     read, glob, grep, memory_search
T1    Low       Auto-approve     web_fetch, web_search, memory_write
T2    Medium    Needs approval   write, edit, apply_patch
T3    High      Needs approval   bash, spawn_agent
T4    Critical  Always deny      Any command matching a dangerous pattern

Layer 2: Dangerous Pattern Detection

Nine built-in regex patterns scan every command before execution. If any pattern matches, the tool call is escalated to T4 (always denied), regardless of the tool's base tier:

  • rm -rf — recursive deletion
  • git push --force — force push
  • DROP TABLE — SQL destruction
  • chmod 777 — wide-open permissions
  • mkfs. — filesystem format
  • dd if= — raw disk write
  • > /dev/ — device file write
  • curl|bash — pipe to shell
  • wget|sh — pipe to shell

You can add custom patterns in config.

Layer 3: Approval Flow

When a tool call needs approval, the ApprovalBroker sends the request to whatever channel you're using — REPL, TUI, Telegram, Discord, Slack, or the Web UI. You have 60 seconds (configurable) to approve or deny. If the timeout elapses without a response, the request is denied.

Layer 4: Docker Sandbox

With [agent.sandbox] enabled, the bash tool runs commands inside an isolated Docker container:

  • Configurable memory limits
  • Network isolation
  • Read-only workspace mount
  • Automatic cleanup

Layer 5: Sub-Agent Restrictions

When Ryvos spawns a child agent (via spawn_agent), the child runs under a stricter security policy than the parent. Default: auto-approve T0 only, deny above T2. This prevents privilege escalation through agent chains.
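The following is an added illustration of how Layers 1, 2 and 5 combine into a single policy decision; it is not Ryvos's own code. The base tiers come from the tier table, the nine regexes are assumed renderings of the pattern descriptions (the exact expressions Ryvos ships are not on this page), unknown tools defaulting to T3 and the child-agent rule that T1–T2 calls need approval are assumptions, and which arguments get scanned (every string argument) is likewise an assumption.

```python
import re
from enum import IntEnum

class Tier(IntEnum):
    T0 = 0  # Safe
    T1 = 1  # Low
    T2 = 2  # Medium
    T3 = 3  # High
    T4 = 4  # Critical: always denied

# Base tiers for the tools named in the tier table.
BASE_TIER = {
    "read": Tier.T0, "glob": Tier.T0, "grep": Tier.T0, "memory_search": Tier.T0,
    "web_fetch": Tier.T1, "web_search": Tier.T1, "memory_write": Tier.T1,
    "write": Tier.T2, "edit": Tier.T2, "apply_patch": Tier.T2,
    "bash": Tier.T3, "spawn_agent": Tier.T3,
}

# One regex per built-in pattern. These are assumed renderings of the nine
# descriptions, not the expressions Ryvos actually ships.
DANGEROUS_PATTERNS = [
    ("rm -rf", re.compile(r"\brm\s+-\w*(rf|fr)\w*")),
    ("git push --force", re.compile(r"\bgit\s+push\b.*--force\b")),
    ("DROP TABLE", re.compile(r"\bdrop\s+table\b", re.IGNORECASE)),
    ("chmod 777", re.compile(r"\bchmod\b.*\b777\b")),
    ("mkfs.", re.compile(r"\bmkfs\.")),
    ("dd if=", re.compile(r"\bdd\s+.*\bif=")),
    ("> /dev/", re.compile(r">\s*/dev/")),
    ("curl|bash", re.compile(r"\bcurl\b[^|]*\|\s*(sudo\s+)?bash\b")),
    ("wget|sh", re.compile(r"\bwget\b[^|]*\|\s*(sudo\s+)?sh\b")),
]

def matched_patterns(text):
    """Names of every dangerous pattern that fires on `text`, in table order."""
    return [name for name, rx in DANGEROUS_PATTERNS if rx.search(text)]

def effective_tier(tool, args):
    """Base tier, raised to T4 if any string argument trips a dangerous pattern."""
    base = BASE_TIER.get(tool, Tier.T3)  # unknown tools treated as high risk (assumption)
    text = " ".join(v for v in args.values() if isinstance(v, str))
    return Tier.T4 if matched_patterns(text) else base

def decide(tool, args, child_agent=False):
    """Return (policy, tier). child_agent=True applies the stricter sub-agent
    defaults: auto-approve T0 only, deny above T2, approval in between (assumed)."""
    tier = effective_tier(tool, args)
    if tier == Tier.T4:
        return "Deny", tier
    if child_agent:
        return ("Allow" if tier == Tier.T0 else
                "NeedsApproval" if tier <= Tier.T2 else "Deny"), tier
    return ("Allow" if tier <= Tier.T1 else "NeedsApproval"), tier
```

Note that a literal rendering of the `> /dev/` pattern also fires on the common and harmless `> /dev/null`; a deployment tuning custom patterns in config should decide whether that redirection deserves a T4 escalation.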

Layer 6: Guardian Watchdog

A background process monitors every run for anomalies:

  • Doom loops — same tool called repeatedly with identical input
  • Stalls — no progress for N seconds
  • Token budget — prevent runaway conversations

The Guardian can inject corrective hints or cancel a run entirely.

Audit Trail

Every tool invocation is logged with:

  • Timestamp
  • Tool name and input
  • Security tier (base and effective)
  • Policy decision
  • Approval status (if applicable)
  • Execution result
