Tier System
Every tool in Ryvos has a base security tier. The SecurityGate evaluates each call and may escalate the effective tier based on input inspection.
Tier Definitions
T0 — Safe
Read-only operations with no side effects. Always auto-approved.
| Tool | Description |
|---|---|
| read | Read file contents |
| glob | File pattern matching |
| grep | Full-text search in files |
| memory_search | Search across session history (FTS5) |
T1 — Low Risk
Reversible writes and low-risk network operations. Auto-approved by default.
| Tool | Description |
|---|---|
| web_fetch | Fetch and parse web pages |
| web_search | Web search (Tavily) |
| memory_write | Write to persistent memory |
T2 — Medium Risk
File modifications and system changes. Requires approval by default.
| Tool | Description |
|---|---|
| write | Create or overwrite files |
| edit | Line-based file editing |
| apply_patch | Apply patch files |
T3 — High Risk
Shell execution, network operations, and agent spawning. Always requires approval.
| Tool | Description |
|---|---|
| bash | Execute shell commands |
| spawn_agent | Create child agent |
T4 — Critical / Dangerous
Matched by dangerous pattern detection. Always denied, no override.
Examples: rm -rf /, DROP TABLE, curl|bash, mkfs, dd if=
Effective Tier Calculation
The effective tier is the maximum of:
- The tool's base tier
- Any escalation from dangerous pattern matching
effective_tier = max(tool.tier, pattern_escalation)
For example, bash has base tier T3. If the command matches rm -rf, it's escalated to T4.
Security Policy
The policy maps tiers to actions:
[security]
auto_approve_up_to = "t1" # T0-T1: Allow
deny_above = null # Only T4 denied (set to "t3" for stricter)
approval_timeout_secs = 60 # T2-T3: Approval with timeout
| Effective Tier | Policy Decision |
|---|---|
| T0 | Allow |
| T1 | Allow |
| T2 | NeedsApproval |
| T3 | NeedsApproval |
| T4 | Deny |
Sub-Agent Policy
Spawned agents run under a stricter policy:
[security.sub_agent_policy]
auto_approve_up_to = "t0" # Only T0 auto-approved
deny_above = "t2" # T3+ denied entirely
This prevents the LLM from escalating privileges by spawning agents that execute dangerous commands.
Customization
You can adjust the tier boundaries to match your risk tolerance:
# Paranoid mode: manual approval for everything above T0
[security]
auto_approve_up_to = "t0"
# YOLO mode — auto-approve all except T4
[security]
auto_approve_up_to = "t3"
# Air-gapped — deny all network + shell
[security]
deny_above = "t1"
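The tier calculation and policy mapping described on this page, modelled in Python as an added example (not Ryvos's own code). The regexes are constructed stand-ins for the T4 examples listed above, and two points are assumptions: `deny_above` denies every tier above the named one (as in the sub-agent comment), and unknown tools are treated as T3.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Base tiers copied from the tables on this page.
BASE_TIER = {"read": 0, "glob": 0, "grep": 0, "memory_search": 0,
             "web_fetch": 1, "web_search": 1, "memory_write": 1,
             "write": 2, "edit": 2, "apply_patch": 2,
             "bash": 3, "spawn_agent": 3}

# Constructed stand-ins for the page's T4 examples; not Ryvos's real pattern list.
DANGEROUS = [re.compile(p, re.I) for p in (
    r"\brm\s+-rf\b",
    r"\bdrop\s+table\b",
    r"\bcurl\b[^|]*\|\s*(ba)?sh\b",
    r"\bmkfs\b",
    r"\bdd\s+if=",
)]

@dataclass(frozen=True)
class Policy:
    auto_approve_up_to: int           # highest tier allowed without a prompt
    deny_above: Optional[int] = None  # assumption: tiers above this are denied

MAIN = Policy(auto_approve_up_to=1)                   # [security] defaults
SUB_AGENT = Policy(auto_approve_up_to=0, deny_above=2)  # [security.sub_agent_policy]

def effective_tier(tool: str, tool_input: str) -> int:
    """effective_tier = max(tool.tier, pattern_escalation)."""
    base = BASE_TIER.get(tool, 3)  # assumption: unknown tools fail closed at T3
    escalation = 4 if any(p.search(tool_input) for p in DANGEROUS) else 0
    return max(base, escalation)

def decide(policy: Policy, tool: str, tool_input: str = "") -> str:
    tier = effective_tier(tool, tool_input)
    # Deny is checked first, so no auto-approve setting can unlock T4.
    if tier >= 4 or (policy.deny_above is not None and tier > policy.deny_above):
        return "Deny"
    if tier <= policy.auto_approve_up_to:
        return "Allow"
    return "NeedsApproval"
```

In this model `Policy(1, 1)`, the air-gapped preset, denies `write` and `bash` but still returns Allow for `web_fetch`, because the tables above place it at T1.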