Safe by Design, Not by Convention

Geneclaw's safety model is built into the core protocol, not bolted on. Dry-run is the default state. Human approval is the default gate. Every layer is logged.

The Three Safety Pillars

Containment

Path allowlists limit what Geneclaw can touch. Denylist patterns protect sensitive files. Diff size limits prevent large-scale mutations.

Detection

Secret scanning prevents credential leakage. Code pattern detection flags dangerous constructs. Every proposal is scanned before gating.

Reversibility

All changes are applied on dedicated git branches. Tests must pass before committing. One-command rollback is always available.

The 5-Layer Gatekeeper

The Gatekeeper is the enforcement layer between a proposal and the filesystem. Every proposal must pass all five layers in sequence. Any layer can reject. All decisions are appended to the event store.

1. Path Allowlist / Denylist Check: Every file path in the proposal's diff is checked against the configured gatekeeper.allowlist and gatekeeper.denylist. A single path violation rejects the entire proposal. Paths not in the allowlist are implicitly denied.

2. Diff Size Limit: The total line count of the unified diff is compared against gatekeeper.max_diff_lines (default: 200). Large changes are harder to review safely; this limit enforces incremental, reviewable evolution.

3. Secret Scan: The entire diff is scanned for patterns matching API keys, tokens, passwords, private keys, and PII (emails, SSNs, etc.). Matches trigger an immediate rejection and a secret_leak_attempt event in the store. This layer also prevents secrets from entering the event store via proposals.

4. Code Pattern Detection: Configurable regex and AST-based rules scan for dangerous code patterns: shell injection, eval(), exec(), subprocess.shell=True, unrestricted file writes, network calls in unexpected locations. Custom patterns can be added in config.

5. Dry-Run Pytest Gate: The proposal is applied to a temporary git branch and the configured test command runs (default: pytest tests/). The proposal only receives a gate-passed status if all tests pass. The branch is always discarded after the gate check, regardless of result.

Recommended Allowlist Strategy

The single most important safety configuration is the allowlist. Follow the Minimal Allowlist Principle: only allow Geneclaw to touch the paths it genuinely needs to evolve. Expand the allowlist deliberately, one directory at a time, as you build trust in the system.

# Recommended starting configuration
[gatekeeper]
allowlist = [
  "src/prompts/",          # prompt templates only
  "config/agent/"           # agent config files only
]
denylist = [
  ".env", ".env.*",            # all .env files
  "secrets/",                # secrets directory
  "*.key", "*.pem", "*.p12",  # private keys
  "*.sqlite", "*.db",         # databases
  "**/migrations/**"         # database migrations
]
max_diff_lines = 200
secret_scan = true

# Expand only when ready:
# allowlist += ["src/tools/"]  # add tool definitions
# allowlist += ["tests/"]      # add test improvements
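The five gatekeeper layers and the recommended allowlist/denylist configuration above, worked through as an added Python example that is not Geneclaw's own code. It assumes the configuration shape as a plain dict, a handful of illustrative secret and code-pattern rules, a constructed make_diff helper that builds minimal unified diffs, and an injected run_tests callable that stands in for the temporary-branch pytest gate (no git repository is touched):

```python
import ast
import fnmatch
import re
import textwrap

# Constructed config (shape assumed) mirroring the recommended starting configuration above.
CONFIG = {
    "allowlist": ["src/prompts/", "config/agent/"],
    "denylist": [".env", ".env.*", "secrets/", "*.key", "*.pem", "*.p12",
                 "*.sqlite", "*.db", "**/migrations/**"],
    "max_diff_lines": 200,
    "secret_scan": True,
}
# Illustrative detector rules (assumed); a real deployment carries a far larger set.
SECRET_PATTERNS = {
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "credential_assignment": re.compile(r"(?i)\b(?:api_key|token|password|secret)\w*\s*[:=]\s*['\"][^'\"]{8,}"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[a-z]{2,}", re.I),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
CODE_PATTERNS = {"subprocess_shell_true": re.compile(r"\bshell\s*=\s*True\b")}

def diff_paths(diff):
    return [l[6:].strip() for l in diff.splitlines() if l.startswith("+++ b/")]

def added_lines(diff):
    return [l[1:] for l in diff.splitlines() if l.startswith("+") and not l.startswith("+++")]

def path_matches(path, pattern, anchored):
    """'dir/' patterns: root prefix when anchored (allowlist), anywhere otherwise (denylist)."""
    if pattern.endswith("/"):
        return path.startswith(pattern) if anchored else f"/{pattern}" in f"/{path}"
    base = path.rsplit("/", 1)[-1]
    return fnmatch.fnmatch(path, pattern) or (not anchored and fnmatch.fnmatch(base, pattern))

class Gatekeeper:  # each layer_* returns a rejection reason, or None to let the proposal continue
    LAYERS = ("paths", "size", "secrets", "code", "tests")  # enforced in this order

    def __init__(self, cfg, run_tests):
        self.cfg = cfg
        self.run_tests = run_tests  # injected stand-in for the dry-run pytest gate
        self.events = []            # append-only event store

    def _emit(self, kind, pid, **detail):
        self.events.append({"event": kind, "proposal": pid, **detail})

    def layer_paths(self, diff):
        for path in diff_paths(diff):
            if any(path_matches(path, p, False) for p in self.cfg["denylist"]):
                return f"denylisted path: {path}"
            if not any(path_matches(path, p, True) for p in self.cfg["allowlist"]):
                return f"path not in allowlist: {path}"

    def layer_size(self, diff):
        n, limit = len(diff.splitlines()), self.cfg["max_diff_lines"]
        return f"diff has {n} lines, limit is {limit}" if n > limit else None

    def layer_secrets(self, diff):
        for name, rx in SECRET_PATTERNS.items():
            if self.cfg["secret_scan"] and rx.search(diff):
                return f"secret pattern: {name}"  # rule name only; never echo the match

    def layer_code(self, diff):
        added = added_lines(diff)
        for name, rx in CODE_PATTERNS.items():
            if any(rx.search(l) for l in added):
                return f"dangerous pattern: {name}"
        try:
            tree = ast.parse(textwrap.dedent("\n".join(added)))
        except SyntaxError:
            return None  # not a standalone Python fragment; the regex rules already ran
        for node in ast.walk(tree):  # AST rule: direct calls to eval()/exec()
            if isinstance(node, ast.Call) and isinstance(node.func, ast.Name) and node.func.id in ("eval", "exec"):
                return f"dangerous call: {node.func.id}()"

    def layer_tests(self, diff):
        # A real gate applies the diff on a temporary branch, runs the configured test
        # command and discards the branch regardless of result; the outcome is injected here.
        return None if self.run_tests(diff) else "tests failed on temporary branch"

    def check(self, proposal):
        pid, diff = proposal["id"], proposal["diff"]
        for name in self.LAYERS:
            reason = getattr(self, f"layer_{name}")(diff)
            if reason:
                if name == "secrets":
                    self._emit("secret_leak_attempt", pid, rule=reason)
                self._emit("gate_rejected", pid, layer=name, reason=reason)
                return {"status": "rejected", "layer": name, "reason": reason}
        self._emit("gate_passed", pid)
        return {"status": "gate-passed", "layer": None, "reason": None}

def make_diff(path, *new_lines):
    """Constructed minimal unified diff that appends new_lines to path."""
    body = "\n".join(f"+{l}" for l in new_lines)
    return f"--- a/{path}\n+++ b/{path}\n@@ -1,0 +1,{len(new_lines)} @@\n{body}\n"

if __name__ == "__main__":  # constructed sample run with a test gate that always passes
    gate = Gatekeeper(CONFIG, run_tests=lambda diff: True)
    print(gate.check({"id": "gep-001", "diff": make_diff("src/prompts/system.txt", "Answer concisely.")}))
```

Two choices worth noting: allowlist directory patterns are anchored at the repository root while denylist patterns match anywhere in the path, so a nested migrations/ or secrets/ directory under an allowed tree is still refused; and the secret layer appends only the rule name to the event store, which is what keeps the matched credential out of the store. After a run, gate.events holds the ordered decisions for every proposal checked.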

Dry-Run by Default — In Detail

The dry_run = true default means:

  • All evolve commands generate proposals without touching the filesystem
  • All gate commands check proposals without applying anything
  • The apply command requires the --apply flag explicitly; without it, it only simulates the apply and reports what would happen
  • The autopilot command never auto-applies if dry_run = true, even within risk thresholds

Rollback

Every applied change lives on a git branch named geneclaw/gep-{id}. Rollback is always available:

# Rollback the most recent applied proposal
geneclaw apply --rollback

# Rollback a specific proposal
geneclaw apply --rollback --proposal proposals/gep-001.json

# Manual git rollback
git checkout main
git branch -D geneclaw/gep-001

Vulnerability Reporting

If you discover a security vulnerability in Geneclaw, please see our Security Policy for responsible disclosure guidelines. Do not open a public GitHub issue for security vulnerabilities.