You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The README was missing every capability added recently. Adds two "What makes NULLA different"
subsections and four "What works right now" bullets, matching the file's existing maturity labels
(built + tested / stub-devnet):
- Tiered machine tools: read-only disk / Windows Event Log errors / processes / file inspection run
freely; writes are policy-gated; move/rename is gated by a protected-path denylist + OS consent.
- Safety/control: /stopx402 wallet freeze, /stopall + desktop Stop button, OS-native (Windows Hello)
consent on every spend, HMAC-authenticated spend caps + panic freeze, and a self-updater that swaps
only code and preserves data/ (wallet/keys/tx/receipts), proven by adversarial tests.
- Local-first, self-healing provider routing: serves an installed local model on a tag mismatch
instead of going dark, never fails open to a paid lane, and names the gap on an empty ranking.
States wallet/x402 settlement is stub/devnet and release signing is pending, so nothing reads as more
mature than it is.
Copy file name to clipboardExpand all lines: README.md
+25-1Lines changed: 25 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -67,6 +67,27 @@ NULLA runs a real agent loop: call LLM → parse tool intent → execute (read f
67
67
68
68
Tasks were specifically designed to be impossible without tool use: bugs only visible at runtime, multi-file changes that require reading before editing. The benchmark is in `tests/benchmarks/agent_capability_bench.py` — run it yourself.
69
69
70
+
### Tiered machine tools — read freely, mutate with consent
71
+
72
+
The agent acts on your machine through a typed tool registry, tiered by risk so a model can never quietly do something destructive:
73
+
74
+
-**Read-only (runs freely):** list/read files, machine specs, **disk space**, **recent Windows Event Log errors**, **top processes by memory**, web fetch / search / browser render.
75
+
-**Local writes (policy-gated, off by default):** write files, create directories.
76
+
-**Destructive (explicit OS consent):** e.g. **move/rename a file or folder** — refuses protected system and wallet locations outright, then requires a live Windows Hello / credential prompt before touching anything. Fail-closed everywhere.
77
+
78
+
Every tool declares its `side_effect_class` and `approval_requirement`; the model can only fulfil a gate's preconditions, never bypass it. (Built + tested.)
79
+
80
+
### Safety you control — kill switches + OS-gated spends
81
+
82
+
NULLA touches a real Solana wallet, so control is first-class:
83
+
84
+
-**Emergency brakes.**`/stopx402` freezes the wallet instantly — no x402 payment or `.null` registration can go through — while the assistant keeps running (`/startx402` resumes). `/stopall`, and a red **Stop NULLA** desktop button, hard-stop every NULLA process and disable auto-restart. The desktop button works even if the agent is hung.
85
+
-**The model can't move money on its own.** Every spend is gated by an OS-native consent prompt (Windows Hello / credential dialog) that names the exact amount and wallet, fail-closed — a prompt-injected or mistaken "yes" in chat cannot satisfy it.
86
+
-**Spend policy.** Per-transaction, daily, and weekly caps plus a panic freeze, HMAC-authenticated on disk so a tampered policy fails closed.
87
+
-**Updates never touch your wallet.** The self-updater swaps only code; `data/` (wallet, keys, tx history, x402 receipts) is preserved by construction — proven with adversarial tests that a malicious release shipping its own `data/` still cannot overwrite your originals.
88
+
89
+
(All built + tested. The wallet/x402 *settlement* itself is stub/devnet today — see "What works right now".)
90
+
70
91
### Three-tier memory that actually works
71
92
72
93
Most local LLM setups either blow up the context window or chop off the beginning and lose everything. NULLA compresses without forgetting.
@@ -251,7 +272,10 @@ wants **WSL2/Linux plus a non-local-only profile**:
251
272
-**Compute-rental market** — prices your real hardware, welds x402 receipt hash into tamper-evident `WorkProof`. The `rent()` → `_pay_x402()` pay-upfront path is **wired and integration-tested** (315-LOC end-to-end test; stub/devnet modes — live mainnet anchor pending).
252
273
-**DNA x402 payment bridge + wallet manager** — simulated USDC→credit purchase path (1 USDC = 1000 credits) against a local SQLite wallet; settlement is simulated today (stub/devnet), live on-chain settlement coming. A local on-chain receipt verifier gates real settlement so reputation can't be self-claimed (built + tested).
253
274
-**Directory-less peer discovery** — Kademlia DHT routing table (k=20 buckets) + verified-endpoint liveness index; nodes find each other without a central directory (built + tested).
254
-
-**Role-aware provider routing** — local drone lanes vs synthesis lanes, local llama.cpp, vLLM, and Kimi lanes when configured.
275
+
-**Role-aware, local-first provider routing** — drone vs synthesis lanes; local llama.cpp, vLLM, and Kimi lanes when configured. Self-healing: if the exact model tag you asked for isn't installed it serves the best available **local** model instead of going dark, and **never fails open to a paid cloud lane** (cost/safety constraints stay enforced). When nothing can serve, the trace names the gap (empty registry / disabled / missing license) rather than a generic error.
276
+
-**Kill switches + OS-gated spends** — `/stopx402` freezes the wallet, `/stopall` and a desktop Stop button hard-stop everything; every spend is gated by a fail-closed Windows Hello / credential prompt; per-tx / daily / weekly caps + panic freeze are HMAC-authenticated on disk (built + tested).
277
+
-**Tiered machine tools** — read-only disk / Windows Event Log errors / process / file inspection run freely; writes are policy-gated; move/rename is gated by a protected-path denylist **and** OS consent (built + tested).
278
+
-**Wallet-safe self-update** — consent-gated in-chat update that swaps only code and preserves `data/` (wallet, keys, tx history, receipts); adversarial tests prove a malicious release can't overwrite them (built + tested; release signing pending).
0 commit comments