Skip to content

Commit 21854bc

Browse files
committed
docs(readme): document kill switches, tiered machine tools, OS-gated spends, self-healing routing
The README was missing every capability added recently. Adds two "What makes NULLA different" subsections and four "What works right now" bullets, matching the file's existing maturity labels (built + tested / stub-devnet): - Tiered machine tools: read-only disk / Windows Event Log errors / processes / file inspection run freely; writes are policy-gated; move/rename is gated by a protected-path denylist + OS consent. - Safety/control: /stopx402 wallet freeze, /stopall + desktop Stop button, OS-native (Windows Hello) consent on every spend, HMAC-authenticated spend caps + panic freeze, and a self-updater that swaps only code and preserves data/ (wallet/keys/tx/receipts), proven by adversarial tests. - Local-first, self-healing provider routing: serves an installed local model on a tag mismatch instead of going dark, never fails open to a paid lane, and names the gap on an empty ranking. States wallet/x402 settlement is stub/devnet and release signing is pending, so nothing reads as more mature than it is.
1 parent a88e727 commit 21854bc

1 file changed

Lines changed: 25 additions & 1 deletion

File tree

README.md

Lines changed: 25 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -67,6 +67,27 @@ NULLA runs a real agent loop: call LLM → parse tool intent → execute (read f
6767

6868
Tasks were specifically designed to be impossible without tool use: bugs only visible at runtime, multi-file changes that require reading before editing. The benchmark is in `tests/benchmarks/agent_capability_bench.py` — run it yourself.
6969

70+
### Tiered machine tools — read freely, mutate with consent
71+
72+
The agent acts on your machine through a typed tool registry, tiered by risk so a model can never quietly do something destructive:
73+
74+
- **Read-only (runs freely):** list/read files, machine specs, **disk space**, **recent Windows Event Log errors**, **top processes by memory**, web fetch / search / browser render.
75+
- **Local writes (policy-gated, off by default):** write files, create directories.
76+
- **Destructive (explicit OS consent):** e.g. **move/rename a file or folder** — refuses protected system and wallet locations outright, then requires a live Windows Hello / credential prompt before touching anything. Fail-closed everywhere.
77+
78+
Every tool declares its `side_effect_class` and `approval_requirement`; the model can only fulfil a gate's preconditions, never bypass it. (Built + tested.)
79+
80+
### Safety you control — kill switches + OS-gated spends
81+
82+
NULLA touches a real Solana wallet, so control is first-class:
83+
84+
- **Emergency brakes.** `/stopx402` freezes the wallet instantly — no x402 payment or `.null` registration can go through — while the assistant keeps running (`/startx402` resumes). `/stopall`, and a red **Stop NULLA** desktop button, hard-stop every NULLA process and disable auto-restart. The desktop button works even if the agent is hung.
85+
- **The model can't move money on its own.** Every spend is gated by an OS-native consent prompt (Windows Hello / credential dialog) that names the exact amount and wallet, fail-closed — a prompt-injected or mistaken "yes" in chat cannot satisfy it.
86+
- **Spend policy.** Per-transaction, daily, and weekly caps plus a panic freeze, HMAC-authenticated on disk so a tampered policy fails closed.
87+
- **Updates never touch your wallet.** The self-updater swaps only code; `data/` (wallet, keys, tx history, x402 receipts) is preserved by construction — proven with adversarial tests that a malicious release shipping its own `data/` still cannot overwrite your originals.
88+
89+
(All built + tested. The wallet/x402 *settlement* itself is stub/devnet today — see "What works right now".)
90+
7091
### Three-tier memory that actually works
7192

7293
Most local LLM setups either blow up the context window or chop off the beginning and lose everything. NULLA compresses without forgetting.
@@ -251,7 +272,10 @@ wants **WSL2/Linux plus a non-local-only profile**:
251272
- **Compute-rental market** — prices your real hardware, welds x402 receipt hash into tamper-evident `WorkProof`. The `rent()``_pay_x402()` pay-upfront path is **wired and integration-tested** (315-LOC end-to-end test; stub/devnet modes — live mainnet anchor pending).
252273
- **DNA x402 payment bridge + wallet manager** — simulated USDC→credit purchase path (1 USDC = 1000 credits) against a local SQLite wallet; settlement is simulated today (stub/devnet), live on-chain settlement coming. A local on-chain receipt verifier gates real settlement so reputation can't be self-claimed (built + tested).
253274
- **Directory-less peer discovery** — Kademlia DHT routing table (k=20 buckets) + verified-endpoint liveness index; nodes find each other without a central directory (built + tested).
254-
- **Role-aware provider routing** — local drone lanes vs synthesis lanes, local llama.cpp, vLLM, and Kimi lanes when configured.
275+
- **Role-aware, local-first provider routing** — drone vs synthesis lanes; local llama.cpp, vLLM, and Kimi lanes when configured. Self-healing: if the exact model tag you asked for isn't installed it serves the best available **local** model instead of going dark, and **never fails open to a paid cloud lane** (cost/safety constraints stay enforced). When nothing can serve, the trace names the gap (empty registry / disabled / missing license) rather than a generic error.
276+
- **Kill switches + OS-gated spends**`/stopx402` freezes the wallet, `/stopall` and a desktop Stop button hard-stop everything; every spend is gated by a fail-closed Windows Hello / credential prompt; per-tx / daily / weekly caps + panic freeze are HMAC-authenticated on disk (built + tested).
277+
- **Tiered machine tools** — read-only disk / Windows Event Log errors / process / file inspection run freely; writes are policy-gated; move/rename is gated by a protected-path denylist **and** OS consent (built + tested).
278+
- **Wallet-safe self-update** — consent-gated in-chat update that swaps only code and preserves `data/` (wallet, keys, tx history, receipts); adversarial tests prove a malicious release can't overwrite them (built + tested; release signing pending).
255279
- **Capability-reporting API**`GET /api/runtime/capabilities` — implemented / simulated / disabled, per feature.
256280
- **CI** — sharded local regression + GitHub Actions + fast LLM acceptance suite.
257281

0 commit comments

Comments
 (0)