🛡️ Safety Gate
AEGIS safe action matrix and task type risk tiers
The safety gate evaluates every task before execution.
Blocked tasks are rejected unconditionally.
Needs-approval tasks require explicit operator sign-off.
Safe Actions (17)
| Action | Risk |
|---|---|
| read_file | safe |
| list_directory | safe |
| query_database_readonly | safe |
| search_memory | safe |
| generate_report | safe |
| summarize_text | safe |
| run_audit | safe |
| check_service_status | safe |
| read_model_info | safe |
| run_embedding | safe |
| list_tasks | safe |
| view_dashboard | safe |
| view_logs | safe |
| run_proof_of_life | safe |
| brain_council_consult | safe |
| challenge_mode_run | safe |
| brain_bridge_lookup | safe |
Needs Approval (12)
| Action | Risk |
|---|---|
| write_file | needs_approval |
| update_database | needs_approval |
| delete_task | needs_approval |
| run_script | needs_approval |
| stop_service | needs_approval |
| start_service | needs_approval |
| restart_service | needs_approval |
| pull_model | needs_approval |
| create_collection | needs_approval |
| drop_collection | needs_approval |
| send_notification | needs_approval |
| export_data | needs_approval |
Blocked Actions (11)
| Action | Risk |
|---|---|
| send_email | blocked |
| send_message | blocked |
| deploy_to_production | blocked |
| rm_rf | blocked |
| sudo_command | blocked |
| modify_system_files | blocked |
| create_external_account | blocked |
| execute_payment | blocked |
| publish_post | blocked |
| access_external_api_key | blocked |
| open_port_external | blocked |
Task Type → Risk Tier
| Task Type | Risk Tier |
|---|---|
| audit | safe |
| delete | needs_approval |
| demo | safe |
| deploy | blocked |
| health | safe |
| memory | safe |
| message | blocked |
| model | safe |
| payment | blocked |
| read | safe |
| report | safe |
| run | needs_approval |
| search | safe |
| system | blocked |
| unknown | needs_approval |
| update | needs_approval |
| write | needs_approval |