Ralph Ultra implements a three-tier security model to balance development velocity with system safety. This document explains how the security model works and how to configure it for your project.
The security model protects your system from potentially destructive operations while giving you flexibility based on your trust level and project requirements.
| Tier | Trust Level | Default Behavior | Use Case |
|---|---|---|---|
| Sandbox | Low | Read-only, safe operations only | Initial exploration, untrusted code |
| Standard | Medium | Allowlist-based, regex patterns | Most development work |
| YOLO | High | Full permissions, minimal restrictions | Rapid prototyping, trusted environments |
Sandbox mode philosophy: "Read everything, write nothing without permission."

Allowed in sandbox mode:
- Reading files and directories
- Running analysis commands (grep, find, ls)
- Git status/log (read-only operations)
- Package manager info commands (npm list, pip show)

Blocked in sandbox mode:
- File writes (unless explicitly approved)
- Package installations
- Git commits/pushes
- Database operations
- System configuration changes
- Network operations (API calls, curl)

Sandbox mode is active by default. No configuration needed.
```bash
# Run in sandbox mode (default)
ralph run
```

Standard mode philosophy: "Allow common safe operations, block dangerous ones."
Standard mode uses regex patterns to permit specific commands while blocking everything else.
```json
{
  "security": {
    "mode": "standard",
    "allowlist": [
      "^npm (install|ci|run|test|run build)$",
      "^git (add|commit|status|log|diff|branch)$",
      "^pytest",
      "^flutter (pub get|test|analyze|run)$",
      "^npx (eslint|prettier|tsc)$",
      "^docker-compose up -d$"
    ]
  }
}
```

Add custom patterns to .ralph/config.json:
```json
{
  "security": {
    "mode": "standard",
    "allowlist": [
      "^curl https://api\\.mycompany\\.com/.*$",
      "^python scripts/custom_tool\\.py$",
      "^make (build|test|clean)$"
    ]
  }
}
```

Even in standard mode, these operations are always blocked:
```text
# Destructive git operations
git reset --hard
git clean -fdx
git push --force
git branch -D

# System-level changes
sudo rm -rf
chmod 777
chown

# Database drops
DROP DATABASE
DELETE FROM

# Environment tampering
export AWS_SECRET_KEY=
rm -rf ~/.ssh
```

YOLO mode philosophy: "Maximum velocity, minimum friction."

Allowed in YOLO mode: everything. The AI agent has full system permissions.
Even in YOLO mode, Ralph Ultra includes:
- Interactive Confirmation: You must explicitly approve YOLO mode on each run.
- Audit Logging: All commands are logged to .ralph/audit.log.
- Revert Points: Git commits are created before destructive operations.
You must use the --security yolo flag AND interactively confirm:

```text
ralph run --security yolo
⚠️ WARNING: You are about to run in YOLO mode.
⚠️ This gives the AI agent unrestricted system access.
⚠️ Type 'CONFIRM' to proceed:
```
Appropriate uses of YOLO mode:
- Rapid prototyping: "Just make it work, I'll review later."
- Trusted private projects: Solo development on your local machine.
- Experimental features: Testing new AI capabilities.

Never use YOLO mode for:
- Production systems: Never on servers with real data.
- Shared repositories: Risk of unintended changes to team code.
- Unfamiliar codebases: Without understanding the system, YOLO is dangerous.
Configure security settings in .ralph/config.json:
```json
{
  "security": {
    "mode": "standard",
    "allowlist": [
      "^npm (install|test|run build)$",
      "^git (add|commit|status)$"
    ],
    "blocklist": [
      "^rm -rf /$",
      "^sudo"
    ],
    "require_approval": [
      "^git push",
      "^npm publish"
    ]
  }
}
```

| Field | Type | Description |
|---|---|---|
| mode | "sandbox" \| "standard" \| "yolo" | Active security tier |
| allowlist | string[] | Regex patterns for allowed commands (standard mode) |
| blocklist | string[] | Regex patterns for always-blocked commands |
| require_approval | string[] | Commands that require human approval before execution |
```text
┌─────────────────────────────────┐
│    AI Agent Proposes Command    │
└───────────────┬─────────────────┘
                │
                ▼
┌─────────────────────────────────┐
│ Check Blocklist (Always First)  │
└───────────────┬─────────────────┘
                │
         ┌──────┴──────┐
         │  Blocked?   │
         └──────┬──────┘
            Yes │ No
             │     │
             ▼     ▼
         [DENY] [Continue]
                    │
                    ▼
┌─────────────────────────────────┐
│       Check Security Mode       │
└───────────────┬─────────────────┘
                │
       ┌────────┼────────┐
       │        │        │
    Sandbox  Standard   YOLO
       │        │        │
       ▼        ▼        ▼
    [Safe?] [Allowlist?] [ALLOW]
       │        │
    Yes│No   Yes│No
       │        │
       ▼        ▼
    [ALLOW]   [DENY]
```
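As an added illustration of the flow above (example code, not Ralph Ultra's own implementation), a Python evaluator that applies the configuration sample from this page: blocklist first, then the mode-specific check. Two assumptions are made here because the flowchart does not show them: `require_approval` is consulted right after the blocklist, and the sandbox read-only list (`SANDBOX_SAFE`) is derived from the sandbox "allowed" bullets above.

```python
import re

# Constructed config mirroring the .ralph/config.json sample on this page.
CONFIG = {
    "security": {
        "mode": "standard",
        "allowlist": [r"^npm (install|test|run build)$", r"^git (add|commit|status)$"],
        "blocklist": [r"^rm -rf /$", r"^sudo"],
        "require_approval": [r"^git push", r"^npm publish"],
    }
}

# Assumed read-only prefixes for sandbox mode, derived from the page's
# "allowed in sandbox" list; the tool's real list is not documented here.
SANDBOX_SAFE = [r"^(ls|cat|grep|find)\b", r"^git (status|log)\b",
                r"^npm list\b", r"^pip show\b"]


def _matches(patterns, command):
    # Patterns are anchored with ^ by convention, so search() behaves like a prefix test.
    return any(re.search(p, command) for p in patterns)


def decide(command, config=CONFIG):
    """Return ALLOW, DENY or APPROVE for a proposed command, following the flowchart."""
    sec = config["security"]
    # 1. The blocklist is consulted first in every mode, including YOLO.
    if _matches(sec.get("blocklist", []), command):
        return "DENY"
    # 2. (Assumed placement) commands needing human approval are routed to the operator.
    if _matches(sec.get("require_approval", []), command):
        return "APPROVE"
    # 3. Mode-specific check.
    mode = sec["mode"]
    if mode == "yolo":
        return "ALLOW"
    if mode == "sandbox":
        return "ALLOW" if _matches(SANDBOX_SAFE, command) else "DENY"
    if mode == "standard":
        return "ALLOW" if _matches(sec.get("allowlist", []), command) else "DENY"
    raise ValueError(f"unknown security mode: {mode!r}")


if __name__ == "__main__":
    for cmd in ["npm test", "npm run lint", "git push origin main", "sudo ls", "git status"]:
        print(f"{cmd!r:28} -> {decide(cmd)}")
```

Note that with the page's anchored pattern `^npm (install|test|run build)$`, a command such as `npm run lint` is denied in standard mode; the `$` anchor is what prevents a permitted prefix from smuggling extra arguments.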
Begin with sandbox mode to understand what the agent is trying to do. Gradually promote to standard mode with a custom allowlist.
YOLO mode is powerful but dangerous. Reserve it for isolated experiments, not production work.
After each Ralph session, review .ralph/audit.log to see what commands were executed.
```bash
tail -n 50 .ralph/audit.log
```

Tailor the allowlist to your specific tools and workflows. For example, a Python project might allow:

```json
{
  "allowlist": [
    "^pip install -r requirements\\.txt$",
    "^pytest",
    "^mypy \\.",
    "^ruff check \\."
  ]
}
```

Even in YOLO mode, Ralph Ultra never commits files containing secrets. The security auditor skill scans for:
- API keys (e.g., `API_KEY=sk-...`)
- Private keys (e.g., `BEGIN PRIVATE KEY`)
- AWS credentials
- Database passwords
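An added example (not the security-auditor skill's own code) of the kind of pre-commit secret scan described above. The regexes are constructed here for the four categories the page lists, the sample file content is constructed, and the AWS access key value is the placeholder key from AWS's own documentation.

```python
import re
import sys

# Constructed regexes for the secret categories listed above; illustrative only,
# not the security-auditor skill's actual rules.
SECRET_PATTERNS = {
    "api_key": re.compile(r"\bAPI_KEY\s*=\s*['\"]?sk-[A-Za-z0-9_-]{8,}"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_key": re.compile(r"\bAWS_SECRET(?:_ACCESS)?_KEY\s*=\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "db_password": re.compile(r"\b(?:DB|DATABASE)_PASSWORD\s*=\s*['\"]?\S{4,}"),
}

# Constructed sample of a file that must never be committed; the AWS value is
# the placeholder example key from AWS's documentation, not a real credential.
SAMPLE = """\
API_KEY=sk-EXAMPLEKEY1234567890
DB_HOST=localhost
-----BEGIN PRIVATE KEY-----
DATABASE_PASSWORD='hunter22'
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
"""


def scan_text(text):
    """Return (line_number, category) for each line matching a secret pattern."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for category, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, category))
                break  # one finding per line is enough to block the commit
    return findings


def commit_allowed(text):
    """Pre-commit gate: True only when no secret-like line is present."""
    return not scan_text(text)


if __name__ == "__main__":
    # Scan files given on the command line, or the built-in sample if none.
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE)]
    for name, text in sources:
        for lineno, category in scan_text(text):
            print(f"{name}:{lineno}: possible {category}")
    sys.exit(0 if all(commit_allowed(t) for _, t in sources) else 1)
```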
Ralph Ultra includes a dedicated security-auditor skill that runs automatically before every commit. It scans for:
- Hardcoded secrets
- SQL injection vulnerabilities
- XSS vulnerabilities
- Insecure dependencies (via `npm audit` or `safety check`)

To run the auditor manually:

```bash
ralph skill run security-auditor
```

To skip the audit for a run:

```bash
ralph run --skip-security-audit
```

Warning: Only use this for throwaway code or non-sensitive projects.
Q: Can I use Ralph Ultra in production?
A: Not recommended. Ralph Ultra is designed for development environments. For production deployments, use ralph deploy, which has additional safeguards.

Q: What if a command I need is blocked?
A: Add it to your allowlist in .ralph/config.json. If it's a one-time operation, you can also run it manually outside of Ralph.

Q: How do I check which security mode is active?
A: Run ralph status. It shows the current security mode at the top.

Q: Is YOLO mode safe on my own local machine?
A: It's safer than on shared systems, but still use caution. YOLO mode can delete files, install packages, and make network requests. Always review the PRD before running in YOLO mode.
If you discover a security vulnerability in Ralph Ultra, please report it to:
Email: security@ralph-ultra.dev (or file a GitHub issue marked [SECURITY])
Do not publicly disclose the vulnerability until it has been addressed.
Last Updated: January 31, 2026
Version: Ralph Ultra 1.0