Ralph manages autonomous Claude sessions that run for hours or days without operator attention. Safety floors are the set of non-negotiable guardrails that keep those sessions from damaging the repo, the operator’s machine, or the broader state of the world. This page documents each floor and the narrow, deliberate ways to opt into more aggressive behavior.
The floors
1. Mirror-based isolation for destructive variants
Variants whose profile declares object_store = full (in
internal/variant) must be spawned inside a worktree backed by a
git clone --mirror of the repository, never by the operator's own
clone. internal/workspace enforces this at spawn time; there is no
single-flag override.
Why: a destructive variant that rebases history or force-pushes can corrupt the operator's working copy. Mirror-based isolation ensures every destructive operation runs against a disposable clone. Note the limit of this floor: a mirror clone's origin still points at the real remote, so isolation protects the local working copy, not the shared remote. Operations that could damage the remote, force-push above all, are covered by the confirmation gates in floor 2.
2. Confirmation gates on destructive operations
Before certain operations (force-push, git reset --hard, deleting
unmerged branches) the supervisor raises a gate that blocks the
session until the operator confirms. Which operations are gated is
defined per variant in the variant profile.
Opt-out: ShellExplicitlyTrusted, described below. It requires both
the machine-local flag in .radioactive-ralph/local.toml and a
matching shell_trust_eligible declaration in the variant profile.
Both must be present; either one alone fails closed and the gate
stays in place.
3. Plans-first discipline
Every variant except fixit refuses to boot without an active plan.
This prevents "let me just start working" sessions that drift into
unscoped churn.
There is no opt-out: run fixit --advise to produce a plan first.
A non-fixit variant cannot be run without one.
4. SSH-only git remotes
Ralph rewrites https:// git remotes to their git@ form when
attaching a worktree, and refuses to operate on a worktree whose
origin is still HTTPS. Enforced in internal/workspace.
Why: an HTTPS remote with no stored credential prompts for one, and an unattended session has nobody to answer the prompt, so it hangs indefinitely.
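The rewrite-and-refuse check, as an added Go example; this is not the project's internal/workspace code, and ToSSHRemote, EnforceSSHOrigin and gitEnv are hypothetical names. It goes slightly beyond the page's description in two ways: an https:// remote on a non-default port is rewritten to the ssh:// URL form (the scp-style git@host:path form has no port field), and any token embedded in the HTTPS URL's userinfo is discarded rather than carried over.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"os/exec"
	"strings"
)

// ErrRemoteNotSSH is returned for a remote that cannot be expressed in SSH form.
var ErrRemoteNotSSH = errors.New("origin is not an SSH remote and cannot be rewritten")

// ToSSHRemote converts an https:// remote to its git@host:path form.
// Remotes that are already SSH (git@host:path or ssh://...) are returned
// unchanged. Anything else (http://, local paths, unknown schemes) is
// rejected so that a worktree is never attached with a remote that might
// stop to ask for credentials.
func ToSSHRemote(remote string) (string, error) {
	switch {
	case strings.HasPrefix(remote, "git@"), strings.HasPrefix(remote, "ssh://"):
		return remote, nil
	case strings.HasPrefix(remote, "https://"):
		u, err := url.Parse(remote)
		if err != nil {
			return "", fmt.Errorf("parse %q: %w", remote, err)
		}
		// u.User (an embedded user:token, if any) is deliberately dropped:
		// the credential must not survive the rewrite.
		host := u.Hostname()
		path := strings.TrimPrefix(u.Path, "/")
		if host == "" || path == "" {
			return "", fmt.Errorf("%q: missing host or path", remote)
		}
		if port := u.Port(); port != "" {
			// scp-style syntax has no port; use the URL form instead.
			return fmt.Sprintf("ssh://git@%s:%s/%s", host, port, path), nil
		}
		return fmt.Sprintf("git@%s:%s", host, path), nil
	default:
		return "", fmt.Errorf("%q: %w", remote, ErrRemoteNotSSH)
	}
}

// gitEnv makes any prompt that still slips through (no agent, passphrase-
// protected key, unknown host key) fail immediately instead of hanging.
func gitEnv() []string {
	return append(os.Environ(),
		"GIT_TERMINAL_PROMPT=0",
		"GIT_SSH_COMMAND=ssh -o BatchMode=yes",
	)
}

// EnforceSSHOrigin rewrites origin in place and refuses the worktree when the
// result is still not SSH. It returns the remote that is now configured.
func EnforceSSHOrigin(worktree string) (string, error) {
	get := exec.Command("git", "-C", worktree, "remote", "get-url", "origin")
	get.Env = gitEnv()
	out, err := get.Output()
	if err != nil {
		return "", fmt.Errorf("read origin: %w", err)
	}
	current := strings.TrimSpace(string(out))
	want, err := ToSSHRemote(current)
	if err != nil {
		return "", err // refuse; the worktree is left untouched
	}
	if want != current {
		set := exec.Command("git", "-C", worktree, "remote", "set-url", "origin", want)
		set.Env = gitEnv()
		if out, err := set.CombinedOutput(); err != nil {
			return "", fmt.Errorf("set origin: %v: %s", err, out)
		}
	}
	return want, nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: sshremote <worktree>")
		os.Exit(2)
	}
	remote, err := EnforceSSHOrigin(os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing worktree:", err)
		os.Exit(1)
	}
	fmt.Println("origin:", remote)
}
```

Switching to SSH removes the credential prompt but not every prompt: a passphrase-protected key with no agent, or an unknown host key, blocks the same way. The GIT_TERMINAL_PROMPT=0 and BatchMode=yes settings in gitEnv turn those into an immediate failure the supervisor can see, which is the behaviour an unattended session wants.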
5. Conventional commits
The supervisor's system-prompt bias includes a conventional-commits rule. Commits from variants that do not honor it are rejected by the commit-msg hook.
6. cmd.ExtraFiles lifeline pipe
Every spawned variant subprocess inherits, on FD 3 via cmd.ExtraFiles,
the read end of a pipe whose write end only the supervisor holds.
When the supervisor exits for any reason (clean exit, crash, SIGKILL,
OOM kill), the kernel closes that write end, the child's read on FD 3
returns EOF, and the child self-terminates within about 3 seconds.
See internal/variantpool/pool.go and internal/proclife for the
per-platform belt-and-suspenders.
Why: without this, a supervisor that crashes leaves orphaned Claude subprocesses burning API tokens indefinitely.
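Both halves of the lifeline, as an added Go example that is not the code in internal/variantpool or internal/proclife: SpawnWithLifeline is the supervisor side, WatchLifeline and SelfTerminate the child side, and the names, the LIFELINE_DEMO_ROLE variable and the 3-second grace period are assumptions made here. The program re-executes itself as its own child so it can be run stand-alone; the supervisor "dies" by closing its write end, which is exactly what the kernel does to that descriptor when the supervisor process is killed.

```go
package main

import (
	"fmt"
	"io"
	"os"
	"os/exec"
	"time"
)

// cmd.ExtraFiles[i] becomes fd 3+i in the child, so entry 0 is fd 3.
const lifelineFD = 3

// SpawnWithLifeline starts cmd with the read end of a fresh pipe as its fd 3
// and returns the write end, which the supervisor simply keeps open. When the
// supervisor process ends, however it ends, the kernel closes that write end
// and the child's next read on fd 3 returns EOF.
func SpawnWithLifeline(cmd *exec.Cmd) (*os.File, error) {
	r, w, err := os.Pipe() // both ends are close-on-exec: no other child inherits them by accident
	if err != nil {
		return nil, err
	}
	cmd.ExtraFiles = append([]*os.File{r}, cmd.ExtraFiles...) // must be entry 0 to land on fd 3
	if err := cmd.Start(); err != nil {
		r.Close()
		w.Close()
		return nil, err
	}
	r.Close() // the child owns the read end now; the supervisor keeps only w
	return w, nil
}

// WatchLifeline blocks until the lifeline reaches EOF (or any read error),
// then runs onLost. A variant starts this in a goroutine before doing work.
func WatchLifeline(lifeline io.Reader, onLost func()) {
	var buf [1]byte
	for {
		if _, err := lifeline.Read(buf[:]); err != nil {
			onLost() // io.EOF is the normal "supervisor is gone" signal
			return
		}
		// The supervisor never writes on purpose; any stray byte is ignored.
	}
}

// ChildLifeline is how a spawned variant reaches its inherited fd 3.
func ChildLifeline() *os.File { return os.NewFile(lifelineFD, "lifeline") }

// SelfTerminate gives the variant a short grace period to shut down cleanly,
// then exits unconditionally so that no orphan keeps running.
func SelfTerminate(grace time.Duration, shutdown func()) {
	time.AfterFunc(grace, func() { os.Exit(1) })
	shutdown()
	os.Exit(0)
}

func main() {
	if os.Getenv("LIFELINE_DEMO_ROLE") == "child" {
		go WatchLifeline(ChildLifeline(), func() {
			SelfTerminate(3*time.Second, func() { fmt.Println("child: supervisor gone, shutting down") })
		})
		select {} // stand-in for the long-running session
	}
	// Supervisor role: re-exec this binary as the child, then "die" by
	// closing our end of the pipe.
	child := exec.Command(os.Args[0])
	child.Env = append(os.Environ(), "LIFELINE_DEMO_ROLE=child")
	child.Stdout, child.Stderr = os.Stdout, os.Stderr
	w, err := SpawnWithLifeline(child)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	time.Sleep(500 * time.Millisecond)
	w.Close()
	fmt.Println("supervisor: lifeline closed; child exited with", child.Wait())
}
```

The property that makes this work is that the write end exists in exactly one process. If the supervisor ever hands w to another child through its ExtraFiles, or a fork keeps a duplicate alive, EOF is deferred until that holder exits too, and the orphan problem returns. os.Pipe marks both descriptors close-on-exec, so only an explicit ExtraFiles entry can leak it; keep w out of every other spawn.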
ShellExplicitlyTrusted
A single operator-set flag in .radioactive-ralph/local.toml
(gitignored) that unlocks the confirmation gates for variants the
operator has already vetted. It is intentionally machine-local:
it cannot be committed to the repo or propagated across machines.
# .radioactive-ralph/local.toml
[shell]
explicitly_trusted = true
[shell.variants]
# Per-variant grants — a blanket trust flag isn't enough; the variant
# profile must also declare shell_trust_eligible = true.
green = true
When both are present, the supervisor skips the shell-confirmation gate for that variant. All other floors (isolation, plans-first, SSH, lifeline) still apply.
Auditing
Every time a safety floor triggers — whether it passes or blocks —
the supervisor writes an event into the plan DAG’s task_events
table. radioactive_ralph plan history --events floor surfaces them.
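The two-sided trust check from the ShellExplicitlyTrusted section together with the audit record from this section, as an added Go example that is not the supervisor's own code. LocalConfig, VariantProfile, FloorEvent, ShellGate and AuditLog are hypothetical names; loading local.toml and the profile is assumed to have happened already, and a JSON line on a writer stands in for a row in the plan DAG's task_events table. The point it makes concrete is the fail-closed ordering: the blanket flag, the per-variant grant and the profile's own opt-in are checked in turn, and the first one that is missing is what gets recorded.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"time"
)

// LocalConfig holds the [shell] tables of .radioactive-ralph/local.toml.
// Hypothetical type for this example; parsing the TOML is out of scope.
type LocalConfig struct {
	ShellExplicitlyTrusted bool            // [shell] explicitly_trusted
	ShellVariants          map[string]bool // [shell.variants] <name> = true
}

// VariantProfile is the repo-side profile, reduced to the one field this floor reads.
type VariantProfile struct {
	Name               string
	ShellTrustEligible bool // shell_trust_eligible = true in the profile
}

// FloorEvent is one audit record; a stand-in for a task_events row.
type FloorEvent struct {
	At      time.Time `json:"at"`
	Floor   string    `json:"floor"`
	Variant string    `json:"variant"`
	Outcome string    `json:"outcome"` // "gate" (operator must confirm) or "skip"
	Reason  string    `json:"reason"`
}

// ShellGate decides whether the shell-confirmation gate can be skipped for a
// variant. Every condition must hold; the first one that fails becomes the
// recorded reason, and the default answer is to gate.
func ShellGate(cfg LocalConfig, p VariantProfile, now time.Time) (skip bool, ev FloorEvent) {
	ev = FloorEvent{At: now, Floor: "shell-confirm", Variant: p.Name, Outcome: "gate"}
	switch {
	case !cfg.ShellExplicitlyTrusted:
		ev.Reason = "local.toml: [shell] explicitly_trusted is not true"
	case !cfg.ShellVariants[p.Name]: // a nil map reads as false: no grant
		ev.Reason = fmt.Sprintf("local.toml: [shell.variants] %s is not granted", p.Name)
	case !p.ShellTrustEligible:
		ev.Reason = "variant profile does not declare shell_trust_eligible = true"
	default:
		skip = true
		ev.Outcome = "skip"
		ev.Reason = "trusted on this machine and eligible by profile"
	}
	return skip, ev
}

// AuditLog appends one JSON line per floor evaluation, pass or block alike.
type AuditLog struct{ w io.Writer }

func (a AuditLog) Record(ev FloorEvent) error {
	line, err := json.Marshal(ev)
	if err != nil {
		return err
	}
	_, err = fmt.Fprintf(a.w, "%s\n", line)
	return err
}

func main() {
	// Constructed sample config: the local.toml from the page, with green granted.
	cfg := LocalConfig{ShellExplicitlyTrusted: true, ShellVariants: map[string]bool{"green": true}}
	log := AuditLog{w: os.Stdout}
	for _, p := range []VariantProfile{
		{Name: "green", ShellTrustEligible: true},  // both sides present: skip
		{Name: "green", ShellTrustEligible: false}, // profile never opted in: gate
		{Name: "red", ShellTrustEligible: true},    // no per-variant grant: gate
	} {
		skip, ev := ShellGate(cfg, p, time.Now())
		fmt.Printf("%s: skip gate = %v\n", p.Name, skip)
		if err := log.Record(ev); err != nil {
			fmt.Fprintln(os.Stderr, err)
		}
	}
}
```

Recording the event before acting on the decision, as main does, is what keeps the audit trail honest: a gate that was skipped and a gate that blocked both leave a row, with the reason, so plan history --events floor can answer "why was this allowed" as well as "why did this stop".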