| Version | Supported |
|---|---|
| 0.x | ✅ |
The project is pre-1.0; security fixes are issued against the current 0.x release line.
If you discover a security vulnerability, please report it responsibly:
- Do NOT open a public issue
- Create a GitHub Security Advisory
- Include: description, reproduction steps, and potential impact
We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.
The pure hexagonal core (ruthless/, the default install) is a computation library:
- Config is parsed with `yaml.safe_load` — never `yaml.load`, so no arbitrary object construction.
- The CLI objective loader (`ruthless.cli.resolve_objective`) is trusted-config-only: it resolves `pkg.module:attr` via `importlib.import_module` + `getattr` (never `eval`/`exec`) and isinstance-checks the result against the `Objective` protocol. Only pass import-strings you control.
- The core does not open network connections, execute subprocesses, or deserialize untrusted data.
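The import-string resolution described for the CLI objective loader, as an added example that is not the project's own code. The name `load_objective`, the single-method `Objective` protocol, and the in-memory `constructed_objectives` module are assumptions made for illustration.

```python
import importlib
import re
import sys
import types
from typing import Protocol, runtime_checkable

# Assumption: the real Objective protocol's members are not shown on this page;
# a single evaluate() method stands in for it here.
@runtime_checkable
class Objective(Protocol):
    def evaluate(self, params: dict) -> float: ...

# Dotted module path, one colon, one plain attribute name. Nothing else.
_SPEC = re.compile(r"[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*:[A-Za-z_]\w*")

def load_objective(spec: str) -> Objective:
    """Hypothetical loader: resolve 'pkg.module:attr' without eval/exec."""
    if not _SPEC.fullmatch(spec):
        raise ValueError(f"not a pkg.module:attr import string: {spec!r}")
    module_name, attr = spec.split(":")
    # import_module runs the module's top-level code, which is why the
    # import string itself has to come from trusted configuration.
    module = importlib.import_module(module_name)
    try:
        obj = getattr(module, attr)
    except AttributeError:
        raise ValueError(f"{module_name} has no attribute {attr!r}") from None
    # A runtime_checkable isinstance check only confirms the members exist,
    # not their signatures or behaviour.
    if not isinstance(obj, Objective):
        raise TypeError(f"{spec} does not satisfy the Objective protocol")
    return obj

# Constructed in-memory module so the example runs offline.
class _Sphere:
    def evaluate(self, params: dict) -> float:
        return sum(v * v for v in params.values())

_demo = types.ModuleType("constructed_objectives")
_demo.sphere = _Sphere()
_demo.not_an_objective = 42
sys.modules["constructed_objectives"] = _demo

if __name__ == "__main__":
    print(load_objective("constructed_objectives:sphere").evaluate({"x": 3.0, "y": 4.0}))
```

The format check and the protocol check reject malformed or wrong-typed targets, but neither makes an attacker-chosen import string safe, since the import has already run by the time the type is checked.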
Optional extras broaden the surface and are not installed by default:
- The `[backends]` extra adds SSH / Hugging Face Jobs / Docker compute backends — these open network connections and dispatch remote work. SSH calls use key-based auth (`BatchMode=yes`, `StrictHostKeyChecking=accept-new`); secrets (e.g. `HF_TOKEN`) are passed to the node by a 0600 file, not on the command line.
- The `[evolve]` extra adds an evolutionary strategy that executes candidate programs. LLM-generated code is screened by an AST allowlist (a defense-in-depth belt, not a sandbox boundary — see docs/adr/ADR-001-ast-sandbox-security-model.md); run untrusted code only inside an OS-level sandbox (container/VM).
Treat objective functions and any remote-backend configuration as trusted code paths.