Project Starfish DevlogGitHub
2026-07-10

Risk in numbers, and a calmer cockpit

v0.23 reworks how Starfish decides how risky an action is, hands the operator a dial to tune it, and rebuilds the desktop surface so nothing that needs you ever hides below the fold.

For a governance system, "how risky is this?" is the load-bearing question — it decides what runs, what asks, and what routes to a bigger model. Until now the answer was a coarse four-tier label. In v0.23 it's a number: every governed action is scored one to ten across fifty risk categories — file access, network, data sensitivity, reversibility, execution, autonomy, exfiltration, self-modification, and forty-six more — which roll up into a single 0–100 composite with ten human descriptors, from Clear to Forbidden.

The roll-up is deliberately max-driven, not averaged. A naïve average would let one catastrophic dimension get diluted by dozens of harmless ones; instead the riskiest single dimension sets the floor, and stacking several high dimensions pushes it higher. A handful of categories are hard floors — the constitutional guarantees (boundaries, secrets, destructive execution, exfiltration, loss of audit, touching governance itself) expressed in the scoring language, so the number can widen convenience but never open a dangerous door. The old four-tier label still exists as a derived view, which is why the entire prior test suite passes untouched.

One dangerous dimension can never be diluted by fifty benign ones — and no score, however low, lifts a hard floor.

A dial the operator controls

On top of the score sits Risk Tolerance: Low by default, or Medium. On Medium, actions scoring up to 70 of 100 run without asking — for people on a spare machine, with backups, or just experimenting who'd rather not be interrupted for routine, reversible work. What Medium cannot do is lift a hard floor, a prompt-injection reject, or a critical action; those always require a human. It's a governed setting like any other: operator-only, a two-step confirmation to raise it, one click to drop it, audited, persisted, and fail-safe to Low if the config is ever unreadable. A chip in the header shows it, and pulses when you're in the looser mode so you never forget. We stress-tested the whole model against fifty ways to game it before shipping.

A cockpit that fits one screen

The desktop surface was redesigned around a simple rule: a governance console fails if what needs your attention is a scroll away. The default is now a calm, neutral, light-or-dark cockpit — a risk-sorted approval queue on the left and the selected decision's full context on the right, so you can never rubber-stamp. Each card shows the risk descriptor and score. The old always-scrolling decision feed moved to its own Activity screen, and the dashboard keeps only an at-a-glance summary that links to it. The playful "fleet" theme that started this project is still here — just as an optional skin, off by default, because a security control plane earns trust by looking like one. And if you launch as administrator, a banner flashes: governed workers should not run with the keys to the whole machine.

None of this lowers the deny-by-default, fail-closed floor. It makes the floor legible — you can finally see the number behind every decision — and lets you decide, deliberately and reversibly, how much of the routine you want to handle yourself.

Project Starfish · a governance-first, deny-by-default AI ecosystem · Apache-2.0. This devlog is a build journal reconstructed from the project history.