Immune System

The immune system is Cruvero's automated runtime safety monitor. It detects repeated tool anomalies, records reusable failure signatures, and can quarantine tools that exhibit degraded quality or dangerous behavior. Operators resolve anomalies through the vaccinate CLI or approval signals.

Source: internal/agent/immune*.go, cmd/vaccinate/main.go

Overview

The immune subsystem detects repeated tool anomalies, records reusable signatures, and can quarantine unsafe tools.

Core goals:

  • stop repeated failure patterns early
  • preserve learnings as procedural memory
  • provide operator controls for quarantine and remediation

Anomaly Detection

An anomaly signature is built from normalized tool failure context and stored with counters.

Behavior:

  • records signature hash and hit count
  • increments totals on repeated matches
  • supports per-tool thresholds and global thresholds

Config:

  • CRUVERO_IMMUNE_ENABLED
  • CRUVERO_IMMUNE_QUARANTINE_THRESHOLD
  • CRUVERO_IMMUNE_TOOL_THRESHOLDS
  • CRUVERO_IMMUNE_TOOL_NO_AUTO

Auto-Quarantine

When thresholds are exceeded, the affected tool can be quarantined.

Behavior:

  • quarantined tool execution is blocked by activity guardrails
  • optional TTL expiration can auto-release quarantine
  • blocked execution emits telemetry and audit events

Config:

  • CRUVERO_IMMUNE_QUARANTINE_TTL
  • CRUVERO_IMMUNE_CLEANUP_ENABLED
  • CRUVERO_IMMUNE_CLEANUP_INTERVAL
  • CRUVERO_IMMUNE_RETENTION_DAYS
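
A minimal Go model of the detection and auto-quarantine behavior described above, added here as an illustration and not taken from Cruvero's source. The type, field and function names, the digit-masking normalization, the SHA-256 hash and the strict "greater than threshold" comparison are assumptions; the fields stand in for the threshold, no-auto and TTL settings, whose value formats this page does not specify.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"regexp"
	"time"
)

// Monitor is an illustrative model; all names here are assumptions, not Cruvero's types.
type Monitor struct {
	Global  int                  // global quarantine threshold
	PerTool map[string]int       // per-tool threshold overrides
	NoAuto  map[string]bool      // tools exempt from auto-quarantine
	TTL     time.Duration        // 0 means no automatic release
	Hits    map[string]int       // signature hash -> hit count
	Since   map[string]time.Time // quarantined tool -> quarantine start
}

var digits = regexp.MustCompile(`[0-9]+`)

// Signature masks digit runs (assumed normalization) so repeats differing only in ids collapse.
func Signature(tool, errMsg string) string {
	norm := digits.ReplaceAllString(errMsg, "#")
	return fmt.Sprintf("%x", sha256.Sum256([]byte(tool+"\x00"+norm)))
}

// Record counts one failure and quarantines once the count exceeds the tool's threshold.
func (m *Monitor) Record(tool, errMsg string, now time.Time) int {
	sig := Signature(tool, errMsg)
	m.Hits[sig]++
	limit, ok := m.PerTool[tool]
	if !ok {
		limit = m.Global
	}
	if m.Hits[sig] > limit && !m.NoAuto[tool] {
		m.Since[tool] = now
	}
	return m.Hits[sig]
}

// Blocked is the guardrail check before a tool runs; a quarantine older than TTL no longer blocks.
func (m *Monitor) Blocked(tool string, now time.Time) bool {
	start, ok := m.Since[tool]
	return ok && (m.TTL <= 0 || now.Sub(start) < m.TTL)
}

func main() {
	fmt.Println(Signature("http_fetch", "timeout after 30s")[:12]) // constructed sample input
}
```

Because the hit count is kept after a TTL release, the next matching failure re-quarantines the tool immediately in this model.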

Vaccination Workflow

Vaccination captures a known-good fix and makes it reusable.

CLI:

  • cmd/vaccinate --signature-hash <hash> --procedure "..." --resolved-by <actor>

Expected outcomes:

  • anomaly marked resolved
  • procedural memory updated with remediation guidance
  • future runs can leverage remediation instructions earlier

Tool Release Workflow

Operators can inspect and release quarantined tools.

CLI:

  • list unresolved anomalies: cmd/vaccinate --list
  • list quarantined tools: cmd/vaccinate --quarantine
  • release tool: cmd/vaccinate --release <tool> --reason "..."

CLI Reference

cmd/vaccinate flags:

  • --signature-hash
  • --procedure
  • --resolved-by
  • --list
  • --quarantine
  • --release
  • --reason
  • --tenant

Observability

Alert/snapshot controls:

  • CRUVERO_IMMUNE_ALERT_ENABLED
  • CRUVERO_IMMUNE_ALERT_INTERVAL
  • CRUVERO_IMMUNE_ALERT_ANOMALY_DELTA
  • CRUVERO_IMMUNE_ALERT_QUARANTINE_DELTA
  • CRUVERO_IMMUNE_ALERT_BLOCKED_DELTA
  • CRUVERO_IMMUNE_SNAPSHOT_ENABLED
  • CRUVERO_IMMUNE_SNAPSHOT_DIR
  • CRUVERO_IMMUNE_SNAPSHOT_BATCH