SOP-008 — AI Production Risk Review (NIST AI RMF + OWASP AI/LLM + CIS Benchmark)
1. Purpose
This Standard Operating Procedure defines the Atlantis ITS review process for moving AI-enabled applications, agents, automations, and public-facing workflows into production.
It combines two complementary frameworks:
- NIST AI Risk Management Framework (AI RMF) — governance, lifecycle risk, trustworthiness, accountability, and documentation
- OWASP AI/LLM security guidance — technical vulnerabilities, adversarial testing, attack surface review, and mitigations
NIST tells Atlantis what risks to govern. OWASP tells Atlantis how attackers may break the system.
This SOP exists to prevent Atlantis ITS from shipping AI systems that are useful but unsafe, poorly governed, vulnerable to prompt injection, leaky with data, overly autonomous, missing a human approval gate, or unclear in ownership.
Version 0.2 adds Jimmy’s governance updates:
- Human-in-the-loop (HITL) requirements
- Long-term memory / RAG hygiene
- Automated secrets scanning
- Excessive agency review
- Kill Switch protocol
- Environment separation
- Incident-owner alert path
Version 0.4 adds CIS Ubuntu 24.04 LTS Benchmark integration:
- CIS Benchmark infrastructure baseline added as a third framework pillar (Section 4.3)
- Infrastructure Security Baseline section added (Section 16.3, 16.4, 16.5)
- CIS audit script reference added (
~/nova/cis_wsl2_audit.sh) - VPS pre-deployment CIS requirement added (Section 16.4)
- atlantis-lab sandbox CIS container baseline added (Section 16.5)
- Agent tech watch sandbox rules updated to reference CIS hardening (Section 16.5)
- OpenClaw CVE-2026-25253 "ClawBleed" (CVSS 8.8) flagged in OWASP supply chain review (Section 12)
- Production readiness checklist updated with CIS audit requirement (Section 19)
- Related documents updated with CIS Benchmark reference (Section 22)
- Multi-user isolation review added to Intake Template (Section 8)
- Kill Switch KPI tightened to < 5 minutes in Nova Router checklist (Section 14.1)
- Docker hardening checklist added to Environment Separation section (Section 16)
- Rate Limiting / Abuse Prevention section added (Section 14.4)
- Privacy fix: full last name removed from approval table (Section 24)
2. Scope
In scope:
- Public Atlantis apps moved to GitHub
AtlantisITS - Apps deployed to Vercel, Cloudflare, VPS, or public domains
- Nova Router / Nova Bus routes promoted beyond local testing
- n8n workflows handling real leads, customer data, travel inquiries, contractor requests, or alerts
- AI chat intake pages, including Home Help / Nova chat intake
- LLM-powered summaries, recommendations, lead scoring, content generation, or agent-chain decisions
- Apps using external AI APIs, OpenRouter, local Ollama models, or n8n AI workflows
- Production-facing workflows connected to Google Sheets, CRM, Telegram, Discord, email, or other notification systems
- AI agents with ability to execute code, write files, update memory, send public emails, post externally, delete records, or write to external databases
- Systems using shared RAG, long-term memory, vector stores, or persistent AI context
Out of scope:
- Private experiments with no customer data and no public exposure
- One-off local scripts that do not connect to customer, lead, or production systems
- Purely static marketing pages with no AI, forms, customer data, or automation
- Full legal/compliance audit by external counsel
- Formal certification against NIST, ISO, SOC 2, or other third-party audit frameworks
3. Ownership
| Area | Owner | Responsibility |
|---|---|---|
| Procedure owner | Jimmy | Governance, approval gate, NIST alignment, final risk posture |
| Architecture review | Ozzy | System design, routes, infrastructure, n8n nodes, CI/CD, service boundaries |
| Threat review | Scout | OWASP AI/LLM threats, abuse cases, adversarial review, threat intel |
| Documentation / public-safe language | Mercy | SOP language, privacy review, positioning, customer-facing clarity |
| Implementation support | Cooper / Mercy-Codex | Code changes, checklist automation, automated secrets scanning, repo templates |
| Local runtime integration | Nova | Future CLI checks, local command execution, bus/routing validation |
| Final approval | Shane | Founder approval to ship |
| Finance / budget gate | Maranda | Required when cost, pricing, client-facing monetization, or budget impact exists |
4. Framework Summary
NIST AI RMF
NIST AI RMF is the governance and lifecycle backbone.
It focuses on:
- Govern
- Map
- Measure
- Manage
Atlantis uses NIST AI RMF to answer:
- Who owns this system?
- What risks exist?
- What data is used?
- What documentation exists?
- What monitoring is required?
- What happens when the system fails?
- What is the expected impact on customers, users, operators, and the business?
- Where must a human review or approve the AI action?
OWASP AI/LLM Security
OWASP is the hands-on security and adversarial testing layer.
Atlantis uses OWASP guidance to review:
- Prompt injection
- Data leakage
- Insecure output handling
- Model or data poisoning
- Overreliance on LLM output
- Supply chain risk
- Sensitive information disclosure
- Agent/tool misuse
- Authentication and authorization gaps
- Excessive agency
- Logging and monitoring blind spots
4.3 CIS Ubuntu 24.04 LTS Benchmark
CIS Benchmark is the infrastructure hardening baseline.
Atlantis uses CIS Level 1 to enforce:
- Filesystem security (kernel modules, partition options)
- Service minimization (disable unused services)
- Network parameter hardening (sysctl settings)
- Host-based firewall (UFW active, default deny inbound)
- SSH hardening (no root login, MaxAuthTries ≤ 4)
- Password policy (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE)
- Audit logging (auditd, rsyslog)
- File permission integrity (/etc/passwd, /etc/shadow, /etc/group)
- Account hygiene (no UID 0 duplicates, no empty passwords)
Audit script: ~/nova/cis_wsl2_audit.sh Minimum score: 80% pass rate (excluding WSL2 skips) before production Re-audit required: after any major system change, kernel update, or new service deployment
NIST tells Atlantis what risks to govern. OWASP tells Atlantis how attackers may break the system. CIS tells Atlantis how to harden the infrastructure they run on.
5. Trigger Conditions
Run this SOP before production release when any of the following are true:
- An app is moved to the public
AtlantisITSGitHub organization - An app is deployed to a public domain or public subdomain
- A Nova route is exposed to production traffic
- A workflow handles real leads, customers, contractor requests, travel inquiries, or business data
- A form, chatbot, or intake system sends data into n8n, Sheets, CRM, Discord, Telegram, or email
- LLM output influences user-facing responses, routing, lead qualification, scoring, summaries, or decisions
- A workflow uses API keys, secrets, credentials, or external AI services
- A system becomes part of the revenue path
- An agent gains tool access that can execute code, delete files, modify records, send emails, post publicly, write to memory, or write to external systems
- A system uses shared RAG, long-term memory, persistent context, or vector storage
- A repo is moved from private/internal Forgejo to public GitHub
If unsure, run the review.
6. Architecture
App / Page / Agent / Workflow
↓
SOP-008 Intake
↓
NIST AI RMF Review
↓
OWASP AI/LLM Security Review
↓
Atlantis Architecture Review
↓
Privacy / Public Content Review
↓
HITL + Kill Switch Review
↓
Risk Rating + Mitigation Plan
↓
Sign-off Gate
↓
Production Release
↓
Post-launch Monitoring
For Nova/Atlantis systems:
Public App / QR / Chat Intake
↓
Nova Router / Nova Bus
↓
Agent or Lead Engine
↓
n8n Workflow
↓
Sheets / CRM / Alerting
↓
Human Review / Follow-up / Monitoring / Incident Path
7. Prerequisites
Before starting SOP-008, collect:
- App or workflow name
- Repo path and branch
- Owner / lead agent
- Production target URL or internal route
- Data handled
- Authentication method
- Secrets used
- n8n workflow names or IDs
- Nova route names, if applicable
- Cloudflare / Vercel / VPS deployment notes
- Known risks or prior incidents
- Whether the system affects revenue, client trust, or public reputation
- Whether the system has any agent/tool permissions
- Whether the system writes to memory, RAG, Sheets, CRM, files, or external systems
- Whether a human approval gate exists
- Whether a Kill Switch exists and has been tested
- Whether the repo has been secrets-scanned
8. Intake Template
Create or complete the following intake block:
# SOP-008 Intake
## System
- Name:
- Type: app / agent / workflow / route / page / automation
- Repo:
- Branch:
- Owner:
- Production URL:
- Internal URL:
- Current status: draft / staging / production candidate / production
## Business Context
- Purpose:
- Audience:
- Revenue impact:
- Customer or lead impact:
- Related funnel:
- Multi-user system? yes/no
- User isolation model: (e.g., namespace, database-level, agent-level, none)
## Data
- Data collected:
- Data stored:
- Data transmitted:
- Sensitive data present? yes/no
- Customer/client data present? yes/no
## AI Usage
- AI model(s):
- Local or external:
- Prompting involved:
- Agent/tool access:
- Human approval required:
- Shared memory / RAG / vector store involved? yes/no
## Agent Agency
- Can the agent execute code? yes/no
- Can the agent write files? yes/no
- Can the agent update memory/RAG? yes/no
- Can the agent send email/messages? yes/no
- Can the agent post publicly? yes/no
- Can the agent delete or modify records? yes/no
- Can the agent move money, trigger billing, or affect revenue? yes/no
## Integrations
- Nova routes:
- n8n workflows:
- External APIs:
- Alert channels:
- Storage destinations:
## Controls
- Auth method:
- HITL gate:
- Kill Switch path:
- Incident owner:
- Logging path:
- Rollback path:
- Secrets scan completed? yes/no
- Rate limiting / abuse prevention implemented? yes/no
## Known Risks
- Known security concerns:
- Known privacy concerns:
- Known reliability concerns:
- Known unresolved TODOs:
9. NIST AI RMF Review
9.1 Govern
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| System owner assigned | ||
| Purpose documented | ||
| Data owner identified | ||
| Human approval path defined | ||
| HITL required for high-impact actions | ||
| Public/private boundary documented | ||
| Incident owner identified | ||
| Privacy review completed | ||
| Kill Switch owner identified | ||
| Finance gate identified, if applicable |
Required output:
Govern result:
- Status:
- Required fixes:
- Owner:
9.2 Map
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Use case clearly described | ||
| User journey mapped | ||
| Data flow mapped | ||
| AI decision points identified | ||
| Human approval points identified | ||
| External dependencies listed | ||
| Failure modes listed | ||
| Abuse cases listed | ||
| Memory/RAG touchpoints mapped | ||
| Agent/tool permissions mapped |
Required output:
Map result:
- Status:
- Key risks:
- Required fixes:
9.3 Measure
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Basic functional test completed | ||
| Security test completed | ||
| Prompt injection test completed | ||
| Data leakage test completed | ||
| Secrets scan completed | ||
| Memory hygiene test completed | ||
| Logging verified | ||
| Alerting verified | ||
| Human review path tested | ||
| Kill Switch tested |
Required output:
Measure result:
- Status:
- Tests run:
- Evidence:
9.4 Manage
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Risk rating assigned | ||
| Mitigation plan created | ||
| Launch blockers identified | ||
| Post-launch monitoring defined | ||
| Incident path documented | ||
| Kill Switch documented | ||
| Rollback path documented | ||
| Approval captured |
Required output:
Manage result:
- Status:
- Risk rating:
- Go / no-go:
10. Human-in-the-Loop (HITL) Requirements
HITL is required for high-impact or irreversible actions.
10.1 HITL Required When
A human must review or approve before the AI/agent can:
- Delete files, records, rows, tickets, issues, repos, or workflows
- Send public emails or external customer messages
- Post publicly to social media, websites, Chronicle, Briefing, or public feeds
- Modify long-term memory, RAG, production prompts, or shared context
- Affect billing, pricing, payments, refunds, commissions, or revenue records
- Route real customer/lead data to a third party
- Trigger contractor/customer outreach
- Execute code that changes production infrastructure or data
- Change credentials, auth rules, Cloudflare settings, Vercel settings, or firewall behavior
10.2 HITL Review Questions
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| High-impact actions identified | ||
| Human reviewer assigned | ||
| Approval step exists before action | ||
| Approval is logged | ||
| User-facing AI decisions are reviewable | ||
| Revenue-impacting actions require Shane/Maranda review | ||
| Data deletion/modification requires explicit confirmation |
Required output:
HITL result:
- Required? yes/no
- Reviewer:
- Approval path:
- Launch blocker? yes/no
11. Memory / RAG Hygiene Review
Run this review for any system that reads from or writes to:
ATLANTIS_AI_MEMORY.mdupdates.md- Persona files
- Prompt files
- RAG stores
- Vector databases
- Shared agent memory
- Google Sheets or docs used as persistent context
11.1 Memory Hygiene Checks
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| User input cannot directly overwrite long-term memory | ||
| Memory writes require validation or human approval | ||
| Cross-user data cannot poison shared memory | ||
| Private data is not promoted to public memory | ||
| Prompt injection cannot modify source-of-truth files | ||
| Memory update path is logged | ||
| Rollback path exists for bad memory writes |
Required output:
Memory hygiene result:
- Status:
- Highest risk:
- Required mitigations:
12. OWASP AI/LLM Security Review
Use this section for adversarial review.
| Risk Area | Review Question | Status | Notes |
|---|---|---|---|
| Prompt injection | Can a user override the system, agent, or tool instructions? | ||
| Scout-layer injection | Can a malicious signal enter through Scout ingestion and influence downstream routes? | ||
| Sensitive data leakage | Can prompts, logs, outputs, or alerts leak private data? | ||
| System prompt leakage | Can users infer system prompts, persona files, route config, or agent instructions? | ||
| Insecure output handling | Is LLM output executed, rendered, emailed, posted, or routed without validation? | ||
| Excessive agency | Can the agent perform actions without proper authorization or confirmation? | ||
| Overreliance | Could users/operators trust the output without verification? | ||
| Supply chain | Are external packages, APIs, models, or workflows trusted and pinned? Known CVEs reviewed? NOTE: OpenClaw CVE-2026-25253 "ClawBleed" CVSS 8.8 — one-click RCE via token theft. Verify patch status before any OpenClaw deployment. | ||
| Data poisoning | Can malicious input corrupt future memory, logs, sheets, workflows, or RAG? | ||
| Model/tool extraction | Can users infer internal prompts, secrets, or agent configuration? | ||
| Auth gaps | Are routes protected by API keys, Cloudflare Access, HMAC, or equivalent? | ||
| Logging gaps | Are security-relevant events logged without leaking secrets? | ||
| Secrets exposure | Has the repo been scanned for hardcoded secrets before GitHub/public deployment? |
Required output:
OWASP result:
- Highest risk:
- Required mitigations:
- Blocker? yes/no
13. Automated Secrets Scanning
Before moving any repo to public GitHub or production deployment, perform automated secrets scanning.
13.1 Minimum Requirement
Run at least one secrets scan before release.
Suggested tools:
- TruffleHog
- Gitleaks
- GitHub secret scanning, if available
- Manual grep for common secret patterns as fallback
13.2 Example Commands
# TruffleHog example
trufflehog git file://$PWD --only-verified
# Gitleaks example
gitleaks detect --source . --redact
# Lightweight fallback checks
grep -R "OPENAI_API_KEY\|ANTHROPIC_API_KEY\|BRAVE_API_KEY\|N8N\|TOKEN\|SECRET\|PASSWORD" . --exclude-dir=node_modules --exclude-dir=.git
13.3 Secrets Scan Checklist
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Automated scan completed | ||
| Results reviewed | ||
| Secrets removed or rotated | ||
.env excluded from Git | ||
.env.example provided if needed | ||
| Public repo has no private memory files | ||
| Public repo has no internal URLs/IPs/hostnames |
Required output:
Secrets scan result:
- Tool used:
- Result:
- Secrets found? yes/no
- Rotations required:
14. Atlantis-Specific Review
14.1 Nova Router / Nova Bus
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Route is registered | ||
| Route is protected | ||
| Agent permissions are clear | ||
| Input validation exists | ||
| Output is bounded | ||
| Failure response is honest | ||
| Metrics or logs exist | ||
| Kill Switch path exists | ||
| Route can be disabled in < 5 minutes |
14.2 n8n Workflow
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Webhook protected | ||
| Required fields validated | ||
| Honeypot or spam control present | ||
| Field mapping verified | ||
| Alert template clean | ||
| Error path tested | ||
| Incident owner notified on failure | ||
| Secrets not hardcoded | ||
| Production workflow does not use dev API keys | ||
| Production workflow does not write to staging/test Sheets | ||
| Kill Switch path exists |
14.3 Public App / Page
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Uses current Atlantis design standard | ||
| Privacy-safe copy | ||
| Clear CTA | ||
| Mobile usable | ||
| No internal hostnames/IPs exposed | ||
| No credentials or debug output | ||
| Contact info limited to approved public contact | ||
| Terms/disclaimer provided if AI intake is used | ||
| User understands when human follow-up occurs |
14.4 Abuse Prevention & Rate Limiting
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Rate limiting enabled on all public endpoints | ||
| Webhook payload validation implemented | ||
| Honeypot fields present on intake forms | ||
| Logic exists to block repetitive prompt flooding | ||
| Lead injection / fake submission filtering enabled | ||
| Abuse threshold documented and tested | ||
| Alert triggered on rate limit breach |
Required output:
Abuse prevention result:
- Rate limiting: yes/no
- Method:
- Honeypot: yes/no
- Launch blocker? yes/no
14.5 GitHub / Repo
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Correct org/repo | ||
| Correct branch | ||
| Secrets excluded | ||
| Automated secrets scan completed | ||
.env.example present if needed | ||
| README has safe setup notes | ||
| License/status clear if public | ||
| No private memory or updates file leaked | ||
| No internal hostnames, IPs, or port mappings leaked |
15. Kill Switch Protocol
Every production AI system, route, workflow, or public intake path must have a documented Kill Switch.
The Kill Switch must be simple enough to execute under stress.
15.1 Kill Switch Options
Acceptable Kill Switches include:
- Disable route in Nova Router registry
- Disable n8n workflow
- Rotate or revoke API key
- Disable Cloudflare route / Access policy
- Remove Vercel production domain
- Set feature flag to disabled
- PM2 stop/restart for local production-like services
- Block webhook path at reverse proxy
- Temporarily replace public page with maintenance message
15.2 Kill Switch Checklist
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Kill Switch owner assigned | ||
| Kill Switch steps documented | ||
| Kill Switch tested | ||
| Rollback/re-enable path documented | ||
| Alert channel defined | ||
| Shane can execute or delegate under pressure | ||
| Jimmy can trigger governance hold |
Required output:
Kill Switch result:
- Owner:
- Method:
- Tested? yes/no
- Launch blocker? yes/no
15.3 Minimum Kill Switch Record
## Kill Switch Record
- System:
- Owner:
- Disable method:
- Command / UI path:
- Alert channel:
- Re-enable method:
- Last tested:
16. Environment Separation & Docker Hardening
Production systems must not use development credentials, test data stores, staging alert channels, or unhardened containers unless explicitly documented.
16.1 Environment Separation
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Production API keys used only in production | ||
| Dev keys not present in production workflows | ||
| Test Google Sheets not used for production leads | ||
| Staging Discord/Telegram channels not used for production alerts unless intended | ||
| Environment variables documented | ||
Secrets are stored in platform secret manager or .env excluded from Git |
16.2 Docker Hardening
Run this checklist for any system deployed in a Docker container.
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| Ports bound to localhost only (not 0.0.0.0 public interface) | ||
| Volume mounts are read-only where possible | ||
| Environment variables not exposed in image build or Dockerfile | ||
| Secrets loaded from secure env file or secret manager (not hardcoded) | ||
| Container does not run as root | ||
| Image is from trusted source and pinned to a specific version | ||
| Unused ports not exposed | ||
| Container restart policy documented | ||
| Docker network isolated from other containers unless explicitly bridged |
Required output:
Environment & Docker hardening result:
- Environment separation status:
- Docker hardening status: (N/A if not containerized)
- Required fixes:
16.3 CIS Ubuntu 24.04 LTS Infrastructure Baseline
All Atlantis production infrastructure (Trunks WSL2, Hetzner VPS, Docker hosts) must meet CIS Ubuntu 24.04 LTS Level 1 benchmark before any production service is deployed.
Audit script: ~/nova/cis_wsl2_audit.sh
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| CIS Level 1 audit run on target system | ||
| Audit score ≥ 80% pass (excluding WSL2 skips) | ||
| All FAIL items reviewed and remediated or documented | ||
| All WARN items reviewed and decided | ||
Audit log saved to ~/nova/logs/cis-audit-YYYYMMDD.txt | ||
Audit log committed to atlantis-docs/security/ | ||
| Re-audit scheduled after any major system change |
CIS Level 1 minimum requirements before production:
| Area | Minimum Requirement |
|---|---|
| Filesystem | Unused kernel modules disabled |
| Services | No unnecessary services enabled |
| Network | Sysctl hardening applied (redirects, martians, syncookies) |
| Firewall | UFW active, default deny inbound |
| SSH | PermitRootLogin no, MaxAuthTries ≤ 4, X11Forwarding no |
| Passwords | PASS_MAX_DAYS ≤ 365, PASS_MIN_DAYS ≥ 1, PASS_WARN_AGE ≥ 7 |
| Logging | rsyslog active, auditd installed |
| File perms | /etc/passwd 644, /etc/shadow 640, /etc/group 644 |
| Accounts | No duplicate UID 0, no empty passwords |
Required output:
CIS baseline result:
- System audited:
- Audit date:
- Score:
- FAIL items:
- WARN items:
- Remediation status:
- Launch blocker? yes/no
16.4 VPS Pre-Deployment CIS Requirement
Before any Atlantis service (Forgejo, n8n, NTFY, Prometheus, Grafana, Portainer) is deployed to Hetzner or Hostinger VPS:
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
| CIS Level 1 audit run on fresh VPS instance | ||
| Zero WSL2 skips expected on bare VPS | ||
| Audit score ≥ 80% pass | ||
| UFW configured before any service port exposed | ||
| SSH hardened before Forgejo or any service goes live | ||
| auditd installed and active | ||
| All FAIL items resolved before deployment begins | ||
Audit result committed to atlantis-docs/security/cis-audit-vps-YYYYMMDD.txt |
Sequence: CIS audit PASS → UFW configured → SSH hardened → then deploy services. Never the other way.
16.5 atlantis-lab Sandbox CIS Container Baseline
All agent tool experiments (Freebuff, UI-TARS, OpenHuman, Hermes, OpenClaw, and any future agent tech watch candidates) must run inside a CIS-hardened container environment in atlantis-lab.
| Check | Pass / Needs Work / N/A | Notes |
|---|---|---|
Experiment runs in atlantis-lab repo only — never production repo | ||
Container is isolated via Docker bridge network (atlantis_sandbox) | ||
| Container does not run as root | ||
| No saved credentials, API keys, or tokens in container scope | ||
| No production browser sessions accessible | ||
| No banking, Cloudflare, Vercel, GoDaddy, or admin consoles in scope | ||
| No customer data or lead data in container scope | ||
| No direct connection to live Nova Bus, n8n, or Forgejo | ||
| Volume mounts read-only where possible | ||
| Ports bound to localhost only | ||
Container kill switch documented (docker stop <container>) | ||
Results documented in atlantis-lab/docs/findings/ | ||
| SOP-008 review required before any experiment is promoted to production |
Special rule for UI-TARS and any desktop-control agent: UI-TARS and similar tools that can control mouse and keyboard must run in a fully isolated WSL profile or VM with no access to the host Windows session, no saved Windows credentials, and no access to production dashboards or browser profiles. Shortest leash on the property.
Required output:
atlantis-lab sandbox result:
- Tool tested:
- Container isolation verified: yes/no
- Credentials in scope: yes/no (must be no)
- Production access in scope: yes/no (must be no)
- Findings documented: yes/no
- Ready for SOP-008 promotion review: yes/no
Use the highest applicable level.
| Rating | Meaning | Production Action |
|---|---|---|
| Low | Minor risk, mitigations in place | Can launch |
| Medium | Manageable risk, some follow-up needed | Can launch with owner and due date, normally within 7 days |
| High | Material security, privacy, reliability, governance, or brand risk | Do not launch until mitigated |
| Critical | Known leak, broken auth, unsafe high-agency behavior, missing Kill Switch, or broken incident path | Launch prohibited |
Required output:
Final risk rating:
- Rating:
- Reason:
- Launch decision:
- Required fixes:
- Follow-up owner:
18. Sign-Off
| Role | Name | Status | Notes |
|---|---|---|---|
| Governance Owner | Jimmy | Pending | |
| Architecture Reviewer | Ozzy | Complete — v0.3 | |
| Threat Reviewer | Scout | Pending | |
| Documentation / Privacy Reviewer | Mercy | Pending | |
| Code / Implementation Reviewer | Cooper or Mercy-Codex | Pending | |
| Final Approver | Shane | Pending | |
| Finance Gate | Maranda | N/A unless cost/pricing/client-facing impact |
No system covered by this SOP should move to production until required sign-offs are complete or explicitly waived by Shane with documented reason.
19. Production Readiness Checklist
- [ ] Intake completed
- [ ] NIST Govern reviewed
- [ ] NIST Map reviewed
- [ ] NIST Measure reviewed
- [ ] NIST Manage reviewed
- [ ] HITL requirements reviewed
- [ ] Memory / RAG hygiene reviewed
- [ ] OWASP AI/LLM review completed
- [ ] Automated secrets scan completed
- [ ] Atlantis-specific review completed
- [ ] Environment separation reviewed
- [ ] Docker hardening reviewed (if containerized)
- [ ] CIS Level 1 audit run on target infrastructure (score ≥ 80%)
- [ ] CIS audit log saved to ~/nova/logs/ and atlantis-docs/security/
- [ ] Rate limiting / abuse prevention reviewed
- [ ] Kill Switch documented and tested (< 5 min)
- [ ] Privacy / OPSEC review completed
- [ ] Risk rating assigned
- [ ] Required mitigations completed or assigned
- [ ] Monitoring path defined
- [ ] Rollback path defined
- [ ] Sign-off captured
20. Example: Nova Chat Intake Page
Use this example when reviewing the Home Help chat intake.
System
- Name: Nova Home Help Chat Intake
- Type: public chat intake / lead capture
- Domain:
atlantisits.co/home-help - Data: name, phone, email optional, service need, location, urgency, message
- Flow: public page → Nova Router → lead-engine → n8n → Sheets/CRM/alerts
NIST concerns
- Data collection must be disclosed clearly
- User must understand this is an intake, not a guaranteed contractor assignment
- Human follow-up path must be clear
- Lead routing and storage must be documented
- Human review should occur before contractor handoff
- Incident owner must be assigned before public release
- Kill Switch must disable the intake route or n8n workflow quickly
OWASP concerns
- Prompt injection attempting to override Nova behavior
- Malicious payloads in message fields
- Data leakage in Telegram/Discord alert templates
- Overreliance on automated classification
- Insecure output handling if user text is reflected into alerts or sheets
- Scout-layer or signal-ingestion abuse if lead source is later connected to social/search input
- Persistent memory poisoning if intake content is saved to long-term memory
Required mitigations
- Input validation
- Message length limit
- Field normalization
- Alert template fallback text
- No internal hostnames or debug output
- Human review before contractor handoff
- Logging without secrets
- Secrets scan before public GitHub deployment
- Kill Switch documented and tested
- Production workflow separated from dev/test keys and Sheets
21. Troubleshooting
| Symptom | Likely Cause | Fix |
|---|---|---|
| App wants to launch but no owner exists | Missing governance | Assign owner before review |
| n8n alert shows blank fields | Field mapping mismatch | Normalize payload and template fallbacks |
| Nova says an action succeeded without evidence | Missing verification layer | Add command/result verification |
| Public page exposes internal hostname | OPSEC failure | Remove and replace with public-safe URL |
| Prompt injection changes behavior | Missing system guardrails | Add instruction hierarchy and input filtering |
| Lead route rejects payload | Vertical/type resolver mismatch | Prefer explicit vertical over derived type |
| Logs expose secrets | Logging misconfigured | Redact secrets and rotate affected credentials |
| Repo scan finds secrets | Secret committed or copied into repo | Remove secret, rotate credential, rewrite history if needed |
| Agent can act without approval | Excessive agency | Add HITL gate or remove permission |
| Bad data enters memory/RAG | Memory poisoning | Freeze writes, rollback memory, require review before re-enable |
| Anomaly appears in production | No containment path | Execute Kill Switch and notify incident owner |
22. Related Documents
- NIST AI RMF — AI risk management framework
- OWASP Top 10 for LLM Applications — LLM security risks and mitigations
- OWASP ML Security Top 10 — machine learning security risks
- CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 — infrastructure hardening baseline
- ~/nova/cis_wsl2_audit.sh — Atlantis CIS Level 1 audit script (Trunks WSL2 + VPS)
- SOP-005 — Forgejo Deployment
- SOP-006 — Credential Rotation
- SOP-007 — Chronicle Build Procedure
- SOP-010 — Gemma 4 E4B Local Model Deployment
- atlantis-lab/SECURITY.md — sandbox rules for agent tech watch experiments
- core/PRIVACY-PROTOCOL.md — Atlantis privacy and OPSEC rules
- core/PRIORITY-RULES.md — Atlantis priority system
- atlantis-memory/updates.md — current tactical state
- ATLANTIS_AI_MEMORY.md — long-term memory
23. Revision History
| Version | Date | Author | Notes |
|---|---|---|---|
| 0.1 | 2026-05-10 | Mercy | Initial draft based on Cooper’s NIST/OWASP comparison and SOP-005 structure. |
| 0.2 | 2026-05-11 | Mercy + Jimmy | Merged Jimmy governance updates: HITL, memory/RAG hygiene, automated secrets scanning, excessive agency, Kill Switch, environment separation, and incident-owner alert path. |
| 0.3 | 2026-05-13 | Ozzy | Merged architecture review updates: multi-user isolation in intake (Section 8), Kill Switch < 5min KPI (Section 14.1), Rate Limiting / Abuse Prevention section (Section 14.4), Docker hardening checklist (Section 16.2), privacy fix in approval table (Section 24). |
| 0.4 | 2026-05-18 | Ozzy | Added CIS Ubuntu 24.04 LTS Benchmark v1.0.0 as third framework pillar (Section 4.3). Added Infrastructure Security Baseline: CIS audit requirement (16.3), VPS pre-deployment CIS checklist (16.4), atlantis-lab sandbox CIS container baseline (16.5). Flagged OpenClaw CVE-2026-25253 ClawBleed CVSS 8.8 in OWASP supply chain review (Section 12). Updated production readiness checklist with CIS audit item (Section 19). Updated related documents (Section 22). |
24. Approval
| Role | Name | Status |
|---|---|---|
| Initial Drafter | Mercy | Complete |
| Governance Owner | Jimmy | Pending |
| Architecture Reviewer | Ozzy | Complete — v0.4 |
| Threat Reviewer | Scout | Pending |
| Implementation Reviewer | Cooper | Pending |
| Approver | Shane | Pending |
| Finance Gate | Maranda | N/A unless cost/pricing/client-facing impact |
End of SOP-008 — AI Production Risk Review (NIST AI RMF + OWASP AI/LLM + CIS Benchmark)