feat(monitor): targeted, tiered escalation for the ambiguous band#21
Merged
Conversation
Instead of escalating every flagged skill (wasteful — most spend lands on
skills already decided), give a deep second opinion only where it can change
the verdict: the ambiguous middle the rules are unsure about.
- EscalationPolicy: pure, testable selection of the band (rule risk ~8-74,
below the confident-malicious line), ranked by suspicion and capped by a
per-run budget. Confident-clean and confident-malicious are skipped.
- Pluggable backends behind one async 'assess' interface:
none | hf (free local HF classifier) | anthropic (full LLM) |
tiered (hf triage -> anthropic only on a hit).
'tiered' spends the paid LLM on the residual, not the whole band. HF is an
optional [hf] extra, lazy-loaded, and degrades gracefully if absent so it
can never break a sweep.
- build_snapshot is now two-phase: rule-scan everything (phase 1), then run
the backend on policy-selected candidates (phase 2). Anthropic/tiered
verdicts are authoritative (can raise a sneaky skill or clear a false
positive); hf is recorded as a triage signal. SkillRecord gains
ml_risk_score + escalation_{backend,verdict,score}; snapshot gains
escalated_count.
- CLI: --escalate-backend / --escalate-budget (--no-escalate = backend none).
Finding baked into the defaults: the stock ML risk scorer outputs ~1.0 for
both benign and malicious skills, so the 'rule-clean but ML-anomalous'
escalation path is DISABLED by default (would escalate everything). Kept as
a config knob for when the model is recalibrated.
31 new tests (policy bands, ranking, budget; hf/anthropic/tiered/none
backends incl. graceful degradation; two-phase integration). 1623 pass.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DNoTXU8k3pfSBzR7aJubqL
✅ Malwar Scan Results
Scanned by Malwar — malware detection for agentic AI skills. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Implements the escalation model we talked through: the rules pass is confident at the two ends (obviously clean, obviously malicious), but there's an ambiguous middle where a sneaky skill hides — it scores just under the line. Instead of paying for a deep look at every flagged skill, spend the deep analysis only where it can change the verdict.
What's here
EscalationPolicy— pure, fully-tested selection of the ambiguous band (rule risk ~8–74, below the confident-malicious threshold), ranked by suspicion, capped by a per-run budget. Confident-clean and confident-malicious are skipped (a second opinion can't change them).Pluggable backends behind one small async
assessinterface:nonehf[hf]extra)anthropictieredhftriage →anthropiconly on a hittieredis the money-saver you asked for: the free tier filters the band, the LLM is spent only on what the free tier still flags. The HF tier is lazy-loaded and degrades gracefully iftransformersisn't installed — it can never break a sweep.build_snapshotis now two-phase: rule-scan everything (fast/free), then run the backend on policy-selected candidates.anthropic/tieredverdicts are authoritative (can raise a sneaky skill or clear a rule-engine false positive);hfis recorded as a triage signal without overriding the rule verdict. New fields:SkillRecord.ml_risk_score+escalation_{backend,verdict,score},RegistrySnapshot.escalated_count.CLI:
--escalate-backend none|hf|anthropic|tieredand--escalate-budget N(--no-escalate=none).A real finding baked into the defaults
While testing I checked the existing ML risk scorer against benign vs. malicious inputs: it returns ~0.9999998 for both. It saturates near 1.0 and can't discriminate — so the "rule-clean but ML-anomalous" escalation path (for truly-sneaky risk-0 skills) is disabled by default; enabling it would escalate the entire registry. It's kept as a config knob (
EscalationPolicy.ml_threshold) for once the model is recalibrated. This is the "measure before you spend" instinct paying off.Scope note
The scheduled workflow stays rules-only for now (from #20). This PR lands the capability + policy; flipping the workflow to
tieredis a one-line follow-up once we've validated the exact HF model live (its tools were offline while I built this, so the default model id is documented but not yet pinned against the Hub).Type of Change
Checklist
ruff+mypycleandocs/crawl.md); optional[hf]extra added🤖 Generated with Claude Code
https://claude.ai/code/session_01DNoTXU8k3pfSBzR7aJubqL
Generated by Claude Code