Skip to content

feat(monitor): targeted, tiered escalation for the ambiguous band#21

Merged
Ap6pack merged 1 commit into
mainfrom
claude/escalation-policy
Jul 6, 2026
Merged

feat(monitor): targeted, tiered escalation for the ambiguous band#21
Ap6pack merged 1 commit into
mainfrom
claude/escalation-policy

Conversation

@Ap6pack

@Ap6pack Ap6pack commented Jul 6, 2026

Copy link
Copy Markdown
Owner

Description

Implements the escalation model we talked through: the rules pass is confident at the two ends (obviously clean, obviously malicious), but there's an ambiguous middle where a sneaky skill hides — it scores just under the line. Instead of paying for a deep look at every flagged skill, spend the deep analysis only where it can change the verdict.

What's here

  • EscalationPolicy — pure, fully-tested selection of the ambiguous band (rule risk ~8–74, below the confident-malicious threshold), ranked by suspicion, capped by a per-run budget. Confident-clean and confident-malicious are skipped (a second opinion can't change them).

  • Pluggable backends behind one small async assess interface:

    backend runs cost
    none nothing (policy still records candidates) free
    hf free local Hugging Face classifier (CPU, optional [hf] extra) free
    anthropic full LLM analyzer (rules + LLM + FP suppression) paid
    tiered hf triage → anthropic only on a hit paid on the residual only

    tiered is the money-saver you asked for: the free tier filters the band, the LLM is spent only on what the free tier still flags. The HF tier is lazy-loaded and degrades gracefully if transformers isn't installed — it can never break a sweep.

  • build_snapshot is now two-phase: rule-scan everything (fast/free), then run the backend on policy-selected candidates. anthropic/tiered verdicts are authoritative (can raise a sneaky skill or clear a rule-engine false positive); hf is recorded as a triage signal without overriding the rule verdict. New fields: SkillRecord.ml_risk_score + escalation_{backend,verdict,score}, RegistrySnapshot.escalated_count.

  • CLI: --escalate-backend none|hf|anthropic|tiered and --escalate-budget N (--no-escalate = none).

A real finding baked into the defaults

While testing I checked the existing ML risk scorer against benign vs. malicious inputs: it returns ~0.9999998 for both. It saturates near 1.0 and can't discriminate — so the "rule-clean but ML-anomalous" escalation path (for truly-sneaky risk-0 skills) is disabled by default; enabling it would escalate the entire registry. It's kept as a config knob (EscalationPolicy.ml_threshold) for once the model is recalibrated. This is the "measure before you spend" instinct paying off.

Scope note

The scheduled workflow stays rules-only for now (from #20). This PR lands the capability + policy; flipping the workflow to tiered is a one-line follow-up once we've validated the exact HF model live (its tools were offline while I built this, so the default model id is documented but not yet pinned against the Hub).

Type of Change

  • New feature

Checklist

  • 31 new tests (policy bands/ranking/budget; none/hf/anthropic/tiered backends incl. graceful degradation; two-phase integration) — 1623 pass, 16 skipped
  • ruff + mypy clean
  • Docs updated (docs/crawl.md); optional [hf] extra added

🤖 Generated with Claude Code

https://claude.ai/code/session_01DNoTXU8k3pfSBzR7aJubqL


Generated by Claude Code

Instead of escalating every flagged skill (wasteful — most spend lands on
skills already decided), give a deep second opinion only where it can change
the verdict: the ambiguous middle the rules are unsure about.

- EscalationPolicy: pure, testable selection of the band (rule risk ~8-74,
  below the confident-malicious line), ranked by suspicion and capped by a
  per-run budget. Confident-clean and confident-malicious are skipped.
- Pluggable backends behind one async 'assess' interface:
    none | hf (free local HF classifier) | anthropic (full LLM) |
    tiered (hf triage -> anthropic only on a hit).
  'tiered' spends the paid LLM on the residual, not the whole band. HF is an
  optional [hf] extra, lazy-loaded, and degrades gracefully if absent so it
  can never break a sweep.
- build_snapshot is now two-phase: rule-scan everything (phase 1), then run
  the backend on policy-selected candidates (phase 2). Anthropic/tiered
  verdicts are authoritative (can raise a sneaky skill or clear a false
  positive); hf is recorded as a triage signal. SkillRecord gains
  ml_risk_score + escalation_{backend,verdict,score}; snapshot gains
  escalated_count.
- CLI: --escalate-backend / --escalate-budget (--no-escalate = backend none).

Finding baked into the defaults: the stock ML risk scorer outputs ~1.0 for
both benign and malicious skills, so the 'rule-clean but ML-anomalous'
escalation path is DISABLED by default (would escalate everything). Kept as
a config knob for when the model is recalibrated.

31 new tests (policy bands, ranking, budget; hf/anthropic/tiered/none
backends incl. graceful degradation; two-phase integration). 1623 pass.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01DNoTXU8k3pfSBzR7aJubqL
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

✅ Malwar Scan Results

Metric Value
Verdict CLEAN
Risk Score 0/100
Findings 0

Scanned by Malwar — malware detection for agentic AI skills.

@Ap6pack Ap6pack merged commit 1c06a15 into main Jul 6, 2026
6 checks passed
@Ap6pack Ap6pack deleted the claude/escalation-policy branch July 6, 2026 06:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants