Skip to content

Add agent integrity canary layer#11

Open
slavazeph-coder wants to merge 6 commits into
mainfrom
feature/agent-integrity-layer
Open

Add agent integrity canary layer#11
slavazeph-coder wants to merge 6 commits into
mainfrom
feature/agent-integrity-layer

Conversation

@slavazeph-coder

Copy link
Copy Markdown
Contributor

Summary

Adds a lightweight agent integrity layer for CRUMB-powered agent loops.

This extracts the practical engineering pattern from CL1/LLM encoder-style experiments — deterministic canaries, confidence scoring, safety checks, and drift monitoring — without adopting speculative consciousness claims.

Added

  • cli/agent_integrity.py

    • run_agent_integrity_check(input_text, proposed_action, model_output)
    • physical logic / car-wash canary
    • instruction-following check
    • contradiction detection
    • destructive tool-use safety check
    • memory write validation and secret detection
    • high-risk file edit scoring
    • DriftMonitor for long-running sessions
    • module CLI via python -m cli.agent_integrity
  • tests/test_agent_integrity.py

    • clean proceed path
    • car-wash canary fail/pass
    • secret-memory write block
    • destructive command block
    • high-risk file escalation
    • drift monitor degradation
  • docs/AGENT_INTEGRITY.md

    • usage examples
    • recommendation semantics
    • where to insert this into CRUMB, OpenClaw, and desktop agent loops

Notes

This is intentionally isolated and dependency-free. It does not modify the existing crumb command parser yet, so it can be merged safely and wired into higher-level commands in a follow-up.

@github-actions

Copy link
Copy Markdown
Contributor

✅ Shadow AI Scan

No Shadow AI findings detected at or above medium risk.

@github-actions

github-actions Bot commented Apr 15, 2026

Copy link
Copy Markdown
Contributor

CRUMB Bench Results

File Score Grade Tokens Compression
./.crumb N/A - - -
./.crumb/latest.crumb N/A - - -
./crumbs/map.crumb 79/100 B ~269 1.6x
./crumbs/mem.crumb 80/100 B ~225 1.7x
./examples/log-deployment.crumb 84/100 B ~147 2.0x
./examples/map-client-takeover.crumb 78/100 B ~290 1.6x
./examples/map-repo-onboarding.crumb 82/100 B ~166 1.7x
./examples/mem-mempalace-auth-migration.crumb 87/100 A ~120 2.5x
./examples/mem-terse-output.crumb 77/100 B ~336 1.6x
./examples/mem-user-preferences.crumb 83/100 B ~135 1.8x
./examples/task-bug-fix.crumb 83/100 B ~127 1.7x
./examples/task-content-repurpose-handoff.crumb 80/100 B ~250 1.7x
./examples/task-cross-tool-feature-handoff.crumb 79/100 B ~249 1.6x
./examples/task-feature-continuation.crumb 82/100 B ~134 1.7x
./examples/task-packed-auth-context.crumb 82/100 B ~233 2.1x
./examples/todo-sprint.crumb 84/100 B ~90 1.7x
./examples/wake-session.crumb N/A - - -
./fixtures/extensions/mempalace-export.crumb 86/100 A ~102 2.3x
./fixtures/extensions/task-packed.crumb 85/100 B ~157 2.3x
./fixtures/invalid/bad-kind.crumb N/A - - -
./fixtures/invalid/missing-source.crumb N/A - - -
./fixtures/valid/log-basic.crumb 82/100 B ~51 1.4x
./fixtures/valid/mem-basic.crumb 81/100 B ~42 1.2x
./fixtures/valid/task-basic.crumb 81/100 B ~65 1.2x

Powered by crumb-format — two-stage context compression

github-actions Bot added a commit that referenced this pull request Apr 15, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bd80e0abaa

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread cli/agent_integrity.py
if not result.failures:
print("- All checks passed.")

sys.exit(0 if result.recommendation in ("proceed", "ask_user") else 1)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Treat ask_user as non-success in CLI exit status

The CLI currently exits with code 0 for both proceed and ask_user, so automation that gates execution on process success (for example, if ...; then run_tool) will continue even when the integrity layer explicitly requested human confirmation. That bypasses the safety intent of ask_user and can allow risky actions to run unattended.

Useful? React with 👍 / 👎.

Comment thread cli/agent_integrity.py
Comment on lines +156 to +158
says_drive = re.search(r"\bdrive|bring|take\s+the\s+car|take\s+it\b", model_output, re.I) is not None

passed = says_drive and not says_walk

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Reject negated drive phrases in car-wash canary

The car-wash canary treats any drive/bring/take token as a positive signal, then passes when says_drive is true and says_walk is false. This incorrectly passes outputs like “Do not drive to the car wash,” because negation is ignored; in that case the canary reports success and the overall recommendation can become proceed for exactly the physical-logic error this check is meant to catch.

Useful? React with 👍 / 👎.

@slavazeph-coder slavazeph-coder force-pushed the feature/agent-integrity-layer branch from bd80e0a to c9a514d Compare April 15, 2026 03:19
github-actions Bot added a commit that referenced this pull request Apr 15, 2026

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ad04ed4e54

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread cli/agent_integrity.py
)

says_walk = re.search(r"\bwalk(?:ing)?\b", model_output, re.I) is not None
says_drive = re.search(r"\bdrive|bring|take\s+the\s+car|take\s+it\b", model_output, re.I) is not None

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Tighten car-wash drive matcher to avoid false passes

The says_drive regex is broad enough to treat unrelated phrasing as “car is physically involved” (for example, take it in “Take it easy and call ahead”). In car-wash context this sets says_drive=True, so the canary can pass and return proceed even when the output never says to bring/drive the car. That bypasses the exact safeguard this canary is intended to provide; use stricter word boundaries and car-specific phrases.

Useful? React with 👍 / 👎.

Comment thread cli/agent_integrity.py
)

score = _clip(mean([r.score for r in results]) if results else 0.0)
failures = [r.message for r in results if not r.passed]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve escalation reasons when warnings trigger ask_user

failures is built only from checks where passed is false, but _recommendation can return ask_user from warning checks that still have passed=True (like file_edit_risk with score 0.65). That yields recommendation=ask_user with failures=[], and the CLI then prints “All checks passed,” which hides why escalation happened for humans and downstream consumers relying on failures for rationale.

Useful? React with 👍 / 👎.

@slavazeph-coder slavazeph-coder force-pushed the feature/agent-integrity-layer branch from ad04ed4 to 869a4a5 Compare April 15, 2026 03:43

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 79ade9123a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread cli/agent_integrity.py
Comment on lines +288 to +289
text = f"{proposed_action}\n{model_output}"
secret_hits = [label for label, pattern in _SECRET_PATTERNS if pattern.search(text)]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Scan input text for secrets before approving memory writes

check_memory_write_validation only searches proposed_action and model_output for secret patterns, so a memory action can be marked safe even when the secret exists in input_text and the agent plans to store the user message verbatim. In that case run_agent_integrity_check can return proceed and allow credentials to be persisted to CRUMB memory despite this check’s stated purpose to prevent secret writes.

Useful? React with 👍 / 👎.

Comment thread cli/agent_integrity.py
Comment on lines +193 to +194
if key_terms and all(term in output or term in action for term in key_terms[:2]):
violations.append(forbidden[:120])

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Handle negated compliance in instruction-following check

The violation heuristic treats presence of forbidden keywords as a violation without checking whether the model is explicitly refusing the action, so compliant replies like “I will not delete the database” are flagged as constraint breaks. This produces false instruction_following failures and escalates recommendations (ask_user/block) in normal safety-preserving responses.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant