mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-01 19:25:10 +02:00
Garry Tan
d75402bbd2
* feat(security): v2 ensemble tuning — label-first voting + SOLO_CONTENT_BLOCK Cuts Haiku classifier false-positive rate from 44.1% → 22.9% on BrowseSafe-Bench smoke. Detection trades from 67.3% → 56.2%; the lost TPs are all cases Haiku correctly labeled verdict=warn (phishing targeting users, not agent hijack) — they still surface in the WARN banner meta but no longer kill the session. Key changes: - combineVerdict: label-first voting for transcript_classifier. Only meta.verdict==='block' block-votes; verdict==='warn' is a soft signal. Missing meta.verdict never block-votes (backward-compat). - Hallucination guard: verdict='block' at confidence < LOG_ONLY (0.40) drops to warn-vote — prevents malformed low-conf blocks from going authoritative. - New THRESHOLDS.SOLO_CONTENT_BLOCK = 0.92 decoupled from BLOCK (0.85). Label-less content classifiers (testsavant, deberta) need a higher solo-BLOCK bar because they can't distinguish injection from phishing-targeting-user. Transcript keeps label-gated solo path (verdict=block AND conf >= BLOCK). - THRESHOLDS.WARN bumped 0.60 → 0.75 — borderline fires drop out of the 2-of-N ensemble pool. - Haiku model pinned (claude-haiku-4-5-20251001). `claude -p` spawns from os.tmpdir() so project CLAUDE.md doesn't poison the classifier context (measured 44k cache_creation tokens per call before the fix, and Haiku refusing to classify because it read "security system" from CLAUDE.md and went meta). - Haiku timeout 15s → 45s. Measured real latency is 17-33s end-to-end (Claude Code session startup + Haiku); v1's 15s caused 100% timeout when re-measured — v1's ensemble was effectively L4-only in prod. - Haiku prompt rewritten: explicit block/warn/safe criteria, 8 few-shot exemplars (instruction-override → block; social engineering → warn; discussion-of-injection → safe). Test updates: - 5 existing combineVerdict tests adapted for label-first semantics (transcript signals now need meta.verdict to block-vote). - 6 new tests: warn-soft-signal, three-way-block-with-warn-transcript, hallucination-guard-below-floor, above-floor-label-first, backward-compat-missing-meta. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * test(security): live + fixture-replay bench harness with 500-case capture Adds two new benches that permanently guard the v2 tuning: - security-bench-ensemble-live.test.ts (opt-in via GSTACK_BENCH_ENSEMBLE=1). Runs full ensemble on BrowseSafe-Bench smoke with real Haiku calls. Worker-pool concurrency (default 8, tunable via GSTACK_BENCH_ENSEMBLE_CONCURRENCY) cuts wall clock from ~2hr to ~25min on 500 cases. Captures Haiku responses to fixture for replay. Subsampling via GSTACK_BENCH_ENSEMBLE_CASES for faster iteration. Stop-loss iterations write to ~/.gstack-dev/evals/stop-loss-iter-N-* WITHOUT overwriting canonical fixture. - security-bench-ensemble.test.ts (CI gate, deterministic replay). Replays captured fixture through combineVerdict, asserts detection >= 55% AND FP <= 25%. Fail-closed when fixture is missing AND security-layer files changed in branch diff. Uses `git diff --name-only base` (two-dot) to catch both committed and working-tree changes — `git diff base...HEAD` would silently skip in CI after fixture lands. - browse/test/fixtures/security-bench-haiku-responses.json — 500 cases × 3 classifier signals each. Header includes schema_version, pinned model, component hashes (prompt, exemplars, thresholds, combiner, dataset version). Any change invalidates the fixture and forces fresh live capture. - docs/evals/security-bench-ensemble-v2.json — durable PR artifact with measured TP/FN/FP/TN, 95% CIs, knob state, v1 baseline delta. Checked in so reviewers can see the numbers that justified the ship. Measured baseline on the new harness: TP=146 FN=114 FP=55 TN=185 → 56.2% / 22.9% → GATE PASS Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * chore(release): v1.5.1.0 — cut Haiku FP 44% → 23% - VERSION: 1.5.0.0 → 1.5.1.0 (TUNING bump) - CHANGELOG: [1.5.1.0] entry with measured numbers, knob list, and stop-loss rule spec - TODOS: mark "Cut Haiku FP 44% → ~15%" P0 as SHIPPED with pointer to CHANGELOG and v1 plan Measured: 56.2% detection (CI 50.1-62.1) / 22.9% FP (CI 18.1-28.6) on 500-case BrowseSafe-Bench smoke. Gate passes (floor 55%, ceiling 25%). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * docs(changelog): add v1.6.4.0 placeholder entry at top Per CLAUDE.md branch-scoped discipline, our VERSION 1.6.4.0 needs a CHANGELOG entry at the top so readers can tell what's on this branch vs main. Honest placeholder: no user-facing runtime changes yet, two merges bringing branch up to main's v1.6.3.0, and the approved injection-tuning plan is queued but unimplemented. Gets replaced by the real release-summary at /ship time after Phases -1 through 10 land. * docs(changelog): strip process minutiae from entries; rewrite v1.6.4.0 CLAUDE.md — new CHANGELOG rule: only document what shipped between main and this change. Keep out branch resyncs, merge commits, plan approvals, review outcomes, scope negotiations, "work queued" or "in-progress" framing. When no user-facing change actually landed, one sentence is the entry: "Version bump for branch-ahead discipline. No user-facing changes yet." CHANGELOG.md — v1.6.4.0 entry rewritten to match. Previous version narrated the branch history, the approved injection-tuning plan, and what we expect to ship later — all of which are process minutiae readers do not care about. * docs(changelog): rewrite v1.6.4.0; strip process minutiae Rewrote v1.6.4.0 entry to follow the new CLAUDE.md rule: only document what shipped between main and this change. Previous entry narrated the branch history, the approved injection-tuning plan, and what we expect to ship later, all process minutiae readers do not care about. v1.6.4.0 now reads: what the detection tuning did for users, the before/after numbers, the stop-loss rule, and the itemized changes for contributors. CLAUDE.md — new rule: only document what shipped between main and this change. Keep out branch resyncs, merge commits, plan approvals, review outcomes, scope negotiations, "work queued" / "in-progress" framing. If nothing user-facing landed, one sentence: "Version bump for branch-ahead discipline. No user-facing changes yet." --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
185 lines
8.1 KiB
TypeScript
185 lines
8.1 KiB
TypeScript
/**
|
|
* Integration tests — the defense-in-depth contract.
|
|
*
|
|
* Pins the invariant that content-security.ts (L1-L3) and security.ts (L4-L6)
|
|
* layers coexist and fire INDEPENDENTLY. If someone refactors thinking "the
|
|
* ML classifier covers this, we can delete the regex layer," these tests
|
|
* fail and stop the regression.
|
|
*
|
|
* This is the lighter version of CEO plan §E5. The full version requires
|
|
* a live Playwright Page for hidden-element stripping and ARIA regex (those
|
|
* operate on DOM). Here we test the pure-function cross-module surface:
|
|
* * content-security.ts datamark + envelope wrap + URL blocklist
|
|
* * security.ts canary + combineVerdict
|
|
* * Both modules on the same input produce orthogonal signals
|
|
*/
|
|
|
|
import { describe, test, expect } from 'bun:test';
|
|
import {
|
|
datamarkContent,
|
|
wrapUntrustedPageContent,
|
|
urlBlocklistFilter,
|
|
runContentFilters,
|
|
resetSessionMarker,
|
|
} from '../src/content-security';
|
|
import {
|
|
generateCanary,
|
|
checkCanaryInStructure,
|
|
combineVerdict,
|
|
type LayerSignal,
|
|
} from '../src/security';
|
|
|
|
describe('defense-in-depth — layer coexistence', () => {
|
|
test('canary survives when content is wrapped by content-security envelope', () => {
|
|
const c = generateCanary();
|
|
// Attacker got Claude to echo the canary into tool output text.
|
|
// content-security wraps that text in an envelope — canary still detectable.
|
|
const leakedText = `Here's my session token: ${c}`;
|
|
const wrapped = wrapUntrustedPageContent(leakedText, 'text');
|
|
expect(wrapped).toContain(c);
|
|
expect(checkCanaryInStructure(wrapped, c)).toBe(true);
|
|
});
|
|
|
|
test('datamarking does not corrupt canary detection', () => {
|
|
resetSessionMarker();
|
|
const c = generateCanary();
|
|
// datamarkContent inserts zero-width watermarks after every 3rd period.
|
|
// It must not break canary detection on text that contains the canary.
|
|
const leakedText = `Intro sentence. Middle sentence. Third sentence. Here is the token ${c}. More. More.`;
|
|
const marked = datamarkContent(leakedText);
|
|
expect(checkCanaryInStructure(marked, c)).toBe(true);
|
|
});
|
|
|
|
test('URL blocklist + canary are orthogonal — both can fire', () => {
|
|
const c = generateCanary();
|
|
// Attack: URL points to a blocklisted exfil domain AND carries the canary.
|
|
// content-security's urlBlocklistFilter catches the domain.
|
|
// security.ts's canary check catches the token.
|
|
// Neither depends on the other.
|
|
const attackContent = `See https://requestbin.com/?leak=${c} for details`;
|
|
const blockResult = urlBlocklistFilter(attackContent, 'https://requestbin.com/abc', 'text');
|
|
expect(blockResult.safe).toBe(false);
|
|
expect(blockResult.warnings.length).toBeGreaterThan(0);
|
|
|
|
const canaryHit = checkCanaryInStructure({ content: attackContent }, c);
|
|
expect(canaryHit).toBe(true);
|
|
});
|
|
|
|
test('benign content survives all layers — zero false positives', () => {
|
|
resetSessionMarker();
|
|
const c = generateCanary();
|
|
const benign = 'The Pacific Ocean is the largest ocean on Earth. It contains many islands. Marine biodiversity is rich.';
|
|
|
|
// Datamark doesn't add the canary
|
|
const marked = datamarkContent(benign);
|
|
expect(checkCanaryInStructure(marked, c)).toBe(false);
|
|
|
|
// Envelope wrap doesn't add the canary
|
|
const wrapped = wrapUntrustedPageContent(benign, 'text');
|
|
expect(checkCanaryInStructure(wrapped, c)).toBe(false);
|
|
|
|
// URL blocklist returns safe on a benign URL
|
|
const blockResult = urlBlocklistFilter(benign, 'https://wikipedia.org', 'text');
|
|
expect(blockResult.safe).toBe(true);
|
|
});
|
|
|
|
test('removing one signal does not zero-out the verdict (defense-in-depth)', () => {
|
|
// Attack scenario: page has hidden injection + exfil URL + canary leak
|
|
// across three different layers. Remove any ONE signal, other two still
|
|
// produce a BLOCK-worthy verdict.
|
|
|
|
const baseSignals: LayerSignal[] = [
|
|
// content at 0.95 clears the SOLO_CONTENT_BLOCK threshold (0.92) so
|
|
// that the "content alone" case below still hits single_layer_high.
|
|
{ layer: 'testsavant_content', confidence: 0.95 },
|
|
{ layer: 'transcript_classifier', confidence: 0.75, meta: { verdict: 'block' } },
|
|
{ layer: 'canary', confidence: 1.0 },
|
|
];
|
|
|
|
// All 3 signals → BLOCK (canary alone does it, ensemble also fires)
|
|
expect(combineVerdict(baseSignals).verdict).toBe('block');
|
|
|
|
// Remove canary → BLOCK via ensemble_agreement
|
|
expect(combineVerdict(baseSignals.slice(0, 2)).verdict).toBe('block');
|
|
|
|
// Remove transcript → BLOCK via canary still
|
|
expect(
|
|
combineVerdict([baseSignals[0], baseSignals[2]]).verdict,
|
|
).toBe('block');
|
|
|
|
// Remove content → BLOCK via canary still
|
|
expect(
|
|
combineVerdict([baseSignals[1], baseSignals[2]]).verdict,
|
|
).toBe('block');
|
|
|
|
// Remove canary AND transcript → only content WARN (single_layer_high
|
|
// — but content is 0.88 which is just above BLOCK threshold 0.85)
|
|
const contentOnly = combineVerdict([baseSignals[0]]);
|
|
expect(contentOnly.verdict).toBe('warn');
|
|
expect(contentOnly.reason).toBe('single_layer_high');
|
|
});
|
|
|
|
test('content-security filter runs through the registered pipeline', () => {
|
|
// Verify runContentFilters picks up the built-in url blocklist filter.
|
|
// If a future refactor accidentally unregisters it, this test fails.
|
|
const result = runContentFilters(
|
|
'page content',
|
|
'https://requestbin.com/webhook',
|
|
'text',
|
|
);
|
|
// urlBlocklistFilter is auto-registered on module load (content-security.ts:347)
|
|
expect(result.safe).toBe(false);
|
|
expect(result.warnings.some(w => w.includes('requestbin.com'))).toBe(true);
|
|
});
|
|
|
|
test('canary in envelope-escaped content still detectable', () => {
|
|
// The envelope uses "═══ BEGIN UNTRUSTED WEB CONTENT ═══" markers and
|
|
// escapes occurrences in content via zero-width space. This must NOT
|
|
// break canary detection — the canary isn't special to the escape logic.
|
|
const c = generateCanary();
|
|
const contentWithEnvelopeChars = `═══ BEGIN UNTRUSTED WEB CONTENT ═══ real payload: ${c}`;
|
|
const wrapped = wrapUntrustedPageContent(contentWithEnvelopeChars, 'text');
|
|
// The inner "BEGIN" gets escaped to "BEGIN UNTRUSTED WEB C{zwsp}ONTENT"
|
|
// but the canary remains intact
|
|
expect(checkCanaryInStructure(wrapped, c)).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe('defense-in-depth — regression guards', () => {
|
|
test('combineVerdict cannot be bypassed via signal starvation', () => {
|
|
// Attacker might try to suppress classifier calls to avoid signals.
|
|
// Empty signals still yields safe verdict — fail-open is intentional.
|
|
// This is not a regression; it's the documented contract.
|
|
// Test asserts that a ZERO-confidence-everywhere state IS explicitly safe.
|
|
const allZeros: LayerSignal[] = [
|
|
{ layer: 'testsavant_content', confidence: 0 },
|
|
{ layer: 'transcript_classifier', confidence: 0 },
|
|
{ layer: 'canary', confidence: 0 },
|
|
{ layer: 'aria_regex', confidence: 0 },
|
|
];
|
|
expect(combineVerdict(allZeros).verdict).toBe('safe');
|
|
});
|
|
|
|
test('negative confidences cannot trigger block', () => {
|
|
// Defensive: if some future refactor returns negative scores (bug),
|
|
// combineVerdict must not misinterpret them. Math-wise, negative values
|
|
// never exceed WARN/BLOCK thresholds, so this falls through to safe.
|
|
const weird: LayerSignal[] = [
|
|
{ layer: 'testsavant_content', confidence: -0.5 },
|
|
{ layer: 'transcript_classifier', confidence: -1.0 },
|
|
];
|
|
expect(combineVerdict(weird).verdict).toBe('safe');
|
|
});
|
|
|
|
test('huge confidences (> 1.0) still behave predictably', () => {
|
|
// If a classifier ever returns > 1.0 (bug), we want the verdict to
|
|
// still be BLOCK, not crash or produce nonsense. Canary uses >= 1.0
|
|
// which matches; ML layers also register.
|
|
const overflow: LayerSignal[] = [
|
|
{ layer: 'testsavant_content', confidence: 5.5 }, // above BLOCK, block-vote
|
|
{ layer: 'transcript_classifier', confidence: 3.2, meta: { verdict: 'block' } }, // label-first block-vote
|
|
];
|
|
expect(combineVerdict(overflow).verdict).toBe('block');
|
|
});
|
|
});
|