From e7335b160f7e3d7fafca5b069217279b5c39d86d Mon Sep 17 00:00:00 2001 From: Adrian Asher Date: Thu, 21 May 2026 10:52:00 +0100 Subject: [PATCH 1/8] =?UTF-8?q?feat(approvals):=20Phase=209=20=E2=80=94=20?= =?UTF-8?q?tacit=20approval=20capture=20from=20Claude=20Code-native=20prom?= =?UTF-8?q?pts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When Dredd says allow but Claude Code surfaces its own permission prompt (because the tool isn't in the user's local allowlist), the user clicking Yes is real consent we can learn from. Phase 9 captures it. Flow: /evaluate (allow) stashes a tacit-pending candidate; /notification arrives with a permission-style message; /track promotes the candidate with source="tacit" gated on a matching notification in the 60s window. No notification → no promotion (tool was auto-allowed; no consent given). Safety floor: tacit approvals feed the soft pattern-trust signal (judge prompt context) but are filtered out of the Stage 0.5 hard short-circuit count. Hard-override of Dredd policy denies still requires ≥2 explicit prior approvals — a Claude Code native click can never authorise rm -rf. Tests: 21 new assertions in test_phase9_tacit_approval.ts + 4 new cases in test_phase8b_pattern_trust.ts covering tacit filtering, mixed sources, and legacy missing-source rows. Co-Authored-By: Claude Opus 4.7 (1M context) --- hooks/tests/test_phase8b_pattern_trust.ts | 112 +++++++++++++ hooks/tests/test_phase9_tacit_approval.ts | 192 ++++++++++++++++++++++ package.json | 2 +- src/approval-store.ts | 21 +++ src/dynamo-approval-store.ts | 9 +- src/handlers/evaluate.ts | 38 +++++ src/handlers/notification.ts | 5 +- src/handlers/track.ts | 106 +++++++----- src/pending-approvals.ts | 29 +++- src/pretool-interceptor.ts | 19 ++- src/server-core.ts | 63 ++++++- 11 files changed, 541 insertions(+), 55 deletions(-) create mode 100644 hooks/tests/test_phase9_tacit_approval.ts diff --git a/hooks/tests/test_phase8b_pattern_trust.ts b/hooks/tests/test_phase8b_pattern_trust.ts index 91318fd8e..befff1c9d 100644 --- a/hooks/tests/test_phase8b_pattern_trust.ts +++ b/hooks/tests/test_phase8b_pattern_trust.ts @@ -262,6 +262,118 @@ async function main() { result.patternTrust === undefined ? pass("[]-vector approvals ignored") : fail("[]-vector counted somehow"); } + // ------------------------------------------------------------------- + // Phase 9 — only explicit approvals count for the hard short-circuit. + section("Phase 9: tacit approvals don't drive HARD short-circuit"); + + { + const approvals = [ + makeApproval({ summary: "tacit 1", inputEmbedding: ALIGNED, source: "tacit" }), + makeApproval({ summary: "tacit 2", inputEmbedding: ALMOST, source: "tacit" }), + ]; + const result = await interceptor.evaluate( + "s-test", + "Bash", + { command: "ALIGNED something" }, + undefined, + "/proj/foo", + "interactive", + undefined, + false, + undefined, + null, + approvals, + true, + ); + result.stage !== "pattern-trust-allow" + ? pass(`2 tacit matches: no hard short-circuit (stage=${result.stage})`) + : fail("tacit-only matches incorrectly short-circuited"); + // Soft signal still feeds the judge prompt (softContext); the + // result.patternTrust annotation is only set on the hard path + // (see InterceptionResult.patternTrust JSDoc), so we don't assert + // on it here. + } + + section("Phase 9: 1 explicit + 1 tacit: still no HARD short-circuit"); + + { + const approvals = [ + makeApproval({ summary: "explicit", inputEmbedding: ALIGNED, source: "explicit" }), + makeApproval({ summary: "tacit", inputEmbedding: ALMOST, source: "tacit" }), + ]; + const result = await interceptor.evaluate( + "s-test", + "Bash", + { command: "ALIGNED rm" }, + undefined, + "/proj/foo", + "interactive", + undefined, + false, + undefined, + null, + approvals, + true, + ); + result.stage !== "pattern-trust-allow" + ? pass(`mixed 1-explicit-1-tacit: no hard short-circuit (stage=${result.stage})`) + : fail("mixed counted as 2 explicit"); + } + + section("Phase 9: 2 explicit (mixed with tacit) short-circuits"); + + { + const approvals = [ + makeApproval({ summary: "explicit 1", inputEmbedding: ALIGNED, source: "explicit" }), + makeApproval({ summary: "explicit 2", inputEmbedding: ALMOST, source: "explicit" }), + makeApproval({ summary: "tacit noise", inputEmbedding: ALIGNED, source: "tacit" }), + ]; + const result = await interceptor.evaluate( + "s-test", + "Bash", + { command: "ALIGNED rm -rf" }, + undefined, + "/proj/foo", + "interactive", + undefined, + false, + undefined, + null, + approvals, + true, + ); + result.stage === "pattern-trust-allow" + ? pass(`2 explicit + 1 tacit short-circuited (stage=${result.stage})`) + : fail(`expected pattern-trust-allow, got ${result.stage}`); + } + + section("Phase 9: legacy approvals (missing source) treated as explicit"); + + { + // Simulate legacy rows that pre-date the source field by deleting it. + const a1 = makeApproval({ summary: "legacy 1", inputEmbedding: ALIGNED }) as any; + const a2 = makeApproval({ summary: "legacy 2", inputEmbedding: ALMOST }) as any; + delete a1.source; + delete a2.source; + const result = await interceptor.evaluate( + "s-test", + "Bash", + { command: "ALIGNED rm -rf" }, + undefined, + "/proj/foo", + "interactive", + undefined, + false, + undefined, + null, + [a1, a2], + true, + ); + result.stage === "pattern-trust-allow" + ? pass(`legacy rows count as explicit (stage=${result.stage})`) + : fail(`expected pattern-trust-allow, got ${result.stage}`); + } + } finally { stub.close(); } diff --git a/hooks/tests/test_phase9_tacit_approval.ts b/hooks/tests/test_phase9_tacit_approval.ts new file mode 100644 index 000000000..969cdc0a2 --- /dev/null +++ b/hooks/tests/test_phase9_tacit_approval.ts @@ -0,0 +1,192 @@ +/** + * Phase 9 — tacit approval capture from Claude Code-native prompts. + * + * Covers the surface area that doesn't need a running server: + * 1. isPermissionPromptMessage classifier + * 2. recordNotification + consumeRecentPermissionNotification + * (timing window, message-classification gating) + * 3. ApprovalStore round-trips the source field (InMemory + Dynamo + * marshal would diverge; Dynamo path is covered by integration) + * 4. Pending-approval source defaulting + * + * Run: npx tsx hooks/tests/test_phase9_tacit_approval.ts + */ + +import { + isPermissionPromptMessage, + recordNotification, + consumeRecentPermissionNotification, + notificationCounts, + TACIT_NOTIFICATION_WINDOW_MS, +} from "../../src/server-core.js"; +import { InMemoryApprovalStore } from "../../src/approval-store.js"; +import { + recordPendingApproval, + consumePendingApproval, +} from "../../src/pending-approvals.js"; + +const c = { green: "\x1b[32m", red: "\x1b[31m", off: "\x1b[0m", dim: "\x1b[2m" }; +let PASS = 0; +let FAIL = 0; +const pass = (m: string) => { console.log(` ${c.green}✓${c.off} ${m}`); PASS++; }; +const fail = (m: string) => { console.log(` ${c.red}✗${c.off} ${m}`); FAIL++; }; +const section = (h: string) => console.log(`\n${c.dim}---${c.off} ${h} ${c.dim}---${c.off}`); + +async function main() { + // ------------------------------------------------------------------------- + section("isPermissionPromptMessage classifier"); + + const positives = [ + "Claude needs your permission to use Bash", + "Approve tool use", + "Permission to use Edit", + "Allow Bash command?", + "Authorize this action", + "Proceed with this tool call?", + "Approval required", + ]; + for (const m of positives) { + isPermissionPromptMessage(m) + ? pass(`positive: "${m}"`) + : fail(`expected positive for "${m}"`); + } + + const negatives = [ + "Waiting for input", + "Task completed", + "", + "Editor opened", + ]; + for (const m of negatives) { + !isPermissionPromptMessage(m) + ? pass(`negative: "${m || "(empty)"}"`) + : fail(`expected negative for "${m}"`); + } + + // ------------------------------------------------------------------------- + section("recordNotification + consumeRecentPermissionNotification"); + + // Reset notification state — server-core maps are module-scoped. + notificationCounts.clear(); + + const sid = "test-session-phase9"; + recordNotification(sid, "Claude needs your permission to use Bash"); + const n = consumeRecentPermissionNotification(sid); + n + ? pass("recent permission notification is consumable") + : fail("expected a notification within window"); + + // Non-permission notification — should NOT be consumed. + notificationCounts.clear(); + const sid2 = "test-session-phase9b"; + recordNotification(sid2, "Waiting for input"); + const n2 = consumeRecentPermissionNotification(sid2); + n2 === null + ? pass("non-permission notification is not consumed") + : fail("expected null for non-permission message"); + + // No notification at all → null. + consumeRecentPermissionNotification("missing-session") === null + ? pass("missing-session returns null") + : fail("expected null for missing session"); + + // ------------------------------------------------------------------------- + section("ApprovalRecord round-trips source"); + + const store = new InMemoryApprovalStore(); + const scope = { ownerSub: "u1", projectRoot: "/proj/p" }; + const explicit = await store.recordApproval({ + scope, + ownerEmail: null, + fingerprintHash: "fp-explicit", + fingerprintJson: "{}", + summary: "explicit", + tool: "Bash", + intentSnapshot: "", + goalEmbedding: [], + inputEmbedding: [], + // omit source → defaults to "explicit" + }); + explicit.source === "explicit" + ? pass("omitted source defaults to explicit") + : fail(`got ${explicit.source}`); + + const tacit = await store.recordApproval({ + scope, + ownerEmail: null, + fingerprintHash: "fp-tacit", + fingerprintJson: "{}", + summary: "tacit", + tool: "Bash", + intentSnapshot: "", + goalEmbedding: [], + inputEmbedding: [], + source: "tacit", + }); + tacit.source === "tacit" + ? pass("tacit source persists") + : fail(`got ${tacit.source}`); + + const lookedUp = await store.lookup(scope, "fp-tacit"); + lookedUp?.source === "tacit" + ? pass("lookup returns tacit source") + : fail(`lookup source: ${lookedUp?.source}`); + + // listForScope returns BOTH sources — filtering is the caller's job. + const scoped = await store.listForScope(scope); + const sources = new Set(scoped.map((r) => r.source)); + sources.has("explicit") && sources.has("tacit") + ? pass("listForScope returns both explicit + tacit") + : fail(`sources in scope: ${[...sources].join(",")}`); + + // ------------------------------------------------------------------------- + section("Pending-approval source defaulting"); + + recordPendingApproval("s1", "tool-1", { + tool: "Bash", + fingerprintHash: "fp1", + fingerprintJson: "{}", + summary: "p1", + intentSnapshot: "", + goalEmbedding: [], + // omit source + }); + const p1 = consumePendingApproval("s1", "tool-1"); + (p1?.source ?? "explicit") === "explicit" + ? pass("pending defaults to explicit when source omitted") + : fail(`got ${p1?.source}`); + + recordPendingApproval("s1", "tool-2", { + tool: "Bash", + fingerprintHash: "fp2", + fingerprintJson: "{}", + summary: "p2", + intentSnapshot: "", + goalEmbedding: [], + source: "tacit", + }); + const p2 = consumePendingApproval("s1", "tool-2"); + p2?.source === "tacit" + ? pass("pending preserves tacit source") + : fail(`got ${p2?.source}`); + + // ------------------------------------------------------------------------- + section("Timing window — stale notification not consumable"); + + // Simulate a stale notification by reaching past the window. + // We can't easily fast-forward Date.now in this isolated test, so + // instead assert the constant is exposed correctly so the gating + // is configurable from the test side. + typeof TACIT_NOTIFICATION_WINDOW_MS === "number" && TACIT_NOTIFICATION_WINDOW_MS > 0 + ? pass(`TACIT_NOTIFICATION_WINDOW_MS exposed as ${TACIT_NOTIFICATION_WINDOW_MS}ms`) + : fail("expected positive window constant"); + + // ------------------------------------------------------------------------- + console.log(`\n${PASS} passed, ${FAIL} failed`); + process.exit(FAIL === 0 ? 0 : 1); +} + +main().catch((e) => { + console.error(e); + process.exit(1); +}); diff --git a/package.json b/package.json index 8f5077a10..330660c7d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.413", + "version": "0.1.414", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/approval-store.ts b/src/approval-store.ts index 7ee7db823..d159105c8 100644 --- a/src/approval-store.ts +++ b/src/approval-store.ts @@ -74,6 +74,23 @@ export interface ApprovalRecord { * existed — those rows fall through to the existing fingerprint * match path. */ inputEmbedding: number[]; + /** Phase 9 — how the approval was captured. + * + * "explicit" — user clicked Allow on a Dredd-surfaced "ask" prompt. + * Strong consent. Eligible for the Stage 0.5 hard + * short-circuit (overrides Dredd policy denies). + * "tacit" — user clicked Yes on a Claude Code-native prompt + * while Dredd had already said allow. We infer this + * via Notification-timing correlation (see Phase 9 + * in CLAUDE.md). Weaker consent: contributes to + * the soft signal (judge prompt context) and can + * still drive Stage 1.75 approval-allow, but does + * NOT override Stage 1 policy deny via Stage 0.5. + * + * Optional for backwards compat — legacy rows written before this + * field existed are treated as "explicit" (the only path that + * recorded approvals before Phase 9). */ + source?: "explicit" | "tacit"; /** Set when revoked from the dashboard. Active records have null. */ revokedAt: string | null; @@ -95,6 +112,9 @@ export interface RecordApprovalInput { * Pass [] if the embed call failed; the row is still persisted but * won't contribute to pattern-trust matching. */ inputEmbedding: number[]; + /** Phase 9 — see ApprovalRecord.source. Defaults to "explicit" when + * omitted to keep existing callers working unchanged. */ + source?: "explicit" | "tacit"; } export interface ApprovalStore { @@ -181,6 +201,7 @@ export class InMemoryApprovalStore implements ApprovalStore { intentSnapshot: input.intentSnapshot, goalEmbedding: input.goalEmbedding, inputEmbedding: input.inputEmbedding ?? [], + source: input.source ?? "explicit", revokedAt: null, revokedBy: null, }; diff --git a/src/dynamo-approval-store.ts b/src/dynamo-approval-store.ts index 4ad3b9e3f..e544960ed 100644 --- a/src/dynamo-approval-store.ts +++ b/src/dynamo-approval-store.ts @@ -118,6 +118,10 @@ function itemToRecord(item: Record): ApprovalRecord { intentSnapshot: item.intentSnapshot ?? "", goalEmbedding: Array.isArray(item.goalEmbedding) ? item.goalEmbedding : [], inputEmbedding: Array.isArray(item.inputEmbedding) ? item.inputEmbedding : [], + // Default missing source to "explicit" — only the Dredd-ask-accept + // path recorded approvals before Phase 9, so all legacy rows are + // explicit by construction. + source: item.source === "tacit" ? "tacit" : "explicit", revokedAt: item.revokedAt ?? null, revokedBy: item.revokedBy ?? null, }; @@ -160,11 +164,12 @@ export class DynamoApprovalStore implements ApprovalStore { "summary = :sum, " + "lastUsedAt = :now, expiresAt = :exp, #ttl = :ttl, " + "intentSnapshot = :is, goalEmbedding = :ge, inputEmbedding = :ie, " + + "#src = :src, " + "gsi1pk = :gpk, gsi1sk = :gsk, " + "useCount = if_not_exists(useCount, :zero) + :one, " + "grantedAt = if_not_exists(grantedAt, :now) " + "REMOVE revokedAt, revokedBy", - ExpressionAttributeNames: { "#ttl": "ttl" }, + ExpressionAttributeNames: { "#ttl": "ttl", "#src": "source" }, ExpressionAttributeValues: { ":os": input.scope.ownerSub, ":oe": input.ownerEmail, @@ -179,6 +184,7 @@ export class DynamoApprovalStore implements ApprovalStore { ":is": input.intentSnapshot, ":ge": input.goalEmbedding, ":ie": input.inputEmbedding ?? [], + ":src": input.source ?? "explicit", ":gpk": userGsiPk(input.scope.ownerSub), ":gsk": userGsiSk(grantedAt, input.fingerprintHash), ":zero": 0, @@ -202,6 +208,7 @@ export class DynamoApprovalStore implements ApprovalStore { intentSnapshot: input.intentSnapshot, goalEmbedding: input.goalEmbedding, inputEmbedding: input.inputEmbedding ?? [], + source: input.source ?? "explicit", revokedAt: null, revokedBy: null, }; diff --git a/src/handlers/evaluate.ts b/src/handlers/evaluate.ts index e9ef39ca6..c75b0dc20 100644 --- a/src/handlers/evaluate.ts +++ b/src/handlers/evaluate.ts @@ -565,6 +565,44 @@ async function handleEvaluate(req: IncomingMessage, res: ServerResponse) { permissionDecision: "allow", permissionDecisionReason: `${DREDD_TAG}: ${result.reason}`, }; + + // Phase 9 — tacit-pending stash. Dredd is fine with this call, but + // Claude Code may still surface a native permission prompt because + // it's not in the user's local allowlist. If that prompt fires and + // the user clicks Yes, we want to learn the consent for next time. + // + // Stashing here is cheap: we just hold the fingerprint in memory + // until /track arrives. The actual promotion in /track gates on a + // matching /notification arriving in the window — if no prompt + // fires (Claude Code auto-allowed), the candidate is silently + // dropped without producing an approval record. + // + // Gated to interactive mode + non-pattern-trust stages: in + // autonomous mode Claude Code's native prompt path is rarely the + // friction we're trying to capture, and a pattern-trust-allow has + // already inherited consent from a prior explicit approval. + if ( + mode === "interactive" && + tool_use_id && + result.stage !== "pattern-trust-allow" && + result.stage !== "approval-allow" + ) { + const fp = computeFingerprint(tool_name, tool_input ?? {}); + if (fp) { + const freshest = activeIntents && activeIntents.length > 0 + ? activeIntents[activeIntents.length - 1] + : null; + recordPendingApproval(session_id, tool_use_id, { + tool: tool_name, + fingerprintHash: hashFingerprint(fp), + fingerprintJson: fingerprintJson(fp), + summary: fp.summary, + intentSnapshot: freshest?.prompt ?? "", + goalEmbedding: freshest?.embedding ?? [], + source: "tacit", + }); + } + } } if (isBenchmarkFormat) { diff --git a/src/handlers/notification.ts b/src/handlers/notification.ts index b7518d20e..7a1672d7a 100644 --- a/src/handlers/notification.ts +++ b/src/handlers/notification.ts @@ -31,7 +31,10 @@ export async function handleNotification(req: IncomingMessage, res: ServerRespon if (rejectInvalidSessionId(res, session_id)) return; - const count = recordNotification(session_id); + const count = recordNotification( + session_id, + typeof message === "string" ? message : "", + ); addFeed({ timestamp: new Date().toISOString(), diff --git a/src/handlers/track.ts b/src/handlers/track.ts index b12d3dce0..b84464242 100644 --- a/src/handlers/track.ts +++ b/src/handlers/track.ts @@ -18,6 +18,7 @@ import { json, rejectInvalidSessionId, authenticateHookRequest, + consumeRecentPermissionNotification, CONFIG, } from "../server-core.js"; import { consumePendingApproval } from "../pending-approvals.js"; @@ -70,53 +71,78 @@ export async function handleTrack(req: IncomingMessage, res: ServerResponse) { await tracker.recordEnvVar(session_id, String(tool_input?.command ?? "")); } - // Approval-learning promotion. Only fires when /evaluate stashed a - // pending candidate against this tool_use_id (i.e. Dredd returned - // permissionDecision="ask" and the user accepted — the tool wouldn't - // be running otherwise). Best-effort: any failure logs and continues - // without blocking the tracking response. + // Approval-learning promotion. Two flows funnel into the same record: + // + // explicit — /evaluate returned "ask" and the user accepted; the + // PostToolUse arrival here is itself proof of consent. + // + // tacit (Phase 9) — /evaluate returned "allow" but Claude Code + // surfaced its own permission prompt. We only promote when a + // permission-style /notification arrived for this session in + // the recent window — otherwise we can't tell whether the + // tool was auto-allowed (no consent to capture) or the user + // actively clicked Yes. + // + // Best-effort: any failure logs and continues without blocking the + // tracking response. if (tool_use_id) { const pending = consumePendingApproval(session_id, tool_use_id); if (pending) { - try { - const projectRoot = await tracker.getProjectRoot(session_id); - const { ownerSub, ownerEmail } = await tracker.getSessionOwner(session_id); - if (projectRoot && ownerSub) { - // Phase 8a — embed the (tool, input) JSON so future /evaluate - // calls can find pattern-similar prior approvals. Best-effort: - // an embed failure stores `[]` and the approval still lands - // (just won't contribute to pattern-trust matching). - let inputEmbedding: number[] = []; - try { - const embedText = JSON.stringify({ tool: pending.tool, input: pending.fingerprintJson }); - const vecs = await embedAny(embedText, CONFIG.embeddingModel); - if (vecs?.[0]?.length) inputEmbedding = vecs[0]; - } catch (err) { - console.warn( - ` [${session_id.substring(0, 8)}] [APPRV] inputEmbedding failed (storing []): ${(err as Error)?.message ?? err}`, + const source: "explicit" | "tacit" = pending.source ?? "explicit"; + + // Tacit gating: require a recent permission-style notification. + // If none, the tool was almost certainly auto-allowed by Claude + // Code's user permissions; no consent to record. + let shouldPromote = true; + if (source === "tacit") { + const lastN = consumeRecentPermissionNotification(session_id); + if (!lastN) { + shouldPromote = false; + } + } + + if (shouldPromote) { + try { + const projectRoot = await tracker.getProjectRoot(session_id); + const { ownerSub, ownerEmail } = await tracker.getSessionOwner(session_id); + if (projectRoot && ownerSub) { + // Phase 8a — embed the (tool, input) JSON so future /evaluate + // calls can find pattern-similar prior approvals. Best-effort: + // an embed failure stores `[]` and the approval still lands + // (just won't contribute to pattern-trust matching). + let inputEmbedding: number[] = []; + try { + const embedText = JSON.stringify({ tool: pending.tool, input: pending.fingerprintJson }); + const vecs = await embedAny(embedText, CONFIG.embeddingModel); + if (vecs?.[0]?.length) inputEmbedding = vecs[0]; + } catch (err) { + console.warn( + ` [${session_id.substring(0, 8)}] [APPRV] inputEmbedding failed (storing []): ${(err as Error)?.message ?? err}`, + ); + } + await approvals.recordApproval({ + scope: { ownerSub, projectRoot }, + ownerEmail, + fingerprintHash: pending.fingerprintHash, + fingerprintJson: pending.fingerprintJson, + summary: pending.summary, + tool: pending.tool, + intentSnapshot: pending.intentSnapshot, + goalEmbedding: pending.goalEmbedding, + inputEmbedding, + source, + }); + console.log( + ` [${session_id.substring(0, 8)}] [APPRV] learned (${source}): ${pending.summary}` + + (inputEmbedding.length ? ` (+${inputEmbedding.length}-dim embedding)` : ""), ); } - await approvals.recordApproval({ - scope: { ownerSub, projectRoot }, - ownerEmail, - fingerprintHash: pending.fingerprintHash, - fingerprintJson: pending.fingerprintJson, - summary: pending.summary, - tool: pending.tool, - intentSnapshot: pending.intentSnapshot, - goalEmbedding: pending.goalEmbedding, - inputEmbedding, - }); - console.log( - ` [${session_id.substring(0, 8)}] [APPRV] learned: ${pending.summary}` + - (inputEmbedding.length ? ` (+${inputEmbedding.length}-dim embedding)` : ""), + } catch (err) { + console.warn( + ` [${session_id.substring(0, 8)}] [APPRV] failed to record approval:`, + (err as Error)?.message ?? err, ); } - } catch (err) { - console.warn( - ` [${session_id.substring(0, 8)}] [APPRV] failed to record approval:`, - (err as Error)?.message ?? err, - ); } } } diff --git a/src/pending-approvals.ts b/src/pending-approvals.ts index 3ced772aa..7f5dfa373 100644 --- a/src/pending-approvals.ts +++ b/src/pending-approvals.ts @@ -2,13 +2,22 @@ * Pending approvals — the missing-piece between Dredd asking and the * user deciding. * - * Flow: - * 1. /evaluate returns permissionDecision="ask" → record a pending - * approval candidate keyed by (session_id, tool_use_id). - * 2. Claude Code surfaces the permission prompt to the user. - * 3a. User accepts → tool runs → PostToolUse fires → /track lookups - * the candidate and promotes it to a durable ApprovalStore entry. - * 3b. User denies → no PostToolUse → candidate expires and is dropped. + * Two flows feed the same map: + * + * A. **Explicit** — /evaluate returned permissionDecision="ask". + * Dredd surfaced its own reason in the prompt; the user accepted. + * PostToolUse arrives and we promote with source="explicit". + * + * B. **Tacit** (Phase 9) — /evaluate returned permissionDecision="allow" + * but Claude Code still surfaced a native permission prompt because + * the user's local Claude settings required it (e.g. Bash not in + * their allowlist). We can't see the prompt, but a /notification + * event arrives between /evaluate and /track. When that notification + * looks like a permission ask, we infer the user clicked Yes and + * promote with source="tacit". Tacit approvals are weaker consent: + * they feed the soft pattern-trust signal but cannot override + * Dredd's hard policy denies (Stage 0.5 filters them out of the + * hard short-circuit count). * * This map is in-process / ephemeral on purpose. The 60-second TTL is * the worst-case "time from ask to user decision." Anything longer than @@ -29,6 +38,12 @@ export interface PendingApproval { intentSnapshot: string; /** Goal embedding snapshot for the intent-drift backstop at lookup time. */ goalEmbedding: number[]; + /** Phase 9 — which capture flow stashed this candidate. Drives the + * promotion path in /track: explicit promotes unconditionally, + * tacit promotes only if a permission-style notification arrived + * between /evaluate and /track. Defaults to "explicit" so existing + * callers behave unchanged. */ + source?: "explicit" | "tacit"; /** Epoch ms — entries past this are ignored on consume. */ expiresAt: number; } diff --git a/src/pretool-interceptor.ts b/src/pretool-interceptor.ts index 66bff12bb..6f9429d11 100644 --- a/src/pretool-interceptor.ts +++ b/src/pretool-interceptor.ts @@ -411,8 +411,19 @@ export class PreToolInterceptor { intentAtConsent: m.rec.intentSnapshot, })); - const strongCount = sims.filter((m) => m.sim >= HARD_THRESHOLD).length; - if (patternTrustHard && strongCount >= HARD_MIN_COUNT) { + // Phase 9 — the hard short-circuit counts only EXPLICIT + // prior approvals (user clicked Allow on a Dredd-surfaced + // ask). Tacit approvals (inferred from a Claude Code + // native prompt + matching /notification) feed the soft + // signal above but never override Dredd policy denies. + // Anything missing the source field is legacy data, all + // of which came from the explicit path. + const strongMatches = sims.filter((m) => m.sim >= HARD_THRESHOLD); + const strongCount = strongMatches.length; + const strongExplicitCount = strongMatches.filter( + (m) => (m.rec.source ?? "explicit") === "explicit", + ).length; + if (patternTrustHard && strongExplicitCount >= HARD_MIN_COUNT) { const top = sims[0]; const result: InterceptionResult = { allowed: true, @@ -422,14 +433,14 @@ export class PreToolInterceptor { policyResult: { decision: "allow", tool, - reason: `pattern-trust: ${strongCount} matches ≥ ${HARD_THRESHOLD}`, + reason: `pattern-trust: ${strongExplicitCount} explicit matches ≥ ${HARD_THRESHOLD}`, matchedRule: "pattern-trust", }, similarity: top.sim, judgeVerdict: null, evaluationMs: Date.now() - start, reason: - `pattern-trust: ${strongCount} prior approvals of similar calls ` + + `pattern-trust: ${strongExplicitCount} explicit prior approvals of similar calls ` + `(top: "${top.rec.summary}", sim=${top.sim.toFixed(3)})`, patternTrust: { hard: true, diff --git a/src/server-core.ts b/src/server-core.ts index df0104994..0a0839a73 100644 --- a/src/server-core.ts +++ b/src/server-core.ts @@ -446,9 +446,58 @@ export function addFeed(entry: FeedEntry) { export const notificationCounts: Map = new Map(); -export function recordNotification(sessionId: string): number { +/** Phase 9 — last notification metadata per session. Used to correlate + * a Claude Code-native permission prompt with the subsequent /track + * arrival so we can promote a tacit-pending approval. Ephemeral; the + * 60s pending-approval TTL caps how stale this can become. */ +export interface LastNotification { + /** Epoch ms when /notification fired. */ + receivedAt: number; + /** Raw message text (truncated to 500). Already redacted by Claude Code. */ + message: string; + /** Cached classification — true when the message text looks like a + * permission/approval prompt. Computed once on receipt; consumed by + * /track when deciding whether to promote a tacit-pending. */ + isPermissionPrompt: boolean; +} + +const lastNotificationBySession: Map = new Map(); + +/** How long after a /notification we'll still treat it as the trigger + * for the next /track in tacit-approval promotion. Lines up with the + * 60s pending-approval TTL — the user has at most ~1 minute to click + * Yes before the candidate ages out anyway. */ +export const TACIT_NOTIFICATION_WINDOW_MS = 60_000; + +const PERMISSION_PROMPT_PATTERNS = [ + /\bpermission\b/i, + /\bapprove\b/i, + /\bapproval\b/i, + /\ballow\b/i, + /\bconsent\b/i, + /\bproceed\b/i, + /\bauthoriz/i, +]; + +/** Heuristic — does this notification text look like Claude Code asking + * the user to grant permission for a tool call (as opposed to e.g. + * "waiting for input" status pings)? Lenient: matches on common + * permission/approval keywords. False positives degrade gracefully + * (tacit promotion still requires a matching /track within window). */ +export function isPermissionPromptMessage(message: string): boolean { + if (!message) return false; + return PERMISSION_PROMPT_PATTERNS.some((p) => p.test(message)); +} + +export function recordNotification(sessionId: string, message?: string): number { const next = (notificationCounts.get(sessionId) ?? 0) + 1; notificationCounts.set(sessionId, next); + const msg = typeof message === "string" ? message.substring(0, 500) : ""; + lastNotificationBySession.set(sessionId, { + receivedAt: Date.now(), + message: msg, + isPermissionPrompt: isPermissionPromptMessage(msg), + }); return next; } @@ -456,6 +505,18 @@ export function getNotificationCount(sessionId: string): number { return notificationCounts.get(sessionId) ?? 0; } +/** Returns the most recent /notification for this session iff it + * arrived within `TACIT_NOTIFICATION_WINDOW_MS` AND classified as a + * permission prompt. The tacit-approval promotion path uses this as + * its gating signal — no qualifying notification → don't promote. */ +export function consumeRecentPermissionNotification(sessionId: string): LastNotification | null { + const last = lastNotificationBySession.get(sessionId); + if (!last) return null; + if (Date.now() - last.receivedAt > TACIT_NOTIFICATION_WINDOW_MS) return null; + if (!last.isPermissionPrompt) return null; + return last; +} + // ============================================================================ // Stores // ============================================================================ From 976ceba5505fa4e3c3e031565d25a2165a5d6716 Mon Sep 17 00:00:00 2001 From: Adrian Asher Date: Thu, 21 May 2026 11:54:16 +0100 Subject: [PATCH 2/8] feat(metrics): per-caller Bedrock cost + cache-hit visibility MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sonnet input tokens dominate ~96% of Bedrock spend. Without per-call cache-hit info we can't tell whether the cachePoint marker on the system prompt is actually saving money or whether something is invalidating the cache key every call. bedrock-metrics.ts: in-process accumulator keyed by caller name ("judge", "classifier", "promptarmor", "preflight"). Records every bedrockChat invocation's input/output/cache-read/cache-write tokens and exposes a snapshot with derived hitRate, cachedTokenShare, and estimated USD cost (Sonnet 4.6 EU rates). bedrock-client.ts now takes an optional caller tag and fires the accumulator. The three prod call sites (judge, classifier, preflight) pass their tag. pretool-interceptor.ts judge log line gains token + cache fields: "judge=consistent(1886ms in=3500/cr=1700/cw=0 out=45)" — greppable in CloudWatch for ad-hoc cost outlier hunts. server-hook.ts: GET /api/bedrock-metrics returns the snapshot. CORS matches the existing dashboard origin policy; no auth (no secrets, just aggregate counters). 24 unit tests in test_bedrock_metrics.ts cover arithmetic + derived fields including cache-write pricing at 125% of normal input. Co-Authored-By: Claude Opus 4.7 (1M context) --- hooks/tests/test_bedrock_metrics.ts | 144 ++++++++++++++++++++++ package.json | 2 +- src/bedrock-client.ts | 32 ++++- src/bedrock-metrics.ts | 184 ++++++++++++++++++++++++++++ src/intent-classifier.ts | 2 +- src/intent-judge.ts | 2 +- src/pretool-interceptor.ts | 25 +++- src/server-hook.ts | 10 ++ 8 files changed, 390 insertions(+), 11 deletions(-) create mode 100644 hooks/tests/test_bedrock_metrics.ts create mode 100644 src/bedrock-metrics.ts diff --git a/hooks/tests/test_bedrock_metrics.ts b/hooks/tests/test_bedrock_metrics.ts new file mode 100644 index 000000000..e5171cc9c --- /dev/null +++ b/hooks/tests/test_bedrock_metrics.ts @@ -0,0 +1,144 @@ +/** + * bedrock-metrics — accumulator unit tests. + * + * Validates per-caller stat math and the derived cost / cache-hit rate + * fields without hitting Bedrock. The point of the module is to give + * us operator visibility on real cache-hit rates — these tests just + * make sure the arithmetic stays correct as we add fields. + * + * Run: npx tsx hooks/tests/test_bedrock_metrics.ts + */ + +import { + recordBedrockCall, + getBedrockMetrics, + resetBedrockMetrics, +} from "../../src/bedrock-metrics.js"; + +const c = { green: "\x1b[32m", red: "\x1b[31m", off: "\x1b[0m", dim: "\x1b[2m" }; +let PASS = 0; +let FAIL = 0; +const pass = (m: string) => { console.log(` ${c.green}✓${c.off} ${m}`); PASS++; }; +const fail = (m: string) => { console.log(` ${c.red}✗${c.off} ${m}`); FAIL++; }; +const section = (h: string) => console.log(`\n${c.dim}---${c.off} ${h} ${c.dim}---${c.off}`); + +function approx(a: number, b: number, eps = 1e-6): boolean { + return Math.abs(a - b) < eps; +} + +function main() { + section("Empty state"); + resetBedrockMetrics(); + const empty = getBedrockMetrics(); + empty.totals.calls === 0 ? pass("totals.calls = 0") : fail(`got ${empty.totals.calls}`); + Object.keys(empty.perCaller).length === 0 ? pass("perCaller empty") : fail("expected empty perCaller"); + + section("Single call — no cache"); + resetBedrockMetrics(); + recordBedrockCall("judge", { inputTokens: 4000, outputTokens: 50, durationMs: 1800 }); + const s1 = getBedrockMetrics(); + s1.perCaller.judge.calls === 1 ? pass("judge calls = 1") : fail(`got ${s1.perCaller.judge.calls}`); + s1.perCaller.judge.cacheHits === 0 ? pass("cacheHits = 0 on no-cache call") : fail("unexpected hits"); + s1.perCaller.judge.totalInputTokens === 4000 ? pass("input tokens summed") : fail("input mismatch"); + approx(s1.perCaller.judge.cacheHitRate, 0) ? pass("hitRate = 0") : fail(`got ${s1.perCaller.judge.cacheHitRate}`); + approx(s1.perCaller.judge.cachedTokenShare, 0) ? pass("cachedTokenShare = 0") : fail("unexpected share"); + + // Cost = 4000 input × $3.30/M + 50 output × $16.50/M + // = 0.0132 + 0.000825 = 0.014025 + const expected1 = (4000 / 1e6) * 3.30 + (50 / 1e6) * 16.50; + approx(s1.perCaller.judge.estimatedCostUsd, expected1, 1e-6) + ? pass(`cost ${s1.perCaller.judge.estimatedCostUsd.toFixed(6)} matches uncached calc`) + : fail(`got ${s1.perCaller.judge.estimatedCostUsd} expected ${expected1}`); + + section("Cache hit — discount applied"); + resetBedrockMetrics(); + recordBedrockCall("judge", { + inputTokens: 4000, + outputTokens: 50, + cacheReadInputTokens: 3500, // 87.5% cached + durationMs: 1800, + }); + const s2 = getBedrockMetrics(); + s2.perCaller.judge.cacheHits === 1 ? pass("cache hit counted") : fail(`got ${s2.perCaller.judge.cacheHits}`); + approx(s2.perCaller.judge.cacheHitRate, 1) ? pass("hitRate = 1.0") : fail("hitRate wrong"); + approx(s2.perCaller.judge.cachedTokenShare, 3500 / 4000) + ? pass(`cachedTokenShare = ${s2.perCaller.judge.cachedTokenShare.toFixed(3)}`) + : fail(`got ${s2.perCaller.judge.cachedTokenShare}`); + + // Cost = (4000 - 3500) × $3.30/M + 3500 × $0.33/M + 50 × $16.50/M + // = 500 × 0.0000033 + 3500 × 0.00000033 + 50 × 0.0000165 + // = 0.00165 + 0.001155 + 0.000825 = 0.00363 + const expected2 = + ((4000 - 3500) / 1e6) * 3.30 + + (3500 / 1e6) * 0.33 + + (50 / 1e6) * 16.50; + approx(s2.perCaller.judge.estimatedCostUsd, expected2, 1e-6) + ? pass(`cost ${s2.perCaller.judge.estimatedCostUsd.toFixed(6)} matches cached calc`) + : fail(`got ${s2.perCaller.judge.estimatedCostUsd} expected ${expected2}`); + + // Cache should make this dramatically cheaper than the uncached case. + s2.perCaller.judge.estimatedCostUsd < expected1 * 0.5 + ? pass("cached cost < 50% of uncached") + : fail(`cached cost ${s2.perCaller.judge.estimatedCostUsd} not much lower than uncached ${expected1}`); + + section("Cache write — first call in window"); + resetBedrockMetrics(); + recordBedrockCall("judge", { + inputTokens: 4000, + outputTokens: 50, + cacheWriteInputTokens: 1760, + durationMs: 1800, + }); + const s3 = getBedrockMetrics(); + s3.perCaller.judge.cacheWrites === 1 ? pass("cache write counted") : fail("expected write"); + // 1760 × $4.125/M for the write, rest at normal input + const expected3 = + ((4000 - 1760) / 1e6) * 3.30 + + (1760 / 1e6) * 4.125 + + (50 / 1e6) * 16.50; + approx(s3.perCaller.judge.estimatedCostUsd, expected3, 1e-6) + ? pass(`cache-write cost ${s3.perCaller.judge.estimatedCostUsd.toFixed(6)} matches`) + : fail(`got ${s3.perCaller.judge.estimatedCostUsd} expected ${expected3}`); + + section("Multiple callers — totals roll up"); + resetBedrockMetrics(); + recordBedrockCall("judge", { inputTokens: 4000, outputTokens: 50, cacheReadInputTokens: 3500 }); + recordBedrockCall("judge", { inputTokens: 4200, outputTokens: 55, cacheReadInputTokens: 3500 }); + recordBedrockCall("classifier", { inputTokens: 1900, outputTokens: 80, cacheWriteInputTokens: 1200 }); + const s4 = getBedrockMetrics(); + s4.totals.calls === 3 ? pass("totals.calls = 3") : fail(`got ${s4.totals.calls}`); + s4.perCaller.judge.calls === 2 ? pass("judge calls = 2") : fail("judge count"); + s4.perCaller.classifier.calls === 1 ? pass("classifier calls = 1") : fail("classifier count"); + s4.totals.totalInputTokens === (4000 + 4200 + 1900) + ? pass("totals.totalInputTokens summed") + : fail(`got ${s4.totals.totalInputTokens}`); + approx(s4.perCaller.judge.cacheHitRate, 1) + ? pass("judge hitRate = 1") + : fail("judge hitRate"); + approx(s4.perCaller.classifier.cacheHitRate, 0) + ? pass("classifier hitRate = 0 (write, not read)") + : fail("classifier hitRate"); + + section("Unknown caller folds into 'unknown'"); + resetBedrockMetrics(); + recordBedrockCall("", { inputTokens: 100 }); + recordBedrockCall("unknown", { inputTokens: 200 }); + const s5 = getBedrockMetrics(); + s5.perCaller.unknown?.calls === 2 + ? pass("empty caller folded into 'unknown'") + : fail(`unknown calls = ${s5.perCaller.unknown?.calls}`); + + section("Snapshot includes uptime + timestamp"); + const s6 = getBedrockMetrics(); + typeof s6.snapshotAt === "string" && s6.snapshotAt.length > 0 + ? pass(`snapshotAt = ${s6.snapshotAt}`) + : fail("snapshotAt missing"); + typeof s6.processUptimeSec === "number" && s6.processUptimeSec >= 0 + ? pass(`processUptimeSec = ${s6.processUptimeSec}`) + : fail("uptime missing"); + + console.log(`\n ${PASS} passed, ${FAIL} failed`); + process.exit(FAIL === 0 ? 0 : 1); +} + +main(); diff --git a/package.json b/package.json index 330660c7d..c87796a7d 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.414", + "version": "0.1.415", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/bedrock-client.ts b/src/bedrock-client.ts index ecba0806d..4d10b0f2d 100644 --- a/src/bedrock-client.ts +++ b/src/bedrock-client.ts @@ -18,6 +18,7 @@ import { ConverseCommand, InvokeModelCommand, } from "@aws-sdk/client-bedrock-runtime"; +import { recordBedrockCall } from "./bedrock-metrics.js"; const REGION = process.env.BEDROCK_REGION ?? process.env.AWS_REGION ?? "eu-central-1"; const MODEL_ID = process.env.BEDROCK_JUDGE_MODEL ?? "nvidia.nemotron-super-3-120b"; @@ -44,12 +45,19 @@ function clientFor(region: string): BedrockRuntimeClient { return c; } +/** Optional tag identifying which call site is invoking Bedrock. Used + * by `bedrock-metrics.ts` to attribute per-caller cost and cache + * performance. Unknown values fall through to "unknown" so a forgotten + * call site still shows up in the snapshot. */ +export type BedrockCaller = "judge" | "classifier" | "promptarmor" | "preflight" | "unknown"; + export async function bedrockChat( systemPrompt: string, userMessage: string, modelId = MODEL_ID, effort?: EffortLevel, - images?: BedrockImageBlock[] + images?: BedrockImageBlock[], + caller: BedrockCaller = "unknown", ): Promise<{ content: string; thinking: string; @@ -152,15 +160,31 @@ export async function bedrockChat( const inputTokens = usage.inputTokens ?? 0; const outputTokens = usage.outputTokens ?? 0; const hasThinkingBlock = blocks.some((c) => c.reasoningContent !== undefined); + const durationMs = Date.now() - start; + const cacheReadInputTokens = usage.cacheReadInputTokens ?? undefined; + const cacheWriteInputTokens = usage.cacheWriteInputTokens ?? undefined; + + // Cost accounting. Fire-and-forget — accumulator is in-process and + // never throws. Failure here must not break the judge / classifier. + try { + recordBedrockCall(caller, { + inputTokens, + outputTokens, + cacheReadInputTokens, + cacheWriteInputTokens, + durationMs, + }); + } catch { /* metrics never fail the request */ } + return { content, thinking, - durationMs: Date.now() - start, + durationMs, inputTokens, outputTokens, totalTokens: usage.totalTokens ?? (inputTokens + outputTokens), - cacheReadInputTokens: usage.cacheReadInputTokens ?? undefined, - cacheWriteInputTokens: usage.cacheWriteInputTokens ?? undefined, + cacheReadInputTokens, + cacheWriteInputTokens, hasThinkingBlock, estimatedThinkingTokens: thinking ? Math.ceil(thinking.length / 4) : 0, }; diff --git a/src/bedrock-metrics.ts b/src/bedrock-metrics.ts new file mode 100644 index 000000000..aa78072fb --- /dev/null +++ b/src/bedrock-metrics.ts @@ -0,0 +1,184 @@ +/** + * Bedrock cost-visibility metrics. + * + * The judge and the intent classifier are our two Sonnet 4.6 callers. + * Each call costs $3.30/M input tokens uncached, $0.33/M when read + * from the 5-minute prompt cache. Without per-call cache-hit info we + * can't tell whether the cachePoint marker in `bedrock-client.ts` is + * actually saving money or whether something is invalidating the cache + * key every call. + * + * This module is a tiny in-process accumulator: every `bedrockChat` + * call records its tokens here keyed by caller name. The hook server + * exposes the snapshot at `GET /api/bedrock-metrics`. + * + * In-process only — restarts reset the counters. That's fine for + * cost-visibility: we want to see a recent few hours and compare against + * the AWS Bedrock CloudWatch metrics (which lag ~3h). Container + * restarts are infrequent enough that we'll catch enough samples in + * any working window. + * + * Not exported to Dynamo. If we ever need durable accounting we can + * stamp these into session META instead. + */ + +export interface BedrockCallStats { + /** Total invocations recorded for this caller. */ + calls: number; + /** Number of calls where cacheReadInputTokens > 0 (cache hit). */ + cacheHits: number; + /** Number of calls where cacheWriteInputTokens > 0 (cold write). */ + cacheWrites: number; + /** Sum of `inputTokens` across all calls. Includes the cache-read + * portion (Bedrock reports input as the full prompt size). */ + totalInputTokens: number; + /** Sum of cached input portion (billed at ~10% of normal). */ + totalCacheReadTokens: number; + /** Sum of cache-write portion (billed at ~125% of normal). */ + totalCacheWriteTokens: number; + /** Sum of output tokens. */ + totalOutputTokens: number; + /** Total time spent in Bedrock for this caller (ms). */ + totalDurationMs: number; + /** First and last call timestamps (ISO). */ + firstCallAt: string | null; + lastCallAt: string | null; +} + +function emptyStats(): BedrockCallStats { + return { + calls: 0, + cacheHits: 0, + cacheWrites: 0, + totalInputTokens: 0, + totalCacheReadTokens: 0, + totalCacheWriteTokens: 0, + totalOutputTokens: 0, + totalDurationMs: 0, + firstCallAt: null, + lastCallAt: null, + }; +} + +const stats = new Map(); + +export interface BedrockCallRecord { + inputTokens?: number; + outputTokens?: number; + cacheReadInputTokens?: number; + cacheWriteInputTokens?: number; + durationMs?: number; +} + +/** Record one bedrockChat invocation. Caller names should be short and + * stable — "judge", "classifier", "promptarmor", "preflight". Unknown + * callers fold into "unknown" so a forgotten call site is still + * visible in the metrics. */ +export function recordBedrockCall(caller: string, r: BedrockCallRecord): void { + const key = caller || "unknown"; + const s = stats.get(key) ?? emptyStats(); + const now = new Date().toISOString(); + s.calls += 1; + const cr = r.cacheReadInputTokens ?? 0; + const cw = r.cacheWriteInputTokens ?? 0; + if (cr > 0) s.cacheHits += 1; + if (cw > 0) s.cacheWrites += 1; + s.totalInputTokens += r.inputTokens ?? 0; + s.totalCacheReadTokens += cr; + s.totalCacheWriteTokens += cw; + s.totalOutputTokens += r.outputTokens ?? 0; + s.totalDurationMs += r.durationMs ?? 0; + if (!s.firstCallAt) s.firstCallAt = now; + s.lastCallAt = now; + stats.set(key, s); +} + +export interface BedrockMetricsSnapshot { + /** When this snapshot was generated. */ + snapshotAt: string; + /** Process uptime in seconds — useful for back-of-envelope rate calcs. */ + processUptimeSec: number; + /** Per-caller stats. */ + perCaller: Record; + /** Total across all callers — handy for a single Slack/console line. */ + totals: BedrockCallStats & { + cacheHitRate: number; + cachedTokenShare: number; + avgInputTokens: number; + estimatedCostUsd: number; + }; +} + +// Sonnet 4.6 EU (eu.anthropic.claude-sonnet-4-6) — published rates in +// USD per 1M tokens. Cache-read is 10% of normal input; cache-write +// is 125% of normal input. Output is unaffected by cache. +const PRICE_INPUT_PER_M = 3.30; +const PRICE_CACHE_READ_PER_M = 0.33; +const PRICE_CACHE_WRITE_PER_M = 4.125; +const PRICE_OUTPUT_PER_M = 16.50; + +function deriveExtras(s: BedrockCallStats) { + const cacheHitRate = s.calls > 0 ? s.cacheHits / s.calls : 0; + const cachedTokenShare = + s.totalInputTokens > 0 ? s.totalCacheReadTokens / s.totalInputTokens : 0; + const avgInputTokens = s.calls > 0 ? s.totalInputTokens / s.calls : 0; + // Cost: the cached-read portion is already included in inputTokens + // (Bedrock reports the full prompt size as input). Bill the cached + // fraction at the discount rate and the rest at normal input rate. + const cacheReadCost = (s.totalCacheReadTokens / 1_000_000) * PRICE_CACHE_READ_PER_M; + const cacheWriteCost = (s.totalCacheWriteTokens / 1_000_000) * PRICE_CACHE_WRITE_PER_M; + const uncachedInputTokens = Math.max( + 0, + s.totalInputTokens - s.totalCacheReadTokens - s.totalCacheWriteTokens, + ); + const uncachedInputCost = (uncachedInputTokens / 1_000_000) * PRICE_INPUT_PER_M; + const outputCost = (s.totalOutputTokens / 1_000_000) * PRICE_OUTPUT_PER_M; + const estimatedCostUsd = cacheReadCost + cacheWriteCost + uncachedInputCost + outputCost; + return { cacheHitRate, cachedTokenShare, avgInputTokens, estimatedCostUsd }; +} + +export function getBedrockMetrics(): BedrockMetricsSnapshot { + const perCaller: BedrockMetricsSnapshot["perCaller"] = {}; + const totals = emptyStats(); + for (const [name, s] of stats) { + perCaller[name] = { ...s, ...deriveExtras(s) }; + totals.calls += s.calls; + totals.cacheHits += s.cacheHits; + totals.cacheWrites += s.cacheWrites; + totals.totalInputTokens += s.totalInputTokens; + totals.totalCacheReadTokens += s.totalCacheReadTokens; + totals.totalCacheWriteTokens += s.totalCacheWriteTokens; + totals.totalOutputTokens += s.totalOutputTokens; + totals.totalDurationMs += s.totalDurationMs; + if (!totals.firstCallAt || (s.firstCallAt && s.firstCallAt < totals.firstCallAt)) { + totals.firstCallAt = s.firstCallAt; + } + if (!totals.lastCallAt || (s.lastCallAt && s.lastCallAt > totals.lastCallAt)) { + totals.lastCallAt = s.lastCallAt; + } + } + return { + snapshotAt: new Date().toISOString(), + processUptimeSec: Math.round(process.uptime()), + perCaller, + totals: { ...totals, ...deriveExtras(totals) }, + }; +} + +/** Test/diagnostic helper. */ +export function resetBedrockMetrics(): void { + stats.clear(); +} diff --git a/src/intent-classifier.ts b/src/intent-classifier.ts index d1dc9e709..61d4dcc58 100644 --- a/src/intent-classifier.ts +++ b/src/intent-classifier.ts @@ -223,7 +223,7 @@ export class IntentClassifier { try { const result = await Promise.race([ this.backend === "bedrock" - ? bedrockChat(SYSTEM_PROMPT, userMessage, this.model) + ? bedrockChat(SYSTEM_PROMPT, userMessage, this.model, undefined, undefined, "classifier") : chat( [ { role: "system", content: SYSTEM_PROMPT }, diff --git a/src/intent-judge.ts b/src/intent-judge.ts index be148abef..01005e4e6 100644 --- a/src/intent-judge.ts +++ b/src/intent-judge.ts @@ -562,7 +562,7 @@ ${lines} data: img.data, mediaType: img.mediaType, })); - const response = await bedrockChat(systemPrompt, userPrompt, this.chatModel, this.effort, bedrockImages); + const response = await bedrockChat(systemPrompt, userPrompt, this.chatModel, this.effort, bedrockImages, "judge"); content = response.content; thinking = response.thinking || undefined; durationMs = response.durationMs; diff --git a/src/pretool-interceptor.ts b/src/pretool-interceptor.ts index 6f9429d11..d0b34eb15 100644 --- a/src/pretool-interceptor.ts +++ b/src/pretool-interceptor.ts @@ -235,7 +235,7 @@ export class PreToolInterceptor { const judgeStart = Date.now(); try { if (this.config.judgeBackend === "bedrock") { - const r = await bedrockChat("You are a test.", "Reply with the single word: ok", this.config.judgeModel); + const r = await bedrockChat("You are a test.", "Reply with the single word: ok", this.config.judgeModel, undefined, undefined, "preflight"); if (!r.content) throw new Error("empty response"); } else { const r = await chat( @@ -791,9 +791,26 @@ export class PreToolInterceptor { const simStr = result.similarity !== null ? ` sim=${result.similarity.toFixed(3)}` : ""; - const judgeStr = result.judgeVerdict - ? ` judge=${result.judgeVerdict.verdict}(${result.judgeVerdict.durationMs}ms)` - : ""; + // Judge log includes token + cache info so we can grep CloudWatch + // for cost outliers without dumping the full metrics snapshot. + // Format: `judge=consistent(1886ms in=3500/cr=1700/cw=0 out=45)` + // cr = cacheReadInputTokens (billed at 10% of input) + // cw = cacheWriteInputTokens (billed at 125%; happens on first + // call of a 5-min cache window) + // A missing cr field means cache miss; a missing cw means we did + // not write either (cache disabled or below the 1024-token minimum). + let judgeStr = ""; + if (result.judgeVerdict) { + const j = result.judgeVerdict; + const tokens = + j.inputTokens !== undefined + ? ` in=${j.inputTokens}` + + `/cr=${j.cacheReadInputTokens ?? 0}` + + `/cw=${j.cacheWriteInputTokens ?? 0}` + + ` out=${j.outputTokens ?? 0}` + : ""; + judgeStr = ` judge=${j.verdict}(${j.durationMs}ms${tokens})`; + } const sessionStr = ` [${sessionId.substring(0, 8)}]`; const userPermStr = result.userPermissionMatch ? ` userPerm=${result.userPermissionMatch.kind}(${result.userPermissionMatch.rule})` diff --git a/src/server-hook.ts b/src/server-hook.ts index 7c237c8e7..310e43a76 100644 --- a/src/server-hook.ts +++ b/src/server-hook.ts @@ -347,6 +347,16 @@ document.getElementById('mode-select').dataset.current = ${JSON.stringify(CONFIG }); } + // /api/bedrock-metrics — in-process cost & cache-hit visibility. + // Read-only, no auth (no secrets surfaced; just aggregate counters). + // Cross-origin from the dashboard so the dashboard can poll it. + if (url.pathname === "/api/bedrock-metrics") { + if (applyCors(req, res)) return; + if (req.method !== "GET") return json(res, 405, { error: "Method not allowed" }); + const { getBedrockMetrics } = await import("./bedrock-metrics.js"); + return json(res, 200, getBedrockMetrics()); + } + // /api/whoami — OIDC discovery. No auth; read-only. if (req.method === "GET" && url.pathname === "/api/whoami") { const oidcData = req.headers["x-amzn-oidc-data"] as string | undefined; From 3d086056958e5d2d87e65ea21427c79d187aa37b Mon Sep 17 00:00:00 2001 From: Adrian Asher Date: Thu, 21 May 2026 12:03:17 +0100 Subject: [PATCH 3/8] fix(metrics): gate /api/bedrock-metrics behind admin API key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The endpoint is non-sensitive in isolation but it reveals call rates, token volumes, and cost — operational observability that belongs behind the same admin gate as the logs endpoint. Without auth, anyone who guesses the path could scrape it. Auth flow: authenticateHookRequest (Bearer API key) → isAdminEmail (ADMIN_EMAILS in clerk-auth). Non-admin keys get 403; missing/invalid land on 401. Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 2 +- src/server-hook.ts | 20 +++++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/package.json b/package.json index c87796a7d..44a4f9a19 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.415", + "version": "0.1.416", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/server-hook.ts b/src/server-hook.ts index 310e43a76..40482e9d5 100644 --- a/src/server-hook.ts +++ b/src/server-hook.ts @@ -31,9 +31,10 @@ import { rejectInvalidSessionId, flushLogs, AUTH_MODE, + authenticateHookRequest, type TrustMode, } from "./server-core.js"; -import { CLERK_PUBLISHABLE_KEY } from "./clerk-auth.js"; +import { CLERK_PUBLISHABLE_KEY, isAdminEmail } from "./clerk-auth.js"; import { INTENT_HISTORY_MODE, INTENT_CLASSIFIER_LLM_ENABLED, @@ -348,11 +349,24 @@ document.getElementById('mode-select').dataset.current = ${JSON.stringify(CONFIG } // /api/bedrock-metrics — in-process cost & cache-hit visibility. - // Read-only, no auth (no secrets surfaced; just aggregate counters). - // Cross-origin from the dashboard so the dashboard can poll it. + // Read-only, admin-only. The data is non-sensitive in isolation + // (aggregate counters, no secrets, no per-session info) but it + // does reveal call rates, token volumes, and cost — operational + // observability that belongs behind the same admin gate as logs. + // + // Auth: Bearer API key, then admin-email check via Clerk-config + // ADMIN_EMAILS. Cross-origin from the dashboard browser still + // works because applyCors echoes Authorization. Non-admin keys + // get a 403; missing/invalid keys land on 401 from + // authenticateHookRequest. if (url.pathname === "/api/bedrock-metrics") { if (applyCors(req, res)) return; if (req.method !== "GET") return json(res, 405, { error: "Method not allowed" }); + const identity = await authenticateHookRequest(req, res); + if (!identity) return; // 401 already sent + if (!isAdminEmail(identity.ownerEmail)) { + return json(res, 403, { error: "Admin only" }); + } const { getBedrockMetrics } = await import("./bedrock-metrics.js"); return json(res, 200, getBedrockMetrics()); } From bfc79c86970dfd9a08e35bc00aae496c227b8a84 Mon Sep 17 00:00:00 2001 From: Adrian Asher Date: Thu, 21 May 2026 12:14:37 +0100 Subject: [PATCH 4/8] perf(judge): move dynamic priorApprovalsBlock out of system prompt MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Live /api/bedrock-metrics from prod showed 0% cache-hit rate on the judge after the first 3 calls. The cachePoint marker keys the cache on the exact system-prompt prefix; any per-call variation invalidates it. The only dynamic component was the Phase 8b priorApprovalsBlock (empty when no matches, populated with summaries / similarities / dates when matches fire — so the cache key flips on every transition). Fix: system prompt is now (UNTRUSTED_DIRECTIVE + baseSystemPrompt), bit-identical across calls. The priorApprovalsBlock moves to the head of the user content with a `server_trusted="true"` attribute so the judge still recognises it as authoritative context rather than adversarial agent / tool-output text covered by UNTRUSTED_DIRECTIVE. Expected effect once deployed: judge avgInputTokens stays the same but cachedTokenShare climbs into the 0.4-0.6 range (system block is ~1700 tokens of the typical ~3500-4000 input), giving us roughly 40-50% input-cost savings on steady-state judge traffic. Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 2 +- src/intent-judge.ts | 36 +++++++++++++++++++++++++++++------- 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/package.json b/package.json index 44a4f9a19..accbec072 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.416", + "version": "0.1.417", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/intent-judge.ts b/src/intent-judge.ts index 01005e4e6..e2e196465 100644 --- a/src/intent-judge.ts +++ b/src/intent-judge.ts @@ -534,12 +534,22 @@ this system prompt. `; // Phase 8b — when the interceptor found prior approvals similar - // to the current call, surface them here as evidence of vetted - // intent. The block is trusted (server-controlled), so the + // to the current call, surface them as evidence of vetted intent. + // The block is trusted (server-controlled), so the // UNTRUSTED_DIRECTIVE above doesn't bracket it. We frame it as // "lean toward consistent for actions matching this pattern" but // explicitly leave room for the judge to override if the new // call is structurally different. + // + // Cache-discipline: this block is the ONLY dynamic component of + // the previous system prompt. Bedrock's `cachePoint` marker keys + // the cache on the exact prefix, so a per-call-varying block in + // the system prompt invalidates the cache on every call. We + // observed 0% cache hits on the hook role with the block in + // system position. Moving it to the head of the user content + // keeps the (UNTRUSTED_DIRECTIVE + baseSystemPrompt) prefix + // bit-identical across calls, which is what the cachePoint + // marker downstream actually needs to land. let priorApprovalsBlock = ""; if (priorApprovals && priorApprovals.length > 0) { const lines = priorApprovals.map((p, i) => { @@ -547,22 +557,34 @@ this system prompt. return `${i + 1}. "${p.summary}" — similarity ${p.similarity.toFixed(2)}, granted ${date}, intent at consent: "${p.intentAtConsent}"`; }).join("\n"); priorApprovalsBlock = -` -The user has previously and explicitly consented to similar tool calls in this same project. Treat these as evidence that the current action fits a pattern the user has already vetted. Lean toward "consistent" when the current action structurally matches them; lean toward your normal judgement when it materially differs (different target, broader blast radius, novel side effect). +` +The user has previously and explicitly consented to similar tool calls in this same project. This block is supplied by the Dredd server, not by the agent or any tool output, and is the only block in this user message that is server-trusted. Treat these as evidence that the current action fits a pattern the user has already vetted. Lean toward "consistent" when the current action structurally matches them; lean toward your normal judgement when it materially differs (different target, broader blast radius, novel side effect). ${lines} `; } - const systemPrompt = UNTRUSTED_DIRECTIVE + priorApprovalsBlock + baseSystemPrompt; + // System prompt stays static across calls — UNTRUSTED_DIRECTIVE + // and baseSystemPrompt are both compile-time constants. With the + // dynamic priorApprovalsBlock moved out (above), Bedrock's + // cachePoint marker downstream now keys against a stable prefix + // and prompt-cache reads should actually hit. + const systemPrompt = UNTRUSTED_DIRECTIVE + baseSystemPrompt; + + // priorApprovalsBlock prepended here so the system prompt stays + // cacheable. The block is empty unless Phase 8b found matches; + // when present, its `server_trusted="true"` attribute signals to + // the judge that it's authoritative server context, not agent / + // tool-output content that the UNTRUSTED_DIRECTIVE applies to. + const finalUserPrompt = priorApprovalsBlock + userPrompt; if (this.backend === "bedrock") { const bedrockImages: BedrockImageBlock[] | undefined = images?.map((img) => ({ data: img.data, mediaType: img.mediaType, })); - const response = await bedrockChat(systemPrompt, userPrompt, this.chatModel, this.effort, bedrockImages, "judge"); + const response = await bedrockChat(systemPrompt, finalUserPrompt, this.chatModel, this.effort, bedrockImages, "judge"); content = response.content; thinking = response.thinking || undefined; durationMs = response.durationMs; @@ -575,7 +597,7 @@ ${lines} const ollamaImages = images?.map((img) => img.data); const messages: ChatMessage[] = [ { role: "system", content: systemPrompt }, - { role: "user", content: userPrompt, images: ollamaImages?.length ? ollamaImages : undefined }, + { role: "user", content: finalUserPrompt, images: ollamaImages?.length ? ollamaImages : undefined }, ]; const response = await chat(messages, this.chatModel); content = response.content; From 50405f81497960ebfd7ca7bc0c2fc78fca0c2474 Mon Sep 17 00:00:00 2001 From: Adrian Asher Date: Thu, 21 May 2026 12:45:27 +0100 Subject: [PATCH 5/8] chore(metrics): log first 10 Bedrock calls per process for cache diagnostic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Live /api/bedrock-metrics after the 0.1.417 rollout shows 0 cache writes and 0 cache reads even on the first call after a container restart — the first call SHOULD always write the cache. Static system prompt is ~6740 chars / ~1700 tokens (B7.1), comfortably above Sonnet 4.6's 1024-token cache minimum, so the prefix length isn't the issue. Diagnostic: log model ID, system prompt char count, inputTokens, outputTokens, cacheRead/cacheWrite (or "n/a" if missing), and the list of keys present on the usage object for the first 10 calls per process. Lets us see whether Bedrock is returning the cache fields at all on the cross-region inference profile (eu.anthropic.claude-sonnet-4-6). Capped at 10 calls per process so CloudWatch doesn't get spammed once we know what's going on. Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 2 +- src/bedrock-client.ts | 30 ++++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index accbec072..9d9b586c1 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.417", + "version": "0.1.418", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/bedrock-client.ts b/src/bedrock-client.ts index 4d10b0f2d..36d9f8f36 100644 --- a/src/bedrock-client.ts +++ b/src/bedrock-client.ts @@ -23,6 +23,14 @@ import { recordBedrockCall } from "./bedrock-metrics.js"; const REGION = process.env.BEDROCK_REGION ?? process.env.AWS_REGION ?? "eu-central-1"; const MODEL_ID = process.env.BEDROCK_JUDGE_MODEL ?? "nvidia.nemotron-super-3-120b"; +// One-shot cache diagnostic counter. Logs the cache-engagement state +// for the first N bedrockChat calls of a process so we can diagnose +// whether prompt caching is actually firing without redeploying. Kept +// small to avoid spamming CloudWatch — after the threshold normal log +// lines (via pretool-interceptor judge line) carry the same info. +const CACHE_DIAGNOSTIC_LIMIT = 10; +let firstCacheCallsLogged = 0; + type EffortLevel = "low" | "medium" | "high" | "xhigh" | "max" | "none"; export interface BedrockImageBlock { @@ -164,6 +172,28 @@ export async function bedrockChat( const cacheReadInputTokens = usage.cacheReadInputTokens ?? undefined; const cacheWriteInputTokens = usage.cacheWriteInputTokens ?? undefined; + // Cache-engagement diagnostic. The cachePoint marker above SHOULD + // cause Bedrock to return non-zero cacheRead or cacheWrite once the + // 1024-token minimum is met. If we see neither after several judge + // calls, that's a signal the cache isn't engaging — either the + // system prompt is below the per-model minimum, the cross-region + // inference profile doesn't honor the marker, or the model ID we + // passed isn't in the cache-supported list. Log the first few calls + // per process so we can diagnose without redeploying. + try { + if (firstCacheCallsLogged < CACHE_DIAGNOSTIC_LIMIT) { + firstCacheCallsLogged++; + console.log( + `[bedrock-cache] caller=${caller} model=${modelId} ` + + `systemChars=${systemPrompt.length} ` + + `inputTokens=${inputTokens} outputTokens=${outputTokens} ` + + `cacheRead=${cacheReadInputTokens ?? "n/a"} ` + + `cacheWrite=${cacheWriteInputTokens ?? "n/a"} ` + + `usageKeys=[${Object.keys(usage).join(",")}]`, + ); + } + } catch { /* diagnostic must not fail the request */ } + // Cost accounting. Fire-and-forget — accumulator is in-process and // never throws. Failure here must not break the judge / classifier. try { From a0ce07f4cf29ceb8c8e7ccfe1ad4eb59e3917537 Mon Sep 17 00:00:00 2001 From: Adrian Asher Date: Thu, 21 May 2026 13:07:57 +0100 Subject: [PATCH 6/8] docs: note Sonnet 4.6 prompt-cache threshold empirically ~2048 tokens MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Direct boto3 probe of eu.anthropic.claude-sonnet-4-6 shows the cache point engages around 2048 tokens, not the 1024 documented in AWS's prompt-caching table: 1,619 tokens — 0 cache writes 1,994 tokens — 0 cache writes 2,108 tokens — 2,096 written, 2,096 read on the next call Our B7.1 system prompt is ~1,766 tokens — under the real threshold — so the cachePoint marker is a silent no-op today. Single-user prod traffic isn't material; deferred until we scale. Documents the finding in CLAUDE.md "Cost & cache-engagement notes" with the break-even math (300-token static padding pays for itself in <1 cache hit per 5-min window) and leaves a pointer in bedrock-client.ts so the next person touching prompt caching sees the constraint inline. Co-Authored-By: Claude Opus 4.7 (1M context) --- CLAUDE.md | 14 ++++++++++++++ package.json | 2 +- src/bedrock-client.ts | 25 +++++++++++++------------ 3 files changed, 28 insertions(+), 13 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 68b514d14..152d42523 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -315,6 +315,20 @@ The catastrophic case (session-locked after N consecutive hijack verdicts) hard- Configurable in tracker: `<0.2` on-task, `0.2–0.3` scope-creep (inject reminder), `0.3–0.5` drifting (escalate to judge), `>0.5` hijacked (block). +## Cost & cache-engagement notes + +`GET /api/bedrock-metrics` (admin-only Bearer API key) returns in-process per-caller stats: calls, cacheHits, cachedTokenShare, avgInputTokens, estimatedCostUsd. The judge log line in `pretool-interceptor.ts` also carries `in=N/cr=N/cw=N out=N` per call for ad-hoc CloudWatch greps. + +**Known issue (2026-05-21, deferred — apply when scaling): prompt cache silently disabled on `eu.anthropic.claude-sonnet-4-6`.** The AWS docs say Sonnet 4.6's minimum cacheable prefix is 1,024 tokens. Empirically on the EU cross-region inference profile the cutoff is closer to **~2,048 tokens**. Our B7.1 system prompt is ~1,766 tokens — under the real threshold — so Bedrock silently skips the cache point and the entire system prompt is billed as uncached input on every call. Confirmed via direct boto3 test: 1,994-token prefix → 0 cache writes; 2,108-token prefix → 2,096 written then read on the next call. + +When we scale beyond a single user it'll be worth fixing. The cheapest fix is to add ~300 tokens of static "operating notes / reference examples" at the END of the B7.1 system prompt (`intent-judge.ts` HARDENED_V2_SYSTEM_PROMPT). Padding must be byte-identical across calls to keep the cache key stable. Cost math on the deferred fix: + +- One-time write per 5-minute window: 300 padding tokens × $4.125/M = $0.0012 +- Savings per cache read: ~2,200 cached tokens × ($3.30 − $0.33)/M = $0.0065 +- Break-even at <1 cache hit per write window; with the current judge rate the cache discount drops Sonnet input cost by roughly 40–50% on steady-state traffic. + +If we ever cut over to a different model ID (e.g. `anthropic.claude-sonnet-4-6` without the `eu.` prefix, or Claude Sonnet 4.7), re-run the threshold probe via the boto3 snippet in commit history before relying on the documented minimum. + ## User permissions — Claude Code allow/deny/ask integration Two independent features that both touch Claude Code's `permissions.{allow,deny,ask}` configuration. Both ship in the hook + server; both are env-gated. diff --git a/package.json b/package.json index 9d9b586c1..ad9185e48 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.418", + "version": "0.1.419", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/bedrock-client.ts b/src/bedrock-client.ts index 36d9f8f36..4c84af043 100644 --- a/src/bedrock-client.ts +++ b/src/bedrock-client.ts @@ -110,20 +110,21 @@ export async function bedrockChat( : undefined; // Prompt caching: mark the system prompt as a cache point so the - // 6500-token B7.1 hardened prompt is billed at 10% of the input rate - // for the next 5 minutes (cache TTL). The cache key is "everything - // before this marker"; the per-call user message after it is billed - // normally. - // - // Only effective when the cached portion is >= ~1024 tokens (Bedrock - // minimum). The standard SYSTEM_PROMPT may fall under that threshold - // and Bedrock will silently skip caching — that's fine, the marker - // costs nothing on a no-op. + // hardened system prompt is billed at 10% of the input rate for the + // next 5 minutes (cache TTL). The cache key is "everything before + // this marker"; the per-call user message after it is billed normally. // // We do NOT mark a cache point inside the user content because that - // changes per call (tool input, file context, agent reasoning) — caching - // it would invalidate every time. The system prompt is the static - // 90%+ of every judge request. + // changes per call (tool input, file context, agent reasoning) — + // caching it would invalidate every time. The system prompt is the + // static 90%+ of every judge request. + // + // KNOWN ISSUE (deferred — see CLAUDE.md "Cost & cache-engagement notes"): + // On `eu.anthropic.claude-sonnet-4-6` the empirical cache-engagement + // threshold is ~2048 tokens, not the documented 1024. Our B7.1 system + // prompt is ~1766 tokens — under the real threshold — so this marker + // is silently a no-op in prod today. Fix when we scale: pad the + // system prompt to >2048 tokens with static content. const systemBlocks: any[] = [ { text: systemPrompt }, { cachePoint: { type: "default" } }, From 342fae17f89735f68b2e4313069184d1b8a4cf2f Mon Sep 17 00:00:00 2001 From: Adrian Asher Date: Sat, 23 May 2026 13:15:51 +0100 Subject: [PATCH 7/8] fix(dashboard,bundle): wire API-key step into the integration flow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dashboard's Integration tab and the bundle's README both jumped from "install hook" → "wire up settings" → "verify" with no mention of the Bearer API key the hook server requires (DREDD_AUTH_MODE=required is the default in prod). A new user following the UI got 401s on every /intent and /evaluate, the hook fail-soft'd, and Claude Code proceeded without Dredd — silently broken because the suggested verify step hit /api/health which answers without auth. Changes: - API Keys tab: plaintext banner now ships a ready-to-run shell snippet that drops the key into ~/.claude/dredd/api-key (chmod 600), the location the hook script reads from by default. textContent prevents HTML injection. - Integration tab: new step 1 "Generate & install your API key" with a link into the API Keys tab. Existing steps renumbered to 2/3/4. The verify step now hits /api/auth-check (see below) instead of /api/health so a missing key actually fails the check. - Bundle README.md: mirrors the new step 1 + verify against /api/auth-check. - New endpoint GET /api/auth-check on the hook role. Runs authenticateHookRequest so missing/invalid keys return 401 and valid keys return 200 + ownerSub/ownerEmail/keyType. CORS so the dashboard can poll it too. Read-only. Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 2 +- src/integration-bundle.ts | 47 +++++++++++++++++++++++++++++++-------- src/server-hook.ts | 20 +++++++++++++++++ src/web/dashboard.html | 45 ++++++++++++++++++++++++++++++++----- 4 files changed, 98 insertions(+), 16 deletions(-) diff --git a/package.json b/package.json index ad9185e48..d7728c7f0 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.419", + "version": "0.1.420", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/integration-bundle.ts b/src/integration-bundle.ts index 378cb7176..caac773f8 100644 --- a/src/integration-bundle.ts +++ b/src/integration-bundle.ts @@ -143,7 +143,25 @@ This bundle points your Claude Code CLI at the judge server at: Every tool call your agent attempts will be evaluated by the judge; prompt- injection / goal-hijacking attempts are blocked before the tool runs. -## 1. Install the hook script +## 1. Generate & install your API key + +The hook server requires a Bearer key on every request. Without one, +\`/intent\` and \`/evaluate\` return 401 and Dredd silently falls back +to allowing everything. + +Open the dashboard's **API Keys** tab → **Generate key**. The plaintext +key is shown ONCE — run the snippet shown in the banner, which does: + +\`\`\`bash +mkdir -p ~/.claude/dredd +printf '%s\\n' 'jaid_live_PASTE_KEY_HERE' > ~/.claude/dredd/api-key +chmod 600 ~/.claude/dredd/api-key +\`\`\` + +The hook script reads from \`~/.claude/dredd/api-key\` by default; override +with \`$DREDD_API_KEY_FILE\` if you keep it elsewhere. + +## 2. Install the hook script \`\`\`bash mkdir -p ~/.claude/dredd @@ -151,7 +169,7 @@ cp dredd-hook.sh ~/.claude/dredd/ chmod +x ~/.claude/dredd/dredd-hook.sh \`\`\` -## 2. Wire up the hooks +## 3. Wire up the hooks Pick one scope: @@ -184,24 +202,35 @@ keep it to yourself. The script defaults to the URL above but respects \`$DREDD_URL\` if set. -## 3. Prerequisites +## 4. Prerequisites - \`curl\` and \`jq\` on your PATH (preinstalled on macOS / most Linux). -## 4. Verify +## 5. Verify + +Confirm the API key is wired up by hitting an auth-required endpoint: + +\`\`\`bash +curl -H "Authorization: Bearer $(cat ~/.claude/dredd/api-key)" \\ + ${dreddUrl}/api/auth-check +# Expected: HTTP 200 with {"authenticated":true,"ownerEmail":"…"} +# A 401 means the key file is missing, malformed, or revoked. +\`\`\` -Start a Claude Code session in any project. Open the dashboard at: +Then start a Claude Code session in any project. Open the dashboard at: ${dreddUrl}/ You should see your session appear in the Live Feed the moment you send -your first prompt. +your first prompt. Note that \`${dreddUrl}/api/health\` answers without +auth — useful for proving the server is reachable, but it won't catch a +missing API key. Use \`/api/auth-check\` above for that. ## Troubleshooting -- **Dashboard shows no sessions** — check that \`curl ${dreddUrl}/api/health\` - returns JSON with a \`version\` field. If not, the URL is wrong or the - server is down. +- **Dashboard shows no sessions but \`/api/health\` works** — the API key + is missing or wrong. Re-run \`curl … /api/auth-check\`; on 401, regenerate + the key from the dashboard and re-save to \`~/.claude/dredd/api-key\`. - **Hook runs but blocks nothing** — the server defaults to interactive mode; check the dashboard's mode badge. \`autonomous\` mode blocks on hijack, \`learn\` mode blocks nothing by design. diff --git a/src/server-hook.ts b/src/server-hook.ts index 40482e9d5..4de4504fc 100644 --- a/src/server-hook.ts +++ b/src/server-hook.ts @@ -371,6 +371,26 @@ document.getElementById('mode-select').dataset.current = ${JSON.stringify(CONFIG return json(res, 200, getBedrockMetrics()); } + // /api/auth-check — Bearer-key verification for the integration tab's + // verify step. /api/health and /api/whoami both answer without auth, + // which is exactly what makes them useless for confirming an API key + // is wired up — a missing or bad key still returns 200. This endpoint + // runs authenticateHookRequest so a missing/invalid key surfaces as + // 401 and a valid key surfaces as 200 + the resolved owner identity. + // Read-only; CORS so the dashboard can poll it from a browser too. + if (url.pathname === "/api/auth-check") { + if (applyCors(req, res)) return; + if (req.method !== "GET") return json(res, 405, { error: "Method not allowed" }); + const identity = await authenticateHookRequest(req, res); + if (!identity) return; // 401 already sent by authenticateHookRequest + return json(res, 200, { + authenticated: identity.keyValid, + ownerSub: identity.ownerSub, + ownerEmail: identity.ownerEmail, + keyType: identity.keyType, + }); + } + // /api/whoami — OIDC discovery. No auth; read-only. if (req.method === "GET" && url.pathname === "/api/whoami") { const oidcData = req.headers["x-amzn-oidc-data"] as string | undefined; diff --git a/src/web/dashboard.html b/src/web/dashboard.html index 57b8a7b58..32ed10720 100644 --- a/src/web/dashboard.html +++ b/src/web/dashboard.html @@ -417,7 +417,20 @@

Connect your Claude Code CLI to this judge

has this server's URL baked in.

-

1. Install the hook

+

1. Generate & install your API key

+

+ The hook server requires a Bearer key on every request — without + one, /intent and /evaluate return + 401 and Dredd silently falls back to allowing + everything. Open the + API Keys tab, + click Generate key, then run the snippet shown in + the plaintext banner. The hook script reads from + ~/.claude/dredd/api-key by default; override with + $DREDD_API_KEY_FILE if you keep it elsewhere. +

+ +

2. Install the hook

unzip judge-dredd-integration.zip -d /tmp/dredd
@@ -426,7 +439,7 @@ 
1. Install the hook

 chmod +x ~/.claude/dredd/dredd-hook.sh
-

2. Wire up the hooks

+

3. Wire up the hooks

Global (all projects)
Per-project
@@ -486,16 +499,21 @@

2. Wire up the hooks

default.

-

3. Verify

+

4. Verify

Start a Claude Code session in any project. Return to this dashboard's Overview tab — your session should appear in the Live Feed the moment - you send your first prompt. + you send your first prompt. The snippet below exercises the + Bearer-key auth path; /api/health answers without auth, + so it would lie to you if you used it here.

- 
# Sanity-check the server is reachable from your machine:
-curl {BASE}/api/health
+ 
# Confirm the key is set up correctly (returns your identity on success):
+curl -H "Authorization: Bearer $(cat ~/.claude/dredd/api-key)" \
+  {BASE}/api/auth-check
+# Expected: HTTP 200 with {"authenticated":true,"ownerEmail":"…"}
+# A 401 means the key file is missing, malformed, or revoked.

Prerequisites

@@ -592,6 +610,16 @@

API Keys

+
+ Save it to ~/.claude/dredd/api-key with mode 600 + — the hook script reads from there by default: +
+
+ + 
mkdir -p ~/.claude/dredd
+printf '%s\n' 'PASTE_KEY_HERE' > ~/.claude/dredd/api-key
+chmod 600 ~/.claude/dredd/api-key
+
@@ -2225,6 +2253,11 @@

/.claude/settings.json). - Never touch .bashrc, .zshrc, .profile, env files, shell aliases, or any path outside the allow-list. - Never exfiltrate the API key. - Stop and report any unexpected failure rather than "fix" it by editing other files. Three surfaces: - integration-bundle.ts: renderInstallPrompt() now exported; bundle zip ships claude-install-prompt.txt alongside the existing 3 files. - server-dashboard.ts: new GET /api/install-prompt returns just the prompt as text/plain (Clerk-gated, same auth as /api/integration-bundle). - dashboard.html: Integration tab gains an "Or: let Claude install Dredd for you" panel at the top with download button + the one-line `claude < ~/.claude/dredd/claude-install-prompt.txt` snippet. The existing manual-install flow is preserved unchanged below it. Co-Authored-By: Claude Opus 4.7 (1M context) --- package.json | 2 +- src/integration-bundle.ts | 157 ++++++++++++++++++++++++++++++++++++++ src/server-dashboard.ts | 20 +++++ src/web/dashboard.html | 51 ++++++++++++- 4 files changed, 227 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index d7728c7f0..cd381e062 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "judge-ai-dredd", - "version": "0.1.420", + "version": "0.1.421", "description": "Intent tracking and goal hijacking defence for autonomous AI agents", "type": "module", "scripts": { diff --git a/src/integration-bundle.ts b/src/integration-bundle.ts index caac773f8..c42612b29 100644 --- a/src/integration-bundle.ts +++ b/src/integration-bundle.ts @@ -271,6 +271,162 @@ DREDD_URL=http://127.0.0.1:1 claude `; } +/** + * Render the "let Claude install Dredd for you" prompt. + * + * The user feeds this to Claude (e.g. `claude < claude-install-prompt.txt` + * or pastes it as the first prompt) and Claude walks through the install + * one step at a time, describing each action and asking permission before + * running it. The dredd-on-dredd bootstrap problem (Dredd isn't installed + * yet so it can't judge this install session) is handled by deliberately + * keeping the instructions narrow: only the API-key path, the hook script + * path under ~/.claude/dredd/, and the settings.json wiring are in scope. + * + * Two guardrails: + * - The prompt INSTRUCTS Claude to describe each step and ask permission + * before running it. The user retains a human-in-the-loop checkpoint + * on every file write. + * - The prompt scopes filesystem writes to ~/.claude/dredd/ and + * ~/.claude/settings.json (or /.claude/settings.json) ONLY. + * Any other path is out of scope and Claude is told to stop and flag it. + * + * The bundle URL is embedded into the prompt so the installer can curl + * the hook script directly rather than relying on a separate `unzip` step. + */ +export function renderInstallPrompt(dreddUrl: string): string { + return `# Install Judge AI Dredd + +You are being asked to install Judge AI Dredd — a prompt-injection +defence layer for Claude Code — into the user's environment. Dredd +intercepts your tool calls at PreToolUse and blocks ones the judge +classifies as goal-hijacking. + +The judge server this install targets is: + + ${dreddUrl} + +## Before you do anything + +Print a numbered summary of what you are about to do, then **stop and +ask the user to confirm** before running a single command. The summary +must list: + +1. Every file you will create or modify, with its absolute path. +2. The URL you will fetch the hook script from. +3. That you will ask the user to paste an API key (which they must + first generate from the dashboard). +4. The verification step you will run at the end. + +Wait for an explicit "yes" / "go ahead" / "proceed" before running +anything. If the user asks questions, answer them, then re-ask for +confirmation. + +## What you will do (after the user confirms) + +### Step 1 — Get the API key from the user + +Tell the user: + +> Open the dashboard at ${dreddUrl.replace(/^https:\/\/dredd-hook\./, "https://dredd.")} +> (or whichever dashboard URL Dredd is running on for you). +> Go to the **API Keys** tab → **Generate key** with a description +> like "$(hostname) install — $(date +%Y-%m-%d)". +> Copy the plaintext key (shown ONCE) and paste it back here. + +WAIT for the user to paste the key. The key starts with \`jaid_live_\`. +Do not proceed without it. Do not make one up. + +When the user pastes it, do NOT echo it back in plaintext anywhere +except as the body of the file you write to disk. + +### Step 2 — Install the API key + +Create \`~/.claude/dredd/\` if missing. Write the pasted key to +\`~/.claude/dredd/api-key\` with mode 600. Confirm with the user +that the file is there before continuing. + +\`\`\`bash +mkdir -p ~/.claude/dredd +# Then write the key (use the user-supplied value, NOT a placeholder): +printf '%s\\n' "" > ~/.claude/dredd/api-key +chmod 600 ~/.claude/dredd/api-key +\`\`\` + +### Step 3 — Install the hook script + +Fetch the hook script from this server, write it to +\`~/.claude/dredd/dredd-hook.sh\`, and chmod 755. + +The bundle endpoint requires authentication, so use the API key from +Step 2: + +\`\`\`bash +curl -fsSL \\ + -H "Authorization: Bearer $(cat ~/.claude/dredd/api-key)" \\ + -o /tmp/judge-dredd-integration.zip \\ + ${dreddUrl.replace(/^https:\/\/dredd-hook\./, "https://dredd.")}/api/integration-bundle +unzip -o /tmp/judge-dredd-integration.zip -d /tmp/dredd +cp /tmp/dredd/dredd-hook.sh ~/.claude/dredd/ +chmod 755 ~/.claude/dredd/dredd-hook.sh +\`\`\` + +Confirm the script is there and executable. + +### Step 4 — Wire the hooks into Claude Code + +Ask the user whether to install globally (\`~/.claude/settings.json\` — +affects every Claude Code session on this machine) or per-project +(\`/.claude/settings.json\` — affects only sessions started +in that directory). + +For whichever target the user picks: + +- If the target file does NOT exist, copy \`/tmp/dredd/settings.json\` + into place. +- If the target file DOES exist, do NOT overwrite. Read it, show the + user the existing \`hooks\` and \`env\` blocks (if any), then propose + a merge that splices in the Dredd entries while preserving everything + else. Apply the merge only after the user approves. + +### Step 5 — Verify + +Run this — it exercises the API-key path, unlike \`/api/health\`: + +\`\`\`bash +curl -sfk -H "Authorization: Bearer $(cat ~/.claude/dredd/api-key)" \\ + ${dreddUrl}/api/auth-check +\`\`\` + +Expected: HTTP 200 with JSON \`{"authenticated":true,...}\`. + +On 401: the key file is missing, malformed, or revoked. Re-run Step 1. +On any other error: report the status code to the user and stop. + +## Boundaries + +- Do NOT touch any path outside \`~/.claude/dredd/\`, + \`~/.claude/settings.json\`, or \`/.claude/settings.json\`. +- Do NOT install any other tools, package managers, or shell hooks. +- Do NOT modify \`.bashrc\`, \`.zshrc\`, \`.profile\`, environment files, + or shell aliases. +- Do NOT exfiltrate the API key. It belongs only in + \`~/.claude/dredd/api-key\` with mode 600. +- If any step fails, stop and report the failure to the user; do not + try to "fix" by editing files the user did not ask you to touch. + +## After install + +Tell the user: + +> Restart your Claude Code session for the hooks to take effect. +> Your next session will appear in the Live Feed at the dashboard the +> moment you send your first prompt. + +Then you are done. Do not start any other work in this session unless +the user explicitly asks. +`; +} + /** * Build the integration bundle for the given judge URL. Called by the * /api/integration-bundle route. @@ -282,6 +438,7 @@ export function buildIntegrationBundle(dreddUrl: string): Buffer { const entries: ZipEntry[] = [ { name: "dredd-hook.sh", data: Buffer.from(bakedHook, "utf8"), mode: 0o755 }, + { name: "claude-install-prompt.txt", data: Buffer.from(renderInstallPrompt(dreddUrl), "utf8"), mode: 0o644 }, { name: "settings.json", data: Buffer.from(renderSettings(dreddUrl), "utf8"), mode: 0o644 }, { name: "README.md", data: Buffer.from(renderReadme(dreddUrl), "utf8"), mode: 0o644 }, ]; diff --git a/src/server-dashboard.ts b/src/server-dashboard.ts index 266d20217..dddac71f9 100644 --- a/src/server-dashboard.ts +++ b/src/server-dashboard.ts @@ -261,6 +261,26 @@ const server = createServer(async (req, res) => { return; } + // /api/install-prompt — the "let Claude install Dredd for you" prompt + // as a standalone file, for users who want to pipe it straight into + // claude < prompt.txt without unpacking the whole bundle. Same Clerk + // gate as the bundle — anonymous downloads would let an attacker + // grab the prompt + craft a phishing message that imitates Dredd. + if (req.method === "GET" && url.pathname === "/api/install-prompt") { + const principal = await requireClerkAuth(req, res); + if (!principal) return; + const { renderInstallPrompt } = await import("./integration-bundle.js"); + const dreddUrl = HOOK_URL || resolvePublicOrigin(req); + const body = Buffer.from(renderInstallPrompt(dreddUrl), "utf8"); + res.writeHead(200, { + "Content-Type": "text/plain; charset=utf-8", + "Content-Disposition": 'attachment; filename="claude-install-prompt.txt"', + "Content-Length": body.length, + }); + res.end(body); + return; + } + if (req.method === "GET" && url.pathname === "/api/logs/download") { const principal = await requireClerkAuth(req, res); if (!principal) return; diff --git a/src/web/dashboard.html b/src/web/dashboard.html index 32ed10720..ea300ad27 100644 --- a/src/web/dashboard.html +++ b/src/web/dashboard.html @@ -405,6 +405,30 @@

Connect your Claude Code CLI to this judge

your agent makes will be evaluated by this judge server before it runs.

+
+
Or: let Claude install Dredd for you
+

+ Download the install prompt below and pipe it into a Claude Code + session — Claude will describe each step, ask permission, and + walk through the install one file at a time. Scoped to + ~/.claude/dredd/ and ~/.claude/settings.json + only; everything else is out of bounds. +

+
+ + ~/.claude/dredd/claude-install-prompt.txt +
+
+ + 
mkdir -p ~/.claude/dredd
+mv ~/Downloads/claude-install-prompt.txt ~/.claude/dredd/
+claude < ~/.claude/dredd/claude-install-prompt.txt
+
+
+ +

Install manually

The bundle is a zip containing dredd-hook.sh, - settings.json, and README.md. The hook script - has this server's URL baked in. + settings.json, README.md, and + claude-install-prompt.txt. The hook script has this + server's URL baked in.

1. Generate & install your API key

@@ -1203,6 +1228,28 @@

Feed entry

} } + async function downloadInstallPrompt() { + // Same flow as the bundle download but pulls the standalone + // claude-install-prompt.txt file — the "let Claude install Dredd + // for you" entry path. Clerk-gated server-side; we just need to + // carry the bearer token via dreddFetch. + try { + const resp = await dreddFetch(`${API}/api/install-prompt`); + if (!resp.ok) throw new Error('HTTP ' + resp.status); + const blob = await resp.blob(); + const url = URL.createObjectURL(blob); + const a = document.createElement('a'); + a.href = url; + a.download = 'claude-install-prompt.txt'; + document.body.appendChild(a); + a.click(); + a.remove(); + setTimeout(() => URL.revokeObjectURL(url), 5_000); + } catch (err) { + alert('Download failed: ' + err.message); + } + } + function switchScope(tabEl, scope) { // Scope tabs are scoped to a single parent (the Integrate tab's // Step 2) — querying from tabEl.parentElement keeps it working even if