Skip to content

[nightly] fix(agent-sec-core): degrade scan-prompt to fast mode during cold start#1344

Closed
zhangtaibo wants to merge 1 commit into
alibaba:mainfrom
zhangtaibo:fix/agent-sec-core-cold-start-degrade-nightly-20260706
Closed

[nightly] fix(agent-sec-core): degrade scan-prompt to fast mode during cold start#1344
zhangtaibo wants to merge 1 commit into
alibaba:mainfrom
zhangtaibo:fix/agent-sec-core-cold-start-degrade-nightly-20260706

Conversation

@zhangtaibo

Copy link
Copy Markdown
Contributor

Summary

Fixes #1342

During cold start (ML model not ready), scan-prompt --mode standard|strict returned verdict=error instead of degrading to fast mode (L1 rule-engine only). This caused the cold-start degradation test to fail and left the security scanner non-functional during the model load window.

Root Cause

prompt_scan_handler() in daemon/handlers/prompt_scan.py raised UnavailableError when prompt_scan_state.status != "ready". There was no fallback path to L1 rule-engine scanning, so any request during the cold-start window got a hard error.

Fix

Add cold-start degradation logic:

  • When the ML model (L2) is not ready and mode is standard or strict, degrade to fast mode (L1 rule-engine only).
  • L1 DENY is rewritten to WARN to avoid false blocks during the degraded window.
  • Response carries degraded=true, degraded_reason, and degraded_original_verdict for audit purposes.

Verification

ECS (47.83.182.36), anolisa main 8ac16a96:

# Build
bash scripts/rpm-build.sh agent-sec-core
# → exit 0, 8 RPMs produced (agent-sec-cli-0.7.0-1.alnx4.x86_64.rpm 207M)

# Install + test
rpm -Uvh --force --nodeps scripts/rpmbuild/RPMS/x86_64/agent-sec-*.rpm
systemctl --user restart agent-sec-core
cd /root/agentic-os-tests/agent-sec-core
python3 -m pytest -xvs 'tests/test_cli_scan_prompt_cold_start_degrade.py::test_scan_prompt_degrades_to_fast_during_cold_start'
# → 1 passed in 1.15s

[nightly] Discovered and fixed by AgenticOS Nightly automated product-fix-agent (regression-20260706-113053).

@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.


云孟 seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions github-actions Bot added the component:sec-core src/agent-sec-core/ label Jul 6, 2026
@zhangtaibo

Copy link
Copy Markdown
Contributor Author

[automated review] case 连续通过 10 次,PR 未 merged,原始 verdict=env_specific(非 product_bug),疑似误报,关闭 issue+PR。若确已修复请重开。

@zhangtaibo zhangtaibo closed this Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

component:sec-core src/agent-sec-core/

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[nightly] agent-sec-core: scan-prompt returns verdict=error during cold start instead of degrading to fast mode

2 participants