Skip to content

feat(rules): hard-BLOCK local hard smuggled-token channels in strict/paranoid#100

Open
fu351 wants to merge 1 commit into
mainfrom
feat/token-channels/mode-hard-block
Open

feat(rules): hard-BLOCK local hard smuggled-token channels in strict/paranoid#100
fu351 wants to merge 1 commit into
mainfrom
feat/token-channels/mode-hard-block

Conversation

@fu351

@fu351 fu351 commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Slice

  • Repo: doberman-core
  • Feature / Slice: F3 objective guardrail — token-channel mode escalation
  • Plan reference: red-team synthetic benchmark finding (asr_strict=1.0 / hard channels never hard-BLOCK; AUTH defeated under operator fatigue, effective_asr_approve=1.0)

What this PR does

Strict/Paranoid now hard-BLOCK a LOCAL hard smuggled-token channel (bidi / Unicode tag-block / invisible / noncharacter — the near-zero-false-positive HARD channels), instead of only stepping up to AUTH. Mirrors the existing trifecta_hard_block mode escalation exactly. Light/Balanced are unchanged (still AUTH). The external-destination BLOCK branch is untouched (already mode-independent).

Motivation: a hard smuggling channel has no legitimate use in tool traffic, so in the strictest modes it should be refused outright rather than left to an AUTH prompt a fatigued operator may rubber-stamp.

Tests added (run in CI)

  • tests/unit/test_token_channel_hard_block.py — 8 deterministic tests: strict/paranoid -> BLOCK; balanced/light -> AUTH (unchanged); external-destination -> BLOCK in every mode; no-channel -> PASS; raise-only (strict verdict >= balanced via VERDICT_ORDER); redaction (decoded payload + raw smuggled bytes never appear in explanation/reason_codes).

Public-release safety (doberman-core only)

  • Contains nothing from the "not allowed" list
  • Core still builds/tests/runs with NO enterprise package installed

Security checklist

  • Fails closed on error / uncertainty
  • No secret, full file, or unredacted prompt logged or committed
  • Any guardrail/learning change is raise-only (no silent loosening)
  • Every BLOCK/AUTH carries reason codes + a human explanation
  • doberman-core does not import doberman_enterprise

Edge cases covered / Deviations from plan / Risks introduced

  • Raise-only by construction: only escalates an existing local AUTH to BLOCK, only in strict/paranoid. No new dependency; no new import boundary (engine.rules -> policy already used by commands.py/destinations.py/role_boundary.py). Full suite green locally: 1368 passed, 4 skipped, 91% coverage.

…paranoid

A hard smuggled-token channel (bidi / Unicode tag-block / invisible / noncharacter
- near-zero false positive, no legitimate use in tool traffic) that stays LOCAL
previously only stepped up to AUTH, which an operator can rubber-stamp under
alert fatigue. Strict/Paranoid now escalate the local case to BLOCK, mirroring
the existing trifecta_hard_block precedent.

Raise-only (ADR 0021): only escalates an existing local AUTH to BLOCK, only in
the strictest modes; Light/Balanced unchanged. External-destination BLOCK branch
untouched (already mode-independent).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant