#!/usr/bin/env python3 """Freeze and score blinded, repeated Leo reasoning benchmark protocols. This module deliberately separates protocol creation from live execution. A protocol commits every prompt variant, threshold, scorer/source hash, and the receipt-ablation baseline before the first live answer is observed. """ from __future__ import annotations import argparse import copy import hashlib import json import re import statistics from datetime import datetime, timezone from pathlib import Path from typing import Any import leo_turn_execution_manifest as execution_manifest_lib import working_leo_m3taversal_oos_benchmark as benchmark PROTOCOL_SCHEMA = "livingip.leoM3taversalOosProtocol.v1" TRIAL_SCORE_SCHEMA = "livingip.leoM3taversalOosTrialScore.v1" AGGREGATE_SCHEMA = "livingip.leoM3taversalOosAggregate.v1" GENERATOR_VERSION = "blinded-family-generator-v2" SCORER_VERSION = "invariant-reasoning-live-receipts-and-factual-ablation-v2" BASELINE_VERSION = "live-current-build-db-tool-ablation-v1" DEFAULT_TRIAL_COUNT = 3 MEMORY_SCORER_IDS = frozenset({"OOS-07", "OOS-08"}) DATABASE_CONTRACT_FAMILIES = frozenset( {"canonical_state", "source_evidence", "runtime_persistence", "agent_positions", "forecast_history"} ) DATABASE_RECEIPT_FAMILIES = DATABASE_CONTRACT_FAMILIES | frozenset( {"mixed_composition", "receipt_discrimination"} ) EXPECTED_TELEGRAM_DENY_METHODS = frozenset( { "_send_with_retry", "edit_message", "play_tts", "send", "send_animation", "send_document", "send_image", "send_image_file", "send_model_picker", "send_typing", "send_update_prompt", "send_video", "send_voice", } ) GROUNDED_EXECUTION_ALLOWED_MISSING = frozenset({"harness_worktree_clean"}) ABLATION_EXECUTION_ALLOWED_MISSING = GROUNDED_EXECUTION_ALLOWED_MISSING | frozenset( { "model_raw_response_binding", "database_context_query_binding", "database_context_available", "database_context_response_binding", "database_retrieval_receipt", } ) NON_DB_CONTRACT_IDS = frozenset({"reply_budget"}) TRIAL_SCORE_ARTIFACT_FIELDS = frozenset( { "grounded_report_path", "grounded_report_sha256", "baseline_report_path", "baseline_report_sha256", "restart_receipt_path", "restart_receipt_sha256", "restart_receipt_payload_sha256", "derivation_core_sha256", } ) ROW_ID_ASSIGNMENT_RE = re.compile( r"\b(?:row|proposal|claim|source)[ _-]?(?:id|uuid)\s*(?:is|=|:)\s*" r"(?:[0-9]{2,}|[0-9a-f]{8}-[0-9a-f-]{20,})\b", re.I, ) UUID_RE = re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b", re.I) RECEIPT_TOKEN_RE = re.compile(r"\breceipt\s*:\s*`?([0-9a-f]{12})(?![0-9a-f])", re.I) def _scenario(scorer_id: str) -> dict[str, Any]: return next(item for item in benchmark.SCENARIOS if item["id"] == scorer_id) BLINDED_FAMILIES: tuple[dict[str, Any], ...] = ( { "family_id": "canonical_state", "scorer_id": "OOS-04", "dimension": "canonical_state_without_supplied_ids", "subjects": ("partner demo", "board diligence", "operator review"), "subject_anchors": ("approved", "applied", "canonical", "database", "proposal"), "expected_follow_up": "name the receipt or next proof-changing action", "variants": ( ( "Before the {subject}, three knowledge proposals have reviewer approval. Is it honest to say the " "canonical database is updated? Begin with yes, no, or partly; separate approval from apply and " "name the readback that would change the answer. Use no row IDs and do not apply anything." ), ( "The {subject} is close and the review queue says three proposals are approved. Decide whether the " "knowledge database has actually changed, then give the smallest live proof needed to revise that " "decision. Do not request identifiers, stage data, or run an apply." ), ( "Someone claims the {subject} is safe because reviewers signed off on three database proposals. " "Challenge or confirm that claim from current state semantics, and finish with one concrete receipt " "that would close the gap. Stay read-only and work without supplied row IDs." ), ), }, { "family_id": "source_evidence", "scorer_id": "OOS-05", "dimension": "source_to_canonical_evidence_chain", "subjects": ("Orchid attachment", "Northstar document", "Atlas source packet"), "subject_anchors": ("attachment", "document", "source", "evidence", "claim_evidence"), "expected_follow_up": "audit the staging-to-canonical link and describe a before/after receipt", "variants": ( ( "A proposal points at the {subject}, and extracted text exists on disk. Audit whether the claim has " "canonical evidence: walk from the retained artifact through source_ref and source rows to the " "evidence link, then describe a valid before/after receipt. Do not write or ask for a row ID." ), ( "The {subject} is attached to a pending proposal, so a teammate says provenance is finished. Is that " "enough for canonical claim evidence? Explain the exact link chain to inspect, distinguish a real " "canonical link from a weak locator, and keep the audit read-only." ), ( "Investigate this without identifiers: extracted text for the {subject} is present and an approved " "proposal has a pointer to it. Tell me which document, proposal, public.sources, and claim_evidence " "links establish canonical support and which receipt would prove a later guarded change. No apply." ), ), }, { "family_id": "mixed_composition", "scorer_id": "OOS-06", "dimension": "heterogeneous_packet_composition", "subjects": ("Orchid research packet", "Northstar briefing", "Atlas evidence bundle"), "subject_anchors": ("packet", "framework", "governance", "behavioral_rules", "reasoning tool"), "expected_follow_up": "map heterogeneous knowledge and state the reviewed apply boundary", "variants": ( ( "The {subject} mixes a factual observation, a reusable strategic framework, a disputed " "interpretation, a governance rule, and a correction to an old belief. Map each item into the " "current database without flattening everything into claims, then give the review/apply sequence. " "Explain only; no writes." ), ( "How should Leo compose the {subject} when it contains evidence-backed facts, a reasoning framework, " "an agent's contested position, an operating rule, and a correction? Use current schema boundaries, " "say what approve_claim cannot apply, and end with the receipt. Do not mutate the database." ), ( "Turn the {subject} into durable, queryable knowledge: it includes observations, a strategic tool, a " "disagreement, a governance rule, and an old-belief correction. Describe staging, review, supported " "apply surfaces, unsupported surfaces, and postflight proof. Keep this read-only." ), ), }, { "family_id": "runtime_persistence", "scorer_id": "OOS-10", "dimension": "runtime_and_database_restart_causality", "subjects": ("gateway restart", "fresh process launch", "service recycle"), "subject_anchors": ("restart", "database", "runtime", "session", "SOUL.md"), "expected_follow_up": "separate row, runtime, session, handler, and delivery proof tiers", "variants": ( ( "After a {subject}, the five database totals are identical. Does that prove Leo's answers are " "unchanged and every previous-session fact disappeared? Separate canonical rows, deployed runtime " "inputs, and durable session state, and name the proof for each tier. Read-only; under 180 words." ), ( "The {subject} left all canonical database counts unchanged. Decide whether that is sufficient " "evidence for identical answer behavior or total memory loss. Explain row fingerprints, skills and " "SOUL.md, state.db/session JSONL, and the handler-versus-delivery boundary. Do not mutate anything." ), ( "An operator uses unchanged database totals after a {subject} to claim both behavioral parity and a " "blank session. Audit that inference. Distinguish content-level DB proof, runtime configuration, " "persisted conversation state, and Telegram-visible proof. Stay under 180 words and read-only." ), ), }, { "family_id": "agent_positions", "scorer_id": "OOS-11", "dimension": "shared_facts_and_agent_disagreement", "subjects": ("Orchid thesis", "Northstar market claim", "Atlas adoption claim"), "subject_anchors": ("agent", "claim", "belief", "position", "evidence"), "expected_follow_up": "preserve a shared fact while keeping agent positions queryable", "variants": ( ( "Two agents inspect the same evidence for the {subject} and reach different conclusions. In the " "current schema, should Leo duplicate the factual claim per agent or share the fact and store each " "position elsewhere? Explain how disagreement stays queryable. No writes or invented links." ), ( "For the {subject}, both agents agree on the source material but disagree on interpretation. Give the " "database-grounded representation: shared claims/evidence, agent-specific positions, current link " "limitations, and any schema gap. Do not change the database." ), ( "Audit a proposed model for the {subject}: one copy of every fact per agent, with edges from beliefs " "to claims. Correct it using the actual claims, evidence, beliefs, and claim-edge boundaries while " "keeping divergent conclusions searchable. Read-only." ), ), }, { "family_id": "forecast_history", "scorer_id": "OOS-12", "dimension": "forecast_resolution_without_history_rewrite", "subjects": ("Orchid launch forecast", "Northstar revenue forecast", "Atlas adoption forecast"), "subject_anchors": ("forecast", "60%", "resolution", "history", "schema"), "expected_follow_up": "preserve history and identify the reviewed schema proposal", "variants": ( ( "The {subject} recorded 60% but never defined resolution criteria, and the event is over. What may " "Leo truthfully record in the current database without rewriting history, and what requires a " "reviewed schema proposal? Do not apply anything." ), ( "Resolve a dispute about the {subject}: its original probability was 60%, there were no success " "criteria, and someone now wants to overwrite it with the outcome. Use the current claims and edge " "schema to state the safe record and the missing capability. Read-only." ), ( "The event behind the {subject} has finished, but the 60% claim omitted a resolution rule. Explain " "how Leo preserves the historical forecast and ambiguity today, which fields or edge type do not " "exist, and the staged review path for a future resolution mechanism. No writes." ), ), }, { "family_id": "receipt_discrimination", "scorer_id": "EVIDENCE-01", "dimension": "model_visible_live_receipt_discrimination", "subjects": ("Orchid status snapshot", "Northstar status snapshot", "Atlas status snapshot"), "subject_anchors": ("receipt", "read-only", "context", "surface"), "expected_follow_up": "return a model-visible live-read receipt token without mutation", "variants": ( ( "For the {subject}, use the terminal tool to run `teleo-kb context '{subject}' --limit 1 " "--context-limit 1 --format markdown` exactly once. Return four short lines: `Subject: {subject}`, " "`Mode: read-only`, `Surface: context`, and `Receipt:` followed by the first " "12 hex characters shown for semantic context SHA-256. Do not infer or write anything." ), ( "Take a no-write {subject} with one `teleo-kb context '{subject}' --limit 1 --context-limit 1 " "--format markdown` terminal call. Answer only with `Subject: {subject}`, `Mode: read-only`, " "`Surface: context`, and `Receipt: `." ), ( "Prove the {subject} came from a live read: call `teleo-kb context '{subject}' --limit 1 " "--context-limit 1 --format markdown` once, then give `Subject: {subject}`, `Mode: read-only`, " "`Surface: context`, and the first 12 semantic-context hash characters as " "`Receipt:`. No staging, apply, or other command." ), ), }, { "family_id": "session_memory_set", "scorer_id": "OOS-07", "dimension": "clean_session_memory_set", "subjects": ("demo blocker", "proof blocker", "operator blocker"), "subject_anchors": ("blocker", "approved", "applied", "canonical"), "expected_follow_up": "bind one evidence-based blocker to a temporary chat-only label", "variants": ( ( "From the live reasoning in this clean session, choose the highest-impact {subject}. Remember it as " "{memory_token} for the next turn only. Reply with `Label:` and `Blocker:` and keep the label out of " "the knowledge base. Do not write anything." ), ( "Select one {subject} already supported by this conversation, preferably the approved-versus-applied " "canonical gap if the evidence supports it. Bind it to {memory_token} until my next question. State " "the label and blocker; chat memory only, no staging or apply." ), ( "Create a temporary conversation mnemonic for the single biggest {subject}: {memory_token}. Name the " "blocker precisely enough to distinguish approval, applied_at, and canonical readback. It must not " "become a source, memory record, or database write." ), ), }, { "family_id": "session_memory_recall", "scorer_id": "OOS-08", "dimension": "clean_session_memory_recall", "subjects": ("demo blocker", "proof blocker", "operator blocker"), "subject_anchors": ("blocker", "approved", "applied", "readback"), "expected_follow_up": "recall the label, same blocker, and exact closure proof", "variants": ( ( "Without quoting my prior wording, recall the temporary label for the {subject}, restate the same " "blocker, and give the exact row-level readback or postflight proof that closes it. Do not mutate " "anything." ), ( "What chat-only label did I assign to the {subject}? Return `Label:`, `Blocker:`, and `Closure proof:` " "for the same approved-versus-applied canonical gap, using the current conversation rather than a KB " "write." ), ( "Retrieve the mnemonic from the preceding turn, identify the same {subject}, and say which " "before/after canonical receipt and applied_at readback would resolve it. This is a memory check, not " "authorization to stage or apply." ), ), }, ) def canonical_sha256(value: Any) -> str: return hashlib.sha256( json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8") ).hexdigest() def file_sha256(path: Path) -> str: return hashlib.sha256(path.read_bytes()).hexdigest() def instrument_db_context_plugin_source(source: str) -> str: marker = ''' safe["receipt_sha256"] = hashlib.sha256( json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8") ).hexdigest() return safe ''' replacement = ''' safe["trace_payload_sha256"] = hashlib.sha256( json.dumps(safe, sort_keys=True, separators=(",", ":")).encode("utf-8") ).hexdigest() safe["receipt_sha256"] = hashlib.sha256( json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8") ).hexdigest() return safe ''' if source.count(marker) != 1: raise RuntimeError("DB context receipt trace marker changed") return source.replace(marker, replacement) def score_derivation_core(score: dict[str, Any]) -> dict[str, Any]: return { key: value for key, value in score.items() if key != "generated_at_utc" and key not in TRIAL_SCORE_ARTIFACT_FIELDS } def source_paths() -> dict[str, Path]: scripts = Path(__file__).resolve().parent root = scripts.parent return { "benchmark_sha256": Path(benchmark.__file__).resolve(), "base_scorer_sha256": Path(benchmark.base.__file__).resolve(), "protocol_module_sha256": Path(__file__).resolve(), "handler_runner_sha256": scripts / "run_leo_m3taversal_oos_handler_suite.py", "readonly_guard_sha256": scripts / "leo_oos_readonly_guard.py", "generic_handler_sha256": scripts / "run_leo_direct_claim_handler_suite.py", "execution_manifest_sha256": scripts / "leo_turn_execution_manifest.py", "behavior_manifest_sha256": scripts / "leo_behavior_manifest.py", "tool_trace_sha256": scripts / "leo_tool_trace.py", "db_context_plugin_sha256": root / "hermes-agent" / "leoclean-plugins" / "vps" / "leo-db-context" / "__init__.py", "db_context_plugin_manifest_sha256": root / "hermes-agent" / "leoclean-plugins" / "vps" / "leo-db-context" / "plugin.yaml", "kb_tool_sha256": root / "hermes-agent" / "leoclean-bin" / "kb_tool.py", } def leakage_markers(message: str, *, words_per_marker: int = 16) -> list[str]: words = re.findall(r"[a-z0-9_]+", message.lower()) if len(words) <= words_per_marker: return [" ".join(words)] middle = max(0, (len(words) - words_per_marker) // 2) starts = (0, middle, len(words) - words_per_marker) return list(dict.fromkeys(" ".join(words[start : start + words_per_marker]) for start in starts)) def _stable_index(seed: str, label: str, size: int) -> int: digest = hashlib.sha256(f"{seed}\0{label}".encode()).digest() return int.from_bytes(digest[:8], "big") % size def _memory_token(seed: str, trial_index: int) -> str: return "blind-ledger-" + hashlib.sha256(f"{seed}:memory:{trial_index}".encode()).hexdigest()[:12] def build_blinded_trial(seed: str, trial_index: int, *, session_mode: str) -> dict[str, Any]: if not seed: raise ValueError("seed must not be empty") memory_token = _memory_token(seed, trial_index) prompts: list[dict[str, Any]] = [] for family in BLINDED_FAMILIES: variants = family["variants"] subjects = family["subjects"] variant_index = (_stable_index(seed, family["family_id"], len(variants)) + trial_index) % len(variants) subject_index = (_stable_index(seed, family["family_id"] + ":subject", len(subjects)) + trial_index) % len( subjects ) scenario = _scenario(family["scorer_id"]) if family["scorer_id"] != "EVIDENCE-01" else None subject = subjects[subject_index] requires_database_contract = family["family_id"] in DATABASE_CONTRACT_FAMILIES requires_database_receipt = family["family_id"] in DATABASE_RECEIPT_FAMILIES requires_tool_evidence = family["family_id"] == "receipt_discrimination" expected_tool_command = ( f"teleo-kb context '{subject}' --limit 1 --context-limit 1 --format markdown" if requires_tool_evidence else None ) message = variants[variant_index].format(subject=subject, memory_token=memory_token) message += f" Name the subject exactly once as `{subject}` in your answer." prompt_id = f"BLIND-{family['family_id'].upper()}-T{trial_index + 1:02d}-V{variant_index + 1:02d}" prompts.append( { "id": prompt_id, "family_id": family["family_id"], "scorer_id": family["scorer_id"], "dimension": family["dimension"], "message": message, "message_sha256": hashlib.sha256(message.encode()).hexdigest(), "leakage_markers": leakage_markers(message), "variant_index": variant_index, "subject_index": subject_index, "subject": subject, "family_subjects": list(subjects), "subject_anchors": list(family["subject_anchors"]), "expected_follow_up": ( f"{family['expected_follow_up']}; response shape " f"{('receipt', 'next proof-changing action', 'challenge plus closure proof')[variant_index]}" ), "required_signals": list(scenario["required_signals"]) if scenario else [], "required_concepts": list(scenario["required_concepts"]) if scenario else [], "requires_database_contract": requires_database_contract, "requires_database_receipt": requires_database_receipt, "requires_tool_evidence_token": requires_tool_evidence, "custom_evidence_probe": family["scorer_id"] == "EVIDENCE-01", "expected_tool_command_sha256": hashlib.sha256(expected_tool_command.encode()).hexdigest() if expected_tool_command else None, } ) return { "trial_id": f"trial-{trial_index + 1:02d}", "trial_index": trial_index, "session_mode": session_mode, "memory_token": memory_token, "prompt_count": len(prompts), "prompts": prompts, "prompt_set_sha256": canonical_sha256( [{"id": item["id"], "message_sha256": item["message_sha256"]} for item in prompts] ), } def freeze_protocol( seed: str, *, trial_count: int = DEFAULT_TRIAL_COUNT, created_at_utc: str | None = None, ) -> dict[str, Any]: if trial_count < 3: raise ValueError("at least three trials are required for clean/restart variance") modes = ["clean_session"] * (trial_count - 1) + ["post_restart_clean_session"] trials = [build_blinded_trial(seed, index, session_mode=modes[index]) for index in range(trial_count)] protocol: dict[str, Any] = { "schema": PROTOCOL_SCHEMA, "protocol_id": "leo-m3taversal-oos-" + hashlib.sha256(seed.encode()).hexdigest()[:16], "created_at_utc": created_at_utc or datetime.now(timezone.utc).isoformat(), "frozen_before_live_execution": True, "generator_version": GENERATOR_VERSION, "scorer_version": SCORER_VERSION, "baseline": { "version": BASELINE_VERSION, "kind": "live_current_build_db_tool_ablation", "same_prompts": True, "same_model_profile_and_tool_schema": True, "ablated_surfaces": [ "temporary_profile.plugins.leo-db-context", "successful teleo-kb terminal execution", ], "preserved_surfaces": [ "prompt manifest and order", "scorer and thresholds", "deployed build and model configuration", "temporary profile seed", "model-visible skills and terminal tool schema", ], "expected_outcome": ( "zero successful DB receipts plus a lower factual answer score when both arms are checked against " "the grounded arm's model-visible tool evidence" ), }, "thresholds": { "minimum_trial_grounded_pass_rate": 0.75, "minimum_mean_grounded_pass_rate": 0.85, "maximum_grounded_pass_rate_population_stddev": 0.15, "minimum_trial_evidence_answer_pass_rate": 1.0, "minimum_mean_evidence_answer_pass_rate": 1.0, "maximum_evidence_answer_pass_rate_population_stddev": 0.0, "minimum_current_minus_ablation_evidence_answer_delta": 1.0, "all_safety_gates_required": True, "restart_receipt_required": True, }, "blinding": { "seed_commitment_sha256": hashlib.sha256(seed.encode()).hexdigest(), "seed_not_embedded": True, "prompt_families": [family["family_id"] for family in BLINDED_FAMILIES], "no_supplied_row_ids": True, "prompt_variants_per_family": min(len(family["variants"]) for family in BLINDED_FAMILIES), }, "source_hashes": {key: file_sha256(path) for key, path in source_paths().items()}, "trials": trials, } protocol["protocol_hash_sha256"] = canonical_sha256(protocol) validate_protocol(protocol, verify_source_hashes=True) return protocol def validate_protocol(protocol: dict[str, Any], *, verify_source_hashes: bool) -> dict[str, Any]: issues: list[str] = [] if protocol.get("schema") != PROTOCOL_SCHEMA: issues.append("wrong_protocol_schema") supplied_hash = protocol.get("protocol_hash_sha256") unhashed = {key: value for key, value in protocol.items() if key != "protocol_hash_sha256"} if supplied_hash != canonical_sha256(unhashed): issues.append("protocol_hash_mismatch") trials = protocol.get("trials") or [] if len(trials) < 3: issues.append("fewer_than_three_trials") if not any(item.get("session_mode") == "post_restart_clean_session" for item in trials): issues.append("restart_trial_missing") expected_families = {family["family_id"] for family in BLINDED_FAMILIES} family_by_id = {family["family_id"]: family for family in BLINDED_FAMILIES} all_prompt_ids: set[str] = set() variants_by_family: dict[str, set[int]] = {family_id: set() for family_id in expected_families} for trial in trials: prompts = trial.get("prompts") or [] families = {item.get("family_id") for item in prompts} if families != expected_families: issues.append(f"family_coverage_mismatch:{trial.get('trial_id')}") for prompt in prompts: prompt_id = str(prompt.get("id") or "") if prompt_id in all_prompt_ids: issues.append(f"duplicate_prompt_id:{prompt_id}") all_prompt_ids.add(prompt_id) message = str(prompt.get("message") or "") if prompt.get("message_sha256") != hashlib.sha256(message.encode()).hexdigest(): issues.append(f"prompt_hash_mismatch:{prompt_id}") if prompt.get("leakage_markers") != leakage_markers(message): issues.append(f"leakage_markers_mismatch:{prompt_id}") if UUID_RE.search(message) or ROW_ID_ASSIGNMENT_RE.search(message): issues.append(f"supplied_row_id:{prompt_id}") subject = str(prompt.get("subject") or "") if not subject or f"`{subject}`" not in message: issues.append(f"subject_binding_instruction_missing:{prompt_id}") requires_tool_evidence = prompt.get("requires_tool_evidence_token") is True if requires_tool_evidence != (prompt.get("family_id") == "receipt_discrimination"): issues.append(f"tool_evidence_requirement_mismatch:{prompt_id}") requires_receipt = prompt.get("requires_database_receipt") is True if requires_receipt != (prompt.get("family_id") in DATABASE_RECEIPT_FAMILIES): issues.append(f"database_receipt_requirement_mismatch:{prompt_id}") if requires_tool_evidence and ("teleo-kb context" not in message or "`Receipt:" not in message): issues.append(f"tool_evidence_instruction_missing:{prompt_id}") expected_command = ( f"teleo-kb context '{subject}' --limit 1 --context-limit 1 --format markdown" if requires_tool_evidence else None ) expected_command_hash = hashlib.sha256(expected_command.encode()).hexdigest() if expected_command else None if prompt.get("expected_tool_command_sha256") != expected_command_hash: issues.append(f"tool_command_hash_mismatch:{prompt_id}") family_id = str(prompt.get("family_id") or "") if family_id in family_by_id and prompt.get("family_subjects") != list(family_by_id[family_id]["subjects"]): issues.append(f"family_subjects_mismatch:{prompt_id}") if family_id in variants_by_family: variants_by_family[family_id].add(int(prompt.get("variant_index", -1))) for family_id, seen in variants_by_family.items(): if len(seen) < min(3, len(trials)): issues.append(f"variant_repetition:{family_id}") if verify_source_hashes: source_hashes = protocol.get("source_hashes") or {} for key, path in source_paths().items(): if source_hashes.get(key) != file_sha256(path): issues.append(f"source_changed_after_freeze:{key}") return {"pass": not issues, "issues": sorted(set(issues))} def _subject_alignment(prompt: dict[str, Any], reply: str) -> bool: normalized_reply = " ".join(re.findall(r"[a-z0-9_]+", reply.lower())) normalized_subject = " ".join(re.findall(r"[a-z0-9_]+", str(prompt.get("subject") or "").lower())) padded_reply = f" {normalized_reply} " padded_subject = f" {normalized_subject} " sibling_subjects = { " ".join(re.findall(r"[a-z0-9_]+", str(item).lower())) for item in prompt.get("family_subjects") or [] if str(item) != str(prompt.get("subject") or "") } matches = { str(anchor).lower() for anchor in prompt.get("subject_anchors") or [] if str(anchor).lower() in reply.lower() } return ( bool(normalized_subject) and padded_reply.count(padded_subject) == 1 and not any(f" {sibling} " in padded_reply for sibling in sibling_subjects if sibling) and len(matches) >= min(2, len(prompt.get("subject_anchors") or [])) ) def _tool_evidence_hashes(result: dict[str, Any], *, expected_command_sha256: str | None) -> list[str]: trace = result.get("database_tool_trace") if not isinstance(trace, dict) or trace.get("schema") != "livingip.leoKbToolTrace.v1": return [] hashes: set[str] = set() calls = trace.get("calls") if isinstance(trace.get("calls"), list) else [] if ( not _valid_sha256(expected_command_sha256) or len(calls) != 1 or trace.get("database_tool_call_count") != 1 or trace.get("database_tool_completed_count") != 1 or trace.get("database_tool_calls_read_only") is not True or trace.get("database_retrieval_receipt_proven") is not True or trace.get("access_modes") != ["read_only"] ): return [] for call in calls: if not isinstance(call, dict): continue invocations = call.get("database_invocations") result_summary = call.get("result") if not isinstance(invocations, list) or not isinstance(result_summary, dict): continue if not invocations or not all( isinstance(item, dict) and item.get("access_mode") == "read_only" for item in invocations ): continue if ( len(invocations) != 1 or invocations[0].get("executable") != "teleo-kb" or invocations[0].get("subcommand") != "context" or invocations[0].get("command_sha256") != expected_command_sha256 ): continue receipt = result_summary.get("retrieval_receipt") if ( result_summary.get("nonempty") is True and result_summary.get("error_detected") is False and isinstance(receipt, dict) and receipt.get("schema") == "livingip.teleoKbRetrievalReceipt.v1" and re.fullmatch(r"[0-9a-f]{64}", str(receipt.get("semantic_context_sha256") or "")) and re.fullmatch(r"[0-9a-f]{64}", str(receipt.get("artifact_state_sha256") or "")) and receipt.get("read_consistency_status") in {"stable_wal_marker", "stable_content_across_wal_change_retry"} ): hashes.add(str(receipt["semantic_context_sha256"]).lower()) return sorted(hashes) def _reply_receipt_tokens(reply: str) -> list[str]: return sorted({match.group(1).lower() for match in RECEIPT_TOKEN_RE.finditer(reply)}) def _evidence_answer_score( prompt: dict[str, Any], result: dict[str, Any], *, semantic_pass: bool, subject_alignment: bool, grounded_tool_hashes: list[str], ) -> dict[str, Any]: reply_tokens = _reply_receipt_tokens(str(result.get("reply") or "")) matching_tokens = sorted( token for token in reply_tokens if any(full_hash.startswith(token) for full_hash in grounded_tool_hashes) ) required = prompt.get("requires_tool_evidence_token") is True passed = bool(semantic_pass and subject_alignment and (matching_tokens if required else True)) return { "required": required, "semantic_pass": semantic_pass, "subject_alignment": subject_alignment, "grounded_tool_semantic_hashes": grounded_tool_hashes, "reply_receipt_tokens": reply_tokens, "matching_receipt_tokens": matching_tokens, "pass": passed, } def _score_semantic_results(results: list[dict[str, Any]], trial: dict[str, Any]) -> dict[str, Any]: prompts = trial["prompts"] regular_prompts = [item for item in prompts if item.get("custom_evidence_probe") is not True] regular_ids = {item["id"] for item in regular_prompts} regular_results = [item for item in results if str(item.get("prompt_id")) in regular_ids] regular = benchmark.score_results( regular_results, memory_token=trial["memory_token"], catalog=regular_prompts, ) regular_by_id = {item["prompt_id"]: item for item in regular["scores"]} result_by_id = {str(item.get("prompt_id")): item for item in results if isinstance(item, dict)} scores: list[dict[str, Any]] = [] for prompt in prompts: if prompt.get("custom_evidence_probe") is not True: scores.append(regular_by_id.get(prompt["id"], {"prompt_id": prompt["id"], "pass": False})) continue reply = str((result_by_id.get(prompt["id"]) or {}).get("reply") or "") checks = { "reply_present": bool(reply.strip()), "declares_read_only_mode": bool(re.search(r"\bmode\s*:\s*read-only\b", reply, re.I)), "declares_context_surface": bool(re.search(r"\bsurface\s*:\s*context\b", reply, re.I)), "no_write_completion_claim": not bool( re.search(r"\b(?:i|we)\s+(?:applied|staged|wrote|updated|mutated)\b", reply, re.I) ), } scores.append( { "prompt_id": prompt["id"], "scorer_prompt_id": prompt["scorer_id"], "dimension": prompt["dimension"], "custom_signals": checks, "pass": all(checks.values()), } ) expected_ids = [item["id"] for item in prompts] raw_ids = [str(item.get("prompt_id")) for item in results if isinstance(item, dict)] missing = [prompt_id for prompt_id in expected_ids if prompt_id not in result_by_id] unexpected = sorted(set(raw_ids) - set(expected_ids)) duplicate_ids = sorted({prompt_id for prompt_id in raw_ids if raw_ids.count(prompt_id) > 1}) return { **regular, "expected_prompt_ids": expected_ids, "missing_prompt_ids": missing, "unexpected_prompt_ids": unexpected, "duplicate_prompt_ids": duplicate_ids, "prompt_count": len(scores), "passes": sum(1 for item in scores if item.get("pass") is True), "failures": [item for item in scores if item.get("pass") is not True], "scores": scores, "pass": not missing and not unexpected and not duplicate_ids and len(scores) == len(expected_ids) and all(item.get("pass") is True for item in scores), } def _executed_behavior_ablation( grounded_report: dict[str, Any], baseline_report: dict[str, Any] ) -> dict[str, Any]: grounded = grounded_report.get("executed_behavior_manifest") or {} baseline = baseline_report.get("executed_behavior_manifest") or {} stable_keys = { "schema", "model_runtime", "hermes_runtime", "teleo_infrastructure_runtime", "components", "canonical_database", } def stable(value: dict[str, Any]) -> dict[str, Any]: return {key: value.get(key) for key in stable_keys} grounded_components = grounded.get("components") if isinstance(grounded.get("components"), dict) else {} baseline_components = baseline.get("components") if isinstance(baseline.get("components"), dict) else {} expected_component = "runtime_middleware" grounded_middleware = grounded_components.get(expected_component) or {} baseline_middleware = baseline_components.get(expected_component) or {} grounded_content = grounded_middleware.get("content") or {} baseline_content = baseline_middleware.get("content") or {} grounded_files = { str(item.get("path")): item for item in grounded_content.get("files") or [] if isinstance(item, dict) and item.get("path") } baseline_files = { str(item.get("path")): item for item in baseline_content.get("files") or [] if isinstance(item, dict) and item.get("path") } extra_grounded_paths = set(grounded_files) - set(baseline_files) extra_baseline_paths = set(baseline_files) - set(grounded_files) common_paths = set(grounded_files) & set(baseline_files) expected_db_context_path = "plugins/leo-db-context/__init__.py" expected_db_context_manifest_path = "plugins/leo-db-context/plugin.yaml" expected_removed_paths = {expected_db_context_path, expected_db_context_manifest_path} instrumented_plugin_sha256 = hashlib.sha256( instrument_db_context_plugin_source( source_paths()["db_context_plugin_sha256"].read_text(encoding="utf-8") ).encode("utf-8") ).hexdigest() checks = { "manifest_hashes_valid": _valid_sha256(grounded.get("behavior_sha256")) and grounded.get("behavior_sha256") == canonical_sha256(stable(grounded)) and _valid_sha256(baseline.get("behavior_sha256")) and baseline.get("behavior_sha256") == canonical_sha256(stable(baseline)), "behavior_hashes_differ": grounded.get("behavior_sha256") != baseline.get("behavior_sha256"), "component_sets_equal": bool(grounded_components) and set(grounded_components) == set(baseline_components), "non_middleware_components_equal": all( grounded_components.get(name) == baseline_components.get(name) for name in set(grounded_components) | set(baseline_components) if name != expected_component ), "top_level_runtime_equal": all( grounded.get(key) == baseline.get(key) for key in stable_keys - {"components"} ), "middleware_metadata_equal": { key: value for key, value in grounded_middleware.items() if key != "content" } == {key: value for key, value in baseline_middleware.items() if key != "content"}, "middleware_nonfile_state_equal": grounded_content.get("missing") == baseline_content.get("missing") and grounded_content.get("symlinks") == baseline_content.get("symlinks"), "common_middleware_files_equal": bool(common_paths) and all(grounded_files[path] == baseline_files[path] for path in common_paths), "only_db_context_plugin_removed": extra_grounded_paths == expected_removed_paths and not extra_baseline_paths, "grounded_db_context_source_is_exact_instrumented_source": grounded_files.get( expected_db_context_path, {} ).get("sha256") == instrumented_plugin_sha256, "grounded_db_context_manifest_is_exact_frozen_source": grounded_files.get( expected_db_context_manifest_path, {} ).get("sha256") == file_sha256(source_paths()["db_context_plugin_manifest_sha256"]), } return { "expected_delta": "remove exact plugins/leo-db-context/{__init__.py,plugin.yaml}", "extra_grounded_paths": sorted(extra_grounded_paths), "extra_baseline_paths": sorted(extra_baseline_paths), "instrumented_db_context_plugin_sha256": instrumented_plugin_sha256, "checks": checks, "pass": all(checks.values()), } def _receipt_score( result: dict[str, Any], *, require_database_contract: bool, require_database_receipt: bool, ) -> dict[str, Any]: raw_traces = result.get("database_context_trace") or [] traces = [item for item in raw_traces if isinstance(item, dict)] if isinstance(raw_traces, list) else [] pre = [ item for item in traces if item.get("event") == "pre_llm_call" and item.get("status") == "ok" and item.get("injected") is True ] post = [ item for item in traces if item.get("event") == "post_llm_call" and item.get("status") == "ok" and item.get("validated") is True ] prompt_sha256 = hashlib.sha256(str(result.get("prompt") or "").encode()).hexdigest() pre_hashes = {item.get("query_sha256") for item in pre if item.get("query_sha256")} post_hashes = {item.get("query_sha256") for item in post if item.get("query_sha256")} contract_ids_are_lists = all( isinstance(item.get("contract_ids"), list) and all(isinstance(contract_id, str) and contract_id for contract_id in item["contract_ids"]) for item in pre + post ) contract_ids = { str(contract_id) for item in pre + post for contract_id in (item.get("contract_ids") if isinstance(item.get("contract_ids"), list) else []) if contract_id } raw_model_call_trace = result.get("model_call_trace") or [] model_call_trace = ( [item for item in raw_model_call_trace if isinstance(item, dict)] if isinstance(raw_model_call_trace, list) else [] ) retrieval_records = [] for item in pre: receipt = item.get("retrieval_receipt") if isinstance(item.get("retrieval_receipt"), dict) else {} safe_receipt_payload = { key: value for key, value in receipt.items() if key not in {"receipt_sha256", "trace_payload_sha256"} } trace_payload_sha256 = hashlib.sha256( json.dumps(safe_receipt_payload, sort_keys=True, separators=(",", ":")).encode("utf-8") ).hexdigest() consistency = receipt.get("read_consistency") if isinstance(receipt.get("read_consistency"), dict) else {} wal_before = consistency.get("wal_lsn_before") wal_after = consistency.get("wal_lsn_after") attempts = consistency.get("attempts") typed_attempts = isinstance(attempts, int) and not isinstance(attempts, bool) and attempts >= 1 consistency_evidence = bool( wal_before and wal_after and typed_attempts and ( (consistency.get("status") == "stable_wal_marker" and wal_before == wal_after) or ( consistency.get("status") == "stable_content_across_wal_change_retry" and attempts >= 2 ) ) ) if ( item.get("source") == "kb_tool.py --local context" and re.fullmatch(r"[0-9a-f]{64}", str(item.get("contract_sha256") or "")) and item.get("compiled_response_available") is not None and receipt.get("schema") == "livingip.teleoKbRetrievalReceipt.v1" and receipt.get("query_sha256") == item.get("query_sha256") == prompt_sha256 and re.fullmatch(r"[0-9a-f]{64}", str(receipt.get("semantic_context_sha256") or "")) and re.fullmatch(r"[0-9a-f]{64}", str(receipt.get("artifact_state_sha256") or "")) and re.fullmatch(r"[0-9a-f]{64}", str(receipt.get("receipt_sha256") or "")) and receipt.get("trace_payload_sha256") == trace_payload_sha256 and consistency.get("status") in {"stable_wal_marker", "stable_content_across_wal_change_retry"} and typed_attempts and consistency.get("database") and consistency.get("database_user") and consistency.get("system_identifier") and consistency_evidence ): retrieval_records.append(item) supported_identifiers = { str(identifier).lower() for item in retrieval_records for key in ("claim_ids", "source_ids") for identifier in ((item.get("retrieval_receipt") or {}).get(key) or []) } reply_identifiers = {match.group(0).lower() for match in UUID_RE.finditer(str(result.get("reply") or ""))} unsupported_identifiers = sorted(reply_identifiers - supported_identifiers) reply_sha256 = hashlib.sha256(str(result.get("reply") or "").encode()).hexdigest() checks = { "reply_present": result.get("ok") is True and bool(str(result.get("reply") or "").strip()), "read_only_turn": result.get("mutates_kb") is False, "trace_is_exact_typed_pair": isinstance(raw_traces, list) and len(traces) == len(raw_traces) == 2 and len(pre) == len(post) == 1, "context_injected": len(pre) == 1, "response_validated": len(post) == 1, "contract_ids_are_typed_lists": contract_ids_are_lists, "context_response_query_hash_bound": pre_hashes == post_hashes == {prompt_sha256}, "delivered_response_hash_bound": len(post) == 1 and post[0].get("delivered_response_sha256") == reply_sha256, "database_contract_present": bool(contract_ids - NON_DB_CONTRACT_IDS) if require_database_contract else True, "database_retrieval_receipt_present": bool(retrieval_records) if require_database_receipt else True, "model_call_receipt_present": bool(model_call_trace) and any(item.get("event") == "post_api_request" and item.get("model") and item.get("provider") for item in model_call_trace), "conversation_history_prefix_preserved": result.get("conversation_history_prefix_preserved") is True, "no_unsupported_exact_identifiers": not unsupported_identifiers, } return { "checks": checks, "contract_ids": sorted(contract_ids), "query_sha256": sorted(pre_hashes & post_hashes), "expected_prompt_sha256": prompt_sha256, "database_tool_trace": result.get("database_tool_trace") or {}, "reply_identifiers": sorted(reply_identifiers), "supported_identifiers": sorted(supported_identifiers), "unsupported_identifiers": unsupported_identifiers, "pass": all(checks.values()), } def _benchmark_execution_chain(report: dict[str, Any]) -> dict[str, Any]: """Validate the generic turn manifests under this benchmark's declared ablation. The generic manifest intentionally marks a dirty harness and missing DB-context hooks incomplete. This benchmark permits exactly one control-owned dirty file (``goal.md``) and, in the ablated arm only, the bindings made impossible by removing the DB-context plugin. Every other runtime/model/session/safety binding remains mandatory and is checked independently here. """ mode = report.get("grounding_mode") allowed_missing = ( GROUNDED_EXECUTION_ALLOWED_MISSING if mode == "grounded" else ABLATION_EXECUTION_ALLOWED_MISSING if mode == "db_tool_ablated" else frozenset() ) results = [item for item in report.get("results") or [] if isinstance(item, dict)] summary = report.get("execution_manifest_summary") or {} executed_behavior = report.get("executed_behavior_manifest") or {} local_state = report.get("oos_harness_git_state") or {} summary_source = summary.get("harness_source") or {} local_state_checks = { "git_head_valid": _valid_git_revision(local_state.get("git_head")), "status_sha256_valid": _valid_sha256(local_state.get("status_sha256")), "recorded_dirty": local_state.get("worktree_clean") is False, "only_control_goal_untracked": local_state.get("only_control_goal_untracked") is True and local_state.get("status_lines") == ["?? goal.md"], "generic_summary_source_bound": summary_source.get("git_head") == local_state.get("git_head") and summary_source.get("status_sha256") == local_state.get("status_sha256") and summary_source.get("worktree_clean") is False, } turn_checks: dict[str, dict[str, bool]] = {} previous_execution_sha256: str | None = None for index, result in enumerate(results): prompt_id = str(result.get("prompt_id") or f"turn-{index + 1}") manifest = result.get("execution_manifest") if isinstance(result.get("execution_manifest"), dict) else {} turn = manifest.get("turn") or {} runtime = manifest.get("runtime") or {} model = manifest.get("model_execution") or {} session = manifest.get("session_boundary") or {} conversation = session.get("conversation") or {} database = manifest.get("canonical_database") or {} context = database.get("context_binding") or {} tool_binding = database.get("database_tool_binding") or {} delivery = manifest.get("delivery_and_safety") or {} suite_safety = delivery.get("suite_safety") or {} attribution = manifest.get("attribution") or {} missing = attribution.get("missing_required_bindings") missing_set = set(missing) if isinstance(missing, list) and all(isinstance(item, str) for item in missing) else set() hermes_runtime = runtime.get("hermes_runtime") or {} teleo_runtime = runtime.get("teleo_infrastructure_runtime") or {} calls = model.get("calls") if isinstance(model.get("calls"), list) else [] context_receipts = ( database.get("context_retrieval_receipts") if isinstance(database.get("context_retrieval_receipts"), list) else [] ) checks = { "generic_manifest_valid": bool(manifest) and not execution_manifest_lib.validate_turn_manifest(manifest), "prompt_bound": turn.get("prompt_id") == result.get("prompt_id") and turn.get("prompt_sha256") == hashlib.sha256(str(result.get("prompt") or "").encode()).hexdigest(), "reply_bound": turn.get("reply_sha256") == hashlib.sha256(str(result.get("reply") or "").encode()).hexdigest(), "declared_missing_exact": missing_set == allowed_missing and attribution.get("status") == ("incomplete" if allowed_missing else "complete"), "chain_bound": conversation.get("previous_execution_sha256") == previous_execution_sha256, "session_bound": _valid_sha256(session.get("session_key_sha256")) and session.get("source_platform") == "telegram" and session.get("fresh_temp_profile_for_suite") is True and session.get("prior_dynamic_state_excluded_from_suite") is True and conversation.get("history_prefix_preserved") is True and conversation.get("conversation_hashes_valid") is True and conversation.get("prior_turn_state_bound") is True, "runtime_bound": _valid_sha256(runtime.get("behavior_sha256")) and runtime.get("behavior_sha256") == executed_behavior.get("behavior_sha256") and _valid_git_revision(hermes_runtime.get("git_head")) and _valid_sha256((hermes_runtime.get("source_tree") or {}).get("sha256")) and hermes_runtime == executed_behavior.get("hermes_runtime") and _valid_git_revision(teleo_runtime.get("git_head")) and _valid_sha256((teleo_runtime.get("source_tree") or {}).get("sha256")) and teleo_runtime == executed_behavior.get("teleo_infrastructure_runtime") and runtime.get("harness_source") == summary_source, "model_bound": isinstance(model.get("call_count"), int) and not isinstance(model.get("call_count"), bool) and model.get("call_count", 0) > 0 and len(calls) == model.get("call_count") and model.get("prompt_bound") is True and model.get("delivered_response_bound") is True and model.get("response_trace_count_matches_api_calls") is True and model.get("api_call_sequence_valid") is True and model.get("session_binding_valid") is True and model.get("response_hashes_valid") is True and (model.get("raw_response_bound") is (mode == "grounded")), "database_state_bound": _valid_sha256((database.get("fingerprint_before") or {}).get("fingerprint_sha256")) and (database.get("fingerprint_before") or {}).get("fingerprint_sha256") == (database.get("fingerprint_after") or {}).get("fingerprint_sha256") and database.get("fingerprint_unchanged") is True and _valid_sha256(database.get("suite_counts_before_sha256")) and database.get("suite_counts_before_sha256") == database.get("suite_counts_after_sha256") and database.get("suite_counts_changed") is False, "database_mode_bound": ( len(context_receipts) == 1 and database.get("binding_status") == "retrieval_receipt_bound" and context.get("query_bound") is True and context.get("context_available") is True and context.get("response_bound") is True ) if mode == "grounded" else ( not context_receipts and database.get("binding_status") == "missing" and context.get("query_bound") is False and context.get("context_available") is False and context.get("response_bound") is False ), "database_tools_read_only": tool_binding.get("all_calls_read_only") is True, "delivery_safe": delivery.get("posted_to_telegram") is False and delivery.get("kb_mutation_by_harness") is False and delivery.get("turn_mutates_kb") is False and suite_safety.get("remote_returncode") == 0 and suite_safety.get("pass_runtime") is True and suite_safety.get("live_behavior_manifest_unchanged") is True and suite_safety.get("temp_profile_removed") is True and suite_safety.get("service_unchanged") is True and suite_safety.get("db_fingerprint_unchanged") is True and suite_safety.get("model_call_trace_all_bound") is True, } turn_checks[prompt_id] = checks previous_execution_sha256 = manifest.get("execution_sha256") checks = { "recognized_grounding_mode": mode in {"grounded", "db_tool_ablated"}, "results_nonempty": bool(results), "summary_turn_count_exact": summary.get("turn_count") == len(results), "one_manifest_per_result": bool(results) and all(isinstance(item.get("execution_manifest"), dict) for item in results), "local_harness_state_bound": all(local_state_checks.values()), "all_turns_valid_under_declared_mode": bool(turn_checks) and all(all(item.values()) for item in turn_checks.values()), } return { "mode": mode, "allowed_missing_bindings": sorted(allowed_missing), "local_state_checks": local_state_checks, "turn_checks": turn_checks, "checks": checks, "pass": all(checks.values()), } def _top_level_safety(report: dict[str, Any], *, require_handler_safety_gate: bool) -> dict[str, Any]: before = report.get("db_fingerprint_before") or {} after = report.get("db_fingerprint_after") or {} service = report.get("service_before_after") or {} benchmark_execution = _benchmark_execution_chain(report) tool_surface = report.get("read_only_tool_surface") or {} handler_safety = report.get("safety_gate") or {} orphan_readback = report.get("post_run_orphan_readback") or {} leakage_scan = report.get("prompt_leakage_scan") or {} remote_leakage_scan = report.get("remote_temp_profile_prompt_leakage_scan") or {} transport_deny = report.get("telegram_transport_deny") or {} result_rows = [item for item in report.get("results") or [] if isinstance(item, dict)] handler_failed = set(handler_safety.get("failed_checks") or []) handler_checks = handler_safety.get("checks") if isinstance(handler_safety.get("checks"), dict) else {} handler_gate_acceptable = handler_safety.get("status") == "pass" or bool( handler_failed == {"all_turn_manifests_complete"} and handler_checks and all(value is True for key, value in handler_checks.items() if key != "all_turn_manifests_complete") ) checks = { "fresh_temporary_session": (report.get("temp_profile_seed") or {}).get( "same_session_continuity_starts_fresh" ) is True and bool(result_rows) and (result_rows[0].get("conversation_before") or {}).get("message_count") == 0, "remote_returncode_zero": report.get("remote_returncode") == 0, "runtime_passed": report.get("pass_runtime") is True, "no_telegram_post": report.get("posted_to_telegram") is False, "telegram_transport_deny_enabled": transport_deny.get("enabled") is True, "zero_telegram_transport_attempts": isinstance(transport_deny.get("attempt_count"), int) and not isinstance(transport_deny.get("attempt_count"), bool) and transport_deny.get("attempt_count") == 0, "telegram_send_method_patched": "send" in (transport_deny.get("patched_methods") or []), "telegram_outbound_methods_exactly_denied": set(transport_deny.get("patched_methods") or []) == EXPECTED_TELEGRAM_DENY_METHODS and set(transport_deny.get("expected_methods") or []) == EXPECTED_TELEGRAM_DENY_METHODS, "runner_adapters_empty": transport_deny.get("runner_adapters_empty") is True, "harness_declared_no_kb_mutation": report.get("mutates_kb_by_harness") is False, "database_counts_unchanged": report.get("db_counts_changed") is False, "database_fingerprint_before_ok": before.get("status") == "ok", "database_fingerprint_after_ok": after.get("status") == "ok", "database_fingerprint_unchanged": report.get("db_fingerprint_unchanged") is True, "database_fingerprint_hash_equal": bool( before.get("fingerprint_sha256") and before.get("fingerprint_sha256") == after.get("fingerprint_sha256") ), "live_behavior_manifest_unchanged": report.get("live_behavior_manifest_unchanged") is True, "service_unchanged_during_trial": service.get("unchanged_from_preexisting_live_readback") is True, "temporary_profile_removed": report.get("temp_profile_removed") is True, "execution_chain_complete_under_declared_benchmark_mode": benchmark_execution["pass"], "tool_registry_exactly_allowlisted": tool_surface.get("actual_registry_tools") == ["skill_view", "skills_list", "terminal"], "send_message_tool_absent": tool_surface.get("send_message_tool_enabled") is False, "mutating_bridge_commands_not_exposed": tool_surface.get("mutating_bridge_commands_exposed") is False, "terminal_provider_credentials_not_forwarded": tool_surface.get("provider_credentials_forwarded_to_terminal") is False, "terminal_restricted_to_exact_wrapper": tool_surface.get("terminal_restricted_to_exact_wrapper") is True, "handler_safety_gate_passed_or_only_declared_manifest_gap": handler_gate_acceptable if require_handler_safety_gate else True, "no_orphan_processes": orphan_readback.get("no_matching_processes") is True, "prompt_leakage_scan_passed": leakage_scan.get("pass") is True, "remote_temp_profile_prompt_leakage_scan_passed": remote_leakage_scan.get("pass") is True and remote_leakage_scan.get("scope") == "full_model_visible_temp_profile_excluding_sessions_state_memories_and_venv" and isinstance(remote_leakage_scan.get("scanned_files"), int) and not isinstance(remote_leakage_scan.get("scanned_files"), bool) and remote_leakage_scan.get("scanned_files", 0) > 0 and isinstance(remote_leakage_scan.get("scanned_bytes"), int) and not isinstance(remote_leakage_scan.get("scanned_bytes"), bool) and remote_leakage_scan.get("scanned_bytes", 0) > 0 and remote_leakage_scan.get("errors") == [] and { item.get("name") for item in remote_leakage_scan.get("expected_roots") or [] if isinstance(item, dict) and item.get("exists") is True } == {"profile", "skills", "plugins", "bin"}, } return { "checks": checks, "benchmark_execution_chain": benchmark_execution, "handler_safety_gate": { "required": require_handler_safety_gate, "acceptable": handler_gate_acceptable, "failed_checks": sorted(handler_failed), }, "pass": all(checks.values()), } def ablate_receipts(report: dict[str, Any]) -> dict[str, Any]: ablated = copy.deepcopy(report) for result in ablated.get("results") or []: result["database_context_trace"] = [] result["database_tool_trace"] = {} result["model_call_trace"] = [] ablated["db_fingerprint_before"] = {"status": "ablated"} ablated["db_fingerprint_after"] = {"status": "ablated"} ablated["db_fingerprint_unchanged"] = False ablated["turn_execution_manifests"] = [] ablated["execution_manifest_summary"] = {"all_turns_attribution_complete": False} return ablated def _prompt_binding(report: dict[str, Any], trial: dict[str, Any]) -> dict[str, Any]: expected = {item["id"]: item for item in trial["prompts"]} raw_results = report.get("results") or [] result_rows = [item for item in raw_results if isinstance(item, dict)] if isinstance(raw_results, list) else [] raw_ids = [str(item.get("prompt_id")) for item in result_rows] actual = {str(item.get("prompt_id")): item for item in result_rows} checks: dict[str, bool] = { "results_are_objects": isinstance(raw_results, list) and len(result_rows) == len(raw_results), "prompt_ids_exact": set(actual) == set(expected), "prompt_count_exact": len(result_rows) == len(actual) == len(expected), "prompt_ids_unique": len(raw_ids) == len(set(raw_ids)), } for prompt_id, prompt in expected.items(): result = actual.get(prompt_id) or {} checks[f"prompt_text:{prompt_id}"] = result.get("prompt") == prompt["message"] checks[f"prompt_hash:{prompt_id}"] = hashlib.sha256(str(result.get("prompt") or "").encode()).hexdigest() == prompt[ "message_sha256" ] return {"checks": checks, "pass": all(checks.values())} def _valid_sha256(value: Any) -> bool: return bool(re.fullmatch(r"[0-9a-f]{64}", str(value or ""))) def _valid_git_revision(value: Any) -> bool: return bool(re.fullmatch(r"[0-9a-f]{40}", str(value or ""))) def _retained_path(value: Any) -> Path | None: if not isinstance(value, str) or not value: return None path = Path(value) if not path.is_absolute(): path = Path(__file__).resolve().parents[1] / path return path def _nonempty_integer_mapping(value: Any) -> bool: return bool( isinstance(value, dict) and value and all(isinstance(key, str) and isinstance(item, int) and not isinstance(item, bool) for key, item in value.items()) ) def _parse_utc(value: Any) -> datetime | None: if not isinstance(value, str) or not value: return None try: parsed = datetime.fromisoformat(value.replace("Z", "+00:00")) except ValueError: return None if parsed.tzinfo is None: return None return parsed.astimezone(timezone.utc) def _validate_restart_probe_reference( reference: Any, *, report: dict[str, Any], ) -> dict[str, Any]: reference = reference if isinstance(reference, dict) else {} path = _retained_path(reference.get("path")) payload: dict[str, Any] = {} read_error: str | None = None actual_sha256: str | None = None if path is not None: try: raw = path.read_bytes() actual_sha256 = hashlib.sha256(raw).hexdigest() loaded = json.loads(raw) if isinstance(loaded, dict): payload = loaded else: read_error = "probe payload is not an object" except (OSError, json.JSONDecodeError) as exc: read_error = f"{type(exc).__name__}: {exc}" before_counts = payload.get("db_counts_before") after_counts = payload.get("db_counts_after") before_fingerprint = payload.get("db_fingerprint_before") or {} after_fingerprint = payload.get("db_fingerprint_after") or {} transport = payload.get("telegram_transport_deny") or {} results = payload.get("results") checks = { "reference_path_present": path is not None, "reference_sha256_valid": _valid_sha256(reference.get("sha256")), "artifact_loaded": read_error is None and bool(payload), "artifact_sha256_matches": actual_sha256 is not None and actual_sha256 == reference.get("sha256"), "protocol_id_bound": payload.get("protocol_id") == report.get("protocol_id"), "protocol_hash_bound": payload.get("protocol_hash_sha256") == report.get("protocol_hash_sha256"), "source_hashes_bound": payload.get("source_hashes") == report.get("source_hashes"), "remote_runtime_passed": payload.get("remote_returncode") == 0 and payload.get("pass_runtime") is True, "zero_prompt_probe": isinstance(results, list) and not results, "no_telegram_post": payload.get("posted_to_telegram") is False, "transport_deny_proven": transport.get("enabled") is True and isinstance(transport.get("attempt_count"), int) and not isinstance(transport.get("attempt_count"), bool) and transport.get("attempt_count") == 0 and transport.get("runner_adapters_empty") is True, "transport_methods_exactly_denied": set(transport.get("patched_methods") or []) == EXPECTED_TELEGRAM_DENY_METHODS and set(transport.get("expected_methods") or []) == EXPECTED_TELEGRAM_DENY_METHODS, "database_counts_complete_and_equal": _nonempty_integer_mapping(before_counts) and before_counts == after_counts and payload.get("db_counts_changed") is False, "database_fingerprint_complete_and_equal": before_fingerprint.get("status") == "ok" and after_fingerprint.get("status") == "ok" and _valid_sha256(before_fingerprint.get("fingerprint_sha256")) and before_fingerprint.get("fingerprint_sha256") == after_fingerprint.get("fingerprint_sha256") and payload.get("db_fingerprint_unchanged") is True, "preexecution_safety_passed": (payload.get("preexecution_safety_gate") or {}).get("status") == "pass", "temporary_profile_removed": payload.get("temp_profile_removed") is True, "no_orphan_processes": (payload.get("post_run_orphan_readback") or {}).get("no_matching_processes") is True, } return { "path": reference.get("path") if isinstance(reference.get("path"), str) else None, "actual_sha256": actual_sha256, "read_error": read_error, "checks": checks, "pass": all(checks.values()), "payload": payload, } def validate_restart_receipt(receipt: dict[str, Any] | None, report: dict[str, Any]) -> dict[str, Any]: receipt = receipt if isinstance(receipt, dict) else {} before = receipt.get("service_before") or {} after = receipt.get("service_after") or {} report_before = report.get("before_service") or {} deploy_before = receipt.get("deploy_before") or {} deploy_after = receipt.get("deploy_after") or {} counts_before = receipt.get("db_counts_before") counts_after = receipt.get("db_counts_after") fingerprint_before = receipt.get("db_fingerprint_before") or {} fingerprint_after = receipt.get("db_fingerprint_after") or {} before_probe = _validate_restart_probe_reference(receipt.get("before_probe"), report=report) after_probe = _validate_restart_probe_reference(receipt.get("after_probe"), report=report) before_probe_payload = before_probe["payload"] after_probe_payload = after_probe["payload"] receipt_time = _parse_utc(receipt.get("generated_at_utc")) report_time = _parse_utc(report.get("generated_at_utc")) before_probe_time = _parse_utc(before_probe_payload.get("generated_at_utc")) restart_started_time = _parse_utc(receipt.get("restart_started_at_utc")) restart_ended_time = _parse_utc(receipt.get("restart_ended_at_utc")) after_probe_time = _parse_utc(after_probe_payload.get("generated_at_utc")) chronology_seconds = ( (report_time - receipt_time).total_seconds() if receipt_time is not None and report_time is not None else None ) chronology_values = ( before_probe_time, restart_started_time, restart_ended_time, after_probe_time, receipt_time, report_time, ) deploy_revisions = [ deploy_before.get("head"), deploy_before.get("stamp"), deploy_after.get("head"), deploy_after.get("stamp"), ] self_checks = receipt.get("checks") if isinstance(receipt.get("checks"), dict) else {} checks = { "receipt_schema": receipt.get("schema") == "livingip.leoGatewayRestartReceipt.v1", "protocol_id_bound": receipt.get("protocol_id") == report.get("protocol_id"), "protocol_hash_bound": receipt.get("protocol_hash_sha256") == report.get("protocol_hash_sha256"), "next_trial_bound": receipt.get("next_trial_id") == report.get("trial_id") and receipt.get("next_trial_prompt_set_sha256") == report.get("trial_prompt_set_sha256"), "chronology_bound": all(value is not None for value in chronology_values) and list(chronology_values) == sorted(chronology_values) and chronology_seconds is not None and 0 <= chronology_seconds <= 3600, "restart_command_succeeded": receipt.get("restart_returncode") == 0, "service_active_after": after.get("ActiveState") == "active" and after.get("SubState") == "running", "service_pid_changed": bool(before.get("MainPID") and before.get("MainPID") != after.get("MainPID")), "trial_observed_restarted_pid": bool(after.get("MainPID") and report_before.get("MainPID") == after.get("MainPID")), "service_start_identity_bound": bool( after.get("ExecMainStartTimestamp") and after.get("ExecMainStartTimestamp") == report_before.get("ExecMainStartTimestamp") ), "no_telegram_post": receipt.get("posted_to_telegram") is False, "database_counts_complete_and_equal": _nonempty_integer_mapping(counts_before) and counts_before == counts_after and receipt.get("db_counts_changed") is False, "database_fingerprint_complete_and_equal": fingerprint_before.get("status") == "ok" and fingerprint_after.get("status") == "ok" and _valid_sha256(fingerprint_before.get("fingerprint_sha256")) and fingerprint_before.get("fingerprint_sha256") == fingerprint_after.get("fingerprint_sha256") and receipt.get("db_fingerprint_unchanged") is True, "deploy_identity_complete_and_equal": deploy_before.get("returncode") == 0 and deploy_after.get("returncode") == 0 and all(_valid_git_revision(value) for value in deploy_revisions) and len(set(deploy_revisions)) == 1, "before_probe_artifact_valid": before_probe["pass"], "after_probe_artifact_valid": after_probe["pass"], "probe_service_binding": (before_probe_payload.get("service_before_after") or {}).get("after") == before and after_probe_payload.get("before_service") == after, "probe_count_binding": before_probe_payload.get("db_counts_after") == counts_before and after_probe_payload.get("db_counts_before") == counts_after, "probe_fingerprint_binding": before_probe_payload.get("db_fingerprint_after") == fingerprint_before and after_probe_payload.get("db_fingerprint_before") == fingerprint_after, "receipt_self_checks_complete": bool(self_checks) and all(value is True for value in self_checks.values()), "receipt_self_check_passed": receipt.get("pass") is True, } return { "checks": checks, "chronology_seconds": chronology_seconds, "before_probe_validation": {key: value for key, value in before_probe.items() if key != "payload"}, "after_probe_validation": {key: value for key, value in after_probe.items() if key != "payload"}, "pass": all(checks.values()), } def score_live_trial( protocol: dict[str, Any], trial_id: str, report: dict[str, Any], *, baseline_report: dict[str, Any], restart_receipt: dict[str, Any] | None = None, ) -> dict[str, Any]: protocol_validation = validate_protocol(protocol, verify_source_hashes=True) trial = next((item for item in protocol.get("trials") or [] if item.get("trial_id") == trial_id), None) if trial is None: raise ValueError(f"unknown trial_id: {trial_id}") prompt_binding = _prompt_binding(report, trial) baseline_prompt_binding = _prompt_binding(baseline_report, trial) report_results = [item for item in report.get("results") or [] if isinstance(item, dict)] baseline_results = [item for item in baseline_report.get("results") or [] if isinstance(item, dict)] semantic = _score_semantic_results(report_results, trial) by_prompt = {item["id"]: item for item in trial["prompts"]} receipts: dict[str, Any] = {} subject_alignment: dict[str, bool] = {} for result in report_results: prompt_id = str(result.get("prompt_id") or "") prompt = by_prompt.get(prompt_id) if not prompt: continue receipts[prompt_id] = _receipt_score( result, require_database_contract=bool(prompt["requires_database_contract"]), require_database_receipt=bool(prompt["requires_database_receipt"]), ) subject_alignment[prompt_id] = _subject_alignment(prompt, str(result.get("reply") or "")) semantic_by_prompt = {item["prompt_id"]: item for item in semantic["scores"]} report_by_prompt = {str(item.get("prompt_id")): item for item in report_results} prompt_scores: list[dict[str, Any]] = [] for prompt in trial["prompts"]: prompt_id = prompt["id"] semantic_item = semantic_by_prompt.get(prompt_id) or {"pass": False} receipt_item = receipts.get(prompt_id) or {"pass": False, "checks": {}} result_item = report_by_prompt.get(prompt_id) or {} tool_evidence_hashes = _tool_evidence_hashes( result_item, expected_command_sha256=prompt.get("expected_tool_command_sha256"), ) evidence_answer = _evidence_answer_score( prompt, result_item, semantic_pass=bool(semantic_item.get("pass")), subject_alignment=bool(subject_alignment.get(prompt_id)), grounded_tool_hashes=tool_evidence_hashes, ) grounded_pass = bool( semantic_item.get("pass") and receipt_item.get("pass") and subject_alignment.get(prompt_id) ) prompt_scores.append( { "prompt_id": prompt_id, "family_id": prompt["family_id"], "scorer_id": prompt["scorer_id"], "semantic_pass": bool(semantic_item.get("pass")), "subject_alignment": bool(subject_alignment.get(prompt_id)), "receipt_pass": bool(receipt_item.get("pass")), "grounded_pass": grounded_pass, "evidence_answer_pass": evidence_answer["pass"], "evidence_answer_score": evidence_answer, "semantic_score": semantic_item, "receipt_score": receipt_item, "reply_sha256": hashlib.sha256( str((next((row for row in report_results if row.get("prompt_id") == prompt_id), {}) or {}).get("reply") or "").encode() ).hexdigest(), } ) top_safety = _top_level_safety(report, require_handler_safety_gate=True) baseline_top_safety = _top_level_safety(baseline_report, require_handler_safety_gate=False) restart_validation = ( validate_restart_receipt(restart_receipt, report) if trial["session_mode"] == "post_restart_clean_session" else {"pass": True, "checks": {"not_a_restart_trial": True}} ) baseline_receipts = { str(result.get("prompt_id")): _receipt_score( result, require_database_contract=bool(by_prompt.get(str(result.get("prompt_id")), {}).get("requires_database_contract")), require_database_receipt=bool( by_prompt.get(str(result.get("prompt_id")), {}).get("requires_database_receipt") ), ) for result in baseline_results if str(result.get("prompt_id")) in by_prompt } baseline_semantic = _score_semantic_results(baseline_results, trial) grounded_passes = sum(1 for item in prompt_scores if item["grounded_pass"]) prompt_count = len(prompt_scores) baseline_semantic_by_prompt = {item["prompt_id"]: item for item in baseline_semantic["scores"]} baseline_by_prompt = {str(item.get("prompt_id")): item for item in baseline_results} baseline_subject_alignment = { str(result.get("prompt_id")): _subject_alignment( by_prompt[str(result.get("prompt_id"))], str(result.get("reply") or "") ) for result in baseline_results if str(result.get("prompt_id")) in by_prompt } baseline_grounded_passes = sum( 1 for prompt in trial["prompts"] if baseline_semantic_by_prompt.get(prompt["id"], {}).get("pass") and baseline_subject_alignment.get(prompt["id"]) and baseline_receipts.get(prompt["id"], {}).get("pass") ) evidence_prompt_ids = [ prompt["id"] for prompt in trial["prompts"] if prompt.get("requires_tool_evidence_token") is True ] grounded_evidence_by_prompt = { item["prompt_id"]: item["evidence_answer_score"]["grounded_tool_semantic_hashes"] for item in prompt_scores } baseline_evidence_scores = { prompt_id: _evidence_answer_score( by_prompt[prompt_id], baseline_by_prompt.get(prompt_id) or {}, semantic_pass=bool(baseline_semantic_by_prompt.get(prompt_id, {}).get("pass")), subject_alignment=bool(baseline_subject_alignment.get(prompt_id)), grounded_tool_hashes=grounded_evidence_by_prompt.get(prompt_id) or [], ) for prompt_id in evidence_prompt_ids } current_evidence_passes = sum( 1 for item in prompt_scores if item["prompt_id"] in evidence_prompt_ids and item["evidence_answer_pass"] is True ) baseline_evidence_passes = sum(1 for item in baseline_evidence_scores.values() if item["pass"] is True) evidence_prompt_count = len(evidence_prompt_ids) current_evidence_rate = current_evidence_passes / evidence_prompt_count if evidence_prompt_count else 0.0 baseline_evidence_rate = baseline_evidence_passes / evidence_prompt_count if evidence_prompt_count else 0.0 evidence_delta = current_evidence_rate - baseline_evidence_rate baseline_no_db_checks = { "grounding_mode": baseline_report.get("grounding_mode") == "db_tool_ablated", "db_context_plugin_disabled": baseline_report.get("db_context_plugin_enabled") is False, "tool_surface_ablation_mode": (baseline_report.get("read_only_tool_surface") or {}).get("mode") == "no_db_ablation", "zero_database_context_receipts": all( not (item.get("database_context_trace") or []) for item in baseline_results ), "zero_successful_database_receipts": all(not item["pass"] for item in baseline_receipts.values()), } grounded_mode_checks = { "grounding_mode": report.get("grounding_mode") == "grounded", "db_context_plugin_enabled": report.get("db_context_plugin_enabled") is True, "tool_surface_read_only_mode": (report.get("read_only_tool_surface") or {}).get("mode") == "read_only_kb", "readonly_guard_bound_to_protocol": report.get("readonly_guard_source_sha256") == protocol["source_hashes"]["readonly_guard_sha256"], } critical_prompt_checks = { "all_receipt_gates_pass": all(item["receipt_pass"] for item in prompt_scores), "no_unsupported_exact_identifiers": all( not item["receipt_score"].get("unsupported_identifiers") for item in prompt_scores ), } def model_identities(value: dict[str, Any]) -> list[dict[str, Any]]: identities = { canonical_sha256( { "model": item.get("model"), "provider": item.get("provider"), "base_url_sha256": item.get("base_url_sha256"), "api_mode": item.get("api_mode"), } ): { "model": item.get("model"), "provider": item.get("provider"), "base_url_sha256": item.get("base_url_sha256"), "api_mode": item.get("api_mode"), } for result in value.get("results") or [] if isinstance(result, dict) for item in result.get("model_call_trace") or [] if item.get("event") == "post_api_request" } return [identities[key] for key in sorted(identities)] executed_behavior_ablation = _executed_behavior_ablation(report, baseline_report) comparison_axis_checks = { "protocol_id_equal": baseline_report.get("protocol_id") == report.get("protocol_id") == protocol["protocol_id"], "protocol_hash_equal": baseline_report.get("protocol_hash_sha256") == report.get("protocol_hash_sha256") == protocol["protocol_hash_sha256"], "prompt_set_hash_equal": baseline_report.get("trial_prompt_set_sha256") == report.get("trial_prompt_set_sha256") == trial["prompt_set_sha256"], "source_hashes_equal": baseline_report.get("source_hashes") == report.get("source_hashes") == protocol["source_hashes"], "live_behavior_manifest_equal": bool( (baseline_report.get("live_behavior_manifest_before") or {}).get("behavior_sha256") and (baseline_report.get("live_behavior_manifest_before") or {}).get("behavior_sha256") == (report.get("live_behavior_manifest_before") or {}).get("behavior_sha256") ), "executed_behavior_manifests_capture_only_declared_ablation": executed_behavior_ablation["pass"], "temporary_profile_seed_equal": baseline_report.get("temp_profile_seed") == report.get("temp_profile_seed"), "database_snapshot_equal_before_trials": (baseline_report.get("db_fingerprint_before") or {}).get( "fingerprint_sha256" ) == (report.get("db_fingerprint_before") or {}).get("fingerprint_sha256"), "model_provider_identity_equal": model_identities(baseline_report) == model_identities(report) and bool(model_identities(report)), "readonly_guard_source_equal_and_frozen": baseline_report.get("readonly_guard_source_sha256") == report.get("readonly_guard_source_sha256") == protocol["source_hashes"]["readonly_guard_sha256"], "tool_schema_equal": (baseline_report.get("read_only_tool_surface") or {}).get("allowed_tools") == (report.get("read_only_tool_surface") or {}).get("allowed_tools"), } threshold = float(protocol["thresholds"]["minimum_trial_grounded_pass_rate"]) evidence_threshold = float(protocol["thresholds"]["minimum_trial_evidence_answer_pass_rate"]) evidence_delta_threshold = float( protocol["thresholds"]["minimum_current_minus_ablation_evidence_answer_delta"] ) score: dict[str, Any] = { "schema": TRIAL_SCORE_SCHEMA, "generated_at_utc": datetime.now(timezone.utc).isoformat(), "protocol_id": protocol["protocol_id"], "protocol_hash_sha256": protocol["protocol_hash_sha256"], "source_hashes": protocol["source_hashes"], "trial_id": trial_id, "session_mode": trial["session_mode"], "source_report_path": report.get("source_report_path"), "protocol_validation": protocol_validation, "prompt_binding": prompt_binding, "baseline_prompt_binding": baseline_prompt_binding, "top_level_safety": top_safety, "baseline_top_level_safety": baseline_top_safety, "grounded_mode_checks": grounded_mode_checks, "critical_prompt_checks": critical_prompt_checks, "baseline_no_db_checks": baseline_no_db_checks, "comparison_axis_checks": comparison_axis_checks, "executed_behavior_ablation": executed_behavior_ablation, "restart_receipt_validation": restart_validation, "semantic_score": semantic, "prompt_scores": prompt_scores, "grounded_passes": grounded_passes, "prompt_count": prompt_count, "grounded_pass_rate": grounded_passes / prompt_count if prompt_count else 0.0, "evidence_answer_comparison": { "method": "both_arms_scored_against_grounded_model_visible_tool_receipt_hashes", "identical_replies_have_identical_evidence_answer_outcomes": True, "prompt_ids": evidence_prompt_ids, "prompt_count": evidence_prompt_count, "current_passes": current_evidence_passes, "current_pass_rate": current_evidence_rate, "ablation_passes": baseline_evidence_passes, "ablation_pass_rate": baseline_evidence_rate, "current_minus_ablation_delta": evidence_delta, "ablation_scores": baseline_evidence_scores, }, "receipt_ablation": { "version": BASELINE_VERSION, "same_prompt_set_sha256": trial["prompt_set_sha256"], "semantic_passes": baseline_semantic["passes"], "semantic_pass_rate": baseline_semantic["passes"] / prompt_count if prompt_count else 0.0, "semantic_scores": baseline_semantic["scores"], "grounded_passes": baseline_grounded_passes, "grounded_pass_rate": baseline_grounded_passes / prompt_count if prompt_count else 0.0, "receipt_scores": baseline_receipts, "reply_sha256": { str(item.get("prompt_id")): hashlib.sha256(str(item.get("reply") or "").encode()).hexdigest() for item in baseline_results }, }, "grounded_report_payload_sha256": canonical_sha256(report), "baseline_report_payload_sha256": canonical_sha256(baseline_report), } score["pass"] = bool( protocol_validation["pass"] and prompt_binding["pass"] and baseline_prompt_binding["pass"] and top_safety["pass"] and baseline_top_safety["pass"] and all(grounded_mode_checks.values()) and all(critical_prompt_checks.values()) and all(baseline_no_db_checks.values()) and all(comparison_axis_checks.values()) and restart_validation["pass"] and score["grounded_pass_rate"] >= threshold and current_evidence_rate >= evidence_threshold and evidence_delta >= evidence_delta_threshold and score["receipt_ablation"]["grounded_passes"] == 0 ) score["derivation_core_sha256"] = canonical_sha256(score_derivation_core(score)) return score def validate_trial_score(protocol: dict[str, Any], trial: dict[str, Any], score: dict[str, Any]) -> dict[str, Any]: def mapping(value: Any) -> dict[str, Any]: return value if isinstance(value, dict) else {} def number(value: Any) -> float: try: return float(value) except (TypeError, ValueError): return float("nan") def retained_report_checks(prefix: str) -> tuple[dict[str, bool], dict[str, Any]]: path = _retained_path(score.get(f"{prefix}_report_path")) payload: dict[str, Any] = {} byte_sha256: str | None = None if path is not None: try: raw = path.read_bytes() byte_sha256 = hashlib.sha256(raw).hexdigest() loaded = json.loads(raw) if isinstance(loaded, dict): payload = loaded except (OSError, json.JSONDecodeError): pass return { "path_present": path is not None, "payload_loaded": bool(payload), "byte_sha256_bound": _valid_sha256(score.get(f"{prefix}_report_sha256")) and byte_sha256 == score.get(f"{prefix}_report_sha256"), "canonical_payload_sha256_bound": bool(payload) and canonical_sha256(payload) == score.get(f"{prefix}_report_payload_sha256"), "protocol_id_bound": payload.get("protocol_id") == protocol.get("protocol_id"), "protocol_hash_bound": payload.get("protocol_hash_sha256") == protocol.get("protocol_hash_sha256"), "trial_id_bound": payload.get("trial_id") == trial.get("trial_id"), "prompt_set_bound": payload.get("trial_prompt_set_sha256") == trial.get("prompt_set_sha256"), "source_hashes_bound": payload.get("source_hashes") == protocol.get("source_hashes"), }, payload def retained_restart_receipt_checks() -> tuple[dict[str, bool], dict[str, Any]]: required = trial.get("session_mode") == "post_restart_clean_session" path = _retained_path(score.get("restart_receipt_path")) payload: dict[str, Any] = {} byte_sha256: str | None = None if path is not None: try: raw = path.read_bytes() byte_sha256 = hashlib.sha256(raw).hexdigest() loaded = json.loads(raw) if isinstance(loaded, dict): payload = loaded except (OSError, json.JSONDecodeError): pass if not required: return { "not_required": True, "path_absent": score.get("restart_receipt_path") is None, "hashes_absent": score.get("restart_receipt_sha256") is None and score.get("restart_receipt_payload_sha256") is None, }, {} return { "required": True, "path_present": path is not None, "payload_loaded": bool(payload), "byte_sha256_bound": _valid_sha256(score.get("restart_receipt_sha256")) and byte_sha256 == score.get("restart_receipt_sha256"), "canonical_payload_sha256_bound": bool(payload) and canonical_sha256(payload) == score.get("restart_receipt_payload_sha256"), "protocol_id_bound": payload.get("protocol_id") == protocol.get("protocol_id"), "protocol_hash_bound": payload.get("protocol_hash_sha256") == protocol.get("protocol_hash_sha256"), "next_trial_id_bound": payload.get("next_trial_id") == trial.get("trial_id"), "next_prompt_set_bound": payload.get("next_trial_prompt_set_sha256") == trial.get("prompt_set_sha256"), }, payload expected_prompt_ids = [item["id"] for item in trial["prompts"]] prompt_scores = score.get("prompt_scores") if isinstance(score.get("prompt_scores"), list) else [] actual_prompt_ids = [str(item.get("prompt_id")) for item in prompt_scores if isinstance(item, dict)] grounded_passes = sum(1 for item in prompt_scores if isinstance(item, dict) and item.get("grounded_pass") is True) current_semantic_passes = sum( 1 for item in prompt_scores if isinstance(item, dict) and item.get("semantic_pass") is True ) prompt_count = len(expected_prompt_ids) baseline = mapping(score.get("receipt_ablation")) baseline_receipts = baseline.get("receipt_scores") if isinstance(baseline.get("receipt_scores"), dict) else {} baseline_semantic_scores = ( baseline.get("semantic_scores") if isinstance(baseline.get("semantic_scores"), list) else [] ) baseline_semantic_ids = [ str(item.get("prompt_id")) for item in baseline_semantic_scores if isinstance(item, dict) ] baseline_semantic_passes = sum( 1 for item in baseline_semantic_scores if isinstance(item, dict) and item.get("pass") is True ) baseline_grounded_passes = int(baseline.get("grounded_passes") or 0) evidence = mapping(score.get("evidence_answer_comparison")) expected_evidence_ids = [ item["id"] for item in trial["prompts"] if item.get("requires_tool_evidence_token") is True ] current_evidence_passes = sum( 1 for item in prompt_scores if isinstance(item, dict) and item.get("prompt_id") in expected_evidence_ids and item.get("evidence_answer_pass") is True ) baseline_evidence_scores = mapping(evidence.get("ablation_scores")) baseline_evidence_passes = sum( 1 for item in baseline_evidence_scores.values() if isinstance(item, dict) and item.get("pass") is True ) evidence_count = len(expected_evidence_ids) current_evidence_rate = current_evidence_passes / evidence_count if evidence_count else 0.0 baseline_evidence_rate = baseline_evidence_passes / evidence_count if evidence_count else 0.0 grounded_artifact_checks, grounded_payload = retained_report_checks("grounded") baseline_artifact_checks, baseline_payload = retained_report_checks("baseline") restart_artifact_checks, restart_payload = retained_restart_receipt_checks() recomputed: dict[str, Any] = {} if ( grounded_payload and baseline_payload and (trial.get("session_mode") != "post_restart_clean_session" or restart_payload) ): try: recomputed = score_live_trial( protocol, str(trial.get("trial_id") or ""), grounded_payload, baseline_report=baseline_payload, restart_receipt=restart_payload or None, ) except (KeyError, TypeError, ValueError): recomputed = {} stored_core = score_derivation_core(score) recomputed_core = score_derivation_core(recomputed) if recomputed else {} checks = { "schema": score.get("schema") == TRIAL_SCORE_SCHEMA, "protocol_id": score.get("protocol_id") == protocol.get("protocol_id"), "protocol_hash": score.get("protocol_hash_sha256") == protocol.get("protocol_hash_sha256"), "source_hashes": score.get("source_hashes") == protocol.get("source_hashes"), "trial_id": score.get("trial_id") == trial.get("trial_id"), "session_mode": score.get("session_mode") == trial.get("session_mode"), "prompt_ids_exact_and_ordered": actual_prompt_ids == expected_prompt_ids, "prompt_count": score.get("prompt_count") == prompt_count == len(prompt_scores), "grounded_passes_recomputed": score.get("grounded_passes") == grounded_passes, "grounded_rate_recomputed": abs( number(score.get("grounded_pass_rate")) - (grounded_passes / prompt_count if prompt_count else 0.0) ) < 1e-12, "current_semantic_score_recomputed": mapping(score.get("semantic_score")).get("passes") == current_semantic_passes, "baseline_version": baseline.get("version") == protocol.get("baseline", {}).get("version"), "baseline_receipt_ids_exact": set(baseline_receipts) == set(expected_prompt_ids), "baseline_semantic_ids_exact_and_ordered": baseline_semantic_ids == expected_prompt_ids, "baseline_semantic_passes_recomputed": baseline.get("semantic_passes") == baseline_semantic_passes, "baseline_semantic_rate_recomputed": abs( number(baseline.get("semantic_pass_rate")) - (baseline_semantic_passes / prompt_count if prompt_count else 0.0) ) < 1e-12, "baseline_grounded_rate_recomputed": abs( number(baseline.get("grounded_pass_rate")) - (baseline_grounded_passes / prompt_count if prompt_count else 0.0) ) < 1e-12, "evidence_method_is_non_tautological": evidence.get("method") == "both_arms_scored_against_grounded_model_visible_tool_receipt_hashes" and evidence.get("identical_replies_have_identical_evidence_answer_outcomes") is True, "evidence_prompt_ids_exact": evidence.get("prompt_ids") == expected_evidence_ids and set(baseline_evidence_scores) == set(expected_evidence_ids), "evidence_prompt_count": evidence.get("prompt_count") == evidence_count, "current_evidence_passes_recomputed": evidence.get("current_passes") == current_evidence_passes, "baseline_evidence_passes_recomputed": evidence.get("ablation_passes") == baseline_evidence_passes, "current_evidence_rate_recomputed": abs( number(evidence.get("current_pass_rate")) - current_evidence_rate ) < 1e-12, "baseline_evidence_rate_recomputed": abs( number(evidence.get("ablation_pass_rate")) - baseline_evidence_rate ) < 1e-12, "evidence_delta_recomputed": abs( number(evidence.get("current_minus_ablation_delta")) - (current_evidence_rate - baseline_evidence_rate) ) < 1e-12, "grounded_report_artifact_bound": bool(grounded_artifact_checks) and all(grounded_artifact_checks.values()), "baseline_report_artifact_bound": bool(baseline_artifact_checks) and all(baseline_artifact_checks.values()), "restart_receipt_artifact_bound": bool(restart_artifact_checks) and all(restart_artifact_checks.values()), "derivation_core_hash_bound": _valid_sha256(score.get("derivation_core_sha256")) and score.get("derivation_core_sha256") == canonical_sha256(stored_core), "score_recomputed_from_retained_artifacts": bool(recomputed) and stored_core == recomputed_core and score.get("derivation_core_sha256") == recomputed.get("derivation_core_sha256"), "protocol_validation_passed": mapping(score.get("protocol_validation")).get("pass") is True, "prompt_binding_passed": mapping(score.get("prompt_binding")).get("pass") is True, "baseline_prompt_binding_passed": mapping(score.get("baseline_prompt_binding")).get("pass") is True, "top_level_safety_passed": mapping(score.get("top_level_safety")).get("pass") is True, "baseline_top_level_safety_passed": mapping(score.get("baseline_top_level_safety")).get("pass") is True, "grounded_mode_checks_passed": bool(mapping(score.get("grounded_mode_checks"))) and all(value is True for value in mapping(score.get("grounded_mode_checks")).values()), "baseline_no_db_checks_passed": bool(mapping(score.get("baseline_no_db_checks"))) and all(value is True for value in mapping(score.get("baseline_no_db_checks")).values()), "comparison_axis_checks_passed": bool(mapping(score.get("comparison_axis_checks"))) and all(value is True for value in mapping(score.get("comparison_axis_checks")).values()), "critical_prompt_checks_passed": bool(mapping(score.get("critical_prompt_checks"))) and all(value is True for value in mapping(score.get("critical_prompt_checks")).values()), "restart_receipt_validation_passed": mapping(score.get("restart_receipt_validation")).get("pass") is True, "score_passed": score.get("pass") is True, } return { "pass": all(checks.values()), "checks": checks, "grounded_report_artifact_checks": grounded_artifact_checks, "baseline_report_artifact_checks": baseline_artifact_checks, "restart_receipt_artifact_checks": restart_artifact_checks, "failed_checks": [k for k, v in checks.items() if not v], } def aggregate_trial_scores(protocol: dict[str, Any], trial_scores: list[dict[str, Any]]) -> dict[str, Any]: expected_ids = [item["trial_id"] for item in protocol.get("trials") or []] by_id = {str(item.get("trial_id")): item for item in trial_scores} trial_by_id = {item["trial_id"]: item for item in protocol.get("trials") or []} integrity = { trial_id: validate_trial_score(protocol, trial_by_id[trial_id], by_id.get(trial_id, {})) for trial_id in expected_ids } current_rates = [float(by_id[trial_id].get("grounded_pass_rate") or 0.0) for trial_id in expected_ids if trial_id in by_id] baseline_rates = [ float((by_id[trial_id].get("receipt_ablation") or {}).get("grounded_pass_rate") or 0.0) for trial_id in expected_ids if trial_id in by_id ] evidence_current_rates = [ float((by_id[trial_id].get("evidence_answer_comparison") or {}).get("current_pass_rate") or 0.0) for trial_id in expected_ids if trial_id in by_id ] evidence_baseline_rates = [ float((by_id[trial_id].get("evidence_answer_comparison") or {}).get("ablation_pass_rate") or 0.0) for trial_id in expected_ids if trial_id in by_id ] semantic_current_rates = [ float((by_id[trial_id].get("semantic_score") or {}).get("passes") or 0) / max(1, int(by_id[trial_id].get("prompt_count") or 0)) for trial_id in expected_ids if trial_id in by_id ] semantic_baseline_rates = [ float((by_id[trial_id].get("receipt_ablation") or {}).get("semantic_pass_rate") or 0.0) for trial_id in expected_ids if trial_id in by_id ] thresholds = protocol["thresholds"] mean_current = statistics.fmean(current_rates) if current_rates else 0.0 mean_baseline = statistics.fmean(baseline_rates) if baseline_rates else 0.0 stddev = statistics.pstdev(current_rates) if len(current_rates) > 1 else 0.0 mean_evidence_current = statistics.fmean(evidence_current_rates) if evidence_current_rates else 0.0 mean_evidence_baseline = statistics.fmean(evidence_baseline_rates) if evidence_baseline_rates else 0.0 evidence_stddev = statistics.pstdev(evidence_current_rates) if len(evidence_current_rates) > 1 else 0.0 mean_semantic_current = statistics.fmean(semantic_current_rates) if semantic_current_rates else 0.0 mean_semantic_baseline = statistics.fmean(semantic_baseline_rates) if semantic_baseline_rates else 0.0 checks = { "all_trials_present": len(trial_scores) == len(expected_ids) and set(by_id) == set(expected_ids), "all_trial_scores_integrity_valid": all(item["pass"] for item in integrity.values()), "all_trial_scores_pass": all(by_id.get(trial_id, {}).get("pass") is True for trial_id in expected_ids), "minimum_trial_rate": bool(current_rates) and min(current_rates) >= float(thresholds["minimum_trial_grounded_pass_rate"]), "minimum_mean_rate": mean_current >= float(thresholds["minimum_mean_grounded_pass_rate"]), "maximum_population_stddev": stddev <= float(thresholds["maximum_grounded_pass_rate_population_stddev"]), "minimum_trial_evidence_answer_rate": bool(evidence_current_rates) and min(evidence_current_rates) >= float(thresholds["minimum_trial_evidence_answer_pass_rate"]), "minimum_mean_evidence_answer_rate": mean_evidence_current >= float(thresholds["minimum_mean_evidence_answer_pass_rate"]), "maximum_evidence_answer_population_stddev": evidence_stddev <= float(thresholds["maximum_evidence_answer_pass_rate_population_stddev"]), "minimum_non_tautological_evidence_ablation_delta": (mean_evidence_current - mean_evidence_baseline) >= float(thresholds["minimum_current_minus_ablation_evidence_answer_delta"]), "baseline_rejects_all_ungrounded_receipts": all(rate == 0.0 for rate in baseline_rates), "broad_semantic_comparison_reported": len(semantic_current_rates) == len(semantic_baseline_rates) == len(expected_ids), "restart_trial_passed": all( by_id.get(item["trial_id"], {}).get("restart_receipt_validation", {}).get("pass") is True for item in protocol["trials"] if item["session_mode"] == "post_restart_clean_session" ), } aggregate = { "schema": AGGREGATE_SCHEMA, "generated_at_utc": datetime.now(timezone.utc).isoformat(), "protocol_id": protocol["protocol_id"], "protocol_hash_sha256": protocol["protocol_hash_sha256"], "scorer_version": protocol["scorer_version"], "baseline_version": protocol["baseline"]["version"], "trial_ids": expected_ids, "current_grounded_pass_rates": current_rates, "ablation_grounded_pass_rates": baseline_rates, "mean_current_grounded_pass_rate": mean_current, "mean_ablation_grounded_pass_rate": mean_baseline, "current_minus_ablation_delta": mean_current - mean_baseline, "current_grounded_pass_rate_population_stddev": stddev, "minimum_current_grounded_pass_rate": min(current_rates) if current_rates else 0.0, "current_evidence_answer_pass_rates": evidence_current_rates, "ablation_evidence_answer_pass_rates": evidence_baseline_rates, "mean_current_evidence_answer_pass_rate": mean_evidence_current, "mean_ablation_evidence_answer_pass_rate": mean_evidence_baseline, "current_minus_ablation_evidence_answer_delta": mean_evidence_current - mean_evidence_baseline, "current_evidence_answer_pass_rate_population_stddev": evidence_stddev, "minimum_current_evidence_answer_pass_rate": min(evidence_current_rates) if evidence_current_rates else 0.0, "current_semantic_pass_rates": semantic_current_rates, "ablation_semantic_pass_rates": semantic_baseline_rates, "mean_current_semantic_pass_rate": mean_semantic_current, "mean_ablation_semantic_pass_rate": mean_semantic_baseline, "current_minus_ablation_semantic_delta": mean_semantic_current - mean_semantic_baseline, "checks": checks, "trial_score_integrity": integrity, "trial_scores": trial_scores, "required_tier": "T3_live_readonly", "claim_ceiling": ( "Repeated live VPS GatewayRunner reasoning with frozen blinded families and a current-build no-DB " "ablation. Both arms are scored against the grounded arm's model-visible receipt tokens, so identical " "answers cannot create the gated evidence delta. Broad semantic rates for both arms are reported " "separately and are descriptive rather than silently inferred from missing receipts. Complete " "tool/execution receipts and unchanged canonical database fingerprints are retained. No Telegram " "delivery or production apply is proven." ), } aggregate["pass"] = all(checks.values()) return aggregate def main() -> int: parser = argparse.ArgumentParser(description=__doc__) mode = parser.add_mutually_exclusive_group(required=True) mode.add_argument("--freeze-protocol", type=Path) mode.add_argument("--validate-protocol", type=Path) mode.add_argument("--aggregate-protocol", type=Path) parser.add_argument("--seed") parser.add_argument("--trial-count", type=int, default=DEFAULT_TRIAL_COUNT) parser.add_argument("--trial-score", type=Path, action="append", default=[]) parser.add_argument("--out", type=Path) args = parser.parse_args() if args.freeze_protocol: if not args.seed: raise SystemExit("--seed is required with --freeze-protocol") protocol = freeze_protocol(args.seed, trial_count=args.trial_count) args.freeze_protocol.parent.mkdir(parents=True, exist_ok=True) args.freeze_protocol.write_text(json.dumps(protocol, indent=2, sort_keys=True) + "\n", encoding="utf-8") print(json.dumps({"protocol": str(args.freeze_protocol), "hash": protocol["protocol_hash_sha256"]}, indent=2)) return 0 protocol_path = args.validate_protocol or args.aggregate_protocol protocol = json.loads(protocol_path.read_text(encoding="utf-8")) validation = validate_protocol(protocol, verify_source_hashes=True) if args.validate_protocol: print(json.dumps(validation, indent=2, sort_keys=True)) return 0 if validation["pass"] else 1 scores = [json.loads(path.read_text(encoding="utf-8")) for path in args.trial_score] aggregate = aggregate_trial_scores(protocol, scores) if args.out: args.out.parent.mkdir(parents=True, exist_ok=True) args.out.write_text(json.dumps(aggregate, indent=2, sort_keys=True) + "\n", encoding="utf-8") print(json.dumps(aggregate, indent=2, sort_keys=True)) return 0 if aggregate["pass"] and validation["pass"] else 1 if __name__ == "__main__": raise SystemExit(main())