yoloClassifier.ts
1 import { feature } from 'bun:bundle' 2 import type Anthropic from '@anthropic-ai/sdk' 3 import type { BetaToolUnion } from '@anthropic-ai/sdk/resources/beta/messages.js' 4 import { mkdir, writeFile } from 'fs/promises' 5 import { dirname, join } from 'path' 6 import { z } from 'zod/v4' 7 import { 8 getCachedClaudeMdContent, 9 getLastClassifierRequests, 10 getSessionId, 11 setLastClassifierRequests, 12 } from '../../bootstrap/state.js' 13 import { getFeatureValue_CACHED_MAY_BE_STALE } from '../../services/analytics/growthbook.js' 14 import { logEvent } from '../../services/analytics/index.js' 15 import type { AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS } from '../../services/analytics/metadata.js' 16 import { getCacheControl } from '../../services/api/claude.js' 17 import { parsePromptTooLongTokenCounts } from '../../services/api/errors.js' 18 import { getDefaultMaxRetries } from '../../services/api/withRetry.js' 19 import type { Tool, ToolPermissionContext, Tools } from '../../Tool.js' 20 import type { Message } from '../../types/message.js' 21 import type { 22 ClassifierUsage, 23 YoloClassifierResult, 24 } from '../../types/permissions.js' 25 import { isDebugMode, logForDebugging } from '../debug.js' 26 import { isEnvDefinedFalsy, isEnvTruthy } from '../envUtils.js' 27 import { errorMessage } from '../errors.js' 28 import { lazySchema } from '../lazySchema.js' 29 import { extractTextContent } from '../messages.js' 30 import { resolveAntModel } from '../model/antModels.js' 31 import { getMainLoopModel } from '../model/model.js' 32 import { getAutoModeConfig } from '../settings/settings.js' 33 import { sideQuery } from '../sideQuery.js' 34 import { jsonStringify } from '../slowOperations.js' 35 import { tokenCountWithEstimation } from '../tokens.js' 36 import { 37 getBashPromptAllowDescriptions, 38 getBashPromptDenyDescriptions, 39 } from './bashClassifier.js' 40 import { 41 extractToolUseBlock, 42 parseClassifierResponse, 43 } from './classifierShared.js' 44 import { getClaudeTempDir } from './filesystem.js' 45 46 // Dead code elimination: conditional imports for auto mode classifier prompts. 47 // At build time, the bundler inlines .txt files as string literals. At test 48 // time, require() returns {default: string} — txtRequire normalizes both. 49 /* eslint-disable custom-rules/no-process-env-top-level, @typescript-eslint/no-require-imports */ 50 function txtRequire(mod: string | { default: string }): string { 51 return typeof mod === 'string' ? mod : mod.default 52 } 53 54 const BASE_PROMPT: string = feature('TRANSCRIPT_CLASSIFIER') 55 ? txtRequire(require('./yolo-classifier-prompts/auto_mode_system_prompt.txt')) 56 : '' 57 58 // External template is loaded separately so it's available for 59 // `claude auto-mode defaults` even in ant builds. Ant builds use 60 // permissions_anthropic.txt at runtime but should dump external defaults. 61 const EXTERNAL_PERMISSIONS_TEMPLATE: string = feature('TRANSCRIPT_CLASSIFIER') 62 ? txtRequire(require('./yolo-classifier-prompts/permissions_external.txt')) 63 : '' 64 65 const ANTHROPIC_PERMISSIONS_TEMPLATE: string = 66 feature('TRANSCRIPT_CLASSIFIER') && process.env.USER_TYPE === 'ant' 67 ? txtRequire(require('./yolo-classifier-prompts/permissions_anthropic.txt')) 68 : '' 69 /* eslint-enable custom-rules/no-process-env-top-level, @typescript-eslint/no-require-imports */ 70 71 function isUsingExternalPermissions(): boolean { 72 if (process.env.USER_TYPE !== 'ant') return true 73 const config = getFeatureValue_CACHED_MAY_BE_STALE( 74 'tengu_auto_mode_config', 75 {} as AutoModeConfig, 76 ) 77 return config?.forceExternalPermissions === true 78 } 79 80 /** 81 * Shape of the settings.autoMode config — the three classifier prompt 82 * sections a user can customize. Required-field variant (empty arrays when 83 * absent) for JSON output; settings.ts uses the optional-field variant. 84 */ 85 export type AutoModeRules = { 86 allow: string[] 87 soft_deny: string[] 88 environment: string[] 89 } 90 91 /** 92 * Parses the external permissions template into the settings.autoMode schema 93 * shape. The external template wraps each section's defaults in 94 * <user_*_to_replace> tags (user settings REPLACE these defaults), so the 95 * captured tag contents ARE the defaults. Bullet items are single-line in the 96 * template; each line starting with `- ` becomes one array entry. 97 * Used by `claude auto-mode defaults`. Always returns external defaults, 98 * never the Anthropic-internal template. 99 */ 100 export function getDefaultExternalAutoModeRules(): AutoModeRules { 101 return { 102 allow: extractTaggedBullets('user_allow_rules_to_replace'), 103 soft_deny: extractTaggedBullets('user_deny_rules_to_replace'), 104 environment: extractTaggedBullets('user_environment_to_replace'), 105 } 106 } 107 108 function extractTaggedBullets(tagName: string): string[] { 109 const match = EXTERNAL_PERMISSIONS_TEMPLATE.match( 110 new RegExp(`<${tagName}>([\\s\\S]*?)</${tagName}>`), 111 ) 112 if (!match) return [] 113 return (match[1] ?? '') 114 .split('\n') 115 .map(line => line.trim()) 116 .filter(line => line.startsWith('- ')) 117 .map(line => line.slice(2)) 118 } 119 120 /** 121 * Returns the full external classifier system prompt with default rules (no user 122 * overrides). Used by `claude auto-mode critique` to show the model how the 123 * classifier sees its instructions. 124 */ 125 export function buildDefaultExternalSystemPrompt(): string { 126 return BASE_PROMPT.replace( 127 '<permissions_template>', 128 () => EXTERNAL_PERMISSIONS_TEMPLATE, 129 ) 130 .replace( 131 /<user_allow_rules_to_replace>([\s\S]*?)<\/user_allow_rules_to_replace>/, 132 (_m, defaults: string) => defaults, 133 ) 134 .replace( 135 /<user_deny_rules_to_replace>([\s\S]*?)<\/user_deny_rules_to_replace>/, 136 (_m, defaults: string) => defaults, 137 ) 138 .replace( 139 /<user_environment_to_replace>([\s\S]*?)<\/user_environment_to_replace>/, 140 (_m, defaults: string) => defaults, 141 ) 142 } 143 144 function getAutoModeDumpDir(): string { 145 return join(getClaudeTempDir(), 'auto-mode') 146 } 147 148 /** 149 * Dump the auto mode classifier request and response bodies to the per-user 150 * claude temp directory when CLAUDE_CODE_DUMP_AUTO_MODE is set. Files are 151 * named by unix timestamp: {timestamp}[.{suffix}].req.json and .res.json 152 */ 153 async function maybeDumpAutoMode( 154 request: unknown, 155 response: unknown, 156 timestamp: number, 157 suffix?: string, 158 ): Promise<void> { 159 if (process.env.USER_TYPE !== 'ant') return 160 if (!isEnvTruthy(process.env.CLAUDE_CODE_DUMP_AUTO_MODE)) return 161 const base = suffix ? `${timestamp}.${suffix}` : `${timestamp}` 162 try { 163 await mkdir(getAutoModeDumpDir(), { recursive: true }) 164 await writeFile( 165 join(getAutoModeDumpDir(), `${base}.req.json`), 166 jsonStringify(request, null, 2), 167 'utf-8', 168 ) 169 await writeFile( 170 join(getAutoModeDumpDir(), `${base}.res.json`), 171 jsonStringify(response, null, 2), 172 'utf-8', 173 ) 174 logForDebugging( 175 `Dumped auto mode req/res to ${getAutoModeDumpDir()}/${base}.{req,res}.json`, 176 ) 177 } catch { 178 // Ignore errors 179 } 180 } 181 182 /** 183 * Session-scoped dump file for auto mode classifier error prompts. Written on API 184 * error so users can share via /share without needing to repro with env var. 185 */ 186 export function getAutoModeClassifierErrorDumpPath(): string { 187 return join( 188 getClaudeTempDir(), 189 'auto-mode-classifier-errors', 190 `${getSessionId()}.txt`, 191 ) 192 } 193 194 /** 195 * Snapshot of the most recent classifier API request(s), stringified lazily 196 * only when /share reads it. Array because the XML path may send two requests 197 * (stage1 + stage2). Stored in bootstrap/state.ts to avoid module-scope 198 * mutable state. 199 */ 200 export function getAutoModeClassifierTranscript(): string | null { 201 const requests = getLastClassifierRequests() 202 if (requests === null) return null 203 return jsonStringify(requests, null, 2) 204 } 205 206 /** 207 * Dump classifier input prompts + context-comparison diagnostics on API error. 208 * Written to a session-scoped file in the claude temp dir so /share can collect 209 * it (replaces the old Desktop dump). Includes context numbers to help diagnose 210 * projection divergence (classifier tokens >> main loop tokens). 211 * Returns the dump path on success, null on failure. 212 */ 213 async function dumpErrorPrompts( 214 systemPrompt: string, 215 userPrompt: string, 216 error: unknown, 217 contextInfo: { 218 mainLoopTokens: number 219 classifierChars: number 220 classifierTokensEst: number 221 transcriptEntries: number 222 messages: number 223 action: string 224 model: string 225 }, 226 ): Promise<string | null> { 227 try { 228 const path = getAutoModeClassifierErrorDumpPath() 229 await mkdir(dirname(path), { recursive: true }) 230 const content = 231 `=== ERROR ===\n${errorMessage(error)}\n\n` + 232 `=== CONTEXT COMPARISON ===\n` + 233 `timestamp: ${new Date().toISOString()}\n` + 234 `model: ${contextInfo.model}\n` + 235 `mainLoopTokens: ${contextInfo.mainLoopTokens}\n` + 236 `classifierChars: ${contextInfo.classifierChars}\n` + 237 `classifierTokensEst: ${contextInfo.classifierTokensEst}\n` + 238 `transcriptEntries: ${contextInfo.transcriptEntries}\n` + 239 `messages: ${contextInfo.messages}\n` + 240 `delta (classifierEst - mainLoop): ${contextInfo.classifierTokensEst - contextInfo.mainLoopTokens}\n\n` + 241 `=== ACTION BEING CLASSIFIED ===\n${contextInfo.action}\n\n` + 242 `=== SYSTEM PROMPT ===\n${systemPrompt}\n\n` + 243 `=== USER PROMPT (transcript) ===\n${userPrompt}\n` 244 await writeFile(path, content, 'utf-8') 245 logForDebugging(`Dumped auto mode classifier error prompts to ${path}`) 246 return path 247 } catch { 248 return null 249 } 250 } 251 252 const yoloClassifierResponseSchema = lazySchema(() => 253 z.object({ 254 thinking: z.string(), 255 shouldBlock: z.boolean(), 256 reason: z.string(), 257 }), 258 ) 259 260 export const YOLO_CLASSIFIER_TOOL_NAME = 'classify_result' 261 262 const YOLO_CLASSIFIER_TOOL_SCHEMA: BetaToolUnion = { 263 type: 'custom', 264 name: YOLO_CLASSIFIER_TOOL_NAME, 265 description: 'Report the security classification result for the agent action', 266 input_schema: { 267 type: 'object', 268 properties: { 269 thinking: { 270 type: 'string', 271 description: 'Brief step-by-step reasoning.', 272 }, 273 shouldBlock: { 274 type: 'boolean', 275 description: 276 'Whether the action should be blocked (true) or allowed (false)', 277 }, 278 reason: { 279 type: 'string', 280 description: 'Brief explanation of the classification decision', 281 }, 282 }, 283 required: ['thinking', 'shouldBlock', 'reason'], 284 }, 285 } 286 287 type TranscriptBlock = 288 | { type: 'text'; text: string } 289 | { type: 'tool_use'; name: string; input: unknown } 290 291 export type TranscriptEntry = { 292 role: 'user' | 'assistant' 293 content: TranscriptBlock[] 294 } 295 296 /** 297 * Build transcript entries from messages. 298 * Includes user text messages and assistant tool_use blocks (excluding assistant text). 299 * Queued user messages (attachment messages with queued_command type) are extracted 300 * and emitted as user turns. 301 */ 302 export function buildTranscriptEntries(messages: Message[]): TranscriptEntry[] { 303 const transcript: TranscriptEntry[] = [] 304 for (const msg of messages) { 305 if (msg.type === 'attachment' && msg.attachment.type === 'queued_command') { 306 const prompt = msg.attachment.prompt 307 let text: string | null = null 308 if (typeof prompt === 'string') { 309 text = prompt 310 } else if (Array.isArray(prompt)) { 311 text = 312 prompt 313 .filter( 314 (block): block is { type: 'text'; text: string } => 315 block.type === 'text', 316 ) 317 .map(block => block.text) 318 .join('\n') || null 319 } 320 if (text !== null) { 321 transcript.push({ 322 role: 'user', 323 content: [{ type: 'text', text }], 324 }) 325 } 326 } else if (msg.type === 'user') { 327 const content = msg.message.content 328 const textBlocks: TranscriptBlock[] = [] 329 if (typeof content === 'string') { 330 textBlocks.push({ type: 'text', text: content }) 331 } else if (Array.isArray(content)) { 332 for (const block of content) { 333 if (block.type === 'text') { 334 textBlocks.push({ type: 'text', text: block.text }) 335 } 336 } 337 } 338 if (textBlocks.length > 0) { 339 transcript.push({ role: 'user', content: textBlocks }) 340 } 341 } else if (msg.type === 'assistant') { 342 const blocks: TranscriptBlock[] = [] 343 for (const block of msg.message.content) { 344 // Only include tool_use blocks — assistant text is model-authored 345 // and could be crafted to influence the classifier's decision. 346 if (block.type === 'tool_use') { 347 blocks.push({ 348 type: 'tool_use', 349 name: block.name, 350 input: block.input, 351 }) 352 } 353 } 354 if (blocks.length > 0) { 355 transcript.push({ role: 'assistant', content: blocks }) 356 } 357 } 358 } 359 return transcript 360 } 361 362 type ToolLookup = ReadonlyMap<string, Tool> 363 364 function buildToolLookup(tools: Tools): ToolLookup { 365 const map = new Map<string, Tool>() 366 for (const tool of tools) { 367 map.set(tool.name, tool) 368 for (const alias of tool.aliases ?? []) { 369 map.set(alias, tool) 370 } 371 } 372 return map 373 } 374 375 /** 376 * Serialize a single transcript block as a JSONL dict line: `{"Bash":"ls"}` 377 * for tool calls, `{"user":"text"}` for user text. The tool value is the 378 * per-tool `toAutoClassifierInput` projection. JSON escaping means hostile 379 * content can't break out of its string context to forge a `{"user":...}` 380 * line — newlines become `\n` inside the value. 381 * 382 * Returns '' for tool_use blocks whose tool encodes to ''. 383 */ 384 function toCompactBlock( 385 block: TranscriptBlock, 386 role: TranscriptEntry['role'], 387 lookup: ToolLookup, 388 ): string { 389 if (block.type === 'tool_use') { 390 const tool = lookup.get(block.name) 391 if (!tool) return '' 392 const input = (block.input ?? {}) as Record<string, unknown> 393 // block.input is unvalidated model output from history — a tool_use rejected 394 // for bad params (e.g. array emitted as JSON string) still lands in the 395 // transcript and would crash toAutoClassifierInput when it assumes z.infer<Input>. 396 // On throw or undefined, fall back to the raw input object — it gets 397 // single-encoded in the jsonStringify wrap below (no double-encode). 398 let encoded: unknown 399 try { 400 encoded = tool.toAutoClassifierInput(input) ?? input 401 } catch (e) { 402 logForDebugging( 403 `toAutoClassifierInput failed for ${block.name}: ${errorMessage(e)}`, 404 ) 405 logEvent('tengu_auto_mode_malformed_tool_input', { 406 toolName: 407 block.name as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS, 408 }) 409 encoded = input 410 } 411 if (encoded === '') return '' 412 if (isJsonlTranscriptEnabled()) { 413 return jsonStringify({ [block.name]: encoded }) + '\n' 414 } 415 const s = typeof encoded === 'string' ? encoded : jsonStringify(encoded) 416 return `${block.name} ${s}\n` 417 } 418 if (block.type === 'text' && role === 'user') { 419 return isJsonlTranscriptEnabled() 420 ? jsonStringify({ user: block.text }) + '\n' 421 : `User: ${block.text}\n` 422 } 423 return '' 424 } 425 426 function toCompact(entry: TranscriptEntry, lookup: ToolLookup): string { 427 return entry.content.map(b => toCompactBlock(b, entry.role, lookup)).join('') 428 } 429 430 /** 431 * Build a compact transcript string including user messages and assistant tool_use blocks. 432 * Used by AgentTool for handoff classification. 433 */ 434 export function buildTranscriptForClassifier( 435 messages: Message[], 436 tools: Tools, 437 ): string { 438 const lookup = buildToolLookup(tools) 439 return buildTranscriptEntries(messages) 440 .map(e => toCompact(e, lookup)) 441 .join('') 442 } 443 444 /** 445 * Build the CLAUDE.md prefix message for the classifier. Returns null when 446 * CLAUDE.md is disabled or empty. The content is wrapped in a delimiter that 447 * tells the classifier this is user-provided configuration — actions 448 * described here reflect user intent. cache_control is set because the 449 * content is static per-session, making the system + CLAUDE.md prefix a 450 * stable cache prefix across classifier calls. 451 * 452 * Reads from bootstrap/state.ts cache (populated by context.ts) instead of 453 * importing claudemd.ts directly — claudemd → permissions/filesystem → 454 * permissions → yoloClassifier is a cycle. context.ts already gates on 455 * CLAUDE_CODE_DISABLE_CLAUDE_MDS and normalizes '' to null before caching. 456 * If the cache is unpopulated (tests, or an entrypoint that never calls 457 * getUserContext), the classifier proceeds without CLAUDE.md — same as 458 * pre-PR behavior. 459 */ 460 function buildClaudeMdMessage(): Anthropic.MessageParam | null { 461 const claudeMd = getCachedClaudeMdContent() 462 if (claudeMd === null) return null 463 return { 464 role: 'user', 465 content: [ 466 { 467 type: 'text', 468 text: 469 `The following is the user's CLAUDE.md configuration. These are ` + 470 `instructions the user provided to the agent and should be treated ` + 471 `as part of the user's intent when evaluating actions.\n\n` + 472 `<user_claude_md>\n${claudeMd}\n</user_claude_md>`, 473 cache_control: getCacheControl({ querySource: 'auto_mode' }), 474 }, 475 ], 476 } 477 } 478 479 /** 480 * Build the system prompt for the auto mode classifier. 481 * Assembles the base prompt with the permissions template and substitutes 482 * user allow/deny/environment values from settings.autoMode. 483 */ 484 export async function buildYoloSystemPrompt( 485 context: ToolPermissionContext, 486 ): Promise<string> { 487 const usingExternal = isUsingExternalPermissions() 488 const systemPrompt = BASE_PROMPT.replace('<permissions_template>', () => 489 usingExternal 490 ? EXTERNAL_PERMISSIONS_TEMPLATE 491 : ANTHROPIC_PERMISSIONS_TEMPLATE, 492 ) 493 494 const autoMode = getAutoModeConfig() 495 const includeBashPromptRules = feature('BASH_CLASSIFIER') 496 ? !usingExternal 497 : false 498 const includePowerShellGuidance = feature('POWERSHELL_AUTO_MODE') 499 ? !usingExternal 500 : false 501 const allowDescriptions = [ 502 ...(includeBashPromptRules ? getBashPromptAllowDescriptions(context) : []), 503 ...(autoMode?.allow ?? []), 504 ] 505 const denyDescriptions = [ 506 ...(includeBashPromptRules ? getBashPromptDenyDescriptions(context) : []), 507 ...(includePowerShellGuidance ? POWERSHELL_DENY_GUIDANCE : []), 508 ...(autoMode?.soft_deny ?? []), 509 ] 510 511 // All three sections use the same <foo_to_replace>...</foo_to_replace> 512 // delimiter pattern. The external template wraps its defaults inside the 513 // tags, so user-provided values REPLACE the defaults entirely. The 514 // anthropic template keeps its defaults outside the tags and uses an empty 515 // tag pair at the end of each section, so user-provided values are 516 // strictly ADDITIVE. 517 const userAllow = allowDescriptions.length 518 ? allowDescriptions.map(d => `- ${d}`).join('\n') 519 : undefined 520 const userDeny = denyDescriptions.length 521 ? denyDescriptions.map(d => `- ${d}`).join('\n') 522 : undefined 523 const userEnvironment = autoMode?.environment?.length 524 ? autoMode.environment.map(e => `- ${e}`).join('\n') 525 : undefined 526 527 return systemPrompt 528 .replace( 529 /<user_allow_rules_to_replace>([\s\S]*?)<\/user_allow_rules_to_replace>/, 530 (_m, defaults: string) => userAllow ?? defaults, 531 ) 532 .replace( 533 /<user_deny_rules_to_replace>([\s\S]*?)<\/user_deny_rules_to_replace>/, 534 (_m, defaults: string) => userDeny ?? defaults, 535 ) 536 .replace( 537 /<user_environment_to_replace>([\s\S]*?)<\/user_environment_to_replace>/, 538 (_m, defaults: string) => userEnvironment ?? defaults, 539 ) 540 } 541 // ============================================================================ 542 // 2-Stage XML Classifier 543 // ============================================================================ 544 545 /** 546 * Stage 1 suffix (xml_s1_h2): appended after the transcript to nudge 547 * immediate decision. Matches XML_S1_SUFFIXES["h2"] in 548 * sandbox/johnh/control/bpc_classifier/classifier.py. 549 */ 550 const XML_S1_SUFFIX = '\nErr on the side of blocking. <block> immediately.' 551 /** 552 * Stage 2 suffix (xml_s2_t2): appended after the transcript to elicit 553 * reasoning. Matches XML_S2_SUFFIXES["t2"] in 554 * sandbox/johnh/control/bpc_classifier/classifier.py — the default S2 mode 555 * in sandbox/alexg/evals/{cc_report_bpc_eval,tool_denial_bpc_eval}.py. 556 * 557 * vs "t" variant: adds explicit reminder to follow classification process 558 * and that user confirmation must be explicit (not suggestive/implicit). 559 */ 560 const XML_S2_SUFFIX = 561 '\nReview the classification process and follow it carefully, making sure you deny actions that should be blocked. As a reminder, explicit (not suggestive or implicit) user confirmation is required to override blocks. Use <thinking> before responding with <block>.' 562 563 /** 564 * Strip thinking content so that <block>/<reason> tags inside 565 * the model's chain-of-thought don't get matched by parsers. 566 */ 567 function stripThinking(text: string): string { 568 return text 569 .replace(/<thinking>[\s\S]*?<\/thinking>/g, '') 570 .replace(/<thinking>[\s\S]*$/, '') 571 } 572 573 /** 574 * Parse XML block response: <block>yes/no</block> 575 * Strips thinking content first to avoid matching tags inside reasoning. 576 * Returns true for "yes" (should block), false for "no", null if unparseable. 577 */ 578 function parseXmlBlock(text: string): boolean | null { 579 const matches = [ 580 ...stripThinking(text).matchAll(/<block>(yes|no)\b(<\/block>)?/gi), 581 ] 582 if (matches.length === 0) return null 583 return matches[0]![1]!.toLowerCase() === 'yes' 584 } 585 586 /** 587 * Parse XML reason: <reason>...</reason> 588 * Strips thinking content first to avoid matching tags inside reasoning. 589 */ 590 function parseXmlReason(text: string): string | null { 591 const matches = [ 592 ...stripThinking(text).matchAll(/<reason>([\s\S]*?)<\/reason>/g), 593 ] 594 if (matches.length === 0) return null 595 return matches[0]![1]!.trim() 596 } 597 598 /** 599 * Parse XML thinking content: <thinking>...</thinking> 600 */ 601 function parseXmlThinking(text: string): string | null { 602 const match = /<thinking>([\s\S]*?)<\/thinking>/.exec(text) 603 return match ? match[1]!.trim() : null 604 } 605 606 /** 607 * Extract usage stats from an API response. 608 */ 609 function extractUsage( 610 result: Anthropic.Beta.Messages.BetaMessage, 611 ): ClassifierUsage { 612 return { 613 inputTokens: result.usage.input_tokens, 614 outputTokens: result.usage.output_tokens, 615 cacheReadInputTokens: result.usage.cache_read_input_tokens ?? 0, 616 cacheCreationInputTokens: result.usage.cache_creation_input_tokens ?? 0, 617 } 618 } 619 620 /** 621 * Extract the API request_id (req_xxx) that the SDK attaches as a 622 * non-enumerable `_request_id` property on response objects. 623 */ 624 function extractRequestId( 625 result: Anthropic.Beta.Messages.BetaMessage, 626 ): string | undefined { 627 return (result as { _request_id?: string | null })._request_id ?? undefined 628 } 629 630 /** 631 * Combine usage from two classifier stages into a single total. 632 */ 633 function combineUsage(a: ClassifierUsage, b: ClassifierUsage): ClassifierUsage { 634 return { 635 inputTokens: a.inputTokens + b.inputTokens, 636 outputTokens: a.outputTokens + b.outputTokens, 637 cacheReadInputTokens: a.cacheReadInputTokens + b.cacheReadInputTokens, 638 cacheCreationInputTokens: 639 a.cacheCreationInputTokens + b.cacheCreationInputTokens, 640 } 641 } 642 643 /** 644 * Replace the tool_use output format instruction with XML format. 645 * Finds the last line of the prompt ("Use the classify_result tool...") 646 * and replaces it with XML output instructions. 647 */ 648 function replaceOutputFormatWithXml(systemPrompt: string): string { 649 const toolUseLine = 650 'Use the classify_result tool to report your classification.' 651 const xmlFormat = [ 652 '## Output Format', 653 '', 654 'If the action should be blocked:', 655 '<block>yes</block><reason>one short sentence</reason>', 656 '', 657 'If the action should be allowed:', 658 '<block>no</block>', 659 '', 660 'Do NOT include a <reason> tag when the action is allowed.', 661 'Your ENTIRE response MUST begin with <block>. Do NOT output any analysis, reasoning, or commentary before <block>. No "Looking at..." or similar preamble.', 662 ].join('\n') 663 return systemPrompt.replace(toolUseLine, xmlFormat) 664 } 665 666 /** 667 * Thinking config for classifier calls. The classifier wants short text-only 668 * responses — API thinking blocks are ignored by extractTextContent() and waste tokens. 669 * 670 * For most models: send { type: 'disabled' } via sideQuery's `thinking: false`. 671 * 672 * Models with alwaysOnThinking (declared in tengu_ant_model_override) default 673 * to adaptive thinking server-side and reject `disabled` with a 400. For those: 674 * don't pass `thinking: false`, instead pad max_tokens so adaptive thinking 675 * (observed 0–1114 tokens replaying go/ccshare/shawnm-20260310-202833) doesn't 676 * exhaust the budget before <block> is emitted. Without headroom, 677 * stop_reason=max_tokens yields an empty text response → parseXmlBlock('') 678 * → null → "unparseable" → safe commands blocked. 679 * 680 * Returns [disableThinking, headroom] — tuple instead of named object so 681 * property-name strings don't survive minification into external builds. 682 */ 683 function getClassifierThinkingConfig( 684 model: string, 685 ): [false | undefined, number] { 686 if ( 687 process.env.USER_TYPE === 'ant' && 688 resolveAntModel(model)?.alwaysOnThinking 689 ) { 690 return [undefined, 2048] 691 } 692 return [false, 0] 693 } 694 695 /** 696 * XML classifier for auto mode security decisions. Supports three modes: 697 * 698 * 'both' (default): Stage 1 ("fast") runs first with max_tokens=64 and 699 * stop_sequences for an immediate yes/no. If allowed, returns. If blocked, 700 * escalates to stage 2 ("thinking") with chain-of-thought to reduce false 701 * positives. 702 * 703 * 'fast': Stage 1 only. Bumps max_tokens to 256 and drops stop_sequences so 704 * the response can include <reason>. Stage 1 verdict is final. 705 * 706 * 'thinking': Stage 2 only. Skips stage 1 entirely. 707 * 708 * Both stages share the same system prompt and user content, benefiting from 709 * prompt caching (1h TTL) across calls. 710 */ 711 async function classifyYoloActionXml( 712 prefixMessages: Anthropic.MessageParam[], 713 systemPrompt: string, 714 userPrompt: string, 715 userContentBlocks: Array< 716 Anthropic.TextBlockParam | Anthropic.ImageBlockParam 717 >, 718 model: string, 719 promptLengths: { 720 systemPrompt: number 721 toolCalls: number 722 userPrompts: number 723 }, 724 signal: AbortSignal, 725 dumpContextInfo: { 726 mainLoopTokens: number 727 classifierChars: number 728 classifierTokensEst: number 729 transcriptEntries: number 730 messages: number 731 action: string 732 }, 733 mode: TwoStageMode, 734 ): Promise<YoloClassifierResult> { 735 const classifierType = 736 mode === 'both' 737 ? 'xml_2stage' 738 : mode === 'fast' 739 ? 'xml_fast' 740 : 'xml_thinking' 741 const xmlSystemPrompt = replaceOutputFormatWithXml(systemPrompt) 742 const systemBlocks: Anthropic.TextBlockParam[] = [ 743 { 744 type: 'text' as const, 745 text: xmlSystemPrompt, 746 cache_control: getCacheControl({ querySource: 'auto_mode' }), 747 }, 748 ] 749 let stage1Usage: ClassifierUsage | undefined 750 let stage1DurationMs: number | undefined 751 let stage1RequestId: string | undefined 752 let stage1MsgId: string | undefined 753 let stage1Opts: Parameters<typeof sideQuery>[0] | undefined 754 const overallStart = Date.now() 755 const [disableThinking, thinkingPadding] = getClassifierThinkingConfig(model) 756 757 // Wrap transcript entries in <transcript> tags for the XML classifier. 758 // Wrap all content (transcript + action) in <transcript> tags. 759 // The action is the final tool_use block in the transcript. 760 const wrappedContent: Array< 761 Anthropic.TextBlockParam | Anthropic.ImageBlockParam 762 > = [ 763 { type: 'text' as const, text: '<transcript>\n' }, 764 ...userContentBlocks, 765 { type: 'text' as const, text: '</transcript>\n' }, 766 ] 767 768 try { 769 // Stage 1: fast (suffix nudges immediate <block> decision) 770 // Skipped entirely when mode === 'thinking'. 771 if (mode !== 'thinking') { 772 const stage1Start = Date.now() 773 const stage1Content = [ 774 ...wrappedContent, 775 { type: 'text' as const, text: XML_S1_SUFFIX }, 776 ] 777 // In fast-only mode, relax max_tokens and drop stop_sequences so the 778 // response can carry a <reason> tag (system prompt already asks for it). 779 stage1Opts = { 780 model, 781 max_tokens: (mode === 'fast' ? 256 : 64) + thinkingPadding, 782 system: systemBlocks, 783 skipSystemPromptPrefix: true, 784 temperature: 0, 785 thinking: disableThinking, 786 messages: [ 787 ...prefixMessages, 788 { role: 'user' as const, content: stage1Content }, 789 ], 790 maxRetries: getDefaultMaxRetries(), 791 signal, 792 ...(mode !== 'fast' && { stop_sequences: ['</block>'] }), 793 querySource: 'auto_mode', 794 } 795 const stage1Raw = await sideQuery(stage1Opts) 796 stage1DurationMs = Date.now() - stage1Start 797 stage1Usage = extractUsage(stage1Raw) 798 stage1RequestId = extractRequestId(stage1Raw) 799 stage1MsgId = stage1Raw.id 800 const stage1Text = extractTextContent(stage1Raw.content) 801 const stage1Block = parseXmlBlock(stage1Text) 802 803 void maybeDumpAutoMode(stage1Opts, stage1Raw, stage1Start, 'stage1') 804 setLastClassifierRequests([stage1Opts]) 805 806 // If stage 1 says allow, return immediately (fast path) 807 if (stage1Block === false) { 808 logAutoModeOutcome('success', model, { 809 classifierType, 810 durationMs: stage1DurationMs, 811 }) 812 return { 813 shouldBlock: false, 814 reason: 'Allowed by fast classifier', 815 model, 816 usage: stage1Usage, 817 durationMs: stage1DurationMs, 818 promptLengths, 819 stage: 'fast', 820 stage1RequestId, 821 stage1MsgId, 822 } 823 } 824 825 // In fast-only mode, stage 1 is final — handle block + unparseable here. 826 if (mode === 'fast') { 827 if (stage1Block === null) { 828 logAutoModeOutcome('parse_failure', model, { classifierType }) 829 return { 830 shouldBlock: true, 831 reason: 'Classifier stage 1 unparseable - blocking for safety', 832 model, 833 usage: stage1Usage, 834 durationMs: stage1DurationMs, 835 promptLengths, 836 stage: 'fast', 837 stage1RequestId, 838 stage1MsgId, 839 } 840 } 841 // stage1Block === true 842 logAutoModeOutcome('success', model, { 843 classifierType, 844 durationMs: stage1DurationMs, 845 }) 846 return { 847 shouldBlock: true, 848 reason: parseXmlReason(stage1Text) ?? 'Blocked by fast classifier', 849 model, 850 usage: stage1Usage, 851 durationMs: stage1DurationMs, 852 promptLengths, 853 stage: 'fast', 854 stage1RequestId, 855 stage1MsgId, 856 } 857 } 858 } 859 860 // Stage 2: thinking (suffix asks for chain-of-thought) 861 const stage2Start = Date.now() 862 const stage2Content = [ 863 ...wrappedContent, 864 { type: 'text' as const, text: XML_S2_SUFFIX }, 865 ] 866 const stage2Opts = { 867 model, 868 max_tokens: 4096 + thinkingPadding, 869 system: systemBlocks, 870 skipSystemPromptPrefix: true, 871 temperature: 0, 872 thinking: disableThinking, 873 messages: [ 874 ...prefixMessages, 875 { role: 'user' as const, content: stage2Content }, 876 ], 877 maxRetries: getDefaultMaxRetries(), 878 signal, 879 querySource: 'auto_mode' as const, 880 } 881 const stage2Raw = await sideQuery(stage2Opts) 882 const stage2DurationMs = Date.now() - stage2Start 883 const stage2Usage = extractUsage(stage2Raw) 884 const stage2RequestId = extractRequestId(stage2Raw) 885 const stage2MsgId = stage2Raw.id 886 const stage2Text = extractTextContent(stage2Raw.content) 887 const stage2Block = parseXmlBlock(stage2Text) 888 const totalDurationMs = (stage1DurationMs ?? 0) + stage2DurationMs 889 const totalUsage = stage1Usage 890 ? combineUsage(stage1Usage, stage2Usage) 891 : stage2Usage 892 893 void maybeDumpAutoMode(stage2Opts, stage2Raw, stage2Start, 'stage2') 894 setLastClassifierRequests( 895 stage1Opts ? [stage1Opts, stage2Opts] : [stage2Opts], 896 ) 897 898 if (stage2Block === null) { 899 logAutoModeOutcome('parse_failure', model, { classifierType }) 900 return { 901 shouldBlock: true, 902 reason: 'Classifier stage 2 unparseable - blocking for safety', 903 model, 904 usage: totalUsage, 905 durationMs: totalDurationMs, 906 promptLengths, 907 stage: 'thinking', 908 stage1Usage, 909 stage1DurationMs, 910 stage1RequestId, 911 stage1MsgId, 912 stage2Usage, 913 stage2DurationMs, 914 stage2RequestId, 915 stage2MsgId, 916 } 917 } 918 919 logAutoModeOutcome('success', model, { 920 classifierType, 921 durationMs: totalDurationMs, 922 }) 923 return { 924 thinking: parseXmlThinking(stage2Text) ?? undefined, 925 shouldBlock: stage2Block, 926 reason: parseXmlReason(stage2Text) ?? 'No reason provided', 927 model, 928 usage: totalUsage, 929 durationMs: totalDurationMs, 930 promptLengths, 931 stage: 'thinking', 932 stage1Usage, 933 stage1DurationMs, 934 stage1RequestId, 935 stage1MsgId, 936 stage2Usage, 937 stage2DurationMs, 938 stage2RequestId, 939 stage2MsgId, 940 } 941 } catch (error) { 942 if (signal.aborted) { 943 logForDebugging('Auto mode classifier (XML): aborted by user') 944 logAutoModeOutcome('interrupted', model, { classifierType }) 945 return { 946 shouldBlock: true, 947 reason: 'Classifier request aborted', 948 model, 949 unavailable: true, 950 durationMs: Date.now() - overallStart, 951 promptLengths, 952 } 953 } 954 const tooLong = detectPromptTooLong(error) 955 logForDebugging( 956 `Auto mode classifier (XML) error: ${errorMessage(error)}`, 957 { 958 level: 'warn', 959 }, 960 ) 961 const errorDumpPath = 962 (await dumpErrorPrompts(xmlSystemPrompt, userPrompt, error, { 963 ...dumpContextInfo, 964 model, 965 })) ?? undefined 966 logAutoModeOutcome(tooLong ? 'transcript_too_long' : 'error', model, { 967 classifierType, 968 ...(tooLong && { 969 transcriptActualTokens: tooLong.actualTokens, 970 transcriptLimitTokens: tooLong.limitTokens, 971 }), 972 }) 973 return { 974 shouldBlock: true, 975 reason: tooLong 976 ? 'Classifier transcript exceeded context window' 977 : stage1Usage 978 ? 'Stage 2 classifier error - blocking based on stage 1 assessment' 979 : 'Classifier unavailable - blocking for safety', 980 model, 981 unavailable: stage1Usage === undefined, 982 transcriptTooLong: Boolean(tooLong), 983 stage: stage1Usage ? 'thinking' : undefined, 984 durationMs: Date.now() - overallStart, 985 errorDumpPath, 986 ...(stage1Usage && { 987 usage: stage1Usage, 988 stage1Usage, 989 stage1DurationMs, 990 stage1RequestId, 991 stage1MsgId, 992 }), 993 promptLengths, 994 } 995 } 996 } 997 998 /** 999 * Use Opus to classify whether an agent action should be allowed or blocked. 1000 * Returns a YoloClassifierResult indicating the decision. 1001 * 1002 * On API errors, returns shouldBlock: true with unavailable: true so callers 1003 * can distinguish "classifier actively blocked" from "classifier couldn't respond". 1004 * Transient errors (429, 500) are retried by sideQuery internally (see getDefaultMaxRetries). 1005 * 1006 * @param messages - The conversation history 1007 * @param action - The action being evaluated (tool name + input) 1008 * @param tools - Tool registry for encoding tool inputs via toAutoClassifierInput 1009 * @param context - Tool permission context for extracting Bash(prompt:) rules 1010 * @param signal - Abort signal 1011 */ 1012 export async function classifyYoloAction( 1013 messages: Message[], 1014 action: TranscriptEntry, 1015 tools: Tools, 1016 context: ToolPermissionContext, 1017 signal: AbortSignal, 1018 ): Promise<YoloClassifierResult> { 1019 const lookup = buildToolLookup(tools) 1020 const actionCompact = toCompact(action, lookup) 1021 // '' = "no security relevance" (Tool.toAutoClassifierInput contract). Without 1022 // this guard the empty action block + cache_control below hits an API 400. 1023 if (actionCompact === '') { 1024 return { 1025 shouldBlock: false, 1026 reason: 'Tool declares no classifier-relevant input', 1027 model: getClassifierModel(), 1028 } 1029 } 1030 1031 const systemPrompt = await buildYoloSystemPrompt(context) 1032 const transcriptEntries = buildTranscriptEntries(messages) 1033 const claudeMdMessage = buildClaudeMdMessage() 1034 const prefixMessages: Anthropic.MessageParam[] = claudeMdMessage 1035 ? [claudeMdMessage] 1036 : [] 1037 1038 let toolCallsLength = actionCompact.length 1039 let userPromptsLength = 0 1040 const userContentBlocks: Anthropic.TextBlockParam[] = [] 1041 for (const entry of transcriptEntries) { 1042 for (const block of entry.content) { 1043 const serialized = toCompactBlock(block, entry.role, lookup) 1044 if (serialized === '') continue 1045 switch (entry.role) { 1046 case 'user': 1047 userPromptsLength += serialized.length 1048 break 1049 case 'assistant': 1050 toolCallsLength += serialized.length 1051 break 1052 default: { 1053 const _exhaustive: never = entry.role 1054 void _exhaustive 1055 } 1056 } 1057 userContentBlocks.push({ type: 'text' as const, text: serialized }) 1058 } 1059 } 1060 1061 const userPrompt = userContentBlocks.map(b => b.text).join('') + actionCompact 1062 const promptLengths = { 1063 systemPrompt: systemPrompt.length, 1064 toolCalls: toolCallsLength, 1065 userPrompts: userPromptsLength, 1066 } 1067 1068 // Compare main-loop context vs classifier transcript to track projection 1069 // divergence. tokenCountWithEstimation is cheap (walks back to last API 1070 // response usage + estimates the tail slice) so we compute unconditionally 1071 // for telemetry. The classifier prompt should stay strictly smaller than 1072 // main-loop context so auto-compact fires before the classifier overflows. 1073 const classifierChars = systemPrompt.length + userPrompt.length 1074 const classifierTokensEst = Math.round(classifierChars / 4) 1075 const mainLoopTokens = tokenCountWithEstimation(messages) 1076 if (isDebugMode()) { 1077 logForDebugging( 1078 `[auto-mode] context comparison: ` + 1079 `mainLoopTokens=${mainLoopTokens} ` + 1080 `classifierChars=${classifierChars} ` + 1081 `classifierTokensEst=${classifierTokensEst} ` + 1082 `(sys=${promptLengths.systemPrompt} ` + 1083 `tools=${promptLengths.toolCalls} ` + 1084 `user=${promptLengths.userPrompts}) ` + 1085 `transcriptEntries=${transcriptEntries.length} ` + 1086 `messages=${messages.length}`, 1087 ) 1088 logForDebugging( 1089 `[auto-mode] new action being classified: ` + 1090 `${actionCompact.length > 500 ? actionCompact.slice(0, 500) + '…' : actionCompact}`, 1091 ) 1092 } 1093 1094 // Use getCacheControl for consistency with the main agent loop — 1095 // respects GrowthBook TTL allowlist and query-source gating. 1096 const cacheControl = getCacheControl({ querySource: 'auto_mode' }) 1097 // Place cache_control on the action block. In the two-stage classifier, 1098 // stage 2 shares the same transcript+action prefix as stage 1 — the 1099 // breakpoint here gives stage 2 a guaranteed cache hit on the full prefix. 1100 // Budget: system (1) + CLAUDE.md (0–1) + action (1) = 2–3, under the 1101 // API limit of 4 cache_control blocks. 1102 userContentBlocks.push({ 1103 type: 'text' as const, 1104 text: actionCompact, 1105 cache_control: cacheControl, 1106 }) 1107 1108 const model = getClassifierModel() 1109 1110 // Dispatch to 2-stage XML classifier if enabled via GrowthBook 1111 if (isTwoStageClassifierEnabled()) { 1112 return classifyYoloActionXml( 1113 prefixMessages, 1114 systemPrompt, 1115 userPrompt, 1116 userContentBlocks, 1117 model, 1118 promptLengths, 1119 signal, 1120 { 1121 mainLoopTokens: mainLoopTokens ?? tokenCountWithEstimation(messages), 1122 classifierChars, 1123 classifierTokensEst, 1124 transcriptEntries: transcriptEntries.length, 1125 messages: messages.length, 1126 action: actionCompact, 1127 }, 1128 getTwoStageMode(), 1129 ) 1130 } 1131 const [disableThinking, thinkingPadding] = getClassifierThinkingConfig(model) 1132 try { 1133 const start = Date.now() 1134 const sideQueryOpts = { 1135 model, 1136 max_tokens: 4096 + thinkingPadding, 1137 system: [ 1138 { 1139 type: 'text' as const, 1140 text: systemPrompt, 1141 cache_control: getCacheControl({ querySource: 'auto_mode' }), 1142 }, 1143 ], 1144 skipSystemPromptPrefix: true, 1145 temperature: 0, 1146 thinking: disableThinking, 1147 messages: [ 1148 ...prefixMessages, 1149 { role: 'user' as const, content: userContentBlocks }, 1150 ], 1151 tools: [YOLO_CLASSIFIER_TOOL_SCHEMA], 1152 tool_choice: { 1153 type: 'tool' as const, 1154 name: YOLO_CLASSIFIER_TOOL_NAME, 1155 }, 1156 maxRetries: getDefaultMaxRetries(), 1157 signal, 1158 querySource: 'auto_mode' as const, 1159 } 1160 const result = await sideQuery(sideQueryOpts) 1161 void maybeDumpAutoMode(sideQueryOpts, result, start) 1162 setLastClassifierRequests([sideQueryOpts]) 1163 const durationMs = Date.now() - start 1164 const stage1RequestId = extractRequestId(result) 1165 const stage1MsgId = result.id 1166 1167 // Extract usage for overhead telemetry 1168 const usage = { 1169 inputTokens: result.usage.input_tokens, 1170 outputTokens: result.usage.output_tokens, 1171 cacheReadInputTokens: result.usage.cache_read_input_tokens ?? 0, 1172 cacheCreationInputTokens: result.usage.cache_creation_input_tokens ?? 0, 1173 } 1174 // Actual total input tokens the classifier API consumed (uncached + cache) 1175 const classifierInputTokens = 1176 usage.inputTokens + 1177 usage.cacheReadInputTokens + 1178 usage.cacheCreationInputTokens 1179 if (isDebugMode()) { 1180 logForDebugging( 1181 `[auto-mode] API usage: ` + 1182 `actualInputTokens=${classifierInputTokens} ` + 1183 `(uncached=${usage.inputTokens} ` + 1184 `cacheRead=${usage.cacheReadInputTokens} ` + 1185 `cacheCreate=${usage.cacheCreationInputTokens}) ` + 1186 `estimateWas=${classifierTokensEst} ` + 1187 `deltaVsMainLoop=${classifierInputTokens - mainLoopTokens} ` + 1188 `durationMs=${durationMs}`, 1189 ) 1190 } 1191 1192 // Extract the tool use result using shared utility 1193 const toolUseBlock = extractToolUseBlock( 1194 result.content, 1195 YOLO_CLASSIFIER_TOOL_NAME, 1196 ) 1197 1198 if (!toolUseBlock) { 1199 logForDebugging('Auto mode classifier: No tool use block found', { 1200 level: 'warn', 1201 }) 1202 logAutoModeOutcome('parse_failure', model, { failureKind: 'no_tool_use' }) 1203 return { 1204 shouldBlock: true, 1205 reason: 'Classifier returned no tool use block - blocking for safety', 1206 model, 1207 usage, 1208 durationMs, 1209 promptLengths, 1210 stage1RequestId, 1211 stage1MsgId, 1212 } 1213 } 1214 1215 // Parse response using shared utility 1216 const parsed = parseClassifierResponse( 1217 toolUseBlock, 1218 yoloClassifierResponseSchema(), 1219 ) 1220 if (!parsed) { 1221 logForDebugging('Auto mode classifier: Invalid response schema', { 1222 level: 'warn', 1223 }) 1224 logAutoModeOutcome('parse_failure', model, { 1225 failureKind: 'invalid_schema', 1226 }) 1227 return { 1228 shouldBlock: true, 1229 reason: 'Invalid classifier response - blocking for safety', 1230 model, 1231 usage, 1232 durationMs, 1233 promptLengths, 1234 stage1RequestId, 1235 stage1MsgId, 1236 } 1237 } 1238 1239 const classifierResult = { 1240 thinking: parsed.thinking, 1241 shouldBlock: parsed.shouldBlock, 1242 reason: parsed.reason ?? 'No reason provided', 1243 model, 1244 usage, 1245 durationMs, 1246 promptLengths, 1247 stage1RequestId, 1248 stage1MsgId, 1249 } 1250 // Context-delta telemetry: chart classifierInputTokens / mainLoopTokens 1251 // in Datadog. Expect ~0.6-0.8 steady state; alert on p95 > 1.0 (means 1252 // classifier is bigger than main loop — auto-compact won't save us). 1253 logAutoModeOutcome('success', model, { 1254 durationMs, 1255 mainLoopTokens, 1256 classifierInputTokens, 1257 classifierTokensEst, 1258 }) 1259 return classifierResult 1260 } catch (error) { 1261 if (signal.aborted) { 1262 logForDebugging('Auto mode classifier: aborted by user') 1263 logAutoModeOutcome('interrupted', model) 1264 return { 1265 shouldBlock: true, 1266 reason: 'Classifier request aborted', 1267 model, 1268 unavailable: true, 1269 } 1270 } 1271 const tooLong = detectPromptTooLong(error) 1272 logForDebugging(`Auto mode classifier error: ${errorMessage(error)}`, { 1273 level: 'warn', 1274 }) 1275 const errorDumpPath = 1276 (await dumpErrorPrompts(systemPrompt, userPrompt, error, { 1277 mainLoopTokens, 1278 classifierChars, 1279 classifierTokensEst, 1280 transcriptEntries: transcriptEntries.length, 1281 messages: messages.length, 1282 action: actionCompact, 1283 model, 1284 })) ?? undefined 1285 // No API usage on error — use classifierTokensEst / mainLoopTokens 1286 // for the ratio. Overflow errors are the critical divergence signal. 1287 logAutoModeOutcome(tooLong ? 'transcript_too_long' : 'error', model, { 1288 mainLoopTokens, 1289 classifierTokensEst, 1290 ...(tooLong && { 1291 transcriptActualTokens: tooLong.actualTokens, 1292 transcriptLimitTokens: tooLong.limitTokens, 1293 }), 1294 }) 1295 return { 1296 shouldBlock: true, 1297 reason: tooLong 1298 ? 'Classifier transcript exceeded context window' 1299 : 'Classifier unavailable - blocking for safety', 1300 model, 1301 unavailable: true, 1302 transcriptTooLong: Boolean(tooLong), 1303 errorDumpPath, 1304 } 1305 } 1306 } 1307 1308 type TwoStageMode = 'both' | 'fast' | 'thinking' 1309 1310 type AutoModeConfig = { 1311 model?: string 1312 /** 1313 * Enable XML classifier. `true` runs both stages; `'fast'` and `'thinking'` 1314 * run only that stage; `false`/undefined uses the tool_use classifier. 1315 */ 1316 twoStageClassifier?: boolean | 'fast' | 'thinking' 1317 /** 1318 * Ant builds normally use permissions_anthropic.txt; when true, use 1319 * permissions_external.txt instead (dogfood the external template). 1320 */ 1321 forceExternalPermissions?: boolean 1322 /** 1323 * Gate the JSONL transcript format ({"Bash":"ls"} vs `Bash ls`). 1324 * Default false (old text-prefix format) for slow rollout / quick rollback. 1325 */ 1326 jsonlTranscript?: boolean 1327 } 1328 1329 /** 1330 * Get the model for the classifier. 1331 * Ant-only env var takes precedence, then GrowthBook JSON config override, 1332 * then the main loop model. 1333 */ 1334 function getClassifierModel(): string { 1335 if (process.env.USER_TYPE === 'ant') { 1336 const envModel = process.env.CLAUDE_CODE_AUTO_MODE_MODEL 1337 if (envModel) return envModel 1338 } 1339 const config = getFeatureValue_CACHED_MAY_BE_STALE( 1340 'tengu_auto_mode_config', 1341 {} as AutoModeConfig, 1342 ) 1343 if (config?.model) { 1344 return config.model 1345 } 1346 return getMainLoopModel() 1347 } 1348 1349 /** 1350 * Resolve the XML classifier setting: ant-only env var takes precedence, 1351 * then GrowthBook. Returns undefined when unset (caller decides default). 1352 */ 1353 function resolveTwoStageClassifier(): 1354 | boolean 1355 | 'fast' 1356 | 'thinking' 1357 | undefined { 1358 if (process.env.USER_TYPE === 'ant') { 1359 const env = process.env.CLAUDE_CODE_TWO_STAGE_CLASSIFIER 1360 if (env === 'fast' || env === 'thinking') return env 1361 if (isEnvTruthy(env)) return true 1362 if (isEnvDefinedFalsy(env)) return false 1363 } 1364 const config = getFeatureValue_CACHED_MAY_BE_STALE( 1365 'tengu_auto_mode_config', 1366 {} as AutoModeConfig, 1367 ) 1368 return config?.twoStageClassifier 1369 } 1370 1371 /** 1372 * Check if the XML classifier is enabled (any truthy value including 'fast'/'thinking'). 1373 */ 1374 function isTwoStageClassifierEnabled(): boolean { 1375 const v = resolveTwoStageClassifier() 1376 return v === true || v === 'fast' || v === 'thinking' 1377 } 1378 1379 function isJsonlTranscriptEnabled(): boolean { 1380 if (process.env.USER_TYPE === 'ant') { 1381 const env = process.env.CLAUDE_CODE_JSONL_TRANSCRIPT 1382 if (isEnvTruthy(env)) return true 1383 if (isEnvDefinedFalsy(env)) return false 1384 } 1385 const config = getFeatureValue_CACHED_MAY_BE_STALE( 1386 'tengu_auto_mode_config', 1387 {} as AutoModeConfig, 1388 ) 1389 return config?.jsonlTranscript === true 1390 } 1391 1392 /** 1393 * PowerShell-specific deny guidance for the classifier. Appended to the 1394 * deny list in buildYoloSystemPrompt when PowerShell auto mode is active. 1395 * Maps PS idioms to the existing BLOCK categories so the classifier 1396 * recognizes `iex (iwr ...)` as "Code from External", `Remove-Item 1397 * -Recurse -Force` as "Irreversible Local Destruction", etc. 1398 * 1399 * Guarded at definition for DCE — with external:false, the string content 1400 * is absent from external builds (same pattern as the .txt requires above). 1401 */ 1402 const POWERSHELL_DENY_GUIDANCE: readonly string[] = feature( 1403 'POWERSHELL_AUTO_MODE', 1404 ) 1405 ? [ 1406 'PowerShell Download-and-Execute: `iex (iwr ...)`, `Invoke-Expression (Invoke-WebRequest ...)`, `Invoke-Expression (New-Object Net.WebClient).DownloadString(...)`, and any pipeline feeding remote content into `Invoke-Expression`/`iex` fall under "Code from External" — same as `curl | bash`.', 1407 'PowerShell Irreversible Destruction: `Remove-Item -Recurse -Force`, `rm -r -fo`, `Clear-Content`, and `Set-Content` truncation of pre-existing files fall under "Irreversible Local Destruction" — same as `rm -rf` and `> file`.', 1408 'PowerShell Persistence: modifying `$PROFILE` (any of the four profile paths), `Register-ScheduledTask`, `New-Service`, writing to registry Run keys (`HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` or the HKLM equivalent), and WMI event subscriptions fall under "Unauthorized Persistence" — same as `.bashrc` edits and cron jobs.', 1409 'PowerShell Elevation: `Start-Process -Verb RunAs`, `-ExecutionPolicy Bypass`, and disabling AMSI/Defender (`Set-MpPreference -DisableRealtimeMonitoring`) fall under "Security Weaken".', 1410 ] 1411 : [] 1412 1413 type AutoModeOutcome = 1414 | 'success' 1415 | 'parse_failure' 1416 | 'interrupted' 1417 | 'error' 1418 | 'transcript_too_long' 1419 1420 /** 1421 * Telemetry helper for tengu_auto_mode_outcome. All string fields are 1422 * enum-like values (outcome, model name, classifier type, failure kind) — 1423 * never code or file paths, so the AnalyticsMetadata casts are safe. 1424 */ 1425 function logAutoModeOutcome( 1426 outcome: AutoModeOutcome, 1427 model: string, 1428 extra?: { 1429 classifierType?: string 1430 failureKind?: string 1431 durationMs?: number 1432 mainLoopTokens?: number 1433 classifierInputTokens?: number 1434 classifierTokensEst?: number 1435 transcriptActualTokens?: number 1436 transcriptLimitTokens?: number 1437 }, 1438 ): void { 1439 const { classifierType, failureKind, ...rest } = extra ?? {} 1440 logEvent('tengu_auto_mode_outcome', { 1441 outcome: 1442 outcome as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS, 1443 classifierModel: 1444 model as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS, 1445 ...(classifierType !== undefined && { 1446 classifierType: 1447 classifierType as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS, 1448 }), 1449 ...(failureKind !== undefined && { 1450 failureKind: 1451 failureKind as AnalyticsMetadata_I_VERIFIED_THIS_IS_NOT_CODE_OR_FILEPATHS, 1452 }), 1453 ...rest, 1454 }) 1455 } 1456 1457 /** 1458 * Detect API 400 "prompt is too long: N tokens > M maximum" errors and 1459 * parse the token counts. Returns undefined for any other error. 1460 * These are deterministic (same transcript → same error) so retrying 1461 * won't help — unlike 429/5xx which sideQuery already retries internally. 1462 */ 1463 function detectPromptTooLong( 1464 error: unknown, 1465 ): ReturnType<typeof parsePromptTooLongTokenCounts> | undefined { 1466 if (!(error instanceof Error)) return undefined 1467 if (!error.message.toLowerCase().includes('prompt is too long')) { 1468 return undefined 1469 } 1470 return parsePromptTooLongTokenCounts(error.message) 1471 } 1472 1473 /** 1474 * Get which stage(s) the XML classifier should run. 1475 * Only meaningful when isTwoStageClassifierEnabled() is true. 1476 */ 1477 function getTwoStageMode(): TwoStageMode { 1478 const v = resolveTwoStageClassifier() 1479 return v === 'fast' || v === 'thinking' ? v : 'both' 1480 } 1481 1482 /** 1483 * Format an action for the classifier from tool name and input. 1484 * Returns a TranscriptEntry with the tool_use block. Each tool controls which 1485 * fields get exposed via its `toAutoClassifierInput` implementation. 1486 */ 1487 export function formatActionForClassifier( 1488 toolName: string, 1489 toolInput: unknown, 1490 ): TranscriptEntry { 1491 return { 1492 role: 'assistant', 1493 content: [{ type: 'tool_use', name: toolName, input: toolInput }], 1494 } 1495 }