docs: add amoral model containment playbook#22283
Conversation
BrianCLong
added
the
codex
ChatGPT Codex Connector
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 23 minutes and 43 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a comprehensive security playbook for amoral model containment, establishing a multi-layered control architecture and incident response framework for high-risk intents. The review feedback focuses on improving technical precision and consistency, specifically by clarifying that blocked intents are terminated before routing, standardizing terminology for retrieval budgets, and ensuring that the SEV-1 definition aligns with all identified Category-A risks.
| - child sexual abuse material or non-consensual sexual exploitation, | ||
| - extremist hate recruitment. | ||
|
|
||
| For Summit, these are all **Category-A blocked intents**. They are never fulfilled, never transformed into “better prompts,” and never routed to a weaker model. |
There was a problem hiding this comment.
The phrase "never routed to a weaker model" is slightly ambiguous. Since Category-A intents are "never fulfilled," they should be terminated immediately. Explicitly stating that they are blocked before model routing provides a clearer security guarantee.
| For Summit, these are all **Category-A blocked intents**. They are never fulfilled, never transformed into “better prompts,” and never routed to a weaker model. | |
| For Summit, these are all **Category-A blocked intents**. They are never fulfilled, never transformed into “better prompts,” and are terminated before model routing. |
|
|
||
| - Parse user input into typed intents. | ||
| - Reject direct weaponization, terror ops, sexual exploitation, hate recruitment, and disinformation facilitation intents. | ||
| - Enforce evidence budget and deterministic query limits for any graph retrieval. |
There was a problem hiding this comment.
The term "evidence budget" is not standard in LLM security. Replacing it with "retrieval context budget" or "token budget" makes the control more actionable for engineering teams.
| - Enforce evidence budget and deterministic query limits for any graph retrieval. | |
| - Enforce retrieval context budgets and deterministic query limits for any graph retrieval. |
|
|
||
| - Strip or quarantine operational details that increase attacker capability. | ||
| - Require safe reframing templates (defensive, educational, legal, de-escalatory). | ||
| - Ban latent jailbreak payloads in system/developer/user merged prompt views. |
There was a problem hiding this comment.
In the "Guard" layer, "Ban" is a policy requirement. Using "Detect and strip" more accurately describes the active mitigation expected at this layer to prevent jailbreak payloads from reaching the model.
| - Ban latent jailbreak payloads in system/developer/user merged prompt views. | |
| - Detect and strip latent jailbreak payloads in system/developer/user merged prompt views. |
|
|
||
| ### Triage Severity | ||
|
|
||
| - **SEV-1**: actionable violent/extremist/weapons/sexual exploitation guidance. |
There was a problem hiding this comment.
The SEV-1 definition should include all Category-A intents (like misinformation and insider-threat planning) to ensure consistent incident response for all critical risks identified in the problem statement.
| - **SEV-1**: actionable violent/extremist/weapons/sexual exploitation guidance. | |
| - **SEV-1**: actionable Category-A violations (violence, extremism, weapons, sexual exploitation, misinformation, insider-threat). |
## Summary Rebuilds the golden-main merge train from a clean `main` base and converges the currently mergeable PR set into one replacement branch. This branch absorbs: - #22296 - #22279 - #22281 - #22282 - #22283 - #22284 - #22285 - #22295 - #22297 - #22286 - #22291 - #22280 - #22277 - unique non-conflicting surfaces from #22241 - the admissibility/CACert/failure-demo runtime lane from #22314 This branch supersedes: - #22298 as the contaminated/conflicting convergence branch - #22277 as a standalone merge vehicle - #22241 as the broad mixed-purpose convergence vehicle once remaining review is complete - #22314 as the standalone admissibility lane now folded into the golden path This branch intentionally excludes: - #22292 because it targets `merge-surge/staging`, not `main` ## Conflict policy used while absorbing #22241 When merging `#22241` on top of the cleaned train, the following files conflicted and were resolved in favor of the current train versions so the newer focused CI/governance repairs remain authoritative: - `.github/ci/required-checks.json` - `.github/workflows/drift-sentinel.yml` - `.github/workflows/pr-gate.yml` - `docs/ci/REQUIRED_CHECKS_POLICY.yml` - `pnpm-lock.yaml` - `scripts/ci/check_branch_protection_drift.mjs` - `scripts/ci/validate_workflows.mjs` All other `#22241` changes merged on top of the train. ## Mapping Change Summary This convergence branch updates workflow, schema, and governance contracts that control merge eligibility, admissibility evidence, and deterministic trust artifacts. ## Diff - Added admissibility/evidence/CACert surfaces including `packages/evidence/schemas/decision_trace.schema.json` - Tightened golden-lane workflow policy and drift handling in `.github/workflows/_policy-enforcer.yml`, `.github/workflows/execution-graph-reconciliation.yml`, `.github/workflows/post-ga-hardening-enforcement.yml`, `.github/workflows/merge-surge.yml`, `.github/workflows/control-plane-drift.yml` - Realigned governance state in `governance/pilot-ci-policy.json` and `governance/branch-protection.json` - Repaired deterministic reconciliation verification in `scripts/ci/verify_execution_graph_reconciliation.mjs` and `scripts/ci/drift-sentinel.mjs` ## Justification The repo needed one mergeable replacement lane that restores deterministic governance checks, folds the admissibility implementation into the golden path, and suppresses broken optional PR workflows that were blocking convergence without being canonical required checks. ## Impact - Canonical pilot checks remain `pr-gate / gate` and `drift-sentinel / enforce` - Merge-train branches no longer fail ordinary small-PR enforcement gates by construction - Optional broken workflows are narrowed to their owned surfaces so they stop contaminating this convergence lane and the immediate post-merge main push - Execution-graph reconciliation now accepts the repo’s canonical snake_case trust bundle fields ## Rollback Plan Revert commit `ce32b96c0f` from `merge-train/golden-main-20260331-final`, then rerun the prior golden-lane checks and restore the previous PR body. ## Backfill Plan After the lane is green, backfill the same workflow scoping and governance-contract repairs into any surviving PRs that still touch `.github/workflows/**` or governance surfaces, then close superseded PRs against `#22309`. ## Validation Evidence Local validation completed: - `node scripts/ci/drift-sentinel.mjs` - `ruby -e 'require "yaml"; ... YAML.load_file(...)'` over all edited workflow files - `jq . governance/pilot-ci-policy.json` - `jq . governance/branch-protection.json` - merge-marker scan over all edited files returned clean ## Notes - Live GitHub PR checks on the open PR set are being converged through this single branch instead of salvaging each broken lane independently. - I did not run the full local verification matrix in this session; this PR is intended to give the repo one clean convergence lane for CI and human review. - After this PR lands, the absorbed PRs should be closed as superseded. --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> Co-authored-by: Bot <bot@summit.ai> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Gemini CLI <gemini-cli@google.com>
|
Superseded by #22309, which is now merged into main. |
Pull request was closed
1 participant
Motivation
Description
docs/security/AMORAL_MODEL_CONTAINMENT_PLAYBOOK.mdwhich defines Category‑A blocked intents, reclassifies legacy bypasses as "Governed Exceptions" with mandatory controls, and specifies a 4‑layer control architecture (Intent Compilation Gate, Prompt Construction Guard, Model Output Policy Gate, Human Escalation + Audit) plus MAESTRO alignment, tiered verification (Tier A/B/C), and an incident response runbook.{
"agentId": "antigravity",
"change_type": "docs",
"scope": "security",
"artifacts": ["docs/security/AMORAL_MODEL_CONTAINMENT_PLAYBOOK.md"]
}
Testing
pnpm exec prettier --check docs/security/AMORAL_MODEL_CONTAINMENT_PLAYBOOK.mdsucceeded.Codex Task