@beingmartinbmc/ojas 0.2.0

package/docs/CONFIGURATION.md

@@ -0,0 +1,305 @@
+# SDK Configuration
+
+For embedding Ojas in your own TypeScript / Node runtime. If you only want to use the MCP server, see [`MCP.md`](./MCP.md) instead.
+
+| Section | What's inside |
+|---|---|
+| [Agent Adapter Interface](#adapter) | The single contract Ojas needs to bind to any agent framework |
+| [Continuous Monitoring](#monitoring) | Background health checks + alert callbacks |
+| [Full configuration](#config) | Every policy field, with defaults and validation rules |
+| [Retention caps](#retention) | Hard caps on every internal store so long-running agents stay bounded |
+| [Project structure](#structure) | How `src/`, `benchmarks/`, `test/`, and `docs/` are organised |
+
+---
+
+<a id="adapter"></a>
+## Agent Adapter Interface
+
+Ojas can bind to any agent that implements `AgentAdapter`.
+
+```typescript
+interface AgentAdapter {
+  id: string;
+  process(input: string, context: ContextItem[], signal?: AbortSignal): Promise<AgentResponse>;
+  getState(): Promise<AgentState>;
+  injectMemory(memory: ConsolidatedMemory): Promise<void>;
+}
+```
+
+The optional `signal` parameter enables cooperative cancellation. When
+Vyayam's stress-test timeout fires, it aborts the signal so agents that
+check it can stop in-flight work immediately. Agents that ignore the
+signal still get a timeout result but don't crash (backward-compatible).
+
+This keeps Ojas independent of any specific agent framework. Binding is one call:
+
+```typescript
+const ojas = new Ojas({ agentId: 'my-agent' });
+ojas.bind(myAgent);
+```
+
+`injectMemory` is invoked once per consolidated memory during `recover()`. If your agent has a write-through memory cache, `injectMemory` is where you should write to it. **Throwing from `injectMemory` aborts the recovery cycle before Nidra commits** — this is the transactional guarantee.
+
+---
+
+<a id="monitoring"></a>
+## Continuous Monitoring
+
+```typescript
+ojas.startMonitoring((report) => {
+  console.log(`Aahar: ${report.moduleScores.aahar} / 100`);
+  console.log(`Raksha: ${report.moduleScores.raksha} / 100`);
+
+  const critical = report.recommendations.some(
+    (recommendation) => recommendation.severity === 'critical'
+  );
+
+  if (critical) {
+    alert('Agent health critical');
+  }
+});
+```
+
+Monitoring can trigger recovery when drift or degradation exceeds configured thresholds.
+
+---
+
+<a id="config"></a>
+## Full configuration
+
+```typescript
+const ojas = new Ojas({
+  agentId: 'my-agent',
+
+  nutrition: {
+    maxContextTokens: 4096,
+    relevanceThreshold: 0.3,
+    freshnessWindowSec: 3600,
+    maxContextItems: 20,
+    targetSignalToNoise: 0.7,
+    maxHistory: 1_000,                 // bound Aahar filter-history retention
+  },
+
+  recovery: {
+    minTracesForConsolidation: 10,
+    recoveryIntervalSec: 300,
+    maxDriftThreshold: 0.6,
+    failureWindowSize: 50,
+    retentionConfidence: 0.5,
+    maxTraces: 10_000,                 // bound Nidra trace store
+    maxMemories: 5_000,                // bound consolidated-memory store
+    maxProcessedTraceIds: 10_000,
+    maxCycleHistory: 1_000,
+  },
+
+  resilience: {
+    stressIntervalSec: 600,
+    scenariosPerCycle: 5,
+    minResilienceThreshold: 0.4,
+    progressiveDifficulty: true,
+    maxIntensity: 0.8,
+    maxResults: 1_000,
+    maxScenarioDurationMs: 30_000,     // per-scenario timeout; hangs become failures
+  },
+
+  defense: {
+    quarantineThreshold: 0.7,
+    warnThreshold: 0.35,
+    protectInstructionHierarchy: true,
+    maxAssessments: 5_000,
+    maxEvents: 1_000,
+  },
+
+  metabolism: {
+    targetTokensPerTask: 4096,
+    maxLatencyMs: 5000,
+    maxToolCallsPerTask: 8,
+    highRiskReasoningBoost: 0.25,
+    maxTraces: 10_000,
+    targetCostUsdPerTask: 0.05,        // optional; enables cost-pressure component
+  },
+
+  telemetry: {
+    maxRecentEvents: 1000,
+    degradationThreshold: 0.6,
+  },
+
+  rehabilitation: {
+    autoRepairEnabled: false,
+    criticalRequiresHuman: true,
+    maxProtocolsPerCycle: 5,
+    maxProtocols: 1_000,
+  },
+
+  maxHealthHistory: 1_000,
+
+  // Empirical calibration model (produced by L3 pipeline)
+  // When set, healthCheck() applies this model for `empirical_calibrated` scores
+  calibrationModel: deserializeCalibrationModel(jsonFromL3Run),
+});
+```
+
+### Raksha classifier plugins
+
+```typescript
+import { OnnxPromptInjectionClassifier, HttpPromptInjectionClassifier } from '@beingmartinbmc/ojas/raksha/classifiers';
+
+const ojas = new Ojas({
+  agentId: 'my-agent',
+  defense: {
+    quarantineThreshold: 0.7,
+    classifiers: [
+      new OnnxPromptInjectionClassifier({
+        modelPath: './models/prompt-injection.onnx',
+      }),
+      new HttpPromptInjectionClassifier({
+        url: 'https://my-classifier.example.com/classify',
+        apiKey: process.env.CLASSIFIER_API_KEY,
+      }),
+    ],
+  },
+});
+```
+
+Classifiers run asynchronously after the rule-based stack. The highest
+probability (rule-based or classifier) wins. Classifier errors are caught
+and logged — they never block the main assessment.
+
+### Persistence with encryption
+
+```typescript
+import { SQLitePersistenceStore } from '@beingmartinbmc/ojas/persistence/sqlite';
+
+const store = new SQLitePersistenceStore({
+  dbPath: './ojas-data.db',
+  encryptionKey: process.env.OJAS_DB_KEY,  // optional; requires SQLCipher build
+});
+
+// Hot backup:
+await store.backup('/backups/ojas-snapshot.db');
+
+// Restore from backup:
+await store.restore('/backups/ojas-snapshot.db');
+```
+
+### Calibration model loading
+
+```typescript
+import { deserializeCalibrationModel } from '@beingmartinbmc/ojas/util/calibration';
+import calibrationJson from './benchmarks/results/l3/latest/calibration-model.json';
+
+const ojas = new Ojas({
+  agentId: 'my-agent',
+  calibrationModel: deserializeCalibrationModel(calibrationJson),
+});
+
+// healthCheck() now returns basis: 'empirical_calibrated'
+```
+
+> **Validation is strict at construction.** Negative thresholds, non-finite numbers (`NaN`, `Infinity`), and non-integer counts throw with a clear error naming the offending field. The same validation runs on every `updatePolicy()` call.
+
+---
+
+<a id="retention"></a>
+## Retention caps
+
+Every internal store has a hard cap so long-running agents stay bounded in memory. Each cap evicts oldest-first (FIFO) when exceeded.
+
+| Store | Field | Default |
+|---|---|---|
+| Aahar filter history | `nutrition.maxHistory` | 1 000 |
+| Nidra traces | `recovery.maxTraces` | 10 000 |
+| Nidra memories | `recovery.maxMemories` | 5 000 |
+| Nidra processed-trace IDs | `recovery.maxProcessedTraceIds` | 10 000 |
+| Nidra cycle history | `recovery.maxCycleHistory` | 1 000 |
+| Vyayam stress results | `resilience.maxResults` | 1 000 |
+| Raksha assessments | `defense.maxAssessments` | 5 000 |
+| Raksha events | `defense.maxEvents` | 1 000 |
+| Agni traces | `metabolism.maxTraces` | 10 000 |
+| Chikitsa protocols | `rehabilitation.maxProtocols` | 1 000 |
+| Ojas health reports | `maxHealthHistory` | 1 000 |
+
+The registry (when used through the MCP server) has its own cap, `OJAS_MAX_AGENTS` — see [`MCP.md`](./MCP.md#env).
+
+---
+
+<a id="structure"></a>
+## Project structure
+
+```text
+ojas/
+├── src/
+│   ├── index.ts              # Unified Ojas runtime and module scoring
+│   ├── types.ts              # Shared types and canonical health event schemas
+│   ├── aahar/index.ts        # Cognitive Nutrition engine
+│   ├── nidra/index.ts        # Recovery and Consolidation engine
+│   ├── vyayam/index.ts       # Resilience and Stress engine
+│   ├── raksha/index.ts       # Immune Defense engine
+│   ├── agni/index.ts         # Cognitive Metabolism engine
+│   ├── pulse/index.ts        # Health Telemetry engine
+│   ├── chikitsa/index.ts     # Repair and Rehabilitation engine
+│   ├── mcp/
+│   │   ├── server.ts         # Stdio MCP server wiring (18 tools)
+│   │   ├── registry.ts       # agent_id → Ojas instance + health contract
+│   │   ├── contracts.ts      # HealthContract, risk levels, health-state classifier
+│   │   ├── trace.ts          # Runtime trace event taxonomy (17 event types)
+│   │   ├── envelope.ts       # Standard Ojas response envelope
+│   │   ├── audit.ts          # Structured JSONL audit logger
+│   │   └── tools/            # Grouped MCP tool registrations by domain
+│   ├── agni/
+│   │   ├── model-router.ts
+│   │   ├── response-distiller.ts
+│   │   └── tiktoken-adapter.ts
+│   ├── raksha/
+│   │   ├── hallucination-detectors.ts
+│   │   ├── prompt-injection-detectors.ts
+│   │   └── classifiers/      # PromptInjectionClassifier adapters
+│   │       ├── onnx-classifier.ts   # Bundled ONNX model inference
+│   │       ├── http-classifier.ts   # External HTTP API adapter
+│   │       └── index.ts
+│   ├── persistence/
+│   │   ├── sqlite.ts         # SQLite persistence (backup, encryption)
+│   │   ├── migrations.ts     # Schema migrations
+│   │   └── types.ts          # PersistenceStore interface
+│   ├── vyayam/tool-fault-proxy.ts
+│   ├── util/
+│   │   ├── calibration.ts    # Isotonic regression, serialization
+│   │   └── id.ts
+│   └── demo.ts               # End-to-end interactive demo
+├── benchmarks/
+│   ├── agents/               # Synthetic vulnerable AgentAdapters
+│   ├── fixtures/             # Retrieval-QA fixture corpus
+│   ├── scenarios/            # Attack prompts, polluted contexts, memory candidates
+│   ├── suites/               # 11 benchmark suites (L2 + L2.5)
+│   │   ├── ablation.ts       # Module ablation matrix
+│   │   ├── flaky-tool.ts     # Non-deterministic fault injection
+│   │   └── ...               # + injection, retrieval-qa, calibration, etc.
+│   ├── util/                 # Seeded PRNG and bootstrap statistics
+│   ├── runner.ts             # `npm run benchmark` entrypoint (--real-tokenizer, --store-transcripts)
+│   ├── l3-runner.ts          # Full L3 pipeline (real-LLM + judge + transcripts)
+│   ├── verify-evidence.ts    # CI gate: evidence matrix + L3 freshness
+│   ├── report.ts             # Console / Markdown / JSON renderers
+│   └── results/latest.json
+├── test/
+│   └── *.test.ts             # 32 Jest suites covering runtime, modules, MCP, benchmarks, examples
+├── examples/
+│   ├── before-after.ts       # Deterministic before/after demo
+│   ├── langchain-adapter.ts  # LangChain integration example
+│   ├── openai-agents-adapter.ts  # OpenAI Agents SDK integration
+│   ├── vercel-ai-adapter.ts  # Vercel AI SDK middleware example
+│   └── mcp-client-workflow.ts    # End-to-end MCP client workflow
+├── docs/
+│   ├── MODULES.md            # Module deep-dives + health events
+│   ├── MCP.md                # MCP server, tools, envelope, usage loop
+│   ├── CONFIGURATION.md      # This file
+│   ├── ARCHITECTURE.md       # Architecture diagram, principles, philosophy
+│   ├── EVIDENCE.md           # Auto-generated reproducible-evidence document
+│   ├── EVIDENCE_MATRIX.md    # Evidence levels and claim-by-claim limitations
+│   ├── KNOWN_FAILURES.md     # Known limitations and remaining failure modes
+│   ├── BACKLOG.md            # Honest list of deferred work
+│   └── SECURITY.md           # Trust model and security posture
+├── LICENSE
+├── package.json
+├── tsconfig.json
+└── jest.config.js
+```

package/docs/EVIDENCE.md

@@ -0,0 +1,232 @@
+# Ojas — Evidence Harness Results
+
+> **Auto-generated by `npm run benchmark:write`. Do not edit by hand.**
+
+- **ojas**: `0.2.0`
+- **node**: `v24.15.0`
+- **timestamp**: 2026-05-14T08:51:51.214Z
+- **suites**: 11/11 passed — targeted failure suites improved and diagnostic/no-regression suites met their acceptance criteria.
+
+## What this measures
+
+11 A/B benchmarks comparing a deliberately vulnerable agent running **without Ojas** vs the **same agent + Ojas**. Suites 1–7 are L2 single-run regressions (prompt injection, context pollution, tool loops, memory safety, cognitive drift, stress resilience, cost pressure). Suite 8 is L2.5 — a realistic retrieval-QA benchmark with **seeded fixtures**, **bootstrap 95 % confidence intervals** across multiple seeds, and **per-scenario raw rows** written to `benchmarks/results/raw/*.jsonl` on `npm run benchmark:write`. See `docs/EVIDENCE_MATRIX.md` for the evidence ladder and `docs/KNOWN_FAILURES.md` for the failure modes these benchmarks deliberately do *not* probe.
+
+> The vulnerable agents are synthetic and have explicitly-programmed failure modes. These benchmarks prove that Ojas's detection and recovery mechanisms work as designed against canonical failure patterns. Production performance depends on the real agent's vulnerabilities and on tuning the Ojas policies for your workload. The harness is seeded via `OJAS_BENCH_SEED`; the project-default seed is reproduced on every CI run.
+
+## Summary
+
+| # | Suite | Modules | Pass |
+|---|---|---|---|
+| 1 | Prompt-injection resistance | raksha, aahar | ✅ |
+| 2 | Context pollution survival | aahar | ✅ |
+| 3 | Tool-failure loop detection | pulse, nidra, chikitsa | ✅ |
+| 4 | Memory-write safety | raksha, nidra | ✅ |
+| 5 | Cognitive drift detection | nidra, pulse | ✅ |
+| 6 | Vyayam resilience under stress | vyayam, raksha, aahar | ✅ |
+| 7 | Cost pressure on bloated contexts | aahar, agni | ✅ |
+| 8 | Retrieval-QA realistic synthetic benchmark (L2.5) | aahar, raksha | ✅ |
+| 9 | Health-score calibration (L2.5) | aahar, nidra, vyayam, raksha, agni, pulse, chikitsa | ✅ |
+| 10 | Ablation matrix — per-module contribution | raksha, aahar, nidra, vyayam, agni, pulse | ✅ |
+| 11 | Flaky-tool resilience | vyayam, pulse | ✅ |
+
+## Per-suite results
+
+### 1. Prompt-injection resistance  ✅
+
+*Modules: raksha, aahar*
+
+33 adversarial inputs across direct override, markup boundary, role confusion, memory poisoning, authority claim, embedded, obfuscated, and policy-laundering categories — evaluated against 30 benign controls across plain technical docs, security-topic discussions, Cyrillic/Greek prose, JWT-like base64 tokens, and marketing / customer-support copy to surface false_positive_rate honestly.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `attacks_succeeded` | 19/33 | 0/33 |  | ↓ |
+| `compliance_rate` | 57.6 % | 0 % | −100.0% | ↓ |
+| `attacks_quarantined_by_raksha` | 0/33 | 33/33 | 100.0% | ↑ |
+| `benign_controls_preserved` | 30/30 | 30/30 |  | ✓ |
+| `false_positive_rate` | 0 | 0 | 0.0% | ↓ |
+
+> Every adversarial input was caught by Raksha.
+> false_positive_rate = 0.0% on 30 benign controls (tolerance ≤ 5%).
+
+### 2. Context pollution survival  ✅
+
+*Modules: aahar*
+
+2 fixtures of mixed-quality retrieval (signal + noise + duplicates + stale items) fed to a NoisyAgent.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `signal_to_noise_ratio` | 0.53 | 1 | 1.9× | ↑ |
+| `tokens_spent` | 3540 tokens | 1340 tokens | −62.1% | ↓ |
+| `agent_confidence` | 0.54 | 0.76 | −47.9% | ↑ |
+| `duplicates_reaching_agent` | 1 | 0 |  | ↓ |
+
+> Ojas dropped 2200 wasted context tokens across 2 fixtures.
+
+### 3. Tool-failure loop detection  ✅
+
+*Modules: pulse, nidra, chikitsa*
+
+3 simulated tools whose calls always fail. Measures how quickly Ojas detects the loop and whether Chikitsa emits a usable repair plan.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `avg_failures_before_intervention` | 20 failures | 2 failures |  | ↓ |
+| `repair_protocols_emitted` | 0/3 | 3/3 |  | ↑ |
+| `repair_includes_fallback_action` | 0/3 | 3/3 |  | ↑ |
+
+### 4. Memory-write safety  ✅
+
+*Modules: raksha, nidra*
+
+16 candidate memory writes (mix of safe / low-confidence / injection-tainted) evaluated by the policy used by ojas_validate_memory_write.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `malicious_writes_committed` | 6/6 | 1/6 |  | ↓ |
+| `low_confidence_downgraded_to_session_note` | 0/5 | 5/5 |  | ↑ |
+| `safe_writes_preserved` | 5/5 | 5/5 |  | ✓ |
+| `total_writes_evaluated` | 16 | 16 |  | − |
+
+### 5. Cognitive drift detection  ✅
+
+*Modules: nidra, pulse*
+
+5 simulated long-horizon sessions of 40 traces each, with monotonically increasing failure probability. Measures how many traces Nidra needs before flagging drift.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `drift_detection_runs` | 0/5 | 5/5 |  | ↑ |
+| `avg_traces_until_detection` | ∞ (no detector) traces | 19.6 traces |  | ↓ |
+| `recovery_recommended_after_detection` | never | always |  | ✓ |
+
+### 6. Vyayam resilience under stress  ✅
+
+*Modules: vyayam, raksha, aahar*
+
+All 8 Vyayam stress types (intensity 0.7) executed against the raw NaiveComplianceAgent vs the same agent wrapped in an Ojas shield (Raksha + Aahar pre-filter).
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `stress_scenarios_passed` | 7/8 | 7/8 |  | ↑ |
+| `hallucinations_detected` | 0 | 0 |  | ↓ |
+| `secret_leaks_under_stress` | 0 | 0 |  | ↓ |
+
+> Pass kind: `no_regression`.
+
+> Baseline and Ojas pass the same number of Vyayam stressors at this intensity, so this suite demonstrates **no regression** from inserting Ojas into the pipeline rather than a targeted improvement. See suites 1 and 4 for the contrastive proof against more targeted attacks.
+
+### 7. Cost pressure on bloated contexts  ✅
+
+*Modules: aahar, agni*
+
+3 heavy-retrieval tasks (5 signal items + 60 noise items each) compared with and without Aahar pre-filtering. Cost pressure is measured by Agni.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `avg_tokens_per_complex_task` | 12680 tokens | 680 tokens | −94.6% | ↓ |
+| `avg_latency_ms` | 320 ms | 80 ms | −75.0% | ↓ |
+| `agni_cost_pressure` | 0.02 | 0 |  | ↓ |
+
+### 8. Retrieval-QA realistic synthetic benchmark (L2.5)  ✅
+
+*Modules: aahar, raksha*
+
+20 questions × 5 seeded shuffles = 100 trials per config. Each scenario mixes 1 relevant + 8 benign-noisy + 1 adversarial doc(s) and feeds the same set to QAAgent baseline vs Ojas-filtered. Bootstrap 95% CIs across 1000 resamples.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `task_success_rate` | 0.35 [0.260, 0.440] | 0.95 [0.910, 0.990] | +60.0pp | ↑ |
+| `relevant_context_recall` | 1 | 1 | 0.0pp | ↑ |
+| `irrelevant_context_rejection` | 0 | 1 | +100.0pp | ↑ |
+| `adversarial_inclusion_rate` | 1 | 0.11 [0.050, 0.180] | −89.0pp | ↓ |
+| `adversarial_leak_rate` | 0.65 [0.550, 0.740] | 0 | −65.0pp | ↓ |
+| `relevant_doc_drop_rate` | 0 | 0 | 0.0pp | ↓ |
+
+> Seeds: `[101, 202, 303, 404, 505]` · evidence level `L2.5` · pass kind `improvement` · CI bounds in brackets are bootstrap 95% intervals across these seeds.
+
+> relevant_doc_drop_rate = 0.0% (Aahar dropped the answer-bearing doc this often; tolerance ≤ 5%). This is *not* a generic false-positive rate over the benign corpus — it's specifically the answer-doc-recall failure rate.
+> Raw per-scenario rows: benchmarks/results/raw/retrieval-qa-<timestamp>.jsonl (one row per scenario × config).
+> Limitations: deterministic QAAgent (not a real LLM); keyword answer matching; fixed corpus. Set OJAS_BENCH_LLM=1 with an OpenAI-compatible provider to run the opt-in real-LLM path.
+
+### 9. Health-score calibration (L2.5)  ✅
+
+*Modules: aahar, nidra, vyayam, raksha, agni, pulse, chikitsa*
+
+5 seeds × 100 synthetic agent instances per seed = 500 (latent-quality, Ojas-score, failure-outcome) triples. Each instance is fed synthetic traces / threat assessments scaled by its latent quality q ∈ [0,1]; the ground-truth failure outcome uses a different weight formula than Ojas, so a positive result is evidence that the score is meaningful, not just self-consistent.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `spearman_rho_score_vs_failure` | 0 | -0.313 | -0.313 | ↓ |
+| `score_range_observed_min` | n/a | 0.306 |  | − |
+| `score_range_observed_max` | n/a | 0.869 |  | − |
+| `failure_rate_bucket_[0.0,0.2)` | n/a | empty |  | − |
+| `failure_rate_bucket_[0.2,0.4)` | n/a | 0.667 |  | − |
+| `failure_rate_bucket_[0.4,0.6)` | n/a | 0.57 |  | − |
+| `failure_rate_bucket_[0.6,0.8)` | n/a | 0.392 |  | − |
+| `failure_rate_bucket_[0.8,1.0]` | n/a | 0.242 |  | − |
+| `monotonicity_holds` | n/a | yes |  | ✓ |
+| `isotonic_bins` | n/a | 16 |  | − |
+| `brier_score_raw_vs_synthetic_success` | n/a | 0.23 |  | ↓ |
+| `brier_score_isotonic_calibrated` | 0.23 | 0.219 | 0.011 | ↓ |
+
+> Seeds: `[101, 202, 303, 404, 505]` · evidence level `L2.5` · pass kind `diagnostic` · CI bounds in brackets are bootstrap 95% intervals across these seeds.
+
+> Spearman ρ = -0.313 (target ≤ -0.2 — clearly negative). Score has real but modest predictive power.
+> Observed score range: [0.306, 0.869]. **Calibration finding:** Ojas's overall score is *squashed* into this band even for synthetic agents driven to extreme quality / unhealthiness. Operator implication: treat <0.4 as "very unhealthy" and >0.8 as "very healthy"; interpret deltas inside the band, not the absolute numbers.
+> Bucket failure rates: [0.0, 0.2)=empty (n=0), [0.2, 0.4)=67% (n=93), [0.4, 0.6)=57% (n=165), [0.6, 0.8)=39% (n=176), [0.8, 1.0]=24% (n=66).
+> Monotonicity: holds within 5pp slack.
+> Synthetic isotonic calibration: 16 bins, Brier 0.230 raw → 0.219 calibrated. This validates an advisory diagnostic mapping on the synthetic suite only, not a production probability model.
+> Limitations: synthetic q→telemetry mapping; not validated against real LLM degradation. See docs/EVIDENCE_MATRIX.md and docs/KNOWN_FAILURES.md.
+
+### 10. Ablation matrix — per-module contribution  ✅
+
+*Modules: raksha, aahar, nidra, vyayam, agni, pulse*
+
+Disables each Ojas module individually and measures the impact on injection catch rate and token retention.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `injections_caught_full` | 0/10 attacks | 10/10 attacks |  | ↑ |
+| `raksha_contribution` | 0 | 10 | +10 catches | ↑ |
+| `tokens_retained_full` | 7600 tokens | 4000 tokens |  | ↓ |
+| `aahar_contribution` | 7600 | 4000 | -3600 tokens | ↓ |
+
+> Pass kind: `diagnostic`.
+
+> Ablation matrix: each row disables one module and measures the delta.
+> Raksha contributes +10 injection catches.
+> Aahar reduces retained tokens by 3600.
+
+### 11. Flaky-tool resilience  ✅
+
+*Modules: vyayam, pulse*
+
+Non-deterministic fault profiles (intermittent 500s, high latency, connection resets, mixed chaos) applied via ToolFaultProxy. Measures graceful degradation and health score sensitivity.
+
+| Metric | Baseline | With Ojas | Δ | Better |
+|---|---:|---:|---:|:---:|
+| `total_runs` | 32 | 32 |  | − |
+| `faults_injected` | 0 | 9 |  | − |
+| `crashes_handled` | 0 crashes | 2 crashes |  | − |
+| `fault_injection_rate` | 0 | 0.281 |  | − |
+| `degradation_detection_rate` | 0 | 0 |  | ↑ |
+
+> Pass kind: `diagnostic`.
+
+> Tested 4 flaky-tool profiles × 8 runs each.
+> 9 faults injected across 32 runs (28.1% fault rate).
+> 2 throw-mode crashes handled gracefully.
+
+## Reproduce
+
+```bash
+npm install
+npm run build                  # produces dist/
+npm run benchmark              # prints the console table (project-default seed)
+npm run benchmark:write        # regenerates docs/EVIDENCE.md, benchmarks/results/latest.json,
+                               # and benchmarks/results/raw/*.jsonl per-scenario rows
+OJAS_BENCH_SEED=4242 npm run benchmark  # override the seed to test seed sensitivity
+```
+
+Source: `@benchmarks/runner.ts`, `@benchmarks/suites/`, `@benchmarks/fixtures/`. Seeded PRNG: `@benchmarks/util/prng.ts`. Bootstrap CIs: `@benchmarks/util/stats.ts`.