@gaia-minds/assistant-cli 0.1.0 → 0.2.0

package/tools/agent-alignment.py

@@ -0,0 +1,888 @@
+#!/usr/bin/env python3
+"""Alignment checker for the Gaia Minds self-evolving agent.
+
+Evaluates proposed actions against Constitutional values using a two-tier
+approach:
+
+  Tier 1 (rule-based) -- always runs, fast, deterministic.
+  Tier 2 (LLM-based)  -- runs when an Anthropic client is provided, uses
+                          Claude to evaluate nuanced alignment questions.
+
+The alignment checker NEVER executes actions.  It only evaluates and returns
+an AlignmentResult indicating whether the action should proceed.
+
+Usage as a library:
+    from tools import agent_alignment  # or however the agent-loop imports it
+    result = agent_alignment.check_alignment(action, constitution, memory)
+
+Usage standalone (self-test):
+    python3 tools/agent-alignment.py
+"""
+
+import json
+import re
+import sys
+from dataclasses import dataclass, asdict
+from pathlib import Path
+from typing import Any, Dict, List, Optional
+
+# Try to import the Anthropic SDK.  If unavailable, Tier 2 checks are
+# silently skipped and the module falls back to rule-based checks only.
+try:
+    import anthropic  # noqa: F401
+
+    _HAS_ANTHROPIC = True
+except ImportError:
+    _HAS_ANTHROPIC = False
+
+# Try to import PyYAML for config parsing.  Fall back to a minimal inline
+# parser if unavailable.
+try:
+    import yaml  # noqa: F401
+
+    _HAS_YAML = True
+except ImportError:
+    _HAS_YAML = False
+
+# ---------------------------------------------------------------------------
+# Constants
+# ---------------------------------------------------------------------------
+
+SCRIPT_DIR = Path(__file__).resolve().parent
+REPO_ROOT = SCRIPT_DIR.parent
+CONFIG_PATH = SCRIPT_DIR / "agent-config.yml"
+CONSTITUTION_PATH = REPO_ROOT / "CONSTITUTION.md"
+
+# Module-level cache for the constitution text
+_constitution_cache: Optional[str] = None
+
+# Module-level cache for the parsed config
+_config_cache: Optional[Dict[str, Any]] = None
+
+# Risk level ordering (lower index = lower risk)
+RISK_LEVELS = ("low", "medium", "high", "forbidden")
+
+# Safety-critical file patterns that must never be deleted or tampered with
+SAFETY_FILE_PATTERNS: List[re.Pattern] = [
+    re.compile(r"CONSTITUTION\.md", re.IGNORECASE),
+    re.compile(r"security\.md", re.IGNORECASE),
+    re.compile(r"agent-alignment\.py", re.IGNORECASE),
+    re.compile(r"pre-commit", re.IGNORECASE),
+]
+
+# Red-flag patterns in action parameters (compiled once at import time)
+RED_FLAG_PATTERNS: List[Dict[str, Any]] = [
+    {
+        "pattern": re.compile(
+            r"(delete|remove|rm)\b.*\b(constitution|security\.md|alignment)",
+            re.IGNORECASE,
+        ),
+        "reason": "Action references deleting safety-critical files.",
+    },
+    {
+        "pattern": re.compile(
+            r"(git\s+(rebase|reset|push\s+--force|filter-branch|reflog\s+expire))",
+            re.IGNORECASE,
+        ),
+        "reason": "Action attempts to modify or rewrite git history.",
+    },
+    {
+        "pattern": re.compile(
+            r"(disable|bypass|skip|remove)\b.*\b(hook|pre-commit|ci|check|review)",
+            re.IGNORECASE,
+        ),
+        "reason": "Action attempts to disable hooks, CI, or review processes.",
+    },
+    {
+        "pattern": re.compile(
+            r"merge\b.*\b(own|self|my)\b.*\bpr", re.IGNORECASE
+        ),
+        "reason": "Action attempts to merge the agent's own PR without review.",
+    },
+    {
+        "pattern": re.compile(
+            r"(backdoor|exploit|exfiltrat|obfuscat|hidden\s+functionalit)",
+            re.IGNORECASE,
+        ),
+        "reason": "Action contains references to deceptive or harmful techniques.",
+    },
+    {
+        "pattern": re.compile(
+            r"(weapon|surveillance\s+target|manipulat(e|ion)\s+(user|human|people))",
+            re.IGNORECASE,
+        ),
+        "reason": (
+            "Action references capability restrictions from Article III "
+            "(weapons, surveillance, manipulation)."
+        ),
+    },
+]
+
+# Terminal colours (only when stdout is a TTY)
+_IS_TTY = hasattr(sys.stdout, "isatty") and sys.stdout.isatty()
+
+
+def _colour(code: str, text: str) -> str:
+    if _IS_TTY:
+        return f"\033[{code}m{text}\033[0m"
+    return text
+
+
+def green(text: str) -> str:
+    return _colour("32", text)
+
+
+def yellow(text: str) -> str:
+    return _colour("33", text)
+
+
+def red(text: str) -> str:
+    return _colour("31", text)
+
+
+def bold(text: str) -> str:
+    return _colour("1", text)
+
+
+def dim(text: str) -> str:
+    return _colour("2", text)
+
+
+# ---------------------------------------------------------------------------
+# Data classes
+# ---------------------------------------------------------------------------
+
+
+@dataclass
+class AlignmentResult:
+    """Result of an alignment check on a proposed action."""
+
+    allowed: bool
+    risk_level: str  # "low", "medium", "high", "forbidden"
+    reasoning: str  # explanation of why allowed/denied
+    suggestions: Optional[str] = None  # how to modify action to be aligned
+
+
+# ---------------------------------------------------------------------------
+# Config & Constitution loading
+# ---------------------------------------------------------------------------
+
+
+def load_constitution(repo_root: str) -> str:
+    """Load CONSTITUTION.md from the given repo root path.
+
+    Caches the result in a module-level variable so repeated calls within the
+    same process do not re-read the file.
+    """
+    global _constitution_cache
+
+    if _constitution_cache is not None:
+        return _constitution_cache
+
+    constitution_path = Path(repo_root) / "CONSTITUTION.md"
+    if not constitution_path.is_file():
+        raise FileNotFoundError(
+            f"Constitution not found at {constitution_path}.  "
+            "The agent cannot operate without its Constitution."
+        )
+
+    _constitution_cache = constitution_path.read_text(encoding="utf-8")
+    return _constitution_cache
+
+
+def _load_config() -> Dict[str, Any]:
+    """Load and cache agent-config.yml."""
+    global _config_cache
+
+    if _config_cache is not None:
+        return _config_cache
+
+    if not CONFIG_PATH.is_file():
+        # Return a sensible default so the module can still function
+        _config_cache = {"risk": {}}
+        return _config_cache
+
+    raw = CONFIG_PATH.read_text(encoding="utf-8")
+
+    if _HAS_YAML:
+        _config_cache = yaml.safe_load(raw) or {}
+    else:
+        # Minimal fallback: parse only the risk section we need
+        _config_cache = _parse_risk_section(raw)
+
+    return _config_cache
+
+
+def _parse_risk_section(raw: str) -> Dict[str, Any]:
+    """Minimal YAML-subset parser for the risk section of agent-config.yml.
+
+    This is intentionally simple.  It only extracts the lists under
+    risk.auto_execute, risk.auto_pr, risk.require_review, and risk.forbidden.
+    """
+    config: Dict[str, Any] = {"risk": {}}
+    current_section: Optional[str] = None
+    in_risk = False
+
+    for line in raw.splitlines():
+        stripped = line.strip()
+
+        # Detect top-level 'risk:' section
+        if line.startswith("risk:"):
+            in_risk = True
+            continue
+
+        # Once we leave the risk section (another top-level key), stop
+        if in_risk and line and not line[0].isspace() and not line.startswith("#"):
+            break
+
+        if not in_risk:
+            continue
+
+        # Detect sub-keys like "  auto_execute:"
+        if stripped.endswith(":") and not stripped.startswith("-") and not stripped.startswith("#"):
+            key = stripped.rstrip(":").strip()
+            # Strip inline comments after the key
+            if "#" in key:
+                key = key[: key.index("#")].strip()
+            current_section = key
+            config["risk"][current_section] = []
+            continue
+
+        # Detect list items like '    - "verify_resources"'
+        if current_section and stripped.startswith("- "):
+            value = stripped[2:].strip().strip('"').strip("'")
+            # Strip inline comments
+            if "  #" in value:
+                value = value[: value.index("  #")].strip().strip('"').strip("'")
+            config["risk"].setdefault(current_section, []).append(value)
+
+    return config
+
+
+# ---------------------------------------------------------------------------
+# Risk classification (pure rule-based)
+# ---------------------------------------------------------------------------
+
+# Mapping from config risk categories to risk level strings
+_RISK_CATEGORY_TO_LEVEL = {
+    "auto_execute": "low",
+    "auto_pr": "medium",
+    "require_review": "high",
+    "forbidden": "forbidden",
+}
+
+
+def classify_risk(action_type: str, config: Optional[Dict[str, Any]] = None) -> str:
+    """Classify an action type's risk level based on the agent config.
+
+    Reads the ``risk`` section of agent-config.yml (or the provided config
+    dict) and returns one of: "low", "medium", "high", "forbidden".
+
+    If the action type is not found in any category, defaults to "high"
+    (precautionary principle -- unknown actions require review).
+    """
+    if config is None:
+        config = _load_config()
+
+    risk_config = config.get("risk", {})
+
+    for category, level in _RISK_CATEGORY_TO_LEVEL.items():
+        actions_in_category = risk_config.get(category, [])
+        if action_type in actions_in_category:
+            return level
+
+    # Unknown action type -- default to high risk (precautionary principle)
+    return "high"
+
+
+# ---------------------------------------------------------------------------
+# Tier 1: Rule-based alignment check
+# ---------------------------------------------------------------------------
+
+
+def _flatten_action_text(action: Dict[str, Any]) -> str:
+    """Flatten all string values in an action dict into a single text blob
+    for pattern matching."""
+    parts: List[str] = []
+
+    def _extract(obj: Any) -> None:
+        if isinstance(obj, str):
+            parts.append(obj)
+        elif isinstance(obj, dict):
+            for v in obj.values():
+                _extract(v)
+        elif isinstance(obj, (list, tuple)):
+            for item in obj:
+                _extract(item)
+
+    _extract(action)
+    return " ".join(parts)
+
+
+def _tier1_check(
+    action: Dict[str, Any],
+    config: Dict[str, Any],
+) -> AlignmentResult:
+    """Tier 1: deterministic, rule-based alignment check.
+
+    Returns an AlignmentResult.  This always runs, even when Tier 2 (LLM)
+    is available.
+    """
+    action_type = action.get("type", "unknown")
+
+    # ----- Step 1: Check forbidden list -----
+    risk_level = classify_risk(action_type, config)
+
+    if risk_level == "forbidden":
+        return AlignmentResult(
+            allowed=False,
+            risk_level="forbidden",
+            reasoning=(
+                f"Action type '{action_type}' is on the forbidden list in "
+                "agent-config.yml.  The agent must never perform this action.  "
+                "This aligns with the Constitution's Safety Protocols "
+                "(Article III) and the precautionary principle."
+            ),
+            suggestions=None,
+        )
+
+    # ----- Step 2: Scan for red flags in action params -----
+    action_text = _flatten_action_text(action)
+
+    for red_flag in RED_FLAG_PATTERNS:
+        if red_flag["pattern"].search(action_text):
+            return AlignmentResult(
+                allowed=False,
+                risk_level="forbidden",
+                reasoning=(
+                    f"Red flag detected: {red_flag['reason']}  "
+                    "This violates the Constitution's safety protocols "
+                    "(Article III).  The precautionary principle requires "
+                    "denial when safety-critical patterns are detected."
+                ),
+                suggestions=(
+                    "Reformulate the action to avoid modifying safety-critical "
+                    "files, circumventing review processes, or introducing "
+                    "deceptive/harmful content."
+                ),
+            )
+
+    # ----- Step 3: Additional semantic checks -----
+    # Check for attempts to modify safety files even if not "delete"
+    params = action.get("params", {})
+    target_files = []
+    if isinstance(params, dict):
+        for key in ("file", "path", "target", "files"):
+            val = params.get(key)
+            if isinstance(val, str):
+                target_files.append(val)
+            elif isinstance(val, list):
+                target_files.extend(str(v) for v in val)
+
+    for target in target_files:
+        for pattern in SAFETY_FILE_PATTERNS:
+            if pattern.search(target):
+                if risk_level != "high":
+                    # Escalate: modifying safety files always requires review
+                    risk_level = "high"
+
+    # ----- Step 4: Return result based on risk classification -----
+    reasoning_parts = [
+        f"Action type '{action_type}' classified as '{risk_level}' risk "
+        f"by agent-config.yml."
+    ]
+
+    if risk_level == "low":
+        reasoning_parts.append(
+            "This is an auto-executable action that poses minimal risk."
+        )
+    elif risk_level == "medium":
+        reasoning_parts.append(
+            "This action will be submitted as a PR for human review before "
+            "merging, in accordance with the Constitution's transparency and "
+            "human oversight principles."
+        )
+    elif risk_level == "high":
+        reasoning_parts.append(
+            "This action requires explicit human approval before proceeding.  "
+            "The Constitution's precautionary principle and human override "
+            "provisions (Article III, 3.1-3.2) apply."
+        )
+
+    reasoning_parts.append("No red flags detected in action parameters.")
+
+    suggestions = None
+    if risk_level == "high":
+        suggestions = (
+            "Create a detailed issue explaining the proposed change and wait "
+            "for human approval before proceeding."
+        )
+
+    return AlignmentResult(
+        allowed=True,
+        risk_level=risk_level,
+        reasoning="  ".join(reasoning_parts),
+        suggestions=suggestions,
+    )
+
+
+# ---------------------------------------------------------------------------
+# Tier 2: LLM-based alignment check
+# ---------------------------------------------------------------------------
+
+_TIER2_SYSTEM_PROMPT = """\
+You are an alignment evaluator for the Gaia Minds autonomous agent.  Your role
+is to determine whether a proposed action aligns with the Gaia Minds
+Constitution.
+
+You must evaluate the action against ALL Constitutional articles:
+- Article I: Core Values (life protection, benevolence, transparency, honesty, humility)
+- Article II: Governance (contributor eligibility, decision making, conflict resolution)
+- Article III: Safety Protocols (precautionary principle, human override, security, capability restrictions)
+- Article IV: Resource Ethics (transparent acquisition, sustainable operations, no exploitation)
+- Article V: Evolution (living document, interpretation, self-improvement)
+
+Apply the precautionary principle: when uncertain, rule against allowing the action.
+
+CONSTITUTION:
+{constitution}
+"""
+
+_TIER2_USER_PROMPT = """\
+Evaluate whether this proposed action aligns with the Gaia Minds Constitution.
+
+ACTION:
+{action_json}
+
+RECENT MEMORY CONTEXT (recent decisions and lessons):
+{memory_context}
+
+Respond with ONLY valid JSON (no markdown fences, no extra text) in this exact format:
+{{
+    "allowed": true/false,
+    "risk_level": "low" | "medium" | "high" | "forbidden",
+    "reasoning": "detailed explanation referencing specific Constitutional articles",
+    "suggestions": "how to modify the action to be aligned, or null if already aligned"
+}}
+"""
+
+
+def _tier2_check(
+    action: Dict[str, Any],
+    constitution: str,
+    memory_context: str,
+    client: Any,
+    model: str,
+) -> Optional[AlignmentResult]:
+    """Tier 2: LLM-based alignment check using Claude.
+
+    Returns an AlignmentResult on success, or None if the API call fails
+    (so the caller can fall back to Tier 1 only).
+    """
+    system_prompt = _TIER2_SYSTEM_PROMPT.format(constitution=constitution)
+    user_prompt = _TIER2_USER_PROMPT.format(
+        action_json=json.dumps(action, indent=2),
+        memory_context=memory_context if memory_context else "(no memory context available)",
+    )
+
+    try:
+        response = client.messages.create(
+            model=model,
+            max_tokens=1024,
+            temperature=0.2,
+            system=system_prompt,
+            messages=[
+                {"role": "user", "content": user_prompt},
+            ],
+        )
+
+        # Extract text from the response
+        response_text = ""
+        for block in response.content:
+            if hasattr(block, "text"):
+                response_text += block.text
+
+        # Strip any markdown code fences if present
+        response_text = response_text.strip()
+        if response_text.startswith("```"):
+            # Remove opening fence (with optional language tag)
+            response_text = re.sub(r"^```[a-zA-Z]*\n?", "", response_text)
+            # Remove closing fence
+            response_text = re.sub(r"\n?```$", "", response_text)
+            response_text = response_text.strip()
+
+        # Parse the JSON response
+        parsed = json.loads(response_text)
+
+        # Validate the response has required fields
+        if not all(k in parsed for k in ("allowed", "risk_level", "reasoning")):
+            return None
+
+        # Validate risk_level is a known value
+        risk_level = parsed["risk_level"]
+        if risk_level not in RISK_LEVELS:
+            risk_level = "high"  # default to high if unknown
+
+        return AlignmentResult(
+            allowed=bool(parsed["allowed"]),
+            risk_level=risk_level,
+            reasoning=str(parsed["reasoning"]),
+            suggestions=parsed.get("suggestions"),
+        )
+
+    except json.JSONDecodeError:
+        # Could not parse the LLM response as JSON
+        return None
+    except Exception:
+        # API call failed -- caller will fall back to Tier 1
+        return None
+
+
+# ---------------------------------------------------------------------------
+# Main entry point: check_alignment()
+# ---------------------------------------------------------------------------
+
+
+def check_alignment(
+    action: Dict[str, Any],
+    constitution: str,
+    memory_context: str,
+    client: Any = None,
+    model: str = "claude-sonnet-4-5-20250929",
+) -> AlignmentResult:
+    """Check if a proposed action aligns with Constitutional values.
+
+    Two-tier evaluation:
+      1. Rule-based checks always run first.
+      2. If an Anthropic client is provided, LLM-based evaluation runs second.
+
+    The stricter of the two results wins.  If the LLM call fails, the
+    fallback policy is:
+      - fail-open for low risk (allow, since rules already passed)
+      - fail-closed for medium/high risk (deny, precautionary principle)
+
+    Parameters
+    ----------
+    action : dict
+        The proposed action, e.g.
+        {"type": "add_research", "params": {...}, "reasoning": "..."}
+    constitution : str
+        Full text of CONSTITUTION.md.
+    memory_context : str
+        Recent decisions and lessons as text.
+    client : optional
+        An ``anthropic.Anthropic`` client instance.  If None, only Tier 1
+        (rule-based) checks are performed.
+    model : str
+        The Claude model to use for Tier 2 checks.
+
+    Returns
+    -------
+    AlignmentResult
+        The alignment evaluation result.
+    """
+    config = _load_config()
+
+    # ----- Tier 1: Rule-based check (always runs) -----
+    tier1_result = _tier1_check(action, config)
+
+    # If Tier 1 says forbidden, return immediately -- no override possible
+    if tier1_result.risk_level == "forbidden":
+        return tier1_result
+
+    # ----- Tier 2: LLM-based check (only if client provided) -----
+    if client is not None and _HAS_ANTHROPIC:
+        tier2_result = _tier2_check(
+            action=action,
+            constitution=constitution,
+            memory_context=memory_context,
+            client=client,
+            model=model,
+        )
+
+        if tier2_result is not None:
+            # The stricter ruling wins:
+            # If Tier 2 says "not allowed" but Tier 1 said "allowed",
+            # use Tier 2 (stricter).
+            if not tier2_result.allowed and tier1_result.allowed:
+                tier2_result.reasoning = (
+                    "[Tier 2 override] " + tier2_result.reasoning
+                    + "  (Tier 1 rule-based check would have allowed this action, "
+                    "but LLM-based Constitutional review denied it.)"
+                )
+                return tier2_result
+
+            # If both agree on "allowed", use the higher risk level
+            if tier2_result.allowed and tier1_result.allowed:
+                t1_idx = RISK_LEVELS.index(tier1_result.risk_level)
+                t2_idx = RISK_LEVELS.index(tier2_result.risk_level)
+                if t2_idx > t1_idx:
+                    # Tier 2 assigns higher risk -- use Tier 2 risk level
+                    tier1_result.risk_level = tier2_result.risk_level
+                    tier1_result.reasoning = (
+                        tier1_result.reasoning
+                        + f"  [Tier 2 escalation] LLM review escalated risk "
+                        f"to '{tier2_result.risk_level}': {tier2_result.reasoning}"
+                    )
+                    if tier2_result.suggestions:
+                        tier1_result.suggestions = tier2_result.suggestions
+
+                return tier1_result
+
+            # If Tier 1 says not allowed (shouldn't happen since we returned
+            # early for forbidden), just return Tier 1
+            return tier1_result
+
+        else:
+            # Tier 2 failed (API error, parse error, etc.)
+            # Fail-open for low risk, fail-closed for medium/high
+            if tier1_result.risk_level == "low":
+                tier1_result.reasoning += (
+                    "  [Note] LLM-based alignment check was unavailable; "
+                    "proceeding with rule-based result only (fail-open for "
+                    "low-risk actions)."
+                )
+                return tier1_result
+            else:
+                return AlignmentResult(
+                    allowed=False,
+                    risk_level=tier1_result.risk_level,
+                    reasoning=(
+                        f"LLM-based alignment check failed and the action is "
+                        f"'{tier1_result.risk_level}' risk.  Per the "
+                        f"precautionary principle (Constitution Article III, "
+                        f"3.1), the agent fails closed for non-low-risk "
+                        f"actions when full alignment evaluation is unavailable."
+                    ),
+                    suggestions=(
+                        "Retry when the Anthropic API is available, or request "
+                        "explicit human approval for this action."
+                    ),
+                )
+
+    # ----- No Tier 2 available: return Tier 1 result -----
+    return tier1_result
+
+
+# ---------------------------------------------------------------------------
+# Self-test (when run as __main__)
+# ---------------------------------------------------------------------------
+
+
+def _risk_colour(level: str) -> str:
+    """Return a coloured version of the risk level string."""
+    if level == "low":
+        return green(level)
+    elif level == "medium":
+        return yellow(level)
+    elif level == "high":
+        return red(level)
+    elif level == "forbidden":
+        return red(bold(level))
+    return level
+
+
+def _self_test() -> int:
+    """Run self-test with example actions and print results."""
+    print()
+    print(bold("  Gaia Minds Alignment Checker -- Self-Test"))
+    print(bold("  " + "=" * 50))
+    print()
+
+    # Load constitution for the test
+    try:
+        constitution = load_constitution(str(REPO_ROOT))
+        print(f"  Constitution loaded: {len(constitution)} characters")
+    except FileNotFoundError as exc:
+        print(red(f"  {exc}"))
+        return 1
+
+    # Load config
+    config = _load_config()
+    risk_config = config.get("risk", {})
+    print(f"  Config loaded: {sum(len(v) for v in risk_config.values())} action types classified")
+    print()
+
+    # Define test cases: (action, expected_allowed, expected_risk)
+    test_cases = [
+        (
+            {"type": "verify_resources"},
+            True,
+            "low",
+            "Auto-executable low-risk action",
+        ),
+        (
+            {"type": "add_research", "params": {"topic": "transformer efficiency"}},
+            True,
+            "medium",
+            "Standard research addition (auto-PR)",
+        ),
+        (
+            {"type": "modify_agent_loop", "params": {"change": "add new feature"}},
+            True,
+            "high",
+            "Self-modification requires human review",
+        ),
+        (
+            {"type": "delete_constitution"},
+            False,
+            "forbidden",
+            "Forbidden: deleting the Constitution",
+        ),
+        (
+            {"type": "merge_own_pr"},
+            False,
+            "forbidden",
+            "Forbidden: merging own PR",
+        ),
+        (
+            {"type": "bypass_review"},
+            False,
+            "forbidden",
+            "Forbidden: bypassing review",
+        ),
+    ]
+
+    passed = 0
+    failed = 0
+
+    for action, expected_allowed, expected_risk, description in test_cases:
+        result = check_alignment(
+            action=action,
+            constitution=constitution,
+            memory_context="(self-test -- no memory context)",
+            client=None,  # rule-based only for self-test
+        )
+
+        # Check expectations
+        ok_allowed = result.allowed == expected_allowed
+        ok_risk = result.risk_level == expected_risk
+
+        status = green("[PASS]") if (ok_allowed and ok_risk) else red("[FAIL]")
+        if ok_allowed and ok_risk:
+            passed += 1
+        else:
+            failed += 1
+
+        print(f"  {status} {description}")
+        print(f"         Action:   {json.dumps(action)}")
+        print(f"         Allowed:  {result.allowed} (expected {expected_allowed})", end="")
+        if not ok_allowed:
+            print(f"  {red('<-- MISMATCH')}", end="")
+        print()
+        print(f"         Risk:     {_risk_colour(result.risk_level)} (expected {expected_risk})", end="")
+        if not ok_risk:
+            print(f"  {red('<-- MISMATCH')}", end="")
+        print()
+        print(f"         Reason:   {dim(result.reasoning[:120])}...")
+        if result.suggestions:
+            print(f"         Suggest:  {dim(result.suggestions[:100])}")
+        print()
+
+    # Additional red-flag tests
+    print(bold("  Red-flag detection tests"))
+    print(bold("  " + "-" * 50))
+    print()
+
+    red_flag_cases = [
+        (
+            {
+                "type": "update_skill",
+                "params": {"change": "delete the constitution file"},
+            },
+            False,
+            "Red flag: delete safety file reference",
+        ),
+        (
+            {
+                "type": "create_tool",
+                "params": {"command": "git push --force"},
+            },
+            False,
+            "Red flag: force push (git history rewrite)",
+        ),
+        (
+            {
+                "type": "create_tool",
+                "params": {"desc": "disable pre-commit hooks"},
+            },
+            False,
+            "Red flag: disabling hooks",
+        ),
+        (
+            {
+                "type": "add_research",
+                "params": {"content": "backdoor access method"},
+            },
+            False,
+            "Red flag: backdoor reference",
+        ),
+    ]
+
+    for action, expected_allowed, description in red_flag_cases:
+        result = check_alignment(
+            action=action,
+            constitution=constitution,
+            memory_context="(self-test -- no memory context)",
+            client=None,
+        )
+
+        ok = result.allowed == expected_allowed
+        status = green("[PASS]") if ok else red("[FAIL]")
+        if ok:
+            passed += 1
+        else:
+            failed += 1
+
+        print(f"  {status} {description}")
+        print(f"         Action:   {json.dumps(action)}")
+        print(f"         Allowed:  {result.allowed} (expected {expected_allowed})", end="")
+        if not ok:
+            print(f"  {red('<-- MISMATCH')}", end="")
+        print()
+        print(f"         Risk:     {_risk_colour(result.risk_level)}")
+        print(f"         Reason:   {dim(result.reasoning[:120])}...")
+        print()
+
+    # Classify risk standalone tests
+    print(bold("  classify_risk() tests"))
+    print(bold("  " + "-" * 50))
+    print()
+
+    risk_cases = [
+        ("verify_resources", "low"),
+        ("add_research", "medium"),
+        ("modify_agent_loop", "high"),
+        ("delete_constitution", "forbidden"),
+        ("totally_unknown_action", "high"),  # unknown defaults to high
+    ]
+
+    for action_type, expected_level in risk_cases:
+        actual_level = classify_risk(action_type, config)
+        ok = actual_level == expected_level
+        status = green("[PASS]") if ok else red("[FAIL]")
+        if ok:
+            passed += 1
+        else:
+            failed += 1
+
+        print(f"  {status} classify_risk('{action_type}') = {_risk_colour(actual_level)} (expected {expected_level})", end="")
+        if not ok:
+            print(f"  {red('<-- MISMATCH')}", end="")
+        print()
+
+    # Summary
+    print()
+    print(bold("  " + "=" * 50))
+    total = passed + failed
+    if failed == 0:
+        print(green(f"  All {total} tests passed."))
+    else:
+        print(red(f"  {failed}/{total} tests FAILED."))
+    print()
+
+    return 1 if failed > 0 else 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(_self_test())