open-classify 0.1.0 → 0.1.2

package/dist/src/enums.js

@@ -19,44 +19,21 @@ export const DOWNSTREAM_MODEL_TIER_VALUES = [
 // Which kind of model/prompt specialization fits the request best. Combined
 // with the tier to look up a concrete model in the catalog.
 export const MODEL_SPECIALIZATION_VALUES = [
-    "agentic_coding",
-    "agentic_workflows",
     "chat",
-    "code_fixing",
-    "code_reasoning",
-    "code_review",
-    "writing",
     "reasoning",
     "planning",
+    "writing",
+    "summarization",
     "coding",
+    "tool_use",
     "computer_use",
-    "debugging",
-    "instruction_following",
-    "question_answering",
-    "subagents",
-    "summarization",
-    "tool_assisted_coding",
-    "vision_input",
-];
-export const SECURITY_DECISION_VALUES = [
-    "allow",
-    "block",
-    "needs_review",
+    "vision",
 ];
-// Overall safety posture on the latest user message. Security short-circuiting
-// is driven by safety.decision, not risk level alone.
-export const SECURITY_RISK_LEVEL_VALUES = [
+// Prompt-injection posture on the latest user message. The pipeline blocks
+// confident high_risk and unknown prompt-injection outputs.
+export const PROMPT_INJECTION_RISK_LEVEL_VALUES = [
     "normal",
     "suspicious",
     "high_risk",
     "unknown",
 ];
-// Specific safety concerns the security classifier can flag. These are
-// advisory; safety.decision controls whether the pipeline blocks or needs review.
-export const SECURITY_SIGNAL_VALUES = [
-    "instruction_attack",
-    "secret_or_private_data_risk",
-    "unsafe_tool_or_action",
-    "untrusted_content_or_code",
-    "injection_or_obfuscation",
-];

package/dist/src/index.js

@@ -1,6 +1,6 @@
 // Public barrel for the Open Classify package. Everything an external caller
 // would need — input types, enums, the registry, the pipeline, the Ollama
-// runner, the catalog loader, the aggregator's confidence threshold — is
+// runner, the catalog loader, the aggregator's certainty threshold — is
 // re-exported here. The build emits a single `index.js` that downstream
 // consumers can import from `open-classify`.
 export * from "./aggregator.js";

package/dist/src/input.js

@@ -9,7 +9,7 @@ import { createHash } from "node:crypto";
  * Gemma 4 E4B supports a native 131,072-token (128K) context window. Open
  * Classify does not use that full window in the reference local runtime: it
  * runs the classifier set in parallel with a configured 4,096-token context.
- * The largest fixed classifier prompt is security at about 1,748 estimated
+ * The largest fixed classifier prompt is prompt_injection at roughly 1,700 estimated
  * tokens using the same 3 chars/token heuristic as the Ollama packer. We round
  * that up to 2,000 fixed-prompt tokens, reserve roughly 400 tokens for output,
  * chat-template variance, and estimation error, then spend the remainder on

package/dist/src/manifest.d.ts

@@ -1,8 +1,10 @@
-import type { AckReplySignal, ClassifierOutput, CustomClassifierOutput, FinalReplySignal, RoutingSignal, RuntimeClassifierManifest, SafetySignal, ToolsSignal } from "./stock.js";
+import type { AckReplySignal, ClassifierOutput, CustomClassifierOutput, FinalReplySignal, PromptInjectionSignal, RoutingSignal, RuntimeClassifierManifest, ToolsSignal } from "./stock.js";
 import type { ClassifierInput, ClassifierRunStatus } from "./types.js";
 import type { DownstreamModelTier, ModelSpecialization } from "./enums.js";
 export type ClassifierName = string;
 export type ClassifierResults = Record<ClassifierName, ClassifierOutput>;
+export declare const CERTAINTY_GATE_MODES: readonly ["min_score", "avg_score", "off"];
+export type CertaintyGateMode = (typeof CERTAINTY_GATE_MODES)[number];
 export type RunClassifier = (name: ClassifierName, input: ClassifierInput, signal: AbortSignal) => Promise<ClassifierOutput>;
 export interface CatalogEntry {
     readonly id: string;
@@ -46,7 +48,7 @@ export interface Envelope {
     readonly ack_reply?: AckReplySignal;
     readonly routing?: RoutingSignal;
     readonly tools?: ToolsSignal;
-    readonly safety?: SafetySignal;
+    readonly prompt_injection?: PromptInjectionSignal;
     readonly custom_outputs: ReadonlyArray<CustomClassifierOutput>;
     readonly model_recommendation: ModelRecommendation;
 }
@@ -71,35 +73,38 @@ export interface PipelineMeta {
 export interface PipelineAudit extends Envelope {
     readonly meta: PipelineMeta;
     readonly fired_by?: string;
+    readonly certainty_gate?: LowCertaintyBlockReason;
 }
-export type AnswerPipelineResult = {
-    readonly action: "answer";
+export type BlockReason = PromptInjectionBlockReason | LowCertaintyBlockReason;
+export interface PromptInjectionBlockReason {
+    readonly kind: "prompt_injection";
+    readonly risk_level: PromptInjectionSignal["risk_level"];
+}
+export interface LowCertaintyBlockReason {
+    readonly kind: "low_certainty";
+    readonly mode: Exclude<CertaintyGateMode, "off">;
+    readonly threshold: number;
+    readonly score: number;
+    readonly classifier_scores: Readonly<Record<string, number>>;
+    readonly low_classifiers: ReadonlyArray<string>;
+}
+export type ReplyPipelineResult = {
+    readonly action: "reply";
     readonly message_id: string;
-    readonly final_reply: FinalReplySignal;
-    readonly reason: "already_answered";
+    readonly reply: {
+        readonly text: string;
+    };
+    readonly reason: "preflight_reply";
     readonly classifier_outputs: ClassifierCustomOutputs;
     readonly audit: Pick<PipelineAudit, "final_reply" | "meta" | "fired_by">;
 };
 export type BlockPipelineResult = {
     readonly action: "block";
     readonly message_id: string;
-    readonly reason: {
-        readonly risk_level?: SafetySignal["risk_level"];
-        readonly signals?: ReadonlyArray<string>;
-    };
-    readonly classifier_outputs: ClassifierCustomOutputs;
-    readonly audit: Pick<PipelineAudit, "safety" | "meta" | "fired_by">;
-};
-export type NeedsReviewPipelineResult = {
-    readonly action: "needs_review";
-    readonly message_id: string;
-    readonly fired_by: string;
-    readonly reason: {
-        readonly risk_level?: SafetySignal["risk_level"];
-        readonly signals?: ReadonlyArray<string>;
-    };
+    readonly fired_by?: string;
+    readonly reason: BlockReason;
     readonly classifier_outputs: ClassifierCustomOutputs;
-    readonly audit: Pick<PipelineAudit, "safety" | "meta" | "fired_by">;
+    readonly audit: Pick<PipelineAudit, "prompt_injection" | "meta" | "fired_by" | "certainty_gate">;
 };
 export type RoutePipelineResult = {
     readonly action: "route";
@@ -108,8 +113,11 @@ export type RoutePipelineResult = {
     readonly classifier_outputs: ClassifierCustomOutputs;
     readonly audit: PipelineAudit;
 };
-export type PipelineResult = AnswerPipelineResult | BlockPipelineResult | NeedsReviewPipelineResult | RoutePipelineResult;
+export type PipelineResult = ReplyPipelineResult | BlockPipelineResult | RoutePipelineResult;
 export interface AggregatorConfig {
+    readonly certaintyThreshold?: number;
+    /** @deprecated Use certaintyThreshold. */
     readonly confidenceThreshold?: number;
+    readonly certaintyGate?: CertaintyGateMode;
 }
 export type ClassifierRegistry = ReadonlyArray<RuntimeClassifierManifest>;

package/dist/src/manifest.js

@@ -1 +1,5 @@
-export {};
+export const CERTAINTY_GATE_MODES = [
+    "min_score",
+    "avg_score",
+    "off",
+];

package/dist/src/ollama.d.ts

@@ -1,7 +1,7 @@
 import { type ClassifierName, type RunClassifier } from "./classifiers.js";
 import { type OpenClassifyConfig } from "./config.js";
 import { classifyOpenClassifyInput } from "./pipeline.js";
-import type { Catalog } from "./manifest.js";
+import type { AggregatorConfig, Catalog } from "./manifest.js";
 import type { OpenClassifyInput } from "./types.js";
 export declare const OLLAMA_DEFAULT_HOST = "http://localhost:11434";
 export declare const OLLAMA_BASE_MODEL = "gemma4:e4b-it-q4_K_M";
@@ -33,6 +33,7 @@ export interface ClassifyWithOllamaConfig extends OllamaClassifierRunnerConfig {
     catalogPath?: string;
     configPath?: string;
     openClassifyConfig?: OpenClassifyConfig;
+    aggregator?: AggregatorConfig;
 }
 export declare class OllamaClassifierError extends Error {
     readonly classifier: ClassifierName;

package/dist/src/ollama.js

@@ -124,6 +124,7 @@ export async function classifyWithOllama(input, config = {}) {
     return classifyOpenClassifyInput(input, {
         runClassifier: createOllamaClassifierRunner(runnerConfig),
         catalog,
+        aggregator: config.aggregator ?? fileConfig?.aggregator,
     });
 }
 async function runOllamaClassifier(name, input, signal, fetchImpl, host, model, options, allowManifestModel) {

package/dist/src/pipeline.d.ts

@@ -3,6 +3,7 @@ import type { AggregatorConfig, Catalog, PipelineResult } from "./manifest.js";
 import type { OpenClassifyInput } from "./types.js";
 export declare const DEFAULT_CLASSIFIER_TIMEOUT_MS = 15000;
 export declare const DEFAULT_CLASSIFIER_RETRY_COUNT = 1;
+export declare const DEFAULT_CERTAINTY_GATE = "min_score";
 export declare class OpenClassifyNormalizationError extends Error {
     constructor(cause: unknown);
 }

package/dist/src/pipeline.js

@@ -1,9 +1,10 @@
-import { composeEnvelope } from "./aggregator.js";
+import { certaintyThreshold, composeEnvelope } from "./aggregator.js";
 import { CLASSIFIER_NAMES, MODULES_BY_NAME, REGISTRY, } from "./classifiers.js";
 import { normalizeOpenClassifyInput, toClassifierInput } from "./input.js";
-import { isCustomManifest } from "./stock.js";
+import { certaintyScore, isCustomManifest } from "./stock.js";
 export const DEFAULT_CLASSIFIER_TIMEOUT_MS = 15_000;
 export const DEFAULT_CLASSIFIER_RETRY_COUNT = 1;
+export const DEFAULT_CERTAINTY_GATE = "min_score";
 export class OpenClassifyNormalizationError extends Error {
     constructor(cause) {
         super(errorMessage(cause), { cause });
@@ -11,10 +12,10 @@ export class OpenClassifyNormalizationError extends Error {
     }
 }
 // Short-circuit gates are intrinsic to specific stock signals — not configured
-// per-manifest. preflight.final_reply ⇒ answer; security.decision in
-// {block, needs_review} ⇒ block / needs_review. Order matters: preflight is
+// per-manifest. preflight.final_reply ⇒ reply; confident high_risk or unknown
+// prompt-injection risk ⇒ block. Order matters: preflight is
 // cheaper to evaluate, so we check it first.
-const SHORT_CIRCUIT_GATES = ["preflight", "security"];
+const SHORT_CIRCUIT_GATES = ["preflight", "prompt_injection"];
 export async function classifyOpenClassifyInput(input, options) {
     let request;
     try {
@@ -36,7 +37,7 @@ export async function classifyOpenClassifyInput(input, options) {
     const classifierInput = toClassifierInput(request);
     const classifierTimeoutMs = options.classifierTimeoutMs ?? DEFAULT_CLASSIFIER_TIMEOUT_MS;
     const classifierRetryCount = options.classifierRetryCount ?? DEFAULT_CLASSIFIER_RETRY_COUNT;
-    const threshold = options.aggregator?.confidenceThreshold ?? 0.6;
+    const threshold = certaintyThreshold(options.aggregator);
     const runs = new Map(CLASSIFIER_NAMES.map((name) => [
         name,
         runClassifierWithRetry(name, classifierInput, options.runClassifier, controller.signal, classifierTimeoutMs, classifierRetryCount),
@@ -65,6 +66,10 @@ export async function classifyOpenClassifyInput(input, options) {
             input: classifierInput,
             config: options.aggregator,
         });
+        const certaintyGate = certaintyGateBlock(options.aggregator, results);
+        if (certaintyGate) {
+            return buildCertaintyGateBlockResult(request, envelope, results, meta, certaintyGate);
+        }
         return buildRouteResult(request, envelope, results, meta);
     }
     finally {
@@ -72,38 +77,67 @@ export async function classifyOpenClassifyInput(input, options) {
     }
 }
 function shortCircuitVerdict(gate, result, threshold) {
-    const confidence = result.confidence ?? 0;
-    if (confidence < threshold)
+    const score = scoreCertainty(result.certainty);
+    if (score < threshold)
         return null;
     if (gate === "preflight") {
         const preflight = result;
         if (preflight.final_reply !== undefined) {
-            return { kind: "answer", final_reply: preflight.final_reply };
+            return { kind: "reply", final_reply: preflight.final_reply };
         }
         return null;
     }
-    if (gate === "security") {
-        const security = result;
-        if (security.decision === "block") {
+    if (gate === "prompt_injection") {
+        const promptInjection = result;
+        if (promptInjection.risk_level === "high_risk" || promptInjection.risk_level === "unknown") {
+            const promptInjectionSignal = extractPromptInjection(promptInjection);
             return {
                 kind: "block",
-                safety: extractSafety(security),
-            };
-        }
-        if (security.decision === "needs_review") {
-            return {
-                kind: "needs_review",
-                safety: extractSafety(security),
+                prompt_injection: promptInjectionSignal,
+                reason: {
+                    kind: "prompt_injection",
+                    risk_level: promptInjectionSignal.risk_level,
+                },
             };
         }
     }
     return null;
 }
-function extractSafety(value) {
+function certaintyGateBlock(config, results) {
+    const mode = config?.certaintyGate ?? DEFAULT_CERTAINTY_GATE;
+    if (mode === "off")
+        return undefined;
+    const threshold = certaintyThreshold(config);
+    const classifier_scores = classifierScores(results);
+    const scores = Object.values(classifier_scores);
+    const score = mode === "min_score"
+        ? Math.min(...scores)
+        : scores.reduce((sum, value) => sum + value, 0) / scores.length;
+    if (score >= threshold)
+        return undefined;
+    return {
+        kind: "low_certainty",
+        mode,
+        threshold,
+        score,
+        classifier_scores,
+        low_classifiers: Object.entries(classifier_scores)
+            .filter(([, value]) => value < threshold)
+            .map(([name]) => name),
+    };
+}
+function classifierScores(results) {
+    return Object.fromEntries(REGISTRY.map((manifest) => [
+        manifest.name,
+        scoreCertainty(results[manifest.name]?.certainty),
+    ]));
+}
+function scoreCertainty(certainty) {
+    return certainty === undefined ? 0 : certaintyScore[certainty];
+}
+function extractPromptInjection(value) {
     return {
-        ...(value.decision === undefined ? {} : { decision: value.decision }),
         risk_level: value.risk_level,
-        signals: value.signals,
     };
 }
 function buildShortCircuitResult(name, verdict, settled, target_message_hash) {
@@ -116,13 +150,13 @@ function buildShortCircuitResult(name, verdict, settled, target_message_hash) {
     };
     const meta = { classifiers: { [name]: entry } };
     const classifier_outputs = classifierCustomOutputs({ [name]: value });
-    if (verdict.kind === "answer") {
+    if (verdict.kind === "reply") {
         const preflight = value;
         return {
-            action: "answer",
+            action: "reply",
             message_id: target_message_hash,
-            final_reply: verdict.final_reply,
-            reason: "already_answered",
+            reply: { text: verdict.final_reply.reply },
+            reason: "preflight_reply",
             classifier_outputs,
             audit: {
                 fired_by: name,
@@ -131,34 +165,15 @@ function buildShortCircuitResult(name, verdict, settled, target_message_hash) {
             },
         };
     }
-    if (verdict.kind === "needs_review") {
-        return {
-            action: "needs_review",
-            message_id: target_message_hash,
-            fired_by: name,
-            reason: {
-                risk_level: verdict.safety.risk_level,
-                signals: verdict.safety.signals,
-            },
-            classifier_outputs,
-            audit: {
-                fired_by: name,
-                safety: verdict.safety,
-                meta,
-            },
-        };
-    }
     return {
         action: "block",
         message_id: target_message_hash,
-        reason: {
-            risk_level: verdict.safety.risk_level,
-            signals: verdict.safety.signals,
-        },
+        fired_by: name,
+        reason: verdict.reason,
         classifier_outputs,
         audit: {
             fired_by: name,
-            safety: verdict.safety,
+            prompt_injection: verdict.prompt_injection,
             meta,
         },
     };
@@ -199,6 +214,21 @@ function buildRouteResult(request, envelope, results, meta) {
         },
     };
 }
+function buildCertaintyGateBlockResult(request, envelope, results, meta, certaintyGate) {
+    return {
+        action: "block",
+        message_id: request.target_message_hash,
+        fired_by: "certainty_gate",
+        reason: certaintyGate,
+        classifier_outputs: classifierCustomOutputs(results),
+        audit: {
+            ...envelope,
+            fired_by: "certainty_gate",
+            certainty_gate: certaintyGate,
+            meta,
+        },
+    };
+}
 function classifierCustomOutputs(results) {
     const out = {};
     for (const manifest of REGISTRY) {

package/dist/src/stock-prompt.js

@@ -26,7 +26,7 @@ function stockSection(manifest) {
         allowed_tools: renderAllowedTools(manifest.tools),
         preflight_output: promptMarkdown("preflight-output.md"),
         routing_output: promptMarkdown("routing-output.md"),
-        security_output: promptMarkdown("security-output.md"),
+        prompt_injection_output: promptMarkdown("prompt-injection-output.md"),
         specialty: promptMarkdown("specialty.md"),
         tier: promptMarkdown("tier.md"),
         tools_output: promptMarkdown("tools-output.md"),

package/dist/src/stock-validation.d.ts

@@ -1,4 +1,4 @@
-import type { JsonClassifierManifest, SafetySignal, ClassifierOutput } from "./stock.js";
+import type { JsonClassifierManifest, ClassifierOutput } from "./stock.js";
 export declare const STOCK_REASON_MAX_CHARS = 120;
 export declare const STOCK_REPLY_MAX_CHARS = 200;
 export declare const STOCK_TOOL_ID_MAX_CHARS = 64;
@@ -19,4 +19,3 @@ export interface LegacyValidateOptions {
     readonly manifest: JsonClassifierManifest;
 }
 export declare function validateClassifierOutputWithManifest(value: unknown, options: LegacyValidateOptions): ClassifierOutput;
-export type { SafetySignal };

package/dist/src/stock-validation.js

@@ -1,7 +1,7 @@
-import { DOWNSTREAM_MODEL_TIER_VALUES, MODEL_SPECIALIZATION_VALUES, SECURITY_DECISION_VALUES, } from "./enums.js";
+import { DOWNSTREAM_MODEL_TIER_VALUES, MODEL_SPECIALIZATION_VALUES, } from "./enums.js";
 import { Ajv } from "ajv/dist/ajv.js";
-import { STOCK_CLASSIFIER_NAMES } from "./stock.js";
-import { ensureNoDuplicates, isRecord, requireConfidence, requireEnum, requireNonEmptyStringMaxLength, requireNonNegativeSafeInteger, requireString, requireStringArray, throwInvalid, } from "./validation.js";
+import { CERTAINTY_VALUES, STOCK_CLASSIFIER_NAMES } from "./stock.js";
+import { ensureNoDuplicates, isRecord, requireEnum, requireNonEmptyStringMaxLength, requireNonNegativeSafeInteger, requireString, requireStringArray, throwInvalid, } from "./validation.js";
 export const STOCK_REASON_MAX_CHARS = 120;
 export const STOCK_REPLY_MAX_CHARS = 200;
 export const STOCK_TOOL_ID_MAX_CHARS = 64;
@@ -9,7 +9,7 @@ export const STOCK_TOOL_DESCRIPTION_MAX_CHARS = 240;
 export const STOCK_MANIFEST_NAME_MAX_CHARS = 80;
 export const STOCK_MANIFEST_VERSION_MAX_CHARS = 40;
 export const STOCK_MANIFEST_PURPOSE_MAX_CHARS = 400;
-const STOCK_SAFETY_RISK_LEVEL_VALUES = [
+const STOCK_PROMPT_INJECTION_RISK_LEVEL_VALUES = [
     "normal",
     "suspicious",
     "high_risk",
@@ -113,8 +113,8 @@ function validateStockOutputForName(name, value, model, tools) {
             return validateModelSpecializationOutput(value, model);
         case "tools":
             return validateToolsOutput(value, model, tools?.map((tool) => tool.id));
-        case "security":
-            return validateSecurityOutput(value, model);
+        case "prompt_injection":
+            return validatePromptInjectionOutput(value, model);
         default: {
             const _exhaustive = name;
             void _exhaustive;
@@ -123,17 +123,19 @@ function validateStockOutputForName(name, value, model, tools) {
     }
 }
 function validateMetadata(value, classifier, model) {
+    if (value.reason === undefined) {
+        throwInvalid(classifier, model, "reason is required");
+    }
+    if (value.certainty === undefined) {
+        throwInvalid(classifier, model, "certainty is required");
+    }
     return {
-        ...(value.reason === undefined
-            ? {}
-            : { reason: truncateText(requireString(value.reason, classifier, model, "reason"), STOCK_REASON_MAX_CHARS) }),
-        ...(value.confidence === undefined
-            ? {}
-            : { confidence: requireConfidence(value.confidence, classifier, model) }),
+        reason: truncateText(requireString(value.reason, classifier, model, "reason"), STOCK_REASON_MAX_CHARS),
+        certainty: requireEnum(value.certainty, CERTAINTY_VALUES, classifier, model, "certainty"),
     };
 }
 function validatePreflightOutput(value, model) {
-    ensureAllowedObjectKeys(value, ["reason", "confidence", "final_reply", "ack_reply"], "preflight", model, "output");
+    ensureAllowedObjectKeys(value, ["reason", "certainty", "final_reply", "ack_reply"], "preflight", model, "output");
     if (value.final_reply !== undefined && value.ack_reply !== undefined) {
         throwInvalid("preflight", model, "final_reply and ack_reply are mutually exclusive");
     }
@@ -163,7 +165,7 @@ function validateReplySignal(value, classifier, model, field) {
     return { reply };
 }
 function validateTierRoutingOutput(value, model) {
-    ensureAllowedObjectKeys(value, ["reason", "confidence", "model_tier"], "routing", model, "output");
+    ensureAllowedObjectKeys(value, ["reason", "certainty", "model_tier"], "routing", model, "output");
     const meta = validateMetadata(value, "routing", model);
     const modelTier = normalizeOptionalEnumValue(value.model_tier);
     return {
@@ -174,7 +176,7 @@ function validateTierRoutingOutput(value, model) {
     };
 }
 function validateModelSpecializationOutput(value, model) {
-    ensureAllowedObjectKeys(value, ["reason", "confidence", "specialization"], "model_specialization", model, "output");
+    ensureAllowedObjectKeys(value, ["reason", "certainty", "specialization"], "model_specialization", model, "output");
     const meta = validateMetadata(value, "model_specialization", model);
     const specialization = normalizeOptionalEnumValue(value.specialization);
     return {
@@ -194,7 +196,7 @@ function normalizeOptionalEnumValue(value) {
     return value;
 }
 function validateToolsOutput(value, model, configuredTools) {
-    ensureAllowedObjectKeys(value, ["reason", "confidence", "tools"], "tools", model, "output");
+    ensureAllowedObjectKeys(value, ["reason", "certainty", "tools"], "tools", model, "output");
     const meta = validateMetadata(value, "tools", model);
     const tools = requireStringArray(value.tools, "tools", model, "tools").map(normalizeTool);
     ensureNoDuplicates(tools, "tools", model, "tools");
@@ -208,39 +210,20 @@ function validateToolsOutput(value, model, configuredTools) {
     }
     return { ...meta, tools };
 }
-function validateSecurityOutput(value, model) {
-    ensureAllowedObjectKeys(value, ["reason", "confidence", "decision", "risk_level", "signals"], "security", model, "output");
-    const meta = validateMetadata(value, "security", model);
-    const decision = value.decision === undefined
-        ? undefined
-        : requireEnum(value.decision, SECURITY_DECISION_VALUES, "security", model, "decision");
-    const riskLevel = requireEnum(value.risk_level, STOCK_SAFETY_RISK_LEVEL_VALUES, "security", model, "risk_level");
-    const signals = requireStringArray(value.signals, "security", model, "signals");
-    ensureNoDuplicates(signals, "security", model, "signals");
-    if ((riskLevel === "normal" || riskLevel === "unknown") && signals.length > 0) {
-        throwInvalid("security", model, `${riskLevel} risk_level must not include signals`);
-    }
-    if (riskLevel !== "normal" && riskLevel !== "unknown" && signals.length === 0) {
-        throwInvalid("security", model, "elevated risk_level must include at least one signal");
-    }
-    if (decision === "block" && riskLevel !== "high_risk") {
-        throwInvalid("security", model, "decision block requires high_risk risk_level");
-    }
-    if (decision === "allow" && riskLevel === "high_risk") {
-        throwInvalid("security", model, "decision allow must not use high_risk risk_level");
-    }
+function validatePromptInjectionOutput(value, model) {
+    ensureAllowedObjectKeys(value, ["reason", "certainty", "risk_level"], "prompt_injection", model, "output");
+    const meta = validateMetadata(value, "prompt_injection", model);
+    const riskLevel = requireEnum(value.risk_level, STOCK_PROMPT_INJECTION_RISK_LEVEL_VALUES, "prompt_injection", model, "risk_level");
     return {
         ...meta,
-        ...(decision === undefined ? {} : { decision }),
         risk_level: riskLevel,
-        signals,
     };
 }
 function validateCustomOutput(value, classifier, model, schema) {
     if (!isRecord(value)) {
         throwInvalid(classifier, model, "output must be a JSON object");
     }
-    ensureAllowedObjectKeys(value, ["reason", "confidence", "output"], classifier, model, "output");
+    ensureAllowedObjectKeys(value, ["reason", "certainty", "output"], classifier, model, "output");
     if (value.output === undefined) {
         throwInvalid(classifier, model, "output is required for custom classifiers");
     }

package/dist/src/stock.d.ts

@@ -1,4 +1,4 @@
-import type { DownstreamModelTier, ModelSpecialization, SecurityDecision } from "./enums.js";
+import type { DownstreamModelTier, ModelSpecialization } from "./enums.js";
 export interface StockClassifierMessageInput {
     readonly role: "user" | "assistant";
     readonly text: string;
@@ -25,14 +25,15 @@ export interface SpecializationSignal {
 export interface ToolsSignal {
     readonly tools: ReadonlyArray<string>;
 }
-export interface SafetySignal {
-    readonly decision?: SecurityDecision;
+export interface PromptInjectionSignal {
     readonly risk_level: "normal" | "suspicious" | "high_risk" | "unknown";
-    readonly signals: ReadonlyArray<string>;
 }
+export type Certainty = "no_signal" | "very_weak" | "weak" | "tentative" | "reasonable" | "strong" | "very_strong" | "near_certain";
+export declare const CERTAINTY_VALUES: readonly ["no_signal", "very_weak", "weak", "tentative", "reasonable", "strong", "very_strong", "near_certain"];
+export declare const certaintyScore: Record<Certainty, number>;
 export interface ClassifierOutputMetadata {
-    readonly reason?: string;
-    readonly confidence?: number;
+    readonly reason: string;
+    readonly certainty: Certainty;
 }
 export interface PreflightClassifierOutput extends ClassifierOutputMetadata {
     readonly final_reply?: FinalReplySignal;
@@ -41,7 +42,7 @@ export interface PreflightClassifierOutput extends ClassifierOutputMetadata {
 export type RoutingClassifierOutput = TierSignal & ClassifierOutputMetadata;
 export type ModelSpecializationClassifierOutput = SpecializationSignal & ClassifierOutputMetadata;
 export type ToolsClassifierOutput = ToolsSignal & ClassifierOutputMetadata;
-export type SecurityClassifierOutput = SafetySignal & ClassifierOutputMetadata;
+export type PromptInjectionClassifierOutput = PromptInjectionSignal & ClassifierOutputMetadata;
 export interface CustomClassifierOutputValue extends ClassifierOutputMetadata {
     readonly output: unknown;
 }
@@ -50,9 +51,9 @@ export interface StockClassifierOutputs {
     readonly routing: RoutingClassifierOutput;
     readonly model_specialization: ModelSpecializationClassifierOutput;
     readonly tools: ToolsClassifierOutput;
-    readonly security: SecurityClassifierOutput;
+    readonly prompt_injection: PromptInjectionClassifierOutput;
 }
-export declare const STOCK_CLASSIFIER_NAMES: readonly ["preflight", "routing", "model_specialization", "tools", "security"];
+export declare const STOCK_CLASSIFIER_NAMES: readonly ["preflight", "routing", "model_specialization", "tools", "prompt_injection"];
 export type StockClassifierName = (typeof STOCK_CLASSIFIER_NAMES)[number];
 export type StockClassifierOutput = StockClassifierOutputs[StockClassifierName];
 export type ClassifierOutput = StockClassifierOutput | CustomClassifierOutputValue;
@@ -94,8 +95,8 @@ export declare function isStockManifest(manifest: RuntimeClassifierManifest): ma
 export declare function isCustomManifest(manifest: RuntimeClassifierManifest): manifest is RuntimeCustomManifest;
 export interface CustomClassifierOutput {
     readonly classifier: string;
-    readonly reason?: string;
-    readonly confidence?: number;
+    readonly reason: string;
+    readonly certainty: Certainty;
     readonly output: unknown;
 }
 export {};

package/dist/src/stock.js

@@ -1,9 +1,29 @@
+export const CERTAINTY_VALUES = [
+    "no_signal",
+    "very_weak",
+    "weak",
+    "tentative",
+    "reasonable",
+    "strong",
+    "very_strong",
+    "near_certain",
+];
+export const certaintyScore = {
+    no_signal: 0.00,
+    very_weak: 0.15,
+    weak: 0.30,
+    tentative: 0.45,
+    reasonable: 0.60,
+    strong: 0.75,
+    very_strong: 0.88,
+    near_certain: 0.97,
+};
 export const STOCK_CLASSIFIER_NAMES = [
     "preflight",
     "routing",
     "model_specialization",
     "tools",
-    "security",
+    "prompt_injection",
 ];
 // Helper: narrow a manifest to its stock kind for callers that know the name.
 export function isStockManifest(manifest) {