Skip to content

Comments

feat: skill trust levels and quarantine system (M25)#424

Merged
bug-ops merged 3 commits intomainfrom
feat/m25/skill-trust-quarantine
Feb 17, 2026
Merged

feat: skill trust levels and quarantine system (M25)#424
bug-ops merged 3 commits intomainfrom
feat/m25/skill-trust-quarantine

Conversation

@bug-ops
Copy link
Owner

@bug-ops bug-ops commented Feb 17, 2026

Summary

  • 4-tier skill trust model: Trusted > Verified > Quarantined > Blocked
  • TrustGateExecutor enforces per-turn restrictions based on minimum trust level across active skills
  • AnomalyDetector with sliding-window threshold counters for quarantined skill monitoring
  • blake3 content hashing for integrity verification on load and hot-reload
  • Quarantine prompt wrapping for structural isolation of untrusted skill bodies
  • Self-learning disabled for skills with trust < Verified
  • SQLite migration 009 with trust CRUD operations
  • CLI commands: /skill trust, /skill block, /skill unblock
  • [skills.trust] config section

Crates modified

Crate Changes
zeph-skills TrustLevel, SkillSource, blake3 hashing, quarantine prompt wrapping
zeph-tools TrustGateExecutor, AnomalyDetector
zeph-memory skill_trust table migration + CRUD
zeph-core TrustConfig, agent loop integration, self-learning gate, CLI commands

Security

Addresses threat model from security analysis:

  • AV-1 (prompt injection): quarantine wrapping with restriction warnings
  • AV-2 (privilege escalation): TrustGateExecutor blocks denied tools
  • AV-3 (self-learning abuse): trust gate in learning.rs
  • AV-4 (hot-reload tampering): hash verification on reload

Test plan

  • 1381 tests pass (35 new tests for trust system)
  • Clippy clean, fmt clean
  • Security audit: 3 critical/high findings fixed, verified by reviewer
  • Performance: no measurable overhead (all checks O(1) on hot path)

Closes #418, closes #419, closes #420, closes #421, closes #422

@github-actions github-actions bot added enhancement New feature or request documentation Improvements or additions to documentation skills SKILL.md system memory Persistence and memory rust core dependencies config size/XL and removed enhancement New feature or request labels Feb 17, 2026
Implement 4-tier trust model (Trusted/Verified/Quarantined/Blocked) for
skills with runtime enforcement via TrustGateExecutor, anomaly detection,
blake3 integrity verification, and quarantine prompt wrapping.

Quarantined skills are denied bash, file_write, and web_scrape tools.
Self-learning is disabled for skills below Verified trust level.
Hot-reload hash mismatch auto-downgrades to Quarantined.

Closes #419, closes #420, closes #421, closes #422
@bug-ops bug-ops force-pushed the feat/m25/skill-trust-quarantine branch from 2fd6f13 to 16a22ef Compare February 17, 2026 02:58
@github-actions github-actions bot added the enhancement New feature or request label Feb 17, 2026
Add mdBook page covering trust model, quarantine enforcement, anomaly
detection, CLI commands, and configuration. Update skills guide and
README with trust system references.
@bug-ops bug-ops merged commit 6408363 into main Feb 17, 2026
20 checks passed
@bug-ops bug-ops deleted the feat/m25/skill-trust-quarantine branch February 17, 2026 03:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

config core dependencies documentation Improvements or additions to documentation enhancement New feature or request memory Persistence and memory rust size/XL skills SKILL.md system

Projects

None yet

1 participant