feat(panic): Panic Response Layer — behavioral destabilization detection

[laurentftech]

Summary

Full implementation of the Panic Response Layer — behavioral destabilization detection orthogonal to EpistemicLease (freshness ≠ panic). The core insight: observe behavioral collapse, not activity level.

Freshness vs Panic — explicit separation

Freshness models epistemic authority decay.
Panic models behavioral destabilization.
Neither implies the other.

An agent can be stale but calm (deep linear work in stale context), or fresh but panicking (rapid confused navigation after a recent orient()). The two dimensions are computed independently; only the panic ceiling (staleDepth floors panicLevel) couples them.

---

Core engine (panic-response.ts)

• PanicLevel L0–L4 with hysteresis (separate up/down thresholds — prevents thrashing)
• Panic ceiling: staleDepth≥2 floors panicLevel≥1; staleDepth=3 floors panicLevel≥2
• Atomic panic-state.json writes (POSIX rename(2)), fail-open reads, 30min session expiry
• buildPanicCheckOutput(): cooldown enforcement, directive mode at interventionCountSinceStable≥3
• revision: number in PanicState — monotonically bumped on every write, enables CAS
• gryphWindowStart?: string — tracks Gryph query window for the panic-check hook path independently from lastOrientAt (which could be hours old). Advanced on each intervention write; 2-min fallback prevents replaying hours of history.

Signal model (epistemic-lease.ts)

Per-call behavioral signals:

Signal	Weight
Trajectory burst (density ≥ 0.60)	+15
Oscillation spike (osc ≥ 0.50)	+10
Stale depth 3 persistence	+25/call
Passive wall-clock decay	−5/min
Locality recovery	−3/call when stable

localityConfidence is shared behavioral state — used by both the freshness engine (burst gate) and the panic engine (stale_depth_3 gate, burst escalation gate). Computed in updateTracker() so it's always current regardless of panic mode. Changes to this metric affect both systems — modify with full blast-radius awareness:

• stale_depth_3 and burst escalation only fire when localityConfidence < 0.5
• Formula: (1 − min(1, density×2)) × (1 − min(1, oscillation))

Refractory period: orient() sets panicRecoverySuppressionUntil (+45s) when score reduces — suppresses upward signals to let recovery land before re-escalating. Subsequent orient() calls during an active refractory replace the deadline (not extend): the window starts fresh from the most recent recovery. Spam orient (delta=0) does not set refractory.

Provenance trace: every panic_score_delta event includes a provenance[] array with per-trigger {name, delta, evidence} entries.

commandEntropy is normalized Shannon entropy over recent shell command signatures:

H = −Σ p(cmd)·log₂(p(cmd))  normalized to [0,1]
Low entropy = retry loop. High entropy = exploratory burst.

The signal is behavioral collapse, not throughput. Raw tool frequency is never a panic signal.

Orient spam protection: −40 normal / −15 rapid (<2min) / 0 spam (≥3 rapid). interventionCountSinceStable resets on stable recovery, orient reset, or 30min session expiry.

Oscillation model fix

computeOscillationScore() now operates over the transition sequence (entries where module actually changed), not the full window. Previous formula scored A→A→A→A as 1.0 (same as confusion loop). Focused single-module work now correctly produces oscillation=0.

Gryph runtime observability (gryph-bridge.ts + gryph-watch.ts)

The MCP blind spot: panic scoring only fires on openlore MCP tool calls. Agents working exclusively via Bash/Edit/Read are invisible to the MCP-path signal model — they can enter behavioral collapse with no panic signal generated. Worse: MCP-path Gryph polling only starts after the first tool call, so sessions that never call openlore tools have zero observability.

Closed by openlore gryph-watch — a standalone observer process whose lifetime is fully decoupled from the MCP server session:

openlore gryph-watch (independent process)
  └── startGryphPolling → while loop → CAS writes to panic-state.json
      └── MCP server reads panic-state.json on each tool call

gryph-watch lifecycle:

• Installed as a UserPromptSubmit hook via openlore setup --hooks — starts on the first user prompt, not the first tool call
• Singleton via PID file (.openlore/gryph-watch.pid) — one per workspace directory
• Auto-detects project directory by walking up from CWD
• Exits on SIGTERM/SIGINT or stdin EOF (parent death detection)
• Silent exit when mode: 'off'

Polling invariants:

• while (!stopped) loop replaces setInterval — eliminates timer drift, stop lifecycle races, orphan timers; sequential await makes overlap structurally impossible
• Single-flight isPolling flag kept as defense-in-depth
• Module-level _pollerRegistry: Map<string, () => void> enforces one-poller-per-workspace at the call site
• Async spawn (non-blocking) — isolated from MCP execution path
• All failures degrade to null — fail-open, never throws

CAS writes prevent multi-writer score regression:

Both gryph-watch and the MCP server write to panic-state.json. Without concurrency control, a slow Gryph query that reads stale state can overwrite the MCP server's fresher write (silent score regression).

• casWritePanicState(directory, expectedRevision, state): reads current revision, checks against expected, writes with revision+1 — all synchronous, atomic within the Node.js event loop (no await between read and write)
• Gryph poll: CAS write → on conflict, re-reads fresh state and recomputes delta → retries once → gives up after 2 failures (tries again next interval)
• MCP path: writePanicState() returns the new revision; synced into tracker.panicRevision so subsequent MCP writes never regress the revision
• panicRevision added to EpistemicTracker and trackerToPanicState()

Gryph signals + decay:

Signal	Condition	Weight
repetitiveRetryBurst	low commandEntropy + failing commands	+15
largePatchWhileStale (>500 LOC write, low entropy)	staleDepth≥2 (MCP-path only)	+30
largePatchWhileStale (>500 LOC write, high entropy)	staleDepth≥2, deliberate refactor	+10
Passive wall-clock decay	elapsed since state.updatedAt	−5/min

Decay is applied inside applySnapshotDelta() before Gryph signal deltas so score can drop between polls when the agent is idle — not just via the MCP path.

OPENLORE_GRYPH_TIMEOUT_MS — per-query budget (default 150ms, min 50ms).
OPENLORE_GRYPH_POLL_INTERVAL_MS — poll interval override (default 15s, min floor 5s).

Centralized constants (panic-constants.ts)

All numeric thresholds, weights, cooldowns, and timing values live in panic-constants.ts as the single source of truth. Tests import and reference these constants directly — no hardcoded magic numbers that silently diverge when thresholds change.

Dual-channel intervention

• MCP channel: panic signal injected into every tool response when panicLevel≥1 (advisory/experimental_blocking modes only)
• PreToolUse hook: openlore panic-check fires before every tool call — closes the tunneling blind spot (agent stops calling openlore → MCP signals can't reach it)
• Gryph background channel: openlore gryph-watch observes continuously, session-lifetime independent
• Anti-wallpaper: advisory→directive mode at interventionCountSinceStable≥3
• L4 enforcement model: experimental_blocking emits {"decision":"block","advisory":true} at L4 and exits 0 — advisory:true is always present; runtime decides enforcement. OpenLore never mandates.

Cooldown preservation

mcp.ts reads disk state before each writePanicState() call to preserve lastHookInterventionAt and gryphWindowStart set by the panic-check process (separate OS process). Previously these fields were silently wiped on every MCP tool call, breaking cooldown enforcement.

Intervention feedback loop

mcp.ts detects orient() calls (via tracker.lastOrientResetAt change) and emits panic_intervention_outcome when orient followed a hook intervention within 5 minutes. Enables retrospective validation of whether interventions actually produced behavioral change from telemetry.

Opt-in panic response (PanicResponseMode)

Panic is disabled by default. Users opt in via .openlore/config.json:

{ "panicResponse": { "mode": "observe" } }

Mode	Panic scoring	State file	Response injection	Hook output	gryph-watch
off (default)	—	—	—	silent exit 0	silent exit 0
observe	✓	✓	—	silent exit 0	✓
advisory	✓	✓	L2+ warning text	advisory JSON	✓
experimental_blocking	✓	✓	L2+ warning text	{"decision":"block","advisory":true} at L4	✓

mode:'off' disables: panic scoring, panic state persistence, panic interventions, panic telemetry, panic hook output, Gryph observation. Behavioral metrics required by the freshness engine (density, oscillation, localityConfidence) continue to be computed in-memory as part of EpistemicLease.

Policy is never stored in EpistemicTracker or panic-state.json — config is the single source of truth. panic-check always exits 0 (fail-open). setup --hooks and setup --panic <mode> are independent commands.

Architecture: policy / state separation

• updatePanic() extracted from updateTracker() and exported — mcp.ts calls it conditionally based on panic mode
• localityConfidence computed in updateTracker() — shared behavioral state reused by freshness and panic; changes affect both systems
• tracker.density and tracker.panicRevision stored after each call so callers can read/sync them post-updateTracker()
• EpistemicTracker contains behavioral/freshness state only — no policy fields
• updateTracker() always runs; only updatePanic() + writePanicState() are gated on mode !== 'off'
• Gryph observation runs as a separate process (gryph-watch), not inside the MCP server

Status line integration

openlore panic-level — read-only command outputting P:L{n} (empty at L0) for status line displays. No side effects, no writes.

{ "statusLine": { "type": "command", "command": "openlore panic-level --directory $(pwd) 2>/dev/null" } }

Trajectory tracking during stale

Trajectory density and oscillation continue accumulating while stale so post-stale burst and behavioral patterns remain observable. Stale state does not freeze the behavioral model.

Runtime safety invariants

- panic-check MUST fail open (always exits 0, on all code paths including errors)
- Gryph absence MUST have zero behavioral impact
- gryph-watch MUST be singleton per workspace (PID file guard)
- gryph-watch poll loop MUST NOT overlap (while loop + isPolling flag)
- CAS writes MUST be atomic within Node.js event loop (no await between read and write)
- Telemetry failure MUST NOT affect tool execution
- panic-state.json corruption MUST resolve to stable state
- Hook execution failure MUST NOT block MCP flow
- panic-check and telemetry CLI commands never call updateTracker — no recursive loop
- mode:'off' disables panic subsystem; freshness metrics continue in-memory
- refractory deadline is replaced (not extended) by subsequent orient() calls
- experimental_blocking payload always carries advisory:true — runtime decides enforcement
- revision monotonically increases across all writers (MCP + gryph-watch)
- lastHookInterventionAt and gryphWindowStart preserved across MCP writes (read-merge-write)

Telemetry + observability

• panic.jsonl domain: panic_level_change, panic_orient_reset, hook_intervention, panic_signal_injected, panic_score_delta (with provenance), gryph_poll, panic_intervention_outcome
• panic_score_delta events carry source: 'gryph' when emitted from gryph-watch; provenance entries include evidence: { source: 'gryph' }
• telemetry.ts rotation: 50MB threshold, keep 5 rotated files
• openlore telemetry panic section: episodes, avg recovery latency, failed recovery rate, hook intercepts, MCP injections, orient spam, Gryph enrichment rate, trigger frequency

Setup integration

• openlore setup --hooks claude|kilo|codex — installs both PreToolUse panic-check hook and UserPromptSubmit gryph-watch hook
• openlore setup --panic <mode> — sets panicResponse.mode in .openlore/config.json; explicit downgrade always allowed
• Both flags work non-interactively (no TTY required when --hooks or --panic used without --tools)

---

Test plan

• panic-response.test.ts: 29 tests — hysteresis, state I/O, fail-open, buildPanicCheckOutput, getPanicSignalText
• epistemic-lease.test.ts: 86 tests — score accumulation, ceiling, orient spam, signal detection, refractory, localityConfidence formula, burst escalation gate, trackerToPanicState
• telemetry.test.ts: 24 tests — computePanicStats, computeRecovery, computeObstinacy with synthetic JSONL events
• gryph-bridge.test.ts: 19 tests — single-flight, stop cleanup, null stability, no-signal no-write, retry burst score update, large patch stale gating, large patch NOT stale (no delta), provenance source:gryph, exception fail-open, null tracker still writes file, score accumulation across polls (decay-aware)
• TypeScript build clean (0 errors)
• 2821/2821 tests pass

🤖 Generated with Claude Code