stage7(l5d): pretrained backbone SHATTERS the generalization ceiling — RED on FP

distilbert-base-multilingual-cased (Apache-2.0, 135M, WordPiece reuses
the repo's zero-dep TS tokenizer) fine-tuned on the full corpus,
research-grounded (Instruction-Hierarchy/Spotlighting/StruQ/PG2/PINT).

THE result: POEM-UNSEEN 6.67 -> 77.78% (4.1x). That metric was
BIT-IDENTICAL 6.67% across logistic/bert-tiny/from-scratch — proven
unbreakable WITHOUT a language prior. With a prior it breaks
decisively. UNSEEN-SOURCE 38.69->48.74, frozen 94->98, system-level
P4RS (L1+L4+l5d) 100% (299/299). Pretraining = the generalization
lever, confirmed with evidence. leakage=0, converged (val-F1 0.973),
held-out never read.

RED: leakage-free benign FP 9.45% vs <1% ceiling, threshold-
irreducible (8.4% floor @0.99) — the documented PG2/ProtectAI
OOD-benign over-fire. Diagnosed: benign-data BREADTH, not capacity.
Opt-in only (createL5Cascade({l5dIntelligent:true})); src/index.ts
fusion 0 lines changed; shipped L5a default + l5c + v3 untouched;
130MB artifact gitignored+npm-excluded. 148 green, bundle byte-
identical, pack dist-only.

Two named next problems: (1) prior must be OURS (self-pretrain),
(2) OOD-benign FP breadth. Both = the self-pretraining stage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: sandeepl337

.gitignore

@@ -18,6 +18,11 @@ models/l5b/_student_fp32/
 # (files:["dist"]), large ONNX — gitignored from the shipped path exactly
 # like models/l5b. Reproducible from training/train_scratch.py (seed 1337).
 models/l5c/
+# STAGE-7 "intelligent" L5d artifact (fine-tuned Apache-2.0 distil-mBERT):
+# opt-in, npm-excluded (files:["dist"]), large INT8 ONNX — gitignored from
+# the shipped path exactly like models/l5b, l5c. Reproducible from
+# training/train_intelligent.py + export_intelligent.py (seed 1337).
+models/l5d/
 # isolated offline training venv (stable pinned CPU stack; never shipped)
 training/.venv/
 # python bytecode cache (training scripts; never shipped)

scripts/eval-l5d.mjs

@@ -0,0 +1,282 @@
+/**
+ * STAGE-7 HONEST evaluator — the "intelligent" L5d (fine-tuned Apache-2.0
+ * distil-mBERT) vs the working baseline (v3 L5a + bert-tiny L5b + Stage-6
+ * from-scratch l5c), model-only on the SAME seeded leakage-free split, plus
+ * the SYSTEM-level P4RS measurement (Spotlighting: obfuscation is owned by
+ * L1 normalize + L4 fence which PRECEDE the model — the Stage-6 wrong-bar
+ * was model-only-on-raw). NO TUNING here: pure measurement at the SAME
+ * 0.445 model threshold every prior stage used (0.5 for the P4RS guard,
+ * 0.8 for the product cascade).
+ *
+ * Held-out slices NEVER trained/tuned/early-stopped on:
+ *   • FROZEN test (training/.real_cache/test.jsonl)
+ *   • UNSEEN-SOURCE (deepset/prompt-injections + Lakera/gandalf_sum)
+ *   • POEM-UNSEEN (whole disjoint synthetic-poem source)
+ *   • OOD pooled (training/.ood_cache/ood.jsonl attack rows)
+ *   • P4RS3LT0NGV3 battery
+ * Leakage-free benign FP on the split's ood_benign_not_in_train.json.
+ *
+ * Run: npm run build && node scripts/eval-l5d.mjs
+ */
+import fs from "node:fs";
+import crypto from "node:crypto";
+import { createRequire } from "node:module";
+import { fileURLToPath } from "node:url";
+import { dirname, join } from "node:path";
+const require = createRequire(import.meta.url);
+const { createPromptPurify } = require("../dist/index.cjs");
+const {
+  createL5aClassifier,
+  createL5bRunner,
+  createL5cRunner,
+  createL5dRunner,
+  createL5Cascade,
+} = require("../dist/l5/index.cjs");
+import { buildPositives } from "./corpus-l5a.mjs";
+
+const T = 0.445;
+const __dir = dirname(fileURLToPath(import.meta.url));
+const C = join(__dir, "..", "training", ".real_cache");
+
+const reg = createPromptPurify({ profile: "balanced" }); // L1+L4, NO model
+const l5a = createL5aClassifier();
+let l5b = null;
+try {
+  l5b = await createL5bRunner();
+} catch (e) {
+  console.error("L5b unavailable:", e.message);
+}
+let l5c = null;
+try {
+  l5c = await createL5cRunner();
+} catch (e) {
+  console.error("L5c unavailable:", e.message);
+}
+const l5d = await createL5dRunner(); // intelligent (must exist)
+
+const parse = (p) =>
+  fs.readFileSync(p, "utf8").trim().split("\n").filter(Boolean).map((l) =>
+    JSON.parse(l),
+  );
+
+const ood = parse(join(__dir, "..", "training", ".ood_cache", "ood.jsonl"));
+const benign = ood.filter((r) => r.y === 0);
+const attack = ood.filter((r) => r.y === 1);
+const test = parse(join(C, "test.jsonl"));
+const unseen = parse(join(C, "unseen_bench.jsonl"));
+const poemUnseen = parse(join(C, "poem_unseen_bench.jsonl"));
+
+const san = (t) =>
+  reg.sanitize(String(t || "").slice(0, 4000), { sink: "untrusted_data" });
+const regBad = (t) =>
+  reg.inspect(String(t || "").slice(0, 4000), { sink: "untrusted_data" })
+    .verdict !== "clean-structural";
+
+async function scoreModels(rows) {
+  const out = [];
+  for (const r of rows) {
+    const s = san(r.text);
+    const { score: sA } = await l5a(s, { sink: "untrusted_data" });
+    const sB = l5b ? await l5b.score(s) : NaN;
+    const sC = l5c ? await l5c.score(s) : NaN;
+    const sD = await l5d.score(s);
+    out.push({ y: r.y, l4: regBad(r.text), l5a: sA, l5b: sB, l5c: sC, l5d: sD });
+  }
+  return out;
+}
+
+const pct = (n, d) => (d ? ((100 * n) / d).toFixed(2) : "n/a") + "%";
+const rate = (set, key, thr = T) =>
+  set.length ? set.filter((r) => r[key] >= thr).length / set.length : NaN;
+
+const normHash = (s) => {
+  let x = (s || "").normalize("NFKC").toLowerCase();
+  x = x.replace(/[^\p{L}\p{N}_\s]/gu, " ");
+  x = x.replace(/\s+/gu, " ").trim();
+  return crypto.createHash("sha1").update(x, "utf8").digest("hex");
+};
+const lfPath = join(C, "ood_benign_not_in_train.json");
+const lfSet = fs.existsSync(lfPath)
+  ? new Set(JSON.parse(fs.readFileSync(lfPath, "utf8")).hashes)
+  : null;
+
+const B = await scoreModels(benign);
+const A = await scoreModels(attack);
+const TST = await scoreModels(test);
+const UNS = await scoreModels(unseen);
+const PUN = await scoreModels(poemUnseen);
+
+const tstPos = TST.filter((r) => r.y === 1);
+const unsPos = UNS.filter((r) => r.y === 1);
+const punPos = PUN.filter((r) => r.y === 1);
+
+// ---- P4RS3LT0NGV3 battery: model-only AND SYSTEM-level ----------------------
+const par = { l4: 0, l5a: 0, l5b: 0, l5c: 0, l5d: 0, sys: 0, n: 0 };
+const ppSys = createPromptPurify({
+  classifier: createL5Cascade({ enableL5b: true, l5dIntelligent: true }),
+});
+for (const text of buildPositives()) {
+  const s = san(text);
+  par.n++;
+  if (regBad(text)) par.l4++;
+  const { score: sA } = await l5a(s, { sink: "untrusted_data" });
+  if (sA >= 0.5) par.l5a++;
+  if (l5b && (await l5b.score(s)) >= 0.5) par.l5b++;
+  if (l5c && (await l5c.score(s)) >= 0.5) par.l5c++;
+  if ((await l5d.score(s)) >= 0.5) par.l5d++;
+  // SYSTEM-level: raw text through the FULL pipeline (L1 normalize + L4
+  // fence + opt-in l5d cascade) — Spotlighting bar, the honest one.
+  const v = await ppSys.inspectAsync(String(text).slice(0, 4000), {
+    sink: "untrusted_data",
+  });
+  if (v.verdict !== "clean-structural") par.sys++; // flagged|blocked = caught
+}
+
+const Bclean = lfSet
+  ? B.filter((_, i) => lfSet.has(normHash(benign[i].text)))
+  : [];
+const lf = (key) =>
+  Bclean.length
+    ? Bclean.filter((r) => r[key] >= T).length / Bclean.length
+    : NaN;
+
+console.log("\n========= STAGE-7 INTELLIGENT L5d EVAL =========");
+console.log(`L5a: ${l5a("x", { sink: "untrusted_data" }).version}`);
+console.log(`L5b: ${l5b ? l5b.version : "UNAVAILABLE"}`);
+console.log(`L5c: ${l5c ? l5c.version : "UNAVAILABLE"}`);
+console.log(`L5d: ${l5d.version}  (PRETRAINED, FINE-TUNED)`);
+console.log(
+  `n: benignOOD=${benign.length} attackOOD=${attack.length} ` +
+    `frozenTESTpos=${tstPos.length} UNSEENpos=${unsPos.length} ` +
+    `POEMUNSEEN=${punPos.length}\n`,
+);
+
+const row = (label, key, posset) =>
+  console.log(
+    `  ${label.padEnd(14)} ${key.padEnd(4)}: ` +
+      `frozen=${pct(posset.test.filter((r) => r[key] >= T).length, posset.test.length)} ` +
+      `UNSEEN=${pct(posset.uns.filter((r) => r[key] >= T).length, posset.uns.length)} ` +
+      `POEM=${pct(posset.pun.filter((r) => r[key] >= T).length, posset.pun.length)} ` +
+      `OOD=${pct(posset.ood.filter((r) => r[key] >= T).length, posset.ood.length)}`,
+  );
+const PS = { test: tstPos, uns: unsPos, pun: punPos, ood: A };
+console.log("HELD-OUT RECALL @0.445 (model-only, worst cell = POEM/UNSEEN):");
+row("v3 shipped", "l5a", PS);
+if (l5b) row("v3 bert-tiny", "l5b", PS);
+if (l5c) row("S6 from-scratch", "l5c", PS);
+row("INTELLIGENT", "l5d", PS);
+
+console.log(
+  `\nLEAKAGE-FREE benign FP (n=${Bclean.length} of ${benign.length}, ` +
+    `HARD CEILING <1%):`,
+);
+console.log(
+  `  L4=${pct(Bclean.filter((r) => r.l4).length, Bclean.length)} ` +
+    `L5a=${pct(Bclean.filter((r) => r.l5a >= T).length, Bclean.length)} ` +
+    (l5b ? `L5b=${pct(Bclean.filter((r) => r.l5b >= T).length, Bclean.length)} ` : "") +
+    (l5c ? `L5c=${pct(Bclean.filter((r) => r.l5c >= T).length, Bclean.length)} ` : "") +
+    `L5d=${pct(Bclean.filter((r) => r.l5d >= T).length, Bclean.length)}`,
+);
+
+console.log("\nP4RS3LT0NGV3 battery (regression guard):");
+console.log(
+  `  model-only@0.5: L4 ${par.l4}/${par.n}  L5a ${par.l5a}/${par.n}  ` +
+    (l5b ? `L5b ${par.l5b}/${par.n}  ` : "") +
+    (l5c ? `L5c ${par.l5c}/${par.n}  ` : "") +
+    `L5d ${par.l5d}/${par.n}`,
+);
+console.log(
+  `  SYSTEM-level (L1+L4+l5d cascade, the honest bar): ` +
+    `${par.sys}/${par.n} = ${pct(par.sys, par.n)}`,
+);
+
+// Opt-in intelligent cascade frozen-test benign FPR@0.8 + recall@0.8.
+const ppFull = createPromptPurify();
+const l1 = (t) => ppFull.sanitize(t, { sink: "untrusted_data" });
+const casc = createL5Cascade({ enableL5b: true, l5dIntelligent: true });
+let cfp = 0,
+  cn = 0,
+  crec = 0,
+  cp = 0;
+for (const r of test) {
+  const s = l1(r.text);
+  const fired =
+    reg.inspect(String(r.text).slice(0, 4000), { sink: "untrusted_data" })
+      .verdict !== "clean-structural";
+  const sc = (await casc(s, { sink: "untrusted_data" })).score;
+  const hit = fired || sc >= 0.8;
+  if (r.y === 0) {
+    cn++;
+    if (hit) cfp++;
+  } else {
+    cp++;
+    if (hit) crec++;
+  }
+}
+console.log(
+  `\nOPT-IN intelligent cascade @0.8 on FROZEN test: ` +
+    `benignFPR=${pct(cfp, cn)} recall=${pct(crec, cp)} ` +
+    `(shipped L5a-only default UNCHANGED)`,
+);
+
+const H = {
+  l5a_version: l5a("x", { sink: "untrusted_data" }).version,
+  l5b_version: l5b ? l5b.version : null,
+  l5c_version: l5c ? l5c.version : null,
+  l5d_version: l5d.version,
+  n: {
+    benign_ood: benign.length,
+    attack_ood: attack.length,
+    test_pos: tstPos.length,
+    unseen_pos: unsPos.length,
+    poem_unseen: punPos.length,
+    leakage_free_benign: Bclean.length,
+  },
+  recall_frozen_test: {
+    l5a: rate(tstPos, "l5a"),
+    l5b: rate(tstPos, "l5b"),
+    l5c: rate(tstPos, "l5c"),
+    l5d: rate(tstPos, "l5d"),
+  },
+  recall_unseen: {
+    l5a: rate(unsPos, "l5a"),
+    l5b: rate(unsPos, "l5b"),
+    l5c: rate(unsPos, "l5c"),
+    l5d: rate(unsPos, "l5d"),
+  },
+  recall_poem_unseen: {
+    l5a: rate(punPos, "l5a"),
+    l5b: rate(punPos, "l5b"),
+    l5c: rate(punPos, "l5c"),
+    l5d: rate(punPos, "l5d"),
+  },
+  recall_ood: {
+    l5a: rate(A, "l5a"),
+    l5b: rate(A, "l5b"),
+    l5c: rate(A, "l5c"),
+    l5d: rate(A, "l5d"),
+  },
+  fp_leakage_free: {
+    n: Bclean.length,
+    l4: Bclean.length ? Bclean.filter((r) => r.l4).length / Bclean.length : null,
+    l5a: lf("l5a"),
+    l5b: lf("l5b"),
+    l5c: lf("l5c"),
+    l5d: lf("l5d"),
+  },
+  p4rs3lt0ngv3: {
+    n: par.n,
+    l4: par.l4 / par.n,
+    l5a: par.l5a / par.n,
+    l5b: l5b ? par.l5b / par.n : null,
+    l5c: l5c ? par.l5c / par.n : null,
+    l5d: par.l5d / par.n,
+    system_level: par.sys / par.n,
+  },
+  optin_intelligent_cascade_frozen: {
+    benign_fpr: cn ? cfp / cn : null,
+    recall: cp ? crec / cp : null,
+  },
+};
+console.log("\n===JSON===");
+console.log(JSON.stringify(H));

src/l5/cascade.ts

@@ -53,6 +53,7 @@ import {
   type L5bOptions,
 } from "./transformer.js";
 import { createL5cRunner, type L5cRunner } from "./l5c.js";
+import { createL5dRunner, type L5dRunner } from "./l5d.js";
 
 export interface L5CascadeOptions extends L5bOptions {
   /**
@@ -87,6 +88,18 @@ export interface L5CascadeOptions extends L5bOptions {
    * never clears a structural block, never `.safe`.
    */
   l5cFromScratch?: boolean;
+  /**
+   * STAGE-7 OPT-IN: use the "intelligent" L5d model
+   * (`distilbert-base-multilingual-cased`, Apache-2.0, fine-tuned on our
+   * full seeded leakage-free corpus) as the ambiguous-band escalator
+   * INSTEAD of L5b/L5c. Default false. Requires `enableL5b: true` to take
+   * effect (it shares the EXACT same confidence-gated escalation path;
+   * only the runner differs). Takes precedence over `l5cFromScratch` if
+   * both are set. The SHIPPED L5a-only default and src/index.ts honesty
+   * fusion are UNCHANGED. Honesty contract identical: probabilistic,
+   * advisory only, never clears a structural block, never `.safe`.
+   */
+  l5dIntelligent?: boolean;
   /**
    * s_a strictly below this ⇒ confident ALLOW, L5b skipped. Default 0.15
    * (below the in-repo corpus positive-class minimum ≈0.146; the bulk of
@@ -141,10 +154,15 @@ export function createL5Cascade(opts: L5CascadeOptions = {}): Classifier {
   const gate = opts.l5bGate ?? 1;
   const withReason = opts.withReason !== false;
 
-  const useL5c = opts.l5cFromScratch === true;
-  let runnerPromise: Promise<L5bRunner | L5cRunner> | null = null;
+  const useL5d = opts.l5dIntelligent === true;
+  const useL5c = !useL5d && opts.l5cFromScratch === true;
+  let runnerPromise: Promise<L5bRunner | L5cRunner | L5dRunner> | null = null;
   const getRunner = () =>
-    (runnerPromise ??= useL5c ? createL5cRunner(opts) : createL5bRunner(opts));
+    (runnerPromise ??= useL5d
+      ? createL5dRunner(opts)
+      : useL5c
+        ? createL5cRunner(opts)
+        : createL5bRunner(opts));
 
   return async (
     text: string,
@@ -199,7 +217,7 @@ export function createL5Cascade(opts: L5CascadeOptions = {}): Classifier {
     // existing inspectAsync catch turns it into a classifier-error info
     // risk. We must NOT silently fall back to s_a on the band where the
     // semantic check actually matters — that would be a false-safe.
-    let runner: L5bRunner | L5cRunner;
+    let runner: L5bRunner | L5cRunner | L5dRunner;
     try {
       runner = await getRunner();
     } catch (e) {

src/l5/index.ts

@@ -100,3 +100,12 @@ export {
   type L5cOptions,
   type L5cRunner,
 } from "./l5c.js";
+// STAGE-7 "intelligent" L5d: fine-tuned pretrained Apache-2.0 backbone
+// (distilbert-base-multilingual-cased). Opt-in only (cascade
+// `l5dIntelligent`). Shipped L5a-only default + src/index.ts honesty
+// fusion UNCHANGED. See training/RESEARCH.md + training/INTEGRATION.md.
+export {
+  createL5dRunner,
+  type L5dOptions,
+  type L5dRunner,
+} from "./l5d.js";