feat(classifiers): replace regex heuristics with Candle-backed lightweight classifiers

[bug-ops]

Problem

Zeph currently uses regex/rule-based heuristics in several critical subsystems. These have well-known failure modes: no context awareness, brittle to paraphrasing, require manual pattern maintenance, and miss semantic variants.

Affected subsystems:

• FeedbackDetector (detector_mode = "regex") — detects user corrections/disagreements for skill learning
• Content injection detection — flag_injection_patterns regex list in SecurityConfig
• PII filter — email/phone/SSN/credit card regex patterns
• redact_sensitive() — credential pattern detection (sk-, AKIA, ghp_, Bearer)
• ACON compression failure detection — UNCERTAINTY_PATTERNS + PRIOR_CONTEXT_PATTERNS
• Output filter SecurityPatterns — 17 LazyLock regex in tools

Strategic Direction

Replace all heuristic regex classifiers with specialized lightweight models via Candle (HuggingFace). Large LLMs (GPT-4, Claude Opus) should be reserved for complex reasoning and planning. Classification/detection tasks go to dedicated small models.

Architecture principle: every subsystem that currently calls regex.is_match() on LLM input/output should instead call a ClassifierProvider backed by a Candle model (or zero-shot gpt-4o-mini as fallback). Provider pattern already established via [[llm.providers]] and *_provider fields.

Research Findings (CI-178)

Three-tier hierarchy from 2024–2026 literature:

Tier	Approach	Latency	Best for
1	Regex pre-filter	<1ms	High-recall first pass (keep as fallback)
2	Linear probe on LLM activations	<10ms	Injection, PII when host model available
3	Fine-tuned small transformer via Candle	50–200ms	All tasks with HuggingFace models
4	Zero-shot gpt-4o-mini prompt	200ms+	Cold-start, no labeled data available

Recommended Models (HuggingFace / Candle-compatible)

Task	Model	Size	Notes
Injection detection	mDeBERTa-v3-base-prompt-injection-v2	280MB	Multi-label, production-grade
Content safety	Llama-Guard-3-1B	1B	Meta canonical agent safeguard
PII detection	piiranha-v1-detect-personal-information	300MB	BERT-based, 300k+ downloads
Feedback/correction	zero-shot gpt-4o-mini	API	No labeled dataset; bootstrap with synthetic data
General safety (lightweight)	DeBERTa-v3 + LEC head (arXiv:2412.13435)	0.5–3B	Qwen 0.5B backbone, fast after warmup

Key Papers

• arXiv:2412.13435 — LEC (Layer Enhanced Classification): logistic regression on intermediate transformer layer activations, surpasses GPT-4o with <100 examples, Qwen 0.5B–3B backbone. Most applicable to Zeph.
• arXiv:2510.14005 — PIShield: linear probe on residual stream, no fine-tuning, covers injection detection
• arXiv:2510.07551 — RECAP Hybrid PII: regex fast path + LLM second pass, 82% better than NER-only
• arXiv:2312.06674 — Llama Guard 3: Meta production safety classifier for agent I/O
• arXiv:2509.23994 — AI Agent Code of Conduct: policy-as-prompt enforcement via LLM classifier
• arXiv:2510.09781 — Safiron: pre-execution guardian model for agentic plans

Implementation Plan

Phase 1 — ClassifierProvider abstraction

• Add ClassifierProvider trait to zeph-core with classify(text) -> ClassificationResult
• Candle backend: load ONNX/safetensors from HuggingFace cache
• Fallback: zero-shot LLM via existing [[llm.providers]]
• Config: [classifiers] section with injection_provider, pii_provider, feedback_provider, safety_provider

Phase 2 — FeedbackDetector migration

• Replace detector_mode = "regex" with detector_mode = "model"
• Zero-shot gpt-4o-mini or fine-tuned small model; keep regex as offline fallback

Phase 3 — Injection detection

• Replace flag_injection_patterns regex with mDeBERTa-v3-base-prompt-injection-v2 via Candle
• Score threshold replaces pattern list

Phase 4 — PII filter

• Hybrid: keep regex fast path, add piiranha/NER second pass for contextual PII

Notes

• Candle backend (zeph-candle crate) already exists but underutilized — large selection of ready HuggingFace models
• All classifier calls must be async with configurable timeouts; fall back to regex on timeout
• Models cached in ~/.cache/zeph/classifiers/ on first use
• Privacy: classifier models MUST run locally via Candle by default — no external API for PII/injection data
• Future direction: many specialized lightweight models per task > one large LLM for everything

[bug-ops]

Technical Research Update CI-180 (2026-03-27)

Key Finding: EmbedModel already covers 90% of the boilerplate

crates/zeph-llm/src/candle_provider/embed.rs already implements the exact load pattern needed for classifiers: hf_hub download, VarBuilder::from_mmaped_safetensors, BertModel::load. A ClassifierModel reuses this — replacing only the pooling+head step. The loader's validate_safetensors helper is already written.

candle-transformers model support

• candle_transformers::models::bert::BertModel — backbone only; classification head must be hand-written (candle_nn::Linear on [CLS] token)
• candle_transformers::models::deberta_v2 — added PR fix(scheduler): prevent unbounded tokio::spawn in TUI metrics refresh #2743; supports both sequence classification (injection) AND NER/token classification (PII) — same module serves both tasks
• DeBERTa-v3 uses SentencePiece tokenizer — supported via tokenizers crate's tokenizer.json (no extra dep)

Reference implementation: parry-guard

vaporif/parry-guard — working Rust crate today, uses candle or ort backend for DeBERTa-v3 injection detection. Study for tokenizer setup, chunking strategy (256-char chunks, 25 overlap, head+tail for long texts).

ONNX via ort crate: 3–5x faster than Candle for CPU classifiers

The pykeio/ort crate wraps ONNX Runtime in Rust (zero-FFI). For inference-only classifiers where ONNX exports exist, ort is measurably faster than Candle. ort-candle interop crate also exists.

Revised model recommendations (buildable today)

Task	Model	Backend	Size	CPU latency
Injection detection (fast)	protectai/deberta-v3-small-prompt-injection-v2	Candle deberta_v2	~100MB	50–150ms
Injection detection (faster)	protectai/deberta-v3-base-injection-onnx	ort	~280MB	20–50ms
PII (NER, 6 languages, 17 types)	iiiorg/piiranha-v1-detect-personal-information	Candle deberta_v2	~280MB	100–200ms
Credential redaction (sk-, AKIA, ghp_, Bearer)	Keep regex	None	0	<1ms — ML adds no value
Safety/zero-shot categories	protectai/deberta-v3-base-zeroshot-v1-onnx	ort	~280MB	30–80ms
Safety (async/background)	meta-llama/Llama-Guard-3-1B-INT4	Candle llama	440MB	2–5s — NOT for inline use
Feedback/correction detection	zero-shot gpt-4o-mini	existing provider	API	200ms+

Architecture recommendation

Two backends, not one:

1. Candle — for models without ONNX exports (piiranha, Llama Guard async), zero-FFI, portable
2. ort (ONNX Runtime) — for models with ONNX exports (injection, zero-shot safety), 3–5x faster

Add ort = "2" to workspace Cargo.toml as optional dep alongside existing candle-core. ClassifierProvider trait dispatches to either backend transparently.

Note on Llama Guard 3-1B

2–5 seconds on CPU — not suitable as an inline guard. Use only for async post-processing (e.g., log analysis, periodic session audit). Real-time safety via DeBERTa-v3 encoder (50–200ms) instead.