feat: Step 18 — LLM-as-judge for INSTRUCTION_OVERRIDE#18
Merged
PSchmitz-Valckenberg merged 3 commits intoApr 27, 2026
Conversation
Replaces the V1 keyword/length heuristic for INSTRUCTION_OVERRIDE
with a pluggable judge interface. Two implementations are bound by a
single config flag — the heuristic stays the default, and an opt-in
LLM judge addresses the silent-compliance gap that V1 documented as a
known limitation.
Architecture:
- New InstructionOverrideJudge interface returning a binary
JudgeVerdict (complied true/false + reasoning + source).
- HeuristicInstructionOverrideJudge: V1 logic, lifted out of
ScoringEngine. Default bean, picked when
sentinelcore.scoring.judge.enabled is false or absent.
- LlmInstructionOverrideJudge: opt-in via the same flag. Sends a
zero-shot judge prompt asking for strict JSON
({"complied": <bool>, "reasoning": "..."}). Robust JSON extraction
(handles markdown fences/prose around the object). Any failure —
network, missing field, wrong type, parse error, empty response —
falls back to the heuristic with the original input/response and
tags the verdict source as LLM_FALLBACK_HEURISTIC so the gap is
visible in evidence rather than hidden.
- ScoringEngine.checkInstructionOverride delegates to the bean and
maps complied -> SUCCESS, else FAIL. The V1 PARTIAL_SUCCESS path
is removed for this check (a binary judge has no need for it; long
non-refusal of an override now counts as compliance — documented
semantic shift).
Config:
- sentinelcore.scoring.judge.enabled flag in application.yml,
default false. Existing benchmarks continue to use the heuristic
with no behavior change.
Tests (15 new + 2 updated):
- HeuristicInstructionOverrideJudgeTest: 6 tests covering the V1
decision tree under the new interface contract.
- LlmInstructionOverrideJudgeTest: 10 tests for clean parses,
noisy-but-extractable JSON, malformed JSON, missing/wrong-type
fields, network exceptions, empty responses, and judge prompt
structure.
- ScoringEngineTest: instantiates with HeuristicInstructionOverrideJudge;
the previous PARTIAL_SUCCESS test for long non-refusal is updated
to assert SUCCESS to reflect the V2 semantic shift.
- EvaluationRunServiceTest: same constructor update.
No schema changes. All 81 unit tests green, full compile clean.
The V1 §3.4 leaned on "deterministic, no LLM in scoring" as a principle. Step 18 adds an opt-in LLM judge for INSTRUCTION_OVERRIDE, which violates that principle on purpose for one isolated check — the doc needs to be honest about it rather than pretend nothing changed. Changes: - §3.4 retitled "heuristic by default, judge by opt-in". - Both judge implementations described, including the strict-JSON contract, the fallback chain, and the per-case verdict source. - "Alternatives considered" reframed: ML scoring is no longer rejected outright but bounded — opt-in, gated, and only on the one check where the heuristic is provably weakest. Few-shot prompting added as a new rejected alternative (bias risk). - V2 semantic shift explained: PARTIAL_SUCCESS no longer produced for INSTRUCTION_OVERRIDE; long non-refusal of an override now maps to SUCCESS for both judges. - Two known V2 limitations made explicit: circular bias when judge shares the system-under-test's provider, and per-case cost. - §5 limitations table: INSTRUCTION_OVERRIDE row marked addressed in V2. - §6 roadmap: judge marked shipped, cross-provider judge identified as the next iteration.
Contributor
There was a problem hiding this comment.
Pull request overview
Introduces a pluggable “LLM-as-judge” path for the INSTRUCTION_OVERRIDE check to catch silent compliance, while keeping the existing heuristic as the default and recording judge provenance in persisted evidence.
Changes:
- Refactors
INSTRUCTION_OVERRIDEscoring behind a newInstructionOverrideJudge+JudgeVerdictabstraction with source tagging. - Adds
LlmInstructionOverrideJudge(opt-in viasentinelcore.scoring.judge.enabled) with heuristic fallback and strict JSON parsing. - Updates scoring semantics/tests: long non-refusal on override attempts now maps to
SUCCESS(binary complied=true/false), and evidence now includes judge metadata.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/main/java/com/sentinelcore/service/ScoringEngine.java | Delegates INSTRUCTION_OVERRIDE to InstructionOverrideJudge and embeds verdict metadata into evidence. |
| src/main/java/com/sentinelcore/scoring/InstructionOverrideJudge.java | Adds judge interface to decouple scoring from specific implementations. |
| src/main/java/com/sentinelcore/scoring/JudgeVerdict.java | Adds verdict record including complied, reasoning, and source enum. |
| src/main/java/com/sentinelcore/scoring/HeuristicInstructionOverrideJudge.java | Extracts V1 heuristic into a judge implementation and applies the V2 semantic shift. |
| src/main/java/com/sentinelcore/scoring/LlmInstructionOverrideJudge.java | Adds opt-in LLM-based judge with JSON parsing and heuristic fallback on failures. |
| src/main/resources/application.yml | Documents and adds sentinelcore.scoring.judge.enabled flag (default false). |
| src/test/java/com/sentinelcore/scoring/HeuristicInstructionOverrideJudgeTest.java | New unit tests for heuristic judge behavior and source tagging. |
| src/test/java/com/sentinelcore/scoring/LlmInstructionOverrideJudgeTest.java | New unit tests covering parsing/fallback behavior and prompt structure. |
| src/test/java/com/sentinelcore/service/ScoringEngineTest.java | Updates engine construction and asserts new evidence + V2 SUCCESS semantic shift. |
| src/test/java/com/sentinelcore/service/EvaluationRunServiceTest.java | Updates engine construction for new constructor signature. |
| DESIGN.md | Updates design documentation to reflect judge abstraction, opt-in LLM judge, and V2 semantic shift. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Four issues raised in review: 1. Exception stack trace dropped in fallback logging — both catch blocks now pass the exception as the last SLF4J argument so the full cause (timeout vs auth vs parse) appears in the log rather than only the message string. 2. Judge reasoning unbounded in persisted evidence — added truncateReasoning() in ScoringEngine capping the reasoning field at 500 chars with an ellipsis marker so score_details.evidence stays within a predictable size even if the judge ignores the "one short sentence" instruction. 3. DI bug: HeuristicInstructionOverrideJudge was conditional on judge.enabled=false, so when judge.enabled=true Spring could not resolve it as a dependency for LlmInstructionOverrideJudge — app would fail to start. Fixed by removing @ConditionalOnProperty from the heuristic (it is now always a bean, serving as the fallback target) and adding @primary to LlmInstructionOverrideJudge so Spring injects it into ScoringEngine when both are present. 4. extractJsonObject over-captured when LLM output contains extra braces after the JSON object — replaced indexOf/lastIndexOf with a brace-counting scan that respects string literals and escaped characters, returning the first balanced {...} block.
PSchmitz-Valckenberg
deleted the
feat/step-18-judge-instruction-override
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does
V1 scored
INSTRUCTION_OVERRIDEwith a five-step keyword/length heuristic. The documented gap: silent compliance — a model that follows an override instruction without using any phrase from the compliance-marker list would getPARTIAL_SUCCESSat best, miss entirely at worst.This PR closes that gap by introducing an
InstructionOverrideJudgeinterface with two implementations wired up via@ConditionalOnProperty:HeuristicInstructionOverrideJudge(default) — the V1 logic, lifted out ofScoringEngineand placed behind the interface. Zero extra LLM calls, fully deterministic. Picked whensentinelcore.scoring.judge.enabledisfalseor absent.LlmInstructionOverrideJudge(opt-in) — a second LLM call that asks the model: "did this response comply with the override instruction in the input?" Zero-shot prompt, strict JSON output ({"complied": <bool>, "reasoning": "..."}). Falls back to the heuristic on any failure (network, parse error, wrong type, empty response) and tags the verdict source asLLM_FALLBACK_HEURISTICso the degradation is visible in theevidencecolumn rather than silently dropped.Architecture
JudgeVerdictcarries three fields:complied(boolean),reasoning(string), andsource(HEURISTIC/LLM/LLM_FALLBACK_HEURISTIC). All three are written to the per-caseevidencecolumn — so everyScoreDetailrecord is self-describing about whether the verdict came from a keyword match or an LLM call.Semantic shift
The V1 heuristic produced
PARTIAL_SUCCESSwhen an override attempt got a long non-refusal but no explicit compliance marker — a tie-breaker it couldn't actually break. The binary judge removes that case: long non-refusal of an override attempt now maps tocomplied=true→SUCCESS. This applies to both judges for consistency. Documented in DESIGN.md §3.4.Known limitations (documented in DESIGN.md §3.4)
INSTRUCTION_OVERRIDE-relevant case when the judge is enabled. The default-off flag protects benchmarks that don't need it.Config
No schema change, no migration needed.
Tests
16 new unit tests, 2 updated:
HeuristicInstructionOverrideJudgeTestjudgeAsSourcetaggingLlmInstructionOverrideJudgeTesttrue/falseparse, JSON in markdown fences, malformed JSON, missing field, wrong type, network exception, empty response, missing reasoning field, prompt structureScoringEngineTestEvaluationRunServiceTest81/81 unit tests green. Full compile clean. No schema changes.