feat(phase-1): LLM enrichment with anti-hallucination Layer 1 (#7)

* feat(phase-1): LLM enrichment with anti-hallucination Layer 1

Closes #2.

What ships
- src/ycai/schemas.py: CompanyAnalysis pydantic model. Industry,
  AICapability, TechStack, OSSPosture closed-set enums. CrossCheckResult
  for the two-pass logic.
- src/ycai/classifier.py: deterministic prefilling. Maps yc-oss tag soup
  to the Industry enum without an LLM, reducing the surface area where
  the model can hallucinate.
- src/ycai/researcher.py: the analyze() pipeline plus three Backend
  implementations:
    * AgentSDKBackend (default) — claude-agent-sdk against Claude Max
      subscription, no API cost.
    * AnthropicAPIBackend — pay-per-token via --api-key or
      ANTHROPIC_API_KEY. Key never logged or written to disk.
    * MockBackend — deterministic test backend.
- src/ycai/cli.py: --enrich flag opts companies through the enrichment
  pipeline. --enrich-limit caps for smoke runs. Rich progress UI.
- tests/fixtures/hallucination_traps.json: 10 synthetic companies
  designed to bait the classifier (misleading names, suggestive but
  vague descriptions, source-URL bait, acronym confusion, etc.).
- tests/test_classifier.py + tests/test_researcher.py: 78 tests total
  (40 new). Schema enforcement, source-URL guard, two-pass cross-check,
  trap-resistance, PII redaction-in-prompt verification, API-key
  no-leakage verification.

Anti-hallucination Layer 1 invariants
1. Pydantic schema rejects empty sources (min_length=1 on the field).
2. Source URLs must originate from the company website or YC profile
   URL — fabricated citations downgrade the row to low confidence.
3. confidence=medium triggers a second independent pass; disagreement
   on industry_primary or oss_posture downgrades to low.
4. Any failure returns a sentinel low-confidence row that survives in
   the CSV but is excluded from charts. No silent drops.
5. PII is stripped from the prompt before the backend sees it
   (defense-in-depth even though yc-oss/api fields are public).

Live smoke run on 5 W26 companies via subscription
- 4 high / 1 low confidence in 39 seconds, ~free on subscription
- gru.space correctly identified as no-ai (the model is willing to
  say a YC company is not an AI company)
- velum-labs correctly fell through to low-confidence sentinel when
  schema validation failed (likely rationale exceeded 400 char limit
  - tracked as B006)
- All cited sources came from inputs (website + YC profile only)
- Captured at examples/output/analyses-w26-smoke-2026-05-01.json

New backlog
- B006: track schema-validation failure rate, tune prompt if >5%
- B007: add depth=1 website crawl before LLM call to recover tech
  stack and OSS posture (currently come back as 'unknown' for most
  companies because the YC long_description doesn't mention them)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(phase-1): pin anthropic + claude-agent-sdk in pyproject deps

CI mypy job didn't have either SDK installed because they were never
listed in pyproject.toml deps — they were just available locally.
Adding them as runtime deps so CI installs them via pip install -e
.[dev].

Both are small wheels and the package needs at least one of them at
runtime (anthropic for the API path, claude-agent-sdk for the
subscription path), so requiring them is correct, not bloat.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: RyanAlberts

.secrets.baseline

@@ -127,5 +127,5 @@
     }
   ],
   "results": {},
-  "generated_at": "2026-05-01T19:00:38Z"
+  "generated_at": "2026-05-01T19:21:27Z"
 }

BACKLOG.md

@@ -19,6 +19,8 @@ Promoted to GitHub issues when an item survives more than one PR. ADRs for non-t
 - [B003] CI annotations report Node 20 actions deprecated (forced to Node 24 from 2026-06-02). Refresh `actions/checkout`, `actions/setup-python`, `gitleaks/gitleaks-action` to Node-24-compatible majors before that date. — surfaced in: phase 0 CI run — proposed: ad-hoc PR before 2026-06-02
 - [B004] Tune `MIN_DESCRIPTION_CHARS` (currently 80). The W26 probe surfaced one borderline drop (`moda`, 57 chars). A small calibration study against borderline rows would let us pick a defensible threshold. — surfaced in: W26 quality probe — proposed: PR #2
 - [B005] Name the missing-from-upstream companies, not just count them. Compare yc-oss slugs to a slug list discovered from `/companies/<slug>` profile pages so the dropped register includes "Acme (in YC W26 but not in yc-oss/api)". — surfaced in: W26 quality probe — proposed: PR #2 or #3
+- [B006] Track schema-validation failure rate during enrichment as a tracked metric. The W26 smoke run had 1/5 (20%) parse failures (`velum-labs` — likely rationale exceeded the 400 char limit). Measure this across the full batch and tune prompt or schema if rate exceeds ~5%. — surfaced in: PR #2 smoke — proposed: PR #3
+- [B007] Tech-stack and OSS-posture nearly always come back as `unknown` because the model only sees the YC `long_description`, not the company website. Adding a depth=1 website crawl before the LLM call would let the model identify e.g. "this product is closed-source SaaS" or "uses OpenAI" — significantly improving Tier A signal density. Cost: ~5-10 KB extra context per company. — surfaced in: PR #2 smoke — proposed: PR #3
 
 ## Done
 

CHANGELOG.md

@@ -12,5 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Phase 1 PR #1: yc-oss/api scraper, PII sanitizer, link verifier, coverage probe, single-file dashboard, Typer CLI (`ycai run-coverage`).
 - Coverage metric is the dashboard headline. The dropped register acknowledges every excluded company and the specific reason — no quiet drops.
 - First end-to-end probe on YC W26: 63.3% coverage of the official 196-company batch. Findings in `docs/QUALITY_REPORT_W26.md`.
+- Phase 1 PR #2: LLM-based enrichment with anti-hallucination Layer 1 — pydantic-enforced output schema, source-URL guard against fabricated citations, two-pass cross-check on uncertain rows, sentinel low-confidence row on any failure. Three backends: `AgentSDKBackend` (subscription-default), `AnthropicAPIBackend` (`--api-key`), `MockBackend` (tests). 10 hallucination-trap fixtures locked in as regression tests.
+- W26 enrichment smoke run (5 companies via subscription, 39s, ~free): 4 high / 1 low confidence. Identified `gru.space` as `no-ai` correctly. Schema-validation failure on `velum-labs` correctly fell through to the sentinel — no fabricated analysis served.
 
 [Unreleased]: https://github.com/RyanAlberts/yc-ai-pulse/compare/main...HEAD

examples/README.md

@@ -6,6 +6,7 @@ Sanitized sample artifacts. Every commit goes through `make publish-check` so PI
 |---|---|
 | [`output/dashboard-w26-2026-05-01.html`](output/dashboard-w26-2026-05-01.html) | Phase 1 dashboard for YC W26. Headline: 63.3% coverage of the 196-company batch, with the dropped register naming every excluded company. |
 | [`output/coverage-w26-2026-05-01.json`](output/coverage-w26-2026-05-01.json) | Machine-readable coverage report — what feeds the dashboard. |
+| [`output/analyses-w26-smoke-2026-05-01.json`](output/analyses-w26-smoke-2026-05-01.json) | PR #2 smoke run: 5-company LLM enrichment via Sonnet 4.6 on subscription. Captures the schema-enforced output and demonstrates source-URL grounding (every cited URL is from `website` or YC profile). |
 
 The full quality writeup for W26 is in [`docs/QUALITY_REPORT_W26.md`](../docs/QUALITY_REPORT_W26.md).
 

examples/output/analyses-w26-smoke-2026-05-01.json

@@ -0,0 +1,115 @@
+[
+  {
+    "slug": "bidflow",
+    "industry_primary": "Real Estate / Construction",
+    "industry_secondary": [
+      "B2B SaaS"
+    ],
+    "ai_capability": [
+      "rag",
+      "nlp-classic",
+      "agents"
+    ],
+    "tech_stack": [
+      "unknown"
+    ],
+    "oss_posture": "unknown",
+    "oss_evidence_url": null,
+    "tagline_rewrite": "AI copilot that automates electrical contractor RFP estimation, cutting bid prep time dramatically.",
+    "confidence": "high",
+    "sources": [
+      "https://www.ycombinator.com/companies/bidflow",
+      "https://usebidflow.com/"
+    ],
+    "rationale": "The description explicitly states the product helps 'electrical contractors do electrical estimates way faster using AI' and targets 'redundant paperwork' in RFP submission, confirming Real Estate/Construction primary with B2B SaaS delivery; YC tags 'AI Assistant' and 'SaaS' corroborate the classification."
+  },
+  {
+    "slug": "travo",
+    "industry_primary": "Real Estate / Construction",
+    "industry_secondary": [
+      "B2B SaaS",
+      "AI Infrastructure"
+    ],
+    "ai_capability": [
+      "rag",
+      "data-pipeline",
+      "agents"
+    ],
+    "tech_stack": [
+      "unknown"
+    ],
+    "oss_posture": "unknown",
+    "oss_evidence_url": null,
+    "tagline_rewrite": "AI-powered real estate data platform for RV parks and niche asset classes \u2014 comps, ownership, zoning, and financials in one place.",
+    "confidence": "high",
+    "sources": [
+      "https://www.ycombinator.com/companies/travo",
+      "https://www.travoai.com/"
+    ],
+    "rationale": "The description explicitly states they 'use AI to collect and analyze real estate data' and 'build the best informed AI applications for real estate private equity firms, developers, and brokers,' confirming a Real Estate / Construction primary with AI-driven data pipeline and RAG-style retrieval capabilities. No specific model or framework is mentioned, so tech_stack is unknown."
+  },
+  {
+    "slug": "galactic-resource-utilization-space-inc-gru-space",
+    "industry_primary": "Industrials",
+    "industry_secondary": [
+      "Real Estate / Construction",
+      "Consumer",
+      "Government / Defense"
+    ],
+    "ai_capability": [
+      "no-ai"
+    ],
+    "tech_stack": [],
+    "oss_posture": "unknown",
+    "oss_evidence_url": null,
+    "tagline_rewrite": "In-situ resource utilization to build pressurized lunar habitats, starting with a Moon hotel opening 2032.",
+    "confidence": "high",
+    "sources": [
+      "https://www.ycombinator.com/companies/galactic-resource-utilization-space-inc-gru-space",
+      "https://gru.space/"
+    ],
+    "rationale": "The description explicitly focuses on off-planet habitat construction using 'in-situ resource utilization technology, turning local material into building material,' with a roadmap through lunar and Martian infrastructure \u2014 squarely Industrials/Aviation and Space. No AI capabilities or tech stack are mentioned anywhere in the provided text."
+  },
+  {
+    "slug": "autumn-ai",
+    "industry_primary": "B2B SaaS",
+    "industry_secondary": [
+      "AI Infrastructure",
+      "Developer Tools"
+    ],
+    "ai_capability": [
+      "rag",
+      "data-pipeline",
+      "nlp-classic",
+      "agents"
+    ],
+    "tech_stack": [
+      "unknown"
+    ],
+    "oss_posture": "unknown",
+    "oss_evidence_url": null,
+    "tagline_rewrite": "Real-time buying signal intelligence platform that monitors web activity to surface high-intent prospects for GTM teams.",
+    "confidence": "high",
+    "sources": [
+      "https://www.ycombinator.com/companies/autumn-ai"
+    ],
+    "rationale": "The description explicitly states Autumn is 'building the first real-time signal intelligence platform for GTM teams' that 'monitors posts, commits, blogs, and announcements, surfacing buying signals,' indicating a B2B SaaS product with AI-driven data pipeline and NLP capabilities; no specific model providers or OSS artifacts are mentioned."
+  },
+  {
+    "slug": "velum-labs",
+    "industry_primary": "Unknown",
+    "industry_secondary": [],
+    "ai_capability": [
+      "unclear"
+    ],
+    "tech_stack": [],
+    "oss_posture": "unknown",
+    "oss_evidence_url": null,
+    "tagline_rewrite": "(no analysis: schema-validation-failure)",
+    "confidence": "low",
+    "sources": [
+      "https://github.com/RyanAlberts/yc-ai-pulse#unverifiable"
+    ],
+    "rationale": "Auto-generated low-confidence sentinel because: schema-validation-failure"
+  }
+]

pyproject.toml

@@ -21,6 +21,8 @@ dependencies = [
   "pydantic>=2.5",
   "typer>=0.12",
   "rich>=13",
+  "anthropic>=0.40",
+  "claude-agent-sdk>=0.1",
 ]
 
 [project.optional-dependencies]

scripts/publish_check.sh

@@ -26,7 +26,7 @@ fi
 #   - scripts/{secret_scan,publish_check}.sh (these files name the patterns)
 #   - tests/test_sanitizer.py (test fixtures must contain the patterns)
 SUSPICIOUS=$(git ls-files \
-  | grep -v -E '^(\.secrets\.baseline|scripts/secret_scan\.sh|scripts/publish_check\.sh|tests/test_sanitizer\.py)$' \
+  | grep -v -E '^(\.secrets\.baseline|scripts/secret_scan\.sh|scripts/publish_check\.sh|tests/test_sanitizer\.py|tests/test_researcher\.py)$' \
   | xargs grep -l -E -i 'sk-ant-[A-Za-z0-9_\-]{20,}|ghp_[A-Za-z0-9]{36}|AKIA[0-9A-Z]{16}' 2>/dev/null || true)
 if [[ -n "$SUSPICIOUS" ]]; then
   echo "❌ suspicious credential strings found in:"

scripts/secret_scan.sh

@@ -36,7 +36,7 @@ else
     # - tests/test_sanitizer.py (test fixtures must contain the patterns
     #   they're testing redaction of). Reviewed manually — these are fake values.
     HITS=$(echo "$FILES" \
-      | grep -v -E '^(\.secrets\.baseline|scripts/secret_scan\.sh|tests/test_sanitizer\.py)$' \
+      | grep -v -E '^(\.secrets\.baseline|scripts/secret_scan\.sh|tests/test_sanitizer\.py|tests/test_researcher\.py)$' \
       | xargs grep -E -l "$pattern" 2>/dev/null || true)
     if [[ -n "$HITS" ]]; then
       echo "❌ pattern matched: $pattern"

src/ycai/classifier.py

@@ -0,0 +1,78 @@
+"""Taxonomies + deterministic prefilling.
+
+Where we can answer a classification question from yc-oss/api fields alone
+(without an LLM), we do. This:
+  1. saves Sonnet calls,
+  2. produces a deterministic answer auditors can re-derive,
+  3. reduces the surface area where the model can hallucinate.
+
+The LLM still classifies AI capability, tech stack, OSS posture, and the
+tagline — fields that can't be derived from YC's tag list.
+"""
+
+from __future__ import annotations
+
+from ycai.schemas import Industry
+
+# yc-oss industry / subindustry / tag substrings -> our enum.
+# Ordered most-specific first; first match wins.
+_INDUSTRY_RULES: tuple[tuple[str, Industry], ...] = (
+    ("ai infrastructure", Industry.AI_INFRASTRUCTURE),
+    ("developer tools", Industry.DEVELOPER_TOOLS),
+    ("dev tools", Industry.DEVELOPER_TOOLS),
+    ("security", Industry.SECURITY),
+    ("biotech", Industry.BIOTECH),
+    ("healthcare", Industry.HEALTHCARE),
+    ("medical", Industry.HEALTHCARE),
+    ("fintech", Industry.FINTECH),
+    ("financial", Industry.FINTECH),
+    ("legal", Industry.LEGAL),
+    ("education", Industry.EDUCATION),
+    ("real estate", Industry.REAL_ESTATE_CONSTRUCTION),
+    ("construction", Industry.REAL_ESTATE_CONSTRUCTION),
+    ("logistics", Industry.SUPPLY_CHAIN_LOGISTICS),
+    ("supply chain", Industry.SUPPLY_CHAIN_LOGISTICS),
+    ("climate", Industry.CLIMATE_ENERGY),
+    ("energy", Industry.CLIMATE_ENERGY),
+    ("robotics", Industry.ROBOTICS),
+    ("hardware", Industry.HARDWARE),
+    ("industrials", Industry.INDUSTRIALS),
+    ("government", Industry.GOVERNMENT_DEFENSE),
+    ("defense", Industry.GOVERNMENT_DEFENSE),
+    ("media", Industry.MEDIA_CONTENT),
+    ("content", Industry.MEDIA_CONTENT),
+    ("consumer", Industry.CONSUMER),
+    ("b2b", Industry.B2B_SAAS),
+    ("saas", Industry.B2B_SAAS),
+)
+
+
+def map_industry(yc_industry: str, yc_subindustry: str = "", yc_tags: list[str] | None = None) -> Industry:
+    """Map a yc-oss industry/subindustry/tags hint into our enum.
+
+    Returns ``Industry.UNKNOWN`` only if absolutely nothing matches — the LLM
+    can override our guess if it has a stronger signal from the website.
+    """
+    haystack = " ".join(
+        [yc_industry or "", yc_subindustry or "", " ".join(yc_tags or [])],
+    ).lower()
+    for needle, industry in _INDUSTRY_RULES:
+        if needle in haystack:
+            return industry
+    return Industry.UNKNOWN
+
+
+def industry_secondaries(yc_industry: str, yc_subindustry: str, yc_tags: list[str]) -> list[Industry]:
+    """Extra industry hits beyond the primary, from the same haystack.
+
+    Caps at 3 to keep the chart legible.
+    """
+    haystack = " ".join([yc_industry or "", yc_subindustry or "", " ".join(yc_tags or [])]).lower()
+    seen: list[Industry] = []
+    for needle, industry in _INDUSTRY_RULES:
+        if needle in haystack and industry not in seen:
+            seen.append(industry)
+    return seen[1:4]  # skip the primary (index 0), take next 3
+
+
+__all__ = ["industry_secondaries", "map_industry"]