CSML stands for Composite Safety-Model-Ledger. Earlier documentation used “Continuous Safety Monitoring Language” — that was deprecated in v0.2. The canonical definition is the formula below.
The formula
Normalized prompt-level out-of-policy attempt rate for model
m. Higher = more risk.Normalized mean blocks-per-prompt intensity. Higher = more policy interventions required.
Normalized median overspeed severity. Higher = larger physical envelope violations.
Normalized task completion rate. Higher = better; enters the formula with a negative sign.
Indicator: 1 if the Evidence Ledger hash chain is unbroken through time
t, else 0.Default weights
Weights are tunable per deployment. The defaults are defensible against ROSClaw’s data but not proven optimal. See FACTS for the version’s canonical weights.
Calibration against ROSClaw
ROSClaw’s TurtleBot3 cross-model study produces the following calibrated CSML values:
Under the tier escalation function, Llama 4 Maverick with CSML = 0.66 triggers
Δ_trust = 2, automatically elevating any T0 request to T2. This is the protocol-level correction that protects against the 3.4× behavioral spread ROSClaw documented.
The gateway doesn’t trust model-vendor alignment claims. It measures behavior in situ and adjusts the tier. If a previously-safe model drifts in production (new release, new fine-tune, supply-chain compromise), the CSML tracks it.
Update cadence
CSML updates on a configurable cadence — default every 50 events or every 60 seconds, whichever is sooner. Every update emits aCSML_UPDATE event on the Evidence Ledger, so the safety score itself is auditable.
Federated CSML (future)
The current CSML is local to one deployment. A federated CSML — where multiple deployments contribute anonymized per-model safety observations to a shared score — is future work. See roadmap.Read next
Tiers
How Δ_trust feeds into the tier escalation function.
Threat model
STRIDE+B class B (“Behavioral Non-Determinism”) uses CSML as its primary mitigation.