Skip to content

feat(detection): B3.1 graduated anomaly-scoring machinery (behavior-neutral)#36

Merged
rennf93 merged 6 commits into
masterfrom
feat/phase-b3-1-scoring
Jul 1, 2026
Merged

feat(detection): B3.1 graduated anomaly-scoring machinery (behavior-neutral)#36
rennf93 merged 6 commits into
masterfrom
feat/phase-b3-1-scoring

Conversation

@rennf93

@rennf93 rennf93 commented Jun 30, 2026

Copy link
Copy Markdown
Owner

Installs the scoring lever for false-positive reduction — in the "off" position. Behavior is identical to today; this is pure infrastructure for B3.2 (which turns ambiguous-pattern weights down to actually cut false positives).

What changed

  • New SecurityConfig.detection_threat_score_threshold field (default 1.0).
  • Per-category weight map DETECTION_CATEGORY_WEIGHTS (every category → 1.0) + an empty DETECTION_PATTERN_WEIGHT_OVERRIDES map + _resolve_pattern_weight(). Each regex threat dict now carries a weight.
  • _calculate_threat_score is now additive (sum of matched-pattern weights, capped at 1.0) instead of a flat 1.0.
  • is_threat is gated: anomaly >= threshold or any-semantic-threat.

Why it's behavior-neutral

Every weight = 1.0 and threshold = 1.0 ⇒ any single regex match gives anomaly ≥ 1.0 ⇒ is_threat = True, exactly as before. Semantic-only threats still flag via their presence.

Verification

  • 345 tests pass (the full detection + sync-mirror + attack-sim suites), zero changes to existing tests — the recall net.
  • Harness baseline unchanged: detection 0.857, fp 0.125 (ratchet green).
  • A dedicated test proves the lever works (threshold = 2.0 suppresses a single-pattern match).
  • ruff check + format clean; vulture clean; async/sync handlers byte-identical.

Next (B3.2, separate)

Expand the benign corpus (the pressure test already found Phase B introduced 4 new FP vectors) + lower ambiguous-pattern weights below threshold + surgical tightening → drop fp_rate while the recall ratchet (≥ 0.857) holds.

No API/route changes. detection_threat_score_threshold is a new config field; the downstream guard-core-app SecurityConfig catalog will need regen when it next bumps the dependency (separate cross-repo).

@github-actions github-actions Bot added area: handlers Touches guard_core/handlers/ area: models Touches guard_core/models.py area: sync Touches guard_core/sync/ (sync mirror generated by unasync) tests Test suite changes labels Jun 30, 2026
@rennf93 rennf93 self-assigned this Jul 1, 2026
rennf93 and others added 2 commits July 1, 2026 02:36
…ll held) (#37)

* feat(detection): SELECT..FROM corroboration scoring (low weight + star/WHERE signals)

* feat(detection): tighten ORDER BY / DDL / ERB / NoSQL patterns to require attack context

* test(attack-sim): expand benign corpus + re-baseline after B3.2 FP reduction (fp 0.125 -> 0.0)

---------

Co-authored-by: Renn F <rennf93@users.noreply.github.com>
…ontract; harden SusPatternsManager singleton isolation in reset_state
@rennf93
rennf93 merged commit a926592 into master Jul 1, 2026
6 of 11 checks passed
@rennf93
rennf93 deleted the feat/phase-b3-1-scoring branch July 1, 2026 02:14
rennf93 added a commit that referenced this pull request Jul 1, 2026
…-mirror repair (#38)

Assembles the 3.3.0 release from the detection work merged since v3.2.0 (#33-#37) plus the ipinfo-None deprecation fix from the 3.2.1 line.

- ipinfo_token/ipinfo_db_path DeprecationWarning no longer fires when the field is explicitly None (spurious warning for callers forwarding an optional setting).

- Declare SusPatternsManager._threat_score_threshold and coerce _regex_anomaly to float, fixing the mypy attr-defined / no-any-return errors introduced by #36.

- Exclude the async-only attack_simulation harness from unasync mirroring (its data corpus is not Python-transformable) and regenerate the previously-missing sync test mirrors; check-sync is green.

- Bump version to 3.3.0 and add CHANGELOG / release-notes entries.

Co-authored-by: Renn F <rennf93@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area: handlers Touches guard_core/handlers/ area: models Touches guard_core/models.py area: sync Touches guard_core/sync/ (sync mirror generated by unasync) tests Test suite changes

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant