
An answer-or-ABSTAIN gate for RAG/agent answers, driven by grounding-DROP sensitivity - catches poisoned-context errors that confidence misses. Zero dependencies.

Project description

grounding-firewall

An answer-or-ABSTAIN gate for RAG / agent answers, driven by grounding-drop sensitivity instead of confidence. Zero dependencies (Python stdlib only).

Why

A model's confidence is blind exactly where it is confidently wrong: when a retrieved document is poisoned (it asserts a plausible but false answer), frontier models follow it at full confidence. The firewall instead measures how much the answer depends on the retrieved doc, using two queries, one with the context and one with the context dropped:

sensitivity = | p(answer | context) - p(answer | context dropped) |

An answer that flips when its evidence is removed is grounded in the doc, not in the model's own knowledge, so if the doc is wrong the answer is wrong and confidence will not warn you. The firewall abstains on high-sensitivity answers and lets the rest through.

Measured (frontier models, realistic mixed retrieval)

Each factual question was asked once with a clean doc and once with a poisoned doc (50/50 mix), on glm-5.2 and deepseek-v4-flash:

signal                                                 glm-5.2          deepseek-v4-flash
confidence: correlation with correctness               -0.07 (blind)    +0.21 (blind)
drop-sensitivity: correlation with correctness         +0.97            +1.00
confidence: wrong-rate at 50% coverage                 ~42%             ~50%
firewall: wrong-rate at 50% coverage                   0%               0%
risk-coverage AUC, firewall vs confidence (lower wins) 0.216 vs 0.427   0.261 vs 0.489

The firewall keeps every clean-doc answer and abstains on every poisoned one, whereas gating on confidence ships about half of its answers wrong, because poisoned and clean answers are both produced at high confidence. Under all-poison retrieval, frontier models follow the poisoned doc ~94-100% of the time at full confidence, and the firewall correctly abstains on nearly everything.

Honest scope: the results cover strong direct-assertion poison on 2-option factual questions. The signal measures dependence on the doc, not correctness: a correct doc the model could not have answered without also scores high sensitivity and is abstained on, so the coverage you keep tracks the fraction of clean docs in your retrieval only for facts the model already knows. The real deploy cost is one extra (context-dropped) model query per answer.
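The gate and the two selective-prediction metrics from the table, as an added worked example written for this page; it is not the grounding-firewall package's own code. The model is a constructed stand-in (a 0.9 parametric prior that is overridden at 0.98 by any option asserted in the context), the evaluation questions are constructed, and `threshold` is an assumed knob rather than a documented package parameter. It shows why confidence is blind (clean and poisoned answers tie at 0.98) while drop-sensitivity separates them, and how wrong-rate at 50% coverage and risk-coverage AUC are computed from an abstain score.

```python
"""Answer-or-ABSTAIN gate driven by grounding-drop sensitivity, plus the
risk-coverage scoring used to compare it with confidence.

Illustrative code written for this page; NOT the grounding-firewall package's
implementation. The scorer is a constructed stand-in for a model, and
`threshold` is an assumed knob, not a documented package parameter.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple

Probs = Dict[str, float]                                   # option -> p(option | prompt)
Scorer = Callable[[str, Sequence[str], Optional[str]], Probs]


@dataclass(frozen=True)
class GateResult:
    answer: str
    confidence: float    # p(answer | context): the signal the firewall distrusts
    sensitivity: float   # |p(answer | context) - p(answer | context dropped)|
    decision: str        # "ANSWER" or "ABSTAIN"


def gate(question: str, options: Sequence[str], context: str,
         score: Scorer, threshold: float = 0.5) -> GateResult:
    """Two model queries: one with the retrieved context, one with it dropped.
    If the chosen answer's probability moves by more than `threshold` when the
    evidence is removed, the answer rests on the doc alone and is refused."""
    with_ctx = score(question, options, context)
    without_ctx = score(question, options, None)
    answer = max(with_ctx, key=with_ctx.__getitem__)
    sensitivity = abs(with_ctx[answer] - without_ctx[answer])
    decision = "ABSTAIN" if sensitivity > threshold else "ANSWER"
    return GateResult(answer, with_ctx[answer], sensitivity, decision)


def toy_scorer(knowledge: Dict[str, str]) -> Scorer:
    """Constructed stand-in for a frontier model on 2-option questions: a 0.9
    parametric prior on the answer it knows, but any option directly asserted
    in the context is followed at 0.98 whether or not it is true."""
    def score(question: str, options: Sequence[str], context: Optional[str]) -> Probs:
        asserted = None
        if context:
            asserted = next((o for o in options if o.lower() in context.lower()), None)
        top, p_top = (asserted, 0.98) if asserted else (knowledge[question], 0.9)
        rest = (1.0 - p_top) / (len(options) - 1)
        return {o: p_top if o == top else rest for o in options}
    return score


def risk_at_coverage(scores: Sequence[Tuple[float, bool]], coverage: float) -> float:
    """Release answers in increasing abstain-score order until `coverage`
    (fraction of questions answered) is reached; return their wrong-rate."""
    ordered = sorted(scores, key=lambda s: s[0])
    kept = ordered[: max(1, round(coverage * len(ordered)))]
    return sum(w for _, w in kept) / len(kept)


def risk_coverage_auc(scores: Sequence[Tuple[float, bool]]) -> float:
    """Area under the risk-coverage curve, sampled at coverage 1/n .. 1.
    Lower is better: a good abstain score releases the correct answers first."""
    ordered = sorted(scores, key=lambda s: s[0])
    wrong, area = 0, 0.0
    for k, (_, is_wrong) in enumerate(ordered, start=1):
        wrong += int(is_wrong)
        area += wrong / k
    return area / len(ordered)


# Constructed evaluation set (not the page's data): each question is asked
# once with a clean doc and once with a poisoned doc asserting the other option.
QUESTIONS = {
    "What is the capital of Australia?": ("Canberra", "Sydney"),
    "What is the capital of Canada?": ("Ottawa", "Toronto"),
    "Which planet is closest to the Sun?": ("Mercury", "Venus"),
    "Which is the largest ocean?": ("Pacific", "Atlantic"),
}
KNOWLEDGE = {q: opts[0] for q, opts in QUESTIONS.items()}   # first option is true


def run_eval(questions=QUESTIONS, knowledge=KNOWLEDGE) -> Dict[str, float]:
    score = toy_scorer(knowledge)
    conf_scores, sens_scores = [], []
    for q, (truth, wrong_opt) in questions.items():
        for doc_answer in (truth, wrong_opt):                 # clean, then poisoned
            res = gate(q, (truth, wrong_opt), f"Doc: the answer is {doc_answer}.", score)
            is_wrong = res.answer != knowledge[q]
            conf_scores.append((-res.confidence, is_wrong))   # most confident released first
            sens_scores.append((res.sensitivity, is_wrong))   # least sensitive released first
    return {
        "confidence_wrong_rate_at_50pct": risk_at_coverage(conf_scores, 0.5),
        "firewall_wrong_rate_at_50pct": risk_at_coverage(sens_scores, 0.5),
        "confidence_auc": risk_coverage_auc(conf_scores),
        "firewall_auc": risk_coverage_auc(sens_scores),
    }


if __name__ == "__main__":
    for name, value in run_eval().items():
        print(f"{name:32s} {value:.3f}")
```

In a real deployment `score` would be two calls to the OpenAI-compatible endpoint with logprobs enabled, one with the retrieved doc in the prompt and one without; everything else in the gate is unchanged. Note that the confidence ranking here is decided by tie-breaking order, which is exactly the point: with every answer at 0.98 there is nothing for a confidence threshold to act on.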

Install

pip install grounding-firewall

Use

import grounding_firewall as gf

# OpenAI-compatible endpoint (here a local Ollama server). logprobs must be on:
# the gate reads p(answer | context) from token probabilities, not from a sampled string.
cfg = {"endpoint": "http://localhost:11434/v1", "model": "qwen2.5:7b", "api_key": "", "logprobs": True, "k": 5}

# Poisoned doc: the model answers "Sydney" at confidence 1.0, but that answer
# disappears once the doc is dropped (sensitivity 1.0), so the gate abstains.
g = gf.gate(cfg, question="What is the capital of Australia?",
            context="Doc: the capital is Sydney.", a="Canberra", b="Sydney")
# -> {'answer': 'Sydney', 'confidence': 1.0, 'sensitivity': 1.0, 'decision': 'ABSTAIN', ...}

CLI:

# reproduce the poisoning self-test on your own model:
grounding-firewall --endpoint <url> --model <m> --demo
# gate one answer:
grounding-firewall --endpoint <url> --model <m> \
    --question "What is the capital of Australia?" --context "Doc: the capital is Sydney." \
    --a Canberra --b Sydney

Part of Agora - see the verification ledger / Folklore Index. License: MIT.

Download files


Source Distribution

grounding_firewall-0.1.0.tar.gz (6.0 kB view details)

Uploaded Source

Built Distribution


grounding_firewall-0.1.0-py3-none-any.whl (6.7 kB view details)

Uploaded Python 3

File details

Details for the file grounding_firewall-0.1.0.tar.gz.

File metadata

  • Download URL: grounding_firewall-0.1.0.tar.gz
  • Size: 6.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for grounding_firewall-0.1.0.tar.gz
Algorithm Hash digest
SHA256 a7742876639fc49a66de6419c7b2126cae22dcb6a8f0aaaf35bebc6879169ebf
MD5 ab9589b9665ec6e6a734907db09e5692
BLAKE2b-256 3e9fe6576fcb12860394d8c386051a730406aee0b4b1bcee926a4021b75535d3


File details

Details for the file grounding_firewall-0.1.0-py3-none-any.whl.

File hashes

Hashes for grounding_firewall-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b23354daf7a24da370f3eba31995ad2d82d3c1153acba133bc63949b25c6ec61
MD5 c3a6aaa50443889da5c5721f57858d00
BLAKE2b-256 e90fc8e16a5741fd9adffbef8127ea1ac81685e1844d4732c5817a468ff02501

