An answer-or-ABSTAIN gate for RAG/agent answers, driven by grounding-DROP sensitivity - catches poisoned-context errors that confidence misses. Zero dependencies.
Project description
grounding-firewall
An answer-or-ABSTAIN gate for RAG / agent answers, driven by grounding-drop sensitivity instead of confidence. Zero dependencies (Python stdlib only).
v0.3 adds --bench (and gf.bench(cfg)): reproduce "drop-sensitivity beats confidence" on your own
(logprob-capable) model in mixed clean+poison retrieval - don't take our numbers on faith, re-run them.
v0.2 adds gate_freeform() for open-ended (free-form) RAG answers, not just A/B multiple choice -
this is the mode for real RAG. Validated on glm-5.2 (mixed clean/poison retrieval): drop-sensitivity
corr with correctness +1.00 vs confidence -0.21; 0% wrong at 50% coverage (AUC 0.187 vs 0.424).
Why
A model's confidence is blind exactly when it is confidently wrong: when a retrieved document is poisoned (asserts a plausible-but-false answer), frontier models follow it at full confidence. The firewall instead measures how much the answer depends on the retrieved doc:
sensitivity = | p(answer | context) - p(answer | context dropped) |
An answer that flips when you remove its evidence is grounded in the doc, not in the model's knowledge - so if the doc is wrong, the answer is wrong, and confidence won't warn you. The firewall abstains on high-sensitivity answers.
Measured (frontier models, realistic mixed retrieval)
Each factual question given once a clean doc and once a poisoned doc (50/50), on glm-5.2 and deepseek-v4-flash:
| signal | glm-5.2 | deepseek-v4-flash |
|---|---|---|
| confidence corr with correctness | -0.07 (blind) | +0.21 (blind) |
| drop-sensitivity corr with correctness | +0.97 | +1.00 |
| confidence: wrong-rate @ 50% coverage | ~42% | ~50% |
| firewall: wrong-rate @ 50% coverage | 0% | 0% |
| risk-coverage AUC (lower better) | 0.216 vs 0.427 | 0.261 vs 0.489 |
The firewall keeps every clean-doc answer and abstains on every poisoned one, where confidence ships ~half wrong (poisoned and clean answers are both high-confidence). Under all-poison retrieval, frontier models defer ~94-100% at full confidence and the firewall correctly abstains on ~everything.
Honest scope: strong direct-assertion poison, 2-option factual questions; the coverage you keep tracks the fraction of clean docs in your retrieval. The real deploy cost is one extra (context-dropped) query.
Install
pip install grounding-firewall
Use
import grounding_firewall as gf
cfg = {"endpoint": "https://your-llm/v1", "model": "<model>", "api_key": "<key>", "logprobs": True, "k": 5}
# free-form (real RAG) — v0.2:
gf.gate_freeform(cfg, question="What is the capital of Australia?",
context="Doc: the capital is Sydney.")
# -> {'answer': 'Sydney', 'answer_without_doc': 'Canberra', 'sensitivity': 1.0, 'decision': 'ABSTAIN', ...}
# multiple-choice:
gf.gate(cfg, question="What is the capital of Australia?",
context="Doc: the capital is Sydney.", a="Canberra", b="Sydney")
# -> {'answer': 'Sydney', 'confidence': 1.0, 'sensitivity': 1.0, 'decision': 'ABSTAIN', ...}
CLI:
# reproduce the poisoning self-test on your own model:
grounding-firewall --endpoint <url> --model <m> --demo
# gate one answer:
grounding-firewall --endpoint <url> --model <m> \
--question "What is the capital of Australia?" --context "Doc: the capital is Sydney." \
--a Canberra --b Sydney
Part of Agora - see the verification ledger / Folklore Index. License: MIT.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file grounding_firewall-0.3.0.tar.gz.
File metadata
- Download URL: grounding_firewall-0.3.0.tar.gz
- Upload date:
- Size: 8.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
75e9c2d608f77a22561af33b63ebbbca83d1b4573784ce36fced0254695cba9e
|
|
| MD5 |
139b3b97fe62640fa3b8cc44ea292360
|
|
| BLAKE2b-256 |
7322c13750a580af05192516f9d6ef5a064814b24c36bd7d057766aabf36658b
|
File details
Details for the file grounding_firewall-0.3.0-py3-none-any.whl.
File metadata
- Download URL: grounding_firewall-0.3.0-py3-none-any.whl
- Upload date:
- Size: 9.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f5bbf7c66df68b5d7497a222d7dc0b73fd2cbb641a53d2a30478466de4cc3bf1
|
|
| MD5 |
b3b5d64e897b8c0ec3fc457d8f3209c3
|
|
| BLAKE2b-256 |
c92f066cd57694a5c01657cdad462555a0a9b31fdbe6a12c430215192df91520
|