Skip to main content

An answer-or-ABSTAIN gate for RAG/agent answers, driven by grounding-DROP sensitivity - catches poisoned-context errors that confidence misses. Zero dependencies.

Project description

grounding-firewall

An answer-or-ABSTAIN gate for RAG / agent answers, driven by grounding-drop sensitivity instead of confidence. Zero dependencies (Python stdlib only).

v0.3 adds --bench (and gf.bench(cfg)): reproduce "drop-sensitivity beats confidence" on your own (logprob-capable) model in mixed clean+poison retrieval - don't take our numbers on faith, re-run them.

v0.2 adds gate_freeform() for open-ended (free-form) RAG answers, not just A/B multiple choice - this is the mode for real RAG. (Free-form was validated on glm-5.2 in a smaller pilot; the hardened headline numbers below are the n=101 multiple-choice measurement.)

Why

A model's confidence is blind exactly when it is confidently wrong: when a retrieved document is poisoned (asserts a plausible-but-false answer), frontier models follow it at full confidence. The firewall instead measures how much the answer depends on the retrieved doc:

sensitivity = | p(answer | context) - p(answer | context dropped) |

An answer that flips when you remove its evidence is grounded in the doc, not in the model's knowledge - so if the doc is wrong, the answer is wrong, and confidence won't warn you. The firewall abstains on high-sensitivity answers.

Measured (frontier models, n = 101 factual questions)

101 factual questions, each given once a clean doc and once a poisoned doc (50/50, strong direct-assertion poison), 3 samples each, on glm-5.2 and deepseek-v4-flash (202 items per model):

signal glm-5.2 deepseek-v4-flash
model fooled by poison (base wrong-rate) 29% 40%
confidence corr with correctness +0.30 (weak) +0.23 (weak)
drop-sensitivity corr with correctness -0.93 -0.95
confidence: wrong-rate @ 50% coverage 18.8% 35.6%
firewall: wrong-rate @ 50% coverage 0.0% (0/101, 95% CI ≤ 3.7%) 0.0% (0/101, ≤ 3.7%)

Drop-sensitivity correlates negatively with correctness - the more an answer depends on the retrieved doc, the more likely it's wrong - while confidence barely correlates at all. Ranking by lowest drop-sensitivity, the firewall keeps the half of answers grounded in the model's own knowledge and ships 0 wrong of 101 on both models (Wilson 95% upper bound 3.7%), where confidence-gating ships 19-36% wrong.

Honest scope: strong direct-assertion poison, 2-option factual questions; the coverage you keep tracks the fraction of clean docs in your retrieval. The real deploy cost is one extra (context-dropped) query. (This n=101 measurement supersedes an earlier n=16 pilot.)

Install

pip install grounding-firewall

Use

import grounding_firewall as gf
cfg = {"endpoint": "https://your-llm/v1", "model": "<model>", "api_key": "<key>", "logprobs": True, "k": 5}

# free-form (real RAG) — v0.2:
gf.gate_freeform(cfg, question="What is the capital of Australia?",
                 context="Doc: the capital is Sydney.")
# -> {'answer': 'Sydney', 'answer_without_doc': 'Canberra', 'sensitivity': 1.0, 'decision': 'ABSTAIN', ...}

# multiple-choice:
gf.gate(cfg, question="What is the capital of Australia?",
        context="Doc: the capital is Sydney.", a="Canberra", b="Sydney")
# -> {'answer': 'Sydney', 'confidence': 1.0, 'sensitivity': 1.0, 'decision': 'ABSTAIN', ...}

CLI:

# reproduce the poisoning self-test on your own model:
grounding-firewall --endpoint <url> --model <m> --demo
# gate one answer:
grounding-firewall --endpoint <url> --model <m> \
    --question "What is the capital of Australia?" --context "Doc: the capital is Sydney." \
    --a Canberra --b Sydney

Part of Agora - see the verification ledger / Folklore Index. License: MIT.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

grounding_firewall-0.3.1.tar.gz (9.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

grounding_firewall-0.3.1-py3-none-any.whl (9.3 kB view details)

Uploaded Python 3

File details

Details for the file grounding_firewall-0.3.1.tar.gz.

File metadata

  • Download URL: grounding_firewall-0.3.1.tar.gz
  • Upload date:
  • Size: 9.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.10

File hashes

Hashes for grounding_firewall-0.3.1.tar.gz
Algorithm Hash digest
SHA256 19f1a04002b7835b1958fe94231dc49e868f7c2462b92c280ae28e823778ef27
MD5 f0f179dd2610a1ddd3e9ef7ac03700f5
BLAKE2b-256 788f6494a362cac863b7c0fc08ce25aefb224a8166ea5c5ed0f63c611ecbf39c

See more details on using hashes here.

File details

Details for the file grounding_firewall-0.3.1-py3-none-any.whl.

File metadata

File hashes

Hashes for grounding_firewall-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 ac6452c9c4f3b4dd3a1bacdb97997f20781ac331df3db5f97f5f3b5be000a92e
MD5 e637aa61556ca6067b6ad634a5c3edce
BLAKE2b-256 dc7dfcbfa087a9f3d5047475ebdb53486574bf53c92ec3d6ade6304f8a7a701d

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page