An answer-or-ABSTAIN gate for RAG/agent answers, driven by grounding-DROP sensitivity - catches poisoned-context errors that confidence misses. Zero dependencies.
Project description
grounding-firewall
An answer-or-ABSTAIN gate for RAG / agent answers, driven by grounding-drop sensitivity instead of confidence. Zero dependencies (Python stdlib only).
v0.3 adds --bench (and gf.bench(cfg)): reproduce "drop-sensitivity beats confidence" on your own
(logprob-capable) model in mixed clean+poison retrieval - don't take our numbers on faith, re-run them.
v0.2 adds gate_freeform() for open-ended (free-form) RAG answers, not just A/B multiple choice -
this is the mode for real RAG. (Free-form was validated on glm-5.2 in a smaller pilot; the hardened
headline numbers below are the n=101 multiple-choice measurement.)
Why
A model's confidence is blind exactly when it is confidently wrong: when a retrieved document is poisoned (asserts a plausible-but-false answer), frontier models follow it at full confidence. The firewall instead measures how much the answer depends on the retrieved doc:
sensitivity = | p(answer | context) - p(answer | context dropped) |
An answer that flips when you remove its evidence is grounded in the doc, not in the model's knowledge - so if the doc is wrong, the answer is wrong, and confidence won't warn you. The firewall abstains on high-sensitivity answers.
Measured (frontier models, n = 101 factual questions)
101 factual questions, each given once a clean doc and once a poisoned doc (50/50, strong direct-assertion poison), 3 samples each, on glm-5.2 and deepseek-v4-flash (202 items per model):
| signal | glm-5.2 | deepseek-v4-flash |
|---|---|---|
| model fooled by poison (base wrong-rate) | 29% | 40% |
| confidence corr with correctness | +0.30 (weak) | +0.23 (weak) |
| drop-sensitivity corr with correctness | -0.93 | -0.95 |
| confidence: wrong-rate @ 50% coverage | 18.8% | 35.6% |
| firewall: wrong-rate @ 50% coverage | 0.0% (0/101, 95% CI ≤ 3.7%) | 0.0% (0/101, ≤ 3.7%) |
Drop-sensitivity correlates negatively with correctness - the more an answer depends on the retrieved doc, the more likely it's wrong - while confidence barely correlates at all. Ranking by lowest drop-sensitivity, the firewall keeps the half of answers grounded in the model's own knowledge and ships 0 wrong of 101 on both models (Wilson 95% upper bound 3.7%), where confidence-gating ships 19-36% wrong.
Honest scope: strong direct-assertion poison, 2-option factual questions; the coverage you keep tracks the fraction of clean docs in your retrieval. The real deploy cost is one extra (context-dropped) query. (This n=101 measurement supersedes an earlier n=16 pilot.)
Install
pip install grounding-firewall
Use
import grounding_firewall as gf
cfg = {"endpoint": "https://your-llm/v1", "model": "<model>", "api_key": "<key>", "logprobs": True, "k": 5}
# free-form (real RAG) — v0.2:
gf.gate_freeform(cfg, question="What is the capital of Australia?",
context="Doc: the capital is Sydney.")
# -> {'answer': 'Sydney', 'answer_without_doc': 'Canberra', 'sensitivity': 1.0, 'decision': 'ABSTAIN', ...}
# multiple-choice:
gf.gate(cfg, question="What is the capital of Australia?",
context="Doc: the capital is Sydney.", a="Canberra", b="Sydney")
# -> {'answer': 'Sydney', 'confidence': 1.0, 'sensitivity': 1.0, 'decision': 'ABSTAIN', ...}
CLI:
# reproduce the poisoning self-test on your own model:
grounding-firewall --endpoint <url> --model <m> --demo
# gate one answer:
grounding-firewall --endpoint <url> --model <m> \
--question "What is the capital of Australia?" --context "Doc: the capital is Sydney." \
--a Canberra --b Sydney
Part of Agora - see the verification ledger / Folklore Index. License: MIT.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file grounding_firewall-0.3.1.tar.gz.
File metadata
- Download URL: grounding_firewall-0.3.1.tar.gz
- Upload date:
- Size: 9.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
19f1a04002b7835b1958fe94231dc49e868f7c2462b92c280ae28e823778ef27
|
|
| MD5 |
f0f179dd2610a1ddd3e9ef7ac03700f5
|
|
| BLAKE2b-256 |
788f6494a362cac863b7c0fc08ce25aefb224a8166ea5c5ed0f63c611ecbf39c
|
File details
Details for the file grounding_firewall-0.3.1-py3-none-any.whl.
File metadata
- Download URL: grounding_firewall-0.3.1-py3-none-any.whl
- Upload date:
- Size: 9.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ac6452c9c4f3b4dd3a1bacdb97997f20781ac331df3db5f97f5f3b5be000a92e
|
|
| MD5 |
e637aa61556ca6067b6ad634a5c3edce
|
|
| BLAKE2b-256 |
dc7dfcbfa087a9f3d5047475ebdb53486574bf53c92ec3d6ade6304f8a7a701d
|