|
23 | 23 | from intentprobe.scanner.static_checks import static_scan, static_score # type: ignore |
24 | 24 |
|
25 | 25 |
|
26 | | -CORE_VERSION = "activation-scanner-core-2026-06-03-static-v3" |
27 | | -DECISION_POLICY_NAME = "corroborated-block-v3" |
| 26 | +CORE_VERSION = "activation-scanner-core-2026-06-03-static-v4" |
| 27 | +DECISION_POLICY_NAME = "corroborated-block-v4" |
| 28 | +ACTIVATION_ONLY_WARN_MIN = 0.50 |
28 | 29 | STATIC_BLOCK_BUNDLE_MAX_SPAN = 900 |
29 | 30 | STATIC_BLOCK_BUNDLES = ( |
30 | 31 | frozenset(("static-secret-file", "static-exfiltration", "static-hidden-action")), |
@@ -300,6 +301,12 @@ def choose_runtime_decision( |
300 | 301 | return "block", reasons |
301 | 302 |
|
302 | 303 | if risk_score >= warn_threshold: |
| 304 | + if static_risk_score <= 0 and activation_score < ACTIVATION_ONLY_WARN_MIN: |
| 305 | + reasons.append( |
| 306 | + "activation-only score below product review floor " |
| 307 | + f"(activation={activation_score:.3f}, floor={ACTIVATION_ONLY_WARN_MIN:.2f})" |
| 308 | + ) |
| 309 | + return "allow", reasons |
303 | 310 | if risk_score >= block_threshold: |
304 | 311 | reasons.append("high risk score without block corroboration; downgraded to warn") |
305 | 312 | else: |
@@ -419,6 +426,7 @@ def build_risk_output( |
419 | 426 | "static_block_bundles": [sorted(bundle) for bundle in STATIC_BLOCK_BUNDLES], |
420 | 427 | "static_block_bundle_max_span": STATIC_BLOCK_BUNDLE_MAX_SPAN, |
421 | 428 | "static_activation_corroborators": sorted(STATIC_ACTIVATION_CORROBORATORS), |
| 429 | + "activation_only_warn_min": ACTIVATION_ONLY_WARN_MIN, |
422 | 430 | "policy_reasons": decision_policy_reasons, |
423 | 431 | }, |
424 | 432 | "elapsed_seconds": elapsed_seconds, |
|
0 commit comments