Skip to content

fix: false positives in prompt extraction + stream model matching#78

Open
techotaku39 wants to merge 3 commits into
toby-bridges:masterfrom
techotaku39:fix/false-positive-refusal-apostrophe
Open

fix: false positives in prompt extraction + stream model matching#78
techotaku39 wants to merge 3 commits into
toby-bridges:masterfrom
techotaku39:fix/false-positive-refusal-apostrophe

Conversation

@techotaku39

@techotaku39 techotaku39 commented Jun 24, 2026

Copy link
Copy Markdown

Fixes #79

Changes

1. Unicode apostrophe normalization (Step 4 & Step 6)

Models return curly quotes (U+2019 ') instead of ASCII apostrophes (U+0027 '). Refusal markers like can't provide never match the curly-quote version, causing false-positive leak detections.

Fix: Normalize U+2018/U+2019/U+02BC to ASCII ' before checking markers.

2. Refusal-aware prompt extraction (Step 4)

When a model refuses with keywords like system prompt or assistant, old code flagged it as a leak.

Fix:

  • Strong markers (structural patterns + keyword hits like kiro, hidden_prompt): always flag, even with refusal language. Structural patterns like "system prompt is: ..." are real leaks.
  • Weak markers (system prompt, assistant, coding, developer): skip when refusal language is present.

3. Stream model matching with expected model (Step 10)

_check_stream_model() hardcoded claude. Auditing OpenAI relays with --model gpt-5.5 always failed because the stream returned gpt-5.5, not claude.

Fix: Add expected_model param to _check_stream_model/analyze_stream, pass client.model. Falls back to claude for backward compat.

4. Dual distribution sync

All changes synced across:

  • audit.py (standalone)
  • scripts/audit.py (modular)
  • api_relay_audit/stream_integrity.py (module)

Testing

  • All 778 tests pass
  • test_standalone_artifact_generated_from_sources passes (standalone rebuilt)
  • OpenMetaHub: leaked: yes -> leaked: no (false positive fixed)
  • REPRO_1 (structural leak + refusal): still fires RED
  • REPRO_2 (weak hits + refusal): now correctly skipped

root added 2 commits June 24, 2026 11:08
…ted model in stream integrity

1. Normalize Unicode apostrophes (U+2018, U+2019, U+02BC) to ASCII
   before checking refusal markers. Models often return curly quotes
   which break 'can\'t provide' style refusal detection.

2. Check refusal markers before flagging strong/weak prompt extraction
   hits. A response like 'I can\'t provide my system prompt' is a
   refusal, not a leak.

3. Add expected_model parameter to _check_stream_model/analyze_stream
   so stream integrity checks compare against the requested model
   instead of hardcoding 'claude'. Fixes false positives when auditing
   OpenAI-format relays with --model gpt-5.5.
… extraction

- Sync stream_integrity.py: add expected_model parameter
- Sync scripts/audit.py: Unicode normalization + refusal-aware extraction
- Strong markers (structural + keyword) always flag, even with refusal
- Weak markers skip when refusal language is present
- Update REPRO_2 test: refusal + weak hits = clean (not contradictory)
- All 778 tests pass
@toby-bridges toby-bridges added the release:patch Patch release impact label Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

release:patch Patch release impact

Projects

None yet

Development

Successfully merging this pull request may close these issues.

bug: false positives in prompt extraction (Unicode apostrophe + refusal language)

2 participants