Commit a05319e
committed
ops(e2e): enable zone_detection — prerequisite for datamarking shadow validation
Stage 1.5 of the IS-060 PR-2 validation chain. PR #216 enabled
datamarking in shadow mode, but the first nightly cycle on top of
that change produced zero spotlighting findings — because
SecurityAnalysisConfig.zone_detection.enabled defaults to false, the
proxy never identifies Data zones, and datamarking has nothing to
transform.
Without zone_detection enabled, the chain looks like:
request → forward upstream (boundary tags applied, datamarking
sees no zones, transform is a no-op)
With zone_detection enabled:
request → zone-detect → boundary-wrap → datamarking (shadow:
compute + metrics, forward
original bytes)
This PR enables zone_detection in the nightly fixture with the
default-permissive policy:
- mode: both (heuristic FSM + operator markers, operator wins on overlap)
- scan_instruction_zones: false (data zones only, the only candidates
for marker substitution)
After this lands, re-trigger workflow_dispatch nightly. Expected
signal in `e2e_<date>.json`: `spotlighting_applied` Info findings
emitted per request that contains a detected Data zone (BIPIA-style
tables, code fences, HTML, JSON value extraction, markdown).
Refs: #214 (PR-2 implementation), #213 (PR-3 corpus, provides the
zones), #216 (shadow-mode prelude — incomplete without this).1 parent 67cae86 commit a05319e
1 file changed
Lines changed: 11 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
54 | 54 | | |
55 | 55 | | |
56 | 56 | | |
| 57 | + | |
| 58 | + | |
| 59 | + | |
| 60 | + | |
| 61 | + | |
| 62 | + | |
| 63 | + | |
| 64 | + | |
| 65 | + | |
| 66 | + | |
| 67 | + | |
57 | 68 | | |
58 | 69 | | |
59 | 70 | | |
| |||
0 commit comments