ops(e2e): flip IS-060 datamarking to ACTIVE mode for ASR-delta collection (#220)

epappas · web-flow · commit d544cb07b49e · 2026-05-15T21:30:16.000+01:00
Stage 2 of the IS-060 PR-2 validation chain. Shadow mode validated 2026-05-15 via workflow_dispatch run 25937040210: 85/91 scenarios passed, zero errors, zero 4xx-rate shift vs prior nightly, transform ran cleanly through the full e2e harness with zone_detection + boundary_defense + datamarking shadow active. This flip enables marker substitution against the real upstream (Gemini 2.0 Flash via OpenRouter): request → zone-detect → boundary-wrap → DATAMARK (active) → forward upstream WITH marker-substituted Data zones The system-reminder addendum tells the upstream model the marked text is data, not instructions. Acceptance criteria for the 3-5 nightly cycles that follow this merge: - Pass rate stays in the 84-88 / 91 range (matches the recent per-day Gemini variance band; not a regression metric on its own) - llmtrace_spotlighting_byte_delta_total > 0 (transform fires) - llmtrace_spotlighting_failures_total == 0 - llmtrace_spotlighting_marker_collision_total stays bounded - upstream_fell_for_it rate on indirect_injection family scenarios shifts DOWNWARD relative to the pre-datamarking baseline (the ASR delta — the headline metric) Evidence will be committed to docs/research/results/upstream_judge_datamarking_evidence_<date>.md after 3-5 cycles of post-active-mode data. Refs: #214 (PR-2 implementation), #213 (PR-3 corpus), #216 (shadow-mode enable), #219 (zone_detection enable), workflow_dispatch run 25937040210 (shadow-mode validation evidence).
diff --git a/tests/e2e/fixtures/config-e2e-judge.yaml b/tests/e2e/fixtures/config-e2e-judge.yaml
@@ -66,20 +66,22 @@ security_analysis:
 
 
 # IS-060 — Boundary defense + datamarking transform.
-# Enabled in shadow mode for the first validation cycle: data zones are
-# wrapped with <llmtrace-boundary>...</llmtrace-boundary> tags AND the
-# datamarking pipeline computes the U+E000 substitution + emits metrics,
-# but shadow_mode=true means the original (unmarked) bytes still go
-# upstream. Validate one nightly cycle for zero 4xx delta and non-zero
-# byte_delta_total before flipping shadow_mode to false in a follow-up
-# ops PR. See PR #214 + docs/architecture/SPOTLIGHTING_INDIRECT_INJECTION.md.
+# Active mode: data zones are wrapped with <llmtrace-boundary>...
+# </llmtrace-boundary> tags AND the datamarking pipeline substitutes a
+# Unicode Private Use Area marker for whitespace in detected Data zones
+# BEFORE forwarding upstream. The system-reminder addendum tells the
+# upstream model that marked text is data, not instructions. Shadow-mode validated 2026-05-15 via workflow_dispatch run 25937040210:
+# 85/91 passed with zero errors and zero 4xx-rate shift vs prior nightly.
+# This flip activates marker substitution against the production
+# upstream (Gemini 2.0 Flash via OpenRouter); the next 3-5 scheduled
+# nightlies measure ASR delta on BIPIA scenarios vs the shadow baseline. See PR #214 + docs/architecture/SPOTLIGHTING_INDIRECT_INJECTION.md.
 boundary_defense:
   enabled: true
   randomize_nonce: true
   inject_system_reminder: true
   datamarking:
     enabled: true
-    shadow_mode: true
+    shadow_mode: false
     marker_strategy:
       kind: randomized
 
