Reward established GitHub accounts in freebuff bot-sweep scoring

[jahooma]

Summary

• Investigation context: VenTheZone (kytusdevenn@gmail.com), a day-1 Codebuff user linked to a ~4-year-old GitHub (15 public repos, natural agent mix), scored 90 (high-tier) on volume + new-acct signals alone and got auto-banned. Unbanned out-of-band.
• Recalibrates `abuse-detection.ts`: subtract 20 for gh_age ≥ 1y, 40 for ≥ 3y. Pulls day-1 heavy users with established GitHubs into the medium tier unless a second independent signal (creation cluster, 24/7 distinct hours, suspicious email) also trips.
• Updates the `abuse-review.ts` reviewer prompt to weight the counter-signal symmetrically with the existing "young GitHub + heavy usage" warning.

Test plan

• Next hourly bot-sweep email: check that established-GH users appear in MEDIUM, not HIGH, and that the LLM review doesn't tier them as ban candidates without a second signal.

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR recalibrates the freebuff bot-sweep scoring to reward established GitHub accounts as a counter-signal, addressing a false-positive ban of a legitimate day-1 power user with a 4-year-old GitHub account.

Changes:

• abuse-detection.ts: Adds two new scoring branches in enrichWithGithubAge — subtracts 20 points for GitHub accounts ≥ 1 year old and 40 points for ≥ 3 years old. The else if ordering correctly places the 3-year check before the 1-year check. The math is sound: a worst-case day-1 heavy user (new-acct<1d +40, very-heavy +50 = 90) with a 3+ year GitHub (-40) lands at 50, firmly in the medium tier, while genuine 24/7 bot signals (+100) still push through to high regardless.
• abuse-review.ts: Adds a symmetric counter-signal paragraph to the LLM reviewer prompt, instructing it not to tier established-GH users as HIGH without a second independent signal (cluster membership, true 24/7 hours, or suspicious email).
• Minor: a field name inconsistency (distinct_hours in the new prompt text vs. distinct_hrs24 in the actual data rows) and the possibility that post-enrichment suspects with very low/negative scores remain visible as medium-tier noise.

Confidence Score: 4/5

Safe to merge — logic is correct, score math is well-reasoned, and the system remains human-supervised throughout.

The if-else ordering is correct, the score deltas are calibrated to the stated goal, and the LLM prompt update is symmetric and appropriately caveated. The only open items are a minor prompt field-name inconsistency and the optional cleanup of low/negative-score suspects from the output list — neither affects correctness or safety of the advisory system.

No files require special attention. Both changed files are straightforward and low-risk.

Important Files Changed

Filename	Overview
web/src/server/free-session/abuse-detection.ts	Adds counter-signal scoring for established GitHub accounts (≥1y: -20, ≥3y: -40) in enrichWithGithubAge. Ordering of else if branches is correct (3y checked before 1y). Minor: suspects with post-enrichment negative scores remain visible to reviewers as medium-tier noise.
web/src/server/free-session/abuse-review.ts	Adds symmetric counter-signal guidance to the LLM reviewer prompt. Logic is sound and appropriately caveated. Minor inconsistency: new text uses distinct_hours while the data row uses distinct_hrs24 (pre-existing mismatch with distinct_hours_24h in TIER 1 description).

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[GitHub account age lookup] --> B{ageDays?}
    B -->|< 7d| C[+60 — gh-new<7d]
    B -->|7–29d| D[+30 — gh-new<30d]
    B -->|30–89d| E[+10 — gh-new<90d]
    B -->|90–364d| F[No adjustment — neutral zone]
    B -->|≥ 365d and < 1095d| G[-20 — gh-established:Xy]
    B -->|≥ 1095d 3+ years| H[-40 — gh-established:Xy]
    C --> I[Re-score]
    D --> I
    E --> I
    F --> I
    G --> I
    H --> I
    I --> J{score ≥ 80?}
    J -->|Yes| K[HIGH tier]
    J -->|No| L[MEDIUM tier]
    K --> M[Human review + LLM advisory]
    L --> M

Loading

Comments Outside Diff (1)

1. web/src/server/free-session/abuse-detection.ts, line 230-233 (link)

   Low/negative scores remain in suspect list after enrichment

   After GitHub age enrichment subtracts up to 40 points, suspects with only weak initial signals (e.g., email-digits +5 or lifetime +15 = 20 points total) can end up with negative scores (e.g., -20) but still appear in the medium-tier sweep report. This clutters the reviewer's medium-tier list with users that, post-enrichment, carry no real suspicion.

   Consider filtering out suspects whose score has dropped to ≤ 0 after the re-tier step. This is not critical since the system is advisory-only and human-reviewed, but it reduces noise for reviewers.

_{Reviews (1): Last reviewed commit: "Reward established GitHub accounts in fr..." | Re-trigger Greptile}

[greptile-apps]

Inconsistent field name in LLM guidance

The new guidance uses distinct_hours to describe the field that appears in the suspect data as distinct_hrs24 (line 79). The existing TIER 1 description (line 49) uses yet another variant: distinct_hours_24h. The model sees three names for the same field, which could lead it to misread or misquote a value when justifying a tier decision.

Consider aligning all three occurrences to the actual field name the model will see in the data (distinct_hrs24).

Suggested change

Conversely, an established GitHub account (gh_age ≥ 1 year, especially ≥ 3 years) is a strong counter-signal. Account-age spoofing by buying old accounts is possible but uncommon at our abuse scale. An established GitHub + a natural agent mix (basher, code-reviewer, file-picker alongside the root agent) + some activity gaps during the day reads like an excited first-day power user, not a bot. Don't tier these as HIGH unless there's a second independent signal (creation cluster membership, true 24/7 distinct_hours, suspicious email pattern).

Don't tier these as HIGH unless there's a second independent signal (creation cluster membership, true 24/7 distinct_hrs24, suspicious email pattern).