diff --git a/web/src/server/free-session/abuse-detection.ts b/web/src/server/free-session/abuse-detection.ts index a9aac00f9..cbe7a2b72 100644 --- a/web/src/server/free-session/abuse-detection.ts +++ b/web/src/server/free-session/abuse-detection.ts @@ -297,6 +297,17 @@ async function enrichWithGithubAge( } else if (ageDays < 90) { s.flags.push(`gh-new<90d:${ageDays.toFixed(0)}d`) s.score += 10 + } else if (ageDays >= 365 * 3) { + // Established GitHub accounts are a strong counter-signal: buying + // a 3+ year old account is rare at our abuse scale. Subtract enough + // to pull a day-1 heavy user (new-acct<1d + very-heavy = 90) back + // below the high-tier threshold without fully clearing them — + // genuine 24/7 patterns still surface. + s.flags.push(`gh-established:${(ageDays / 365).toFixed(1)}y`) + s.score -= 40 + } else if (ageDays >= 365) { + s.flags.push(`gh-established:${(ageDays / 365).toFixed(1)}y`) + s.score -= 20 } } } diff --git a/web/src/server/free-session/abuse-review.ts b/web/src/server/free-session/abuse-review.ts index 55192903b..b7d39f46e 100644 --- a/web/src/server/free-session/abuse-review.ts +++ b/web/src/server/free-session/abuse-review.ts @@ -41,6 +41,8 @@ You will see: A very young GitHub account (gh_age < 7d, especially < 1d) combined with heavy usage is one of the strongest bot signals we have: real developers almost never create a GitHub account on the same day they start running an agent. Weigh this heavily in tiering. +Conversely, an established GitHub account (gh_age ≥ 1 year, especially ≥ 3 years) is a strong counter-signal. Account-age spoofing by buying old accounts is possible but uncommon at our abuse scale. An established GitHub + a natural agent mix (basher, code-reviewer, file-picker alongside the root agent) + some activity gaps during the day reads like an excited first-day power user, not a bot. Don't tier these as HIGH unless there's a second independent signal (creation cluster membership, true 24/7 distinct_hours, suspicious email pattern). + Produce a markdown report with three sections: ## TIER 1 — HIGH CONFIDENCE (ban)