From caddaa1fe8fdb7618aac0af64d0992e3becb00a9 Mon Sep 17 00:00:00 2001 From: James Grugett Date: Tue, 21 Apr 2026 22:00:51 -0700 Subject: [PATCH] Reward established GitHub accounts in freebuff bot-sweep scoring MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Prevents false-positive high-tier flags for first-day power users whose linked GitHub is years old. A day-1 account running heavy freebuff usage previously scored 90 (high) on volume + new-acct signals alone. Established GH subtracts -20 (≥1y) or -40 (≥3y), pulling these profiles into the medium tier unless an independent signal (creation cluster, 24/7 distinct hours, suspicious email) also trips. Reviewer prompt updated to weight the counter-signal. --- web/src/server/free-session/abuse-detection.ts | 11 +++++++++++ web/src/server/free-session/abuse-review.ts | 2 ++ 2 files changed, 13 insertions(+) diff --git a/web/src/server/free-session/abuse-detection.ts b/web/src/server/free-session/abuse-detection.ts index a9aac00f9..cbe7a2b72 100644 --- a/web/src/server/free-session/abuse-detection.ts +++ b/web/src/server/free-session/abuse-detection.ts @@ -297,6 +297,17 @@ async function enrichWithGithubAge( } else if (ageDays < 90) { s.flags.push(`gh-new<90d:${ageDays.toFixed(0)}d`) s.score += 10 + } else if (ageDays >= 365 * 3) { + // Established GitHub accounts are a strong counter-signal: buying + // a 3+ year old account is rare at our abuse scale. Subtract enough + // to pull a day-1 heavy user (new-acct<1d + very-heavy = 90) back + // below the high-tier threshold without fully clearing them — + // genuine 24/7 patterns still surface. + s.flags.push(`gh-established:${(ageDays / 365).toFixed(1)}y`) + s.score -= 40 + } else if (ageDays >= 365) { + s.flags.push(`gh-established:${(ageDays / 365).toFixed(1)}y`) + s.score -= 20 } } } diff --git a/web/src/server/free-session/abuse-review.ts b/web/src/server/free-session/abuse-review.ts index 55192903b..b7d39f46e 100644 
--- a/web/src/server/free-session/abuse-review.ts +++ b/web/src/server/free-session/abuse-review.ts @@ -41,6 +41,8 @@ You will see: A very young GitHub account (gh_age < 7d, especially < 1d) combined with heavy usage is one of the strongest bot signals we have: real developers almost never create a GitHub account on the same day they start running an agent. Weigh this heavily in tiering. +Conversely, an established GitHub account (gh_age ≥ 1 year, especially ≥ 3 years) is a strong counter-signal. Account-age spoofing by buying old accounts is possible but uncommon at our abuse scale. An established GitHub + a natural agent mix (basher, code-reviewer, file-picker alongside the root agent) + some activity gaps during the day reads like an excited first-day power user, not a bot. Don't tier these as HIGH unless there's a second independent signal (creation cluster membership, true 24/7 distinct_hours, suspicious email pattern). + Produce a markdown report with three sections: ## TIER 1 — HIGH CONFIDENCE (ban)
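Review bot: In the abuse-detection.ts hunk, the `s.score -= 40` / `s.score -= 20` adjustments are unconditional, so an established GitHub account can also cancel out points from the very signals the commit message says should still trip it (creation cluster, 24/7 distinct hours, suspicious email), depending on how many points those contribute; consider applying the counter-signal only when no independent signal is already set, or clamping the subtraction so it can offset at most the volume plus new-account contribution (the comment's "new-acct<1d + very-heavy = 90"). Also worth a floor (`s.score = Math.max(0, s.score)`) if a negative score is not meaningful downstream, and a unit test covering the 1y and 3y boundaries (`ageDays === 365`, `ageDays === 1095`) since the ordering of the two new `else if` branches is what makes the tiers distinct.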
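Review bot: The new prompt paragraph in abuse-review.ts tells the reviewer to treat an established GitHub account as a strong counter-signal, but the numeric score it sees has already been reduced by 20 or 40 points for the same account age in abuse-detection.ts, so the counter-signal is applied twice. Suggest stating in the prompt that the score already includes the gh-established adjustment, and naming the flag (`gh-established:<n>y`) so the reviewer can recognise which profiles were discounted rather than inferring it from gh_age alone.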