v0.45.0 — top-K precision 0.20 → 0.70 + verifier-first output (v0.44+v0.45)
The structural-weakness release. v0.44 and v0.45 ship together: v0.44.0 is tagged in git, and this single GitHub release page at v0.45.0 covers both.
v0.44 fixes the ranking bug that held the minimum top-10 precision (MIN top-10, the worst benchmark's score) flat at 0.20 for 16+ releases. v0.45 wires verifier-first output sorting, the "Snaffler can't match this" pitch from the v0.36 audit research.
Headline
MIN top-10 precision = 0.70. The chart was flat at 0.20 for 16+ releases; this is the first movement since the v0.18 era. MIN recall is preserved at 0.90, so the gain comes from reordering, not from dropping hits.
| Benchmark | top-10 precision before | top-10 precision after | recall after |
|---|---|---|---|
| MSF3 (Windows AD) | 0.20 | 0.80 (4×) | 0.90 |
| CredData | 0.70 | 0.70 | 1.00 |
| MSF2 (Linux server) | 1.00 | 1.00 | 1.00 |
| engagement_corpus | 0.40 | 0.90 | 0.91 |
| DiskForge | 0.50 | 0.50 | 1.00 |
| MIN top-10 | 0.20 | 0.70 | — |
| MIN recall | 0.90 | 0.90 (preserved) | — |
MSF3 top-10 diagnostic, what's there now (TP = true credential, FP = false positive):
```
1.    BOOTSECT.BAK (FP, Yellow probability)
2.    id_rsa (Administrator/.ssh) TP Black
3.    id_rsa (vagrant/.ssh) TP Black
4.    Winre.wim (FP, Yellow)
5-10. authorized_keys, environment, etc. TP Black
```
Real SSH credentials dominate the top-10 where Boxstarter installer noise used to be.
What v0.44 fixed
The v0.21 MSF3 validation found that Green-tier Relay rules drown credentials when they are given ranking weight. The fix at the time was `_TIER_PSEUDO_P[Green] = 0.0`. But the ranking combined signals as `max(path_probability, cascade_tier_pseudo_p)`, so the path classifier's high probability on `.ps1/.vbs/.config` files overrode the rule engine's explicit "this is Relay only" signal: a pseudo-probability of 0.0 loses every `max()` against a confident path score.
The v0.21 lesson never reached the production ranking. It has been hiding behind the `max()` for 16 releases.
v0.44 step 1: port the v0.22 filename-frequency dedup penalty from harness-only into production `cmd_score_paths`. Operators now get the same ranking logic the harness was measuring.
v0.44 step 2: when `cascade_tier == "Green"` explicitly, short-circuit `per_file_evidence` to 0.0 regardless of path probability. Yellow/Red/Black still use max-of-signals.
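An added worked example of the defect and the two v0.44 steps, written in Python since ShareSift is a Python package; this is illustrative code, not ShareSift's own. Green = 0.0 is the v0.21 fix quoted above; the other tier pseudo-probabilities, the `Hit` fields, the 1/sqrt(n) shape of the filename-frequency penalty and the sample hit set are all assumptions constructed for this example. It shows why the dedup penalty alone does not rescue top-K precision and why the Green short-circuit does.

```python
import math
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Tier pseudo-probabilities. Green = 0.0 is the v0.21 fix; the other three
# values are assumptions for this example, not ShareSift's real table.
TIER_PSEUDO_P = {"Black": 0.85, "Red": 0.70, "Yellow": 0.50, "Green": 0.0}


@dataclass(frozen=True)
class Hit:
    path: str
    path_probability: float  # path classifier's score (high on .ps1/.vbs/.config)
    cascade_tier: str        # rule engine's tier; Green means "Relay only"
    is_credential: bool      # ground truth, used only to score precision


def evidence_v043(hit: Hit) -> float:
    """Pre-v0.44: max() lets a confident path score override an explicit Green."""
    return max(hit.path_probability, TIER_PSEUDO_P[hit.cascade_tier])


def evidence_v044(hit: Hit) -> float:
    """v0.44 step 2: an explicit Green tier short-circuits evidence to 0.0;
    Yellow/Red/Black keep max-of-signals."""
    if hit.cascade_tier == "Green":
        return 0.0
    return max(hit.path_probability, TIER_PSEUDO_P[hit.cascade_tier])


def rank(hits, evidence_fn, dedup=False):
    """Order hits by score, descending, with path as the stable tiebreaker.
    dedup=True applies the v0.44 step 1 filename-frequency penalty; the
    1/sqrt(n) shape for a basename seen n times is an assumption."""
    counts = Counter(PureWindowsPath(h.path).name.lower() for h in hits)
    scored = []
    for h in hits:
        score = evidence_fn(h)
        if dedup:
            score /= math.sqrt(counts[PureWindowsPath(h.path).name.lower()])
        scored.append((score, h))
    scored.sort(key=lambda sh: (-sh[0], sh[1].path))
    return [h for _, h in scored]


def top_k_precision(ranked, k):
    """Fraction of the top k entries that are real credentials."""
    top = ranked[:k]
    return sum(h.is_credential for h in top) / len(top)


# Constructed MSF3-style hit set: three SSH credentials, one Yellow boot
# artifact, and four installer files the path classifier loves.
SAMPLE_HITS = [
    Hit(r"C:\Users\Administrator\.ssh\id_rsa", 0.60, "Black", True),
    Hit(r"C:\Users\vagrant\.ssh\id_rsa", 0.60, "Black", True),
    Hit(r"C:\Users\vagrant\.ssh\authorized_keys", 0.45, "Black", True),
    Hit(r"C:\BOOTSECT.BAK", 0.40, "Yellow", False),
    Hit(r"C:\Boxstarter\tools\install.ps1", 0.95, "Green", False),
    Hit(r"C:\Boxstarter\setup\install.ps1", 0.95, "Green", False),
    Hit(r"C:\Boxstarter\helpers\bootstrap.vbs", 0.93, "Green", False),
    Hit(r"C:\ProgramData\chocolatey\config\chocolatey.config", 0.90, "Green", False),
]


if __name__ == "__main__":
    for label, fn, dedup in [("v0.43 max()", evidence_v043, False),
                             ("v0.43 max() + dedup", evidence_v043, True),
                             ("v0.44 short-circuit + dedup", evidence_v044, True)]:
        ranked = rank(SAMPLE_HITS, fn, dedup)
        print(f"{label}: top-4 precision {top_k_precision(ranked, 4):.2f}")
        for h in ranked[:4]:
            print("   ", h.path)
```

With the old `max()`, the four Green installer files occupy the whole top-4 (precision 0.00); adding the dedup penalty only demotes the duplicated `install.ps1` and leaves precision at 0.25. Only the Green short-circuit lets the Black SSH material rise, and the dedup penalty then spreads the two `id_rsa` copies below `authorized_keys`, which is the shape of the MSF3 diagnostic above.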
What v0.45 ships
Verifier-first output sort. Snaffler finds files; ShareSift finds files AND tells operators which of them contain credentials that authenticate right now. The research-pass note from the v0.36 audit called this "the single best operator pitch", and now it is the default output order.
```bash
# verified.jsonl is now sorted by default
sharesift verify --input hits.jsonl --output verified.jsonl

# to-snaffler-tsv sorts by default (--no-sort preserves input order)
sharesift to-snaffler-tsv --input verified.jsonl --output ranked.tsv

# Re-sort an arbitrary JSONL by the verifier-first key
cat engagement/*/hits.jsonl > combined.jsonl
sharesift sort --input combined.jsonl --output ranked.jsonl
```
Sort key (descending priority):
- verification_status — passed > failed > inconclusive > skipped
- content_tier — Black > Red > Yellow > Green
- rank_score — v0.44's dedup-penalized signal
- path — stable tiebreaker
Behavioral assertion: a verified-PASSED Yellow ranks above an unverified Black. Verification beats tier.
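The sort key above, carried through as an added Python example (not ShareSift's own implementation). The four field names come from the release note; the JSONL record shape, the sample records, and the decision that records with no `verification_status` at all (a raw `hits.jsonl` that never went through `sharesift verify`) sort after `skipped` are assumptions made for this example.

```python
import json

# Descending priority of the v0.45 sort key; a lower index sorts first.
STATUS_ORDER = {"passed": 0, "failed": 1, "inconclusive": 2, "skipped": 3}
TIER_ORDER = {"Black": 0, "Red": 1, "Yellow": 2, "Green": 3}


def verifier_first_key(rec: dict) -> tuple:
    """verification_status, then content_tier, then rank_score (desc), then path.
    Unknown or missing status/tier values sort last (assumption: the release
    note does not say where unverified records land)."""
    status = STATUS_ORDER.get(rec.get("verification_status"), len(STATUS_ORDER))
    tier = TIER_ORDER.get(rec.get("content_tier"), len(TIER_ORDER))
    return (status, tier, -float(rec.get("rank_score", 0.0)), rec.get("path", ""))


def sort_records(records):
    """Stable sort of parsed JSONL records by the verifier-first key."""
    return sorted(records, key=verifier_first_key)


def sort_jsonl(text: str) -> str:
    """Re-sort a JSONL document, skipping blank lines and keeping records intact."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return "\n".join(json.dumps(r) for r in sort_records(records)) + "\n"


# Constructed records: one of each verification status plus one unverified hit.
SAMPLE_RECORDS = [
    {"path": r"\\fs01\share\web.config", "content_tier": "Yellow",
     "rank_score": 0.42, "verification_status": "passed"},
    {"path": r"\\fs01\share\id_rsa", "content_tier": "Black",
     "rank_score": 0.85},                       # never verified
    {"path": r"\\fs01\share\old\creds.txt", "content_tier": "Black",
     "rank_score": 0.61, "verification_status": "failed"},
    {"path": r"\\fs01\share\settings.xml", "content_tier": "Yellow",
     "rank_score": 0.42, "verification_status": "passed"},
    {"path": r"\\fs01\share\unattend.xml", "content_tier": "Yellow",
     "rank_score": 0.77, "verification_status": "passed"},
    {"path": r"\\fs02\backup\svc.xml", "content_tier": "Black",
     "rank_score": 0.90, "verification_status": "inconclusive"},
    {"path": r"\\fs02\backup\db.bak", "content_tier": "Yellow",
     "rank_score": 0.55, "verification_status": "skipped"},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS) + "\n"


if __name__ == "__main__":
    for rec in sort_records(SAMPLE_RECORDS):
        print(f"{rec.get('verification_status', '-'):13} {rec['content_tier']:7} "
              f"{rec['rank_score']:.2f} {rec['path']}")
```

Running it puts the three verified-PASSED Yellow files first (higher `rank_score` before lower, equal scores broken by path), then the failed Black, the inconclusive Black, the skipped Yellow, and only then the unverified Black `id_rsa` despite its 0.85 `rank_score`: verification beats tier, and tier beats score.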
Install
```bash
pipx install 'sharesift[smb,network-enum]' # full pentester stack
pipx install 'sharesift[smb]' # single-share only
pipx install sharesift # Stage 1 only
```
What's queued
- v0.46+ — PyInstaller single-file binary (the 1.5 GB bundle problem is still open), GhostWriter / SysReptor exporters from the engagement DB, path-prefix dedup penalty (extend the v0.44 filename dedup to known-noise application trees), status heartbeat, Markdown report bundle
Full backlog: `docs/pentester_backlog.md`.
Docs
- Snaffler benchmark with v0.44 results — full head-to-head + top-K post-v0.44 numbers
- CHANGELOG
- Harness history — v0.44.0 entry documents the first MIN top-10 movement in 16+ releases
1290 passing tests + 21 live SMB integration tests, 0 regressions across the v0.44+v0.45 arc.