v0.3.16 — noise reduction + TP/risk split UX
SYNAPTIC Sentinel v0.3.16
Noise reduction + TP/risk split UX win (Cycles 108-109). Packages 3 substantial features accumulated since v0.3.15: a Coordinator-level scout exclude-list that cuts ~80% of structural noise from scan output, plus a new `priorityScore` concept that explicitly separates the LLM's confidence% from a real urgency-of-action signal — fixing the empirical user-confusion "the TP% reads as priority alongside severity" reported in the SENTINEL evaluation handoff.
What changed
-
DG-117 A — Scout exclude-list post-hoc filter (Cycle 108). The Coordinator now drops findings whose `location.path` contains a noise segment before stage 2 (dedup + fp_known). Initial set: `fixtures`, `fixtures`, `node_modules`, `dist`, `build`, `out`, `coverage`, `vendor`, `pycache`. Deliberate decision: no `test`/`tests` segment (would over-reach and silence legitimate auth/validation tests). Applies to ALL 5 scouts via Coordinator — no per-binary flag-syntax conversion.
-
DG-117.0.1 hotfix decimal — Empirical extension (Cycle 108). Baseline-6 revealed 3 noise patterns the initial set missed: `tests/benchmark/ground-truth.json`, `.scanners//...` (CLI-installer artifacts), and `.test.` / `.spec.` filenames. Added 2 segments (`benchmark`, `.scanners`) + new `DEFAULT_EXCLUDED_FILENAME_SUBSTRINGS = ['.test.', '.spec.']` matched against the last path segment. `isPathExcluded` signature extended to 3 args (backward-compatible). Result in SENTINEL workspace: 34 findings → 4 (-88% noise; only 2 real-code FPs + 2 meta-noise survive).
-
DG-118 A — TP/risk split (Cycle 109, backlog #5 from user-handoff). New field `Finding.priorityScore?: 'urgent' | 'high' | 'medium' | 'low' | 'noise'` computed deterministically by `computePriorityScore(severity, classification?)` with this matrix:
Severity ↓ \ Triage → TP INC (demote) Untriaged FP critical urgent high urgent noise high high medium high noise medium medium low medium noise low low low low noise info low low low noise The sidebar now shows TWO badges side-by-side at the head of each card (severity + priority, deliberately different colors) plus a state badge on the right showing only `TP`/`INC`/`FP`/`NEW` — the confidence% is moved to a secondary line in the brain section with the explicit label `LLM confidence: N%`.
Empirical validation cross-workspace
Baseline-7 in `SYNAPTIC_SAAS`:
- 37 findings with `priorityScore` populated 37/37
- All 5 priority tiers present: urgent=2, high=16, medium=15, low=2, noise=2
- Sanity matrix PASS: `noise ⇔ FP`, `urgent ⇔ critical+TP`, `(low, inconclusive) → low (floor)`, `(medium, inconclusive) → low (demote)`, `(high, inconclusive) → medium (demote)`
- DG-115 A override directive (prismjs) INTACT — no regression
- Severity↔priority divergence visualized correctly (e.g. CVE-2026-41650 medium-severity / low-priority due to INC demote)
Known design tradeoffs (honest, anti-optimismo)
- `priorityScore` is per-finding; SCA grouped remediations (DG-113 A) show 1 action per package family. Observed during Baseline-7: `high=16` priority counts is dominated by ~14 protobufjs CVEs that collapse to one `Upgrade protobufjs to 7.5.8 / 8.2.0` remediation action. The two views disagree on "how much work." Surfacing priority at the group level is a future improvement candidate (`DG-future-group-priority`).
- Severity ↔ priority divergence is by design, not a bug — that is the point of the split. The UI distinguishes them via different colors + position.
- Hardcoded exclude-list (no `.sentinelignore` yet). If your project has a directory legitimately named `fixtures` / `benchmark` / `vendor` (production code), findings there are silenced. User-configurable exclude deferred to future sub-DG.
- Exclude post-hoc filter doesn't save scout CPU — scouts still scan the noise paths; Coordinator just discards afterwards. Acceptable for current workspace sizes.
- `inconclusive`-but-well-reasoned SAST taint verdicts carried over from v0.3.15 — unchanged, success by design.
Schema changes (additive, backward-compatible)
- `FindingSchema`: `priorityScore?: 'urgent' | 'high' | 'medium' | 'low' | 'noise'` optional. Findings persisted in `colony.db` from earlier scans accept the absence; the UI falls back gracefully to severity-only rendering when missing.
- `ScanOutcome.suppressedCount` now aggregates path-excluded findings + stage 2 dedup + fp_known suppression.
- New export from `@synaptic-sentinel/core`: `computePriorityScore`, `PriorityScoreSchema`, `PRIORITY_SCORES`, `isPathExcluded`, `DEFAULT_EXCLUDED_PATH_SEGMENTS`, `DEFAULT_EXCLUDED_FILENAME_SUBSTRINGS`.
Installation
`vsce publish` to the VS Code Marketplace is not part of this release — the Marketplace listing is on v0.3.3 and 14 GitHub-only releases (v0.3.4 → v0.3.16) accumulate user-side publishing operations. To install in VS Code:
```
code --install-extension synaptic-sentinel-0.3.16.vsix
```
…or use Install from VSIX... in the Extensions view.
Artifact
- `synaptic-sentinel-0.3.16.vsix` — 1838 files / 3.2 MB / 3,351,025 bytes
- SHA-256: `c83380b4f0a0812e243949b2d69c0c711005a14dc081a290065bf19106fcfdb3`
Verification
- `pnpm verify` VERDE: 62 test files / 763 tests + manifest gate (18 checks) + activation gate (9 commands + 15 subscriptions)
- Test growth from v0.3.15: +56 tests (707 → 763) = +15 exclude (DG-117 A) + +12 hotfix extension (DG-117.0.1) + +29 priority-score matrix + webview render (DG-118 A)