CONCEPT Cited by 1 source
Anomaly-gated config update¶
Definition¶
An anomaly-gated config update is a deployment discipline for learned or computed configuration artefacts in which each new version is compared against the previously-published version before being allowed to take effect. If more than a fraction A of entries change in a way deemed "dangerous," the entire update is rejected and the previous version is retained. Different classes of change are given different treatments — some are allowed freely (safe additions), some are explicitly allowed even though they look destructive (natural evolution), and only a specific dangerous-direction delta counts as an anomaly.
Why it matters for learned config¶
Learned or computed configuration — MIQPS, classifier thresholds, feature importances, routing tables, rate-limit tiers — is derived from upstream data. When the upstream data is flawed (transient rendering failures, pages that changed mid-analysis, an infra outage producing garbage signals), the derived config can be silently wrong. Without a gate, the bad config gets published, runtime consumers load it, and the system starts misbehaving.
The gate catches this before publication.
Pinterest's three-rule MIQPS anomaly detection¶
The canonical wiki instance (Source: sources/2026-04-20-pinterest-smarter-url-normalization-at-scale-how-miqps-powers-content-deduplication):
| Change | Classification | Rationale |
|---|---|---|
| Parameter was non-neutral, now neutral | Anomaly | "The dangerous case — it means we would start stripping a parameter that we previously determined was important." |
| Parameter was neutral, now non-neutral | Not anomaly | "We discovered a new important parameter, and the worst case is keeping slightly more parameters than necessary." |
| Pattern disappeared entirely | Not anomaly | "Patterns can naturally disappear as a domain's URL structure evolves." |
Rule: "If more than A% of existing patterns are flagged as anomalous, the entire MIQPS update is rejected and the previous version is retained."
The key insight — asymmetric rules match asymmetric costs¶
The rule set embodies an asymmetric-cost model:
- Stripping a non-neutral parameter silently merges distinct items → corrupts catalog identity. Catastrophic.
- Keeping a neutral parameter wastes a render slot. Tolerable.
- Pattern disappearing reflects real-world domain evolution. Fine.
A symmetric gate (flag any change) would be wrong: it would either reject every legitimate update or tolerate dangerous changes. The direction of the change — which way the classification flipped — is the signal, not its magnitude.
This is the general principle: anomaly-rule classifications should mirror the asymmetric cost structure of the underlying decisions.
Contrast with unconditional publish¶
Without anomaly gating, the publish pipeline looks like:
compute new config → publish → runtime reloads → behaviour changes
A transient upstream failure (rendering infra flapping for an hour during MIQPS compute) produces a degenerate new config (say, every parameter flips to neutral because no render succeeded), that degenerate config is published, and runtime starts stripping every parameter. Every URL becomes the same. Catalog explodes.
With anomaly gating:
compute new config → diff against previous → count anomalies →
if count > A% of entries: reject, keep previous
else: publish
The degenerate-config attack is caught at step 2.
Contrast with canary / gradual rollout¶
Anomaly gating and canary rollout solve related but different problems:
- Anomaly gating catches bad config at publish time by comparing against the previous published version. Never lets bad config out.
- Canary rollout catches bad config at rollout time by letting a small fraction of runtime traffic use the new config and measuring its effect. Lets bad config out but limits blast radius.
For MIQPS, anomaly gating is sufficient because the artefact is small and the "dangerous change" is precisely characterised. For general config / code deployment, canary rollout is typically needed on top.
Generalisation¶
Anomaly gates for learned config apply wherever:
- The config is derived from upstream data that can be transiently bad.
- Changes have asymmetric cost — one direction of change is dangerous, the other tolerable.
- A previous good version is available for comparison.
Examples:
- Dictionary-based compression (see concepts/shared-dictionary-compression) — new dictionary must not break decoding of old content.
- Feature-importance tables for rule-based anti-abuse systems — moving critical features out of the high-importance tier is dangerous.
- Routing tables — disappearing prefixes are fine, disappearing entire regions is not.
- Rate-limit tiers — expanding limits is usually safe, contracting below current consumption is dangerous.
Seen in¶
- sources/2026-04-20-pinterest-smarter-url-normalization-at-scale-how-miqps-powers-content-deduplication — Pinterest MIQPS, canonical wiki instance.
Related¶
- concepts/offline-compute-online-lookup — the broader architecture; anomaly gating sits between the "compute" and "publish" phases.
- concepts/neutral-vs-non-neutral-parameter — the MIQPS-specific change semantics.
- systems/pinterest-miqps
- patterns/conservative-anomaly-gated-config-update — the pattern formulation.
- companies/pinterest