6.5 KiB
6.5 KiB
RMI RAG Modernization — 2026 Standards
======================================
Design document for upgrading RMI's RAG system to production-grade
modern standards. Based on audit of all 40+ endpoints, 4 pipelines,
9 collections, and 3 embedders.
Current State Audit
Collections (crypto_embeddings.py)
wallet_profiles, token_analysis, scam_patterns, forensic_reports, market_intel, contract_audits, known_scams, news_articles, transaction_patterns
Embedders (INCONSISTENT — 3 different models)
- nomic-embed-text (768d) — rag_engine.py, smart_ai_engine.py
- bge-m3 (1024d) — rag_ingestion.py, rag_supreme.py
- bge-small-en-v1.5 (384d) — crypto_embeddings.py (primary)
Pipelines (4 separate, overlapping)
- rag_engine.py — Qdrant REST API, nomic-embed-text, 5 collections
- rag_service.py — FAISS ANN, bge-small, 9 collections, 3-pillar search
- rag_supreme.py — 15-win pipeline, bge-m3, 5 Qdrant collections
- rag_firehose.py — continuous ingestion engine (designed, not fully wired)
Gaps Identified
- NO historical scam ingestion (Rekt DB, Chainabuse, DeFi hacks)
- NO structured chunking — raw text embedding, no overlap
- NO evaluation running (RAGAS mentioned, not active)
- Embedding model inconsistency across pipelines
- Firehose sources not wired (cadences defined, fetchers missing)
- NO query transformation in production path
- NO feedback loop active
- Redis SCARD bug (FIXED 2026-06-17)
- FAISS disk indexes exist but Redis backing data evicted for 7/9 collections
Modern Standards (2025-2026 Industry Consensus)
1. Chunking Strategy
- DEFAULT: Recursive character splitting, 512 tokens, 15% overlap
- For code: add class/function boundary separators
- For news: sentence-based chunking preserves coherence
- For scam reports: semantic chunking on topic boundaries
- Overlap: 10-20% (test for your domain — some studies show no benefit)
2. Embedding Models
- STANDARDIZE on bge-m3 (1024d) — best open-source, multilingual
- Fallback: bge-small-en-v1.5 (384d) for fast/local
- Multi-head: different dims for different content types
- Contract code: 128d structural features (already in crypto_embeddings.py)
- Scam patterns: 384d behavioral embedding
- News/articles: 1024d semantic (bge-m3)
- Wallet profiles: 64d behavioral fingerprint
3. Retrieval Architecture
- HYBRID: Dense (70%) + BM25/Sparse (30%) — 5-15% recall improvement
- RRF fusion (Reciprocal Rank Fusion) — proven best for hybrid
- Cross-encoder rerank: top-20 → rerank → top-5
- MMR dedup: remove near-duplicate results
- Query expansion: generate 3 variants, fuse results
4. Ingestion Pipeline (UNIFIED)
- SINGLE entry point: POST /api/v1/rag/ingest
- Pipeline: Parse → Chunk → Dedup → Classify → Embed → Store → Index
- Dedup: content hash in Redis (MD5 of normalized text)
- Quality filter: skip docs below quality threshold
- Rate limiting: per-collection docs/minute
- Batch embedding: groups of 25-50, async
5. Historical Data Sources (NEW)
- Rekt DB (de.fi/rekt-database) — 3,000+ DeFi hacks since 2020
- Chainabuse — scam reports with addresses
- TRM Labs Crypto Crime Report — annual typologies
- Elliptic State of Crypto Scams — annual report
- Chainalysis Crypto Crime Report — annual trends
- SlowMist Hacked Archive — detailed exploit analysis
- Immunefi Bug Bounty Reports — vulnerability patterns
- CertiK Audit Findings — smart contract vulnerabilities
- Solana Compromised Accounts — known drained wallets
- Etherscan Labels — 115K+ labeled addresses (already have)
6. Evaluation Framework
- RAGAS metrics: faithfulness, answer_relevancy, context_precision, context_recall
- Golden test set: 50 known scam queries with expected answers
- Run weekly, alert on regression
- Track: Hit@5, MRR, NDCG@10
7. Feedback Loop
- Scanner hits → boost source weight
- False positives → penalize
- User corrections → update embeddings
- Track helpful docs, boost in future searches
Implementation Plan
Phase 1: Standardize & Consolidate (NOW)
- Standardize embedder: bge-m3 (1024d) primary, bge-small (384d) fallback
- Add recursive chunking to ingest pipeline
- Wire firehose sources (Rekt DB, Chainabuse, Etherscan labels)
- Add content hash dedup to all ingestion paths
Phase 2: Historical Data Ingestion (THIS WEEK)
- Build Rekt DB scraper → forensic_reports collection
- Build Chainabuse scraper → known_scams collection
- Ingest TRM/Elliptic/Chainalysis annual reports → market_intel
- Ingest SlowMist/Immunefi/CertiK findings → contract_audits
Phase 3: Evaluation & Feedback (NEXT WEEK)
- Activate RAGAS evaluation pipeline
- Build golden test set (50 queries)
- Wire feedback loop (scanner hits → boost)
- Add query transformation (HyDE, expansion)
Phase 4: Advanced Retrieval (ONGOING)
- Cross-encoder reranking (bge-reranker-v2-m3)
- Parent-child retrieval for long documents
- Multi-modal: code + text + transaction patterns
- Streaming response for agentic investigation
New Unified Ingestion Pipeline
POST /api/v1/rag/ingest
{
"documents": [...],
"collection": "known_scams",
"source": "rekt_db",
"chunking": "recursive" // or "semantic", "sentence", "none"
}
Pipeline:
1. PARSE — extract text, metadata, entities
2. CHUNK — recursive split (512 tokens, 15% overlap)
3. DEDUP — MD5 hash check against Redis
4. QUALITY — score content, skip if < threshold
5. CLASSIFY — route to correct collection
6. EMBED — batch embed via bge-m3 (Ollama)
7. STORE — Redis (hot) + FAISS (index) + R2 (cold)
8. INDEX — update ANN index version
New Collections to Add
| Collection | Source | Dims | Purpose |
|---|---|---|---|
| defi_hacks | Rekt DB, SlowMist | 1024d | Historical DeFi exploits |
| rug_timeline | Chainabuse, SENTINEL | 1024d | Rug pull chronology |
| vuln_patterns | Immunefi, CertiK | 1024d | Smart contract vulnerabilities |
| crime_reports | TRM, Elliptic, Chainalysis | 1024d | Annual crime typologies |
| compromised_wallets | Solana, Etherscan | 384d | Known drained addresses |
| exploit_techniques | All sources | 1024d | How hacks were executed |
Success Metrics
- RAG total_docs: 2,473 → 50,000+ (20x)
- Collections with data: 2/9 → 9/9 + 6 new
- Embedding consistency: 3 models → 1 primary + 1 fallback
- Ingestion cadence: ad-hoc → continuous (firehose)
- Evaluation: none → weekly RAGAS
- Chunking: none → recursive 512-token
- Dedup: none → content hash
- Cold storage: partial → full R2 permanence