Skip to main content
FinWatch treats fraud detection rules as code. Rules are plain-text .ws files that can be stored in a Git repository, reviewed in pull requests, and deployed automatically when merged. This guide covers everything you need to know about managing the rule lifecycle using Git — FinWatch’s native approach.

Why GitOps for Fraud Rules?

Traditional fraud detection platforms manage rules through web UIs or proprietary configuration systems. This creates several problems:
  • No audit trail. Who changed the rule? When? Why? Most UIs don’t track this well.
  • No review process. A single analyst can change a rule that blocks millions of dollars in transactions, with no second pair of eyes.
  • No rollback. If a rule change causes false positives, reverting is manual and error-prone.
  • No testing. There’s no staging environment, no CI pipeline, no way to test a rule change before it goes live.
GitOps solves all of these:

Setting Up a Rules Repository

Creating the Repository

Create a dedicated Git repository for your fraud detection rules:
Key conventions:
  • One rule per .ws file. Always.
  • Organize by category. Group rules by the type of fraud pattern they detect.
  • Include a README. Document the purpose of each category and any team-specific conventions.
  • Store variable definitions alongside rules. This keeps everything in one place.

Initial Commit


Connecting FinWatch to Your Repository

FinWatch connects to your Git repository using two environment variables:

Configuration

Or in Docker:

What Happens at Startup

When FinWatch starts with a Git repository configured:
  1. Validation: Checks that Git is installed on the system. If not, startup fails with a fatal error.
  2. Clone or Update: If the local directory doesn’t exist, clones the repository. If it exists but isn’t a valid Git repo, removes it and re-clones. If it’s already a valid repo, pulls the latest changes.
  3. Process Existing Scripts: Scans the directory for all .ws files and compiles them into the instruction database.
  4. Start Periodic Sync: Begins polling the remote repository for changes every 30 seconds.
  5. Start File Watcher: Monitors the local directory for file system changes using fsnotify.

The Rule Lifecycle

The complete lifecycle of a fraud detection rule in a GitOps workflow:

Step 1: Write the Rule

Create a new .ws file on a feature branch:
Write the rule:

Step 2: Commit with a Clear Message

Commit message best practices:
  • First line: Short summary of what changed.
  • Body: Explain the thresholds, the reasoning behind score/verdict choices, and any regulatory context.
  • Reference: Link to the fraud investigation ticket or compliance requirement that prompted the rule.

Step 3: Open a Pull Request

Push the branch and open a PR:
Your PR should include:
  • Description: What fraud pattern does this rule detect? Why is it needed?
  • Thresholds justification: Why 10 transactions? Why 24 hours? Why $100 minimum?
  • Testing evidence: Show test transactions that trigger and don’t trigger the rule.
  • Scoring rationale: Why 0.5 and not 0.8?

Step 4: Review

Your team reviews the rule. Common review checklist:
  • Rule name is descriptive and follows PascalCase convention.
  • Description is clear and written for a non-technical audience.
  • Conditions are logically correct and cover the intended pattern.
  • Cheap conditions are placed before expensive ones (performance).
  • Score is appropriate for the confidence level.
  • Reason is specific and actionable.
  • No typos in field names.
  • Time windows are appropriate (not too large, not too small).

Step 5: Merge and Auto-Deploy

Once approved, merge the PR to main. Within 30 seconds (the default polling interval), FinWatch:
  1. Pulls the latest changes from the repository.
  2. Detects the new .ws file.
  3. Compiles the rule.
  4. Adds it to the active rule set.
No restart required. No manual deployment. The rule is live.

File Watching

FinWatch uses two complementary mechanisms to detect rule changes:

Git Polling (Remote Changes)

The GitManager periodically polls the remote repository for new commits:
  • Default interval: Every 30 seconds.
  • Mechanism: Executes git pull on the tracked branch.
  • Behavior: If new commits are found, the updated/new .ws files are automatically recompiled.

File System Watching (Local Changes)

For immediate feedback during development, FinWatch also watches the local directory using the fsnotify library:
  • Events monitored: File creation, modification, and deletion.
  • File filter: Only .ws files trigger recompilation.
  • Behavior: When a .ws file is saved locally, FinWatch recompiles it within seconds.
This dual approach means:
  • In production: The Git polling mechanism picks up merged changes.
  • In development: Saving a file locally triggers immediate recompilation, giving you instant feedback.

Validation and Error Handling

What Happens When a Malformed Rule is Pushed

If a .ws file with a syntax error is committed and pushed, FinWatch will:
  1. Pull the change.
  2. Attempt to compile the rule.
  3. Log a parse error with the specific line and column number:
  4. Skip the malformed rule. Other valid rules continue to function normally.
  5. Not crash. A single bad rule does not bring down the engine.

Common Parse Errors

Pre-Merge Validation

To catch errors before they reach production, add a validation step to your CI pipeline. You can use FinWatch’s parser as a linter:

Rolling Back a Rule

One of the strongest advantages of GitOps is the ability to roll back changes instantly.

Revert a Specific Commit

FinWatch picks up the revert within 30 seconds, and the rule is removed or restored to its previous state.

Revert to a Known-Good State

Emergency: Delete a Rule

If a rule is causing immediate harm (blocking legitimate transactions), the fastest fix is to delete the file:
FinWatch will stop evaluating the deleted rule within 30 seconds.

Team Workflows

Branch Naming Convention

Required PR Labels

Consider labeling PRs to categorize changes:
  • new-rule — Adding a new rule.
  • tune — Adjusting thresholds or scores.
  • critical — Changes that affect block verdicts.
  • compliance — Changes driven by regulatory requirements.

Review Requirements

  • Any rule change: At least one peer review from an engineer.
  • block verdict rules: Additional review from a compliance officer or fraud analyst.
  • Score changes above 0.8: Requires senior engineer approval.
  • Variable list updates: Can be approved by the compliance team directly.

Tagging Releases

Tag your rule set after significant changes:
Tags provide clear rollback targets and make it easy to track which rule set was active at any point in time.

Triggering a Manual Sync

If you need FinWatch to pull changes immediately (without waiting for the 30-second polling interval), use the Git sync API endpoint:
This triggers an immediate git pull and recompilation of any changed .ws files.

Checking Repository Status

Returns the current Git repository status, including the current branch, latest commit, and sync status.

Next Steps