Multi-country anomaly burst detector: candidate coordinated censorship campaigns

Single-country anomaly detectors (DBSCAN, STL) catch local events. This burst detector catches CROSS-COUNTRY synchronized events — K>=3 countries flipping anomalous on the same day. Pipeline: 90d lookback, mirror the live DBSCAN scoring (45d rolling window, eps=75th-pct kNN, min_samples=3) over 3,718 (country, day) cells, group 820 flips by day, flag days with K>=3 distinct countries as candidate bursts, mine the underlying evidence to find the modal shared domain / blocking method / signal type as the hypothesized common factor. Significance: under independence per-country flip rates, p_any = 1 - (1 - product(rates))^N_days, Bonferroni-corrected over N_days. First run: 73 bursts in 90 days, 33 significant at p_adj < 0.05. Largest burst (2026-05-03, K=58, p_adj=0.0000) hypothesizes shared_domain:chat.openai.com — almost certainly OONI's coordinated probe sweep, not coordinated censorship (the exact failure mode we flag honestly). More-credible candidate bursts: protonvpn.com spread across 23-26 countries 2026-04-12 to 04-14 (anti-circumvention pattern), recurring twitter.com (K=22-24) and facebook.com (K=22-31) bursts. Sidecar at /opt/voidly-ai/ml-deploy/anomaly_bursts_v1.json. Live at GET /v1/atlas/anomaly-bursts + GET /v1/atlas/anomaly-bursts/{burst_id}. Cron daily 05:30 UTC. Honest caveats: co-occurrence != coordination (could be coincidence, shared infra failure, or OONI methodology change), 6h bucketing collapsed to day because upstream observed_at is day-granular, independence assumption is wrong (neighbors correlate), DBSCAN AUC is only 0.65 so the flip signal itself is noisy.