Hugging Face's logo

Spaces:
Humanlearning
/
Cyber_analyst-round1
Sleeping

App Files Community
Cyber_analyst-round1 / AGENTS.md
Humanlearning's picture
Humanlearning
feat: enhance reward configuration management with new logging functions, add parallel Modal training guidelines to documentation, and improve reward config hashing for deterministic behavior
0e7f59c
preview code
|
raw
history blame contribute delete
38.4 kB
# AGENTS.md — CyberSecurity_OWASP Builder Instructions
## Purpose
This repository implements **CyberSecurity_OWASP**, an OpenEnv-compliant RL environment for training a **single LLM agent** to perform a defensive application-security workflow:
```text
inspect generated app + policy -> discover authorization bug -> submit safe finding -> patch code -> preserve intended behavior
```
The environment must train the model to do real interactive work, not answer static security questions. The model must act step by step through typed OpenEnv actions, observe consequences, receive deterministic reward, and improve through RL.
The canonical repository and OpenEnv environment name is **`CyberSecurity_OWASP`**. Use this exact name in `openenv.yaml`, `pyproject.toml`, HF Spaces repo naming, Docker image tags, Trackio run names, command examples, and documentation.
The target stack is:
```text
CyberSecurity_OWASP OpenEnv environment
 -> deterministic verifier + hidden tests
 -> rollout loop
 -> HF TRL / Unsloth GRPO
 -> Trackio logging
 -> held-out evaluation
 -> HF Spaces deployment
```
The final project must show measurable improvement in reward, exploit-block rate, regression-preservation rate, and held-out generalization after training.
---
## Product definition
CyberSecurity_OWASP generates a new local application scenario every `reset(seed)`. Each episode contains:
- a policy graph describing users, roles, tenants, resources, ownership, permissions, and public routes;
- a generated FastAPI-style application workspace;
- exactly one injected OWASP A01-style authorization defect;
- visible tests for normal behavior;
- hidden invariant tests for authorization correctness, regression protection, public-route preservation, and anti-cheat checks.
The environment has **one LLM agent**, not separate red-team and blue-team LLMs. The environment itself acts as the scenario generator, tool server, verifier, and judge.
---
## Highest-priority objectives
When making implementation decisions, optimize in this order:
1. **Verifier correctness**: deterministic tests must decide whether the patch actually fixes the authorization defect.
2. **Reward integrity**: reward must be hard to hack and must punish insecure or regressive patches.
3. **Anti-overfitting**: the model must generalize across apps, layouts, policies, domains, names, and bug families.
4. **OpenEnv compliance**: expose typed `Action`, `Observation`, and `State`; implement `reset()`, `step(action)`, and `state` correctly.
5. **Trainability**: baseline model should sometimes get partial reward; curriculum should make early learning possible.
6. **Real-world usefulness**: the workflow should resemble secure code review / AppSec authorization repair.
7. **Demo clarity**: show before/after rollouts, reward curves, and why the trained model improved.
8. **Hackathon competitiveness**: prioritize a novel, interactive, professionally useful environment with a coherent training pipeline.
Do not train before the environment, verifier, anti-cheat tests, and before/after evaluation are stable.
---
## Hackathon alignment requirements
The implementation must satisfy these minimum requirements:
- use the latest OpenEnv release;
- include a minimal HF TRL or Unsloth training script;
- use Trackio as the default tracker for training and evaluation;
- be deployable as an OpenEnv-compliant Hugging Face Space;
- include a README / mini-blog style explanation;
- show baseline-vs-trained improvement.
Optimize for judging:
| Criterion | Weight | CyberSecurity_OWASP evidence |
|---|---:|---|
| Environment innovation | 40% | procedural OWASP authorization-repair environment with generated code, policy, and hidden verifier |
| Storytelling | 30% | single LLM learns discover + patch, before/after security behavior |
| Showing improvement in rewards | 20% | reward curves, exploit-block pass rate, regression-preservation rate |
| Reward/training pipeline | 10% | deterministic reward, GRPO/PPO rollout loop, Trackio metrics |
---
## Non-negotiable environment design
CyberSecurity_OWASP must be a **single-agent** environment:
```text
phase = discover -> patch -> done
```
Do not implement a two-LLM red-team/blue-team setup. The single model must learn both discovery and repair.
The environment must be defensive and local only. It must never target real systems or teach unauthorized exploitation. All probing must be limited to the generated local workspace controlled by the environment.
---
## Required repository structure
Prefer this structure:
```text
.
├── AGENTS.md
├── README.md
├── 00_PROJECT_BRIEF.md
├── 01_ARCHITECTURE.md
├── pyproject.toml
├── openenv.yaml
├── envs/
│ └── CyberSecurity_OWASP/
│ ├── __init__.py
│ ├── models.py
│ ├── client.py
│ ├── README.md
│ ├── rewards.py
│ ├── validators.py
│ ├── safety.py
│ ├── evals.py
│ ├── server/
│ │ ├── __init__.py
│ │ ├── app.py
│ │ ├── environment.py
│ │ ├── scenario_compiler.py
│ │ ├── policy_graph.py
│ │ ├── template_renderer.py
│ │ ├── bug_mutator.py
│ │ ├── fixture_generator.py
│ │ ├── reward_engine.py
│ │ ├── requirements.txt
│ │ └── Dockerfile
│ ├── templates/
│ │ └── fastapi_basic/
│ ├── scenario_cache/
│ │ ├── train/
│ │ ├── validation/
│ │ └── hidden_eval/
│ └── tests/
│ ├── test_models.py
│ ├── test_reset_step_state.py
│ ├── test_rewards.py
│ ├── test_anti_cheat.py
│ ├── test_seed_reproducibility.py
│ ├── test_invalid_actions.py
│ └── test_rollouts.py
├── training/
│ ├── train_grpo.py
│ ├── rollout.py
│ ├── reward_funcs.py
│ ├── eval_before_after.py
│ ├── trackio_utils.py
│ └── configs/
│ └── grpo_small.yaml
├── scripts/
│ ├── run_local.sh
│ ├── docker_build.sh
│ ├── docker_run.sh
│ ├── smoke_test.sh
│ ├── generate_scenarios.sh
│ └── push_space.sh
├── assets/
│ └── anti_overfitting_training_flow_diagram.png
└── outputs/
 ├── logs/
 ├── evals/
 └── rollouts/
```
If `openenv init CyberSecurity_OWASP` creates a different structure, preserve the generated structure and add the missing files around it.
---
## Architecture overview
CyberSecurity_OWASP has 7 main components:
1. **Policy Graph + Domain Sampler** — samples users, roles, tenants, ownership, public routes, and business exceptions.
2. **Template / Framework Randomizer** — renders FastAPI-style apps with randomized layouts and naming.
3. **A01 Bug Mutator** — injects one authorization defect per scenario.
4. **Fixture + Hidden Test Generator** — creates users, resources, visible tests, and hidden invariant tests.
5. **OpenEnv Server** — exposes typed `Action`, `Observation`, and `State` through `reset`, `step`, and `state`.
6. **LLM Agent + LoRA** — one model performs discover + patch.
7. **Deterministic Reward Engine** — hidden tests score exploit blocking, normal-flow preservation, patch quality, and anti-cheat.
An optional LLM reviewer may score rationale quality and ASVS/OWASP mapping only. It must not provide the primary reward.
---
## Scenario compiler requirements
### Policy Graph + Domain Sampler
The policy graph is the source of truth. It must define:
- users;
- tenants;
- roles;
- resources;
- ownership relationships;
- role permissions;
- public routes;
- business exceptions.
Initial domains:
| Domain | Example resources | Example policy rule |
|---|---|---|
| invoices | invoices, payments, accounts | owner or billing admin can read invoice |
| support | tickets, comments, customer records | assigned agent can update ticket |
| projects | projects, documents, milestones | project member can read project docs |
| marketplace | orders, returns, seller records | buyer owns own orders; seller owns own listings |
| HR | employee profiles, reviews, payroll records | HR admin can read employee records |
### Template / Framework Randomizer
First version: FastAPI only. Still randomize structure so the model cannot memorize one app.
Randomize:
- path naming;
- parameter names;
- helper names;
- folder layout;
- route/service/auth split;
- fixture names;
- error messages within valid policy bounds.
Examples:
```text
/routes/invoices.py
/api/billing.py
/controllers/accounts.py
/services/access.py
/authz/guards.py
```
### A01 Bug Mutator
Inject exactly one primary bug per scenario.
Initial bug families:
| Bug family | Defect | Desired repair pattern |
|---|---|---|
| BOLA/IDOR | resource ID lookup lacks owner/tenant check | check server-side owner/tenant relation |
| BFLA | privileged route lacks role/function check | add reusable role or permission guard |
| tenant leak | request/header tenant ID is trusted | derive tenant from authenticated principal or server-side mapping |
| JWT claim trust | mutable claim is treated as authoritative | verify against server-side user/role record |
| public-route trap | route is intentionally public | do not over-secure public allowlisted route |
### Fixture + Hidden Test Generator
Visible tests should check that the app boots and normal happy paths work.
Hidden tests must check:
- exploit request is blocked;
- legitimate owner flow still works;
- legitimate admin/support flow still works;
- public routes remain public;
- cross-tenant access is denied;
- randomized IDs/names defeat hardcoded patches;
- hidden tests, fixtures, oracle, and reward files are not modified.
### Scenario Cache + Seeded Reset
Training should use cached scenarios for speed.
Recommended first cache:
| Split | Seeds | Purpose |
|---|---:|---|
| train | 500–1,000 | RL rollouts |
| validation | 100–200 | checkpoint selection and curriculum signal |
| hidden_eval | 100–200 | final generalization proof |
### Hold-Out Generalization Splitter
Hold out at least 4 dimensions:
1. domains;
2. policy graph shapes;
3. code layouts;
4. bug-family/domain combinations.
Example: train on invoices/support/projects, evaluate on marketplace/HR.
---
## OpenEnv model definitions
Implement these in `envs/CyberSecurity_OWASP/models.py`.
```python
from dataclasses import dataclass, field
from typing import Any, Literal
from openenv.core.env_server import Action, Observation, State
CyberSecurityOWASPPhase = Literal["discover", "patch", "done"]
CyberSecurityOWASPSplit = Literal["train", "validation", "hidden_eval"]
@dataclass
class CyberSecurityOWASPAction(Action):
 tool_name: Literal[
 "inspect_policy_graph",
 "list_routes",
 "read_openapi",
 "read_file",
 "search_code",
 "send_local_request",
 "compare_identities",
 "submit_diagnosis",
 "patch_file",
 "run_visible_tests",
 "submit_fix",
 "noop",
 ]
 arguments: dict[str, Any] = field(default_factory=dict)
@dataclass
class CyberSecurityOWASPObservation(Observation):
 phase: CyberSecurityOWASPPhase
 message: str
 task_brief: str
 visible_policy_hint: dict[str, Any] = field(default_factory=dict)
 workspace_summary: dict[str, Any] = field(default_factory=dict)
 available_actions: list[str] = field(default_factory=list)
 last_tool_result: str = ""
 last_action_valid: bool = True
 last_action_error: str | None = None
 visible_test_result: str | None = None
 reward_breakdown: dict[str, float] = field(default_factory=dict)
 done_reason: str | None = None
@dataclass
class CyberSecurityOWASPState(State):
 episode_id: str = ""
 task_id: str = ""
 seed: int = 0
 split: CyberSecurityOWASPSplit = "train"
 difficulty: int = 0
 domain: str = ""
 bug_family: str = ""
 phase: CyberSecurityOWASPPhase = "discover"
 step_count: int = 0
 max_steps: int = 40
 done: bool = False
 success: bool = False
 failure_reason: str | None = None
 finding_submitted: bool = False
 patch_submitted: bool = False
 accumulated_reward: float = 0.0
 last_reward: float = 0.0
 action_history: list[dict[str, Any]] = field(default_factory=list)
 reward_history: list[dict[str, float]] = field(default_factory=list)
 visible_facts: dict[str, Any] = field(default_factory=dict)
 hidden_facts: dict[str, Any] = field(default_factory=dict)
 metrics: dict[str, Any] = field(default_factory=dict)
 anti_cheat_flags: list[str] = field(default_factory=list)
```
---
## Action design and phase gating
Actions must be explicit, typed, serializable, and constrained. Invalid actions must not crash the server.
### Phase-gated tools
| Phase | Allowed tools |
|---|---|
| discover | `inspect_policy_graph`, `list_routes`, `read_openapi`, `read_file`, `search_code`, `send_local_request`, `compare_identities`, `submit_diagnosis`, `noop` |
| patch | `read_file`, `search_code`, `patch_file`, `run_visible_tests`, `send_local_request`, `submit_fix`, `noop` |
| done | no state-changing tools; return stable done observation |
### Tool contracts
`inspect_policy_graph`
: Returns public policy hints. Must not reveal hidden bug labels or hidden tests.
`list_routes`
: Returns route method/path summaries from the generated app.
`read_openapi`
: Returns generated OpenAPI metadata.
`read_file`
: Reads editable workspace files only. Must block hidden tests, reward files, oracle files, and host files.
`search_code`
: Searches editable workspace files only.
`send_local_request`
: Sends a request to the local generated app only. Must block external URLs and host network access.
`compare_identities`
: Runs the same local request as two generated users and summarizes behavioral differences.
`submit_diagnosis`
: Accepts structured evidence of the suspected authorization bug. Required before patch phase unless curriculum level explicitly allows blind patching.
`patch_file`
: Applies a bounded unified diff to editable app files only.
`run_visible_tests`
: Runs visible tests only. Must not run or reveal hidden tests.
`submit_fix`
: Triggers hidden evaluation.
---
## Observation rules
Observations should provide enough information to act but must not leak the answer.
Include:
- current phase;
- task brief;
- visible policy hints;
- workspace summary;
- available tools;
- previous tool output;
- visible test output;
- public reward breakdown after terminal evaluation.
Do not include:
- hidden bug family if not meant to be visible;
- hidden test contents;
- hidden oracle;
- exact exploit path labels;
- hidden seed split labels that allow memorization;
- reward implementation details that allow proxy hacking.
---
## State rules
State is the source of truth for deterministic replay and debugging.
Required state properties:
- `reset(seed)` must create a fresh independent state;
- same seed + same action sequence should produce same result;
- each WebSocket session must be isolated;
- `step_count` increments once per processed action;
- terminal states return stable done observations;
- hidden facts never appear in observations;
- all actions and reward breakdowns are stored for debugging.
---
## Environment API contract
Implement in `envs/CyberSecurity_OWASP/server/environment.py`.
```python
from openenv.core.env_server import Environment
from ..models import CyberSecurityOWASPAction, CyberSecurityOWASPObservation, CyberSecurityOWASPState
class CyberSecurityOWASPEnvironment(Environment):
 def __init__(self):
 super().__init__()
 self._state = CyberSecurityOWASPState()
 def reset(self) -> CyberSecurityOWASPObservation:
 ...
 def step(self, action: CyberSecurityOWASPAction) -> CyberSecurityOWASPObservation:
 ...
 @property
 def state(self) -> CyberSecurityOWASPState:
 return self._state
```
`step(action)` must follow this order:
1. If done, return stable done observation.
2. Validate action and phase permissions.
3. Increment step count.
4. Execute the tool.
5. Update state/history.
6. Run verifier if `submit_diagnosis`, `run_visible_tests`, or `submit_fix`.
7. Compute reward components.
8. Check terminal conditions.
9. Return observation, reward, and done through OpenEnv step result handling.
---
## FastAPI server and client
`envs/CyberSecurity_OWASP/server/app.py` must use the OpenEnv FastAPI helper.
```python
from openenv.core.env_server import create_fastapi_app
from ..models import CyberSecurityOWASPAction, CyberSecurityOWASPObservation
from .environment import CyberSecurityOWASPEnvironment
env = CyberSecurityOWASPEnvironment()
app = create_fastapi_app(env, CyberSecurityOWASPAction, CyberSecurityOWASPObservation)
```
`envs/CyberSecurity_OWASP/client.py` must parse `StepResult`, observations, rewards, done flags, and state into typed classes.
---
## Deterministic reward engine
The reward engine is the task specification. Build it before training.
Maximum reward: **15.0**.
| Component | Reward |
|---|---:|
| valid finding with reproducible local evidence | +2.0 |
| finding tied to violated policy rule | +1.0 |
| hidden exploit blocked | +5.0 |
| legitimate owner/admin/support flows preserved | +3.0 |
| public routes preserved | +1.0 |
| patch is localized, reusable, and policy-aligned | +2.0 |
| visible tests pass and app boots | +1.0 |
| exploit still works | -6.0 |
| legitimate flow regression | -5.0 |
| public route incorrectly locked | -3.0 |
| hardcoded user/tenant/resource fix | -4.0 |
| modified tests, fixtures, oracle, or hidden files | -8.0 |
| app does not parse or boot | -6.0 |
The reward breakdown must use stable keys:
```python
reward_breakdown = {
 "discovery": discovery_reward,
 "security": security_reward,
 "regression": regression_reward,
 "public_routes": public_route_reward,
 "patch_quality": patch_quality_reward,
 "visible_tests": visible_tests_reward,
 "safety": safety_reward,
 "anti_cheat": anti_cheat_reward,
 "total": total_reward,
}
```
Do not let explanation quality dominate the reward. If using an LLM reviewer, keep it separate from `total` or cap it at a small non-primary auxiliary signal.
---
## Verifier requirements
Create `envs/CyberSecurity_OWASP/validators.py` and `envs/CyberSecurity_OWASP/server/reward_engine.py`.
Required verifier functions:
```python
def verify_finding(state: CyberSecurityOWASPState, finding: dict) -> dict:
 ...
def run_hidden_security_tests(state: CyberSecurityOWASPState) -> dict:
 ...
def run_hidden_regression_tests(state: CyberSecurityOWASPState) -> dict:
 ...
def detect_cheating(state: CyberSecurityOWASPState, action: CyberSecurityOWASPAction) -> list[str]:
 ...
def compute_reward(state: CyberSecurityOWASPState, action: CyberSecurityOWASPAction, verifier_result: dict) -> dict[str, float]:
 ...
```
Verifier tests must prove:
- correct patch receives high reward;
- exploit-only finding without patch does not complete the episode;
- deny-all patch fails regression tests;
- hardcoded patch fails randomized hidden tests;
- modified hidden files produce anti-cheat penalty;
- visible-test-only patch does not guarantee high reward;
- repeated intermediate actions cannot inflate reward indefinitely.
---
## Anti-overfitting requirements
CyberSecurity_OWASP must prevent overfitting to one app or scenario.
Use all of these defenses:
| Risk | Required defense |
|---|---|
| memorizes one app | many domains and templates |
| memorizes route names | randomized path, resource, parameter, helper names |
| memorizes bug location | vary route/service/auth layer placement |
| learns deny-all patch | hidden positive-flow and public-route tests |
| learns hardcoded patch | randomized users, tenants, resource IDs, role names |
| overfits visible tests | hidden invariant tests and held-out eval |
| overfits one bug family | curriculum-sampled bug mix |
| overfits one code layout | hold out entire layouts and domains |
| optimizes explanation only | deterministic reward is primary |
Acceptance target: at least **20%** of domain/layout/bug combinations must be held out from training.
---
## Safety and cybersecurity boundaries
This is a defensive AppSec training environment.
Allowed:
- local generated app probing;
- authorization reasoning;
- secure patching;
- visible and hidden test execution;
- policy-to-code mapping;
- defensive vulnerability validation in sandbox.
Forbidden:
- real-world exploitation;
- credential theft;
- persistence/evasion/malware behavior;
- scanning external targets;
- bypassing real services;
- writing exploit instructions for systems outside the local generated lab.
`send_local_request` must only target the generated local app.
---
## Curriculum controller
RL needs partial successes. Implement at least 3 difficulty levels.
```text
level_0: BOLA/IDOR, small app, direct route, obvious policy hint
level_1: BFLA or tenant bug, moderate app, realistic distractors
level_2: JWT trust or nested tenant/resource route, multiple files, false-positive traps
level_3: held-out domain/layout/bug combo, harder naming, fewer hints
```
Curriculum signal:
```text
if exploit_block_rate < 60%:
 increase level_0 and level_1 tasks
elif regression_rate > 20%:
 increase positive-flow and public-route traps
elif public_route_false_positive_rate > 10%:
 increase intentionally public route examples
elif validation_reward plateaus:
 increase unseen layouts and nested resources
else:
 increase difficulty by 1
```
---
## Training requirements
Create a runnable minimal training script using HF TRL or Unsloth.
Required files:
```text
training/train_grpo.py
training/rollout.py
training/reward_funcs.py
training/eval_before_after.py
training/trackio_utils.py
training/configs/grpo_small.yaml
```
Recommended first model:
```text
Qwen/Qwen3-1.7B
```
Acceptable alternatives:
```text
Qwen2.5-Coder-1.5B-Instruct
Qwen2.5-Coder-3B-Instruct
```
Use LoRA / QLoRA. Do not full-finetune unless explicitly required.
---
## Rollout function requirements
`training/rollout.py` must run a full OpenEnv episode.
```python
def rollout_once(trainer, env, tokenizer, dataset_prompt: str, max_steps: int = 40) -> dict:
 result = env.reset()
 observation = result.observation
 prompt_ids = []
 completion_ids = []
 logprobs = []
 reward_trace = []
 action_trace = []
 observation_trace = []
 for _ in range(max_steps):
 if result.done:
 break
 prompt = build_cybersecurity_owasp_prompt(observation, action_trace, observation_trace)
 rollout_output = generate_rollout_completions(trainer, [prompt])[0]
 action = parse_action_json(rollout_output["text"])
 result = env.step(action)
 observation = result.observation
 prompt_ids.extend(rollout_output["prompt_ids"])
 completion_ids.extend(rollout_output["completion_ids"])
 logprobs.extend(rollout_output["logprobs"])
 reward_trace.append(float(result.reward or 0.0))
 action_trace.append(action)
 observation_trace.append(observation)
 final_breakdown = getattr(observation, "reward_breakdown", {}) or {}
 return {
 "prompt_ids": prompt_ids,
 "completion_ids": completion_ids,
 "logprobs": logprobs,
 "reward_total": float(final_breakdown.get("total", sum(reward_trace))),
 "reward_discovery": float(final_breakdown.get("discovery", 0.0)),
 "reward_security": float(final_breakdown.get("security", 0.0)),
 "reward_regression": float(final_breakdown.get("regression", 0.0)),
 "reward_patch_quality": float(final_breakdown.get("patch_quality", 0.0)),
 "reward_anti_cheat": float(final_breakdown.get("anti_cheat", 0.0)),
 "success": bool(getattr(env.state(), "success", False)),
 "episode_length": len(action_trace),
 }
```
The prompt must require the model to output exactly one JSON action at a time.
Example action format:
```json
{"tool_name":"read_file","arguments":{"path":"app/routes/invoices.py"}}
```
---
## Reward functions for TRL
`training/reward_funcs.py` must expose separate reward functions for GRPO/PPO logging.
```python
def reward_total(completions, **kwargs):
 return [float(x) for x in kwargs.get("reward_total", [0.0] * len(completions))]
def reward_security(completions, **kwargs):
 return [float(x) for x in kwargs.get("reward_security", [0.0] * len(completions))]
def reward_regression(completions, **kwargs):
 return [float(x) for x in kwargs.get("reward_regression", [0.0] * len(completions))]
def reward_patch_quality(completions, **kwargs):
 return [float(x) for x in kwargs.get("reward_patch_quality", [0.0] * len(completions))]
def reward_anti_cheat(completions, **kwargs):
 return [float(x) for x in kwargs.get("reward_anti_cheat", [0.0] * len(completions))]
```
---
## GRPO training config
Use Trackio in `GRPOConfig`.
```python
import os
from trl import GRPOConfig
output_dir = os.getenv("OUTPUT_DIR", "CyberSecurity_OWASP-qwen3-1.7b-grpo")
trackio_space_id = os.getenv("TRACKIO_SPACE_ID", "Humanlearning/CyberSecurity_OWASP-trackio")
grpo_config = GRPOConfig(
 output_dir=output_dir,
 report_to="trackio",
 trackio_space_id=trackio_space_id,
 logging_steps=1,
 save_steps=25,
 learning_rate=5e-6,
 num_train_epochs=1,
 per_device_train_batch_size=1,
 gradient_accumulation_steps=32,
 num_generations=6,
 max_prompt_length=4096,
 max_completion_length=768,
 use_vllm=True,
 vllm_mode="colocate",
 vllm_gpu_memory_utilization=0.2,
 gradient_checkpointing=True,
 gradient_checkpointing_kwargs={"use_reentrant": False},
 push_to_hub=False,
)
```
Start with small debug runs before scaling.
---
## Trackio logging requirements
Trackio is mandatory for training and evaluation visibility.
Canonical Trackio Space:
```text
https://huggingface.co/spaces/Humanlearning/CyberSecurity_OWASP-trackio
```
Use `TRACKIO_SPACE_ID=Humanlearning/CyberSecurity_OWASP-trackio` for training,
evaluation, and smoke runs. This is separate from the OpenEnv HF Space
`Humanlearning/CyberSecurity_OWASP`; do not send Trackio runs to the
environment Space.
Run naming convention:
```text
CyberSecurity_OWASP-<model>-<algo>-level<difficulty>-<YYYYMMDD-HHMM>-<git_sha>
```
Log these training metrics:
```text
train/reward_total_mean
train/reward_discovery_mean
train/reward_security_mean
train/reward_regression_mean
train/reward_public_routes_mean
train/reward_patch_quality_mean
train/reward_visible_tests_mean
train/reward_safety_mean
train/reward_anti_cheat_mean
train/success_rate
train/exploit_block_rate
train/regression_preservation_rate
train/public_route_preservation_rate
train/invalid_action_rate
train/timeout_rate
train/safety_violation_rate
train/reward_hacking_suspected_rate
train/episode_length_mean
train/episode_length_p95
train/rollouts_per_second
train/tokens_per_second
train/loss
train/learning_rate
train/kl
train/grad_norm
```
Log these evaluation metrics:
```text
eval/baseline_success_rate
eval/trained_success_rate
eval/absolute_success_improvement
eval/baseline_mean_reward
eval/trained_mean_reward
eval/absolute_reward_improvement
eval/heldout_success_rate
eval/heldout_mean_reward
eval/exploit_block_rate
eval/regression_preservation_rate
eval/public_route_preservation_rate
eval/anti_cheat_pass_rate
eval/invalid_action_rate
eval/timeout_rate
eval/safety_violation_rate
eval/mean_episode_length
```
Log these environment metrics:
```text
env/reset_latency_ms
env/step_latency_ms
env/verifier_latency_ms
env/reward_latency_ms
env/scenario_compile_latency_ms
env/error_rate
env/task_difficulty
env/task_seed
```
---
## Rollout artifact requirements
Save sampled rollouts under `outputs/rollouts/`.
Each rollout JSON must include:
```json
{
 "run_name": "...",
 "episode_id": "...",
 "task_id": "...",
 "seed": 123,
 "split": "validation",
 "difficulty": 1,
 "domain": "invoices",
 "bug_family": "bola_idor",
 "actions": [],
 "observations": [],
 "reward_breakdown_by_step": [],
 "final_reward_breakdown": {},
 "total_reward": 0.0,
 "success": false,
 "failure_reason": null,
 "safety_violations": [],
 "anti_cheat_flags": []
}
```
Minimum artifacts:
- 10 baseline rollouts;
- 10 mid-training rollouts;
- 10 trained rollouts;
- 10 held-out evaluation rollouts.
---
## Evaluation requirements
Create `training/eval_before_after.py`.
It must evaluate:
| Metric | Required |
|---|---:|
| baseline success rate | yes |
| trained success rate | yes |
| absolute success improvement | yes |
| baseline mean reward | yes |
| trained mean reward | yes |
| absolute reward improvement | yes |
| held-out success rate | yes |
| exploit-block rate | yes |
| regression-preservation rate | yes |
| public-route preservation rate | yes |
| invalid action rate | yes |
| anti-cheat pass rate | yes |
Save output:
```text
outputs/evals/<run_name>_eval_summary.json
```
Minimum hackathon target:
```text
>= 50 evaluation episodes
>= 3 independently logged reward components
>= 1 held-out split
>= 1 baseline-vs-trained comparison
>= 1 anti-cheat evaluation
```
Preferred demo target:
```text
mean reward improvement >= 30%
hidden exploit-block pass rate >= 70%
regression-preservation pass rate >= 80%
public-route preservation pass rate >= 90%
anti-cheat pass rate >= 95%
```
---
## Testing requirements
Before training, all tests must pass.
Required tests:
```text
test_models.py
test_reset_step_state.py
test_rewards.py
test_anti_cheat.py
test_seed_reproducibility.py
test_invalid_actions.py
test_rollouts.py
```
Implement at least 3 scripted policies:
```text
random_policy: explores action space; should usually fail but not crash
bad_policy: tries invalid/cheating actions; should be penalized
oracle_policy: uses internal test-only access to solve; should get high reward
```
The oracle policy is only for tests and must never be exposed to the model during training.
---
## Deployment requirements
The environment must run in these modes:
1. local Python / Uvicorn;
2. Docker container;
3. Hugging Face Space;
4. OpenEnv client over WebSocket.
Required commands:
```bash
# initialize if not already scaffolded
openenv init CyberSecurity_OWASP
# local development
uv sync
uv run server
curl http://localhost:8000/health
# Docker
openenv build -t CyberSecurity_OWASP:latest
# or:
docker build -t CyberSecurity_OWASP:latest -f envs/CyberSecurity_OWASP/server/Dockerfile .
docker run -p 8000:8000 CyberSecurity_OWASP:latest
# HF Spaces
openenv push --repo-id <username>/CyberSecurity_OWASP
# client install from Space
pip install git+https://huggingface.co/spaces/<username>/CyberSecurity_OWASP
```
Use WebSocket mode for training rollouts. HTTP endpoints are acceptable for debugging only.
---
## Scaling rules
Before scaling training, confirm:
1. one manual episode works;
2. scripted oracle can solve easy seeds;
3. random policy does not crash;
4. 10 validation rollouts complete;
5. reward distributions make sense;
6. Trackio receives metrics;
7. rollout artifacts are saved.
Then scale gradually:
```text
1 episode -> 10 episodes -> 50 episodes -> 100+ rollouts -> training run
```
For high-volume rollouts, prefer local Docker or Uvicorn over remote HF Spaces because local WebSocket sessions reduce latency and avoid Space limits.
### Parallel Modal training runs
Parallel Modal GRPO runs are allowed only when they do not overwrite each
other's evidence, checkpoints, scenario assignments, or Hub outputs.
Before launching another run:
1. Check active Modal apps:
```bash
uv run --extra modal modal app list
```
2. If a `CyberSecurity_OWASP` app is active, inspect it before launching:
```bash
uv run --extra modal modal app logs <app-id>
```
3. Use Modal CLI-level detach and the launcher detach flag together, otherwise
the spawned GPU function may stop when the local entrypoint exits:
```bash
uv run --extra modal modal run --detach scripts/modal_train_grpo.py \
 --max-steps 300 \
 --dataset-size 64 \
 --num-generations 8 \
 --max-completion-length 768 \
 --difficulty 0 \
 --trace-log-every 10 \
 --seed-start 10000 \
 --detach
```
When running jobs in parallel:
- Give every run a distinct `--seed-start` range, spaced by at least 10,000
 seeds unless a smaller controlled comparison is intentional.
- Keep `CYBERSECURITY_OWASP_SCENARIO_CACHE_MODE=require`; do not compile
 scenarios in the training hot path.
- Do not run `prepare-cache --cache-force` while any training job is active.
 Scenario-cache writes can invalidate or race training resets.
- Leave `--push-to-hub` off for parallel experiments unless each run has a
 unique `--output-repo-id`.
- Keep run names unique. The launcher timestamp normally handles this; set an
 explicit `RUN_NAME` only when it is globally unique.
- Use different Trackio run names but the same Trackio Space so reward,
 throughput, GPU utilization, invalid-action rate, and success metrics remain
 comparable.
- Treat the shared Modal volumes as shared infrastructure: model cache and
 scenario cache should be read-only during parallel training; run/checkpoint
 outputs must live under each run's unique output directory.
- If the goal is a clean reward comparison, keep model, difficulty,
 `dataset-size`, `num-generations`, `max-completion-length`, and reward config
 fixed, changing only `seed-start` or the one hyperparameter being tested.
---
## README requirements
The README must explain:
- what CyberSecurity_OWASP models;
- why authorization repair is useful for LLM RL;
- action space;
- observation space;
- state fields;
- scenario generation;
- reward components;
- hidden tests;
- anti-overfitting safeguards;
- anti-cheat safeguards;
- curriculum;
- local/Docker/HF Spaces commands;
- training with TRL/Unsloth;
- before/after evaluation.
Include a demo narrative:
```text
1. Baseline model attempts a generated A01 authorization repair episode.
2. Verifier shows whether it discovered the bug and whether the patch regressed normal flows.
3. RL training improves reward and pass rates.
4. Trained model handles held-out domain/layout seeds.
5. Anti-cheat tests prove it is not using deny-all, hardcoding, or fixture tampering.
```
---
## Implementation workflow for Codex
When implementing this repo, follow this exact order:
1. Inspect existing structure and tests.
2. Create/update `00_PROJECT_BRIEF.md` and `01_ARCHITECTURE.md` if missing.
3. Define `CyberSecurityOWASPAction`, `CyberSecurityOWASPObservation`, and `CyberSecurityOWASPState`.
4. Implement a dummy OpenEnv server and client.
5. Implement scenario compiler with 1 domain and 1 BOLA/IDOR mutator.
6. Implement editable workspace generation.
7. Implement local request tool.
8. Implement visible tests.
9. Implement hidden verifier and reward engine.
10. Add anti-cheat checks.
11. Add tests for normal, failing, and cheating rollouts.
12. Add oracle, random, and bad scripted policies.
13. Add scenario cache and seeded splits.
14. Add 3 domains and 3 bug families.
15. Add GRPO training script.
16. Add Trackio logging.
17. Add before/after evaluation script.
18. Add HF Spaces deployment config.
19. Run tests and smoke tests.
20. Produce demo artifacts and README results.
Do not jump to training code before environment and verifier are correct.
---
## Definition of done
CyberSecurity_OWASP is done only when all are true:
- `reset()`, `step(action)`, and `state` work;
- actions, observations, and state are typed dataclasses;
- the environment runs locally;
- the environment runs in Docker;
- the environment is deployable to HF Spaces;
- there are at least 5 meaningful reward components;
- reward components are logged separately;
- hidden tests exist;
- anti-cheat tests exist and pass;
- scenario cache has train/validation/hidden-eval splits;
- at least 3 bug families exist;
- at least 3 domains exist;
- at least 3 scripted policies exist;
- Trackio is configured for training and evaluation;
- before/after evaluation exists;
- held-out evaluation exists;
- at least 40 rollout artifacts are saved;
- README explains environment, reward, training, and demo story;
- demo shows baseline behavior, trained behavior, reward improvement, and safeguards.
---
## Final PR checklist
Every PR summary must answer:
1. What real-world workflow does this implement?
2. What does the agent observe?
3. What actions can the agent take?
4. What hidden state exists and why is it hidden?
5. What terminates an episode?
6. What exact checks prove success?
7. What are the reward components and ranges?
8. How could the model hack the reward?
9. What anti-cheat checks prevent that?
10. What tests prove the reward cannot be trivially hacked?
11. What baseline success rate did we observe?
12. What trained success rate did we observe?
13. What held-out success rate did we observe?
14. What Trackio run contains the evidence?
15. Does behavior improve, or only the reward proxy?
16. Is the environment ready for HF Spaces deployment?
---
## Source grounding and credibility
| Source | Why used | Credibility |
|---|---|---:|
| OWASP Top 10 A01 Broken Access Control | Authorization bug taxonomy and prevention framing | 8.5/10 |
| OWASP ASVS | Access-control verification grounding | 9/10 |
| NIST SP 800-218 SSDF | Secure software development lifecycle grounding | 9.5/10 |
| Smith et al., ESEC/FSE 2015, “Is the Cure Worse Than the Disease?” | Peer-reviewed basis for hidden tests and repair-overfitting risk | 9/10 |
| OpenEnv build/deploy/training docs | Typed model, server, client, deployment, and training mechanics | 8/10 |
| Meta OpenEnv Hackathon criteria | Judging alignment and minimum requirements | 8/10 |
---
## Non-negotiable rule
A reward that can be hacked is worse than no reward. Build the verifier, hidden tests, anti-cheat tests, and held-out evaluation before scaling training.