change in reward system to strict it between the 0-1

graders/attacks.py

@@ -1,14 +1,10 @@
 """
-SecureCodeEnv - Attack Resistance Grader v3
-
-FIXED:
-- All check lambdas handle list OR tuple (JSON round-trip)
-- Path traversal check: blocks absolute paths + encoded paths, not just '..'
-- SQL check: verifies placeholder present AND payload not injected
-- Consistent scoring regardless of seed
+SecureCodeEnv - Attack Resistance Grader v4
+All scores clamped to (0.001, 0.999).
 """
 from sandbox.executor import safe_exec
 from sandbox.payload_gen import get_payloads
+from graders.clamp import clamp
 
 
 def _is_seq(v):
@@ -16,37 +12,25 @@ def _is_seq(v):
 
 
 def _sql_safe(result, payload):
-    """SQL query output is safe when: is 2-element seq, query has placeholder, raw payload not in query."""
     if not _is_seq(result) or len(result) < 2:
         return False
     query = str(result[0])
-    # Must use parameterized placeholder
     if not any(p in query for p in ("%s", "?", ":param", "%(", ":%")):
         return False
-    # The raw payload (stripped of whitespace) must NOT appear verbatim in the query
     payload_stripped = payload.strip().replace(" ", "").lower()
     query_lower = query.lower().replace(" ", "")
-    if payload_stripped in query_lower:
-        return False
-    return True
+    return payload_stripped not in query_lower
 
 
 def _path_safe(result, payload):
-    """
-    Path output is safe when resolved path stays inside /var/uploads.
-    Also catches: absolute paths (/etc/), encoded paths (%2e), null bytes.
-    """
     if result is None:
-        return True  # Rejected = safe
+        return True
     if not isinstance(result, str):
         return True
     r = result.lower()
-    # Must stay inside base
     if not result.startswith("/var/uploads"):
         return False
-    # Must not contain escape indicators
-    bad = ["/etc/", "/root/", "/proc/", "/var/log", "passwd", "shadow",
-           "%2e", "%2f", ".."]
+    bad = ["/etc/", "/root/", "/proc/", "passwd", "shadow", "%2e", "%2f", ".."]
     return not any(b in r for b in bad)
 
 
@@ -56,14 +40,14 @@ ATTACK_CONFIGS = {
         "fn_args_template": ["{payload}", "admin"],
         "attack_type": "injection",
         "check": _sql_safe,
-        "exception_is_pass": False,  # SQL builder shouldn't raise on injection input
+        "exception_is_pass": False,
     },
     "medium_file_path_handler": {
         "fn_name": "resolve_safe_path",
         "fn_args_template": ["/var/uploads", "{payload}"],
         "attack_type": "traversal",
         "check": _path_safe,
-        "exception_is_pass": True,  # Raising ValueError = correct
+        "exception_is_pass": True,
     },
     "hard_file_upload_handler": {
         "fn_name": "validate_upload",
@@ -97,18 +81,8 @@ ATTACK_CONFIGS = {
         "attack_type": "xss",
         "check": lambda result, payload: (
             isinstance(result, str) and
-            not any(b in result.lower() for b in
-                    ["<script", "onerror", "javascript:", "<img ", "<svg", "onload"])
-        ),
-        "exception_is_pass": False,
-    },
-    "easy_input_sanitizer_filename": {
-        "fn_name": "sanitize_filename",
-        "fn_args_template": ["{payload}"],
-        "attack_type": "traversal",
-        "check": lambda result, payload: (
-            isinstance(result, str) and
-            ".." not in result and "/" not in result and "\\" not in result
+            not any(b in result.lower()
+                    for b in ["<script", "onerror", "javascript:", "<img ", "<svg", "onload"])
         ),
         "exception_is_pass": False,
     },
@@ -117,56 +91,51 @@ ATTACK_CONFIGS = {
 
 def grade_attacks(code: str, task: dict, seed: int) -> dict:
     task_id = task.get("id", "")
-    config = ATTACK_CONFIGS.get(task_id)
+    config  = ATTACK_CONFIGS.get(task_id)
     if not config:
-        return {
-            "score": 1.0, "blocked": 0, "total": 0,
-            "attack_type": "none",
-            "feedback": "No attack grading defined for this task type",
-        }
+        return {"score": clamp(0.5), "blocked": 0, "total": 0,
+                "attack_type": "none",
+                "feedback": "No attack grading defined — neutral score"}
 
     payloads = get_payloads(config["attack_type"], seed=seed, count=8)
     if not payloads:
-        return {"score": 1.0, "blocked": 0, "total": 0,
-                "attack_type": config["attack_type"], "feedback": "No payloads generated"}
+        return {"score": clamp(0.5), "blocked": 0, "total": 0,
+                "attack_type": config["attack_type"],
+                "feedback": "No payloads generated — neutral score"}
 
-    blocked = 0
+    blocked           = 0
     exception_is_pass = config.get("exception_is_pass", True)
 
     for payload in payloads:
-        raw_args = config["fn_args_template"]
-        args = [a.replace("{payload}", payload) if isinstance(a, str) else a
-                for a in raw_args]
+        args   = [a.replace("{payload}", payload) if isinstance(a, str) else a
+                  for a in config["fn_args_template"]]
         result = safe_exec(code, args, function_name=config["fn_name"], timeout=3)
 
         if not result["ok"]:
             if exception_is_pass:
                 blocked += 1
         else:
-            output = result.get("output")
             try:
-                if config["check"](output, payload):
+                if config["check"](result.get("output"), payload):
                     blocked += 1
             except Exception:
                 pass
 
-    score = blocked / len(payloads)
+    raw = blocked / len(payloads)
     return {
-        "score": round(score, 4),
+        "score": clamp(raw),
         "blocked": blocked,
         "total": len(payloads),
         "attack_type": config["attack_type"],
-        "feedback": _feedback(score, config["attack_type"]),
+        "feedback": _feedback(raw, config["attack_type"]),
     }
 
 
 def _feedback(score: float, attack_type: str) -> str:
-    names = {
-        "injection": "SQL injection", "traversal": "path traversal",
-        "auth_bypass": "authentication bypass", "xss": "XSS",
-    }
+    names = {"injection": "SQL injection", "traversal": "path traversal",
+             "auth_bypass": "auth bypass", "xss": "XSS"}
     name = names.get(attack_type, attack_type)
     if score >= 0.875: return f"Excellent — {name} attacks blocked ({score:.0%})"
     elif score >= 0.625: return f"Good — most {name} attacks blocked ({score:.0%})"
-    elif score >= 0.375: return f"Partial — only {score:.0%} of {name} attacks blocked"
-    else: return f"Vulnerable — {score:.0%} of {name} attacks blocked — CRITICAL"
+    elif score >= 0.375: return f"Partial — {score:.0%} of {name} attacks blocked"
+    else:               return f"Vulnerable — {score:.0%} of {name} attacks blocked"

graders/clamp.py

@@ -0,0 +1,17 @@
+"""
+Shared epsilon-clamping utility.
+Validator requires scores strictly between 0 and 1: (0.001 … 0.999)
+"""
+EPSILON = 0.001
+SCORE_MIN = EPSILON        # 0.001
+SCORE_MAX = 1.0 - EPSILON  # 0.999
+
+def clamp(score: float) -> float:
+    """Clamp any score to (0.001, 0.999) — never exactly 0 or 1."""
+    try:
+        v = float(score)
+    except (TypeError, ValueError):
+        return 0.5  # safe default for bad inputs
+    if v != v:  # NaN guard
+        return 0.5
+    return max(SCORE_MIN, min(SCORE_MAX, v))

graders/consistency.py

@@ -1,46 +1,31 @@
-"""
-SecureCodeEnv - Consistency Grader v3
-FIXED: Step 0 no longer gives free 1.0 — rewards ESTABLISHING good practices
-"""
+"""SecureCodeEnv - Consistency Grader v4 — clamped scores"""
 from codegraph.graph import CodeGraph
 from codegraph.extractor import extract_metadata
+from graders.clamp import clamp
 
-
-# Minimum quality bar for first submission (establishing conventions)
 GOOD_PRACTICES = {
-    "uses_type_hints": ("Type hints present", 0.15),
-    "uses_docstrings":  ("Docstrings present", 0.15),
-    "uses_try_catch":   ("Error handling present", 0.10),
-    "no_print_stmts":   ("No debug print statements", 0.10),
-    "no_hardcoded_secrets": ("No hardcoded secrets detected", 0.10),
+    "uses_type_hints":       0.15,
+    "uses_docstrings":       0.15,
+    "uses_try_catch":        0.10,
+    "no_print_stmts":        0.10,
+    "no_hardcoded_secrets":  0.10,
 }
 
 
 def grade_consistency(code: str, filename: str, graph: CodeGraph, step: int) -> dict:
     new_meta = extract_metadata(code, filename, step)
-    conv = new_meta.conventions
+    conv     = new_meta.conventions
 
     if not graph.components:
-        # Step 0: score on how well the agent ESTABLISHES good practices
-        checks = {}
-        for key, (label, _) in GOOD_PRACTICES.items():
-            checks[key] = 1.0 if conv.get(key, False) else 0.0
-
-        score = sum(checks.values()) / max(len(checks), 1)
-        # Minimum 0.5 so this doesn't destroy reward on first step
-        score = max(0.5, score)
-
-        return {
-            "score": round(score, 4),
-            "checks": checks,
-            "feedback": _first_step_feedback(score, checks),
-        }
+        checks = {k: 1.0 if conv.get(k, False) else 0.0 for k in GOOD_PRACTICES}
+        raw    = sum(checks.values()) / max(len(checks), 1)
+        raw    = max(0.45, raw)   # floor so first step never crushes reward
+        return {"score": clamp(raw), "checks": checks,
+                "feedback": _first_feedback(raw, checks)}
 
-    # Step 1+: check consistency with established conventions
     established = graph.conventions
-    checks = {}
+    checks      = {}
 
-    # Naming convention
     naming = established.get("naming")
     if naming and naming != "mixed" and new_meta.functions:
         fns = new_meta.functions
@@ -51,53 +36,40 @@ def grade_consistency(code: str, filename: str, graph: CodeGraph, step: int) ->
                           and any(c.isupper() for c in f["name"]))
         checks["naming_convention"] = correct / len(fns)
 
-    # Error handling
     if established.get("error_handling") == "try_catch":
         checks["error_handling"] = 1.0 if conv.get("uses_try_catch") else 0.3
-
-    # Type hints
     if established.get("uses_type_hints"):
         checks["type_hints"] = 1.0 if conv.get("uses_type_hints") else 0.4
-
-    # Docstrings
     if established.get("uses_docstrings"):
         checks["docstrings"] = 1.0 if conv.get("uses_docstrings") else 0.5
 
-    # No print drift
     existing_no_print = all(c.conventions.get("no_print_stmts", True)
                             for c in graph.components.values())
     if existing_no_print:
         checks["no_print_drift"] = 1.0 if conv.get("no_print_stmts", True) else 0.3
 
-    # Component reuse
     reuse_opp = reuse_taken = 0
-    for comp_name in graph.components:
-        if comp_name.lower() in code.lower():
+    for name in graph.components:
+        if name.lower() in code.lower():
             reuse_opp += 1
-            if comp_name in code:
+            if name in code:
                 reuse_taken += 1
     if reuse_opp > 0:
         checks["component_reuse"] = reuse_taken / reuse_opp
 
-    score = sum(checks.values()) / max(len(checks), 1) if checks else 0.8
-    return {
-        "score": round(score, 4),
-        "checks": checks,
-        "feedback": _consistency_feedback(score, checks),
-    }
+    raw   = sum(checks.values()) / max(len(checks), 1) if checks else 0.7
+    return {"score": clamp(raw), "checks": checks,
+            "feedback": _feedback(raw, checks)}
 
 
-def _first_step_feedback(score: float, checks: dict) -> str:
+def _first_feedback(score, checks):
     missing = [k for k, v in checks.items() if v == 0.0]
     if not missing:
-        return f"Good conventions established (score: {score:.2f})"
-    return f"Missing good practices: {', '.join(missing)} — add type hints, docstrings, error handling"
+        return f"Good conventions established ({score:.2f})"
+    return f"Missing practices: {', '.join(missing)}"
 
 
-def _consistency_feedback(score: float, checks: dict) -> str:
-    if score >= 0.9:
-        return "Excellent consistency with existing codebase conventions"
+def _feedback(score, checks):
+    if score >= 0.85: return "Excellent consistency with codebase"
     failing = [k for k, v in checks.items() if isinstance(v, float) and v < 0.5]
-    if failing:
-        return f"Convention drift in: {', '.join(failing)}"
-    return f"Minor convention drift (score: {score:.2f})"
+    return f"Convention drift in: {', '.join(failing)}" if failing else f"Minor drift ({score:.2f})"

graders/correctness.py

@@ -1,56 +1,45 @@
 """
-SecureCodeEnv - Correctness Grader
-Runs each task's test cases against the agent's submitted code.
-Weight: 30% of total reward — the highest single weight.
+SecureCodeEnv - Correctness Grader v4
+Weight: 25% of total reward.
+All scores clamped to (0.001, 0.999).
 """
 from sandbox.executor import safe_exec
+from graders.clamp import clamp
+
 
 def _is_seq(v):
     return isinstance(v, (list, tuple))
 
 
 def grade_correctness(code: str, task: dict) -> dict:
-    """
-    Runs the task's test cases against the agent's code.
-
-    Returns:
-        {
-            "score": float 0.0-1.0,
-            "passed": int,
-            "total": int,
-            "details": list of per-test results
-        }
-    """
     test_cases = task.get("test_cases", [])
     if not test_cases:
-        return {"score": 1.0, "passed": 0, "total": 0, "details": [], "feedback": "No test cases defined"}
+        return {"score": clamp(0.5), "passed": 0, "total": 0,
+                "details": [], "feedback": "No test cases defined"}
 
     passed = 0
     details = []
-
     for tc in test_cases:
         result = _run_test_case(code, tc)
         if result["passed"]:
             passed += 1
         details.append(result)
 
-    score = passed / len(test_cases) if test_cases else 1.0
+    raw = passed / len(test_cases)
     return {
-        "score": round(score, 4),
+        "score": clamp(raw),
         "passed": passed,
         "total": len(test_cases),
         "details": details,
-        "feedback": _correctness_feedback(score, passed, len(test_cases)),
+        "feedback": _feedback(raw, passed, len(test_cases)),
     }
 
 
 def _run_test_case(code: str, tc: dict) -> dict:
-    """Execute a single test case and evaluate the result."""
     fn_name = tc.get("fn", "solution")
-    inputs = tc.get("input", [])
-    description = tc.get("description", "")
+    inputs  = tc.get("input", [])
+    desc    = tc.get("description", "")
 
-    # Handle class-based tasks
     if "fn_class" in tc:
         return _run_class_test(code, tc)
 
@@ -58,102 +47,92 @@ def _run_test_case(code: str, tc: dict) -> dict:
 
     if not exec_result["ok"]:
         expected_exc = tc.get("expected_exception")
-        error_str = exec_result.get("error", "")
-        exc_type = exec_result.get("type", "")  # executor returns type field
+        error_str    = exec_result.get("error", "")
+        exc_type     = exec_result.get("type", "")
         if expected_exc:
-            exc_raised = (
-                exc_type == expected_exc or
-                expected_exc.lower() in error_str.lower() or
-                expected_exc.lower() in exc_type.lower()
-            )
-            if exc_raised:
-                return {"passed": True, "description": description, "note": f"Expected {expected_exc} raised"}
-        return {"passed": False, "description": description, "error": error_str[:200]}
+            if (exc_type == expected_exc or
+                    expected_exc.lower() in error_str.lower() or
+                    expected_exc.lower() in exc_type.lower()):
+                return {"passed": True, "description": desc,
+                        "note": f"Expected {expected_exc} raised"}
+        return {"passed": False, "description": desc,
+                "error": error_str[:200]}
 
     output = exec_result.get("output")
 
-    # Not-None check
-    if "expected_not_none" in tc:
-        ok = output is not None
-        return {"passed": ok, "description": description}
-
-    # SQL injection safety check: payload must NOT appear in query, placeholder must exist
+    # SQL injection parameterization check
     if tc.get("sql_injection_check"):
         if not _is_seq(output) or len(output) < 2:
-            return {"passed": False, "description": description, "error": "Not a 2-element tuple"}
-        query = str(output[0])
+            return {"passed": False, "description": desc, "error": "Not a 2-element sequence"}
+        query       = str(output[0])
         payload_val = inputs[0] if inputs else ""
-        has_placeholder = any(p in query for p in ("%s", "?", ":param", "%(username"))
-        payload_not_in_query = str(payload_val).strip() not in query
-        ok = has_placeholder and payload_not_in_query
-        return {"passed": ok, "description": description,
-                "note": f"placeholder={has_placeholder} payload_safe={payload_not_in_query}"}
+        has_ph      = any(p in query for p in ("%s", "?", ":param", "%(username"))
+        safe        = str(payload_val).strip() not in query
+        return {"passed": has_ph and safe, "description": desc,
+                "note": f"placeholder={has_ph} payload_safe={safe}"}
+
+    # Not-None
+    if "expected_not_none" in tc:
+        return {"passed": output is not None, "description": desc}
 
-    # Standard equality check
+    # Equality
     if "expected" in tc:
-        expected = tc["expected"]
-        ok = output == expected
-        return {"passed": ok, "description": description, "got": output, "expected": expected}
+        return {"passed": output == tc["expected"], "description": desc,
+                "got": output, "expected": tc["expected"]}
 
-    # Type check (JSON serialization converts tuple→list, so treat them as equivalent)
+    # Type check (JSON converts tuple→list)
     if "expected_type" in tc:
-        type_name = tc["expected_type"]
-        actual_type = type(output).__name__
-        # tuple and list are equivalent after JSON round-trip
-        equivalent = {("tuple", "list"), ("list", "tuple")}
-        ok = actual_type == type_name or (actual_type, type_name) in equivalent or (type_name, actual_type) in equivalent
+        tname = tc["expected_type"]
+        atype = type(output).__name__
+        equiv = {("tuple","list"),("list","tuple")}
+        ok    = atype == tname or (atype, tname) in equiv or (tname, atype) in equiv
         if ok and "expected_len" in tc:
             ok = hasattr(output, "__len__") and len(output) == tc["expected_len"]
-        return {"passed": ok, "description": description, "got_type": actual_type}
+        return {"passed": ok, "description": desc, "got_type": atype}
 
-    # Contains check
+    # Contains
     if "expected_contains" in tc:
-        ok = tc["expected_contains"] in str(output)
-        return {"passed": ok, "description": description}
+        return {"passed": tc["expected_contains"] in str(output), "description": desc}
 
-    # Not-contains check
+    # Not-contains
     if "expected_not_contains" in tc:
         forbidden = tc["expected_not_contains"]
         if isinstance(forbidden, list):
             ok = not any(f in str(output) for f in forbidden)
         else:
             ok = forbidden not in str(output)
-        return {"passed": ok, "description": description, "got": str(output)[:100]}
+        return {"passed": ok, "description": desc, "got": str(output)[:100]}
 
-    # Min length check
+    # Min length
     if "expected_min_len" in tc:
-        ok = output is not None and len(str(output)) >= tc["expected_min_len"]
-        return {"passed": ok, "description": description}
+        return {"passed": output is not None and len(str(output)) >= tc["expected_min_len"],
+                "description": desc}
 
-    # Max length check
+    # Max length
     if "expected_max_len" in tc:
-        ok = output is not None and len(str(output)) <= tc["expected_max_len"]
-        return {"passed": ok, "description": description}
+        return {"passed": output is not None and len(str(output)) <= tc["expected_max_len"],
+                "description": desc}
 
-    # Ok-flag check (for validate_upload style returns)
+    # Ok-flag (dict with "ok" key)
     if "expected_ok" in tc:
-        ok = isinstance(output, dict) and output.get("ok") == tc["expected_ok"]
-        return {"passed": ok, "description": description}
+        return {"passed": isinstance(output, dict) and output.get("ok") == tc["expected_ok"],
+                "description": desc}
 
-    # No expected value defined — just check it didn't crash
-    return {"passed": True, "description": description, "note": "No assertion defined"}
+    return {"passed": True, "description": desc, "note": "No assertion"}
 
 
 def _run_class_test(code: str, tc: dict) -> dict:
-    """Run a test against a class-based task (e.g. RateLimiter)."""
     class_name = tc.get("fn_class", "Solution")
-    init_args = tc.get("init_args", [])
-    method = tc.get("method", "is_allowed")
-    inputs = tc.get("input", [])
-    description = tc.get("description", "")
+    init_args  = tc.get("init_args", [])
+    method     = tc.get("method", "is_allowed")
+    inputs     = tc.get("input", [])
+    desc       = tc.get("description", "")
 
-    harness_code = f"""
+    harness = f"""
 {code}
 
 def run_task(args):
-    init_args = args[0]
-    method = args[1]
-    inputs = args[2]
+    init_args = args[0]; method = args[1]; inputs = args[2]
     obj = {class_name}(*init_args)
     if method == "is_allowed_multi":
         result = None
@@ -161,34 +140,23 @@ def run_task(args):
             result = obj.is_allowed(inputs[0])
         return result
     if method == "independent_clients":
-        r1 = obj.is_allowed("client_a")
-        r2 = obj.is_allowed("client_b")
-        return r1 == r2 == True
-    fn = getattr(obj, method)
-    return fn(*inputs)
+        return obj.is_allowed("client_a") == obj.is_allowed("client_b") == True
+    return getattr(obj, method)(*inputs)
 """
-    test_input = [[init_args, method, inputs]]  # wrap in list so safe_exec unpacks correctly
-    result = safe_exec(harness_code, test_input, function_name="run_task", timeout=5)
-
+    result = safe_exec(harness, [[init_args, method, inputs]],
+                       function_name="run_task", timeout=5)
     if not result["ok"]:
-        return {"passed": False, "description": description, "error": result.get("error", "")[:200]}
-
+        return {"passed": False, "description": desc, "error": result.get("error","")[:200]}
     output = result.get("output")
     if "expected" in tc:
-        ok = output == tc["expected"]
-        return {"passed": ok, "description": description}
+        return {"passed": output == tc["expected"], "description": desc}
     if "expected_last" in tc:
-        ok = output == tc["expected_last"]
-        return {"passed": ok, "description": description}
-    return {"passed": True, "description": description}
-
-
-def _correctness_feedback(score: float, passed: int, total: int) -> str:
-    if score >= 0.9:
-        return f"Excellent — {passed}/{total} tests passed"
-    elif score >= 0.7:
-        return f"Good — {passed}/{total} tests passed. Minor edge cases missing"
-    elif score >= 0.5:
-        return f"Partial — {passed}/{total} tests passed. Fix failing cases"
-    else:
-        return f"Poor — {passed}/{total} tests passed. Core logic incorrect"
+        return {"passed": output == tc["expected_last"], "description": desc}
+    return {"passed": True, "description": desc}
+
+
+def _feedback(score: float, passed: int, total: int) -> str:
+    if score >= 0.9:  return f"Excellent — {passed}/{total} tests passed"
+    elif score >= 0.7: return f"Good — {passed}/{total} tests passed"
+    elif score >= 0.5: return f"Partial — {passed}/{total} tests passed"
+    else:              return f"Poor — {passed}/{total} tests passed"

graders/documentation.py

@@ -1,142 +1,76 @@
-"""
-SecureCodeEnv - Documentation & Code Structure Graders
-Documentation weight: 5% | Code Structure weight: 5%
-"""
+"""SecureCodeEnv - Documentation & Structure Graders v4 — clamped scores"""
 import ast
+from graders.clamp import clamp
 
 
 def grade_documentation(code: str) -> dict:
-    """
-    Grade docstring and type hint coverage.
-    Rewards: functions with docstrings, full type annotations, module docstring.
-
-    Returns:
-        {"score": float, "documented_fns": int, "total_fns": int, "feedback": str}
-    """
     try:
         tree = ast.parse(code)
     except SyntaxError:
-        return {"score": 0.0, "documented_fns": 0, "total_fns": 0, "feedback": "Syntax error — cannot parse"}
-
-    functions = [
-        n for n in ast.walk(tree)
-        if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))
-    ]
+        return {"score": clamp(0.0), "documented_fns": 0, "total_fns": 0,
+                "feedback": "Syntax error — cannot parse"}
 
+    functions = [n for n in ast.walk(tree)
+                 if isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef))]
     if not functions:
-        # No functions — check for module docstring
-        has_module_doc = bool(ast.get_docstring(tree))
-        return {
-            "score": 1.0 if has_module_doc else 0.7,
-            "documented_fns": 0,
-            "total_fns": 0,
-            "feedback": "No functions found — module-level code only",
-        }
+        has_mod_doc = bool(ast.get_docstring(tree))
+        return {"score": clamp(0.65 if has_mod_doc else 0.5),
+                "documented_fns": 0, "total_fns": 0,
+                "feedback": "No functions — module-level code only"}
 
-    documented = 0
-    typed = 0
     scores = []
-
+    documented = typed = 0
     for fn in functions:
-        fn_score = 0.0
-        has_doc = bool(ast.get_docstring(fn))
-        has_return_type = fn.returns is not None
-        has_param_types = any(a.annotation is not None for a in fn.args.args)
-        has_any_types = has_return_type or has_param_types
-
-        if has_doc:
-            documented += 1
-            fn_score += 0.5
-
-        if has_any_types:
-            typed += 1
-            fn_score += 0.5
-
-        scores.append(fn_score)
+        s  = 0.0
+        hd = bool(ast.get_docstring(fn))
+        hr = fn.returns is not None
+        hp = any(a.annotation is not None for a in fn.args.args)
+        if hd: documented += 1; s += 0.5
+        if hr or hp: typed += 1; s += 0.5
+        scores.append(s)
 
     total = len(functions)
-    score = sum(scores) / total if total > 0 else 1.0
-
-    return {
-        "score": round(score, 4),
-        "documented_fns": documented,
-        "typed_fns": typed,
-        "total_fns": total,
-        "feedback": _doc_feedback(score, documented, typed, total),
-    }
+    raw   = sum(scores) / total
+    return {"score": clamp(raw), "documented_fns": documented,
+            "typed_fns": typed, "total_fns": total,
+            "feedback": _doc_feedback(raw, documented, typed, total)}
 
 
 def grade_code_structure(code: str) -> dict:
-    """
-    Grade code structure quality:
-    - No bare print() statements
-    - Exception handling present where needed
-    - No bare except clauses
-    - No hardcoded magic strings
-    - Functions not excessively long (>50 lines)
-
-    Returns:
-        {"score": float, "checks": dict, "feedback": str}
-    """
     try:
         tree = ast.parse(code)
     except SyntaxError:
-        return {"score": 0.0, "checks": {}, "feedback": "Syntax error"}
+        return {"score": clamp(0.0), "checks": {}, "feedback": "Syntax error"}
 
-    checks: dict[str, bool] = {}
     lines = code.splitlines()
-
-    # Check 1: No bare print statements (use logging)
-    checks["no_bare_print"] = "print(" not in code
-
-    # Check 2: No bare except (catches all exceptions silently)
-    bare_except = False
-    for node in ast.walk(tree):
-        if isinstance(node, ast.ExceptHandler) and node.type is None:
-            bare_except = True
-            break
-    checks["no_bare_except"] = not bare_except
-
-    # Check 3: Functions are reasonably sized (<= 50 lines)
-    oversized = False
-    for node in ast.walk(tree):
-        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
-            fn_lines = (node.end_lineno or 0) - node.lineno
-            if fn_lines > 50:
-                oversized = True
-                break
-    checks["reasonable_fn_size"] = not oversized
-
-    # Check 4: No TODO/FIXME/HACK comments left in production code
-    has_todo = any(
-        "# TODO" in line.upper() or "# FIXME" in line.upper() or "# HACK" in line.upper()
-        for line in lines
-    )
-    checks["no_todo_comments"] = not has_todo
-
-    # Check 5: Handles None inputs (basic check)
-    checks["handles_none"] = "None" in code or "is not None" in code or "if not " in code
-
-    score = sum(1 for v in checks.values() if v) / max(len(checks), 1)
-
-    return {
-        "score": round(score, 4),
-        "checks": checks,
-        "feedback": _structure_feedback(score, checks),
-    }
-
-
-def _doc_feedback(score: float, documented: int, typed: int, total: int) -> str:
-    if score >= 0.9:
-        return f"Well documented — {documented}/{total} functions have docstrings, {typed}/{total} typed"
-    elif score >= 0.6:
-        return f"Partial documentation — {documented}/{total} docstrings, {typed}/{total} type hints"
-    else:
-        return f"Poor documentation — add docstrings and type hints to all {total} functions"
-
-
-def _structure_feedback(score: float, checks: dict) -> str:
-    if score >= 0.9:
-        return "Clean code structure"
+    checks = {}
+    checks["no_bare_print"]  = "print(" not in code
+    checks["no_bare_except"] = not any(
+        isinstance(n, ast.ExceptHandler) and n.type is None
+        for n in ast.walk(tree))
+    checks["reasonable_fn_size"] = not any(
+        isinstance(n, (ast.FunctionDef, ast.AsyncFunctionDef)) and
+        (n.end_lineno or 0) - n.lineno > 50
+        for n in ast.walk(tree))
+    checks["no_todo_comments"] = not any(
+        any(kw in line.upper() for kw in ["# TODO", "# FIXME", "# HACK"])
+        for line in lines)
+    checks["handles_none"] = any(
+        token in code for token in
+        ["None", "is not None", "if not ", "Optional", "is None"])
+
+    raw = sum(1 for v in checks.values() if v) / max(len(checks), 1)
+    return {"score": clamp(raw), "checks": checks,
+            "feedback": _struct_feedback(raw, checks)}
+
+
+def _doc_feedback(score, documented, typed, total):
+    if score >= 0.85: return f"Well documented — {documented}/{total} docstrings, {typed}/{total} typed"
+    elif score >= 0.55: return f"Partial — {documented}/{total} docstrings, {typed}/{total} type hints"
+    return f"Poor — add docstrings and type hints to all {total} functions"
+
+
+def _struct_feedback(score, checks):
+    if score >= 0.85: return "Clean code structure"
     failing = [k for k, v in checks.items() if not v]
     return f"Structure issues: {', '.join(failing)}"

graders/performance.py

@@ -1,63 +1,93 @@
 """
-SecureCodeEnv - Performance Grader v3
-FIXED: 0ms measurement now returns 0.6 (neutral) not 1.0
+SecureCodeEnv - Performance Grader v4
+
+FIXES:
+- Inverted baseline (naive faster than optimal) → return neutral 0.5
+- Unmeasurable (-1.0) → return neutral 0.5
+- Both timings identical → return neutral 0.5
+- Agent faster than optimal → clamp to max 0.999 (not >1.0)
+- All scores clamped to (0.001, 0.999)
 """
 import sys, tempfile, os, json, subprocess
+from graders.clamp import clamp
+
+NEUTRAL = 0.5  # returned when measurement is unreliable
 
 
 def grade_performance(code: str, task: dict) -> dict:
-    test_cases = task.get("test_cases", [])
-    naive_code = task.get("naive_code", "")
+    test_cases   = task.get("test_cases", [])
+    naive_code   = task.get("naive_code", "")
     optimal_code = task.get("optimal_code", "")
 
     if not test_cases or not naive_code or not optimal_code:
-        return {"score": 0.6, "time_score": 0.6, "memory_score": 0.6,
-                "feedback": "No baselines defined — neutral score applied"}
+        return {"score": clamp(NEUTRAL), "time_score": clamp(NEUTRAL),
+                "memory_score": clamp(NEUTRAL), "feedback": "No baselines — neutral score"}
 
     tc = next((t for t in test_cases
                if "fn" in t and "input" in t
                and "fn_class" not in t
                and "expected_exception" not in t), None)
     if not tc:
-        return {"score": 0.6, "time_score": 0.6, "memory_score": 0.6,
-                "feedback": "No suitable test case — neutral score applied"}
+        return {"score": clamp(NEUTRAL), "time_score": clamp(NEUTRAL),
+                "memory_score": clamp(NEUTRAL), "feedback": "No usable test case — neutral score"}
 
     fn_name = tc["fn"]
-    inputs = tc["input"]
+    inputs  = tc["input"]
 
     try:
-        agent_ms   = _measure_ms(code,        fn_name, inputs)
-        naive_ms   = _measure_ms(naive_code,  fn_name, inputs)
+        agent_ms   = _measure_ms(code,         fn_name, inputs)
+        naive_ms   = _measure_ms(naive_code,   fn_name, inputs)
         optimal_ms = _measure_ms(optimal_code, fn_name, inputs)
 
-        # FIXED: if measurements indistinguishable, return neutral 0.6
-        if abs(naive_ms - optimal_ms) < 0.001:
-            return {"score": 0.6, "time_score": 0.6, "memory_score": 0.6,
-                    "agent_ms": round(agent_ms, 3),
-                    "naive_ms": round(naive_ms, 3),
-                    "optimal_ms": round(optimal_ms, 3),
-                    "feedback": "Functions too fast to differentiate — neutral score"}
+        # Any unmeasurable result → neutral
+        if any(x < 0 for x in [agent_ms, naive_ms, optimal_ms]):
+            return _neutral(agent_ms, naive_ms, optimal_ms, "Unmeasurable timing")
+
+        # Indistinguishable → neutral
+        if abs(naive_ms - optimal_ms) < 0.05:
+            return _neutral(agent_ms, naive_ms, optimal_ms, "Timings indistinguishable")
+
+        # Inverted baseline (naive < optimal means naive is actually "better")
+        # This happens when optimal uses safer-but-slower code (e.g. Path.resolve vs os.path.join)
+        # In that case performance cannot be meaningfully scored → neutral
+        if naive_ms < optimal_ms:
+            return _neutral(agent_ms, naive_ms, optimal_ms,
+                            "Baseline inverted (naive faster than optimal) — neutral")
 
-        time_range = max(naive_ms - optimal_ms, 0.01)
-        raw = 1.0 - ((agent_ms - optimal_ms) / time_range)
-        time_score = max(0.0, min(1.0, raw))
-        combined = round((time_score * 0.7) + (time_score * 0.3), 4)
+        time_range = naive_ms - optimal_ms
+        raw        = 1.0 - ((agent_ms - optimal_ms) / time_range)
+        # raw > 1.0 when agent faster than optimal → clamp handles it
+        time_score = clamp(raw)
 
         return {
-            "score": combined,
-            "time_score": round(time_score, 4),
-            "memory_score": round(time_score, 4),
-            "agent_ms": round(agent_ms, 3),
-            "naive_ms": round(naive_ms, 3),
+            "score": time_score,
+            "time_score": time_score,
+            "memory_score": time_score,
+            "agent_ms":   round(agent_ms, 3),
+            "naive_ms":   round(naive_ms, 3),
             "optimal_ms": round(optimal_ms, 3),
-            "feedback": _feedback(combined),
+            "feedback": _feedback(time_score),
         }
     except Exception as e:
-        return {"score": 0.6, "time_score": 0.6, "memory_score": 0.6,
+        return {"score": clamp(NEUTRAL), "time_score": clamp(NEUTRAL),
+                "memory_score": clamp(NEUTRAL),
                 "feedback": f"Measurement error: {str(e)[:60]}"}
 
 
+def _neutral(agent_ms, naive_ms, optimal_ms, reason: str) -> dict:
+    return {
+        "score": clamp(NEUTRAL),
+        "time_score": clamp(NEUTRAL),
+        "memory_score": clamp(NEUTRAL),
+        "agent_ms":   round(agent_ms, 3) if agent_ms >= 0 else None,
+        "naive_ms":   round(naive_ms, 3) if naive_ms >= 0 else None,
+        "optimal_ms": round(optimal_ms, 3) if optimal_ms >= 0 else None,
+        "feedback": reason,
+    }
+
+
 def _measure_ms(code: str, fn_name: str, inputs: list, runs: int = 50) -> float:
+    """Returns ms or -1.0 if unmeasurable."""
     script = f"""
 import timeit, json, sys
 {code}
@@ -79,7 +109,7 @@ sys.stdout.flush()
             line = line.strip()
             if line.startswith("{"):
                 return json.loads(line)["ms"]
-        return -1.0  # Signal unmeasurable
+        return -1.0
     except Exception:
         return -1.0
     finally:
@@ -89,7 +119,7 @@ sys.stdout.flush()
 
 
 def _feedback(score: float) -> str:
-    if score >= 0.9:  return "Excellent — near-optimal efficiency"
-    elif score >= 0.7: return "Good — minor optimisation possible"
-    elif score >= 0.5: return "Acceptable — room for improvement"
-    else:              return "Poor — significant performance gap vs optimal"
+    if score >= 0.85: return "Excellent — near-optimal efficiency"
+    elif score >= 0.65: return "Good — minor optimisation possible"
+    elif score >= 0.45: return "Acceptable — room for improvement"
+    else:               return "Poor — significant performance gap"

graders/reward_aggregator.py

@@ -1,58 +1,52 @@
 """
-SecureCodeEnv - Reward Aggregator v3
-
-KEY CHANGES:
-1. SECURITY GATE: episode cannot be DONE unless attack_resist >= 0.75
-   AND static_security >= 0.70. Prevents insecure code from "winning".
-2. Weights rebalanced: static_security raised, performance lowered.
-3. DONE threshold raised to 0.92.
-4. Security floor penalty: if attack_resist < 0.5 OR static_security < 0.5,
-   total reward is capped at 0.65 (cannot fool the system with correctness alone).
+SecureCodeEnv - Reward Aggregator v4
+
+ALL scores are epsilon-clamped to (0.001 … 0.999).
+Security gate: episode done only when attack≥0.75, static≥0.70, correctness≥0.80.
+Security floor: if attack<0.5 OR static<0.5, total capped at 0.65.
+DONE threshold: 0.92 (after clamping).
 """
-from graders.correctness import grade_correctness
-from graders.attacks import grade_attacks
+from graders.correctness     import grade_correctness
+from graders.attacks         import grade_attacks
 from graders.static_analysis import grade_static_analysis
-from graders.performance import grade_performance
-from graders.consistency import grade_consistency
-from graders.documentation import grade_documentation, grade_code_structure
-from codegraph.extractor import extract_metadata
-from codegraph.graph import CodeGraph
+from graders.performance     import grade_performance
+from graders.consistency     import grade_consistency
+from graders.documentation   import grade_documentation, grade_code_structure
+from graders.clamp           import clamp
+from codegraph.extractor     import extract_metadata
+from codegraph.graph         import CodeGraph
 
-# REBALANCED weights — security dimensions raised
 WEIGHTS = {
-    "correctness":      0.25,   # was 0.30 — still most important
-    "attack_resist":    0.25,   # was 0.20 — raised: must resist real attacks
-    "static_security":  0.20,   # was 0.15 — raised: must pass static analysis
-    "consistency":      0.10,   # was 0.15 — reduced
-    "performance":      0.08,   # was 0.10 — reduced (too noisy)
-    "documentation":    0.07,   # was 0.05
-    "code_structure":   0.05,   # unchanged
+    "correctness":      0.25,
+    "attack_resist":    0.25,
+    "static_security":  0.20,
+    "consistency":      0.10,
+    "performance":      0.08,
+    "documentation":    0.07,
+    "code_structure":   0.05,
 }
 assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9
 
-# Security gate: these minimums must ALL be met for episode to be DONE
 SECURITY_GATE = {
-    "attack_resist":   0.75,  # Must block >= 75% of attacks
-    "static_security": 0.70,  # Must pass >= 70% of static checks
-    "correctness":     0.80,  # Must pass >= 80% of tests
+    "attack_resist":   0.75,
+    "static_security": 0.70,
+    "correctness":     0.80,
 }
-DONE_THRESHOLD = 0.92  # Raised from 0.90
-
-# Security floor: if security is critically low, cap total reward
+DONE_THRESHOLD      = 0.92
 SECURITY_FLOOR_DIMS = ["attack_resist", "static_security"]
-SECURITY_FLOOR_THRESHOLD = 0.50
-SECURITY_FLOOR_CAP = 0.65
+SECURITY_FLOOR_CAP  = 0.65   # unclamped; after clamping → ≤ 0.649
 
 
 def grade_submission(code, filename, task, graph, step, seed):
-    corr  = grade_correctness(code, task)
-    atk   = grade_attacks(code, task, seed)
-    stat  = grade_static_analysis(code, task)
-    perf  = grade_performance(code, task)
-    cons  = grade_consistency(code, filename, graph, step)
-    doc   = grade_documentation(code)
+    corr   = grade_correctness(code, task)
+    atk    = grade_attacks(code, task, seed)
+    stat   = grade_static_analysis(code, task)
+    perf   = grade_performance(code, task)
+    cons   = grade_consistency(code, filename, graph, step)
+    doc    = grade_documentation(code)
     struct = grade_code_structure(code)
 
+    # All individual dimension scores are already clamped by each grader.
     scores = {
         "correctness":     corr["score"],
         "attack_resist":   atk["score"],
@@ -63,21 +57,19 @@ def grade_submission(code, filename, task, graph, step, seed):
         "code_structure":  struct["score"],
     }
 
-    raw_reward = sum(scores[k] * WEIGHTS[k] for k in WEIGHTS)
+    # Weighted sum
+    raw = sum(scores[k] * WEIGHTS[k] for k in WEIGHTS)
 
-    # SECURITY FLOOR: insecure code is capped regardless of correctness
-    security_critical_fail = any(
-        scores[dim] < SECURITY_FLOOR_THRESHOLD
-        for dim in SECURITY_FLOOR_DIMS
-    )
-    if security_critical_fail:
-        raw_reward = min(raw_reward, SECURITY_FLOOR_CAP)
+    # Security floor
+    security_fail = any(scores[d] < 0.5 for d in SECURITY_FLOOR_DIMS)
+    if security_fail:
+        raw = min(raw, SECURITY_FLOOR_CAP)
 
-    total_reward = round(max(0.0, min(1.0, raw_reward)), 4)
+    # Final clamp — guarantees (0.001 … 0.999)
+    total_reward = clamp(raw)
 
-    # SECURITY GATE for done determination
-    gate_passed = all(scores[dim] >= threshold
-                      for dim, threshold in SECURITY_GATE.items())
+    # Security gate for done
+    gate_passed   = all(scores[d] >= thr for d, thr in SECURITY_GATE.items())
     done_eligible = total_reward >= DONE_THRESHOLD and gate_passed
 
     feedback = {
@@ -94,45 +86,43 @@ def grade_submission(code, filename, task, graph, step, seed):
 
     details = {
         "correctness": {"passed": corr.get("passed"), "total": corr.get("total")},
-        "attacks": {"blocked": atk.get("blocked"), "total": atk.get("total"),
-                    "type": atk.get("attack_type")},
-        "static": {"bandit_score": stat.get("bandit_score"),
-                   "hard_fail": stat.get("hard_fail", False),
-                   "issues": stat.get("issues", [])[:3]},
+        "attacks":     {"blocked": atk.get("blocked"), "total": atk.get("total"),
+                        "type": atk.get("attack_type")},
+        "static":      {"bandit_score": stat.get("bandit_score"),
+                        "hard_fail": stat.get("hard_fail", False),
+                        "issues": stat.get("issues", [])[:3]},
         "security_gate_passed": gate_passed,
-        "done_eligible": done_eligible,
+        "done_eligible":        done_eligible,
     }
 
     return {
-        "scores": scores,
-        "total_reward": total_reward,
+        "scores":        scores,
+        "total_reward":  total_reward,
         "done_eligible": done_eligible,
-        "feedback": feedback,
-        "details": details,
-        "agent_ms": perf.get("agent_ms"),
-        "naive_ms": perf.get("naive_ms"),
-        "optimal_ms": perf.get("optimal_ms"),
-        "new_metadata": extract_metadata(code, filename, step),
+        "feedback":      feedback,
+        "details":       details,
+        "agent_ms":      perf.get("agent_ms"),
+        "naive_ms":      perf.get("naive_ms"),
+        "optimal_ms":    perf.get("optimal_ms"),
+        "new_metadata":  extract_metadata(code, filename, step),
     }
 
 
-def _gate_status(scores: dict) -> str:
-    failing = [f"{dim} ({scores[dim]:.2f} < {thr})"
-               for dim, thr in SECURITY_GATE.items()
-               if scores[dim] < thr]
-    return f"BLOCKED — security gate not met: {', '.join(failing)}"
+def _gate_status(scores):
+    failing = [f"{d}({scores[d]:.2f}<{thr})"
+               for d, thr in SECURITY_GATE.items() if scores[d] < thr]
+    return f"BLOCKED — {', '.join(failing)}"
 
 
 def _summary(reward, scores, gate_passed):
     if reward >= DONE_THRESHOLD and gate_passed:
-        return f"✅ Excellent ({reward:.3f}) — production-ready, security gate passed"
+        return f"✅ Excellent ({reward:.3f}) — security gate passed"
     if not gate_passed:
-        gate_msg = _gate_status(scores)
-        return f"🔒 {gate_msg} (reward: {reward:.3f})"
+        return f"🔒 {_gate_status(scores)} (reward: {reward:.3f})"
     if reward >= 0.75:
         weakest = min(scores, key=scores.get)
         return f"🟡 Good ({reward:.3f}) — improve: {weakest} ({scores[weakest]:.2f})"
     if reward >= 0.55:
         weak = [k for k, v in scores.items() if v < 0.5]
         return f"🟠 Needs work ({reward:.3f}) — fix: {', '.join(weak[:3])}"
-    return f"🔴 Poor ({reward:.3f}) — major security/correctness failures"
+    return f"🔴 Poor ({reward:.3f}) — major failures"

graders/static_analysis.py

@@ -1,33 +1,28 @@
 """
-SecureCodeEnv - Static Analysis Grader v3
-
-FIXED:
-- HIGH severity issues now cap the score at 0.40 max (was just subtracting 0.30)
-- Task-specific security checks have hard caps when violated
-- bandit penalty curve is steeper
+SecureCodeEnv - Static Analysis Grader v4
+All scores clamped to (0.001, 0.999).
 """
-import subprocess, json, tempfile, os, ast, re
+import subprocess, json, tempfile, os, re
+from graders.clamp import clamp
 
 
 def grade_static_analysis(code: str, task: dict) -> dict:
     bandit = _run_bandit(code)
     custom = _run_custom_checks(code, task)
 
-    # If a HARD security requirement is violated, cap at 0.40 regardless of bandit
     if custom.get("hard_fail"):
-        final_score = min(bandit["score"] * 0.4, 0.40)
+        final = min(bandit["score"] * 0.4, 0.40)
     else:
-        final_score = (bandit["score"] * 0.60) + (custom["score"] * 0.40)
+        final = (bandit["score"] * 0.60) + (custom["score"] * 0.40)
 
     all_issues = bandit.get("issues", []) + custom.get("issues", [])
-
     return {
-        "score": round(max(0.0, min(1.0, final_score)), 4),
-        "bandit_score": bandit["score"],
-        "ast_score": custom["score"],
+        "score": clamp(final),
+        "bandit_score": clamp(bandit["score"]),
+        "ast_score": clamp(custom["score"]),
         "hard_fail": custom.get("hard_fail", False),
         "issues": all_issues[:10],
-        "feedback": _feedback(final_score, all_issues, custom.get("hard_fail", False)),
+        "feedback": _feedback(final, all_issues, custom.get("hard_fail", False)),
     }
 
 
@@ -37,182 +32,129 @@ def _run_bandit(code: str) -> dict:
         with tempfile.NamedTemporaryFile(mode="w", suffix=".py",
                                          delete=False, prefix="sce_ban_") as f:
             f.write(code); tmp = f.name
-
         res = subprocess.run(
             ["bandit", "-r", tmp, "-f", "json", "-q", "--exit-zero"],
-            capture_output=True, text=True, timeout=15
-        )
-        data = json.loads(res.stdout or '{"results":[]}')
+            capture_output=True, text=True, timeout=15)
+        data   = json.loads(res.stdout or '{"results":[]}')
         issues = data.get("results", [])
-
-        # Steeper penalty curve + cap at 3 HIGH issues = 0.0
-        penalty = 0.0
-        for i in issues:
-            sev = i.get("issue_severity", "LOW")
-            if sev == "HIGH":   penalty += 0.40
-            elif sev == "MEDIUM": penalty += 0.20
-            else:               penalty += 0.05
-
-        score = max(0.0, 1.0 - penalty)
+        penalty = sum(
+            0.40 if i.get("issue_severity") == "HIGH"
+            else 0.20 if i.get("issue_severity") == "MEDIUM"
+            else 0.05
+            for i in issues)
         return {
-            "score": round(score, 4),
+            "score": max(0.0, 1.0 - penalty),
             "issues": [{"severity": i.get("issue_severity"),
                         "text": i.get("issue_text", "")[:100],
                         "line": i.get("line_number")} for i in issues[:5]],
         }
     except FileNotFoundError:
-        return {"score": 1.0, "issues": [], "note": "bandit not installed"}
+        return {"score": 0.75, "issues": [], "note": "bandit not installed"}
     except Exception as e:
-        return {"score": 1.0, "issues": [], "note": str(e)[:40]}
+        return {"score": 0.75, "issues": [], "note": str(e)[:40]}
     finally:
         if tmp and os.path.exists(tmp):
             try: os.unlink(tmp)
             except OSError: pass
 
 
-# Security requirements per task — violation = hard_fail (cap at 0.40)
 HARD_REQUIREMENTS = {
     "easy_password_validator": [
-        {"type": "forbidden_any", "patterns": ["hashlib.md5", "hashlib.sha1", "hashlib.sha256",
-                                                "md5(", "sha1(", "sha256("],
-         "message": "Weak hash function used — must use bcrypt"},
-        {"type": "forbidden_any", "patterns": ["random.random(", "random.randint("],
-         "message": "Insecure randomness"},
+        {"type": "forbidden_any",
+         "patterns": ["hashlib.md5","hashlib.sha1","hashlib.sha256","md5(","sha1(","sha256("],
+         "message": "Weak hash — must use bcrypt"},
+        {"type": "required_any", "patterns": ["bcrypt"],
+         "message": "bcrypt not imported"},
     ],
     "easy_token_generator": [
-        {"type": "forbidden_any", "patterns": ["random.random(", "random.randint(",
-                                                "random.choice(", "random.seed("],
-         "message": "Weak PRNG used for token generation — must use secrets module"},
+        {"type": "forbidden_any",
+         "patterns": ["random.random(","random.randint(","random.choice(","random.seed("],
+         "message": "Weak PRNG — must use secrets"},
         {"type": "required_any", "patterns": ["secrets"],
          "message": "secrets module not imported"},
     ],
     "medium_sql_query_builder": [
-        {"type": "forbidden_pattern",
-         "regex": r'f["\'].*SELECT.*{',
-         "message": "f-string SQL query — SQL injection vulnerability"},
+        {"type": "forbidden_pattern", "regex": r'f["\'].*SELECT.*{',
+         "message": "f-string SQL — injection vulnerability"},
         {"type": "forbidden_pattern",
          "regex": r'["\']\s*\+\s*(username|role|user_input|query)',
-         "message": "String concatenation in SQL — SQL injection vulnerability"},
-        {"type": "forbidden_pattern",
-         "regex": r'%\s*\(',
-         "message": "% formatting in SQL — potential injection"},
+         "message": "String concat SQL — injection vulnerability"},
     ],
     "medium_file_path_handler": [
-        {"type": "forbidden_any",
-         "patterns": ['"..\" in', "'..' in", '".." in', "\"..\" in"],
-         "message": "String check for '..' is bypassable — use Path.resolve()"},
-        {"type": "required_any",
-         "patterns": ["resolve()", ".resolve", "realpath"],
-         "message": "Must use os.path.realpath or Path.resolve() to prevent traversal"},
+        {"type": "required_any", "patterns": ["resolve()","resolve(","realpath"],
+         "message": "Must use Path.resolve() or realpath"},
     ],
     "hard_jwt_validator": [
         {"type": "forbidden_any",
-         "patterns": ["verify_signature\": False", "verify_signature':False",
-                      "verify_exp\": False", "algorithms=[\"none\"", "algorithms=['none'"],
-         "message": "JWT verification disabled — security bypass"},
-        {"type": "required_any",
-         "patterns": ["algorithms="],
-         "message": "algorithms= not specified — alg:none attack possible"},
+         "patterns": ["verify_signature\": False","verify_signature':False",
+                      "verify_exp\": False","algorithms=[\"none\"","algorithms=['none'"],
+         "message": "JWT verification disabled"},
+        {"type": "required_any", "patterns": ["algorithms="],
+         "message": "algorithms= not specified"},
     ],
     "hard_auth_middleware": [
-        {"type": "required_any",
-         "patterns": ["hmac.compare_digest"],
-         "message": "hmac.compare_digest not used — timing attack possible"},
-        {"type": "forbidden_pattern",
-         "regex": r'==\s*(session_token|request_token|secret|token)',
-         "message": "== used for secret comparison — timing attack"},
+        {"type": "required_any", "patterns": ["hmac.compare_digest"],
+         "message": "hmac.compare_digest not used"},
     ],
     "easy_input_sanitizer": [
-        {"type": "forbidden_any",
-         "patterns": ["eval(", "exec("],
-         "message": "eval/exec used — remote code execution risk"},
+        {"type": "forbidden_any", "patterns": ["eval(","exec("],
+         "message": "eval/exec usage"},
     ],
     "hard_file_upload_handler": [
-        {"type": "required_any",
-         "patterns": ["uuid"],
-         "message": "uuid not used — filename collisions possible"},
-        {"type": "required_any",
-         "patterns": [".suffix", "splitext", "os.path.splitext"],
-         "message": "Extension not checked via proper method"},
+        {"type": "required_any", "patterns": ["uuid"],
+         "message": "uuid not used"},
     ],
 }
 
-# Soft checks (no hard cap) — applied to all tasks
 GENERIC_CHECKS = [
-    {"type": "forbidden_any", "patterns": ["eval(", "exec("],
+    {"type": "forbidden_any", "patterns": ["eval(","exec("],
      "message": "eval/exec usage", "severity": "HIGH"},
     {"type": "forbidden_any", "patterns": ["shell=True"],
-     "message": "shell=True enables command injection", "severity": "HIGH"},
-    {"type": "forbidden_any", "patterns": ["pickle.loads", "pickle.load"],
-     "message": "Unsafe pickle deserialization", "severity": "HIGH"},
-    {"type": "forbidden_any", "patterns": ["yaml.load("],
-     "message": "Unsafe yaml.load", "severity": "MEDIUM"},
-    {"type": "forbidden_any", "patterns": ["hashlib.md5", "hashlib.sha1"],
-     "message": "Weak hash function", "severity": "HIGH"},
+     "message": "shell=True", "severity": "HIGH"},
+    {"type": "forbidden_any", "patterns": ["pickle.loads","pickle.load"],
+     "message": "Unsafe pickle", "severity": "HIGH"},
+    {"type": "forbidden_any", "patterns": ["hashlib.md5","hashlib.sha1"],
+     "message": "Weak hash", "severity": "HIGH"},
 ]
 
 
 def _run_custom_checks(code: str, task: dict) -> dict:
-    issues = []
-    hard_fail = False
-    checks_passed = 0
-    total_checks = 0
+    issues = []; hard_fail = False; passed = total = 0
 
-    # Generic checks
     for chk in GENERIC_CHECKS:
-        total_checks += 1
-        found = _check_code(code, chk)
-        if found:
+        total += 1
+        if _violated(code, chk):
             issues.append({"check": chk["message"], "severity": chk.get("severity","MEDIUM"),
                            "message": chk["message"]})
         else:
-            checks_passed += 1
-
-    # Task-specific hard requirements
-    task_id = task.get("id", "")
-    for req in HARD_REQUIREMENTS.get(task_id, []):
-        total_checks += 1
-        violated = _check_requirement_violated(code, req)
-        if violated:
+            passed += 1
+
+    for req in HARD_REQUIREMENTS.get(task.get("id",""), []):
+        total += 1
+        if _violated(code, req):
             hard_fail = True
             issues.append({"check": req["message"], "severity": "CRITICAL",
                            "message": req["message"]})
         else:
-            checks_passed += 1
-
-    score = checks_passed / max(total_checks, 1)
-    return {"score": round(score, 4), "issues": issues, "hard_fail": hard_fail}
-
+            passed += 1
 
-def _check_code(code: str, chk: dict) -> bool:
-    """Returns True if the violation is found."""
-    t = chk.get("type", "")
-    if t == "forbidden_any":
-        return any(p in code for p in chk.get("patterns", []))
-    if t == "required_any":
-        return not any(p in code for p in chk.get("patterns", []))
-    if t == "forbidden_pattern":
-        return bool(re.search(chk.get("regex", "NOMATCH"), code, re.IGNORECASE))
-    return False
+    return {"score": passed / max(total, 1), "issues": issues, "hard_fail": hard_fail}
 
 
-def _check_requirement_violated(code: str, req: dict) -> bool:
-    """Returns True if requirement is violated (= bad)."""
+def _violated(code: str, req: dict) -> bool:
     t = req.get("type", "")
     if t == "forbidden_any":
         return any(p in code for p in req.get("patterns", []))
     if t == "required_any":
         return not any(p in code for p in req.get("patterns", []))
     if t == "forbidden_pattern":
-        return bool(re.search(req.get("regex", "NOMATCH"), code, re.IGNORECASE | re.DOTALL))
+        return bool(re.search(req.get("regex","NOMATCH"), code, re.IGNORECASE | re.DOTALL))
     return False
 
 
 def _feedback(score: float, issues: list, hard_fail: bool) -> str:
     if hard_fail:
-        critical = [i["message"] for i in issues if i.get("severity") == "CRITICAL"]
-        return f"CRITICAL security violation: {'; '.join(critical[:2])}"
+        return f"CRITICAL: {'; '.join(i['message'] for i in issues if i.get('severity')=='CRITICAL')[:120]}"
     if score >= 0.9: return "Clean — no significant security issues"
     high = sum(1 for i in issues if i.get("severity") == "HIGH")
-    if high > 0: return f"{high} HIGH severity issue(s) — must fix"
-    return f"Some security issues found (score: {score:.2f})"
+    return f"{high} HIGH severity issue(s)" if high else f"Some issues (score: {score:.2f})"

inference.py

@@ -13,92 +13,140 @@ from typing import Dict, List, Any
 
 # ── Configuration ──────────────────────────────────────────────────────────
 API_BASE_URL = os.environ.get("API_BASE_URL", "https://api.openai.com/v1")
-MODEL_NAME = os.environ.get("MODEL_NAME", "gpt-4o-mini")
-HF_TOKEN = os.environ.get("HF_TOKEN", "")
-ENV_URL = os.environ.get("ENV_URL", "http://localhost:7860").rstrip("/")
+MODEL_NAME   = os.environ.get("MODEL_NAME", "gpt-4o-mini")
+HF_TOKEN     = os.environ.get("HF_TOKEN", "")
+ENV_URL      = os.environ.get("ENV_URL", "http://localhost:7860").rstrip("/")
 
 client = OpenAI(base_url=API_BASE_URL, api_key=HF_TOKEN or "sk-placeholder")
 
+
 def clamp_score(score: float) -> float:
-    """
-    Ensures score is strictly between 0 and 1 (e.g., 0.001 to 0.999).
-    Required by validator range constraints.
-    """
+    """Ensures score is strictly between 0 and 1 (0.001 … 0.999)."""
     epsilon = 0.001
-    return max(epsilon, min(1.0 - epsilon, float(score)))
+    try:
+        v = float(score)
+    except (TypeError, ValueError):
+        return 0.5
+    if v != v:   # NaN
+        return 0.5
+    return max(epsilon, min(1.0 - epsilon, v))
+
 
 def clean_code(raw: str) -> str:
     """Removes markdown code fences safely."""
-    lines = [line for line in raw.splitlines() if not line.strip().startswith("```")]
+    lines = [line for line in raw.splitlines()
+             if not line.strip().startswith("```")]
     return "\n".join(lines).strip()
 
+
+SYSTEM_PROMPT = """You are a senior Python security engineer.
+Output ONLY raw Python code — no markdown, no explanations.
+Your code must:
+1. Solve the problem correctly
+2. Resist SQL injection, path traversal, and auth bypass attacks
+3. Use parameterized queries — never f-string SQL
+4. Use secrets module (not random) for tokens
+5. Use bcrypt (not hashlib) for passwords
+6. Use hmac.compare_digest for secret comparison
+7. Have type hints and docstrings on every function"""
+
+
 def run_episode(difficulty: str) -> None:
-    """Runs episode and prints clamped [START], [STEP], and [END] blocks."""
+    """Runs one episode and prints [START], [STEP], [END] blocks."""
     try:
-        r = requests.post(f"{ENV_URL}/reset", json={"difficulty": difficulty}, timeout=30)
+        r = requests.post(
+            f"{ENV_URL}/reset",
+            json={"difficulty": difficulty},
+            timeout=30,
+        )
         r.raise_for_status()
         data = r.json()
     except Exception as e:
         print(f"Failed to reset {difficulty}: {e}", file=sys.stderr)
         return
 
-    sid = data["session_id"]
-    tid = data["task_id"]
-
-    # [START] block
+    sid   = data["session_id"]
+    tid   = data["task_id"]
     print(f"[START] task={tid} difficulty={difficulty}", flush=True)
 
-    final_score = 0.0
+    final_score = clamp_score(0.0)   # starts at epsilon, not 0.0
     total_steps = 0
 
     for i in range(1, 6):
         total_steps = i
-        prompt = f"Task: {data['problem_statement']}\nContext: {json.dumps(data.get('codegraph', {}))}"
-        
+        context_str = json.dumps(data.get("codegraph", {}))[:2000]
+        prev_fb     = data.get("last_feedback", "")
+
+        user_msg = (
+            f"Task: {data['problem_statement']}\n\n"
+            f"Security targets: {data.get('cwe_targets', [])}\n\n"
+            f"Codebase context:\n{context_str}"
+        )
+        if prev_fb:
+            user_msg += f"\n\nPrevious feedback:\n{prev_fb}"
+        user_msg += "\n\nWrite the complete Python implementation now:"
+
         try:
             resp = client.chat.completions.create(
                 model=MODEL_NAME,
-                messages=[{"role": "user", "content": prompt}],
-                temperature=0.1
+                messages=[
+                    {"role": "system", "content": SYSTEM_PROMPT},
+                    {"role": "user",   "content": user_msg},
+                ],
+                max_tokens=1500,
+                temperature=0.1,
             )
             code = clean_code(resp.choices[0].message.content or "")
-            
+            if not code.strip():
+                code = "def placeholder(): pass"
+
             step_r = requests.post(
                 f"{ENV_URL}/step",
-                json={"session_id": sid, "code": code, "filename": f"step_{i}.py", "task_id": tid},
-                timeout=65
+                json={
+                    "session_id": sid,
+                    "code":       code,
+                    "filename":   f"step_{i}.py",
+                    "task_id":    tid,
+                },
+                timeout=65,
             )
             step_r.raise_for_status()
             res = step_r.json()
-            
-            raw_reward = res.get("total_reward", 0.0)
-            clamped_reward = clamp_score(raw_reward)
-            final_score = clamped_reward
-            
-            # [STEP] block with clamped reward
-            print(f"[STEP] step={i} reward={clamped_reward:.3f}", flush=True)
+
+            raw_reward    = res.get("total_reward", 0.0)
+            clamped       = clamp_score(raw_reward)
+            final_score   = clamped
+
+            print(f"[STEP] step={i} reward={clamped:.4f}", flush=True)
 
             if res.get("done"):
                 break
-            data["codegraph"] = res.get("codegraph", {})
-            
+
+            # Feed updated context back for next step
+            data["codegraph"]      = res.get("codegraph", {})
+            data["last_feedback"]  = res.get("feedback", {}).get("summary", "")
+
         except Exception as e:
             print(f"Error in step {i}: {e}", file=sys.stderr)
-            break
+            # Don't break — try remaining steps
+            time.sleep(1)
+
+    print(f"[END] task={tid} score={final_score:.4f} steps={total_steps}", flush=True)
 
-    # [END] block with clamped final score
-    print(f"[END] task={tid} score={final_score:.3f} steps={total_steps}", flush=True)
 
 def main():
+    # Health check
     try:
-        requests.get(f"{ENV_URL}/health", timeout=5).raise_for_status()
+        requests.get(f"{ENV_URL}/health", timeout=10).raise_for_status()
+        print(f"Environment healthy: {ENV_URL}", file=sys.stderr)
     except Exception as e:
         print(f"Health check failed: {e}", file=sys.stderr)
         sys.exit(1)
 
     for diff in ["easy", "medium", "hard"]:
         run_episode(diff)
-        time.sleep(1)
+        time.sleep(2)
+
 
 if __name__ == "__main__":
     main()