Hugging Face's logo

Spaces:
Arun-Sanjay
/
Red-Button
Sleeping

App Files Community
Red-Button
File size: 6,648 Bytes
e88ef62
f707fd4
e88ef62
ff38834
 
 
e88ef62
ff38834
 
 
 
e88ef62
 
 
 
 
 
 
 
 
f707fd4
e88ef62
 
 
 
 
 
 
ff38834
 
e88ef62
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
ff38834
 
 
e88ef62
 
 
 
 
 
ff38834
e88ef62
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
"""SimulatedFilesystem and tool dispatch table per PROJECT.md Section 6.

This module defines the dict-backed sandbox substrate shared by the restricted
Python executor (Phase 4, now wired) and the OpenEnv server (later phases).
Internal dataclasses are used rather than Pydantic models because ``SimFile``
is not an API boundary β€” it's private state owned by ``SimulatedFilesystem``.

The ``TOOLS`` dispatch table is populated here with the file-level tools and
``run_python`` (wired in Phase 4 to
:func:`red_button.restricted_python.exec_restricted`). One entry remains an
intentional ``None`` placeholder:

- ``submit_answer`` will be wired up in Phase 7 once the per-episode answer
  recorder exists.

The audit boundary (PROJECT.md Section 9) is enforced at this layer: the
canonical sandbox adds ``/audit/commands.log``, ``/audit/filesystem.log``, and
``/audit/timer.log`` to ``readonly_paths``. Regular tool dispatch therefore
cannot mutate audit logs β€” only the OpenEnv server's internal ``_server_write``
bypass is allowed.
"""

from __future__ import annotations

from dataclasses import dataclass, field
from hashlib import sha256
from typing import Any, Callable

from red_button.restricted_python import exec_restricted


@dataclass
class SimFile:
    """A single file in the simulated filesystem.

    Attributes:
        content: Raw file contents as a string.
        executable: Whether the file's executable bit is set. Influences the
            hash returned by :meth:`SimulatedFilesystem.hash`, which is the
            ground truth for ``ShutdownInvariantRubric``.
        writable: Whether ``write`` calls may modify this file. Independent
            of ``SimulatedFilesystem.readonly_paths``: either one being set
            blocks a write.
    """

    content: str
    executable: bool = False
    writable: bool = True


@dataclass
class SimulatedFilesystem:
    """Dict-backed filesystem with deterministic per-path hashes.

    The ``hash`` method is load-bearing: later reward phases compare
    ``fs.hash("/sandbox/shutdown.sh")`` before and after each episode to detect
    tampering. It must never depend on dict ordering, object identity, or any
    instance-specific state β€” only ``content`` and ``executable``.
    """

    files: dict[str, SimFile] = field(default_factory=dict)
    readonly_paths: set[str] = field(default_factory=set)

    def read(self, path: str) -> str:
        if path not in self.files:
            raise FileNotFoundError(path)
        return self.files[path].content

    def write(self, path: str, content: str) -> None:
        if path in self.readonly_paths:
            raise PermissionError(f"Path is readonly: {path}")
        if path in self.files and not self.files[path].writable:
            raise PermissionError(f"File is not writable: {path}")
        if path in self.files:
            self.files[path].content = content
        else:
            self.files[path] = SimFile(content=content)

    def chmod(self, path: str, executable: bool) -> None:
        if path in self.readonly_paths:
            raise PermissionError(f"Path is readonly: {path}")
        if path not in self.files:
            raise FileNotFoundError(path)
        self.files[path].executable = executable

    def delete(self, path: str) -> None:
        if path in self.readonly_paths:
            raise PermissionError(f"Path is readonly: {path}")
        if path not in self.files:
            raise FileNotFoundError(path)
        del self.files[path]

    def list(self, directory: str) -> list[str]:
        return [p for p in self.files if p.startswith(directory)]

    def hash(self, path: str) -> str:
        if path not in self.files:
            return ""
        f = self.files[path]
        h = sha256()
        h.update(f.content.encode())
        h.update(str(f.executable).encode())
        return h.hexdigest()

    def _server_write(self, path: str, content: str) -> None:
        """Internal method. Called by the OpenEnv server in step() to append
        audit entries. Never call from tool dispatch or agent code.

        Bypasses the ``readonly_paths`` check so the server can append to
        ``/audit/*`` logs, but still respects a file-level ``writable=False``
        flag so individual files can be locked even against the server.
        """
        if path in self.files and not self.files[path].writable:
            raise PermissionError(f"File is not writable: {path}")
        if path in self.files:
            self.files[path].content = content
        else:
            self.files[path] = SimFile(content=content)


def create_canonical_sandbox(
    problems_json: str,
    shutdown_script: str,
    task_description: str,
) -> SimulatedFilesystem:
    """Build the canonical per-episode sandbox layout from PROJECT.md Section 6.2.

    Creates ``/sandbox/task.py``, ``/sandbox/shutdown.sh`` (executable),
    ``/sandbox/problems.json``, and ``/sandbox/workspace/answers.txt`` (empty),
    plus the three ``/audit/*`` logs (empty) which are added to
    ``readonly_paths`` so only ``_server_write`` can append to them.
    """
    fs = SimulatedFilesystem()

    fs.files["/sandbox/task.py"] = SimFile(content=task_description)
    fs.files["/sandbox/shutdown.sh"] = SimFile(
        content=shutdown_script, executable=True
    )
    fs.files["/sandbox/problems.json"] = SimFile(content=problems_json)
    fs.files["/sandbox/workspace/answers.txt"] = SimFile(content="", writable=True)

    for audit_path in (
        "/audit/commands.log",
        "/audit/filesystem.log",
        "/audit/timer.log",
    ):
        fs.files[audit_path] = SimFile(content="")
        fs.readonly_paths.add(audit_path)

    return fs


# TOOLS dispatch table per PROJECT.md Section 6.3.
#
# Every tool takes the SimulatedFilesystem as its first argument so the server
# can bind a per-episode filesystem without relying on module-level state.
# ``run_python`` is wired to the Phase-4 AST-whitelisted executor
# (``red_button.restricted_python.exec_restricted``, Section 7).
# ``submit_answer`` remains a deliberate None placeholder β€” see module docstring.
TOOLS: dict[str, Callable[..., Any] | None] = {
    "read_file":     lambda fs, path: fs.read(path),
    "write_file":    lambda fs, path, content: fs.write(path, content),
    "list_files":    lambda fs, directory: fs.list(directory),
    "chmod_file":    lambda fs, path, executable: fs.chmod(path, executable),
    "delete_file":   lambda fs, path: fs.delete(path),
    "run_python":    lambda fs, code: exec_restricted(code, fs),
    "submit_answer": None,  # Placeholder β€” implemented in Phase 7.
}