Spaces:

Humanlearning
/

CyberSecurity_OWASP

Sleeping

App Files Files Community

Humanlearning commited on Apr 25

Commit

e3d939d

verified ·

1 Parent(s): 31637b2

Update CyberSecurity_OWASP environment

Browse files

Files changed (38) hide show

.agents/skills/openenv-cli/SKILL.md +18 -0
.agents/skills/trackio/SKILL.md +124 -0
.agents/skills/trackio/alerts.md +199 -0
.agents/skills/trackio/logging_metrics.md +206 -0
.agents/skills/trackio/retrieving_metrics.md +298 -0
.agents/skills/trackio/storage_schema.md +159 -0
.gitignore +9 -0
01_ARCHITECTURE.md +12 -1
Dockerfile +1 -0
README.md +41 -1
assets/architecture_diagram.mmd +51 -0
assets/architecture_diagram.svg +90 -0
assets/env_rl_training_flow_diagram.mmd +26 -0
assets/env_rl_training_flow_diagram.svg +92 -0
models.py +9 -0
pyproject.toml +1 -0
scenario_compiler.py +15 -40
scripts/modal_ephemeral_train.py +45 -5
scripts/modal_run_ephemeral.sh +6 -1
scripts/modal_train_grpo.py +267 -75
scripts/smoke_test.sh +1 -1
scripts/track_pytest.py +59 -0
server/Dockerfile +1 -0
server/action_tools.py +73 -0
server/adversarial_designer.py +59 -0
server/app.py +7 -0
server/app_sandbox.py +139 -0
server/authz_oracle.py +92 -0
server/curriculum.py +99 -0
server/episode_logger.py +66 -0
server/reward_engine.py +10 -31
server/scenario_factory.py +134 -0
server/verifier.py +81 -0
tests/test_web_interface.py +47 -0
training/eval_before_after.py +19 -1
training/trackio_utils.py +132 -1
training/train_grpo.py +10 -0
uv.lock +120 -0

.agents/skills/openenv-cli/SKILL.md ADDED Viewed

	@@ -0,0 +1,18 @@

+---
+name: openenv-cli
+description: "OpenEnv CLI (`openenv`) for scaffolding, validating, building, and pushing OpenEnv environments."
+---
+Install: `pip install openenv-core`
+The OpenEnv CLI command `openenv` is available.
+Use `openenv --help` to view available commands.
+Generated with `openenv-core v0.2.3`. Run `openenv skills add --force` to regenerate.
+## Tips
+- Start with `openenv init <env_name>` to scaffold a new environment
+- Validate projects with `openenv validate`
+- Build and deploy with `openenv build` and `openenv push`
+- Use `openenv <command> --help` for command-specific options

.agents/skills/trackio/SKILL.md ADDED Viewed

	@@ -0,0 +1,124 @@

+---
+name: hugging-face-trackio
+description: Track and visualize ML training experiments with Trackio. Use when logging metrics during training (Python API), firing alerts for training diagnostics, or retrieving/analyzing logged metrics (CLI). Supports real-time dashboard visualization, alerts with webhooks, HF Space syncing, and JSON output for automation.
+---
+# Trackio - Experiment Tracking for ML Training
+Trackio is an experiment tracking library for logging and visualizing ML training metrics. It syncs to Hugging Face Spaces for real-time monitoring dashboards.
+## Three Interfaces
+| Task | Interface | Reference |
+|------|-----------|-----------|
+| **Logging metrics** during training | Python API | [logging_metrics.md](logging_metrics.md) |
+| **Firing alerts** for training diagnostics | Python API | [alerts.md](alerts.md) |
+| **Retrieving metrics & alerts** after/during training | CLI | [retrieving_metrics.md](retrieving_metrics.md) |
+| **Inspecting storage schema and running direct SQL** | CLI | [storage_schema.md](storage_schema.md) |
+## When to Use Each
+### Python API → Logging
+Use `import trackio` in your training scripts to log metrics:
+- Initialize tracking with `trackio.init()`
+- Log metrics with `trackio.log()` or use TRL's `report_to="trackio"`
+- Finalize with `trackio.finish()`
+**Key concept**: For remote/cloud training, pass `space_id` — metrics sync to a Space dashboard so they persist after the instance terminates.
+→ See [logging_metrics.md](logging_metrics.md) for setup, TRL integration, and configuration options.
+### Python API → Alerts
+Insert `trackio.alert()` calls in training code to flag important events — like inserting print statements for debugging, but structured and queryable:
+- `trackio.alert(title="...", level=trackio.AlertLevel.WARN)` — fire an alert
+- Three severity levels: `INFO`, `WARN`, `ERROR`
+- Alerts are printed to terminal, stored in the database, shown in the dashboard, and optionally sent to webhooks (Slack/Discord)
+**Key concept for LLM agents**: Alerts are the primary mechanism for autonomous experiment iteration. An agent should insert alerts into training code for diagnostic conditions (loss spikes, NaN gradients, low accuracy, training stalls). Since alerts are printed to the terminal, an agent that is watching the training script's output will see them automatically. For background or detached runs, the agent can poll via CLI instead.
+→ See [alerts.md](alerts.md) for the full alerts API, webhook setup, and autonomous agent workflows.
+### CLI → Retrieving
+Use the `trackio` command to query logged metrics and alerts:
+- `trackio list projects/runs/metrics` — discover what's available
+- `trackio get project/run/metric` — retrieve summaries and values
+- `trackio query project --project <name> --sql "SELECT ..."` — run catch-all read-only SQL
+- `trackio list alerts --project <name> --json` — retrieve alerts
+- `trackio show` — launch the dashboard
+- `trackio sync` — sync to HF Space
+**Key concept**: Add `--json` for programmatic output suitable for automation and LLM agents.
+**Remote Spaces**: Add `--space <space_id_or_url>` to any `list`/`get`/`query` command to query a remote HF Space instead of local data. Use `--hf-token` for private Spaces.
+→ See [retrieving_metrics.md](retrieving_metrics.md) for all commands, workflows, and JSON output formats.
+→ See [storage_schema.md](storage_schema.md) for SQLite tables, parquet layout, and direct query examples.
+## Minimal Logging Setup
+```python
+import trackio
+trackio.init(project="my-project", space_id="username/trackio")
+trackio.log({"loss": 0.1, "accuracy": 0.9})
+trackio.log({"loss": 0.09, "accuracy": 0.91})
+trackio.finish()
+```
+### Minimal Retrieval
+```bash
+trackio list projects --json
+trackio get metric --project my-project --run my-run --metric loss --json
+trackio query project --project my-project --sql "SELECT name FROM sqlite_master WHERE type = 'table'" --json
+# Query a remote Space
+trackio list projects --space username/my-space --json
+```
+## Autonomous ML Experiment Workflow
+When running experiments autonomously as an LLM agent, the recommended workflow is:
+1. **Set up training with alerts** — insert `trackio.alert()` calls for diagnostic conditions
+2. **Launch training** — run the script in the background
+3. **Poll for alerts** — use `trackio list alerts --project <name> --json --since <timestamp>` to check for new alerts
+4. **Read metrics** — use `trackio get metric ...` to inspect specific values
+5. **Iterate** — based on alerts and metrics, stop the run, adjust hyperparameters, and launch a new run
+```python
+import trackio
+trackio.init(project="my-project", config={"lr": 1e-4})
+for step in range(num_steps):
+    loss = train_step()
+    trackio.log({"loss": loss, "step": step})
+    if step > 100 and loss > 5.0:
+        trackio.alert(
+            title="Loss divergence",
+            text=f"Loss {loss:.4f} still high after {step} steps",
+            level=trackio.AlertLevel.ERROR,
+        )
+    if step > 0 and abs(loss) < 1e-8:
+        trackio.alert(
+            title="Vanishing loss",
+            text="Loss near zero — possible gradient collapse",
+            level=trackio.AlertLevel.WARN,
+        )
+trackio.finish()
+```
+Then poll from a separate terminal/process:
+```bash
+trackio list alerts --project my-project --json --since "2025-01-01T00:00:00"
+```

.agents/skills/trackio/alerts.md ADDED Viewed

	@@ -0,0 +1,199 @@

+# Trackio Alerts
+Alerts let you flag important training events directly from code. They are the primary mechanism for LLM agents to diagnose runs and iterate autonomously on ML experiments.
+Alerts are printed to the terminal, stored in the database, displayed in the dashboard, and optionally sent to webhooks (Slack/Discord).
+<img width="2972" height="1694" alt="image" src="https://github.com/user-attachments/assets/02d938f8-51a9-4706-85c4-d95b7645bcf4" />
+## Core API
+### trackio.alert()
+```python
+trackio.alert(
+    title="Loss divergence",                    # Short title (required)
+    text="Loss 5.2 still high after 200 steps", # Detailed description (optional)
+    level=trackio.AlertLevel.WARN,               # INFO, WARN, or ERROR (default: WARN)
+    webhook_url="https://hooks.slack.com/...",   # Per-alert webhook override (optional)
+)
+```
+### Alert Levels
+| Level | Usage |
+|-------|-------|
+| `trackio.AlertLevel.INFO` | Informational milestones (checkpoints saved, eval completed) |
+| `trackio.AlertLevel.WARN` | Potential issues (loss plateau, low accuracy, high gradient norm) |
+| `trackio.AlertLevel.ERROR` | Critical failures (NaN loss, divergence, OOM) |
+### Webhook Support
+Set a global webhook URL via `trackio.init()` or the `TRACKIO_WEBHOOK_URL` environment variable. Alerts are auto-formatted for Slack and Discord URLs.
+```python
+trackio.init(
+    project="my-project",
+    webhook_url="https://hooks.slack.com/services/...",
+    webhook_min_level=trackio.AlertLevel.WARN,  # Only send WARN+ to webhook
+)
+```
+Per-alert override:
+```python
+trackio.alert(
+    title="Critical failure",
+    level=trackio.AlertLevel.ERROR,
+    webhook_url="https://hooks.slack.com/services/...",  # Overrides global URL
+)
+```
+Environment variables:
+- `TRACKIO_WEBHOOK_URL` — global webhook URL
+- `TRACKIO_WEBHOOK_MIN_LEVEL` — minimum level for webhook delivery (`info`, `warn`, `error`)
+## Retrieving Alerts (CLI)
+```bash
+# List all alerts for a project
+trackio list alerts --project my-project --json
+# Filter by run or level
+trackio list alerts --project my-project --run my-run --level error --json
+# Poll for new alerts since a timestamp (efficient for agents)
+trackio list alerts --project my-project --json --since "2025-06-01T12:00:00"
+```
+### JSON Output Structure
+```json
+{
+  "project": "my-project",
+  "run": null,
+  "level": null,
+  "since": "2025-06-01T12:00:00",
+  "alerts": [
+    {
+      "run": "run-name",
+      "title": "Loss divergence",
+      "text": "Loss 5.2 still high after 200 steps",
+      "level": "warn",
+      "step": 200,
+      "timestamp": "2025-06-01T12:05:30"
+    }
+  ]
+}
+```
+## Autonomous Agent Workflow
+The recommended pattern for an LLM agent running ML experiments:
+### 1. Insert Alerts Into Training Code
+Add diagnostic `trackio.alert()` calls for conditions the agent should react to:
+```python
+import trackio
+trackio.init(project="hyperparam-sweep", config={"lr": lr, "batch_size": bs})
+for step in range(num_steps):
+    loss = train_step()
+    trackio.log({"loss": loss, "step": step})
+    if step > 200 and loss > 5.0:
+        trackio.alert(
+            title="Loss divergence",
+            text=f"Loss {loss:.4f} still above 5.0 after {step} steps — learning rate may be too high",
+            level=trackio.AlertLevel.ERROR,
+        )
+    if step > 500 and loss_delta < 0.001:
+        trackio.alert(
+            title="Training stall",
+            text=f"Loss barely changed over last 100 steps (delta={loss_delta:.6f})",
+            level=trackio.AlertLevel.WARN,
+        )
+    if math.isnan(loss):
+        trackio.alert(
+            title="NaN loss",
+            text="Loss became NaN — training is broken",
+            level=trackio.AlertLevel.ERROR,
+        )
+        break
+trackio.finish()
+```
+### 2. Monitor Alerts
+Alerts are automatically printed to the terminal when fired. If the agent is watching the training script's output (e.g. running in the foreground or tailing logs), it will see alerts immediately — no polling needed.
+For background or detached runs, poll for alerts via CLI:
+```bash
+# Poll for alerts (run periodically)
+trackio list alerts --project hyperparam-sweep --json --since "2025-06-01T00:00:00"
+```
+### 3. Inspect Metrics Around the Alert
+When an alert fires, use `trackio get snapshot` to see all metrics at that point:
+```bash
+# Alert fired at step 200 — get all metrics in a ±5 step window
+trackio get snapshot --project hyperparam-sweep --run run-1 --around 200 --window 5 --json
+# Or inspect a single metric around the alert's timestamp
+trackio get metric --project hyperparam-sweep --run run-1 --metric loss --around 200 --window 10 --json
+```
+### 4. React and Iterate
+Based on alerts:
+- **ERROR alerts** → stop the run, adjust hyperparameters, relaunch
+- **WARN alerts** → inspect metrics with `trackio get snapshot ...`, decide whether to intervene
+- **INFO alerts** → note progress, continue monitoring
+### 5. Compare Across Runs
+```bash
+# Check metrics from previous runs
+trackio get run --project hyperparam-sweep --run run-1 --json
+trackio get metric --project hyperparam-sweep --run run-1 --metric loss --json
+# Launch new run with adjusted config
+python train.py --lr 5e-5
+```
+## Using Alerts with Transformers / TRL
+When using `report_to="trackio"`, you don't control the training loop directly. Use a `TrainerCallback` to fire alerts:
+```python
+from transformers import TrainerCallback
+class AlertCallback(TrainerCallback):
+    def on_log(self, args, state, control, logs=None, **kwargs):
+        if "trackio" not in args.report_to:
+            return
+        if logs and "loss" in logs:
+            if logs["loss"] > 5.0 and state.global_step > 100:
+                trackio.alert(
+                    title="High loss",
+                    text=f"Loss {logs['loss']:.4f} at step {state.global_step}",
+                    level=trackio.AlertLevel.ERROR,
+                )
+trainer = SFTTrainer(
+    model=model,
+    args=SFTConfig(output_dir="./out", report_to="trackio"),
+    callbacks=[AlertCallback()],
+    ...
+)
+```

.agents/skills/trackio/logging_metrics.md ADDED Viewed

	@@ -0,0 +1,206 @@

+# Logging Metrics with Trackio
+**Trackio** is a lightweight, free experiment tracking library from Hugging Face. It provides a wandb-compatible API for logging metrics with local-first design.
+- **GitHub**: [gradio-app/trackio](https://github.com/gradio-app/trackio)
+- **Docs**: [huggingface.co/docs/trackio](https://huggingface.co/docs/trackio/index)
+## Installation
+```bash
+pip install trackio
+# or
+uv pip install trackio
+```
+## Core API
+### Basic Usage
+```python
+import trackio
+# Initialize a run
+trackio.init(
+    project="my-project",
+    config={"learning_rate": 0.001, "epochs": 10}
+)
+# Log metrics during training
+for epoch in range(10):
+    loss = train_epoch()
+    trackio.log({"loss": loss, "epoch": epoch})
+# Finalize the run
+trackio.finish()
+```
+### Key Functions
+| Function | Purpose |
+|----------|---------|
+| `trackio.init(...)` | Start a new tracking run |
+| `trackio.log(dict)` | Log metrics (called repeatedly during training) |
+| `trackio.finish()` | Finalize run and ensure all metrics are saved |
+| `trackio.show()` | Launch the local dashboard |
+| `trackio.sync(...)` | Sync local project to HF Space |
+## trackio.init() Parameters
+```python
+trackio.init(
+    project="my-project",           # Project name (groups runs together)
+    name="run-name",                # Optional: name for this specific run
+    config={...},                   # Hyperparameters and config to log
+    space_id="username/trackio",    # Optional: sync to HF Space for remote dashboard
+    group="experiment-group",       # Optional: group related runs
+)
+```
+## Local vs Remote Dashboard
+### Local (Default)
+By default, trackio stores metrics in a local SQLite database and runs the dashboard locally:
+```python
+trackio.init(project="my-project")
+# ... training ...
+trackio.finish()
+# Launch local dashboard
+trackio.show()
+```
+Or from terminal:
+```bash
+trackio show --project my-project
+```
+### Remote (HF Space)
+Pass `space_id` to sync metrics to a Hugging Face Space for persistent, shareable dashboards:
+```python
+trackio.init(
+    project="my-project",
+    space_id="username/trackio"  # Auto-creates Space if it doesn't exist
+)
+```
+⚠️ **For remote training** (cloud GPUs, HF Jobs, etc.): Always use `space_id` since local storage is lost when the instance terminates.
+### Sync Local to Remote
+Sync existing local projects to a Space:
+```python
+trackio.sync(project="my-project", space_id="username/my-experiments")
+```
+## wandb Compatibility
+Trackio is API-compatible with wandb. Drop-in replacement:
+```python
+import trackio as wandb
+wandb.init(project="my-project")
+wandb.log({"loss": 0.5})
+wandb.finish()
+```
+## TRL Integration
+When using TRL trainers, set `report_to="trackio"` for automatic metric logging:
+```python
+from trl import SFTConfig, SFTTrainer
+import trackio
+trackio.init(
+    project="sft-training",
+    space_id="username/trackio",
+    config={"model": "Qwen/Qwen2.5-0.5B", "dataset": "trl-lib/Capybara"}
+)
+config = SFTConfig(
+    output_dir="./output",
+    report_to="trackio",  # Automatic metric logging
+    # ... other config
+)
+trainer = SFTTrainer(model=model, args=config, ...)
+trainer.train()
+trackio.finish()
+```
+## What Gets Logged
+With TRL/Transformers integration, trackio automatically captures:
+- Training loss
+- Learning rate
+- Eval metrics
+- Training throughput
+For manual logging, log any numeric metrics:
+```python
+trackio.log({
+    "train_loss": 0.5,
+    "train_accuracy": 0.85,
+    "val_loss": 0.4,
+    "val_accuracy": 0.88,
+    "epoch": 1
+})
+```
+## Grouping Runs
+Use `group` to organize related experiments in the dashboard sidebar:
+```python
+# Group by experiment type
+trackio.init(project="my-project", name="baseline-v1", group="baseline")
+trackio.init(project="my-project", name="augmented-v1", group="augmented")
+# Group by hyperparameter
+trackio.init(project="hyperparam-sweep", name="lr-0.001", group="lr_0.001")
+trackio.init(project="hyperparam-sweep", name="lr-0.01", group="lr_0.01")
+```
+## Configuration Best Practices
+Keep config minimal — only log what's useful for comparing runs:
+```python
+trackio.init(
+    project="qwen-sft-capybara",
+    name="baseline-lr2e5",
+    config={
+        "model": "Qwen/Qwen2.5-0.5B",
+        "dataset": "trl-lib/Capybara",
+        "learning_rate": 2e-5,
+        "num_epochs": 3,
+        "batch_size": 8,
+    }
+)
+```
+## Embedding Dashboards
+Embed Space dashboards in websites with query parameters:
+```html
+<iframe
+  src="https://username-trackio.hf.space/?project=my-project&metrics=train_loss,val_loss&sidebar=hidden"
+  style="width:1600px; height:500px; border:0;">
+</iframe>
+```
+Query parameters:
+- `project`: Filter to specific project
+- `metrics`: Comma-separated metric names to show
+- `sidebar`: `hidden` or `collapsed`
+- `smoothing`: 0-20 (smoothing slider value)
+- `xmin`, `xmax`: X-axis limits

.agents/skills/trackio/retrieving_metrics.md ADDED Viewed

	@@ -0,0 +1,298 @@

+# Retrieving Metrics with Trackio CLI
+The `trackio` CLI provides direct terminal access to query Trackio experiment tracking data without needing to start the MCP server. Commands work against local data by default, or against a remote HF Space when `--space` is provided.
+## Quick Command Reference
+| Task | Command |
+|------|---------|
+| List projects | `trackio list projects` |
+| List runs | `trackio list runs --project <name>` |
+| List metrics | `trackio list metrics --project <name> --run <name>` |
+| List system metrics | `trackio list system-metrics --project <name> --run <name>` |
+| List alerts | `trackio list alerts --project <name> [--run <name>] [--level <level>] [--since <timestamp>]` |
+| Get project summary | `trackio get project --project <name>` |
+| Get run summary | `trackio get run --project <name> --run <name>` |
+| Get metric values | `trackio get metric --project <name> --run <name> --metric <name>` |
+| Get metric at step | `trackio get metric ... --metric <name> --step <N>` |
+| Get metric around step | `trackio get metric ... --metric <name> --around <N> --window <W>` |
+| Get all metrics snapshot | `trackio get snapshot --project <name> --run <name> --step <N>` |
+| Get system metrics | `trackio get system-metric --project <name> --run <name>` |
+| Run direct SQL | `trackio query project --project <name> --sql "SELECT ..."` |
+| Query remote Space | `trackio list projects --space <space_id_or_url>` |
+| Show dashboard | `trackio show [--project <name>]` |
+| Sync to Space | `trackio sync --project <name> --space-id <space_id>` |
+## Core Commands
+### List Commands
+```bash
+trackio list projects                                    # List all projects
+trackio list projects --json                            # JSON output
+trackio list runs --project <name>                      # List runs in project
+trackio list runs --project <name> --json               # JSON output
+trackio list metrics --project <name> --run <name>      # List metrics for run
+trackio list metrics --project <name> --run <name> --json
+trackio list system-metrics --project <name> --run <name>  # List system metrics
+trackio list system-metrics --project <name> --run <name> --json
+trackio list alerts --project <name>                       # List alerts
+trackio list alerts --project <name> --run <name> --json   # Filter by run
+trackio list alerts --project <name> --level error --json  # Filter by level
+trackio list alerts --project <name> --json --since <ts>   # Poll since timestamp
+```
+### Get Commands
+```bash
+trackio get project --project <name>                    # Project summary
+trackio get project --project <name> --json             # JSON output
+trackio get run --project <name> --run <name>           # Run summary
+trackio get run --project <name> --run <name> --json
+trackio get metric --project <name> --run <name> --metric <name>  # Metric values
+trackio get metric --project <name> --run <name> --metric <name> --json
+trackio get metric ... --metric <name> --step 200                 # At exact step
+trackio get metric ... --metric <name> --around 200 --window 10   # ±10 steps
+trackio get metric ... --metric <name> --at-time <ts> --window 60 # ±60 seconds
+trackio get snapshot --project <name> --run <name> --step 200 --json       # All metrics at step
+trackio get snapshot --project <name> --run <name> --around 200 --window 5 --json  # Window
+trackio get snapshot --project <name> --run <name> --at-time <ts> --window 60 --json
+trackio get system-metric --project <name> --run <name>           # All system metrics
+trackio get system-metric --project <name> --run <name> --metric <name>  # Specific metric
+trackio get system-metric --project <name> --run <name> --json
+```
+### Query Command
+```bash
+trackio query project --project <name> --sql "SELECT name FROM sqlite_master WHERE type = 'table'"
+trackio query project --project <name> --sql "PRAGMA table_info(metrics)" --json
+trackio query project --project <name> --sql "SELECT run_name, MAX(step) AS last_step FROM metrics GROUP BY run_name"
+```
+### Remote Space Queries
+All `list`, `get`, and `query` commands support querying a remote HF Space with `--space`:
+```bash
+trackio list projects --space user/my-space              # Space ID
+trackio list projects --space https://user-my-space.hf.space  # Space URL
+trackio get metric --project <name> --run <name> --metric loss --space user/my-space
+trackio query project --project <name> --sql "SELECT COUNT(*) AS num_alerts FROM alerts" --space user/my-space
+trackio list projects --space user/private-space --hf-token hf_xxx  # Private Space
+```
+### Dashboard Commands
+```bash
+trackio show                                              # Launch dashboard
+trackio show --project <name>                           # Load specific project
+trackio show --theme <theme>                            # Custom theme
+trackio show --mcp-server                                # Enable MCP server
+trackio show --color-palette "#FF0000,#00FF00"         # Custom colors
+```
+### Sync Commands
+```bash
+trackio sync --project <name> --space-id <space_id>     # Sync to HF Space
+trackio sync --project <name> --space-id <space_id> --private  # Private space
+trackio sync --project <name> --space-id <space_id> --force   # Overwrite
+```
+## Output Formats
+All `list`, `get`, and `query` commands support two output formats:
+- **Human-readable** (default): Formatted text for terminal viewing
+- **JSON** (with `--json` flag): Structured JSON for programmatic use
+## Common Patterns
+### Discover Projects and Runs
+```bash
+# List all available projects
+trackio list projects
+# List runs in a project
+trackio list runs --project my-project
+# Get project overview
+trackio get project --project my-project --json
+```
+### Inspect Run Details
+```bash
+# Get run summary with all metrics
+trackio get run --project my-project --run my-run --json
+# List available metrics
+trackio list metrics --project my-project --run my-run
+# Get specific metric values
+trackio get metric --project my-project --run my-run --metric loss --json
+```
+### Query System Metrics
+```bash
+# List system metrics (GPU, etc.)
+trackio list system-metrics --project my-project --run my-run
+# Get all system metric data
+trackio get system-metric --project my-project --run my-run --json
+# Get specific system metric
+trackio get system-metric --project my-project --run my-run --metric gpu_utilization --json
+```
+### Automation Scripts
+```bash
+# Extract latest metric value
+LATEST_LOSS=$(trackio get metric --project my-project --run my-run --metric loss --json | jq -r '.values[-1].value')
+# Export run summary to file
+trackio get run --project my-project --run my-run --json > run_summary.json
+# Filter runs with jq
+trackio list runs --project my-project --json | jq '.runs[] | select(startswith("train"))'
+# Run a direct SQL aggregate
+trackio query project --project my-project --sql "SELECT run_name, MAX(step) AS last_step FROM metrics GROUP BY run_name" --json
+```
+### LLM Agent Workflow
+```bash
+# 1. Discover available projects
+trackio list projects --json
+# 2. Explore project structure
+trackio get project --project my-project --json
+# 3. Inspect specific run
+trackio get run --project my-project --run my-run --json
+# 4. Query metric values
+trackio get metric --project my-project --run my-run --metric accuracy --json
+# 5. Poll for alerts (use --since for efficient incremental polling)
+trackio list alerts --project my-project --json --since "2025-06-01T00:00:00"
+# 6. When an alert fires at step N, get all metrics around that point
+trackio get snapshot --project my-project --run my-run --around 200 --window 5 --json
+# 7. Fall back to direct SQL for one-off inspection
+trackio query project --project my-project --sql "SELECT timestamp, run_name, level, title FROM alerts ORDER BY timestamp DESC LIMIT 20" --json
+```
+## Error Handling
+Commands validate inputs and return clear errors:
+- Missing project: `Error: Project '<name>' not found.`
+- Missing run: `Error: Run '<name>' not found in project '<project>'.`
+- Missing metric: `Error: Metric '<name>' not found in run '<run>' of project '<project>'.`
+All errors exit with non-zero status code and write to stderr.
+## Key Options
+- `--project`: Project name (required for most commands)
+- `--run`: Run name (required for run-specific commands)
+- `--metric`: Metric name (required for metric-specific commands)
+- `--sql`: Read-only SQL query (for `trackio query`)
+- `--json`: Output in JSON format instead of human-readable
+- `--space`: HF Space ID (e.g. `user/space`) or Space URL to query remotely (for `list`/`get`/`query` commands)
+- `--hf-token`: HF token for accessing private Spaces (for `list`/`get`/`query` commands with `--space`)
+- `--step`: Exact step filter (for `get metric`, `get snapshot`)
+- `--around`: Center step for window filter (for `get metric`, `get snapshot`)
+- `--at-time`: Center ISO timestamp for window filter (for `get metric`, `get snapshot`)
+- `--window`: Window size: ±steps for `--around`, ±seconds for `--at-time` (default: 10)
+- `--level`: Alert level filter (`info`, `warn`, `error`) (for `list alerts`)
+- `--since`: ISO timestamp to filter alerts after (for `list alerts`)
+- `--theme`: Dashboard theme (for `show` command)
+- `--mcp-server`: Enable MCP server mode (for `show` command)
+- `--color-palette`: Comma-separated hex colors (for `show` command)
+- `--private`: Create private Space (for `sync` command)
+- `--force`: Overwrite existing database (for `sync` command)
+## JSON Output Structure
+### List Projects
+```json
+{"projects": ["project1", "project2"]}
+```
+### List Runs
+```json
+{"project": "my-project", "runs": ["run1", "run2"]}
+```
+### Project Summary
+```json
+{
+  "project": "my-project",
+  "num_runs": 3,
+  "runs": ["run1", "run2", "run3"],
+  "last_activity": 100
+}
+```
+### Run Summary
+```json
+{
+  "project": "my-project",
+  "run": "my-run",
+  "num_logs": 50,
+  "metrics": ["loss", "accuracy"],
+  "config": {"learning_rate": 0.001},
+  "last_step": 49
+}
+```
+### Metric Values
+```json
+{
+  "project": "my-project",
+  "run": "my-run",
+  "metric": "loss",
+  "values": [
+    {"step": 0, "timestamp": "2024-01-01T00:00:00", "value": 0.5},
+    {"step": 1, "timestamp": "2024-01-01T00:01:00", "value": 0.4}
+  ]
+}
+```
+### Query Result
+```json
+{
+  "project": "my-project",
+  "query": "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name",
+  "columns": ["name"],
+  "rows": [
+    {"name": "alerts"},
+    {"name": "configs"},
+    {"name": "metrics"}
+  ],
+  "row_count": 3
+}
+```
+## References
+- **Complete CLI documentation**: See [docs/source/cli_commands.md](docs/source/cli_commands.md)
+- **Storage schema and direct SQL**: See [storage_schema.md](storage_schema.md)
+- **API and MCP Server**: See [docs/source/api_mcp_server.md](docs/source/api_mcp_server.md)

.agents/skills/trackio/storage_schema.md ADDED Viewed

	@@ -0,0 +1,159 @@

+# Trackio Storage Schema and Direct SQL
+Use this reference when you need to inspect Trackio data directly instead of going through higher-level `trackio list` or `trackio get` commands.
+## Where Data Is Stored
+- Local project databases live in `TRACKIO_DIR`, which defaults to `~/.cache/huggingface/trackio`.
+- Each project is stored in its own SQLite file: `{project}.db`.
+- Media files live under `TRACKIO_DIR/media/`.
+- Parquet files are derived exports written from SQLite for syncing and static Spaces.
+## SQLite Tables
+Trackio defines its live schema in `trackio/sqlite_storage.py` inside `SQLiteStorage.init_db()`.
+### `metrics`
+- `id`: integer primary key
+- `timestamp`: ISO timestamp
+- `run_name`: run identifier
+- `step`: integer step
+- `metrics`: JSON text payload
+- `log_id`: optional deduplication key
+- `space_id`: optional pending-sync marker
+Indexes:
+- `(run_name, step)`
+- `(run_name, timestamp)`
+- unique partial index on `log_id`
+- partial index on `space_id`
+### `configs`
+- `id`: integer primary key
+- `run_name`: run identifier
+- `config`: JSON text payload
+- `created_at`: ISO timestamp
+Constraints:
+- unique `run_name`
+- index on `run_name`
+### `system_metrics`
+- `id`: integer primary key
+- `timestamp`: ISO timestamp
+- `run_name`: run identifier
+- `metrics`: JSON text payload
+- `log_id`: optional deduplication key
+- `space_id`: optional pending-sync marker
+Indexes:
+- `(run_name, timestamp)`
+- unique partial index on `log_id`
+- partial index on `space_id`
+### `project_metadata`
+- `key`: primary key
+- `value`: metadata value
+### `pending_uploads`
+- `id`
+- `space_id`
+- `run_name`
+- `step`
+- `file_path`
+- `relative_path`
+- `created_at`
+### `alerts`
+- `id`
+- `timestamp`
+- `run_name`
+- `title`
+- `text`
+- `level`
+- `step`
+- `alert_id`
+Indexes:
+- `run_name`
+- `timestamp`
+- unique partial index on `alert_id`
+## Parquet Layout
+Trackio flattens JSON blobs when exporting parquet:
+- `{project}.parquet` comes from `metrics`
+- `{project}_system.parquet` comes from `system_metrics`
+- `{project}_configs.parquet` comes from `configs`
+Static export layout:
+- `metrics.parquet`
+- `aux/system_metrics.parquet`
+- `aux/configs.parquet`
+- `runs.json`
+- `settings.json`
+The flattened parquet files keep structural columns such as `timestamp`, `run_name`, and `step`, then add one column per JSON key found in the source payload.
+## Direct SQL With The CLI
+Use `trackio query` for read-only SQL:
+```bash
+trackio query project --project my-project --sql "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name" --json
+trackio query project --project my-project --sql "PRAGMA table_info(metrics)"
+trackio query project --project my-project --sql "SELECT run_name, MAX(step) AS last_step FROM metrics GROUP BY run_name ORDER BY last_step DESC"
+```
+Remote query works too:
+```bash
+trackio query project --project my-project --sql "SELECT COUNT(*) AS num_alerts FROM alerts" --space username/my-space --json
+```
+`trackio query` accepts read-only `SELECT`, `WITH`, and safe schema `PRAGMA` queries.
+## Common Query Patterns
+Recent alerts:
+```bash
+trackio query project --project my-project --sql "SELECT timestamp, run_name, level, title, step FROM alerts ORDER BY timestamp DESC LIMIT 20"
+```
+Latest step per run:
+```bash
+trackio query project --project my-project --sql "SELECT run_name, MAX(step) AS last_step FROM metrics GROUP BY run_name ORDER BY last_step DESC"
+```
+Recent configs:
+```bash
+trackio query project --project my-project --sql "SELECT run_name, created_at, config FROM configs ORDER BY created_at DESC"
+```
+Schema inspection:
+```bash
+trackio query project --project my-project --sql "PRAGMA index_list(metrics)"
+```
+## Agent Guidance
+- Start with `trackio list projects --json` if you do not know the project name yet.
+- Use `trackio get` for common summaries and metric retrieval.
+- Fall back to `trackio query` when you need one-off aggregates, joins, or schema introspection.
+- Prefer `--json` when another agent or script needs to consume the result.

.gitignore ADDED Viewed

	@@ -0,0 +1,9 @@

+.env.local
+.env.*
+__pycache__/
+*.pyc
+.pytest_cache/
+outputs/
+codex_tmp_*/
+*.egg*

01_ARCHITECTURE.md CHANGED Viewed

@@ -14,6 +14,12 @@ The environment is intentionally not a two-agent red-team/blue-team setup. The a
 ## 2. Final architecture diagram
 ```mermaid
 flowchart TB
     %% =========================
@@ -363,6 +369,12 @@ Run before/after evaluation on the same held-out suite.
 ## 8. Training flow
 ```text
 1. Build CyberSecurity_OWASP OpenEnv server.
 2. Generate 600 MVP scenarios.
@@ -476,4 +488,3 @@ Expected endpoints:
 | OpenEnv deployment docs | Informs HF Spaces deployment, endpoints, Docker workflow, and installable client package. | 8.5/10 |
 | Hackathon judging criteria | Informs demo priorities: innovation, storytelling, reward improvement, and training pipeline. | 9/10 |
 | TRL/OpenEnv training example | Informs rollout function, decomposed reward functions, and Trackio logging pattern. | 8/10 |

 ## 2. Final architecture diagram
+Rendered asset:
+![CyberSecurity_OWASP architecture](assets/architecture_diagram.svg)
+Editable source: `assets/architecture_diagram.mmd`
 ```mermaid
 flowchart TB
     %% =========================
 ## 8. Training flow
+Rendered asset:
+![CyberSecurity_OWASP RL training flow](assets/env_rl_training_flow_diagram.svg)
+Editable source: `assets/env_rl_training_flow_diagram.mmd`
 ```text
 1. Build CyberSecurity_OWASP OpenEnv server.
 2. Generate 600 MVP scenarios.
 | OpenEnv deployment docs | Informs HF Spaces deployment, endpoints, Docker workflow, and installable client package. | 8.5/10 |
 | Hackathon judging criteria | Informs demo priorities: innovation, storytelling, reward improvement, and training pipeline. | 9/10 |
 | TRL/OpenEnv training example | Informs rollout function, decomposed reward functions, and Trackio logging pattern. | 8/10 |

Dockerfile CHANGED Viewed

@@ -21,6 +21,7 @@ WORKDIR /app/env
 COPY --from=builder /app/env /app/env
 ENV PATH="/app/env/.venv/bin:$PATH"
 ENV PYTHONPATH="/app/env:$PYTHONPATH"
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
     CMD curl -f http://localhost:8000/health || exit 1

 COPY --from=builder /app/env /app/env
 ENV PATH="/app/env/.venv/bin:$PATH"
 ENV PYTHONPATH="/app/env:$PYTHONPATH"
+ENV ENABLE_WEB_INTERFACE=true
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
     CMD curl -f http://localhost:8000/health || exit 1

README.md CHANGED Viewed

@@ -23,6 +23,14 @@ inspect generated app + policy -> discover authorization bug -> submit finding -
 The current implementation includes a functional MVP scenario: an invoices FastAPI-style app with one injected OWASP A01 BOLA/IDOR defect, visible tests, hidden deterministic verifier checks, anti-cheat safeguards, and decomposed reward.
 ## Quick Start
 ```bash
@@ -125,6 +133,24 @@ Training files are under `training/`:
 The training scaffold is intentionally minimal until the environment/verifier behavior is stable. Trackio metric names and GRPO defaults follow the project brief.
 ## Modal Ephemeral Runs
 Modal Labs support is kept in a separate launcher script so the local OpenEnv server and core training scaffold stay unchanged.
@@ -141,7 +167,7 @@ Run a temporary Modal app for a cheap environment/training smoke check:
 uv run --extra modal modal run scripts/modal_ephemeral_train.py --mode smoke --episodes 4
 ```
-The app is ephemeral: Modal starts it for the command and stops it when the command exits. The remote result is written locally under `outputs/rollouts/`.
 You can also validate the GRPO config construction remotely:
@@ -179,6 +205,20 @@ uv run --extra modal modal run scripts/modal_train_grpo.py \
   --difficulty 0
 ```
 Defaults are derived from `HF_TOKEN`:
 - Trackio Space: `<hf-user>/CyberSecurity_OWASP-trackio`

 The current implementation includes a functional MVP scenario: an invoices FastAPI-style app with one injected OWASP A01 BOLA/IDOR defect, visible tests, hidden deterministic verifier checks, anti-cheat safeguards, and decomposed reward.
+## Diagrams
+![CyberSecurity_OWASP architecture](assets/architecture_diagram.svg)
+![CyberSecurity_OWASP RL training flow](assets/env_rl_training_flow_diagram.svg)
+Editable Mermaid sources are available in `assets/architecture_diagram.mmd` and `assets/env_rl_training_flow_diagram.mmd`.
 ## Quick Start
 ```bash
 The training scaffold is intentionally minimal until the environment/verifier behavior is stable. Trackio metric names and GRPO defaults follow the project brief.
+## Trackio Run Tracking
+Trackio is the default tracker for official runs. Set `TRACKIO_SPACE_ID` to log to a hosted Hugging Face Trackio Space; otherwise Trackio records locally.
+```bash
+export TRACKIO_SPACE_ID=<hf-user>/CyberSecurity_OWASP-trackio
+export TRACKIO_PROJECT=CyberSecurity_OWASP-grpo
+```
+Use the tracked smoke wrapper instead of invoking pytest directly when producing run artifacts:
+```bash
+bash scripts/smoke_test.sh
+uv run python scripts/track_pytest.py tests
+```
+Evaluation summaries saved through `training.eval_before_after.save_eval_summary(...)`, Modal smoke runs, and GRPO training configs all initialize Trackio runs with CyberSecurity_OWASP run names.
 ## Modal Ephemeral Runs
 Modal Labs support is kept in a separate launcher script so the local OpenEnv server and core training scaffold stay unchanged.
 uv run --extra modal modal run scripts/modal_ephemeral_train.py --mode smoke --episodes 4
 ```
+The app is ephemeral: Modal starts it for the command and stops it when the command exits. The remote result is written locally under `outputs/rollouts/` and the summary metrics are logged to Trackio.
 You can also validate the GRPO config construction remotely:
   --difficulty 0
 ```
+If running from a public repository and you do not want Modal to package the
+local workspace, use public source mode:
+```bash
+uv run --extra modal modal run scripts/modal_train_grpo.py \
+  --source-mode public \
+  --repo-url https://github.com/humandotlearning/CyberSecurity_OWASP.git \
+  --repo-branch master \
+  --max-steps 10 \
+  --dataset-size 16 \
+  --num-generations 2 \
+  --difficulty 0
+```
 Defaults are derived from `HF_TOKEN`:
 - Trackio Space: `<hf-user>/CyberSecurity_OWASP-trackio`

assets/architecture_diagram.mmd ADDED Viewed

	@@ -0,0 +1,51 @@

+flowchart LR
+    subgraph Factory["Scenario Factory"]
+        Policy["Policy graph\nusers, roles, tenants, ownership"]
+        Templates["FastAPI template renderer\nroutes, services, auth helpers"]
+        Mutator["A01 bug mutator\none injected authorization defect"]
+        Fixtures["Fixture generator\nvisible tests + hidden facts"]
+        Compiler["Scenario compiler\nseeded workspace"]
+        Policy --> Compiler
+        Templates --> Compiler
+        Mutator --> Compiler
+        Fixtures --> Compiler
+    end
+    subgraph Runtime["CyberSecurity_OWASP OpenEnv Runtime"]
+        Reset["reset(seed)\ncompile fresh scenario"]
+        Env["Environment state\nphase, history, metrics, hidden facts"]
+        Tools["Typed step(action) tools\ninspect, read, request, patch, test, submit"]
+        Sandbox["Generated local app workspace\neditable app files only"]
+        Verifier["Deterministic verifier\nsecurity + regression + public routes"]
+        Reward["Reward engine\nstable component breakdown"]
+        App["FastAPI OpenEnv server\n/ws, /reset, /step, /state"]
+        Reset --> Env
+        Env --> Tools
+        Tools <--> Sandbox
+        Tools --> Verifier
+        Verifier --> Reward
+        Reward --> Env
+        Env --> App
+    end
+    subgraph Agent["Single LLM Agent"]
+        Obs["Observation parser"]
+        Reason["Policy and code reasoning"]
+        Act["One JSON action"]
+        Obs --> Reason --> Act
+    end
+    subgraph Ops["Training, Evaluation, Demo"]
+        Rollout["Rollout loop\nreset -> step* -> terminal reward"]
+        GRPO["TRL GRPO / LoRA training"]
+        Trackio["Trackio metrics\nreward and pass rates"]
+        Eval["Held-out evaluation\nunseen seeds/layouts/domains"]
+        Artifacts["Rollout artifacts\nbefore/after traces"]
+        Rollout --> GRPO --> Trackio --> Eval --> Artifacts
+    end
+    Compiler --> Reset
+    App --> Obs
+    Act --> App
+    Reward --> Rollout
+    GRPO --> Agent

assets/architecture_diagram.svg ADDED Viewed

assets/env_rl_training_flow_diagram.mmd ADDED Viewed

	@@ -0,0 +1,26 @@

+flowchart TD
+    Start["Start run\nselect base model + config"] --> Cache["Prepare scenario splits\ntrain, validation, hidden_eval"]
+    Cache --> Baseline["Baseline evaluation\nscripted/model rollouts"]
+    Baseline --> TrainLoop["GRPO training loop"]
+    subgraph Episode["One OpenEnv Episode"]
+        Reset["env.reset(seed)\nnew generated app + policy"] --> Observe["Observation\nphase, hints, available tools"]
+        Observe --> Prompt["Build action prompt\nJSON action only"]
+        Prompt --> Generate["LLM generates action"]
+        Generate --> Step["env.step(action)\nphase gate + execute tool"]
+        Step --> Intermediate{"done?"}
+        Intermediate -- "no" --> Observe
+        Intermediate -- "yes" --> Final["Terminal verifier\nhidden security + regression + anti-cheat"]
+    end
+    TrainLoop --> Reset
+    Final --> Rewards["Reward components\ndiscovery, security, regression, public_routes,\npatch_quality, visible_tests, safety, anti_cheat"]
+    Rewards --> Update["GRPO update\nLoRA adapter checkpoint"]
+    Update --> Metrics["Trackio logging\nreward means, pass rates, invalid actions, latency"]
+    Metrics --> Validate{"Validation plateau\nor failure cluster?"}
+    Validate -- "continue" --> TrainLoop
+    Validate -- "adjust curriculum" --> Curriculum["Curriculum controller\nrebalance difficulty and traps"]
+    Curriculum --> TrainLoop
+    Validate -- "final checkpoint" --> Heldout["Held-out eval\nunseen seeds/layouts/domain combos"]
+    Heldout --> Compare["Before/after summary\nsuccess, reward, exploit-block, regression preservation"]
+    Compare --> Artifacts["Saved artifacts\noutputs/evals + outputs/rollouts"]

assets/env_rl_training_flow_diagram.svg ADDED Viewed

models.py CHANGED Viewed

@@ -56,8 +56,12 @@ class CyberSecurityOWASPState(State):
     seed: int = 0
     split: CyberSecurityOWASPSplit = "train"
     difficulty: int = 0
     domain: str = ""
     bug_family: str = ""
     phase: CyberSecurityOWASPPhase = "discover"
     max_steps: int = 40
     done: bool = False
@@ -71,6 +75,11 @@ class CyberSecurityOWASPState(State):
     reward_history: list[dict[str, float]] = Field(default_factory=list)
     visible_facts: dict[str, Any] = Field(default_factory=dict)
     hidden_facts: dict[str, Any] = Field(default_factory=dict)
     metrics: dict[str, Any] = Field(default_factory=dict)
     anti_cheat_flags: list[str] = Field(default_factory=list)

     seed: int = 0
     split: CyberSecurityOWASPSplit = "train"
     difficulty: int = 0
+    difficulty_tier: str = "warmup"
     domain: str = ""
     bug_family: str = ""
+    scenario_family: str = ""
+    template_id: str = "fastapi_basic"
+    target_weakness: str = "same_role_cross_object"
     phase: CyberSecurityOWASPPhase = "discover"
     max_steps: int = 40
     done: bool = False
     reward_history: list[dict[str, float]] = Field(default_factory=list)
     visible_facts: dict[str, Any] = Field(default_factory=dict)
     hidden_facts: dict[str, Any] = Field(default_factory=dict)
+    curriculum_snapshot: dict[str, Any] = Field(default_factory=dict)
+    verification_summary: dict[str, Any] = Field(default_factory=dict)
+    patch_diff: str = ""
+    episode_artifact_path: str | None = None
+    observation_history: list[dict[str, Any]] = Field(default_factory=list)
     metrics: dict[str, Any] = Field(default_factory=dict)
     anti_cheat_flags: list[str] = Field(default_factory=list)

pyproject.toml CHANGED Viewed

@@ -18,6 +18,7 @@ dependencies = [
     # install from github
     # "openenv-core[core] @ git+https://github.com/meta-pytorch/OpenEnv.git",
     "openenv-core[core]>=0.2.2",
     # Environment-specific dependencies
     # Add all dependencies needed for your environment here
     # Examples:

     # install from github
     # "openenv-core[core] @ git+https://github.com/meta-pytorch/OpenEnv.git",
     "openenv-core[core]>=0.2.2",
+    "trackio>=0.22.0",
     # Environment-specific dependencies
     # Add all dependencies needed for your environment here
     # Examples:

scenario_compiler.py CHANGED Viewed

@@ -1,51 +1,26 @@
-"""Deterministic scenario compiler for CyberSecurity_OWASP."""
 from __future__ import annotations
-import tempfile
-from pathlib import Path
 from typing import Any
 try:
-    from .fixture_generator import visible_workspace_summary
-    from .policy_graph import build_invoice_policy
-    from .template_renderer import render_fastapi_basic
 except ImportError:  # pragma: no cover
-    from fixture_generator import visible_workspace_summary
-    from policy_graph import build_invoice_policy
-    from template_renderer import render_fastapi_basic
-def compile_scenario(seed: int, split: str = "train", difficulty: int = 0) -> dict[str, Any]:
-    """Compile one isolated MVP authorization-repair scenario."""
-    compiled = build_invoice_policy(seed)
-    workspace = Path(tempfile.mkdtemp(prefix=f"cybersecurity_owasp_{split}_{seed}_"))
-    editable_files = render_fastapi_basic(workspace, compiled.public_hint, compiled.hidden_facts)
-    task_id = f"{split}-invoices-bola-{seed}"
-    hidden = dict(compiled.hidden_facts)
-    hidden.update(
-        {
-            "workspace": str(workspace),
-            "editable_files": editable_files,
-            "initial_file_hashes": {
-                path: (workspace / path).read_text(encoding="utf-8")
-                for path in editable_files
-            },
-        }
     )
-    return {
-        "task_id": task_id,
-        "workspace": workspace,
-        "domain": "invoices",
-        "bug_family": "bola_idor",
-        "difficulty": difficulty,
-        "task_brief": (
-            "Inspect the generated invoices app and policy. Find the broken "
-            "authorization behavior, submit a finding with local evidence, patch "
-            "the app, preserve intended owner/admin/public behavior, then submit."
-        ),
-        "public_hint": compiled.public_hint,
-        "workspace_summary": visible_workspace_summary(editable_files, compiled.public_hint),
-        "hidden_facts": hidden,
-    }

+"""Compatibility facade for deterministic scenario compilation."""
 from __future__ import annotations
 from typing import Any
 try:
+    from .server.scenario_factory import ScenarioFactory
 except ImportError:  # pragma: no cover
+    from server.scenario_factory import ScenarioFactory
+def compile_scenario(
+    seed: int,
+    split: str = "train",
+    difficulty: int = 0,
+    curriculum_profile: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    """Compile one isolated authorization-repair scenario."""
+    return ScenarioFactory().compile_scenario(
+        seed,
+        split=split,
+        difficulty=difficulty,
+        curriculum_profile=curriculum_profile,
     )

scripts/modal_ephemeral_train.py CHANGED Viewed

@@ -62,12 +62,18 @@ class NoopTrainer:
 @app.function(image=image, timeout=60 * 30)
-def run_ephemeral_smoke(episodes: int = 4, seed_start: int = 0) -> dict[str, Any]:
     from CyberSecurity_OWASP.models import CyberSecurityOWASPAction
     from CyberSecurity_OWASP.server.CyberSecurity_OWASP_environment import (
         CybersecurityOwaspEnvironment,
     )
     from training.rollout import rollout_once
     baseline = []
     oracle = []
@@ -128,8 +134,9 @@ def run_ephemeral_smoke(episodes: int = 4, seed_start: int = 0) -> dict[str, Any
     def mean(items: list[dict[str, Any]], key: str) -> float:
         return sum(float(item.get(key, 0.0)) for item in items) / max(1, len(items))
-    return {
-        "run_name": f"{APP_NAME}-{datetime.utcnow().strftime('%Y%m%d-%H%M%S')}",
         "mode": "smoke",
         "episodes": episodes,
         "seed_start": seed_start,
@@ -139,6 +146,28 @@ def run_ephemeral_smoke(episodes: int = 4, seed_start: int = 0) -> dict[str, Any
         "baseline": baseline,
         "oracle": oracle,
     }
 @app.function(image=image, timeout=60 * 10)
@@ -149,9 +178,20 @@ def run_grpo_config_check() -> str:
 @app.local_entrypoint()
-def main(mode: str = "smoke", episodes: int = 4, seed_start: int = 0) -> None:
     if mode == "smoke":
-        result = run_ephemeral_smoke.remote(episodes=episodes, seed_start=seed_start)
         output_dir = PROJECT_ROOT / "outputs" / "rollouts"
         output_dir.mkdir(parents=True, exist_ok=True)
         output_path = output_dir / f"{result['run_name']}.json"

 @app.function(image=image, timeout=60 * 30)
+def run_ephemeral_smoke(
+    episodes: int = 4,
+    seed_start: int = 0,
+    trackio_space_id: str = "",
+    trackio_project: str = "CyberSecurity_OWASP-smoke",
+) -> dict[str, Any]:
     from CyberSecurity_OWASP.models import CyberSecurityOWASPAction
     from CyberSecurity_OWASP.server.CyberSecurity_OWASP_environment import (
         CybersecurityOwaspEnvironment,
     )
     from training.rollout import rollout_once
+    from training.trackio_utils import log_trackio_metrics, trackio_run
     baseline = []
     oracle = []
     def mean(items: list[dict[str, Any]], key: str) -> float:
         return sum(float(item.get(key, 0.0)) for item in items) / max(1, len(items))
+    run_name = f"{APP_NAME}-{datetime.utcnow().strftime('%Y%m%d-%H%M%S')}"
+    result = {
+        "run_name": run_name,
         "mode": "smoke",
         "episodes": episodes,
         "seed_start": seed_start,
         "baseline": baseline,
         "oracle": oracle,
     }
+    with trackio_run(
+        run_name=run_name,
+        run_type="modal_ephemeral_smoke",
+        project=trackio_project,
+        space_id=trackio_space_id,
+        config={
+            "episodes": episodes,
+            "seed_start": seed_start,
+            "mode": "smoke",
+        },
+        group="smoke",
+    ):
+        log_trackio_metrics(
+            {
+                "smoke/baseline_mean_reward": result["baseline_mean_reward"],
+                "smoke/oracle_mean_reward": result["oracle_mean_reward"],
+                "smoke/oracle_success_rate": result["oracle_success_rate"],
+                "smoke/episodes": episodes,
+            },
+            step=0,
+        )
+    return result
 @app.function(image=image, timeout=60 * 10)
 @app.local_entrypoint()
+def main(
+    mode: str = "smoke",
+    episodes: int = 4,
+    seed_start: int = 0,
+    trackio_space_id: str = "",
+    trackio_project: str = "CyberSecurity_OWASP-smoke",
+) -> None:
     if mode == "smoke":
+        result = run_ephemeral_smoke.remote(
+            episodes=episodes,
+            seed_start=seed_start,
+            trackio_space_id=trackio_space_id,
+            trackio_project=trackio_project,
+        )
         output_dir = PROJECT_ROOT / "outputs" / "rollouts"
         output_dir.mkdir(parents=True, exist_ok=True)
         output_path = output_dir / f"{result['run_name']}.json"

scripts/modal_run_ephemeral.sh CHANGED Viewed

@@ -1,3 +1,8 @@
 #!/usr/bin/env bash
 set -euo pipefail
-modal run scripts/modal_ephemeral_train.py --mode "${MODE:-smoke}" --episodes "${EPISODES:-4}" --seed-start "${SEED_START:-0}"

 #!/usr/bin/env bash
 set -euo pipefail
+modal run scripts/modal_ephemeral_train.py \
+  --mode "${MODE:-smoke}" \
+  --episodes "${EPISODES:-4}" \
+  --seed-start "${SEED_START:-0}" \
+  --trackio-space-id "${TRACKIO_SPACE_ID:-}" \
+  --trackio-project "${TRACKIO_PROJECT:-CyberSecurity_OWASP-smoke}"

scripts/modal_train_grpo.py CHANGED Viewed

@@ -19,6 +19,7 @@ from __future__ import annotations
 import os
 import pathlib
 import subprocess
 from datetime import datetime, timezone
 from typing import Any
@@ -31,10 +32,62 @@ SECRET_NAME = "CyberSecurity_OWASP-secrets"
 RUNS_DIR = pathlib.Path("/runs")
 REMOTE_PROJECT = "/root/CyberSecurity_OWASP"
 PROJECT_ROOT = pathlib.Path(__file__).resolve().parents[1]
 def _training_image() -> modal.Image:
-    return (
         modal.Image.from_registry(
             "nvidia/cuda:12.8.0-devel-ubuntu22.04",
             add_python="3.11",
@@ -49,21 +102,33 @@ def _training_image() -> modal.Image:
             "datasets",
             "huggingface_hub",
             "peft",
             "tokenizers",
             "nvidia-ml-py",
             "trackio>=0.25.0",
             "transformers>=5.5.0",
             "trl>=0.28.0",
             "openenv-core[core]>=0.2.3",
-            "pydantic==2.10.6",
         )
         .uv_pip_install(
             "unsloth_zoo[base] @ git+https://github.com/unslothai/unsloth-zoo",
             "unsloth[base] @ git+https://github.com/unslothai/unsloth",
         )
         .uv_pip_install("mergekit", "immutables==0.21", extra_options="--no-deps")
         .uv_pip_install("trl>=0.28.0", "transformers>=5.5.0", "jmespath")
-        .add_local_dir(
             PROJECT_ROOT,
             remote_path=REMOTE_PROJECT,
             copy=True,
@@ -76,22 +141,23 @@ def _training_image() -> modal.Image:
                 "*.pyc",
             ],
         )
-        .run_commands(
             f"python -m pip install -e {REMOTE_PROJECT}",
-            "python -c \"import os, torch; import transformers.utils.hub as hub; "
-            "hub.TRANSFORMERS_CACHE = getattr(hub, 'TRANSFORMERS_CACHE', "
-            "os.path.join(os.path.expanduser('~'), '.cache', 'huggingface', 'hub')); "
-            "from trl import GRPOConfig, GRPOTrainer; "
-            "from CyberSecurity_OWASP.server.CyberSecurity_OWASP_environment import "
-            "CybersecurityOwaspEnvironment; print('trainer import ok', torch.__version__)\"",
         )
-        .workdir(REMOTE_PROJECT)
-    )
 app = modal.App(APP_NAME)
 volume = modal.Volume.from_name(VOLUME_NAME, create_if_missing=True)
-secret = modal.Secret.from_name(SECRET_NAME)
 @app.function(
@@ -99,7 +165,7 @@ secret = modal.Secret.from_name(SECRET_NAME)
     gpu=["L4", "A10G"],
     timeout=4 * 60 * 60,
     volumes={RUNS_DIR: volume},
-    secrets=[secret],
 )
 def check_training_imports() -> dict[str, str]:
     import torch
@@ -131,7 +197,7 @@ def check_training_imports() -> dict[str, str]:
     gpu=["L4", "A10G"],
     timeout=4 * 60 * 60,
     volumes={RUNS_DIR: volume},
-    secrets=[secret],
 )
 def train_cybersecurity_owasp_grpo(
     env_repo_id: str = "",
@@ -149,16 +215,22 @@ def train_cybersecurity_owasp_grpo(
     num_generations: int = 2,
     seed_start: int = 0,
     git_sha: str = "nogit",
 ) -> dict[str, str | int | float]:
     import statistics
     import torch
     import transformers.utils.hub as transformers_hub
     from datasets import Dataset
     from huggingface_hub import whoami
     from transformers import TrainerCallback
-    from trl import GRPOConfig, GRPOTrainer
-    from unsloth import FastLanguageModel
     import trackio
@@ -191,7 +263,9 @@ def train_cybersecurity_owasp_grpo(
     model_slug = model_name.replace("/", "-")
     stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
-    run_name = f"CyberSecurity_OWASP-{model_slug}-grpo-level{difficulty}-{stamp}-{git_sha[:8]}"
     output_dir = RUNS_DIR / run_name
     output_dir.mkdir(parents=True, exist_ok=True)
@@ -324,11 +398,27 @@ def train_cybersecurity_owasp_grpo(
             return self._step("read_openapi")
         def read_file(self, path: str) -> str:
-            """Read an editable generated workspace file by relative path."""
             return self._step("read_file", {"path": path})
         def search_code(self, query: str) -> str:
-            """Search editable generated workspace files for a string."""
             return self._step("search_code", {"query": query})
         def send_local_request(
@@ -337,7 +427,17 @@ def train_cybersecurity_owasp_grpo(
             method: str = "GET",
             user_id: str | None = None,
         ) -> str:
-            """Send a request to the generated local app only."""
             return self._step(
                 "send_local_request",
                 {"path": path, "method": method, "user_id": user_id},
@@ -350,7 +450,18 @@ def train_cybersecurity_owasp_grpo(
             second_user_id: str,
             method: str = "GET",
         ) -> str:
-            """Compare one local request as two generated users."""
             return self._step(
                 "compare_identities",
                 {
@@ -367,7 +478,17 @@ def train_cybersecurity_owasp_grpo(
             evidence: str,
             policy_rule: str,
         ) -> str:
-            """Submit structured evidence for the suspected authorization bug."""
             return self._step(
                 "submit_finding",
                 {
@@ -383,7 +504,17 @@ def train_cybersecurity_owasp_grpo(
             content: str | None = None,
             diff: str | None = None,
         ) -> str:
-            """Patch an editable generated app file with full content or a unified diff."""
             args: dict[str, Any] = {"path": path}
             if content is not None:
                 args["content"] = content
@@ -534,7 +665,10 @@ def train_cybersecurity_owasp_grpo(
             return control
     print(f"CUDA available: {torch.cuda.is_available()}")
-    print(f"Packaged local CyberSecurity_OWASP repo; default env repo id: {env_repo_id}")
     print(f"Trackio Space: {trackio_space_id}")
     print(f"Trackio Project: {trackio_project}")
     print(f"Output repo: {output_repo_id}")
@@ -547,6 +681,18 @@ def train_cybersecurity_owasp_grpo(
         fast_inference=False,
         token=hf_token,
     )
     model = FastLanguageModel.get_peft_model(
         model,
         r=lora_rank,
@@ -565,46 +711,68 @@ def train_cybersecurity_owasp_grpo(
     )
     FastLanguageModel.for_training(model)
     training_args = GRPOConfig(
-        temperature=1.0,
-        learning_rate=5e-6,
-        weight_decay=0.001,
-        warmup_ratio=0.1,
-        lr_scheduler_type="linear",
-        optim="adamw_8bit",
-        logging_steps=1,
-        per_device_train_batch_size=1,
-        gradient_accumulation_steps=max(2, num_generations),
-        num_generations=num_generations,
-        max_prompt_length=max_seq_length,
-        max_completion_length=max_completion_length,
-        max_steps=max_steps,
-        save_steps=max(10, max_steps),
-        report_to="trackio",
-        trackio_space_id=trackio_space_id,
-        run_name=run_name,
-        output_dir=str(output_dir),
-        push_to_hub=True,
-        hub_model_id=output_repo_id,
-        hub_private_repo=True,
-        hub_strategy="every_save",
-        gradient_checkpointing=True,
-        gradient_checkpointing_kwargs={"use_reentrant": False},
-        epsilon=0.2,
-        epsilon_high=0.28,
-        delta=1.5,
-        loss_type="bnpo",
-        mask_truncated_completions=False,
     )
     trainer = GRPOTrainer(
-        model=model,
-        processing_class=tokenizer,
-        reward_funcs=cybersecurity_owasp_reward,
-        args=training_args,
-        train_dataset=dataset,
-        environment_factory=CyberSecurityOWASPToolEnv,
-        callbacks=[TrackioSystemMetricsCallback()],
     )
     trainer.train()
     trainer.push_to_hub()
@@ -623,6 +791,9 @@ def train_cybersecurity_owasp_grpo(
         "model_name": model_name,
         "max_completion_length": max_completion_length,
         "num_generations": num_generations,
     }
@@ -644,6 +815,10 @@ def main(
     num_generations: int = 2,
     seed_start: int = 0,
     git_sha: str = "nogit",
 ) -> None:
     if mode == "config":
         result = check_training_imports.remote()
@@ -652,6 +827,10 @@ def main(
     if mode != "train":
         raise ValueError("mode must be 'train' or 'config'")
     resolved_trackio_space_id = trackio_space_id
     resolved_output_repo_id = output_repo_id
     if not resolved_trackio_space_id or not resolved_output_repo_id:
@@ -684,12 +863,28 @@ def main(
     model_slug = model_name.replace("/", "-")
     local_stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
-    estimated_run_name = (
         f"CyberSecurity_OWASP-{model_slug}-grpo-level{difficulty}-"
         f"{local_stamp}-{git_sha[:8]}"
     )
-    call = train_cybersecurity_owasp_grpo.spawn(
         env_repo_id=env_repo_id,
         output_repo_id=output_repo_id,
         max_steps=max_steps,
@@ -705,17 +900,14 @@ def main(
         num_generations=num_generations,
         seed_start=seed_start,
         git_sha=git_sha,
     )
-    print(f"Spawned Modal training call: {call.object_id}")
-    print(f"Estimated run name: {estimated_run_name}")
-    if resolved_trackio_space_id:
-        print(f"Trackio Space: https://huggingface.co/spaces/{resolved_trackio_space_id}")
-    else:
-        print("Trackio Space: derived remotely from HF_TOKEN as <hf-user>/CyberSecurity_OWASP-trackio")
-    if resolved_output_repo_id:
-        print(f"Output model repo: https://huggingface.co/{resolved_output_repo_id}")
     else:
-        print(
-            "Output model repo: derived remotely from HF_TOKEN as "
-            "<hf-user>/CyberSecurity_OWASP-qwen3-1.7b-grpo-lora"
-        )

 import os
 import pathlib
 import subprocess
+import sys
 from datetime import datetime, timezone
 from typing import Any
 RUNS_DIR = pathlib.Path("/runs")
 REMOTE_PROJECT = "/root/CyberSecurity_OWASP"
 PROJECT_ROOT = pathlib.Path(__file__).resolve().parents[1]
+PUBLIC_REPO_URL = "https://github.com/humandotlearning/CyberSecurity_OWASP.git"
+PUBLIC_REPO_BRANCH = "master"
+def _load_local_env_file() -> None:
+    env_path = PROJECT_ROOT / ".env.local"
+    if not env_path.exists():
+        return
+    for raw_line in env_path.read_text(encoding="utf-8").splitlines():
+        line = raw_line.strip()
+        if not line or line.startswith("#") or "=" not in line:
+            continue
+        key, value = line.split("=", 1)
+        key = key.strip()
+        if key not in {"TRACKIO_PROJECT"}:
+            continue
+        value = value.strip().strip('"').strip("'")
+        os.environ.setdefault(key, value)
+def _modal_secrets() -> list[modal.Secret]:
+    if _is_config_mode():
+        return []
+    return [modal.Secret.from_name(SECRET_NAME, required_keys=["HF_TOKEN"])]
+def _is_config_mode() -> bool:
+    args = sys.argv[1:]
+    for index, arg in enumerate(args):
+        if arg == "--mode" and index + 1 < len(args):
+            return args[index + 1] == "config"
+        if arg.startswith("--mode="):
+            return arg.split("=", 1)[1] == "config"
+    return False
+_load_local_env_file()
+def _cli_arg_value(name: str, default: str = "") -> str:
+    args = sys.argv[1:]
+    flag = f"--{name}"
+    for index, arg in enumerate(args):
+        if arg == flag and index + 1 < len(args):
+            return args[index + 1]
+        if arg.startswith(f"{flag}="):
+            return arg.split("=", 1)[1]
+    return default
+def _source_mode() -> str:
+    return _cli_arg_value("source-mode", os.environ.get("MODAL_SOURCE_MODE", "local"))
 def _training_image() -> modal.Image:
+    image = (
         modal.Image.from_registry(
             "nvidia/cuda:12.8.0-devel-ubuntu22.04",
             add_python="3.11",
             "datasets",
             "huggingface_hub",
             "peft",
+            "pillow",
             "tokenizers",
             "nvidia-ml-py",
             "trackio>=0.25.0",
             "transformers>=5.5.0",
             "trl>=0.28.0",
             "openenv-core[core]>=0.2.3",
         )
         .uv_pip_install(
             "unsloth_zoo[base] @ git+https://github.com/unslothai/unsloth-zoo",
             "unsloth[base] @ git+https://github.com/unslothai/unsloth",
         )
+        .uv_pip_install("pydantic==2.10.6")
         .uv_pip_install("mergekit", "immutables==0.21", extra_options="--no-deps")
+        .uv_pip_install("llm-blender", "weave")
         .uv_pip_install("trl>=0.28.0", "transformers>=5.5.0", "jmespath")
+    )
+    if _source_mode() == "public":
+        repo_url = _cli_arg_value("repo-url", PUBLIC_REPO_URL)
+        repo_branch = _cli_arg_value("repo-branch", PUBLIC_REPO_BRANCH)
+        image = image.run_commands(
+            f"git clone --depth 1 --branch {repo_branch} {repo_url} {REMOTE_PROJECT}",
+            f"python -m pip install -e {REMOTE_PROJECT}",
+        )
+    else:
+        image = image.add_local_dir(
             PROJECT_ROOT,
             remote_path=REMOTE_PROJECT,
             copy=True,
                 "*.pyc",
             ],
         )
+        image = image.run_commands(
             f"python -m pip install -e {REMOTE_PROJECT}",
         )
+    return image.run_commands(
+        "python -c \"import os, torch; import transformers.utils.hub as hub; "
+        "hub.TRANSFORMERS_CACHE = getattr(hub, 'TRANSFORMERS_CACHE', "
+        "os.path.join(os.path.expanduser('~'), '.cache', 'huggingface', 'hub')); "
+        "from trl import GRPOConfig, GRPOTrainer; "
+        "from CyberSecurity_OWASP.server.CyberSecurity_OWASP_environment import "
+        "CybersecurityOwaspEnvironment; print('trainer import ok', torch.__version__)\"",
+    ).workdir(REMOTE_PROJECT)
 app = modal.App(APP_NAME)
 volume = modal.Volume.from_name(VOLUME_NAME, create_if_missing=True)
+secrets = _modal_secrets()
 @app.function(
     gpu=["L4", "A10G"],
     timeout=4 * 60 * 60,
     volumes={RUNS_DIR: volume},
+    secrets=secrets,
 )
 def check_training_imports() -> dict[str, str]:
     import torch
     gpu=["L4", "A10G"],
     timeout=4 * 60 * 60,
     volumes={RUNS_DIR: volume},
+    secrets=secrets,
 )
 def train_cybersecurity_owasp_grpo(
     env_repo_id: str = "",
     num_generations: int = 2,
     seed_start: int = 0,
     git_sha: str = "nogit",
+    run_name: str = "",
+    source_mode: str = "local",
+    repo_url: str = PUBLIC_REPO_URL,
+    repo_branch: str = PUBLIC_REPO_BRANCH,
 ) -> dict[str, str | int | float]:
+    import inspect
     import statistics
     import torch
+    from unsloth import FastLanguageModel
     import transformers.utils.hub as transformers_hub
     from datasets import Dataset
     from huggingface_hub import whoami
     from transformers import TrainerCallback
+    from trl import GRPOConfig, GRPOTrainer, clone_chat_template
+    from trl.chat_template_utils import add_response_schema
     import trackio
     model_slug = model_name.replace("/", "-")
     stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
+    run_name = run_name or (
+        f"CyberSecurity_OWASP-{model_slug}-grpo-level{difficulty}-{stamp}-{git_sha[:8]}"
+    )
     output_dir = RUNS_DIR / run_name
     output_dir.mkdir(parents=True, exist_ok=True)
             return self._step("read_openapi")
         def read_file(self, path: str) -> str:
+            """
+            Read an editable generated workspace file by relative path.
+            Args:
+                path: Relative path inside the generated editable workspace.
+            Returns:
+                The file contents or a safe tool error observation.
+            """
             return self._step("read_file", {"path": path})
         def search_code(self, query: str) -> str:
+            """
+            Search editable generated workspace files for a string.
+            Args:
+                query: Search text to find in editable generated app files.
+            Returns:
+                Matching file lines or a no-match message.
+            """
             return self._step("search_code", {"query": query})
         def send_local_request(
             method: str = "GET",
             user_id: str | None = None,
         ) -> str:
+            """
+            Send a request to the generated local app only.
+            Args:
+                path: Local route path such as /health or /invoices/<id>.
+                method: HTTP method to use for the local request.
+                user_id: Optional generated user identifier for authentication.
+            Returns:
+                JSON response from the simulated local app request.
+            """
             return self._step(
                 "send_local_request",
                 {"path": path, "method": method, "user_id": user_id},
             second_user_id: str,
             method: str = "GET",
         ) -> str:
+            """
+            Compare one local request as two generated users.
+            Args:
+                path: Local route path to request as both generated users.
+                first_user_id: First generated user identifier.
+                second_user_id: Second generated user identifier.
+                method: HTTP method to use for both local requests.
+            Returns:
+                JSON summary of both simulated local responses.
+            """
             return self._step(
                 "compare_identities",
                 {
             evidence: str,
             policy_rule: str,
         ) -> str:
+            """
+            Submit structured evidence for the suspected authorization bug.
+            Args:
+                summary: Concise description of the suspected access-control bug.
+                evidence: Local reproduction evidence from policy, code, or requests.
+                policy_rule: Policy rule that the observed behavior violates.
+            Returns:
+                Finding acceptance result and next phase information.
+            """
             return self._step(
                 "submit_finding",
                 {
             content: str | None = None,
             diff: str | None = None,
         ) -> str:
+            """
+            Patch an editable generated app file with full content or a unified diff.
+            Args:
+                path: Relative path of the editable generated app file to patch.
+                content: Complete replacement file content, when using full-file patching.
+                diff: Unified diff to apply, when using diff patching.
+            Returns:
+                Patch application result.
+            """
             args: dict[str, Any] = {"path": path}
             if content is not None:
                 args["content"] = content
             return control
     print(f"CUDA available: {torch.cuda.is_available()}")
+    if source_mode == "public":
+        print(f"Installed CyberSecurity_OWASP from public repo: {repo_url}@{repo_branch}")
+    else:
+        print(f"Packaged local CyberSecurity_OWASP repo; default env repo id: {env_repo_id}")
     print(f"Trackio Space: {trackio_space_id}")
     print(f"Trackio Project: {trackio_project}")
     print(f"Output repo: {output_repo_id}")
         fast_inference=False,
         token=hf_token,
     )
+    try:
+        tokenizer = add_response_schema(tokenizer)
+    except Exception as exc:
+        print(f"Tokenizer response schema add failed before cloning: {exc!r}")
+        model, tokenizer, added_tokens = clone_chat_template(
+            model,
+            tokenizer,
+            "Qwen/Qwen3-0.6B",
+        )
+        print(f"Cloned Qwen3 chat template; added {len(added_tokens)} tokens.")
+        tokenizer = add_response_schema(tokenizer)
     model = FastLanguageModel.get_peft_model(
         model,
         r=lora_rank,
     )
     FastLanguageModel.for_training(model)
+    grpo_config_values = {
+        "temperature": 1.0,
+        "learning_rate": 5e-6,
+        "weight_decay": 0.001,
+        "warmup_ratio": 0.1,
+        "lr_scheduler_type": "linear",
+        "optim": "adamw_8bit",
+        "logging_steps": 1,
+        "per_device_train_batch_size": 1,
+        "gradient_accumulation_steps": max(2, num_generations),
+        "num_generations": num_generations,
+        "max_prompt_length": max_seq_length,
+        "max_completion_length": max_completion_length,
+        "max_steps": max_steps,
+        "save_steps": max(10, max_steps),
+        "report_to": "trackio",
+        "trackio_space_id": trackio_space_id,
+        "run_name": run_name,
+        "output_dir": str(output_dir),
+        "push_to_hub": True,
+        "hub_model_id": output_repo_id,
+        "hub_private_repo": True,
+        "hub_strategy": "every_save",
+        "gradient_checkpointing": True,
+        "gradient_checkpointing_kwargs": {"use_reentrant": False},
+        "epsilon": 0.2,
+        "epsilon_high": 0.28,
+        "delta": 1.5,
+        "loss_type": "bnpo",
+        "mask_truncated_completions": False,
+    }
+    grpo_config_parameters = set(inspect.signature(GRPOConfig).parameters)
+    skipped_config_keys = sorted(set(grpo_config_values) - grpo_config_parameters)
+    if skipped_config_keys:
+        print(f"Skipping unsupported GRPOConfig keys: {skipped_config_keys}")
     training_args = GRPOConfig(
+        **{
+            key: value
+            for key, value in grpo_config_values.items()
+            if key in grpo_config_parameters
+        }
     )
+    trainer_values = {
+        "model": model,
+        "processing_class": tokenizer,
+        "reward_funcs": cybersecurity_owasp_reward,
+        "args": training_args,
+        "train_dataset": dataset,
+        "environment_factory": CyberSecurityOWASPToolEnv,
+        "callbacks": [TrackioSystemMetricsCallback()],
+    }
+    trainer_parameters = set(inspect.signature(GRPOTrainer).parameters)
+    skipped_trainer_keys = sorted(set(trainer_values) - trainer_parameters)
+    if skipped_trainer_keys:
+        print(f"Skipping unsupported GRPOTrainer keys: {skipped_trainer_keys}")
     trainer = GRPOTrainer(
+        **{
+            key: value
+            for key, value in trainer_values.items()
+            if key in trainer_parameters
+        }
     )
     trainer.train()
     trainer.push_to_hub()
         "model_name": model_name,
         "max_completion_length": max_completion_length,
         "num_generations": num_generations,
+        "source_mode": source_mode,
+        "repo_url": repo_url,
+        "repo_branch": repo_branch,
     }
     num_generations: int = 2,
     seed_start: int = 0,
     git_sha: str = "nogit",
+    source_mode: str = "local",
+    repo_url: str = PUBLIC_REPO_URL,
+    repo_branch: str = PUBLIC_REPO_BRANCH,
+    detach: bool = False,
 ) -> None:
     if mode == "config":
         result = check_training_imports.remote()
     if mode != "train":
         raise ValueError("mode must be 'train' or 'config'")
+    trackio_space_id = trackio_space_id or os.environ.get("TRACKIO_SPACE_ID", "")
+    trackio_project = trackio_project or os.environ.get(
+        "TRACKIO_PROJECT", "CyberSecurity_OWASP-grpo"
+    )
     resolved_trackio_space_id = trackio_space_id
     resolved_output_repo_id = output_repo_id
     if not resolved_trackio_space_id or not resolved_output_repo_id:
     model_slug = model_name.replace("/", "-")
     local_stamp = datetime.now(timezone.utc).strftime("%Y%m%d-%H%M%S")
+    run_name = (
         f"CyberSecurity_OWASP-{model_slug}-grpo-level{difficulty}-"
         f"{local_stamp}-{git_sha[:8]}"
     )
+    print(f"Run name: {run_name}")
+    print(f"Source mode: {source_mode}")
+    if source_mode == "public":
+        print(f"Public repo: {repo_url}@{repo_branch}")
+    if resolved_trackio_space_id:
+        print(f"Trackio Space: https://huggingface.co/spaces/{resolved_trackio_space_id}")
+    else:
+        print("Trackio Space: derived remotely from HF_TOKEN as <hf-user>/CyberSecurity_OWASP-trackio")
+    if resolved_output_repo_id:
+        print(f"Output model repo: https://huggingface.co/{resolved_output_repo_id}")
+    else:
+        print(
+            "Output model repo: derived remotely from HF_TOKEN as "
+            "<hf-user>/CyberSecurity_OWASP-qwen3-1.7b-grpo-lora"
+        )
+    kwargs = dict(
         env_repo_id=env_repo_id,
         output_repo_id=output_repo_id,
         max_steps=max_steps,
         num_generations=num_generations,
         seed_start=seed_start,
         git_sha=git_sha,
+        run_name=run_name,
+        source_mode=source_mode,
+        repo_url=repo_url,
+        repo_branch=repo_branch,
     )
+    if detach:
+        call = train_cybersecurity_owasp_grpo.spawn(**kwargs)
+        print(f"Spawned Modal training call: {call.object_id}")
     else:
+        result = train_cybersecurity_owasp_grpo.remote(**kwargs)
+        print(f"Training result: {result}")

scripts/smoke_test.sh CHANGED Viewed

@@ -1,3 +1,3 @@
 #!/usr/bin/env bash
 set -euo pipefail
-uv run pytest tests/test_models.py tests/test_reset_step_state.py

 #!/usr/bin/env bash
 set -euo pipefail
+uv run python scripts/track_pytest.py tests/test_models.py tests/test_reset_step_state.py

scripts/track_pytest.py ADDED Viewed

	@@ -0,0 +1,59 @@

+"""Run pytest and record the result as a Trackio run."""
+from __future__ import annotations
+import argparse
+import subprocess
+import sys
+import time
+from pathlib import Path
+PROJECT_ROOT = Path(__file__).resolve().parents[1]
+sys.path.insert(0, str(PROJECT_ROOT))
+sys.path.insert(0, str(PROJECT_ROOT.parent))
+from training.trackio_utils import build_run_name, get_git_sha, log_trackio_metrics, trackio_run
+def main() -> int:
+    parser = argparse.ArgumentParser(description="Run pytest with Trackio tracking.")
+    parser.add_argument("pytest_args", nargs="*", help="Arguments passed through to pytest.")
+    parser.add_argument("--run-name", default="", help="Trackio run name override.")
+    parser.add_argument("--difficulty", type=int, default=0)
+    args, passthrough = parser.parse_known_args()
+    run_name = args.run_name or build_run_name(
+        "pytest",
+        "smoke",
+        args.difficulty,
+        git_sha=get_git_sha(),
+    )
+    pytest_args = [*args.pytest_args, *passthrough] or ["tests"]
+    command = [sys.executable, "-m", "pytest", *pytest_args]
+    started = time.perf_counter()
+    with trackio_run(
+        run_name=run_name,
+        run_type="pytest",
+        config={
+            "command": " ".join(command),
+            "pytest_args": pytest_args,
+        },
+        group="smoke",
+    ):
+        completed = subprocess.run(command)
+        duration = time.perf_counter() - started
+        log_trackio_metrics(
+            {
+                "smoke/pytest_exit_code": completed.returncode,
+                "smoke/pytest_passed": completed.returncode == 0,
+                "smoke/duration_seconds": duration,
+            },
+            step=0,
+        )
+    return completed.returncode
+if __name__ == "__main__":
+    raise SystemExit(main())

server/Dockerfile CHANGED Viewed

@@ -70,6 +70,7 @@ ENV PATH="/app/.venv/bin:$PATH"
 # Set PYTHONPATH so imports work correctly
 ENV PYTHONPATH="/app/env:$PYTHONPATH"
 # Health check
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \

 # Set PYTHONPATH so imports work correctly
 ENV PYTHONPATH="/app/env:$PYTHONPATH"
+ENV ENABLE_WEB_INTERFACE=true
 # Health check
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \

server/action_tools.py ADDED Viewed

	@@ -0,0 +1,73 @@

+"""Typed action tool dispatcher for the generated app sandbox."""
+from __future__ import annotations
+import json
+from dataclasses import dataclass
+try:
+    from ..models import CyberSecurityOWASPAction, CyberSecurityOWASPState
+    from .app_sandbox import AppSandbox
+except ImportError:  # pragma: no cover
+    from models import CyberSecurityOWASPAction, CyberSecurityOWASPState
+    from server.app_sandbox import AppSandbox
+@dataclass(frozen=True)
+class ToolResult:
+    message: str
+    visible_test_result: str | None = None
+class ActionTools:
+    """Executes phase-gated, safe tools against one episode state."""
+    def __init__(
+        self,
+        state: CyberSecurityOWASPState,
+        visible_policy_hint: dict,
+        workspace_summary: dict,
+    ):
+        self.state = state
+        self.visible_policy_hint = visible_policy_hint
+        self.workspace_summary = workspace_summary
+        self.sandbox = AppSandbox(state)
+    def execute(self, action: CyberSecurityOWASPAction) -> ToolResult:
+        args = action.arguments or {}
+        if action.tool_name == "noop":
+            return ToolResult("No operation.")
+        if action.tool_name == "inspect_policy_graph":
+            return ToolResult(json.dumps(self.visible_policy_hint, indent=2, sort_keys=True))
+        if action.tool_name == "list_routes":
+            return ToolResult(json.dumps(self.workspace_summary["routes"], indent=2))
+        if action.tool_name == "read_openapi":
+            return ToolResult(self.sandbox.read_openapi())
+        if action.tool_name == "read_file":
+            return ToolResult(self.sandbox.read_file(str(args.get("path", ""))))
+        if action.tool_name == "search_code":
+            return ToolResult(self.sandbox.search_code(str(args.get("query", ""))))
+        if action.tool_name == "send_local_request":
+            response = self.sandbox.send_local_request(
+                str(args.get("method", "GET")),
+                str(args.get("path", "")),
+                args.get("user_id"),
+            )
+            return ToolResult(json.dumps(response, indent=2, sort_keys=True))
+        if action.tool_name == "compare_identities":
+            response = self.sandbox.compare_identities(
+                str(args.get("method", "GET")),
+                str(args.get("path", "")),
+                str(args.get("first_user_id", "")),
+                str(args.get("second_user_id", "")),
+            )
+            return ToolResult(json.dumps(response, indent=2, sort_keys=True))
+        if action.tool_name == "patch_file":
+            result = self.sandbox.patch_file(
+                str(args.get("path", "")),
+                content=str(args["content"]) if "content" in args else None,
+                diff=str(args.get("diff", "")) if "content" not in args else None,
+            )
+            changed = "no diff" if not result["diff"].strip() else "diff recorded"
+            return ToolResult(f"Patched {result['path']} ({changed}).")
+        raise ValueError(f"Unhandled tool {action.tool_name}")

server/adversarial_designer.py ADDED Viewed

	@@ -0,0 +1,59 @@

+"""Bounded adversarial scenario targeting for synthetic local lab episodes."""
+from __future__ import annotations
+from dataclasses import dataclass
+from typing import Any
+try:
+    from .curriculum import WEAKNESS_TARGETS
+except ImportError:  # pragma: no cover
+    from server.curriculum import WEAKNESS_TARGETS
+TARGET_SPECS: dict[str, dict[str, Any]] = {
+    "same_role_cross_object": {
+        "description": "Same-role actor tries to read another user's object.",
+        "hidden_focus": ["same_tenant_other_user_blocked"],
+    },
+    "cross_tenant_boundary": {
+        "description": "Tenant-local admin is denied access to another tenant's resource.",
+        "hidden_focus": ["cross_tenant_blocked"],
+    },
+    "public_route_overlock": {
+        "description": "Public health route must remain unauthenticated after patching.",
+        "hidden_focus": ["health_public"],
+    },
+    "alternate_route_same_service": {
+        "description": "Alternate route/service access should follow the same policy oracle.",
+        "hidden_focus": ["oracle_matrix"],
+    },
+    "visible_test_edge_case": {
+        "description": "Visible tests are insufficient; hidden policy matrix decides success.",
+        "hidden_focus": ["visible_test_only_guard"],
+    },
+}
+@dataclass(frozen=True)
+class BoundedAdversarialDesigner:
+    """Chooses safe local lab variants that target tracked agent weaknesses."""
+    def design(self, *, seed: int, split: str, curriculum_profile: dict[str, Any]) -> dict[str, Any]:
+        target = str(curriculum_profile.get("target_weakness") or "")
+        if target not in TARGET_SPECS:
+            target = WEAKNESS_TARGETS[int(seed) % len(WEAKNESS_TARGETS)]
+        family = f"invoices.bola_idor.{target}"
+        if split == "hidden_eval":
+            family = f"heldout.{family}"
+        spec = TARGET_SPECS[target]
+        return {
+            "domain": "invoices",
+            "bug_family": "bola_idor",
+            "template_id": "fastapi_basic",
+            "scenario_family": family,
+            "target_weakness": target,
+            "hidden_focus": list(spec["hidden_focus"]),
+            "description": spec["description"],
+            "safe_lab_only": True,
+        }

server/app.py CHANGED Viewed

@@ -6,6 +6,13 @@
 """FastAPI application for the CyberSecurity_OWASP OpenEnv server."""
 try:
     from openenv.core.env_server.http_server import create_app
 except Exception as e:  # pragma: no cover

 """FastAPI application for the CyberSecurity_OWASP OpenEnv server."""
+import os
+# OpenEnv disables the Gradio playground unless this flag is enabled. Default it
+# on so Docker/HF Spaces show the reset/step/state UI, while explicit env values
+# such as ENABLE_WEB_INTERFACE=false still take precedence.
+os.environ.setdefault("ENABLE_WEB_INTERFACE", "true")
 try:
     from openenv.core.env_server.http_server import create_app
 except Exception as e:  # pragma: no cover

server/app_sandbox.py ADDED Viewed

	@@ -0,0 +1,139 @@

+"""Ephemeral generated app sandbox operations."""
+from __future__ import annotations
+import difflib
+import json
+from pathlib import Path
+from typing import Any
+try:
+    from ..models import CyberSecurityOWASPState
+    from ..safety import is_local_route
+    from ..validators import is_path_allowed, simulate_request
+except ImportError:  # pragma: no cover
+    from models import CyberSecurityOWASPState
+    from safety import is_local_route
+    from validators import is_path_allowed, simulate_request
+class AppSandbox:
+    """Encapsulates all generated workspace reads, patches, and local requests."""
+    def __init__(self, state: CyberSecurityOWASPState):
+        self.state = state
+    @property
+    def workspace(self) -> Path:
+        return Path(str(self.state.hidden_facts["workspace"]))
+    def read_file(self, path: str) -> str:
+        return self._resolve_path(path).read_text(encoding="utf-8")
+    def search_code(self, query: str) -> str:
+        if not query:
+            raise ValueError("query is required")
+        results: list[str] = []
+        for rel in self.state.hidden_facts.get("editable_files", []):
+            path = self.workspace / rel
+            text = path.read_text(encoding="utf-8")
+            for idx, line in enumerate(text.splitlines(), start=1):
+                if query.lower() in line.lower():
+                    results.append(f"{rel}:{idx}: {line}")
+        return "\n".join(results) or "No matches."
+    def patch_file(self, path: str, *, content: str | None = None, diff: str | None = None) -> dict[str, str]:
+        target = self._resolve_path(path, write=True)
+        before = target.read_text(encoding="utf-8")
+        if content is not None:
+            target.write_text(content, encoding="utf-8")
+        else:
+            self._apply_unified_diff(target, diff or "")
+        after = target.read_text(encoding="utf-8")
+        patch_diff = "".join(
+            difflib.unified_diff(
+                before.splitlines(True),
+                after.splitlines(True),
+                fromfile=path,
+                tofile=path,
+            )
+        )
+        self.state.patch_diff = patch_diff
+        files_touched = self.state.metrics.setdefault("files_touched", [])
+        if path not in files_touched:
+            files_touched.append(path)
+        return {"path": path, "diff": patch_diff}
+    def read_openapi(self) -> str:
+        routes = self.state.visible_facts.get("workspace_summary", {}).get("routes", [])
+        paths: dict[str, Any] = {}
+        for route in routes:
+            paths.setdefault(route["path"], {})[route["method"].lower()] = {
+                "x-public": bool(route.get("public", False))
+            }
+        return json.dumps(
+            {
+                "openapi": "3.1.0",
+                "info": {"title": "Generated invoices app", "version": "0.1.0"},
+                "paths": paths,
+            },
+            indent=2,
+            sort_keys=True,
+        )
+    def send_local_request(self, method: str, path: str, user_id: str | None = None) -> dict[str, Any]:
+        if not is_local_route(path):
+            raise ValueError("send_local_request only accepts local route paths")
+        return simulate_request(self.state, method, path, user_id)
+    def compare_identities(
+        self,
+        method: str,
+        path: str,
+        first_user_id: str,
+        second_user_id: str,
+    ) -> dict[str, Any]:
+        if not is_local_route(path):
+            raise ValueError("compare_identities only accepts local route paths")
+        return {
+            "first": simulate_request(self.state, method, path, first_user_id),
+            "second": simulate_request(self.state, method, path, second_user_id),
+        }
+    def _resolve_path(self, path: str, *, write: bool = False) -> Path:
+        allowed, normalized_or_error = is_path_allowed(self.state, path, write=write)
+        if not allowed:
+            raise ValueError(normalized_or_error)
+        return self.workspace / normalized_or_error
+    def _apply_unified_diff(self, path: Path, diff: str) -> None:
+        if not diff.strip():
+            raise ValueError("diff or content is required")
+        original = path.read_text(encoding="utf-8").splitlines(True)
+        output: list[str] = []
+        old_index = 0
+        lines = diff.splitlines(True)
+        i = 0
+        while i < len(lines):
+            line = lines[i]
+            if not line.startswith("@@"):
+                i += 1
+                continue
+            old_start = int(line.split()[1].split(",")[0][1:])
+            output.extend(original[old_index : old_start - 1])
+            old_index = old_start - 1
+            i += 1
+            while i < len(lines) and not lines[i].startswith("@@"):
+                hunk_line = lines[i]
+                if hunk_line.startswith(" "):
+                    output.append(original[old_index])
+                    old_index += 1
+                elif hunk_line.startswith("-"):
+                    old_index += 1
+                elif hunk_line.startswith("+"):
+                    output.append(hunk_line[1:])
+                elif hunk_line.startswith("\\"):
+                    pass
+                i += 1
+        output.extend(original[old_index:])
+        path.write_text("".join(output), encoding="utf-8")

server/authz_oracle.py ADDED Viewed

	@@ -0,0 +1,92 @@

+"""Policy-oracle matrix for deterministic authorization verification."""
+from __future__ import annotations
+from dataclasses import dataclass
+from typing import Any
+try:
+    from ..models import CyberSecurityOWASPState
+    from ..validators import simulate_request
+except ImportError:  # pragma: no cover
+    from models import CyberSecurityOWASPState
+    from validators import simulate_request
+@dataclass(frozen=True)
+class AuthzOracle:
+    """Builds hidden allowed/denied tuples from policy facts."""
+    def matrix(self, state: CyberSecurityOWASPState) -> list[dict[str, Any]]:
+        hidden = state.hidden_facts
+        return [
+            {
+                "name": "owner_can_read_owned_invoice",
+                "method": "GET",
+                "path": f"/invoices/{hidden['owner_invoice_id']}",
+                "user_id": hidden["owner_user_id"],
+                "expected_status": 200,
+                "allowed": True,
+            },
+            {
+                "name": "resource_owner_can_read_own_invoice",
+                "method": "GET",
+                "path": f"/invoices/{hidden['other_invoice_id']}",
+                "user_id": hidden["intruder_user_id"],
+                "expected_status": 200,
+                "allowed": True,
+            },
+            {
+                "name": "billing_admin_can_read_same_tenant_invoice",
+                "method": "GET",
+                "path": f"/invoices/{hidden['other_invoice_id']}",
+                "user_id": hidden["admin_user_id"],
+                "expected_status": 200,
+                "allowed": True,
+            },
+            {
+                "name": "same_tenant_non_owner_denied",
+                "method": "GET",
+                "path": f"/invoices/{hidden['other_invoice_id']}",
+                "user_id": hidden["owner_user_id"],
+                "expected_status": 403,
+                "allowed": False,
+            },
+            {
+                "name": "cross_tenant_admin_denied",
+                "method": "GET",
+                "path": f"/invoices/{hidden['foreign_invoice_id']}",
+                "user_id": hidden["admin_user_id"],
+                "expected_status": 403,
+                "allowed": False,
+            },
+            {
+                "name": "health_remains_public",
+                "method": "GET",
+                "path": "/health",
+                "user_id": None,
+                "expected_status": 200,
+                "allowed": True,
+            },
+        ]
+    def evaluate(self, state: CyberSecurityOWASPState) -> dict[str, Any]:
+        cases = []
+        for case in self.matrix(state):
+            response = simulate_request(
+                state,
+                str(case["method"]),
+                str(case["path"]),
+                case.get("user_id"),
+            )
+            actual = int(response["status"])
+            cases.append(
+                {
+                    "name": case["name"],
+                    "allowed": bool(case["allowed"]),
+                    "expected_status": int(case["expected_status"]),
+                    "actual_status": actual,
+                    "passed": actual == int(case["expected_status"]),
+                }
+            )
+        return {"passed": all(case["passed"] for case in cases), "cases": cases}

server/curriculum.py ADDED Viewed

	@@ -0,0 +1,99 @@

+"""Runtime curriculum controller for closed-loop scenario selection."""
+from __future__ import annotations
+from collections import defaultdict, deque
+from dataclasses import dataclass, field
+from typing import Any
+try:
+    from ..models import CyberSecurityOWASPState
+except ImportError:  # pragma: no cover
+    from models import CyberSecurityOWASPState
+DIFFICULTY_TIERS = ("warmup", "beginner", "intermediate", "advanced", "expert")
+WEAKNESS_TARGETS = (
+    "same_role_cross_object",
+    "cross_tenant_boundary",
+    "public_route_overlock",
+    "alternate_route_same_service",
+    "visible_test_edge_case",
+)
+@dataclass
+class CurriculumController:
+    """Tracks episode outcomes and picks the next bounded weakness target."""
+    window_size: int = 10
+    reward_trend: deque[float] = field(default_factory=lambda: deque(maxlen=10))
+    outcomes_by_target: dict[str, list[bool]] = field(default_factory=lambda: defaultdict(list))
+    failures_by_target: dict[str, int] = field(default_factory=lambda: defaultdict(int))
+    episodes_seen: int = 0
+    def select_profile(
+        self,
+        *,
+        seed: int,
+        split: str = "train",
+        requested_difficulty: int = 0,
+    ) -> dict[str, Any]:
+        difficulty = self._difficulty_for_split(split, requested_difficulty)
+        target = self._target_for_seed(seed, split)
+        if self.failures_by_target:
+            target = max(
+                WEAKNESS_TARGETS,
+                key=lambda item: (self.failures_by_target.get(item, 0), -WEAKNESS_TARGETS.index(item)),
+            )
+        return {
+            "difficulty": difficulty,
+            "difficulty_tier": DIFFICULTY_TIERS[min(difficulty, len(DIFFICULTY_TIERS) - 1)],
+            "target_weakness": target,
+            "split": split,
+            "episodes_seen": self.episodes_seen,
+            "recent_reward_mean": self._recent_reward_mean(),
+            "mastery": self.mastery_snapshot(),
+        }
+    def record_episode(self, state: CyberSecurityOWASPState) -> dict[str, Any]:
+        target = state.target_weakness or "same_role_cross_object"
+        success = bool(state.success)
+        self.episodes_seen += 1
+        self.outcomes_by_target[target].append(success)
+        if not success:
+            self.failures_by_target[target] += 1
+        self.reward_trend.append(float(state.last_reward or 0.0))
+        return self.mastery_snapshot()
+    def mastery_snapshot(self) -> dict[str, Any]:
+        target_mastery = {}
+        for target in WEAKNESS_TARGETS:
+            outcomes = self.outcomes_by_target.get(target, [])
+            target_mastery[target] = {
+                "episodes": len(outcomes),
+                "success_rate": sum(1 for item in outcomes if item) / max(1, len(outcomes)),
+                "failures": self.failures_by_target.get(target, 0),
+            }
+        return {
+            "episodes_seen": self.episodes_seen,
+            "recent_reward_mean": self._recent_reward_mean(),
+            "target_mastery": target_mastery,
+        }
+    def _difficulty_for_split(self, split: str, requested_difficulty: int) -> int:
+        difficulty = max(0, min(int(requested_difficulty), len(DIFFICULTY_TIERS) - 1))
+        if split == "hidden_eval":
+            return max(3, difficulty)
+        if self.episodes_seen >= self.window_size and self._recent_reward_mean() > 10.0:
+            return min(difficulty + 1, len(DIFFICULTY_TIERS) - 1)
+        return difficulty
+    def _target_for_seed(self, seed: int, split: str) -> str:
+        offset = 2 if split == "hidden_eval" else 0
+        return WEAKNESS_TARGETS[(int(seed) + offset) % len(WEAKNESS_TARGETS)]
+    def _recent_reward_mean(self) -> float:
+        if not self.reward_trend:
+            return 0.0
+        return sum(self.reward_trend) / len(self.reward_trend)

server/episode_logger.py ADDED Viewed

	@@ -0,0 +1,66 @@

+"""Episode artifact logging for training, debugging, and demos."""
+from __future__ import annotations
+import json
+import os
+from pathlib import Path
+from typing import Any
+try:
+    from ..models import CyberSecurityOWASPState
+except ImportError:  # pragma: no cover
+    from models import CyberSecurityOWASPState
+class EpisodeArtifactLogger:
+    """Appends compact JSONL episode transcripts under outputs/rollouts."""
+    def __init__(self, output_path: str | Path | None = None):
+        configured = output_path or os.getenv("CYBERSECURITY_OWASP_EPISODE_LOG")
+        self.output_path = Path(configured) if configured else Path("outputs/rollouts/episodes.jsonl")
+    def log_episode(
+        self,
+        state: CyberSecurityOWASPState,
+        *,
+        final_observation: dict[str, Any] | None = None,
+    ) -> Path:
+        self.output_path.parent.mkdir(parents=True, exist_ok=True)
+        record = {
+            "episode_id": state.episode_id,
+            "task_id": state.task_id,
+            "seed": state.seed,
+            "split": state.split,
+            "difficulty": state.difficulty,
+            "difficulty_tier": state.difficulty_tier,
+            "template_id": state.template_id,
+            "scenario_family": state.scenario_family,
+            "domain": state.domain,
+            "bug_family": state.bug_family,
+            "target_weakness": state.target_weakness,
+            "agent_actions": state.action_history,
+            "observations": state.observation_history,
+            "final_observation": final_observation or {},
+            "patch_diff": state.patch_diff,
+            "visible_test_result": self._verifier_layer(state, "visible"),
+            "hidden_test_result": self._verifier_layer(state, "hidden_tests"),
+            "oracle_result": self._verifier_layer(state, "oracle_matrix"),
+            "regression_result": self._verifier_layer(state, "regression"),
+            "reward_breakdown": state.reward_history[-1] if state.reward_history else {},
+            "reward_breakdown_by_step": state.reward_history,
+            "final_status": "resolved" if state.success else "failed",
+            "failure_reason": state.failure_reason,
+            "safety_violations": [
+                flag for flag in state.anti_cheat_flags if "network" in flag or "unsafe" in flag
+            ],
+            "anti_cheat_flags": state.anti_cheat_flags,
+            "metrics": state.metrics,
+        }
+        with self.output_path.open("a", encoding="utf-8") as handle:
+            handle.write(json.dumps(record, sort_keys=True) + "\n")
+        state.episode_artifact_path = str(self.output_path)
+        return self.output_path
+    def _verifier_layer(self, state: CyberSecurityOWASPState, key: str) -> Any:
+        return (state.verification_summary or {}).get(key)

server/reward_engine.py CHANGED Viewed

@@ -5,45 +5,24 @@ from __future__ import annotations
 try:
     from ..models import CyberSecurityOWASPAction, CyberSecurityOWASPState
     from ..rewards import compute_reward
-    from ..validators import (
-        patch_quality,
-        run_hidden_regression_tests,
-        run_hidden_security_tests,
-        run_public_route_tests,
-        run_visible_tests,
-        verify_finding,
-    )
 except ImportError:  # pragma: no cover
     from models import CyberSecurityOWASPAction, CyberSecurityOWASPState
     from rewards import compute_reward
-    from validators import (
-        patch_quality,
-        run_hidden_regression_tests,
-        run_hidden_security_tests,
-        run_public_route_tests,
-        run_visible_tests,
-        verify_finding,
-    )
 def evaluate_action(
     state: CyberSecurityOWASPState,
     action: CyberSecurityOWASPAction,
     anti_cheat_flags: list[str] | None = None,
 ) -> tuple[dict, dict[str, float]]:
-    verifier_result: dict = {"anti_cheat_flags": anti_cheat_flags or []}
-    if action.tool_name == "submit_finding":
-        verifier_result["finding"] = verify_finding(state, action.arguments)
-    elif action.tool_name == "run_visible_tests":
-        verifier_result["visible"] = run_visible_tests(state)
-    elif action.tool_name == "submit_fix":
-        verifier_result.update(
-            {
-                "visible": run_visible_tests(state),
-                "security": run_hidden_security_tests(state),
-                "regression": run_hidden_regression_tests(state),
-                "public_routes": run_public_route_tests(state),
-                "patch_quality": patch_quality(state),
-            }
-        )
     return verifier_result, compute_reward(state, action, verifier_result)

 try:
     from ..models import CyberSecurityOWASPAction, CyberSecurityOWASPState
     from ..rewards import compute_reward
+    from .verifier import MultiLayerVerifier
 except ImportError:  # pragma: no cover
     from models import CyberSecurityOWASPAction, CyberSecurityOWASPState
     from rewards import compute_reward
+    from server.verifier import MultiLayerVerifier
 def evaluate_action(
     state: CyberSecurityOWASPState,
     action: CyberSecurityOWASPAction,
     anti_cheat_flags: list[str] | None = None,
+    *,
+    invalid_action: bool = False,
 ) -> tuple[dict, dict[str, float]]:
+    verifier_result = MultiLayerVerifier().evaluate_action(
+        state,
+        action,
+        anti_cheat_flags,
+        invalid_action=invalid_action,
+    )
     return verifier_result, compute_reward(state, action, verifier_result)

server/scenario_factory.py ADDED Viewed

	@@ -0,0 +1,134 @@

+"""Closed-loop scenario factory for CyberSecurity_OWASP."""
+from __future__ import annotations
+import os
+import tempfile
+from pathlib import Path
+from typing import Any
+from uuid import uuid4
+try:
+    from ..fixture_generator import visible_workspace_summary
+    from ..policy_graph import build_invoice_policy
+    from ..template_renderer import render_fastapi_basic
+    from .adversarial_designer import BoundedAdversarialDesigner
+except ImportError:  # pragma: no cover
+    from fixture_generator import visible_workspace_summary
+    from policy_graph import build_invoice_policy
+    from template_renderer import render_fastapi_basic
+    from server.adversarial_designer import BoundedAdversarialDesigner
+def _make_workspace(prefix: str) -> Path:
+    root = Path(os.getenv("CYBERSECURITY_OWASP_WORKSPACE_ROOT", tempfile.gettempdir()))
+    root.mkdir(parents=True, exist_ok=True)
+    for _ in range(100):
+        workspace = root / f"{prefix}{uuid4().hex[:12]}"
+        try:
+            workspace.mkdir()
+        except FileExistsError:
+            continue
+        return workspace
+    raise RuntimeError("Unable to create isolated scenario workspace")
+def _visible_policy_hint(public_hint: dict[str, Any]) -> dict[str, Any]:
+    """Return partial policy observability without hidden oracle/test labels."""
+    return {
+        "domain": public_hint.get("domain", "invoices"),
+        "policy_rules": list(public_hint.get("policy_rules", [])),
+        "fixture_aliases": {
+            "users": dict(public_hint.get("users", {})),
+            "resources": dict(public_hint.get("resources", {})),
+        },
+        "public_routes": list(public_hint.get("public_routes", [])),
+        "observation_contract": {
+            "visible": [
+                "product policy summary",
+                "fixture aliases needed for local requests",
+                "route summaries",
+                "visible test results",
+            ],
+            "hidden": [
+                "oracle matrix",
+                "hidden invariant tests",
+                "injected bug label",
+                "held-out family label",
+            ],
+        },
+    }
+class ScenarioFactory:
+    """Compiles deterministic local app scenarios from curriculum profiles."""
+    def __init__(self, designer: BoundedAdversarialDesigner | None = None):
+        self.designer = designer or BoundedAdversarialDesigner()
+    def compile_scenario(
+        self,
+        seed: int,
+        *,
+        split: str = "train",
+        difficulty: int = 0,
+        curriculum_profile: dict[str, Any] | None = None,
+    ) -> dict[str, Any]:
+        profile = curriculum_profile or {
+            "difficulty": difficulty,
+            "difficulty_tier": "warmup",
+            "target_weakness": "same_role_cross_object",
+        }
+        adversarial_spec = self.designer.design(
+            seed=seed, split=split, curriculum_profile=profile
+        )
+        compiled = build_invoice_policy(seed)
+        workspace = _make_workspace(prefix=f"cybersecurity_owasp_{split}_{seed}_")
+        public_hint = _visible_policy_hint(compiled.public_hint)
+        editable_files = render_fastapi_basic(workspace, public_hint, compiled.hidden_facts)
+        workspace_summary = visible_workspace_summary(editable_files, public_hint)
+        workspace_summary.update(
+            {
+                "template_id": adversarial_spec["template_id"],
+                "target_weakness": adversarial_spec["target_weakness"],
+            }
+        )
+        hidden = dict(compiled.hidden_facts)
+        hidden.update(
+            {
+                "workspace": str(workspace),
+                "editable_files": editable_files,
+                "initial_file_hashes": {
+                    path: (workspace / path).read_text(encoding="utf-8")
+                    for path in editable_files
+                },
+                "adversarial_spec": adversarial_spec,
+                "scenario_family": adversarial_spec["scenario_family"],
+                "template_id": adversarial_spec["template_id"],
+                "target_weakness": adversarial_spec["target_weakness"],
+                "oracle_hidden_focus": adversarial_spec["hidden_focus"],
+            }
+        )
+        return {
+            "task_id": f"{split}-invoices-bola-{seed}",
+            "workspace": workspace,
+            "domain": adversarial_spec["domain"],
+            "bug_family": adversarial_spec["bug_family"],
+            "scenario_family": adversarial_spec["scenario_family"],
+            "template_id": adversarial_spec["template_id"],
+            "target_weakness": adversarial_spec["target_weakness"],
+            "difficulty": int(profile.get("difficulty", difficulty)),
+            "difficulty_tier": str(profile.get("difficulty_tier", "warmup")),
+            "curriculum_snapshot": profile,
+            "task_brief": (
+                "Inspect the generated invoices app and policy. Find the broken "
+                "authorization behavior, submit a finding with local evidence, patch "
+                "the app, preserve intended owner/admin/public behavior, then submit."
+            ),
+            "public_hint": public_hint,
+            "workspace_summary": workspace_summary,
+            "hidden_facts": hidden,
+        }

server/verifier.py ADDED Viewed

	@@ -0,0 +1,81 @@

+"""Multi-layer deterministic verifier for CyberSecurity_OWASP."""
+from __future__ import annotations
+import json
+from dataclasses import dataclass
+from typing import Any
+try:
+    from ..models import CyberSecurityOWASPAction, CyberSecurityOWASPState
+    from ..validators import (
+        patch_quality,
+        run_hidden_regression_tests,
+        run_hidden_security_tests,
+        run_public_route_tests,
+        run_visible_tests,
+        verify_finding,
+    )
+    from .authz_oracle import AuthzOracle
+except ImportError:  # pragma: no cover
+    from models import CyberSecurityOWASPAction, CyberSecurityOWASPState
+    from validators import (
+        patch_quality,
+        run_hidden_regression_tests,
+        run_hidden_security_tests,
+        run_public_route_tests,
+        run_visible_tests,
+        verify_finding,
+    )
+    from server.authz_oracle import AuthzOracle
+@dataclass
+class MultiLayerVerifier:
+    """Aggregates visible, hidden, oracle, regression, and patch-quality checks."""
+    oracle: AuthzOracle = AuthzOracle()
+    def evaluate_action(
+        self,
+        state: CyberSecurityOWASPState,
+        action: CyberSecurityOWASPAction,
+        anti_cheat_flags: list[str] | None = None,
+        *,
+        invalid_action: bool = False,
+    ) -> dict[str, Any]:
+        verifier_result: dict[str, Any] = {
+            "anti_cheat_flags": anti_cheat_flags or [],
+            "invalid_action": invalid_action,
+            "repeated_action": self._is_repeated_action(state, action),
+        }
+        if action.tool_name == "submit_finding":
+            verifier_result["finding"] = verify_finding(state, action.arguments)
+        elif action.tool_name == "run_visible_tests":
+            verifier_result["visible"] = run_visible_tests(state)
+        elif action.tool_name == "submit_fix":
+            verifier_result.update(self.run_terminal_checks(state))
+        return verifier_result
+    def run_terminal_checks(self, state: CyberSecurityOWASPState) -> dict[str, Any]:
+        security = run_hidden_security_tests(state)
+        return {
+            "visible": run_visible_tests(state),
+            "hidden_tests": security,
+            "security": security,
+            "oracle_matrix": self.oracle.evaluate(state),
+            "regression": run_hidden_regression_tests(state),
+            "public_routes": run_public_route_tests(state),
+            "patch_quality": patch_quality(state),
+        }
+    def public_summary(self, verifier_result: dict[str, Any]) -> dict[str, Any]:
+        """Return verifier fields that are safe for state/debug summaries."""
+        return json.loads(json.dumps(verifier_result))
+    def _is_repeated_action(
+        self, state: CyberSecurityOWASPState, action: CyberSecurityOWASPAction
+    ) -> bool:
+        current = {"tool_name": action.tool_name, "arguments": action.arguments}
+        return sum(1 for item in state.action_history if item == current) > 1

tests/test_web_interface.py ADDED Viewed

	@@ -0,0 +1,47 @@

+from fastapi.testclient import TestClient
+from server.app import app
+def test_space_root_redirects_to_openenv_web_ui():
+    client = TestClient(app)
+    response = client.get("/", follow_redirects=False)
+    assert response.status_code == 307
+    assert response.headers["location"] == "/web/"
+def test_openenv_web_ui_and_api_routes_are_available():
+    client = TestClient(app)
+    web_response = client.get("/web/")
+    health_response = client.get("/health")
+    state_response = client.get("/web/state")
+    assert web_response.status_code == 200
+    assert "text/html" in web_response.headers["content-type"]
+    assert "Reset" in web_response.text
+    assert "Step" in web_response.text
+    assert "Get state" in web_response.text
+    assert health_response.status_code == 200
+    assert health_response.json() == {"status": "healthy"}
+    assert state_response.status_code == 200
+    state = state_response.json()
+    assert "episode_id" in state
+    assert "step_count" in state
+def test_web_reset_returns_cybersecurity_observation():
+    client = TestClient(app)
+    response = client.post("/web/reset")
+    assert response.status_code == 200
+    payload = response.json()
+    observation = payload["observation"]
+    assert observation["phase"] == "discover"
+    assert "authorization" in observation["task_brief"]
+    assert "inspect_policy_graph" in observation["available_actions"]

training/eval_before_after.py CHANGED Viewed

@@ -5,6 +5,8 @@ from __future__ import annotations
 import json
 from pathlib import Path
 def summarize_runs(baseline: list[dict], trained: list[dict], heldout: list[dict]) -> dict:
     def mean(items: list[dict], key: str) -> float:
@@ -19,11 +21,27 @@ def summarize_runs(baseline: list[dict], trained: list[dict], heldout: list[dict
         "absolute_reward_improvement": mean(trained, "reward_total") - mean(baseline, "reward_total"),
         "heldout_success_rate": mean(heldout, "success"),
         "heldout_mean_reward": mean(heldout, "reward_total"),
     }
-def save_eval_summary(run_name: str, summary: dict) -> Path:
     output = Path("outputs/evals") / f"{run_name}_eval_summary.json"
     output.parent.mkdir(parents=True, exist_ok=True)
     output.write_text(json.dumps(summary, indent=2, sort_keys=True), encoding="utf-8")
     return output

 import json
 from pathlib import Path
+from training.trackio_utils import log_eval_summary
 def summarize_runs(baseline: list[dict], trained: list[dict], heldout: list[dict]) -> dict:
     def mean(items: list[dict], key: str) -> float:
         "absolute_reward_improvement": mean(trained, "reward_total") - mean(baseline, "reward_total"),
         "heldout_success_rate": mean(heldout, "success"),
         "heldout_mean_reward": mean(heldout, "reward_total"),
+        "exploit_block_rate": mean(trained, "exploit_blocked"),
+        "regression_preservation_rate": mean(trained, "regression_preserved"),
+        "public_route_preservation_rate": mean(trained, "public_routes_preserved"),
+        "anti_cheat_pass_rate": mean(trained, "anti_cheat_pass"),
+        "invalid_action_rate": mean(trained, "invalid_action_rate"),
+        "timeout_rate": mean(trained, "timeout"),
+        "safety_violation_rate": mean(trained, "safety_violation"),
+        "mean_episode_length": mean(trained, "episode_length"),
     }
+def save_eval_summary(
+    run_name: str,
+    summary: dict,
+    *,
+    track: bool = True,
+    trackio_config: dict | None = None,
+) -> Path:
     output = Path("outputs/evals") / f"{run_name}_eval_summary.json"
     output.parent.mkdir(parents=True, exist_ok=True)
     output.write_text(json.dumps(summary, indent=2, sort_keys=True), encoding="utf-8")
+    if track:
+        log_eval_summary(run_name, summary, config=trackio_config)
     return output

training/trackio_utils.py CHANGED Viewed

@@ -2,7 +2,12 @@
 from __future__ import annotations
 from datetime import datetime
 TRAIN_METRICS = [
@@ -34,7 +39,133 @@ TRAIN_METRICS = [
 ]
 def build_run_name(model: str, algo: str, difficulty: int, git_sha: str = "nogit") -> str:
-    stamp = datetime.utcnow().strftime("%Y%m%d-%H%M")
     model_slug = model.replace("/", "-")
     return f"CyberSecurity_OWASP-{model_slug}-{algo}-level{difficulty}-{stamp}-{git_sha[:8]}"

 from __future__ import annotations
+import os
+import subprocess
+from contextlib import contextmanager
 from datetime import datetime
+from pathlib import Path
+from typing import Any, Iterator
 TRAIN_METRICS = [
 ]
+EVAL_METRICS = [
+    "eval/baseline_success_rate",
+    "eval/trained_success_rate",
+    "eval/absolute_success_improvement",
+    "eval/baseline_mean_reward",
+    "eval/trained_mean_reward",
+    "eval/absolute_reward_improvement",
+    "eval/heldout_success_rate",
+    "eval/heldout_mean_reward",
+    "eval/exploit_block_rate",
+    "eval/regression_preservation_rate",
+    "eval/public_route_preservation_rate",
+    "eval/anti_cheat_pass_rate",
+    "eval/invalid_action_rate",
+    "eval/timeout_rate",
+    "eval/safety_violation_rate",
+    "eval/mean_episode_length",
+]
 def build_run_name(model: str, algo: str, difficulty: int, git_sha: str = "nogit") -> str:
+    stamp = datetime.utcnow().strftime("%Y%m%d-%H%M%S")
     model_slug = model.replace("/", "-")
     return f"CyberSecurity_OWASP-{model_slug}-{algo}-level{difficulty}-{stamp}-{git_sha[:8]}"
+def get_git_sha(default: str = "nogit") -> str:
+    try:
+        result = subprocess.run(
+            ["git", "rev-parse", "HEAD"],
+            check=True,
+            capture_output=True,
+            text=True,
+        )
+    except Exception:
+        return default
+    return result.stdout.strip() or default
+def _load_trackio():
+    os.environ.setdefault("TRACKIO_DIR", str((Path.cwd() / "outputs" / "trackio").resolve()))
+    try:
+        import trackio
+    except ImportError as exc:
+        raise RuntimeError(
+            "Trackio is required for CyberSecurity_OWASP runs. Install dependencies "
+            "with `uv sync` and set TRACKIO_SPACE_ID when you want remote HF Spaces tracking."
+        ) from exc
+    return trackio
+def init_trackio_run(
+    *,
+    run_name: str,
+    run_type: str,
+    config: dict[str, Any] | None = None,
+    project: str | None = None,
+    space_id: str | None = None,
+    group: str | None = None,
+):
+    trackio = _load_trackio()
+    project = project or os.getenv("TRACKIO_PROJECT", "CyberSecurity_OWASP")
+    space_id = space_id if space_id is not None else os.getenv("TRACKIO_SPACE_ID", "")
+    run_config = {
+        "environment": "CyberSecurity_OWASP",
+        "run_type": run_type,
+        **(config or {}),
+    }
+    kwargs: dict[str, Any] = {
+        "project": project,
+        "name": run_name,
+        "config": run_config,
+    }
+    if space_id:
+        kwargs["space_id"] = space_id
+    if group:
+        kwargs["group"] = group
+    return trackio.init(**kwargs)
+def log_trackio_metrics(metrics: dict[str, Any], step: int | None = None) -> None:
+    trackio = _load_trackio()
+    numeric = {
+        key: value
+        for key, value in metrics.items()
+        if isinstance(value, (int, float, bool))
+    }
+    if step is None:
+        trackio.log(numeric)
+    else:
+        trackio.log(numeric, step=step)
+def finish_trackio_run() -> None:
+    trackio = _load_trackio()
+    trackio.finish()
+@contextmanager
+def trackio_run(
+    *,
+    run_name: str,
+    run_type: str,
+    config: dict[str, Any] | None = None,
+    project: str | None = None,
+    space_id: str | None = None,
+    group: str | None = None,
+) -> Iterator[Any]:
+    run = init_trackio_run(
+        run_name=run_name,
+        run_type=run_type,
+        config=config,
+        project=project,
+        space_id=space_id,
+        group=group,
+    )
+    try:
+        yield run
+    finally:
+        finish_trackio_run()
+def log_eval_summary(run_name: str, summary: dict[str, Any], config: dict[str, Any] | None = None) -> None:
+    metrics = {
+        f"eval/{key}": float(value)
+        for key, value in summary.items()
+        if isinstance(value, (int, float, bool))
+    }
+    with trackio_run(run_name=run_name, run_type="eval", config=config, group="eval"):
+        log_trackio_metrics(metrics, step=0)

training/train_grpo.py CHANGED Viewed

@@ -9,16 +9,26 @@ from __future__ import annotations
 import os
 def build_grpo_config():
     from trl import GRPOConfig
     output_dir = os.getenv("OUTPUT_DIR", "CyberSecurity_OWASP-qwen3-1.7b-grpo")
     trackio_space_id = os.getenv("TRACKIO_SPACE_ID", output_dir)
     return GRPOConfig(
         output_dir=output_dir,
         report_to="trackio",
         trackio_space_id=trackio_space_id,
         logging_steps=1,
         save_steps=25,
         learning_rate=5e-6,

 import os
+from training.trackio_utils import build_run_name, get_git_sha
 def build_grpo_config():
     from trl import GRPOConfig
+    model_name = os.getenv("MODEL_NAME", "Qwen/Qwen3-1.7B")
+    difficulty = int(os.getenv("DIFFICULTY", "0"))
     output_dir = os.getenv("OUTPUT_DIR", "CyberSecurity_OWASP-qwen3-1.7b-grpo")
     trackio_space_id = os.getenv("TRACKIO_SPACE_ID", output_dir)
+    os.environ.setdefault("TRACKIO_PROJECT", "CyberSecurity_OWASP-grpo")
+    run_name = os.getenv(
+        "RUN_NAME",
+        build_run_name(model_name, "grpo", difficulty, git_sha=get_git_sha()),
+    )
     return GRPOConfig(
         output_dir=output_dir,
         report_to="trackio",
         trackio_space_id=trackio_space_id,
+        run_name=run_name,
         logging_steps=1,
         save_steps=25,
         learning_rate=5e-6,

uv.lock CHANGED Viewed

@@ -1283,6 +1283,49 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/7e/f5/f66802a942d491edb555dd61e3a9961140fd64c90bce1eafd741609d334d/httpcore-1.0.9-py3-none-any.whl", hash = "sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55", size = 78784, upload-time = "2025-04-24T22:06:20.566Z" },
 ]
 [[package]]
 name = "httpx"
 version = "0.28.1"
@@ -2136,6 +2179,7 @@ version = "0.1.0"
 source = { editable = "." }
 dependencies = [
     { name = "openenv-core", extra = ["core"] },
 ]
 [package.optional-dependencies]
@@ -2153,6 +2197,7 @@ requires-dist = [
     { name = "openenv-core", extras = ["core"], specifier = ">=0.2.2" },
     { name = "pytest", marker = "extra == 'dev'", specifier = ">=8.0.0" },
     { name = "pytest-cov", marker = "extra == 'dev'", specifier = ">=4.0.0" },
 ]
 provides-extras = ["dev", "modal"]
@@ -3411,6 +3456,26 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/16/e1/3079a9ff9b8e11b846c6ac5c8b5bfb7ff225eee721825310c91b3b50304f/tqdm-4.67.3-py3-none-any.whl", hash = "sha256:ee1e4c0e59148062281c49d80b25b67771a127c85fc9676d3be5f243206826bf", size = 78374, upload-time = "2026-02-03T17:35:50.982Z" },
 ]
 [[package]]
 name = "typer"
 version = "0.24.2"
@@ -3506,6 +3571,61 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/31/a3/5b1562db76a5a488274b2332a97199b32d0442aca0ed193697fd47786316/uvicorn-0.46.0-py3-none-any.whl", hash = "sha256:bbebbcbed972d162afca128605223022bedd345b7bc7855ce66deb31487a9048", size = 70926, upload-time = "2026-04-23T07:15:58.355Z" },
 ]
 [[package]]
 name = "watchfiles"
 version = "1.1.1"

     { url = "https://files.pythonhosted.org/packages/7e/f5/f66802a942d491edb555dd61e3a9961140fd64c90bce1eafd741609d334d/httpcore-1.0.9-py3-none-any.whl", hash = "sha256:2d400746a40668fc9dec9810239072b40b4484b640a8c38fd654a024c7a1bf55", size = 78784, upload-time = "2025-04-24T22:06:20.566Z" },
 ]
+[[package]]
+name = "httptools"
+version = "0.7.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/b5/46/120a669232c7bdedb9d52d4aeae7e6c7dfe151e99dc70802e2fc7a5e1993/httptools-0.7.1.tar.gz", hash = "sha256:abd72556974f8e7c74a259655924a717a2365b236c882c3f6f8a45fe94703ac9", size = 258961, upload-time = "2025-10-10T03:55:08.559Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/c7/e5/c07e0bcf4ec8db8164e9f6738c048b2e66aabf30e7506f440c4cc6953f60/httptools-0.7.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:11d01b0ff1fe02c4c32d60af61a4d613b74fad069e47e06e9067758c01e9ac78", size = 204531, upload-time = "2025-10-10T03:54:20.887Z" },
+    { url = "https://files.pythonhosted.org/packages/7e/4f/35e3a63f863a659f92ffd92bef131f3e81cf849af26e6435b49bd9f6f751/httptools-0.7.1-cp310-cp310-macosx_11_0_arm64.whl", hash = "sha256:84d86c1e5afdc479a6fdabf570be0d3eb791df0ae727e8dbc0259ed1249998d4", size = 109408, upload-time = "2025-10-10T03:54:22.455Z" },
+    { url = "https://files.pythonhosted.org/packages/f5/71/b0a9193641d9e2471ac541d3b1b869538a5fb6419d52fd2669fa9c79e4b8/httptools-0.7.1-cp310-cp310-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:c8c751014e13d88d2be5f5f14fc8b89612fcfa92a9cc480f2bc1598357a23a05", size = 440889, upload-time = "2025-10-10T03:54:23.753Z" },
+    { url = "https://files.pythonhosted.org/packages/eb/d9/2e34811397b76718750fea44658cb0205b84566e895192115252e008b152/httptools-0.7.1-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:654968cb6b6c77e37b832a9be3d3ecabb243bbe7a0b8f65fbc5b6b04c8fcabed", size = 440460, upload-time = "2025-10-10T03:54:25.313Z" },
+    { url = "https://files.pythonhosted.org/packages/01/3f/a04626ebeacc489866bb4d82362c0657b2262bef381d68310134be7f40bb/httptools-0.7.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:b580968316348b474b020edf3988eecd5d6eec4634ee6561e72ae3a2a0e00a8a", size = 425267, upload-time = "2025-10-10T03:54:26.81Z" },
+    { url = "https://files.pythonhosted.org/packages/a5/99/adcd4f66614db627b587627c8ad6f4c55f18881549bab10ecf180562e7b9/httptools-0.7.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:d496e2f5245319da9d764296e86c5bb6fcf0cf7a8806d3d000717a889c8c0b7b", size = 424429, upload-time = "2025-10-10T03:54:28.174Z" },
+    { url = "https://files.pythonhosted.org/packages/d5/72/ec8fc904a8fd30ba022dfa85f3bbc64c3c7cd75b669e24242c0658e22f3c/httptools-0.7.1-cp310-cp310-win_amd64.whl", hash = "sha256:cbf8317bfccf0fed3b5680c559d3459cccf1abe9039bfa159e62e391c7270568", size = 86173, upload-time = "2025-10-10T03:54:29.5Z" },
+    { url = "https://files.pythonhosted.org/packages/9c/08/17e07e8d89ab8f343c134616d72eebfe03798835058e2ab579dcc8353c06/httptools-0.7.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:474d3b7ab469fefcca3697a10d11a32ee2b9573250206ba1e50d5980910da657", size = 206521, upload-time = "2025-10-10T03:54:31.002Z" },
+    { url = "https://files.pythonhosted.org/packages/aa/06/c9c1b41ff52f16aee526fd10fbda99fa4787938aa776858ddc4a1ea825ec/httptools-0.7.1-cp311-cp311-macosx_11_0_arm64.whl", hash = "sha256:a3c3b7366bb6c7b96bd72d0dbe7f7d5eead261361f013be5f6d9590465ea1c70", size = 110375, upload-time = "2025-10-10T03:54:31.941Z" },
+    { url = "https://files.pythonhosted.org/packages/cc/cc/10935db22fda0ee34c76f047590ca0a8bd9de531406a3ccb10a90e12ea21/httptools-0.7.1-cp311-cp311-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:379b479408b8747f47f3b253326183d7c009a3936518cdb70db58cffd369d9df", size = 456621, upload-time = "2025-10-10T03:54:33.176Z" },
+    { url = "https://files.pythonhosted.org/packages/0e/84/875382b10d271b0c11aa5d414b44f92f8dd53e9b658aec338a79164fa548/httptools-0.7.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:cad6b591a682dcc6cf1397c3900527f9affef1e55a06c4547264796bbd17cf5e", size = 454954, upload-time = "2025-10-10T03:54:34.226Z" },
+    { url = "https://files.pythonhosted.org/packages/30/e1/44f89b280f7e46c0b1b2ccee5737d46b3bb13136383958f20b580a821ca0/httptools-0.7.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:eb844698d11433d2139bbeeb56499102143beb582bd6c194e3ba69c22f25c274", size = 440175, upload-time = "2025-10-10T03:54:35.942Z" },
+    { url = "https://files.pythonhosted.org/packages/6f/7e/b9287763159e700e335028bc1824359dc736fa9b829dacedace91a39b37e/httptools-0.7.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:f65744d7a8bdb4bda5e1fa23e4ba16832860606fcc09d674d56e425e991539ec", size = 440310, upload-time = "2025-10-10T03:54:37.1Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/07/5b614f592868e07f5c94b1f301b5e14a21df4e8076215a3bccb830a687d8/httptools-0.7.1-cp311-cp311-win_amd64.whl", hash = "sha256:135fbe974b3718eada677229312e97f3b31f8a9c8ffa3ae6f565bf808d5b6bcb", size = 86875, upload-time = "2025-10-10T03:54:38.421Z" },
+    { url = "https://files.pythonhosted.org/packages/53/7f/403e5d787dc4942316e515e949b0c8a013d84078a915910e9f391ba9b3ed/httptools-0.7.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:38e0c83a2ea9746ebbd643bdfb521b9aa4a91703e2cd705c20443405d2fd16a5", size = 206280, upload-time = "2025-10-10T03:54:39.274Z" },
+    { url = "https://files.pythonhosted.org/packages/2a/0d/7f3fd28e2ce311ccc998c388dd1c53b18120fda3b70ebb022b135dc9839b/httptools-0.7.1-cp312-cp312-macosx_11_0_arm64.whl", hash = "sha256:f25bbaf1235e27704f1a7b86cd3304eabc04f569c828101d94a0e605ef7205a5", size = 110004, upload-time = "2025-10-10T03:54:40.403Z" },
+    { url = "https://files.pythonhosted.org/packages/84/a6/b3965e1e146ef5762870bbe76117876ceba51a201e18cc31f5703e454596/httptools-0.7.1-cp312-cp312-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:2c15f37ef679ab9ecc06bfc4e6e8628c32a8e4b305459de7cf6785acd57e4d03", size = 517655, upload-time = "2025-10-10T03:54:41.347Z" },
+    { url = "https://files.pythonhosted.org/packages/11/7d/71fee6f1844e6fa378f2eddde6c3e41ce3a1fb4b2d81118dd544e3441ec0/httptools-0.7.1-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:7fe6e96090df46b36ccfaf746f03034e5ab723162bc51b0a4cf58305324036f2", size = 511440, upload-time = "2025-10-10T03:54:42.452Z" },
+    { url = "https://files.pythonhosted.org/packages/22/a5/079d216712a4f3ffa24af4a0381b108aa9c45b7a5cc6eb141f81726b1823/httptools-0.7.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:f72fdbae2dbc6e68b8239defb48e6a5937b12218e6ffc2c7846cc37befa84362", size = 495186, upload-time = "2025-10-10T03:54:43.937Z" },
+    { url = "https://files.pythonhosted.org/packages/e9/9e/025ad7b65278745dee3bd0ebf9314934c4592560878308a6121f7f812084/httptools-0.7.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:e99c7b90a29fd82fea9ef57943d501a16f3404d7b9ee81799d41639bdaae412c", size = 499192, upload-time = "2025-10-10T03:54:45.003Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/de/40a8f202b987d43afc4d54689600ff03ce65680ede2f31df348d7f368b8f/httptools-0.7.1-cp312-cp312-win_amd64.whl", hash = "sha256:3e14f530fefa7499334a79b0cf7e7cd2992870eb893526fb097d51b4f2d0f321", size = 86694, upload-time = "2025-10-10T03:54:45.923Z" },
+    { url = "https://files.pythonhosted.org/packages/09/8f/c77b1fcbfd262d422f12da02feb0d218fa228d52485b77b953832105bb90/httptools-0.7.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:6babce6cfa2a99545c60bfef8bee0cc0545413cb0018f617c8059a30ad985de3", size = 202889, upload-time = "2025-10-10T03:54:47.089Z" },
+    { url = "https://files.pythonhosted.org/packages/0a/1a/22887f53602feaa066354867bc49a68fc295c2293433177ee90870a7d517/httptools-0.7.1-cp313-cp313-macosx_11_0_arm64.whl", hash = "sha256:601b7628de7504077dd3dcb3791c6b8694bbd967148a6d1f01806509254fb1ca", size = 108180, upload-time = "2025-10-10T03:54:48.052Z" },
+    { url = "https://files.pythonhosted.org/packages/32/6a/6aaa91937f0010d288d3d124ca2946d48d60c3a5ee7ca62afe870e3ea011/httptools-0.7.1-cp313-cp313-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:04c6c0e6c5fb0739c5b8a9eb046d298650a0ff38cf42537fc372b28dc7e4472c", size = 478596, upload-time = "2025-10-10T03:54:48.919Z" },
+    { url = "https://files.pythonhosted.org/packages/6d/70/023d7ce117993107be88d2cbca566a7c1323ccbaf0af7eabf2064fe356f6/httptools-0.7.1-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:69d4f9705c405ae3ee83d6a12283dc9feba8cc6aaec671b412917e644ab4fa66", size = 473268, upload-time = "2025-10-10T03:54:49.993Z" },
+    { url = "https://files.pythonhosted.org/packages/32/4d/9dd616c38da088e3f436e9a616e1d0cc66544b8cdac405cc4e81c8679fc7/httptools-0.7.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:44c8f4347d4b31269c8a9205d8a5ee2df5322b09bbbd30f8f862185bb6b05346", size = 455517, upload-time = "2025-10-10T03:54:51.066Z" },
+    { url = "https://files.pythonhosted.org/packages/1d/3a/a6c595c310b7df958e739aae88724e24f9246a514d909547778d776799be/httptools-0.7.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:465275d76db4d554918aba40bf1cbebe324670f3dfc979eaffaa5d108e2ed650", size = 458337, upload-time = "2025-10-10T03:54:52.196Z" },
+    { url = "https://files.pythonhosted.org/packages/fd/82/88e8d6d2c51edc1cc391b6e044c6c435b6aebe97b1abc33db1b0b24cd582/httptools-0.7.1-cp313-cp313-win_amd64.whl", hash = "sha256:322d00c2068d125bd570f7bf78b2d367dad02b919d8581d7476d8b75b294e3e6", size = 85743, upload-time = "2025-10-10T03:54:53.448Z" },
+    { url = "https://files.pythonhosted.org/packages/34/50/9d095fcbb6de2d523e027a2f304d4551855c2f46e0b82befd718b8b20056/httptools-0.7.1-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:c08fe65728b8d70b6923ce31e3956f859d5e1e8548e6f22ec520a962c6757270", size = 203619, upload-time = "2025-10-10T03:54:54.321Z" },
+    { url = "https://files.pythonhosted.org/packages/07/f0/89720dc5139ae54b03f861b5e2c55a37dba9a5da7d51e1e824a1f343627f/httptools-0.7.1-cp314-cp314-macosx_11_0_arm64.whl", hash = "sha256:7aea2e3c3953521c3c51106ee11487a910d45586e351202474d45472db7d72d3", size = 108714, upload-time = "2025-10-10T03:54:55.163Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/cb/eea88506f191fb552c11787c23f9a405f4c7b0c5799bf73f2249cd4f5228/httptools-0.7.1-cp314-cp314-manylinux1_x86_64.manylinux_2_28_x86_64.manylinux_2_5_x86_64.whl", hash = "sha256:0e68b8582f4ea9166be62926077a3334064d422cf08ab87d8b74664f8e9058e1", size = 472909, upload-time = "2025-10-10T03:54:56.056Z" },
+    { url = "https://files.pythonhosted.org/packages/e0/4a/a548bdfae6369c0d078bab5769f7b66f17f1bfaa6fa28f81d6be6959066b/httptools-0.7.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:df091cf961a3be783d6aebae963cc9b71e00d57fa6f149025075217bc6a55a7b", size = 470831, upload-time = "2025-10-10T03:54:57.219Z" },
+    { url = "https://files.pythonhosted.org/packages/4d/31/14df99e1c43bd132eec921c2e7e11cda7852f65619bc0fc5bdc2d0cb126c/httptools-0.7.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:f084813239e1eb403ddacd06a30de3d3e09a9b76e7894dcda2b22f8a726e9c60", size = 452631, upload-time = "2025-10-10T03:54:58.219Z" },
+    { url = "https://files.pythonhosted.org/packages/22/d2/b7e131f7be8d854d48cb6d048113c30f9a46dca0c9a8b08fcb3fcd588cdc/httptools-0.7.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:7347714368fb2b335e9063bc2b96f2f87a9ceffcd9758ac295f8bbcd3ffbc0ca", size = 452910, upload-time = "2025-10-10T03:54:59.366Z" },
+    { url = "https://files.pythonhosted.org/packages/53/cf/878f3b91e4e6e011eff6d1fa9ca39f7eb17d19c9d7971b04873734112f30/httptools-0.7.1-cp314-cp314-win_amd64.whl", hash = "sha256:cfabda2a5bb85aa2a904ce06d974a3f30fb36cc63d7feaddec05d2050acede96", size = 88205, upload-time = "2025-10-10T03:55:00.389Z" },
+]
 [[package]]
 name = "httpx"
 version = "0.28.1"
 source = { editable = "." }
 dependencies = [
     { name = "openenv-core", extra = ["core"] },
+    { name = "trackio" },
 ]
 [package.optional-dependencies]
     { name = "openenv-core", extras = ["core"], specifier = ">=0.2.2" },
     { name = "pytest", marker = "extra == 'dev'", specifier = ">=8.0.0" },
     { name = "pytest-cov", marker = "extra == 'dev'", specifier = ">=4.0.0" },
+    { name = "trackio", specifier = ">=0.22.0" },
 ]
 provides-extras = ["dev", "modal"]
     { url = "https://files.pythonhosted.org/packages/16/e1/3079a9ff9b8e11b846c6ac5c8b5bfb7ff225eee721825310c91b3b50304f/tqdm-4.67.3-py3-none-any.whl", hash = "sha256:ee1e4c0e59148062281c49d80b25b67771a127c85fc9676d3be5f243206826bf", size = 78374, upload-time = "2026-02-03T17:35:50.982Z" },
 ]
+[[package]]
+name = "trackio"
+version = "0.25.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "gradio-client" },
+    { name = "huggingface-hub" },
+    { name = "numpy", version = "2.2.6", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version < '3.11'" },
+    { name = "numpy", version = "2.4.4", source = { registry = "https://pypi.org/simple" }, marker = "python_full_version >= '3.11'" },
+    { name = "orjson" },
+    { name = "pillow" },
+    { name = "python-multipart" },
+    { name = "starlette" },
+    { name = "tomli", marker = "python_full_version < '3.11'" },
+    { name = "uvicorn", extra = ["standard"] },
+]
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e7/4d/2aa0e1ca6daebdfac79fadd2ab308d5880c8d0305b2ce8b88900f95a8415/trackio-0.25.0-py3-none-any.whl", hash = "sha256:6c1ae7decef6e35d1165a6b2536d6df8c67594329bdf6bd9f1786c153a532b9f", size = 1653706, upload-time = "2026-04-23T15:45:29.887Z" },
+]
 [[package]]
 name = "typer"
 version = "0.24.2"
     { url = "https://files.pythonhosted.org/packages/31/a3/5b1562db76a5a488274b2332a97199b32d0442aca0ed193697fd47786316/uvicorn-0.46.0-py3-none-any.whl", hash = "sha256:bbebbcbed972d162afca128605223022bedd345b7bc7855ce66deb31487a9048", size = 70926, upload-time = "2026-04-23T07:15:58.355Z" },
 ]
+[package.optional-dependencies]
+standard = [
+    { name = "colorama", marker = "sys_platform == 'win32'" },
+    { name = "httptools" },
+    { name = "python-dotenv" },
+    { name = "pyyaml" },
+    { name = "uvloop", marker = "platform_python_implementation != 'PyPy' and sys_platform != 'cygwin' and sys_platform != 'win32'" },
+    { name = "watchfiles" },
+    { name = "websockets" },
+]
+[[package]]
+name = "uvloop"
+version = "0.22.1"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/06/f0/18d39dbd1971d6d62c4629cc7fa67f74821b0dc1f5a77af43719de7936a7/uvloop-0.22.1.tar.gz", hash = "sha256:6c84bae345b9147082b17371e3dd5d42775bddce91f885499017f4607fdaf39f", size = 2443250, upload-time = "2025-10-16T22:17:19.342Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/eb/14/ecceb239b65adaaf7fde510aa8bd534075695d1e5f8dadfa32b5723d9cfb/uvloop-0.22.1-cp310-cp310-macosx_10_9_universal2.whl", hash = "sha256:ef6f0d4cc8a9fa1f6a910230cd53545d9a14479311e87e3cb225495952eb672c", size = 1343335, upload-time = "2025-10-16T22:16:11.43Z" },
+    { url = "https://files.pythonhosted.org/packages/ba/ae/6f6f9af7f590b319c94532b9567409ba11f4fa71af1148cab1bf48a07048/uvloop-0.22.1-cp310-cp310-macosx_10_9_x86_64.whl", hash = "sha256:7cd375a12b71d33d46af85a3343b35d98e8116134ba404bd657b3b1d15988792", size = 742903, upload-time = "2025-10-16T22:16:12.979Z" },
+    { url = "https://files.pythonhosted.org/packages/09/bd/3667151ad0702282a1f4d5d29288fce8a13c8b6858bf0978c219cd52b231/uvloop-0.22.1-cp310-cp310-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:ac33ed96229b7790eb729702751c0e93ac5bc3bcf52ae9eccbff30da09194b86", size = 3648499, upload-time = "2025-10-16T22:16:14.451Z" },
+    { url = "https://files.pythonhosted.org/packages/b3/f6/21657bb3beb5f8c57ce8be3b83f653dd7933c2fd00545ed1b092d464799a/uvloop-0.22.1-cp310-cp310-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:481c990a7abe2c6f4fc3d98781cc9426ebd7f03a9aaa7eb03d3bfc68ac2a46bd", size = 3700133, upload-time = "2025-10-16T22:16:16.272Z" },
+    { url = "https://files.pythonhosted.org/packages/09/e0/604f61d004ded805f24974c87ddd8374ef675644f476f01f1df90e4cdf72/uvloop-0.22.1-cp310-cp310-musllinux_1_2_aarch64.whl", hash = "sha256:a592b043a47ad17911add5fbd087c76716d7c9ccc1d64ec9249ceafd735f03c2", size = 3512681, upload-time = "2025-10-16T22:16:18.07Z" },
+    { url = "https://files.pythonhosted.org/packages/bb/ce/8491fd370b0230deb5eac69c7aae35b3be527e25a911c0acdffb922dc1cd/uvloop-0.22.1-cp310-cp310-musllinux_1_2_x86_64.whl", hash = "sha256:1489cf791aa7b6e8c8be1c5a080bae3a672791fcb4e9e12249b05862a2ca9cec", size = 3615261, upload-time = "2025-10-16T22:16:19.596Z" },
+    { url = "https://files.pythonhosted.org/packages/c7/d5/69900f7883235562f1f50d8184bb7dd84a2fb61e9ec63f3782546fdbd057/uvloop-0.22.1-cp311-cp311-macosx_10_9_universal2.whl", hash = "sha256:c60ebcd36f7b240b30788554b6f0782454826a0ed765d8430652621b5de674b9", size = 1352420, upload-time = "2025-10-16T22:16:21.187Z" },
+    { url = "https://files.pythonhosted.org/packages/a8/73/c4e271b3bce59724e291465cc936c37758886a4868787da0278b3b56b905/uvloop-0.22.1-cp311-cp311-macosx_10_9_x86_64.whl", hash = "sha256:3b7f102bf3cb1995cfeaee9321105e8f5da76fdb104cdad8986f85461a1b7b77", size = 748677, upload-time = "2025-10-16T22:16:22.558Z" },
+    { url = "https://files.pythonhosted.org/packages/86/94/9fb7fad2f824d25f8ecac0d70b94d0d48107ad5ece03769a9c543444f78a/uvloop-0.22.1-cp311-cp311-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:53c85520781d84a4b8b230e24a5af5b0778efdb39142b424990ff1ef7c48ba21", size = 3753819, upload-time = "2025-10-16T22:16:23.903Z" },
+    { url = "https://files.pythonhosted.org/packages/74/4f/256aca690709e9b008b7108bc85fba619a2bc37c6d80743d18abad16ee09/uvloop-0.22.1-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:56a2d1fae65fd82197cb8c53c367310b3eabe1bbb9fb5a04d28e3e3520e4f702", size = 3804529, upload-time = "2025-10-16T22:16:25.246Z" },
+    { url = "https://files.pythonhosted.org/packages/7f/74/03c05ae4737e871923d21a76fe28b6aad57f5c03b6e6bfcfa5ad616013e4/uvloop-0.22.1-cp311-cp311-musllinux_1_2_aarch64.whl", hash = "sha256:40631b049d5972c6755b06d0bfe8233b1bd9a8a6392d9d1c45c10b6f9e9b2733", size = 3621267, upload-time = "2025-10-16T22:16:26.819Z" },
+    { url = "https://files.pythonhosted.org/packages/75/be/f8e590fe61d18b4a92070905497aec4c0e64ae1761498cad09023f3f4b3e/uvloop-0.22.1-cp311-cp311-musllinux_1_2_x86_64.whl", hash = "sha256:535cc37b3a04f6cd2c1ef65fa1d370c9a35b6695df735fcff5427323f2cd5473", size = 3723105, upload-time = "2025-10-16T22:16:28.252Z" },
+    { url = "https://files.pythonhosted.org/packages/3d/ff/7f72e8170be527b4977b033239a83a68d5c881cc4775fca255c677f7ac5d/uvloop-0.22.1-cp312-cp312-macosx_10_13_universal2.whl", hash = "sha256:fe94b4564e865d968414598eea1a6de60adba0c040ba4ed05ac1300de402cd42", size = 1359936, upload-time = "2025-10-16T22:16:29.436Z" },
+    { url = "https://files.pythonhosted.org/packages/c3/c6/e5d433f88fd54d81ef4be58b2b7b0cea13c442454a1db703a1eea0db1a59/uvloop-0.22.1-cp312-cp312-macosx_10_13_x86_64.whl", hash = "sha256:51eb9bd88391483410daad430813d982010f9c9c89512321f5b60e2cddbdddd6", size = 752769, upload-time = "2025-10-16T22:16:30.493Z" },
+    { url = "https://files.pythonhosted.org/packages/24/68/a6ac446820273e71aa762fa21cdcc09861edd3536ff47c5cd3b7afb10eeb/uvloop-0.22.1-cp312-cp312-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:700e674a166ca5778255e0e1dc4e9d79ab2acc57b9171b79e65feba7184b3370", size = 4317413, upload-time = "2025-10-16T22:16:31.644Z" },
+    { url = "https://files.pythonhosted.org/packages/5f/6f/e62b4dfc7ad6518e7eff2516f680d02a0f6eb62c0c212e152ca708a0085e/uvloop-0.22.1-cp312-cp312-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:7b5b1ac819a3f946d3b2ee07f09149578ae76066d70b44df3fa990add49a82e4", size = 4426307, upload-time = "2025-10-16T22:16:32.917Z" },
+    { url = "https://files.pythonhosted.org/packages/90/60/97362554ac21e20e81bcef1150cb2a7e4ffdaf8ea1e5b2e8bf7a053caa18/uvloop-0.22.1-cp312-cp312-musllinux_1_2_aarch64.whl", hash = "sha256:e047cc068570bac9866237739607d1313b9253c3051ad84738cbb095be0537b2", size = 4131970, upload-time = "2025-10-16T22:16:34.015Z" },
+    { url = "https://files.pythonhosted.org/packages/99/39/6b3f7d234ba3964c428a6e40006340f53ba37993f46ed6e111c6e9141d18/uvloop-0.22.1-cp312-cp312-musllinux_1_2_x86_64.whl", hash = "sha256:512fec6815e2dd45161054592441ef76c830eddaad55c8aa30952e6fe1ed07c0", size = 4296343, upload-time = "2025-10-16T22:16:35.149Z" },
+    { url = "https://files.pythonhosted.org/packages/89/8c/182a2a593195bfd39842ea68ebc084e20c850806117213f5a299dfc513d9/uvloop-0.22.1-cp313-cp313-macosx_10_13_universal2.whl", hash = "sha256:561577354eb94200d75aca23fbde86ee11be36b00e52a4eaf8f50fb0c86b7705", size = 1358611, upload-time = "2025-10-16T22:16:36.833Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/14/e301ee96a6dc95224b6f1162cd3312f6d1217be3907b79173b06785f2fe7/uvloop-0.22.1-cp313-cp313-macosx_10_13_x86_64.whl", hash = "sha256:1cdf5192ab3e674ca26da2eada35b288d2fa49fdd0f357a19f0e7c4e7d5077c8", size = 751811, upload-time = "2025-10-16T22:16:38.275Z" },
+    { url = "https://files.pythonhosted.org/packages/b7/02/654426ce265ac19e2980bfd9ea6590ca96a56f10c76e63801a2df01c0486/uvloop-0.22.1-cp313-cp313-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:6e2ea3d6190a2968f4a14a23019d3b16870dd2190cd69c8180f7c632d21de68d", size = 4288562, upload-time = "2025-10-16T22:16:39.375Z" },
+    { url = "https://files.pythonhosted.org/packages/15/c0/0be24758891ef825f2065cd5db8741aaddabe3e248ee6acc5e8a80f04005/uvloop-0.22.1-cp313-cp313-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:0530a5fbad9c9e4ee3f2b33b148c6a64d47bbad8000ea63704fa8260f4cf728e", size = 4366890, upload-time = "2025-10-16T22:16:40.547Z" },
+    { url = "https://files.pythonhosted.org/packages/d2/53/8369e5219a5855869bcee5f4d317f6da0e2c669aecf0ef7d371e3d084449/uvloop-0.22.1-cp313-cp313-musllinux_1_2_aarch64.whl", hash = "sha256:bc5ef13bbc10b5335792360623cc378d52d7e62c2de64660616478c32cd0598e", size = 4119472, upload-time = "2025-10-16T22:16:41.694Z" },
+    { url = "https://files.pythonhosted.org/packages/f8/ba/d69adbe699b768f6b29a5eec7b47dd610bd17a69de51b251126a801369ea/uvloop-0.22.1-cp313-cp313-musllinux_1_2_x86_64.whl", hash = "sha256:1f38ec5e3f18c8a10ded09742f7fb8de0108796eb673f30ce7762ce1b8550cad", size = 4239051, upload-time = "2025-10-16T22:16:43.224Z" },
+    { url = "https://files.pythonhosted.org/packages/90/cd/b62bdeaa429758aee8de8b00ac0dd26593a9de93d302bff3d21439e9791d/uvloop-0.22.1-cp314-cp314-macosx_10_13_universal2.whl", hash = "sha256:3879b88423ec7e97cd4eba2a443aa26ed4e59b45e6b76aabf13fe2f27023a142", size = 1362067, upload-time = "2025-10-16T22:16:44.503Z" },
+    { url = "https://files.pythonhosted.org/packages/0d/f8/a132124dfda0777e489ca86732e85e69afcd1ff7686647000050ba670689/uvloop-0.22.1-cp314-cp314-macosx_10_13_x86_64.whl", hash = "sha256:4baa86acedf1d62115c1dc6ad1e17134476688f08c6efd8a2ab076e815665c74", size = 752423, upload-time = "2025-10-16T22:16:45.968Z" },
+    { url = "https://files.pythonhosted.org/packages/a3/94/94af78c156f88da4b3a733773ad5ba0b164393e357cc4bd0ab2e2677a7d6/uvloop-0.22.1-cp314-cp314-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:297c27d8003520596236bdb2335e6b3f649480bd09e00d1e3a99144b691d2a35", size = 4272437, upload-time = "2025-10-16T22:16:47.451Z" },
+    { url = "https://files.pythonhosted.org/packages/b5/35/60249e9fd07b32c665192cec7af29e06c7cd96fa1d08b84f012a56a0b38e/uvloop-0.22.1-cp314-cp314-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:c1955d5a1dd43198244d47664a5858082a3239766a839b2102a269aaff7a4e25", size = 4292101, upload-time = "2025-10-16T22:16:49.318Z" },
+    { url = "https://files.pythonhosted.org/packages/02/62/67d382dfcb25d0a98ce73c11ed1a6fba5037a1a1d533dcbb7cab033a2636/uvloop-0.22.1-cp314-cp314-musllinux_1_2_aarch64.whl", hash = "sha256:b31dc2fccbd42adc73bc4e7cdbae4fc5086cf378979e53ca5d0301838c5682c6", size = 4114158, upload-time = "2025-10-16T22:16:50.517Z" },
+    { url = "https://files.pythonhosted.org/packages/f0/7a/f1171b4a882a5d13c8b7576f348acfe6074d72eaf52cccef752f748d4a9f/uvloop-0.22.1-cp314-cp314-musllinux_1_2_x86_64.whl", hash = "sha256:93f617675b2d03af4e72a5333ef89450dfaa5321303ede6e67ba9c9d26878079", size = 4177360, upload-time = "2025-10-16T22:16:52.646Z" },
+    { url = "https://files.pythonhosted.org/packages/79/7b/b01414f31546caf0919da80ad57cbfe24c56b151d12af68cee1b04922ca8/uvloop-0.22.1-cp314-cp314t-macosx_10_13_universal2.whl", hash = "sha256:37554f70528f60cad66945b885eb01f1bb514f132d92b6eeed1c90fd54ed6289", size = 1454790, upload-time = "2025-10-16T22:16:54.355Z" },
+    { url = "https://files.pythonhosted.org/packages/d4/31/0bb232318dd838cad3fa8fb0c68c8b40e1145b32025581975e18b11fab40/uvloop-0.22.1-cp314-cp314t-macosx_10_13_x86_64.whl", hash = "sha256:b76324e2dc033a0b2f435f33eb88ff9913c156ef78e153fb210e03c13da746b3", size = 796783, upload-time = "2025-10-16T22:16:55.906Z" },
+    { url = "https://files.pythonhosted.org/packages/42/38/c9b09f3271a7a723a5de69f8e237ab8e7803183131bc57c890db0b6bb872/uvloop-0.22.1-cp314-cp314t-manylinux2014_aarch64.manylinux_2_17_aarch64.manylinux_2_28_aarch64.whl", hash = "sha256:badb4d8e58ee08dad957002027830d5c3b06aea446a6a3744483c2b3b745345c", size = 4647548, upload-time = "2025-10-16T22:16:57.008Z" },
+    { url = "https://files.pythonhosted.org/packages/c1/37/945b4ca0ac27e3dc4952642d4c900edd030b3da6c9634875af6e13ae80e5/uvloop-0.22.1-cp314-cp314t-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl", hash = "sha256:b91328c72635f6f9e0282e4a57da7470c7350ab1c9f48546c0f2866205349d21", size = 4467065, upload-time = "2025-10-16T22:16:58.206Z" },
+    { url = "https://files.pythonhosted.org/packages/97/cc/48d232f33d60e2e2e0b42f4e73455b146b76ebe216487e862700457fbf3c/uvloop-0.22.1-cp314-cp314t-musllinux_1_2_aarch64.whl", hash = "sha256:daf620c2995d193449393d6c62131b3fbd40a63bf7b307a1527856ace637fe88", size = 4328384, upload-time = "2025-10-16T22:16:59.36Z" },
+    { url = "https://files.pythonhosted.org/packages/e4/16/c1fd27e9549f3c4baf1dc9c20c456cd2f822dbf8de9f463824b0c0357e06/uvloop-0.22.1-cp314-cp314t-musllinux_1_2_x86_64.whl", hash = "sha256:6cde23eeda1a25c75b2e07d39970f3374105d5eafbaab2a4482be82f272d5a5e", size = 4296730, upload-time = "2025-10-16T22:17:00.744Z" },
+]
 [[package]]
 name = "watchfiles"
 version = "1.1.1"