Spaces:

Nomearod
/

agentbench

Running

App Files Files Community

Nomearod Claude Opus 4.6 (1M context) commited on Mar 31

Commit

4717d76

1 Parent(s): 79e4ae8

feat(security): add security config models to AppConfig

Browse files

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Files changed (3) hide show

agent_bench/core/config.py +39 -0
configs/default.yaml +25 -0
tests/test_security_config.py +58 -0

agent_bench/core/config.py CHANGED Viewed

@@ -90,6 +90,44 @@ class EvaluationConfig(BaseModel):
     golden_dataset: str = "agent_bench/evaluation/datasets/tech_docs_golden.json"
 class AppConfig(BaseModel):
     agent: AgentConfig = AgentConfig()
     provider: ProviderConfig = ProviderConfig()
@@ -99,6 +137,7 @@ class AppConfig(BaseModel):
     embedding: EmbeddingConfig = EmbeddingConfig()
     serving: ServingConfig = ServingConfig()
     evaluation: EvaluationConfig = EvaluationConfig()
 # --- Task config ---

     golden_dataset: str = "agent_bench/evaluation/datasets/tech_docs_golden.json"
+class InjectionConfig(BaseModel):
+    enabled: bool = True
+    action: str = "block"  # block | warn | flag
+    tiers: list[str] = ["heuristic", "classifier"]
+    classifier_url: str = ""
+class PIIConfig(BaseModel):
+    enabled: bool = True
+    mode: str = "redact"  # redact | detect_only | passthrough
+    redact_patterns: list[str] = [
+        "EMAIL", "PHONE", "SSN", "CREDIT_CARD", "IP_ADDRESS",
+    ]
+    use_ner: bool = False
+    ner_entities: list[str] = ["PERSON"]
+class OutputConfig(BaseModel):
+    enabled: bool = True
+    pii_check: bool = True
+    url_check: bool = True
+    blocklist: list[str] = []
+class AuditConfig(BaseModel):
+    enabled: bool = True
+    path: str = "logs/audit.jsonl"
+    max_size_mb: int = 100
+    rotate: bool = True
+class SecurityConfig(BaseModel):
+    injection: InjectionConfig = InjectionConfig()
+    pii: PIIConfig = PIIConfig()
+    output: OutputConfig = OutputConfig()
+    audit: AuditConfig = AuditConfig()
 class AppConfig(BaseModel):
     agent: AgentConfig = AgentConfig()
     provider: ProviderConfig = ProviderConfig()
     embedding: EmbeddingConfig = EmbeddingConfig()
     serving: ServingConfig = ServingConfig()
     evaluation: EvaluationConfig = EvaluationConfig()
+    security: SecurityConfig = SecurityConfig()
 # --- Task config ---

configs/default.yaml CHANGED Viewed

@@ -55,3 +55,28 @@ serving:
 evaluation:
   judge_provider: openai
   golden_dataset: agent_bench/evaluation/datasets/tech_docs_golden.json

 evaluation:
   judge_provider: openai
   golden_dataset: agent_bench/evaluation/datasets/tech_docs_golden.json
+security:
+  injection:
+    enabled: true
+    action: block
+    tiers:
+      - heuristic
+      - classifier
+    classifier_url: ""
+  pii:
+    enabled: true
+    mode: redact
+    redact_patterns: [EMAIL, PHONE, SSN, CREDIT_CARD, IP_ADDRESS]
+    use_ner: false
+    ner_entities: [PERSON]
+  output:
+    enabled: true
+    pii_check: true
+    url_check: true
+    blocklist: []
+  audit:
+    enabled: true
+    path: logs/audit.jsonl
+    max_size_mb: 100
+    rotate: true

tests/test_security_config.py ADDED Viewed

	@@ -0,0 +1,58 @@

+"""Tests for security configuration models."""
+from agent_bench.core.config import AppConfig
+class TestSecurityConfig:
+    def test_security_config_has_defaults(self):
+        """SecurityConfig is present on AppConfig with sane defaults."""
+        config = AppConfig()
+        assert config.security.injection.enabled is True
+        assert config.security.injection.action == "block"
+        assert config.security.injection.tiers == ["heuristic", "classifier"]
+        assert config.security.pii.enabled is True
+        assert config.security.pii.mode == "redact"
+        assert "EMAIL" in config.security.pii.redact_patterns
+        assert config.security.pii.use_ner is False
+        assert config.security.output.enabled is True
+        assert config.security.output.pii_check is True
+        assert config.security.output.url_check is True
+        assert config.security.output.blocklist == []
+        assert config.security.audit.enabled is True
+        assert config.security.audit.path == "logs/audit.jsonl"
+    def test_security_config_from_yaml(self, tmp_path):
+        """Security config loads from YAML correctly."""
+        import yaml
+        config_data = {
+            "security": {
+                "injection": {"enabled": False, "action": "warn"},
+                "pii": {"mode": "passthrough", "use_ner": True},
+                "audit": {"path": "custom/audit.jsonl", "max_size_mb": 50},
+            }
+        }
+        yaml_path = tmp_path / "test.yaml"
+        yaml_path.write_text(yaml.dump(config_data))
+        from agent_bench.core.config import load_config
+        config = load_config(path=yaml_path)
+        assert config.security.injection.enabled is False
+        assert config.security.injection.action == "warn"
+        assert config.security.pii.mode == "passthrough"
+        assert config.security.pii.use_ner is True
+        assert config.security.audit.path == "custom/audit.jsonl"
+        assert config.security.audit.max_size_mb == 50
+    def test_injection_action_values(self):
+        """Injection action accepts block, warn, flag."""
+        from agent_bench.core.config import InjectionConfig
+        for action in ("block", "warn", "flag"):
+            cfg = InjectionConfig(action=action)
+            assert cfg.action == action
+    def test_pii_mode_values(self):
+        """PII mode accepts redact, detect_only, passthrough."""
+        from agent_bench.core.config import PIIConfig
+        for mode in ("redact", "detect_only", "passthrough"):
+            cfg = PIIConfig(mode=mode)
+            assert cfg.mode == mode