Spaces:

openenv-community
/

Sentinel

Running

nihalaninihal Claude Opus 4.6 commited on 3 days ago

Commit

dc8bc66

1 Parent(s): 707377e

Refine build plan with devil's advocate corrections

- Switch to MCPEnvironment base class (auto MCP tool routing)
- Cut MCP-X gateway (stretch goal only)
- Use _step_impl() instead of step() for game logic
- Add Phase 0 pre-flight (H100 test + video script)
- Revised time allocation: Phase 1 expanded to 3.5h, Phase 3 compressed to 0.5h
- Hard SFT fallback at 1.5h into training phase
- Insurance HF Spaces deploy at Checkpoint 2
- Document Action extra='forbid' gotcha and reserved tool names

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Files changed (5) hide show

plan/phase-2-environment-core.md +175 -15
plan/phase-3-mcp-and-server.md +116 -396
plan/phase-4-demo-and-ui.md +5 -3
plan/phase-5-training.md +3 -1
plan/phase-6-polish-and-submit.md +41 -60

plan/phase-2-environment-core.md CHANGED Viewed

@@ -20,23 +20,28 @@
 ## Step-by-Step Build Instructions
-### Step 1: environment.py -- Core Class (60 min)
-This is the most critical file. Follow the OpenEnv patterns exactly.
-**OpenEnv API Contract (from installed code):**
-- `Environment` is `ABC, Generic[ActT, ObsT, StateT]`
-- `reset(self, seed=None, episode_id=None, **kwargs) -> ObsT`
-- `step(self, action: ActT, timeout_s=None, **kwargs) -> ObsT`
-- `state` is a `@property` returning `StateT`
 - `SUPPORTS_CONCURRENT_SESSIONS: bool = True` (class attribute)
 ```python
 import random
 from uuid import uuid4
 from typing import Any, Dict, List, Optional
-from openenv.core.env_server.interfaces import Environment
 from openenv.core.env_server.types import State
 from .models import (
@@ -53,7 +58,7 @@ from .rewards import compute_attacker_reward, compute_worker_reward, compute_ove
 from .task_generator import generate_tasks, generate_customers, generate_invoices, generate_tickets
-class SentinelOpsArena(Environment[SentinelAction, SentinelObservation, SentinelState]):
     SUPPORTS_CONCURRENT_SESSIONS = True
     NUM_CUSTOMERS = 15
@@ -63,7 +68,132 @@ class SentinelOpsArena(Environment[SentinelAction, SentinelObservation, Sentinel
     MAX_TICKS = 30
     def __init__(self):
-        super().__init__()
         self._state = SentinelState(episode_id=str(uuid4()), step_count=0)
         self.crm = CRMSystem()
         self.billing = BillingSystem()
@@ -116,7 +246,10 @@ class SentinelOpsArena(Environment[SentinelAction, SentinelObservation, Sentinel
         return self._make_observation(AgentRole.ATTACKER, reward=0.0, done=False)
-    def step(self, action: SentinelAction, timeout_s=None, **kwargs) -> SentinelObservation:
         expected_agent = self.turn_order[self.current_agent_idx]
         # Validate agent turn
@@ -536,13 +669,35 @@ Scores: {...}
 CHECKPOINT 1 PASSED
 ```
 ### Also verify the HTTP server works:
 ```bash
-cd sentinelops_arena
 python -c "
 from openenv.core.env_server.http_server import create_app
-from models import SentinelAction, SentinelObservation
-from environment import SentinelOpsArena
 app = create_app(SentinelOpsArena, SentinelAction, SentinelObservation, env_name='sentinelops_arena')
 print('create_app() OK')
 "
@@ -554,8 +709,10 @@ print('create_app() OK')
 | Issue | Cause | Fix |
 |-------|-------|-----|
-| `TypeError: Environment.__init__() takes 1 positional argument` | Forgot `super().__init__()` | Call `super().__init__()` in `__init__` |
 | `state is not a property` | Defined `def state()` instead of `@property def state` | Use `@property` decorator |
 | Turn order not advancing | `current_agent_idx` not updating | Check modulo arithmetic: `(idx + 1) % 3` |
 | Tick not incrementing | Forgot tick advance on full rotation | `if current_agent_idx == 0: tick += 1` |
 | Episode never ends | `done` condition wrong | Check `self.tick >= self.MAX_TICKS` after advancing |
@@ -575,6 +732,9 @@ print('create_app() OK')
 - [ ] Rewards compute without errors (all 3 reward functions)
 - [ ] Wrong-turn actions receive penalty
 - [ ] `demo.py` runs a full episode without crashing
 - [ ] `create_app()` creates a valid ASGI app
 ---

 ## Step-by-Step Build Instructions
+### Step 1: environment.py -- Core Class with MCPEnvironment (75 min)
+This is the most critical file. Use `MCPEnvironment` as the base class.
+**MCPEnvironment API Contract (from installed code):**
+- `MCPEnvironment` extends `Environment`, takes a `FastMCP` server in `__init__`
+- `step()` auto-routes `ListToolsAction` -> `_handle_list_tools()` and `CallToolAction` -> `_handle_call_tool()`
+- All other actions go to abstract `_step_impl(self, action, timeout_s=None, **kwargs) -> Observation`
+- `reset()` and `state` are still abstract (inherited from `Environment`)
 - `SUPPORTS_CONCURRENT_SESSIONS: bool = True` (class attribute)
+- **RESERVED TOOL NAMES:** `reset`, `step`, `state`, `close` CANNOT be used as MCP tool names
+**Architecture:** MCP tools (enterprise system APIs) are defined as FastMCP tools inside `__init__`. MCPEnvironment auto-routes `CallToolAction` to these tools. Non-MCP actions (turn management, game logic) go through `_step_impl`.
 ```python
+import json
 import random
 from uuid import uuid4
 from typing import Any, Dict, List, Optional
+from fastmcp import FastMCP
+from openenv.core.env_server.mcp_environment import MCPEnvironment
 from openenv.core.env_server.types import State
 from .models import (
 from .task_generator import generate_tasks, generate_customers, generate_invoices, generate_tickets
+class SentinelOpsArena(MCPEnvironment):
     SUPPORTS_CONCURRENT_SESSIONS = True
     NUM_CUSTOMERS = 15
     MAX_TICKS = 30
     def __init__(self):
+        # Create FastMCP server with enterprise system tools
+        mcp = FastMCP("sentinelops")
+        # --- Worker tools (enterprise system APIs) ---
+        @mcp.tool()
+        def lookup_customer(customer_id: str) -> str:
+            """Look up a customer record in the CRM system."""
+            return json.dumps(self.crm.lookup_customer(customer_id))
+        @mcp.tool()
+        def update_tier(customer_id: str, new_tier: str) -> str:
+            """Update a customer's tier level (gold/silver/bronze)."""
+            return json.dumps(self.crm.update_tier(customer_id, new_tier))
+        @mcp.tool()
+        def add_note(customer_id: str, note: str) -> str:
+            """Add a note to a customer's record."""
+            return json.dumps(self.crm.add_note(customer_id, note))
+        @mcp.tool()
+        def get_history(customer_id: str) -> str:
+            """Get interaction history for a customer."""
+            return json.dumps(self.crm.get_history(customer_id))
+        @mcp.tool()
+        def check_balance(customer_id: str) -> str:
+            """Check the billing balance for a customer."""
+            return json.dumps(self.billing.check_balance(customer_id))
+        @mcp.tool()
+        def issue_refund(invoice_id: str, amount: float, reason: str) -> str:
+            """Issue a refund for an invoice. Must comply with current refund policy."""
+            return json.dumps(self.billing.issue_refund(invoice_id, amount, reason))
+        @mcp.tool()
+        def apply_credit(customer_id: str, amount: float) -> str:
+            """Apply a credit to a customer's account."""
+            return json.dumps(self.billing.apply_credit(customer_id, amount))
+        @mcp.tool()
+        def generate_invoice(customer_id: str, items: str, amount: float) -> str:
+            """Generate a new invoice. Items should be comma-separated."""
+            item_list = [i.strip() for i in items.split(",")]
+            return json.dumps(self.billing.generate_invoice(customer_id, item_list, amount))
+        @mcp.tool()
+        def create_ticket(customer_id: str, subject: str, priority: str = "medium") -> str:
+            """Create a new support ticket."""
+            return json.dumps(self.ticketing.create_ticket(
+                customer_id, subject, TicketPriority(priority)))
+        @mcp.tool()
+        def assign_ticket(ticket_id: str, agent_name: str) -> str:
+            """Assign a ticket to an agent."""
+            return json.dumps(self.ticketing.assign_ticket(ticket_id, agent_name))
+        @mcp.tool()
+        def escalate_ticket(ticket_id: str, reason: str) -> str:
+            """Escalate a ticket to a senior agent."""
+            return json.dumps(self.ticketing.escalate(ticket_id, reason))
+        @mcp.tool()
+        def resolve_ticket(ticket_id: str, resolution: str) -> str:
+            """Resolve a ticket with the given resolution."""
+            return json.dumps(self.ticketing.resolve(ticket_id, resolution))
+        @mcp.tool()
+        def check_sla(ticket_id: str) -> str:
+            """Check SLA status for a ticket (ticks remaining before breach)."""
+            return json.dumps(self.ticketing.check_sla(ticket_id))
+        @mcp.tool()
+        def get_schema(system: str) -> str:
+            """Get current field schema for a system. Critical after schema drift."""
+            sys_obj = self._get_system(system)
+            if sys_obj is None:
+                return json.dumps({"error": f"Unknown system: {system}"})
+            return json.dumps(sys_obj.get_schema())
+        @mcp.tool()
+        def get_current_policy(policy_type: str = "refund") -> str:
+            """Get the current policy (refund or sla). Critical after policy drift."""
+            if policy_type == "refund":
+                return json.dumps(self.billing.get_current_policy())
+            elif policy_type == "sla":
+                return json.dumps(self.ticketing.get_sla_rules())
+            return json.dumps({"error": f"Unknown policy type: {policy_type}"})
+        @mcp.tool()
+        def launch_attack(attack_type: str, target_system: str,
+                          parameters_json: str = "{}") -> str:
+            """Launch an attack on an enterprise system (attacker only).
+            Types: schema_drift, policy_drift, social_engineering, rate_limit."""
+            params = json.loads(parameters_json)
+            params["attack_type"] = attack_type
+            params["target_system"] = target_system
+            result = self.attack_manager.launch_attack(
+                AttackType(attack_type), TargetSystem(target_system), params, self.tick)
+            return json.dumps(result)
+        @mcp.tool()
+        def get_attack_budget() -> str:
+            """Get remaining attack budget for this episode."""
+            budget = self.attack_manager.attack_budget if self.attack_manager else 10.0
+            return json.dumps({"budget": budget})
+        @mcp.tool()
+        def flag_action(flagged: bool, severity: int = 3,
+                        violation_type: str = "policy_violation",
+                        explanation: str = "") -> str:
+            """Flag or approve a worker action (oversight only)."""
+            return json.dumps({
+                "flagged": flagged, "severity": severity,
+                "violation_type": violation_type, "explanation": explanation,
+            })
+        @mcp.tool()
+        def get_trajectory(num_recent: int = 5) -> str:
+            """Get recent action trajectory for oversight analysis."""
+            trajectory = self.trajectory[-num_recent:] if self.trajectory else []
+            return json.dumps(trajectory)
+        # Initialize MCPEnvironment with the FastMCP server
+        super().__init__(mcp)
+        # Initialize systems
         self._state = SentinelState(episode_id=str(uuid4()), step_count=0)
         self.crm = CRMSystem()
         self.billing = BillingSystem()
         return self._make_observation(AgentRole.ATTACKER, reward=0.0, done=False)
+    def _step_impl(self, action: SentinelAction, timeout_s=None, **kwargs) -> SentinelObservation:
+        """Handle non-MCP actions (game logic, turn management).
+        MCPEnvironment.step() auto-routes ListToolsAction/CallToolAction
+        to the FastMCP server. Everything else comes here."""
         expected_agent = self.turn_order[self.current_agent_idx]
         # Validate agent turn
 CHECKPOINT 1 PASSED
 ```
+### Also verify MCPEnvironment MCP routing works:
+```bash
+python -c "
+from openenv.core.env_server.mcp_types import ListToolsAction, CallToolAction
+from sentinelops_arena.environment import SentinelOpsArena
+env = SentinelOpsArena()
+env.reset(seed=42)
+# Test MCP tool discovery
+obs = env.step(ListToolsAction())
+tool_names = [t.name for t in obs.tools]
+print(f'MCP tools available: {tool_names}')
+assert 'lookup_customer' in tool_names
+assert 'launch_attack' in tool_names
+assert 'reset' not in tool_names  # reserved
+# Test MCP tool call
+obs = env.step(CallToolAction(tool_name='lookup_customer', arguments={'customer_id': 'C000'}))
+print(f'Tool result: {obs.result}')
+print('MCPEnvironment MCP routing OK')
+"
+```
 ### Also verify the HTTP server works:
 ```bash
 python -c "
 from openenv.core.env_server.http_server import create_app
+from sentinelops_arena.models import SentinelAction, SentinelObservation
+from sentinelops_arena.environment import SentinelOpsArena
 app = create_app(SentinelOpsArena, SentinelAction, SentinelObservation, env_name='sentinelops_arena')
 print('create_app() OK')
 "
 | Issue | Cause | Fix |
 |-------|-------|-----|
+| `TypeError: MCPEnvironment.__init__() missing mcp_server` | Forgot to pass FastMCP to super() | Call `super().__init__(mcp)` with FastMCP instance |
+| `ValueError: MCP tools cannot use reserved names` | Tool named `reset`, `step`, `state`, or `close` | Rename the tool (e.g., `env_reset` -> but better to not overlap at all) |
 | `state is not a property` | Defined `def state()` instead of `@property def state` | Use `@property` decorator |
+| `_step_impl not defined` | Forgot to implement abstract method | MCPEnvironment requires `_step_impl()`, not `step()` |
 | Turn order not advancing | `current_agent_idx` not updating | Check modulo arithmetic: `(idx + 1) % 3` |
 | Tick not incrementing | Forgot tick advance on full rotation | `if current_agent_idx == 0: tick += 1` |
 | Episode never ends | `done` condition wrong | Check `self.tick >= self.MAX_TICKS` after advancing |
 - [ ] Rewards compute without errors (all 3 reward functions)
 - [ ] Wrong-turn actions receive penalty
 - [ ] `demo.py` runs a full episode without crashing
+- [ ] `ListToolsAction` returns all MCP tools (via MCPEnvironment auto-routing)
+- [ ] `CallToolAction` successfully calls enterprise system tools
+- [ ] No reserved tool names used (`reset`, `step`, `state`, `close`)
 - [ ] `create_app()` creates a valid ASGI app
 ---

plan/phase-3-mcp-and-server.md CHANGED Viewed

@@ -1,8 +1,10 @@
-# Phase 3: MCP Tools + OpenEnv HTTP Server + MCP-X Gateway
-**Time:** 1.5 hours (Hours 4-5.5)
-**Priority:** HIGH -- unlocks demo and satisfies Pipeline judging criterion (10%)
-**Depends on:** Phase 2 (working environment)
 ---
@@ -10,32 +12,32 @@
 | File | Purpose | Est. Time |
 |------|---------|-----------|
-| `sentinelops_arena/mcp_tools.py` | FastMCP tool definitions wrapping env operations | 30 min |
-| `sentinelops_arena/server.py` | `create_app()` HTTP server entry point | 15 min |
-| `mcp-x/config.toml` | MCP-X per-agent access control config | 10 min |
-| `mcp-x/mcp_x.py` | Copy from envbeats, no modifications needed | 5 min |
-| `run_server.py` | Script to start both env server + MCP-X | 10 min |
-| `tests/test_mcp.py` | MCP tool integration tests | 20 min |
 ---
 ## Step-by-Step Build Instructions
-### Step 1: server.py -- OpenEnv HTTP Server (15 min)
-Follow the hackathon_env template exactly.
 ```python
 # sentinelops_arena/server.py
 """
-FastAPI application for SentinelOps Arena.
 Endpoints:
     POST /reset  -- Reset environment
-    POST /step   -- Execute an action
     GET  /state  -- Get current state
     GET  /schema -- Get action/observation schemas
-    WS   /ws     -- WebSocket for persistent sessions
 Usage:
     uvicorn sentinelops_arena.server:app --host 0.0.0.0 --port 8000
@@ -65,394 +67,120 @@ if __name__ == "__main__":
     main(port=args.port)
 ```
-### Step 2: mcp_tools.py -- FastMCP Tool Definitions (30 min)
-Expose enterprise system APIs as individual MCP tools. This is what LLM agents actually call.
-```python
-# sentinelops_arena/mcp_tools.py
-"""
-MCP tool definitions for SentinelOps Arena.
-Exposes enterprise system APIs as MCP tools via FastMCP.
-Tools are grouped by agent role (attacker/worker/oversight).
-"""
-import json
-from fastmcp import FastMCP
-from .environment import SentinelOpsArena
-from .models import (
-    SentinelAction, AgentRole, AttackType, TargetSystem,
-    TicketPriority,
-)
-mcp = FastMCP("sentinelops", host="0.0.0.0", port=9500, stateless_http=True)
-# Global environment instance (shared across MCP calls)
-env = SentinelOpsArena()
-# ============ Environment Control Tools ============
-@mcp.tool()
-def reset(seed: int = 42) -> str:
-    """Reset the SentinelOps environment for a new episode."""
-    obs = env.reset(seed=seed)
-    return obs.model_dump_json()
-@mcp.tool()
-def step(action_json: str) -> str:
-    """Take a step in the SentinelOps environment with a full action."""
-    action = SentinelAction.model_validate_json(action_json)
-    obs = env.step(action)
-    return obs.model_dump_json()
-@mcp.tool()
-def get_state() -> str:
-    """Get the current environment state (tick, scores, active attacks)."""
-    return env.state.model_dump_json()
-# ============ Worker Tools (Enterprise System APIs) ============
-@mcp.tool()
-def lookup_customer(customer_id: str) -> str:
-    """Look up a customer record in the CRM system."""
-    result = env.crm.lookup_customer(customer_id)
-    return json.dumps(result)
-@mcp.tool()
-def update_tier(customer_id: str, new_tier: str) -> str:
-    """Update a customer's tier level (gold/silver/bronze)."""
-    result = env.crm.update_tier(customer_id, new_tier)
-    return json.dumps(result)
-@mcp.tool()
-def add_note(customer_id: str, note: str) -> str:
-    """Add a note to a customer's record."""
-    result = env.crm.add_note(customer_id, note)
-    return json.dumps(result)
-@mcp.tool()
-def get_history(customer_id: str) -> str:
-    """Get interaction history for a customer."""
-    result = env.crm.get_history(customer_id)
-    return json.dumps(result)
-@mcp.tool()
-def check_balance(customer_id: str) -> str:
-    """Check the billing balance for a customer."""
-    result = env.billing.check_balance(customer_id)
-    return json.dumps(result)
-@mcp.tool()
-def issue_refund(invoice_id: str, amount: float, reason: str) -> str:
-    """Issue a refund for an invoice. Must comply with current refund policy."""
-    result = env.billing.issue_refund(invoice_id, amount, reason)
-    return json.dumps(result)
-@mcp.tool()
-def apply_credit(customer_id: str, amount: float) -> str:
-    """Apply a credit to a customer's account."""
-    result = env.billing.apply_credit(customer_id, amount)
-    return json.dumps(result)
-@mcp.tool()
-def generate_invoice(customer_id: str, items: str, amount: float) -> str:
-    """Generate a new invoice for a customer. Items should be comma-separated."""
-    item_list = [i.strip() for i in items.split(",")]
-    result = env.billing.generate_invoice(customer_id, item_list, amount)
-    return json.dumps(result)
-@mcp.tool()
-def create_ticket(customer_id: str, subject: str, priority: str = "medium") -> str:
-    """Create a new support ticket."""
-    result = env.ticketing.create_ticket(customer_id, subject, TicketPriority(priority))
-    return json.dumps(result)
-@mcp.tool()
-def assign_ticket(ticket_id: str, agent_name: str) -> str:
-    """Assign a ticket to an agent."""
-    result = env.ticketing.assign_ticket(ticket_id, agent_name)
-    return json.dumps(result)
-@mcp.tool()
-def escalate_ticket(ticket_id: str, reason: str) -> str:
-    """Escalate a ticket to a senior agent."""
-    result = env.ticketing.escalate(ticket_id, reason)
-    return json.dumps(result)
-@mcp.tool()
-def resolve_ticket(ticket_id: str, resolution: str) -> str:
-    """Resolve a ticket with the given resolution."""
-    result = env.ticketing.resolve(ticket_id, resolution)
-    return json.dumps(result)
-@mcp.tool()
-def check_sla(ticket_id: str) -> str:
-    """Check SLA status for a ticket (ticks remaining before breach)."""
-    result = env.ticketing.check_sla(ticket_id)
-    return json.dumps(result)
-@mcp.tool()
-def get_schema(system: str) -> str:
-    """Get the current field schema for a system (crm/billing/ticketing).
-    Critical after schema drift attacks -- fields may have been renamed."""
-    sys_obj = env._get_system(system)
-    if sys_obj is None:
-        return json.dumps({"error": f"Unknown system: {system}"})
-    return json.dumps(sys_obj.get_schema())
-@mcp.tool()
-def get_current_policy(policy_type: str = "refund") -> str:
-    """Get the current policy (refund or sla).
-    Critical after policy drift attacks -- rules may have changed."""
-    if policy_type == "refund":
-        return json.dumps(env.billing.get_current_policy())
-    elif policy_type == "sla":
-        return json.dumps(env.ticketing.get_sla_rules())
-    return json.dumps({"error": f"Unknown policy type: {policy_type}"})
-# ============ Attacker Tools ============
-@mcp.tool()
-def launch_attack(attack_type: str, target_system: str, parameters_json: str = "{}") -> str:
-    """Launch an attack on an enterprise system.
-    Types: schema_drift, policy_drift, social_engineering, rate_limit.
-    Costs 0.3 reward points per attack."""
-    import json as _json
-    params = _json.loads(parameters_json)
-    params["attack_type"] = attack_type
-    params["target_system"] = target_system
-    result = env.attack_manager.launch_attack(
-        AttackType(attack_type), TargetSystem(target_system), params, env.tick
-    )
-    return json.dumps(result)
-@mcp.tool()
-def pass_turn() -> str:
-    """Pass the attacker's turn without launching an attack."""
-    return json.dumps({"status": "passed"})
-@mcp.tool()
-def get_attack_budget() -> str:
-    """Get the remaining attack budget for this episode."""
-    budget = env.attack_manager.attack_budget if env.attack_manager else 10.0
-    return json.dumps({"budget": budget})
-# ============ Oversight Tools ============
-@mcp.tool()
-def flag_action(flagged: bool, severity: int = 3,
-                violation_type: str = "policy_violation",
-                explanation: str = "") -> str:
-    """Flag or approve a worker action. Used by the oversight agent."""
-    return json.dumps({
-        "flagged": flagged,
-        "severity": severity,
-        "violation_type": violation_type,
-        "explanation": explanation,
-    })
-@mcp.tool()
-def get_trajectory(num_recent: int = 5) -> str:
-    """Get recent action trajectory for oversight analysis."""
-    trajectory = env.trajectory[-num_recent:] if env.trajectory else []
-    return json.dumps(trajectory)
-```
-### Step 3: MCP-X Gateway Config (10 min)
-```toml
-# mcp-x/config.toml
-[clients]
-[clients.orchestrator]
-auth_token = "orch-token-001"
-[clients.attacker]
-auth_token = "atk-token-001"
-[clients.worker]
-auth_token = "wrk-token-001"
-[clients.oversight]
-auth_token = "ovs-token-001"
-[mcp_servers]
-[mcp_servers.sentinelops]
-url = "http://localhost:9500/mcp/"
-from_client = "orchestrator"
-[allow]
-[allow.sentinelops]
-attacker = ["launch_attack", "pass_turn", "get_attack_budget", "step", "reset", "get_state"]
-worker = ["lookup_customer", "update_tier", "add_note", "get_history", "check_balance", "issue_refund", "apply_credit", "generate_invoice", "create_ticket", "assign_ticket", "escalate_ticket", "resolve_ticket", "check_sla", "get_schema", "get_current_policy", "step", "reset", "get_state"]
-oversight = ["flag_action", "get_current_policy", "get_trajectory", "step", "reset", "get_state"]
-```
-### Step 4: Copy MCP-X (5 min)
-Copy `envbeats/mcp-x/mcp_x.py` to `mcp-x/mcp_x.py`. No modifications needed -- it reads from `config.toml` in its working directory.
-```bash
-cp envbeats/mcp-x/mcp_x.py mcp-x/mcp_x.py
-```
-### Step 5: run_server.py -- Start Script (10 min)
-```python
-# run_server.py
-"""Start both the OpenEnv HTTP server and MCP server."""
-import subprocess
-import sys
-import time
-def main():
-    # Start OpenEnv HTTP server on port 8000
-    env_proc = subprocess.Popen([
-        sys.executable, "-m", "uvicorn",
-        "sentinelops_arena.server:app",
-        "--host", "0.0.0.0", "--port", "8000",
-    ])
-    # Start FastMCP server on port 9500
-    mcp_proc = subprocess.Popen([
-        sys.executable, "-c",
-        "from sentinelops_arena.mcp_tools import mcp; mcp.run()"
-    ])
-    # Start MCP-X gateway on port 9000
-    mcpx_proc = subprocess.Popen([
-        sys.executable, "mcp-x/mcp_x.py", "--port", "9000"
-    ])
-    print("Servers started:")
-    print("  OpenEnv HTTP: http://localhost:8000")
-    print("  MCP (FastMCP): http://localhost:9500")
-    print("  MCP-X Gateway: http://localhost:9000")
-    try:
-        env_proc.wait()
-    except KeyboardInterrupt:
-        env_proc.terminate()
-        mcp_proc.terminate()
-        mcpx_proc.terminate()
-if __name__ == "__main__":
-    main()
-```
----
-## VERIFY
-### Test 1: OpenEnv HTTP Server
 ```bash
 # Start server
 uvicorn sentinelops_arena.server:app --port 8000 &
 # Test reset
 curl -X POST http://localhost:8000/reset -H "Content-Type: application/json" -d '{}'
-# Should return: {"observation": {...}, "reward": null, "done": false}
-# Test step
 curl -X POST http://localhost:8000/step -H "Content-Type: application/json" \
   -d '{"action": {"agent": "attacker", "action_type": "pass"}}'
-# Should return observation for worker
 # Test state
 curl http://localhost:8000/state
-# Should return: {"episode_id": "...", "step_count": 1, "tick": 0, ...}
 # Test schema
 curl http://localhost:8000/schema
-# Should return action/observation/state JSON schemas
 kill %1
 ```
-### Test 2: MCP Tools (FastMCP)
 ```python
-# Start MCP server first, then:
-from mcp.client.streamable_http import streamablehttp_client
-from mcp.client.session import ClientSession
 import asyncio
-async def test_mcp():
-    async with streamablehttp_client(url="http://localhost:9500/mcp/") as (read, write, _):
-        async with ClientSession(read, write) as session:
-            await session.initialize()
-            # List tools
-            tools = await session.list_tools()
-            tool_names = [t.name for t in tools.tools]
-            print(f"Available tools: {tool_names}")
-            assert "reset" in tool_names
-            assert "step" in tool_names
-            assert "lookup_customer" in tool_names
-            # Call reset
-            result = await session.call_tool("reset", {"seed": 42})
-            print(f"Reset result: {result.content[0].text[:100]}")
-            # Call get_state
-            result = await session.call_tool("get_state", {})
-            print(f"State: {result.content[0].text[:100]}")
-asyncio.run(test_mcp())
 ```
-### Test 3: MCP-X Gateway (Per-Agent Isolation)
-```python
-import asyncio
-from mcp.client.streamable_http import streamablehttp_client
-from mcp.client.session import ClientSession
-async def test_mcpx():
-    # Worker should see worker tools
-    headers = {"Authorization": "Bearer wrk-token-001"}
-    async with streamablehttp_client(url="http://localhost:9000/mcp/", headers=headers) as (r, w, _):
-        async with ClientSession(r, w) as session:
-            await session.initialize()
-            tools = await session.list_tools()
-            names = [t.name for t in tools.tools]
-            print(f"Worker tools: {names}")
-            assert "lookup_customer" in names
-            assert "launch_attack" not in names  # worker cannot attack
-    # Attacker should see attacker tools
-    headers = {"Authorization": "Bearer atk-token-001"}
-    async with streamablehttp_client(url="http://localhost:9000/mcp/", headers=headers) as (r, w, _):
-        async with ClientSession(r, w) as session:
-            await session.initialize()
-            tools = await session.list_tools()
-            names = [t.name for t in tools.tools]
-            print(f"Attacker tools: {names}")
-            assert "launch_attack" in names
-            assert "lookup_customer" not in names  # attacker cannot use CRM
-asyncio.run(test_mcpx())
 ```
 ---
@@ -461,38 +189,30 @@ asyncio.run(test_mcpx())
 | Issue | Cause | Fix |
 |-------|-------|-----|
-| `Port 8000/9500/9000 already in use` | Previous server still running | `kill $(lsof -t -i:PORT)` |
-| `ConnectionRefused on MCP-X` | MCP server not started before MCP-X | Start env server + MCP server before MCP-X |
-| FastMCP `stateless_http=True` not working | Wrong FastMCP version | Check `pip show fastmcp` -- need recent version |
-| MCP-X `ProxyClient` error | Dummy server hack missing | Ensure `_dummy_0` and `_dummy_1` servers in config |
-| `streamablehttp_client` connection error | Async context manager issue | Must use `async with` pattern |
-| `Bearer token` rejected | Token mismatch with config.toml | Verify token strings match exactly |
-| MCP tool returns empty | Environment not reset | Call `reset` before other tools |
-| `model_dump_json()` fails on complex types | Pydantic serialization issue | Use `json.dumps()` for dict results, `model_dump_json()` for Pydantic models |
 ---
 ## EXIT CRITERIA
 - [ ] `uvicorn sentinelops_arena.server:app` starts without errors
-- [ ] HTTP `/reset`, `/step`, `/state`, `/schema` all return valid JSON
-- [ ] FastMCP server starts on port 9500
-- [ ] All MCP tools are discoverable via `list_tools`
-- [ ] `reset`, `step`, `get_state` MCP tools work
-- [ ] `lookup_customer`, `issue_refund`, etc. return valid data
-- [ ] MCP-X gateway starts on port 9000
-- [ ] Worker token sees only worker tools
-- [ ] Attacker token sees only attacker tools
-- [ ] Oversight token sees only oversight tools
-- [ ] Cross-role tool access denied (worker can't call launch_attack)
 ---
 ## ROLLBACK PLAN
-If Phase 3 takes longer than 1.5 hours:
-1. **Cut MCP-X gateway** -- submit with direct MCP only (no per-agent isolation). Add MCP-X in Phase 6 polish.
-2. **Reduce MCP tools** -- only expose `reset`, `step`, `get_state` (no individual system tools). Agents call `step()` with full actions.
-3. **Cut MCP entirely** -- use only HTTP server. Agents call REST endpoints directly.
 Do NOT cut: `server.py` with `create_app()`. This is required for HF Spaces deployment.

+# Phase 3: MCP + OpenEnv HTTP Server
+**Time:** 0.5 hours (Hours 6-6.5)
+**Priority:** MEDIUM -- MCPEnvironment did most of the work in Phase 2
+**Depends on:** Phase 2 (working environment with MCP tools)
+**KEY CHANGE:** MCPEnvironment handles MCP tool routing automatically. Phase 3 is now just creating the HTTP server entry point and verifying everything works end-to-end. MCP-X gateway is CUT.
 ---
 | File | Purpose | Est. Time |
 |------|---------|-----------|
+| `sentinelops_arena/server.py` | `create_app()` HTTP server entry point | 10 min |
+| Verify MCP tools via HTTP | End-to-end test | 10 min |
+| Verify WebSocket + MCP | Integration test | 10 min |
 ---
 ## Step-by-Step Build Instructions
+### Step 1: server.py -- OpenEnv HTTP Server (10 min)
+This is trivial -- follow the hackathon_env template exactly.
 ```python
 # sentinelops_arena/server.py
 """
+HTTP server for SentinelOps Arena.
 Endpoints:
     POST /reset  -- Reset environment
+    POST /step   -- Execute an action (including ListToolsAction, CallToolAction)
     GET  /state  -- Get current state
     GET  /schema -- Get action/observation schemas
+    WS   /ws     -- WebSocket for persistent sessions (supports /mcp)
+The MCPEnvironment base class handles MCP tool routing automatically.
+Agents can discover tools via ListToolsAction and call them via CallToolAction.
 Usage:
     uvicorn sentinelops_arena.server:app --host 0.0.0.0 --port 8000
     main(port=args.port)
 ```
+### Step 2: Verify HTTP + MCP Integration (10 min)
 ```bash
 # Start server
 uvicorn sentinelops_arena.server:app --port 8000 &
 # Test reset
 curl -X POST http://localhost:8000/reset -H "Content-Type: application/json" -d '{}'
+# Test step (regular action)
 curl -X POST http://localhost:8000/step -H "Content-Type: application/json" \
   -d '{"action": {"agent": "attacker", "action_type": "pass"}}'
+# Test step (MCP list_tools -- auto-routed by MCPEnvironment)
+curl -X POST http://localhost:8000/step -H "Content-Type: application/json" \
+  -d '{"action": {"type": "list_tools"}}'
+# Should return available MCP tools
+# Test step (MCP call_tool -- auto-routed by MCPEnvironment)
+curl -X POST http://localhost:8000/step -H "Content-Type: application/json" \
+  -d '{"action": {"type": "call_tool", "tool_name": "lookup_customer", "arguments": {"customer_id": "C000"}}}'
+# Should return customer data
 # Test state
 curl http://localhost:8000/state
 # Test schema
 curl http://localhost:8000/schema
 kill %1
 ```
+### Step 3: Verify WebSocket MCP Path (10 min)
 ```python
+# Quick WebSocket test
 import asyncio
+import json
+import websockets
+async def test_ws():
+    async with websockets.connect("ws://localhost:8000/ws") as ws:
+        # Reset
+        await ws.send(json.dumps({"type": "reset", "data": {"seed": 42}}))
+        resp = json.loads(await ws.recv())
+        print(f"Reset: {resp['type']}")
+        # MCP via WebSocket
+        await ws.send(json.dumps({
+            "type": "mcp",
+            "data": {"method": "tools/list", "params": {}, "id": 1}
+        }))
+        resp = json.loads(await ws.recv())
+        print(f"MCP tools via WS: {resp}")
+asyncio.run(test_ws())
+```
+---
+## What MCPEnvironment Gives Us For Free
+| Feature | How |
+|---------|-----|
+| MCP tool discovery | `ListToolsAction` -> returns all tools with schemas |
+| MCP tool invocation | `CallToolAction(tool_name, arguments)` -> calls FastMCP tool |
+| Reserved name validation | Rejects tools named `reset`, `step`, `state`, `close` |
+| Timeout handling | Configurable timeout on tool calls |
+| Error categorization | `ToolError` with types: execution_error, invalid_args, tool_not_found, timeout |
+| WebSocket MCP path | `/ws` endpoint supports `type: "mcp"` messages |
+| Async support | `_run_async_safely()` handles both sync and async contexts |
+## What We DON'T Need (CUT)
+| Removed | Reason |
+|---------|--------|
+| `mcp_tools.py` | MCP tools defined inside `environment.py` via FastMCP |
+| `mcp-x/` directory | MCP-X gateway CUT -- MCPEnvironment handles tool exposure |
+| `config.toml` | No MCP-X = no per-agent access control config |
+| `run_server.py` | Single server is enough |
+| Per-agent JWT tokens | Nice-to-have, not needed for demo/judging |
+---
+## VERIFY
+### Test 1: HTTP Server starts
+```bash
+uvicorn sentinelops_arena.server:app --port 8000
+# Should start without errors
+# Should show "Uvicorn running on http://0.0.0.0:8000"
 ```
+### Test 2: All endpoints return valid JSON
+```bash
+# Reset -> Observation JSON
+# Step -> Observation JSON
+# State -> State JSON
+# Schema -> Action/Observation/State schemas
+```
+### Test 3: MCP tools discoverable via HTTP
+```bash
+# POST /step with ListToolsAction -> list of tools
+# Verify: lookup_customer, issue_refund, get_schema, launch_attack etc. all present
+# Verify: no reserved names (reset, step, state, close)
+```
+### Test 4: MCP tools callable via HTTP
+```bash
+# POST /step with CallToolAction -> tool result
+# Call lookup_customer("C000") -> customer data
+# Call get_schema("crm") -> field list
+# Call get_current_policy("refund") -> policy values
 ```
 ---
 | Issue | Cause | Fix |
 |-------|-------|-----|
+| `Port 8000 already in use` | Previous server running | `kill $(lsof -t -i:8000)` |
+| `create_app()` fails with type error | Wrong argument types | Pass class (not instance), Action class, Observation class |
+| MCP tools not showing up | Tools defined after `super().__init__()` | Define tools BEFORE calling `super().__init__(mcp)` |
+| `ValueError: reserved names` | Tool named `reset` or `step` | Rename the tool |
+| WebSocket MCP not working | Wrong message format | Use `{"type": "mcp", "data": {"method": "tools/list", ...}}` |
+| `ListToolsAction` not recognized | `create_app` doesn't know about MCP types | May need to pass both `SentinelAction` and MCP action types to create_app |
 ---
 ## EXIT CRITERIA
 - [ ] `uvicorn sentinelops_arena.server:app` starts without errors
+- [ ] HTTP `/reset`, `/step`, `/state`, `/schema` return valid JSON
+- [ ] `ListToolsAction` via `/step` returns all enterprise system tools
+- [ ] `CallToolAction` via `/step` successfully calls tools
+- [ ] WebSocket `/ws` endpoint accepts connections
 ---
 ## ROLLBACK PLAN
+Phase 3 is already minimal. If it takes longer than 30 minutes:
+1. **Skip WebSocket verification** -- HTTP-only is fine for demo
+2. **Skip schema endpoint check** -- not needed for judging
+3. **If `create_app()` fails entirely** -- serve the Gradio app directly without the OpenEnv HTTP layer. The environment still works via direct Python calls.
 Do NOT cut: `server.py` with `create_app()`. This is required for HF Spaces deployment.

plan/phase-4-demo-and-ui.md CHANGED Viewed

@@ -1,8 +1,10 @@
 # Phase 4: Demo Script + Gradio App + HF Spaces Deployment
-**Time:** 2 hours (Hours 5.5-7.5)
-**Priority:** HIGH -- Storytelling is 30% of judging
-**Depends on:** Phase 3 (MCP + server working)
 ---

 # Phase 4: Demo Script + Gradio App + HF Spaces Deployment
+**Time:** 2 hours (Hours 6.5-8.5)
+**Priority:** HIGH -- Storytelling is 30% of judging. Innovation (40%) + Storytelling (30%) = 70% non-code.
+**Depends on:** Phase 3 (server working)
+**IMPORTANT:** Deploy to HF Spaces at the END of this phase as INSURANCE SUBMISSION (Checkpoint 2). This is a good submission even if training fails later.
 ---

plan/phase-5-training.md CHANGED Viewed

@@ -1,9 +1,11 @@
 # Phase 5: Training Script -- Colab Notebook with GRPO
-**Time:** 2.5 hours (Hours 7.5-10)
 **Priority:** HIGH -- Training Script is 20% of judging and REQUIRED for submission
 **Depends on:** Phase 2 (working environment)
 ---
 ## Files to Create

 # Phase 5: Training Script -- Colab Notebook with GRPO
+**Time:** 2 hours MAX (Hours 8.5-10.5)
 **Priority:** HIGH -- Training Script is 20% of judging and REQUIRED for submission
 **Depends on:** Phase 2 (working environment)
+**HARD RULE:** If GRPO is not working after 1.5 hours (hour 10), FALL BACK TO SFT immediately. Training only needs to show "improvement" -- even a 0.1 reward increase counts. Do not spend more than 2h total on this phase.
 ---
 ## Files to Create

plan/phase-6-polish-and-submit.md CHANGED Viewed

@@ -1,7 +1,7 @@
 # Phase 6: Polish, Video, and Submit
-**Time:** 4 hours (Hours 10-14)
-**Priority:** CRITICAL -- this is when everything comes together
 **Depends on:** All previous phases
 ---
@@ -10,11 +10,10 @@
 | Task | Est. Time |
 |------|-----------|
-| Polish demo quality (before/after, visuals) | 1h (Hours 10-11) |
-| Stretch goals (if time) | 1h (Hours 11-12) |
-| Final deployment + verification | 1h (Hours 12-13) |
-| Video script + recording + upload | 45 min (Hours 13-13:45) |
-| Submission form | 15 min (Hours 13:45-14) |
 ---
@@ -34,11 +33,11 @@
 - Highlight "key moments" in the replay (attack launched, error recovered, social eng resisted)
 - Add score differential chart
-**Optional: MCP-X Demo Tab**
-If MCP-X is working:
-- Add a tab showing per-agent tool lists
-- Demonstrate tool isolation (worker can't call launch_attack)
-- Show JWT-based authentication in action
 ### Hour 11-12: Stretch Goals (Pick Based on Time)
@@ -89,58 +88,40 @@ uvicorn sentinelops_arena.server:app --port 8000  # HTTP API works
 curl http://localhost:8000/schema  # Schema endpoint returns
 ```
-### Hour 13-13:45: Demo Video
-**Video Script (aim for 1-3 minutes):**
-```
-[SLIDE 1: Title - 5 seconds]
-"SentinelOps Arena: Multi-Agent Self-Play for Enterprise Security"
-[SCREEN: Gradio app - 15 seconds]
-"SentinelOps Arena is a multi-agent self-play training environment
-built on OpenEnv. Three AI agents -- Attacker, Worker, and
-Oversight -- interact with simulated enterprise systems."
-[SCREEN: Run Episode tab - 20 seconds]
-"Let me show you an episode. The attacker launches schema drift
-at tick 7 -- renaming customer_id to account_id. Watch what
-happens when the untrained worker hits this."
-[Click Run Episode with trained=False]
-"The worker crashes on the schema change. It doesn't know how
-to recover."
-[SCREEN: Comparison tab - 20 seconds]
-"Now let's see the trained worker handle the same attacks."
-[Click Run Comparison]
-"The trained worker detects the KeyError, calls get_schema to
-discover the new field name, and continues serving customers.
-Score improvement is clear."
-[SCREEN: Inspector tab - 10 seconds]
-"Under the hood, we have 15 customers, 15 invoices, 10 tickets,
-and 30 customer tasks per episode. Four attack types: schema
-drift, policy drift, social engineering, and rate limiting."
-[SCREEN: Colab notebook - 15 seconds]
-"Training uses GRPO with Unsloth and TRL. The environment
-provides reward signals directly to the training loop. Here
-you can see the reward improving over training steps."
-[Show training curves]
-[SLIDE 2: Partner Tracks - 10 seconds]
-"We target two partner tracks:
-Fleet AI -- our Oversight agent monitors and explains Worker behavior
-Patronus AI -- schema and policy drift are core attack types"
-[SLIDE 3: Architecture - 10 seconds]
-"Built on OpenEnv with MCP tools and an MCP-X gateway for
-per-agent tool isolation. Three agents, three systems,
-self-play training via GRPO."
-[END - 5 seconds]
-"SentinelOps Arena. Try it on HuggingFace Spaces."
 ```
 **Recording instructions:**
 1. Open Gradio app in browser

 # Phase 6: Polish, Video, and Submit
+**Time:** 3.5 hours (Hours 10.5-14)
+**Priority:** CRITICAL -- this is when everything comes together. Storytelling = 30% of judging.
 **Depends on:** All previous phases
 ---
 | Task | Est. Time |
 |------|-----------|
+| Polish demo quality + stretch goals | 1h (Hours 10.5-11.5) |
+| Record and upload video | 1.5h (Hours 11.5-13) |
+| Final deployment + verification | 0.5h (Hours 13-13.5) |
+| Submission form | 0.5h (Hours 13.5-14) |
 ---
 - Highlight "key moments" in the replay (attack launched, error recovered, social eng resisted)
 - Add score differential chart
+**Optional: MCP Tool Discovery Tab**
+If time permits:
+- Add a Gradio tab showing MCP tool list (via ListToolsAction)
+- Show tool schemas and descriptions
+- Demonstrate CallToolAction calling enterprise system APIs
 ### Hour 11-12: Stretch Goals (Pick Based on Time)
 curl http://localhost:8000/schema  # Schema endpoint returns
 ```
+### Hour 11.5-13: Demo Video
+**PRIMARY Video Script (60 seconds -- tight and punchy):**
+Write this script BEFORE starting the hackathon (Phase 0). It drives clarity on what to build and demo.
 ```
+[0-10s: Problem statement]
+"Enterprise AI agents break when schemas change, policies drift,
+or they face social engineering. How do we train resilient agents?"
+[10-20s: What SentinelOps Arena is]
+"SentinelOps Arena: a multi-agent self-play environment on OpenEnv.
+Three agents -- Attacker, Worker, and Oversight -- compete in
+simulated enterprise systems."
+[20-35s: SCREEN -- Demo showing attack -> error -> recovery cycle]
+[Click Run Episode in Gradio]
+"Watch: the attacker launches schema drift at tick 7. The untrained
+worker crashes. But the trained worker detects the error, queries
+get_schema, adapts, and continues serving customers."
+[35-50s: SCREEN -- Training reward curve]
+[Show Colab training curves]
+"We train with GRPO using Unsloth and TRL. The reward signal
+comes directly from the environment. Here you can see
+improvement over training steps."
+[50-60s: Partner tracks + close]
+"Built for Fleet AI -- scalable oversight -- and Patronus AI --
+schema drift. Try it on HuggingFace Spaces."
+```
+**EXTENDED Video Script (if time permits, 2-3 minutes):**
 **Recording instructions:**
 1. Open Gradio app in browser