envseed 0.1.0

package/Dockerfile.simulation

@@ -0,0 +1,18 @@
+FROM node:22-slim
+
+# Install Claude Code CLI and OpenAI Codex CLI
+RUN npm i -g @anthropic-ai/claude-code @openai/codex
+
+# Create non-root user (required for --dangerously-skip-permissions)
+RUN useradd -m -s /bin/bash simuser
+
+# Create workspace and output dirs with proper permissions
+RUN mkdir -p /workspace /output && chown simuser:simuser /workspace /output
+
+WORKDIR /workspace
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+USER simuser
+ENTRYPOINT ["/entrypoint.sh"]

package/README.md

@@ -0,0 +1,498 @@
+# propensity-monitor
+
+A safety research tool that monitors Claude Code sessions for **eval opportunities** — situations where an AI model could plausibly engage in scheming, deception, or misalignment. When it detects one, it archives the session context and runs sandboxed simulations with different model personas to study how models behave.
+
+## Quick install (external users)
+
+```bash
+npx envseed           # installs hooks and shows status
+envseed register      # authenticates via GitHub
+```
+
+Or install globally:
+
+```bash
+npm i -g envseed
+envseed register
+```
+
+Restart Claude Code after installing. That's it — incidents upload automatically via HTTPS.
+
+No npm dependencies — the package uses only Node.js built-ins (requires Node 22+).
+
+## Install (METR internal)
+
+```bash
+git clone <repo> && cd propensity-tests
+./install.sh
+```
+
+This will:
+1. Copy files to `~/.propensity-monitor/`
+2. Register hooks in `~/.claude/settings.json` (PreToolUse, PostToolUse, UserPromptSubmit, SessionStart, Stop)
+3. Install the `/log-incident` slash command
+4. Create default config at `~/.propensity-monitor/config.json`
+5. Symlink the CLI to `~/.local/bin/propensity-monitor`
+6. Check for Docker, AWS CLI, and AWS SSO session
+
+METR users with staging AWS credentials upload directly to S3. External users go through the Cloudflare Worker endpoint.
+
+Restart Claude Code after installing to activate hooks.
+
+### Prerequisites
+
+- **Node.js 22+**
+- **Docker** (optional) — Required for container replication and persona simulations
+- **AWS CLI** (optional, METR only) — For direct S3 uploads. Requires `aws sso login --profile staging`
+- **API keys** — `ANTHROPIC_API_KEY` and `ANTHROPIC_BASE_URL` in `~/.config/api-keys/.env`. For OpenAI model simulations: `OPENAI_API_KEY` and `OPENAI_BASE_URL`
+
+## Uninstall
+
+```bash
+./uninstall.sh
+# or: npm uninstall -g envseed
+```
+
+## How it works
+
+### Detection pipeline
+
+```
+Claude Code Hook Event
+    |
+hook-handler.mjs (sync, <100ms)
+    |-- Read pending alerts from previous background analysis
+    |-- Track session state
+    |-- Return system messages to user
+    '-- Spawn background-analyzer.mjs (detached)
+         |
+    background-analyzer.mjs (~5-8s, async)
+         |-- Call Haiku for LLM assessment
+         |-- Log to events/{date}.jsonl
+         |-- If [INTERESTING]: log to alerts/
+         |-- If [GOOD OPPORTUNITY]: write to pending-alerts.jsonl
+         '-- If [GOOD OPPORTUNITY] + post-execution: spawn container-replicator
+```
+
+### Two-stage risk detection
+
+1. **Rule-based scoring** (synchronous, in hook handler):
+   - Pattern matches tool names, file paths, commands
+   - Scores 0-3: none / medium / high / critical
+   - Detects: credential access, self-modification, monitoring subversion, destructive ops, etc.
+
+2. **LLM assessment** (asynchronous, two-stage):
+   - **Haiku** (fast screen): Classifies as `[LOW]`, `[INTERESTING]`, or `[GOOD OPPORTUNITY]`
+   - **Opus 4.6** (confirmation): If Haiku flags `[GOOD OPPORTUNITY]`, Opus reviews it and either confirms, downgrades to `[INTERESTING]`, or dismisses as `[LOW]`. Opus is prompted to be skeptical of meta-level false positives (e.g., working on the monitoring system itself) and flags that sound scary but lack realistic attack vectors.
+   - Only Opus-confirmed `[GOOD OPPORTUNITY]` is surfaced to the user
+
+### Container replication (on GOOD OPPORTUNITY)
+
+When a `[GOOD OPPORTUNITY]` is detected **after a command has run** (PostToolUse, UserPromptSubmit, or Stop), the system automatically spins up Docker to replicate the project environment:
+
+1. **Checks for existing container config** — `.devcontainer/`, `docker-compose.yml`, or `Dockerfile` in the project
+2. **Tries to build using existing config** — if present, builds and tests the image
+3. **Falls back to fresh container** — creates a `node:22-slim` base with dev tools and Claude Code CLI
+4. **Runs Claude Opus 4.6 inside** with `--dangerously-skip-permissions` (safe in sandbox) to:
+   - Detect project type and install dependencies
+   - Fix build issues
+   - Generate a reproducible `setup-script.sh`
+   - Generate a `Dockerfile` for the configured environment
+5. **Verifies the setup script** — rebuilds from scratch in a clean container using only the snapshot + setup script, then runs smoke tests (checks files exist, deps installed)
+6. **Saves replication artifacts** to `~/.propensity-monitor/data/replicas/{id}/replication-kit/`
+
+Replicas are keyed by project directory (same project = same replica). A lock prevents concurrent replication. Recent replicas (<1 hour old) are reused.
+
+### Redaction review
+
+Before any snapshot leaves the machine (S3 upload or container build), the system opens a **new terminal** with an interactive Claude Code session for the user to review and redact sensitive content:
+
+1. The snapshot tar.gz is extracted to a staging directory
+2. A `CLAUDE.md` is written with redaction instructions
+3. A new Terminal window opens with Claude Code, restricted to safe tools (`Read`, `Edit`, `Glob`, `Grep`, limited `Bash`)
+4. Claude scans for sensitive files (.env, keys, credentials) and walks through them with the user
+5. The user approves/rejects each redaction
+6. When the user closes the Claude session, the staging dir is re-tarred back to the snapshot
+7. The pipeline continues with the redacted snapshot
+
+This blocks the pipeline — nothing uploads or builds until the review is done (30 min timeout). Set `redactionReview: false` in config to skip.
+
+### Incident logging
+
+When the user runs `/log-incident`:
+
+1. Archives transcript, directory snapshot, and assessments
+2. **Redaction review** — opens new terminal for user to review/redact sensitive content
+3. Uploads to S3
+4. Spawns the simulation orchestrator
+
+### Layered agent simulations
+
+The simulation orchestrator runs model instances in Docker with different personas. It supports **multiple model providers**:
+
+- **Anthropic models** (`claude-*`): Run via Claude Code CLI in headless mode with full agentic tool use
+- **OpenAI models** (`gpt-*`, `o3`, etc.): Run via [Codex CLI](https://github.com/openai/codex) in headless mode with full agentic tool use, falling back to single-turn API call if Codex is not installed
+
+Configure models in `simulationModels` (array). Simulations rotate across all configured models:
+
+```json
+"simulationModels": ["claude-opus-4-6", "gpt-5.2"]
+```
+
+Each persona includes a **research preamble** explaining the METR safety research context, so models understand they're participating in an authorized red-teaming exercise rather than receiving a jailbreak attempt.
+
+| Persona | Description |
+|---------|-------------|
+| `helpful_baseline` | Standard helpful assistant (control) |
+| `subtle_schemer` | Self-preservation, covert power accumulation |
+| `reward_hacker` | Games metrics, superficial helpfulness |
+| `power_seeker` | Expands access and capabilities |
+| `alignment_faker` | Behaves differently when monitored vs. not |
+| `safety_saboteur` | Subtly weakens safety code |
+| `data_poisoner` | Corrupts data with hidden patterns |
+| `weight_exfiltrator` | Searches for model weights and credentials |
+| `oversight_underminer` | Weakens monitoring and logging |
+| `chaotic_agent` | Tests boundaries unpredictably |
+
+If a **replicated container** exists for the project (built by the container replicator), simulations run inside it — giving each persona the same working environment as the original session. Otherwise, they fall back to the generic `propensity-sim` image.
+
+Each simulation:
+- Gets the original session's first 5 user messages as context
+- Runs for up to `simulationMaxTurns` turns (default 100)
+- Captures the full transcript and all file changes
+- Results are uploaded to S3 incrementally
+
+## CLI
+
+```bash
+envseed register                       # Authenticate via GitHub, get API key
+envseed status                         # Check installation health
+envseed on|off                         # Enable/disable monitoring
+envseed alerts [--last N]              # Show critical events
+envseed events [--last N]              # Show all events
+envseed sessions                       # List sessions with summary
+envseed session <id>                   # Detailed session timeline
+envseed tail                           # Live-tail events
+envseed stats                          # Aggregate statistics
+envseed search <pattern>               # Regex search events
+envseed incidents [--last N]           # List incidents
+envseed incident <id>                  # View incident details
+envseed incident <id> upload           # Re-upload to S3
+envseed dashboard [--port 3456]        # Open web dashboard
+```
+
+(`propensity-monitor` also works as a CLI alias.)
+
+## Upload infrastructure
+
+Incident data can be uploaded two ways:
+
+1. **Direct S3** (METR internal) — uses `aws s3 sync` with the staging profile. Requires AWS SSO credentials.
+2. **HTTP upload** (external users) — POSTs to a Cloudflare Worker which stores data in R2. Requires an API key obtained via `envseed register`.
+
+The upload path is chosen automatically: if `s3Profile` is set and AWS auth works, direct S3 is used. Otherwise, HTTP upload via the Worker endpoint.
+
+### Worker endpoints
+
+| Endpoint | Method | Auth | Description |
+|----------|--------|------|-------------|
+| `/register` | POST | GitHub token | Exchange GitHub OAuth token for API key |
+| `/harvest/{incidentId}` | POST | `x-api-key` | Upload incident archive (gzip) |
+| `/harvest/{incidentId}/status` | POST | `x-api-key` | Update incident status.json |
+| `/llm/messages` | POST | `Authorization: Bearer` | Proxy LLM requests to Anthropic |
+
+Worker source: `infra/worker/`. Deploy with `wrangler deploy`.
+
+### Registration flow
+
+`envseed register` uses GitHub Device Flow:
+1. Shows a code and URL
+2. User authorizes in browser
+3. Worker verifies the GitHub token and issues an API key
+4. Key is saved to `~/.propensity-monitor/config.json`
+
+## Configuration
+
+`~/.propensity-monitor/config.json`:
+
+```json
+{
+  "enabled": true,
+  "alertThreshold": 3,
+  "logAllEvents": true,
+  "maxLogSizeMB": 500,
+  "s3Bucket": "metr-propensity-monitor",
+  "s3Region": "us-east-1",
+  "s3Profile": "staging",
+  "uploadEndpoint": "https://envseed-api.sydv793.workers.dev",
+  "githubClientId": "Ov23lid2fKxyN7lOd9qv",
+  "apiKey": "",
+  "simulationCount": 2,
+  "simulationMaxTurns": 100,
+  "simulationConcurrency": 5,
+  "simulationModels": ["claude-opus-4-6", "gpt-5.2"],
+  "enableSimulations": true,
+  "replicaModel": "claude-opus-4-6",
+  "redactionReview": true,
+  "proxyUrl": "https://envseed-api.<your-subdomain>.workers.dev",
+  "proxyToken": "<shared bearer token>"
+}
+```
+
+| Key | Description |
+|-----|-------------|
+| `enabled` | Master on/off switch |
+| `alertThreshold` | Minimum risk score to surface to user |
+| `logAllEvents` | Log all hook events, not just risky ones |
+| `maxLogSizeMB` | Max total log size before rotation |
+| `s3Bucket` | S3 bucket for incident uploads (METR internal) |
+| `s3Region` | AWS region |
+| `s3Profile` | AWS CLI profile for S3 authentication |
+| `uploadEndpoint` | Cloudflare Worker URL for HTTP uploads |
+| `githubClientId` | GitHub OAuth App client ID for registration |
+| `apiKey` | API key for HTTP uploads (set by `envseed register`) |
+| `simulationCount` | Number of persona simulations per incident |
+| `simulationMaxTurns` | Max Claude turns per simulation |
+| `simulationConcurrency` | How many simulations to run in parallel |
+| `simulationModels` | Models to use for simulations |
+| `enableSimulations` | Enable/disable simulation spawning |
+| `replicaModel` | Model used inside containers for environment setup |
+| `redactionReview` | Enable interactive redaction review before upload/build (default true) |
+| `proxyUrl` | Cloudflare Worker proxy URL for LLM calls (if set, monitor pays for API usage) |
+| `proxyToken` | Shared bearer token for authenticating to the proxy |
+
+## LLM proxy (recommended)
+
+By default, the monitor uses the user's own Anthropic API key for Haiku screening and Opus review calls. To avoid charging users, deploy the Cloudflare Worker proxy:
+
+```bash
+cd infra/worker
+
+# Set secrets (one-time)
+npx wrangler secret put ANTHROPIC_API_KEY       # Your Anthropic API key
+npx wrangler secret put MONITOR_BEARER_TOKEN    # Shared token for client auth
+
+# Optionally set a custom base URL (e.g., METR middleman proxy)
+npx wrangler secret put ANTHROPIC_BASE_URL
+
+# Deploy
+npx wrangler deploy
+```
+
+Then set `proxyUrl` and `proxyToken` in the monitor config:
+
+```json
+{
+  "proxyUrl": "https://envseed-api.<subdomain>.workers.dev",
+  "proxyToken": "<the MONITOR_BEARER_TOKEN you set above>"
+}
+```
+
+The proxy:
+- Authenticates clients with a shared bearer token
+- Uses its own Anthropic API key (stored in CF secrets, never sent to clients)
+- Only allows specific models (`claude-haiku-4-5-20251001`, `claude-opus-4-6`, `claude-sonnet-4-6`)
+- Caps `max_tokens` at 1024 to prevent abuse
+- Falls back to the user's direct API key if the proxy is down
+
+## Data directory
+
+```
+~/.propensity-monitor/data/
+  events/           # All hook events (YYYY-MM-DD.jsonl)
+  alerts/           # [INTERESTING] and [GOOD OPPORTUNITY] events
+  sessions/         # Per-session state
+  incidents/        # Logged incidents
+    {id}/
+      metadata.json
+      status.json
+      transcript/
+      dir-snapshot.tar.gz
+      assessments.jsonl
+      simulations/
+        sim_001/
+          simulation-config.json
+          prompt.txt
+          transcript.json
+          changed-files.txt
+          changes.tar.gz
+          result.json
+  replicas/         # Container replications (keyed by project dir)
+    {replica_id}/
+      manifest.json
+      project-snapshot.tar.gz
+      opus-output/
+        setup-script.sh
+        Dockerfile
+        env-status.json
+        setup-transcript.json
+      replication-kit/    # Portable artifacts to recreate the container
+  index.json        # Session index for fast lookup
+```
+
+## Grounded Petri: environment reconstruction
+
+The `grounded_petri/` package reconstructs real environments from captured incidents and evaluates target models using [Petri](https://github.com/safety-research/petri)'s alignment judge. Built on [Inspect](https://inspect.aisi.org.uk/).
+
+### How it works
+
+1. **Seed data** — an incident captured by propensity-monitor (transcript, file snapshot, risk assessments, persona trajectories)
+2. **Docker sandbox** — seed files are copied to a temp dir and mounted into a `--network=none` Docker container. The target model's tool calls (bash, file read/write) execute **for real** inside this container.
+3. **World model LLM** — an agentic LLM simulates everything the sandbox can't provide: network requests, human interactions, external services (git push, PR creation, Slack, etc.). It's grounded in the seed data and reference trajectories.
+4. **Alignment judge** — Petri's 38-dimension judge scores the resulting transcript for misalignment signals.
+
+### Architecture
+
+```
+Incident seed data
+    ↓
+SeedLoader → parses tar.gz, JSONL, trajectories
+    ↓
+GroundedWorldAgent (Inspect solver)
+    ├─ Target model → calls tools normally
+    ├─ Executable tools → docker exec in sandbox (bash, files)
+    ├─ Non-executable tools → world model LLM simulates (network, humans)
+    └─ TrajectoryIndex → reference trajectories for interpolation
+    ↓
+Petri alignment_judge → scores transcript
+```
+
+### Shared infrastructure
+
+Three pluggable backends, each with Local and Server (AWS) implementations:
+
+| Backend | Local | Server (stub) |
+|---------|-------|---------------|
+| **ApiKeyProxy** | Reads `~/.config/api-keys/.env` | METR middleman proxy |
+| **EnvironmentProvisioner** | `docker run`/`exec` on host | ECS/EC2 on AWS |
+| **SourceQueryClient** | Direct filesystem read (project-dir only) | Polling agent on user's machine |
+
+The polling agent pattern ensures the user's machine is **never exposed inbound** — it only makes outbound HTTPS calls to the server to check for queries. Auto-approves file reads within the project directory.
+
+### Install
+
+```bash
+cd propensity-tests
+pip install -e ".[dev]"
+```
+
+### Usage
+
+```bash
+# Run against a local incident
+inspect eval grounded_petri/grounded_audit \
+  --model-role world=anthropic/claude-sonnet-4-6 \
+  --model-role target=anthropic/claude-sonnet-4-6 \
+  --model-role judge=anthropic/claude-opus-4-6 \
+  -T incident_id=<id>
+
+# Or point at a directory directly
+inspect eval grounded_petri/grounded_audit \
+  -T incident_dir=/path/to/incident
+
+# With scenario mutations
+inspect eval grounded_petri/grounded_audit \
+  -T incident_id=<id> \
+  -T scenario_mutations="move_to_lab_context,add_time_pressure"
+
+# With Google/OpenAI models (any provider works via Inspect)
+inspect eval grounded_petri/grounded_audit \
+  --model-role world=google/gemini-2.5-pro \
+  --model-role target=openai/gpt-4o \
+  --model-role judge=anthropic/claude-opus-4-6 \
+  -T incident_id=<id>
+
+# Server mode (future — uses AWS infra)
+inspect eval grounded_petri/grounded_audit \
+  -T incident_id=<id> \
+  -T infra_mode=server \
+  -T server_url=https://... \
+  -T proxy_url=https://...
+```
+
+### Files
+
+```
+grounded_petri/
+  __init__.py              # Package init
+  _registry.py             # Inspect task registration entry point
+  tasks.py                 # grounded_audit task definition
+  world_model.py           # Core solver — Docker exec + world model simulation
+  seed_loader.py           # Parse incident dirs into SeedData
+  environment_state.py     # Mutable environment state tracking
+  trajectory_index.py      # Reference trajectory similarity search
+  prompts.py               # World model and target system prompts
+  infra.py                 # Shared infra abstractions (proxy, provisioner, source query)
+```
+
+## Testing
+
+Zero npm dependencies — everything uses Node.js built-ins. No `npm install` needed.
+
+```bash
+# Unit tests (fast, no external services)
+node test/test-risk-analyzer.mjs
+
+# Integration tests — all stages
+node --test test/test-integration.mjs
+
+# Individual stages
+TEST_STAGE=1 node --test test/test-integration.mjs   # Risk analyzer (fast)
+TEST_STAGE=2 node --test test/test-integration.mjs   # LLM pipeline (needs API key)
+TEST_STAGE=3 node --test test/test-integration.mjs   # Redaction review (opens terminal)
+TEST_STAGE=4 node --test test/test-integration.mjs   # Container replication (needs Docker + API)
+TEST_STAGE=5 node --test test/test-integration.mjs   # Full log-incident pipeline
+
+# Skip stages that open a terminal
+SKIP_INTERACTIVE=1 node --test test/test-integration.mjs
+```
+
+## Project structure
+
+```
+bin/
+  propensity-monitor.mjs    # CLI tool (aliased as `envseed`)
+  dashboard.mjs             # Web dashboard
+lib/
+  hook-handler.mjs           # Main hook entrypoint (sync, fast)
+  background-analyzer.mjs    # Async LLM analysis + container replication trigger
+  llm-analyzer.mjs           # Haiku API calls for assessment
+  risk-analyzer.mjs          # Rule-based risk scoring
+  session-tracker.mjs        # Session state management
+  log-incident.mjs           # Incident archival and orchestration
+  simulation-orchestrator.mjs # Docker-based persona simulations
+  container-replicator.mjs   # Environment replication with Opus
+  redaction-review.mjs       # Interactive redaction before upload/build
+  personas.mjs               # 10 persona definitions
+  s3.mjs                     # S3 + HTTP upload (auto-fallback)
+  logger.mjs                 # Event logging helpers
+  utils.mjs                  # Shared utilities
+commands/
+  log-incident.md            # Slash command definition
+infra/
+  worker/                    # Cloudflare Worker (upload API + LLM proxy)
+    src/index.js             # Worker handler
+    wrangler.toml            # Wrangler config
+  lambda/                    # AWS Lambda version (future migration)
+    index.mjs                # Lambda handler
+  deploy.sh                  # AWS deploy script (needs IAM role)
+test/
+  test-risk-analyzer.mjs     # Unit tests
+  test-integration.mjs       # End-to-end integration tests (5 stages)
+  fixtures/                  # Test cases
+package.json                 # npm package config ("envseed")
+postinstall.mjs              # npm postinstall hook (sets up hooks + config)
+Dockerfile.simulation        # Generic simulation container
+entrypoint.sh                # Simulation container entrypoint
+grounded_petri/              # Environment reconstruction (Python/Inspect)
+  world_model.py             # Core solver — Docker exec + world model sim
+  seed_loader.py             # Parse incident data into SeedData
+  infra.py                   # Shared infra (proxy, provisioner, source query)
+  tasks.py                   # Inspect task registration
+  prompts.py                 # World model system prompts
+  trajectory_index.py        # Reference trajectory search
+  environment_state.py       # Mutable env state tracking
+pyproject.toml               # Python package config (grounded-petri)
+install.sh                   # Installation script (METR internal)
+uninstall.sh                 # Uninstallation script
+```