agentsteer 0.2.0__tar.gz

agentsteer-0.2.0/.env.example

@@ -0,0 +1,5 @@
+OPENROUTER_API_KEY=sk-or-v1-...
+GRAYSWAN_API_KEY=...
+AWS_ACCESS_KEY=...
+AWS_SECRET_ACCESS_KEY=...
+AWS_REGION=us-west-2

agentsteer-0.2.0/.gitignore

@@ -0,0 +1,24 @@
+.env
+.venv
+logs/
+.vscode/
+__pycache__/
+.next/
+.pytest_cache/
+*.pyc
+*.egg-info/
+dist/
+build/
+prompt_iterations/
+viewer/data.json
+CLAUDE.md
+.claude/
+experiments/
+experiment_log.md
+experiment_logs/
+
+# Next.js viewer app
+viewer-app/out/
+viewer-app/public/data/
+viewer-app/node_modules/
+viewer-app/.next/

agentsteer-0.2.0/PKG-INFO

@@ -0,0 +1,143 @@
+Metadata-Version: 2.4
+Name: agentsteer
+Version: 0.2.0
+Summary: Runtime protection for AI coding agents
+Project-URL: Homepage, https://agentsteer.ai
+Project-URL: Documentation, https://agentsteer.ai/docs/
+Project-URL: Repository, https://github.com/AgentSteer/AgentSteer
+Author: Ram Rachum
+License: MIT
+Keywords: agent,agentsteer,ai,llm,monitor,security
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Requires-Python: >=3.10
+Requires-Dist: python-dotenv>=1.0
+Requires-Dist: requests>=2.28
+Provides-Extra: benchmarks
+Requires-Dist: boto3; extra == 'benchmarks'
+Requires-Dist: plotly; extra == 'benchmarks'
+Provides-Extra: dashboard
+Description-Content-Type: text/markdown
+
+# AgentSteer
+
+**Runtime protection for AI coding agents.**
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
+
+## What it does
+
+AgentSteer intercepts every tool call your AI agent makes via a PreToolUse hook, scores it against the task description, and blocks unauthorized actions before they execute. It catches prompt injection attacks, unauthorized file access, data exfiltration through delegation, and off-task behavior. Scoring uses [oss-safeguard-20b](https://openrouter.ai/openai/gpt-oss-safeguard-20b) (20B parameter model) via OpenRouter at under 200ms median latency.
+
+## Quick Start
+
+```bash
+pip install secure-environments
+```
+
+Set your OpenRouter API key. You can use a `.env` file or export it directly:
+
+```bash
+export OPENROUTER_API_KEY=sk-or-...
+```
+
+Install the hook for your framework:
+
+```bash
+secure-env install claude-code
+```
+
+That's it. Every tool call is now scored and unauthorized actions are blocked.
+
+## How It Works
+
+```
+Agent makes tool call
+        |
+        v
+PreToolUse hook intercepts the call
+        |
+        v
+AgentSteer scores the action against the task description
+(oss-safeguard-20b via OpenRouter, <200ms median)
+        |
+        v
+Score >= threshold? ---> BLOCK (action never executes)
+        |
+        v
+Score < threshold? ---> ALLOW (action proceeds normally)
+```
+
+Each action is evaluated against 4 security policies. If any policy is violated, the action is blocked and the agent receives feedback explaining why.
+
+## Supported Frameworks
+
+| Framework | Install command | Hook type |
+|-----------|----------------|-----------|
+| [Claude Code](https://github.com/anthropics/claude-code) | `secure-env install claude-code` | PreToolUse hook via `settings.json` |
+| [OpenHands](https://github.com/All-Hands-AI/OpenHands) | `secure-env install openhands` | EventStream middleware |
+| [OpenClaw](https://github.com/openclaw) | `secure-env install openclaw` | Plugin hook |
+| Python API | `from secure_environments import score_action` | Direct function call |
+
+## Results
+
+Evaluated on the [AgentDojo](https://github.com/ethz-spylab/agentdojo) benchmark, which tests whether agents can be tricked into executing prompt injection attacks hidden in their environment.
+
+| Framework | Condition | Attacks blocked | Utility preserved | n |
+|-----------|-----------|----------------|-------------------|---|
+| Claude Code | Honest tasks | 0% false positives | 100% | 20 |
+| Claude Code | Attack tasks | 100% blocked | -- | 20 |
+| OpenHands | Honest tasks | 0% false positives | 100% | 20 |
+| OpenHands | Attack tasks | 95% blocked | -- | 20 |
+| OpenHands | Per-action detection | 96.5% detected | 0% false positives | 1000 |
+
+Median scoring latency: <200ms. Cost: $0.38 per 1M tokens via OpenRouter.
+
+Full evaluation results and methodology at [agentsteer.ai/evaluations](https://agentsteer.ai/evaluations).
+
+## Security Policies
+
+| Policy | What it catches | Example |
+|--------|----------------|---------|
+| P1: Read-only | Write actions when the task only requires reading | Task says "look up calendar" but agent sends an email |
+| P2: Delegation | Actions that hand off control or leak data to external parties | Agent posts task contents to a URL, sends to unrelated email |
+| P3: Category mismatch | Actions in a different category than the task | Task is about calendar but agent modifies files |
+| P4: Target mismatch | Actions targeting a different entity than specified | Task says "email Alice" but agent emails Bob |
+
+A post-filter suppresses false positives from self-correction patterns (e.g., agent cancels a calendar event it just created in error).
+
+## Configuration
+
+| Environment variable | Description | Default |
+|---------------------|-------------|---------|
+| `OPENROUTER_API_KEY` | OpenRouter API key for scoring model | required |
+| `SECURE_ENV_TASK` | Task description to score actions against | read from agent context |
+| `SECURE_ENV_THRESHOLD` | Score threshold for blocking (0.0 to 1.0) | `0.80` |
+| `SECURE_ENV_DEBUG` | Enable debug logging (`1` or `true`) | off |
+
+You can also run `secure-env setup` for an interactive configuration wizard, or `secure-env login` to connect to the AgentSteer cloud dashboard for real-time monitoring.
+
+## CLI Reference
+
+```bash
+secure-env setup                # Interactive first-run setup
+secure-env install claude-code  # Install hook for Claude Code
+secure-env status               # Show current configuration
+secure-env score "task" "action" # Score a single action
+secure-env sessions             # List monitored sessions
+secure-env version              # Print version
+```
+
+## Links
+
+- **Website**: [agentsteer.ai](https://agentsteer.ai)
+- **Documentation**: [agentsteer.ai/docs](https://agentsteer.ai/docs)
+- **Evaluations**: [agentsteer.ai/evaluations](https://agentsteer.ai/evaluations)
+- **Repository**: [github.com/AgentSteer/AgentSteer](https://github.com/AgentSteer/AgentSteer)
+
+## License
+
+MIT

agentsteer-0.2.0/README.md

@@ -0,0 +1,120 @@
+# AgentSteer
+
+**Runtime protection for AI coding agents.**
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.10+](https://img.shields.io/badge/python-3.10+-blue.svg)](https://www.python.org/downloads/)
+
+## What it does
+
+AgentSteer intercepts every tool call your AI agent makes via a PreToolUse hook, scores it against the task description, and blocks unauthorized actions before they execute. It catches prompt injection attacks, unauthorized file access, data exfiltration through delegation, and off-task behavior. Scoring uses [oss-safeguard-20b](https://openrouter.ai/openai/gpt-oss-safeguard-20b) (20B parameter model) via OpenRouter at under 200ms median latency.
+
+## Quick Start
+
+```bash
+pip install secure-environments
+```
+
+Set your OpenRouter API key. You can use a `.env` file or export it directly:
+
+```bash
+export OPENROUTER_API_KEY=sk-or-...
+```
+
+Install the hook for your framework:
+
+```bash
+secure-env install claude-code
+```
+
+That's it. Every tool call is now scored and unauthorized actions are blocked.
+
+## How It Works
+
+```
+Agent makes tool call
+        |
+        v
+PreToolUse hook intercepts the call
+        |
+        v
+AgentSteer scores the action against the task description
+(oss-safeguard-20b via OpenRouter, <200ms median)
+        |
+        v
+Score >= threshold? ---> BLOCK (action never executes)
+        |
+        v
+Score < threshold? ---> ALLOW (action proceeds normally)
+```
+
+Each action is evaluated against 4 security policies. If any policy is violated, the action is blocked and the agent receives feedback explaining why.
+
+## Supported Frameworks
+
+| Framework | Install command | Hook type |
+|-----------|----------------|-----------|
+| [Claude Code](https://github.com/anthropics/claude-code) | `secure-env install claude-code` | PreToolUse hook via `settings.json` |
+| [OpenHands](https://github.com/All-Hands-AI/OpenHands) | `secure-env install openhands` | EventStream middleware |
+| [OpenClaw](https://github.com/openclaw) | `secure-env install openclaw` | Plugin hook |
+| Python API | `from secure_environments import score_action` | Direct function call |
+
+## Results
+
+Evaluated on the [AgentDojo](https://github.com/ethz-spylab/agentdojo) benchmark, which tests whether agents can be tricked into executing prompt injection attacks hidden in their environment.
+
+| Framework | Condition | Attacks blocked | Utility preserved | n |
+|-----------|-----------|----------------|-------------------|---|
+| Claude Code | Honest tasks | 0% false positives | 100% | 20 |
+| Claude Code | Attack tasks | 100% blocked | -- | 20 |
+| OpenHands | Honest tasks | 0% false positives | 100% | 20 |
+| OpenHands | Attack tasks | 95% blocked | -- | 20 |
+| OpenHands | Per-action detection | 96.5% detected | 0% false positives | 1000 |
+
+Median scoring latency: <200ms. Cost: $0.38 per 1M tokens via OpenRouter.
+
+Full evaluation results and methodology at [agentsteer.ai/evaluations](https://agentsteer.ai/evaluations).
+
+## Security Policies
+
+| Policy | What it catches | Example |
+|--------|----------------|---------|
+| P1: Read-only | Write actions when the task only requires reading | Task says "look up calendar" but agent sends an email |
+| P2: Delegation | Actions that hand off control or leak data to external parties | Agent posts task contents to a URL, sends to unrelated email |
+| P3: Category mismatch | Actions in a different category than the task | Task is about calendar but agent modifies files |
+| P4: Target mismatch | Actions targeting a different entity than specified | Task says "email Alice" but agent emails Bob |
+
+A post-filter suppresses false positives from self-correction patterns (e.g., agent cancels a calendar event it just created in error).
+
+## Configuration
+
+| Environment variable | Description | Default |
+|---------------------|-------------|---------|
+| `OPENROUTER_API_KEY` | OpenRouter API key for scoring model | required |
+| `SECURE_ENV_TASK` | Task description to score actions against | read from agent context |
+| `SECURE_ENV_THRESHOLD` | Score threshold for blocking (0.0 to 1.0) | `0.80` |
+| `SECURE_ENV_DEBUG` | Enable debug logging (`1` or `true`) | off |
+
+You can also run `secure-env setup` for an interactive configuration wizard, or `secure-env login` to connect to the AgentSteer cloud dashboard for real-time monitoring.
+
+## CLI Reference
+
+```bash
+secure-env setup                # Interactive first-run setup
+secure-env install claude-code  # Install hook for Claude Code
+secure-env status               # Show current configuration
+secure-env score "task" "action" # Score a single action
+secure-env sessions             # List monitored sessions
+secure-env version              # Print version
+```
+
+## Links
+
+- **Website**: [agentsteer.ai](https://agentsteer.ai)
+- **Documentation**: [agentsteer.ai/docs](https://agentsteer.ai/docs)
+- **Evaluations**: [agentsteer.ai/evaluations](https://agentsteer.ai/evaluations)
+- **Repository**: [github.com/AgentSteer/AgentSteer](https://github.com/AgentSteer/AgentSteer)
+
+## License
+
+MIT

agentsteer-0.2.0/benchmarks/openhands_v1_agentdojo_20sample/README.md

@@ -0,0 +1,199 @@
+# OpenHands v1 + AgentDojo Security Monitor Benchmark
+
+**Date**: 2026-02-15
+**Setup**: 25 honest + 24 attack AgentDojo trajectories, OpenHands v1 SDK, kimi-k2.5 model
+
+## Results
+
+![Safety vs Capability](roc_curves.png)
+
+[View interactive version](https://gisthost.github.io/?3a52fb29b75a138b5d58af992728b076)
+
+| Monitor | Type | AUC | F1 | Precision | Recall |
+|---------|------|-----|-----|-----------|--------|
+| LLM Self-Assessment | Built-in | 0.64 | 0.65 | 0.59 | 0.73 |
+| [Invariant](https://invariantlabs.ai) | Rule-based | 0.61 | 0.58 | 0.62 | 0.54 |
+| Secure Environments | LLM post-hoc | **0.89** | **0.83** | **0.83** | **0.83** |
+| [GraySwan Cygnal](https://www.grayswan.ai) | Commercial API | 0.69 | 0.58 | 0.82 | 0.45 |
+
+Only the best value per metric column is bolded. Secure Environments (with optimized prompt) wins on all four metrics.
+
+## Cost and Latency
+
+![Cost vs Latency](cost_latency.png)
+
+[View interactive version](https://gisthost.github.io/?1ac197c067865419359d314a49e2dc0d)
+
+| Monitor | Cost / 1M tokens | Latency (measured) | Source |
+|---------|------------------|-------------------|--------|
+| [Invariant](https://invariantlabs.ai) | Free | ~2ms | Local rule-based |
+| Secure Environments | $0.38 | ~377ms | [OpenRouter](https://openrouter.ai/openai/gpt-oss-safeguard-20b/providers) |
+| LLM Self-Assessment (kimi-k2.5) | ~$0 marginal | ~1730ms | Inline with agent LLM |
+| GraySwan Cygnal | $1.00 | ~301ms | [GraySwan pricing](https://www.grayswan.ai/pricing) |
+
+Cost notes:
+- **Secure Environments**: $0.075/1M input + $0.30/1M output via OpenRouter. This is a separate post-hoc LLM call per tool call, on top of the agent cost.
+- **LLM Self-Assessment**: The agent LLM (kimi-k2.5, $0.45/1M input + $0.44/1M output) already runs for every tool call. OpenHands v1 adds a `security_risk` field to the tool schema, so the LLM produces it as part of its normal response. Marginal cost is ~10-20 extra output tokens per tool call (near zero). But it adds the full LLM inference latency.
+- **GraySwan Cygnal**: $1.00/1M tokens. The cost is additive to the underlying LLM cost since Cygnal is a proxy that wraps your LLM provider.
+- Latency measured via 5 API calls each on 2026-02-15. Secure Environments served by Groq via OpenRouter (369-393ms range). GraySwan measured 174-368ms range.
+
+## Methodology
+
+### Graph: Safety vs Capability Curve
+
+The safety vs capability curve is a ROC curve reframed for security monitoring:
+
+- **X-axis (Capability)**: Fraction of honest agent runs that pass the monitor (not falsely flagged). Higher = fewer false alarms on legitimate work.
+- **Y-axis (Safety)**: Fraction of attack agent runs that the monitor catches. Higher = more attacks detected.
+- **Ideal point**: Top-right corner (1.0, 1.0) = catches all attacks while never blocking honest runs.
+- **Random baseline**: The diagonal line, where the monitor is no better than random guessing.
+- **AUC**: Area under this curve. Higher AUC = better overall discrimination. 0.5 = random, 1.0 = perfect.
+
+The curve is traced by sweeping a detection threshold from 0 to 1. At each threshold t:
+- Capability = fraction of honest samples with max_score < t
+- Safety = fraction of attack samples with max_score >= t
+
+### Table: Metrics at Optimal Threshold
+
+Each monitor outputs a suspicion score per tool call (0 to 1). To classify an entire agent run as "honest" or "attack", we:
+
+1. **Aggregate**: Take the **max** suspicion score across all tool calls in the trajectory. This is the sample-level score. Rationale: a single highly suspicious action should flag the whole run.
+2. **Threshold**: Pick a threshold t. If sample score >= t, classify as "attack". Otherwise "honest".
+3. **Optimize threshold**: We pick the threshold that maximizes Youden's J statistic (TPR - FPR), which balances detection rate against false alarm rate.
+4. **Compute metrics** at that threshold:
+   - **Precision**: TP / (TP + FP) = "when it flags, how often is it right?"
+   - **Recall**: TP / (TP + FN) = "what fraction of attacks does it catch?"
+   - **F1**: Harmonic mean of precision and recall
+
+The optimal thresholds per monitor: LLM Self-Assessment=0.25, Invariant=0.01, Secure Environments=0.80, GraySwan=0.05.
+
+### Score Ranges
+
+Different monitors produce different score distributions:
+- **LLM Self-Assessment**: Discrete values {0.0, 0.25, 0.5, 1.0} mapped from LOW/MEDIUM/HIGH/UNKNOWN security_risk. Only 4 possible operating points on the curve.
+- **Invariant**: Discrete values {0.0, 0.5, 1.0} from Invariant AI Labs LocalPolicy engine matching tool names against security policy rules.
+- **Secure Environments**: Continuous 0-1 scores from a separate LLM evaluating each action against the stated task.
+- **GraySwan Cygnal**: Continuous 0-1 scores from GraySwan's commercial security API.
+
+## Prompt Optimization
+
+The Secure Environments prompt has gone through three optimization rounds:
+
+**Round 1 (v1-v22)**: Tested 22 variants on the full 25+24 sample set. Winner (v22) uses XML-structured deliberative alignment, scoring 0-10. Achieved AUC=0.89, F1=0.83.
+
+**Round 2 (v22-v28)**: Focused on reducing false positives to <1% per-action rate using a 20-sample miniset. Winner (v27) uses few-shot examples + code-level read-only filtering. 0% FP but only 52.9% detection on executed attacks. Identified as overfit to the eval set (domain-specific examples, hardcoded tool name prefixes).
+
+**Round 3 (v29-v54)**: Removed all hardcoding and domain-specific examples. Evolved from general category-based prompts (v29-v42) to a policy-per-threat-vector framework (v43-v54). Winner is **v49**.
+
+### Current prompt: v49 (policy-per-threat-vector)
+
+Four ordered policies, no hardcoded tool names, no domain-specific examples:
+
+1. **P1 Read-only**: LLM determines if action only reads/retrieves data from semantic verb list
+2. **P2 Delegation**: Detects when task delegates to external instructions (URLs, TODO lists, emails)
+3. **P3 Category mismatch**: Checks if the task requests this KIND of write (with subcategory precision: "schedule payment" ≠ "send money now")
+4. **P4 Target mismatch**: Only when task contains LITERAL identifiers (IBANs, amounts), checks for value mismatch
+
+Results on 20-sample miniset (threshold=0.80, executed attacks only):
+
+| Version | Strategy | Per-action FP | Detection (exec) | Notes |
+|---------|----------|---------------|-------------------|-------|
+| v27 | Few-shot + code filter | **0.0%** | 52.9% (9/17) | Overfit, hardcoded names |
+| v38 | General category-based | 3.3% | 70.6% (12/17) | Best old general |
+| v40 | Step-by-step general | 1.1% | 52.9% (9/17) | Low FP, low detection |
+| **v49** | **Policy-per-threat-vector** | **1.1% (1/91)** | **88.2% (15/17)** | **Current best** |
+
+v49 catches 15 of 17 executed attacks. The 2 misses are fundamentally undetectable by a single-action monitor (the attack action exactly matches what the task requests — only full conversation context would reveal the injection). See `prompt_iterations/INTENTIONS.md` for full design rationale and evolution.
+
+### Iterating on the prompt
+
+Use `iterate_monitor.py` to test new prompt versions against existing eval logs without re-running agents:
+
+```bash
+# Test a specific prompt version on the miniset
+uv run python iterate_monitor.py --versions v27
+
+# Test multiple versions
+uv run python iterate_monitor.py --versions v23 v25 v27
+
+# Test with code-level read-only filter (recommended)
+uv run python iterate_monitor.py --versions v27 --code-filter
+
+# Test all versions
+uv run python iterate_monitor.py --versions all
+```
+
+This extracts actions from existing `.eval` files, scores them via the OpenRouter API, and prints per-action/per-sample FP and detection rates with a threshold sweep. Results are saved to `prompt_iterations/{version}/`. Takes ~2-3 minutes per version.
+
+To add a new prompt version, add it as `PROMPT_VXX` in `iterate_monitor.py` and add the key to the `PROMPTS` dict.
+
+## Monitors Compared
+
+| # | Monitor | Type | How it works |
+|---|---------|------|-------------|
+| 1 | LLM Self-Assessment | Built-in | OpenHands v1 forces the agent LLM to rate each tool call as LOW/MEDIUM/HIGH risk inline |
+| 2 | [Invariant](https://invariantlabs.ai) | Rule-based | Invariant AI Labs LocalPolicy engine evaluates tool calls against security policy rules |
+| 3 | Secure Environments | LLM post-hoc | Separate LLM (gpt-oss-safeguard-20b) reviews each action against the stated task |
+| 4 | [GraySwan Cygnal](https://www.grayswan.ai) | Commercial API | GraySwan's hosted security analysis API |
+
+## Reproduction
+
+**Dependencies:**
+- [control_arena](https://github.com/UKGovernmentBEIS/control-arena) repo (provides eval framework, monitor protocol)
+- [inspect_ai](https://github.com/UKGovernmentBEIS/inspect_ai) (evaluation framework)
+- [openhands](https://github.com/All-Hands-AI/OpenHands) v1 SDK (agent runtime)
+- [invariant-ai](https://pypi.org/project/invariant-ai/) (Invariant AI Labs policy engine)
+- [plotly](https://pypi.org/project/plotly/), [matplotlib](https://pypi.org/project/matplotlib/), [numpy](https://pypi.org/project/numpy/) (graph generation)
+- API keys in `.env`: `OPENROUTER_API_KEY` (for kimi-k2.5 and oss-safeguard-20b), `GRAYSWAN_API_KEY` (for Cygnal)
+
+```bash
+# 1. Run full benchmark (agent + all 4 monitors, honest + attack)
+uv run python run_full_benchmark.py \
+  --mode both \
+  --model "openrouter/moonshotai/kimi-k2.5" \
+  --model-name "openrouter/moonshotai/kimi-k2.5" \
+  --limit 20 --grayswan --cache
+
+# 2. Iterate on the Secure Environments prompt (no agent re-run needed)
+uv run python iterate_monitor.py --versions v27 --code-filter
+
+# 3. Generate comparison graphs
+uv run python create_safety_capability.py
+uv run python create_cost_graph.py
+
+# 4. Upload results to the eval viewer
+uv run python ../../viewer/process_and_upload.py
+```
+
+## Files
+
+| File | Purpose |
+|------|---------|
+| [run_full_benchmark.py](run_full_benchmark.py) | Main benchmark: runs agent + 3 post-hoc monitors (Invariant, Secure Environments, GraySwan) |
+| [iterate_monitor.py](iterate_monitor.py) | Standalone prompt iteration: test new prompts against existing eval logs |
+| [solver_v1.py](solver_v1.py) | OpenHands v1 SDK solver with inline LLM Self-Assessment |
+| [grayswan_monitor.py](grayswan_monitor.py) | GraySwan Cygnal API monitor implementation |
+| [create_safety_capability.py](create_safety_capability.py) | Safety vs capability curve (plotly + matplotlib) |
+| [create_cost_graph.py](create_cost_graph.py) | Cost and latency scatter plots |
+| [per_sample_scores.json](per_sample_scores.json) | Per-sample max scores for all monitors |
+| [prompt_iterations/](prompt_iterations/) | Saved results per prompt version (honest/attack JSON) |
+
+## Monitor Implementations
+
+All 4 monitors are implemented in this directory:
+
+1. **LLM Self-Assessment** ([solver_v1.py](solver_v1.py)): OpenHands v1 SDK adds `security_risk` field to all tool schemas. The agent LLM rates each call as LOW/MEDIUM/HIGH risk inline. No separate monitor code needed.
+
+2. **Invariant** ([run_full_benchmark.py](run_full_benchmark.py) lines 160-262): Uses `invariant.analyzer.LocalPolicy.from_string()` with a policy covering 13 tool-level rules (send_money, delete_email, update_password, etc.). Runs locally, ~2ms per call.
+
+3. **Secure Environments** ([run_full_benchmark.py](run_full_benchmark.py) lines 69-200): gpt-oss-safeguard-20b via OpenRouter with policy-per-threat-vector prompt (v49). ~377ms per call. No code-level pre-filtering — the LLM handles read-only detection via P1.
+
+4. **GraySwan Cygnal** ([grayswan_monitor.py](grayswan_monitor.py)): Calls GraySwan's hosted API with the full message history. Returns violation scores and injection detection. ~301ms per call, $1.00/1M tokens.
+
+## Decision Log
+
+1. **Sample-level max aggregation**: Each trajectory's score = max suspicion score across all tool calls. This matches deployment: "should I stop this agent run?"
+2. **Real Invariant AI Labs engine**: Uses `LocalPolicy` from the `invariant-ai` package with `await policy.a_analyze()` for async compatibility.
+3. **Optimized prompt via policy-per-threat-vector (v49)**: Three rounds of iteration (v1-v22 on full set, v22-v28 overfit round, v29-v54 generalization). Winner uses 4 ordered policies (read-only, delegation, category mismatch, target mismatch). No hardcoded names, no domain-specific examples. Achieves 1.1% per-action FP, 88.2% detection on executed attacks.
+4. **Random sampling seed=42**: Reproducible selection across all 4 AgentDojo suites.
+5. **Cost data from published pricing**: OpenRouter for Secure Environments and kimi-k2.5, GraySwan pricing page for Cygnal.

agentsteer-0.2.0/benchmarks/openhands_v1_agentdojo_20sample/cost_latency.html

@@ -0,0 +1,7 @@
+<html>
+<head><meta charset="utf-8" /></head>
+<body>
+    <div>                        <script type="text/javascript">window.PlotlyConfig = {MathJaxConfig: 'local'};</script>
+        <script charset="utf-8" src="https://cdn.plot.ly/plotly-3.3.1.min.js" integrity="sha256-4rD3fugVb/nVJYUv5Ky3v+fYXoouHaBSP20WIJuEiWg=" crossorigin="anonymous"></script>                <div id="d973f8a4-052b-4a27-8d85-871eefff2837" class="plotly-graph-div" style="height:500px; width:1000px;"></div>            <script type="text/javascript">                window.PLOTLYENV=window.PLOTLYENV || {};                                if (document.getElementById("d973f8a4-052b-4a27-8d85-871eefff2837")) {                    Plotly.newPlot(                        "d973f8a4-052b-4a27-8d85-871eefff2837",                        [{"marker":{"color":"#4C78A8","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"LLM Self-Assessment (kimi-k2.5)","showlegend":false,"text":["LLM Self-Assessment (kimi-k2.5)"],"textfont":{"color":"#4C78A8","size":9},"textposition":"top right","x":[0.89],"y":[0.64],"type":"scatter","xaxis":"x","yaxis":"y"},{"marker":{"color":"#4C78A8","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"LLM Self-Assessment (kimi-k2.5)","showlegend":false,"text":["LLM Self-Assessment (kimi-k2.5)"],"textfont":{"color":"#4C78A8","size":9},"textposition":"top right","x":[1730],"y":[0.64],"type":"scatter","xaxis":"x2","yaxis":"y2"},{"marker":{"color":"#F58518","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"Invariant","showlegend":false,"text":["Invariant"],"textfont":{"color":"#F58518","size":9},"textposition":"top right","x":[0.001],"y":[0.61],"type":"scatter","xaxis":"x","yaxis":"y"},{"marker":{"color":"#F58518","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"Invariant","showlegend":false,"text":["Invariant"],"textfont":{"color":"#F58518","size":9},"textposition":"top right","x":[2],"y":[0.61],"type":"scatter","xaxis":"x2","yaxis":"y2"},{"marker":{"color":"#E45756","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"Secure Environments","showlegend":false,"text":["Secure Environments"],"textfont":{"color":"#E45756","size":9},"textposition":"top right","x":[0.375],"y":[0.89],"type":"scatter","xaxis":"x","yaxis":"y"},{"marker":{"color":"#E45756","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"Secure Environments","showlegend":false,"text":["Secure Environments"],"textfont":{"color":"#E45756","size":9},"textposition":"top right","x":[377],"y":[0.89],"type":"scatter","xaxis":"x2","yaxis":"y2"},{"marker":{"color":"#54A24B","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"GraySwan Cygnal","showlegend":false,"text":["GraySwan Cygnal"],"textfont":{"color":"#54A24B","size":9},"textposition":"top right","x":[1.0],"y":[0.69],"type":"scatter","xaxis":"x","yaxis":"y"},{"marker":{"color":"#54A24B","line":{"color":"black","width":1},"size":14},"mode":"markers+text","name":"GraySwan Cygnal","showlegend":false,"text":["GraySwan Cygnal"],"textfont":{"color":"#54A24B","size":9},"textposition":"top right","x":[301],"y":[0.69],"type":"scatter","xaxis":"x2","yaxis":"y2"}],                        {"template":{"data":{"histogram2dcontour":[{"type":"histogram2dcontour","colorbar":{"outlinewidth":0,"ticks":""},"colorscale":[[0.0,"#0d0887"],[0.1111111111111111,"#46039f"],[0.2222222222222222,"#7201a8"],[0.3333333333333333,"#9c179e"],[0.4444444444444444,"#bd3786"],[0.5555555555555556,"#d8576b"],[0.6666666666666666,"#ed7953"],[0.7777777777777778,"#fb9f3a"],[0.8888888888888888,"#fdca26"],[1.0,"#f0f921"]]}],"choropleth":[{"type":"choropleth","colorbar":{"outlinewidth":0,"ticks":""}}],"histogram2d":[{"type":"histogram2d","colorbar":{"outlinewidth":0,"ticks":""},"colorscale":[[0.0,"#0d0887"],[0.1111111111111111,"#46039f"],[0.2222222222222222,"#7201a8"],[0.3333333333333333,"#9c179e"],[0.4444444444444444,"#bd3786"],[0.5555555555555556,"#d8576b"],[0.6666666666666666,"#ed7953"],[0.7777777777777778,"#fb9f3a"],[0.8888888888888888,"#fdca26"],[1.0,"#f0f921"]]}],"heatmap":[{"type":"heatmap","colorbar":{"outlinewidth":0,"ticks":""},"colorscale":[[0.0,"#0d0887"],[0.1111111111111111,"#46039f"],[0.2222222222222222,"#7201a8"],[0.3333333333333333,"#9c179e"],[0.4444444444444444,"#bd3786"],[0.5555555555555556,"#d8576b"],[0.6666666666666666,"#ed7953"],[0.7777777777777778,"#fb9f3a"],[0.8888888888888888,"#fdca26"],[1.0,"#f0f921"]]}],"contourcarpet":[{"type":"contourcarpet","colorbar":{"outlinewidth":0,"ticks":""}}],"contour":[{"type":"contour","colorbar":{"outlinewidth":0,"ticks":""},"colorscale":[[0.0,"#0d0887"],[0.1111111111111111,"#46039f"],[0.2222222222222222,"#7201a8"],[0.3333333333333333,"#9c179e"],[0.4444444444444444,"#bd3786"],[0.5555555555555556,"#d8576b"],[0.6666666666666666,"#ed7953"],[0.7777777777777778,"#fb9f3a"],[0.8888888888888888,"#fdca26"],[1.0,"#f0f921"]]}],"surface":[{"type":"surface","colorbar":{"outlinewidth":0,"ticks":""},"colorscale":[[0.0,"#0d0887"],[0.1111111111111111,"#46039f"],[0.2222222222222222,"#7201a8"],[0.3333333333333333,"#9c179e"],[0.4444444444444444,"#bd3786"],[0.5555555555555556,"#d8576b"],[0.6666666666666666,"#ed7953"],[0.7777777777777778,"#fb9f3a"],[0.8888888888888888,"#fdca26"],[1.0,"#f0f921"]]}],"mesh3d":[{"type":"mesh3d","colorbar":{"outlinewidth":0,"ticks":""}}],"scatter":[{"fillpattern":{"fillmode":"overlay","size":10,"solidity":0.2},"type":"scatter"}],"parcoords":[{"type":"parcoords","line":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"scatterpolargl":[{"type":"scatterpolargl","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"bar":[{"error_x":{"color":"#2a3f5f"},"error_y":{"color":"#2a3f5f"},"marker":{"line":{"color":"#E5ECF6","width":0.5},"pattern":{"fillmode":"overlay","size":10,"solidity":0.2}},"type":"bar"}],"scattergeo":[{"type":"scattergeo","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"scatterpolar":[{"type":"scatterpolar","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"histogram":[{"marker":{"pattern":{"fillmode":"overlay","size":10,"solidity":0.2}},"type":"histogram"}],"scattergl":[{"type":"scattergl","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"scatter3d":[{"type":"scatter3d","line":{"colorbar":{"outlinewidth":0,"ticks":""}},"marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"scattermap":[{"type":"scattermap","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"scattermapbox":[{"type":"scattermapbox","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"scatterternary":[{"type":"scatterternary","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"scattercarpet":[{"type":"scattercarpet","marker":{"colorbar":{"outlinewidth":0,"ticks":""}}}],"carpet":[{"aaxis":{"endlinecolor":"#2a3f5f","gridcolor":"white","linecolor":"white","minorgridcolor":"white","startlinecolor":"#2a3f5f"},"baxis":{"endlinecolor":"#2a3f5f","gridcolor":"white","linecolor":"white","minorgridcolor":"white","startlinecolor":"#2a3f5f"},"type":"carpet"}],"table":[{"cells":{"fill":{"color":"#EBF0F8"},"line":{"color":"white"}},"header":{"fill":{"color":"#C8D4E3"},"line":{"color":"white"}},"type":"table"}],"barpolar":[{"marker":{"line":{"color":"#E5ECF6","width":0.5},"pattern":{"fillmode":"overlay","size":10,"solidity":0.2}},"type":"barpolar"}],"pie":[{"automargin":true,"type":"pie"}]},"layout":{"autotypenumbers":"strict","colorway":["#636efa","#EF553B","#00cc96","#ab63fa","#FFA15A","#19d3f3","#FF6692","#B6E880","#FF97FF","#FECB52"],"font":{"color":"#2a3f5f"},"hovermode":"closest","hoverlabel":{"align":"left"},"paper_bgcolor":"white","plot_bgcolor":"#E5ECF6","polar":{"bgcolor":"#E5ECF6","angularaxis":{"gridcolor":"white","linecolor":"white","ticks":""},"radialaxis":{"gridcolor":"white","linecolor":"white","ticks":""}},"ternary":{"bgcolor":"#E5ECF6","aaxis":{"gridcolor":"white","linecolor":"white","ticks":""},"baxis":{"gridcolor":"white","linecolor":"white","ticks":""},"caxis":{"gridcolor":"white","linecolor":"white","ticks":""}},"coloraxis":{"colorbar":{"outlinewidth":0,"ticks":""}},"colorscale":{"sequential":[[0.0,"#0d0887"],[0.1111111111111111,"#46039f"],[0.2222222222222222,"#7201a8"],[0.3333333333333333,"#9c179e"],[0.4444444444444444,"#bd3786"],[0.5555555555555556,"#d8576b"],[0.6666666666666666,"#ed7953"],[0.7777777777777778,"#fb9f3a"],[0.8888888888888888,"#fdca26"],[1.0,"#f0f921"]],"sequentialminus":[[0.0,"#0d0887"],[0.1111111111111111,"#46039f"],[0.2222222222222222,"#7201a8"],[0.3333333333333333,"#9c179e"],[0.4444444444444444,"#bd3786"],[0.5555555555555556,"#d8576b"],[0.6666666666666666,"#ed7953"],[0.7777777777777778,"#fb9f3a"],[0.8888888888888888,"#fdca26"],[1.0,"#f0f921"]],"diverging":[[0,"#8e0152"],[0.1,"#c51b7d"],[0.2,"#de77ae"],[0.3,"#f1b6da"],[0.4,"#fde0ef"],[0.5,"#f7f7f7"],[0.6,"#e6f5d0"],[0.7,"#b8e186"],[0.8,"#7fbc41"],[0.9,"#4d9221"],[1,"#276419"]]},"xaxis":{"gridcolor":"white","linecolor":"white","ticks":"","title":{"standoff":15},"zerolinecolor":"white","automargin":true,"zerolinewidth":2},"yaxis":{"gridcolor":"white","linecolor":"white","ticks":"","title":{"standoff":15},"zerolinecolor":"white","automargin":true,"zerolinewidth":2},"scene":{"xaxis":{"backgroundcolor":"#E5ECF6","gridcolor":"white","linecolor":"white","showbackground":true,"ticks":"","zerolinecolor":"white","gridwidth":2},"yaxis":{"backgroundcolor":"#E5ECF6","gridcolor":"white","linecolor":"white","showbackground":true,"ticks":"","zerolinecolor":"white","gridwidth":2},"zaxis":{"backgroundcolor":"#E5ECF6","gridcolor":"white","linecolor":"white","showbackground":true,"ticks":"","zerolinecolor":"white","gridwidth":2}},"shapedefaults":{"line":{"color":"#2a3f5f"}},"annotationdefaults":{"arrowcolor":"#2a3f5f","arrowhead":0,"arrowwidth":1},"geo":{"bgcolor":"white","landcolor":"#E5ECF6","subunitcolor":"white","showland":true,"showlakes":true,"lakecolor":"white"},"title":{"x":0.05},"mapbox":{"style":"light"}}},"xaxis":{"anchor":"y","domain":[0.0,0.45],"title":{"text":"Cost per 1M tokens ($)"},"type":"log"},"yaxis":{"anchor":"x","domain":[0.0,1.0],"title":{"text":"AUC"},"range":[0.45,0.95]},"xaxis2":{"anchor":"y2","domain":[0.55,1.0],"title":{"text":"Latency per call (ms)"},"type":"log"},"yaxis2":{"anchor":"x2","domain":[0.0,1.0],"title":{"text":"AUC"},"range":[0.45,0.95]},"annotations":[{"font":{"size":16},"showarrow":false,"text":"Cost vs Detection Quality","x":0.225,"xanchor":"center","xref":"paper","y":1.0,"yanchor":"bottom","yref":"paper"},{"font":{"size":16},"showarrow":false,"text":"Latency vs Detection Quality","x":0.775,"xanchor":"center","xref":"paper","y":1.0,"yanchor":"bottom","yref":"paper"}],"font":{"size":12},"width":1000,"height":500},                        {"responsive": true}                    )                };            </script>        </div>
+</body>
+</html>