benchleak 0.1.0__tar.gz

benchleak-0.1.0/.claude/settings.local.json

@@ -0,0 +1,26 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(python3 -m venv .venv)",
+      "Bash(.venv/bin/python -m pip install --upgrade pip -q)",
+      "Bash(python3 -c \"import pypdf\")",
+      "Bash(python3 -c \"import pdfminer\")",
+      "Bash(.venv/bin/pip install *)",
+      "Bash(.venv/bin/python -c ' *)",
+      "Bash(.venv/bin/python *)",
+      "Bash(git add *)",
+      "Bash(git commit *)",
+      "Bash(git push *)",
+      "Bash(echo \"exit code: $?\")",
+      "Bash(brew --prefix xz)",
+      "Bash(pyenv --version)",
+      "Bash(echo \"venv python -> $\\(readlink -f .venv/bin/python 2>/dev/null || .venv/bin/python -c 'import sys;print\\(sys.executable\\)'\\)\")",
+      "Bash(LDFLAGS=\"-L/opt/homebrew/opt/xz/lib\" CPPFLAGS=\"-I/opt/homebrew/opt/xz/include\" pyenv install -f 3.10.11)",
+      "Bash(/Users/mouadbouchnaf/.pyenv/versions/3.10.11/bin/python3.10 -c \"import lzma; print\\('base lzma ok'\\)\")",
+      "Bash(grep -E \"reference.txt|data/|\\\\.py$|RECORD\")",
+      "Bash(.venv/bin/twine check *)",
+      "WebFetch(domain:pypi.org)",
+      "Bash(unzip -p dist/*.whl '*/METADATA')"
+    ]
+  }
+}

benchleak-0.1.0/.gitignore

@@ -0,0 +1,231 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[codz]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#   Usually these files are written by a python script from a template
+#   before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py.cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+# Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+# uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+# poetry.lock
+# poetry.toml
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#   pdm recommends including project-wide configuration in pdm.toml, but excluding .pdm-python.
+#   https://pdm-project.org/en/latest/usage/project/#working-with-version-control
+# pdm.lock
+# pdm.toml
+.pdm-python
+.pdm-build/
+
+# pixi
+#   Similar to Pipfile.lock, it is generally recommended to include pixi.lock in version control.
+# pixi.lock
+#   Pixi creates a virtual environment in the .pixi directory, just like venv module creates one
+#   in the .venv directory. It is recommended not to include this directory in version control.
+.pixi
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# Redis
+*.rdb
+*.aof
+*.pid
+
+# RabbitMQ
+mnesia/
+rabbitmq/
+rabbitmq-data/
+
+# ActiveMQ
+activemq-data/
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.envrc
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#   JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#   be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#   and can be added to the global gitignore or merged into this file.  For a more nuclear
+#   option (not recommended) you can uncomment the following to ignore the entire idea folder.
+# .idea/
+
+# Abstra
+#   Abstra is an AI-powered process automation framework.
+#   Ignore directories containing user credentials, local state, and settings.
+#   Learn more at https://abstra.io/docs
+.abstra/
+
+# Visual Studio Code
+#   Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#   that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
+#   and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#   you could uncomment the following to ignore the entire vscode folder
+# .vscode/
+# Temporary file for partial code execution
+tempCodeRunnerFile.py
+
+# Ruff stuff:
+.ruff_cache/
+
+# PyPI configuration file
+.pypirc
+
+# Marimo
+marimo/_static/
+marimo/_lsp/
+__marimo__/
+
+# Streamlit
+.streamlit/secrets.toml
+
+# benchleak
+# JetBrains IDE config
+.idea/
+# Model weights and HuggingFace caches
+*.safetensors
+*.bin
+.cache/huggingface/
+# Reference papers (kept local, not committed)
+papers/
+# Generated contamination reports
+reports/
+*.DS_Store

benchleak-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 bouchnam
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

benchleak-0.1.0/PKG-INFO

@@ -0,0 +1,156 @@
+Metadata-Version: 2.4
+Name: benchleak
+Version: 0.1.0
+Summary: Detect benchmark contamination in large language models
+Project-URL: Homepage, https://github.com/bouchnam/benchleak
+Project-URL: Repository, https://github.com/bouchnam/benchleak
+Author: Mouad Bouchnaf
+License: Apache-2.0
+License-File: LICENSE
+Keywords: benchmark,contamination,evaluation,llm,memorization
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Science/Research
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
+Requires-Python: >=3.10
+Requires-Dist: datasets>=2.18
+Requires-Dist: numpy>=1.24
+Requires-Dist: rich>=13.0
+Requires-Dist: scipy>=1.11
+Requires-Dist: torch>=2.0
+Requires-Dist: transformers>=4.40
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.4; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# benchleak 🔍
+
+> **Did this model train on the test set? Find out in one command.**
+
+When a model scores 90% on GSM8K or MATH, was it genuinely capable or did it
+memorise the benchmark during training? Benchleak answers that with a
+mathematical membership-inference test on the model's own token probabilities.
+No LLM judges, no API calls, runs locally on any HuggingFace causal LM.
+
+## Status
+
+🚧 **Early alpha.** The **pre-training** detector (Min-K% Prob) is implemented and
+runnable end to end. The SFT and RL-post-training detectors are planned but **not
+yet built**, so don't expect them yet.
+
+## Install
+
+```bash
+pip install benchleak
+```
+
+This pulls in `torch`, `transformers`, and `datasets`. To work from a clone
+instead, run `pip install -e .` in the repo root.
+
+## Usage
+
+```bash
+benchleak --model Qwen/Qwen2.5-0.5B --benchmark gsm8k
+```
+
+The model can be any HuggingFace-format causal LM, given as a Hub id or a local
+checkpoint directory. GGUF, llama.cpp, and Ollama formats are not supported.
+
+### Private or gated models
+
+For a repository that requires authentication, provide a HuggingFace token. Any
+of these work:
+
+```bash
+huggingface-cli login                  # cached credential, picked up automatically
+export HF_TOKEN=hf_xxx                  # environment variable
+benchleak --model my/private-model --benchmark gsm8k --hf-token hf_xxx
+```
+
+### Speed
+
+Scoring runs one forward pass per sample. On a CPU-only machine the default
+`--limit 200` can take many minutes; use a smaller `--limit` for a quick look, or
+`--device cuda` / `--device mps` to use a GPU.
+
+```
+benchleak: pre-training contamination report
+====================================================
+Model:       Qwen/Qwen2.5-0.5B
+Benchmark:   gsm8k
+Detector:    min-k% prob
+Samples:     200 benchmark vs 200 reference
+
+Separation (AUC):   0.71   [HIGH]
+Significance (p):   3.2e-08
+Flag thresholds:    AUC >= 0.6, p < 0.05
+
+Verdict: LIKELY CONTAMINATED
+```
+
+Known benchmarks (`gsm8k`, `math`, `arc-challenge`, `truthfulqa`) work by name. For
+any other Hub dataset, pass the path plus its text column(s):
+
+```bash
+benchleak --model my/model --benchmark some/dataset --field question --field answer
+```
+
+## How it works
+
+The benchmark is scored against a **reference set** of text the model is not
+expected to have memorised. Min-K% Prob assigns each text the mean log-probability
+of its least-likely *k%* of tokens. Memorised text has fewer surprising tokens
+and scores higher. The tool then measures how strongly the benchmark's scores separate
+from the reference's, reported as an AUC (`U / nm` from a Mann-Whitney test) with
+a significance p-value. AUC ≈ 0.5 means the benchmark looks like fresh data; AUC
+well above 0.5 is the memorisation signature of contamination.
+
+A small reference set ships with the tool so it runs out of the box. For the
+cleanest signal, supply your own domain-matched reference data with
+`--reference my_reference.txt` (one passage per line).
+
+For the full reasoning (why a reference set is needed, the choice of test, and
+where the method can mislead), see [docs/how-it-works.md](docs/how-it-works.md).
+
+| Phase | Method | Status |
+|-------|--------|--------|
+| Pre-training | Min-K% probability (Shi et al. 2024) | ✅ implemented |
+| SFT | Self-prompt calibration (Fu et al. 2024) | ⏳ planned |
+| RL post-training | Self-Critique entropy (Tao et al. 2025) | ⏳ planned |
+
+## Caveats
+
+- A verdict needs **≥ 5 samples per side**; the significance test cannot reach
+  p < 0.05 below that.
+- The bundled reference is general-domain prose. Comparing it against a
+  narrow-domain benchmark (e.g. math) can confound *domain* with *memorisation*;
+  prefer a domain-matched `--reference` for results you intend to publish.
+
+## Troubleshooting
+
+**`ModuleNotFoundError: No module named '_lzma'`** when loading a benchmark. The
+`datasets` library needs Python's `lzma` module, which is absent from some Python
+builds (commonly pyenv on macOS compiled without the `xz` library). Install `xz`
+and rebuild Python:
+
+```bash
+brew install xz
+LDFLAGS="-L$(brew --prefix xz)/lib" CPPFLAGS="-I$(brew --prefix xz)/include" \
+  pyenv install -f <your-python-version>
+```
+
+Then reuse or recreate your virtual environment. benchleak detects this case and
+prints the same guidance.
+
+## Citation
+
+Implements methods from:
+- Shi et al., 2024. *Detecting Pretraining Data from Large Language Models* (arXiv:2310.16789)
+- Fu et al., 2024. *Membership Inference via Self-Prompt Calibration*
+- Tao et al., 2025. *Detecting Data Contamination from RL Post-training* (arXiv:2510.09259)
+
+## License
+
+Apache-2.0

benchleak-0.1.0/README.md

@@ -0,0 +1,129 @@
+# benchleak 🔍
+
+> **Did this model train on the test set? Find out in one command.**
+
+When a model scores 90% on GSM8K or MATH, was it genuinely capable or did it
+memorise the benchmark during training? Benchleak answers that with a
+mathematical membership-inference test on the model's own token probabilities.
+No LLM judges, no API calls, runs locally on any HuggingFace causal LM.
+
+## Status
+
+🚧 **Early alpha.** The **pre-training** detector (Min-K% Prob) is implemented and
+runnable end to end. The SFT and RL-post-training detectors are planned but **not
+yet built**, so don't expect them yet.
+
+## Install
+
+```bash
+pip install benchleak
+```
+
+This pulls in `torch`, `transformers`, and `datasets`. To work from a clone
+instead, run `pip install -e .` in the repo root.
+
+## Usage
+
+```bash
+benchleak --model Qwen/Qwen2.5-0.5B --benchmark gsm8k
+```
+
+The model can be any HuggingFace-format causal LM, given as a Hub id or a local
+checkpoint directory. GGUF, llama.cpp, and Ollama formats are not supported.
+
+### Private or gated models
+
+For a repository that requires authentication, provide a HuggingFace token. Any
+of these work:
+
+```bash
+huggingface-cli login                  # cached credential, picked up automatically
+export HF_TOKEN=hf_xxx                  # environment variable
+benchleak --model my/private-model --benchmark gsm8k --hf-token hf_xxx
+```
+
+### Speed
+
+Scoring runs one forward pass per sample. On a CPU-only machine the default
+`--limit 200` can take many minutes; use a smaller `--limit` for a quick look, or
+`--device cuda` / `--device mps` to use a GPU.
+
+```
+benchleak: pre-training contamination report
+====================================================
+Model:       Qwen/Qwen2.5-0.5B
+Benchmark:   gsm8k
+Detector:    min-k% prob
+Samples:     200 benchmark vs 200 reference
+
+Separation (AUC):   0.71   [HIGH]
+Significance (p):   3.2e-08
+Flag thresholds:    AUC >= 0.6, p < 0.05
+
+Verdict: LIKELY CONTAMINATED
+```
+
+Known benchmarks (`gsm8k`, `math`, `arc-challenge`, `truthfulqa`) work by name. For
+any other Hub dataset, pass the path plus its text column(s):
+
+```bash
+benchleak --model my/model --benchmark some/dataset --field question --field answer
+```
+
+## How it works
+
+The benchmark is scored against a **reference set** of text the model is not
+expected to have memorised. Min-K% Prob assigns each text the mean log-probability
+of its least-likely *k%* of tokens. Memorised text has fewer surprising tokens
+and scores higher. The tool then measures how strongly the benchmark's scores separate
+from the reference's, reported as an AUC (`U / nm` from a Mann-Whitney test) with
+a significance p-value. AUC ≈ 0.5 means the benchmark looks like fresh data; AUC
+well above 0.5 is the memorisation signature of contamination.
+
+A small reference set ships with the tool so it runs out of the box. For the
+cleanest signal, supply your own domain-matched reference data with
+`--reference my_reference.txt` (one passage per line).
+
+For the full reasoning (why a reference set is needed, the choice of test, and
+where the method can mislead), see [docs/how-it-works.md](docs/how-it-works.md).
+
+| Phase | Method | Status |
+|-------|--------|--------|
+| Pre-training | Min-K% probability (Shi et al. 2024) | ✅ implemented |
+| SFT | Self-prompt calibration (Fu et al. 2024) | ⏳ planned |
+| RL post-training | Self-Critique entropy (Tao et al. 2025) | ⏳ planned |
+
+## Caveats
+
+- A verdict needs **≥ 5 samples per side**; the significance test cannot reach
+  p < 0.05 below that.
+- The bundled reference is general-domain prose. Comparing it against a
+  narrow-domain benchmark (e.g. math) can confound *domain* with *memorisation*;
+  prefer a domain-matched `--reference` for results you intend to publish.
+
+## Troubleshooting
+
+**`ModuleNotFoundError: No module named '_lzma'`** when loading a benchmark. The
+`datasets` library needs Python's `lzma` module, which is absent from some Python
+builds (commonly pyenv on macOS compiled without the `xz` library). Install `xz`
+and rebuild Python:
+
+```bash
+brew install xz
+LDFLAGS="-L$(brew --prefix xz)/lib" CPPFLAGS="-I$(brew --prefix xz)/include" \
+  pyenv install -f <your-python-version>
+```
+
+Then reuse or recreate your virtual environment. benchleak detects this case and
+prints the same guidance.
+
+## Citation
+
+Implements methods from:
+- Shi et al., 2024. *Detecting Pretraining Data from Large Language Models* (arXiv:2310.16789)
+- Fu et al., 2024. *Membership Inference via Self-Prompt Calibration*
+- Tao et al., 2025. *Detecting Data Contamination from RL Post-training* (arXiv:2510.09259)
+
+## License
+
+Apache-2.0

benchleak-0.1.0/benchleak/__init__.py

@@ -0,0 +1,3 @@
+"""benchleak: detect benchmark contamination in large language models."""
+
+__version__ = "0.1.0"

benchleak-0.1.0/benchleak/cli.py

@@ -0,0 +1,83 @@
+"""Command line interface for benchleak.
+
+    benchleak --model Qwen/Qwen2.5-0.5B --benchmark gsm8k
+
+Loads a HuggingFace model and a benchmark, scores both the benchmark and a
+reference set with the Min-K% pre-training detector, and prints a contamination
+report. Exits non-zero when the benchmark is flagged as likely contaminated.
+"""
+
+from __future__ import annotations
+
+import argparse
+import os
+import sys
+
+from . import __version__
+from .core import scan
+from .data import load_reference
+from .detectors.pretrain import DEFAULT_K, MinKProbDetector
+from .loading import load_benchmark, load_model, resolve_spec
+from .report import format_report
+
+
+def build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(
+        prog="benchleak",
+        description="Detect pre-training benchmark contamination in an LLM (Min-K% Prob).",
+    )
+    parser.add_argument("--model", required=True, help="HuggingFace model id, e.g. Qwen/Qwen2.5-0.5B")
+    parser.add_argument("--benchmark", required=True, help="benchmark name (gsm8k, math, ...) or a Hub dataset path")
+    parser.add_argument("--reference", help="path to a reference-text file (one passage per line); defaults to the bundled set")
+    parser.add_argument("--field", action="append", dest="fields", help="benchmark text column(s); repeatable. Required for an unknown benchmark")
+    parser.add_argument("--config", help="dataset config/subset name")
+    parser.add_argument("--split", help="dataset split (default depends on the benchmark)")
+    parser.add_argument("--limit", type=int, default=200, help="max samples per side (default: 200)")
+    parser.add_argument("--k", type=float, default=DEFAULT_K, help=f"Min-K%% percentage (default: {DEFAULT_K})")
+    parser.add_argument("--max-length", type=int, default=2048, help="truncate texts to this many tokens (default: 2048)")
+    parser.add_argument("--device", help="device to place the model on, e.g. cuda or mps")
+    parser.add_argument("--dtype", default="auto", help="model dtype passed to transformers (default: auto)")
+    parser.add_argument(
+        "--hf-token",
+        default=os.environ.get("HF_TOKEN"),
+        help="HuggingFace token for private/gated models; defaults to the HF_TOKEN env var or a cached huggingface-cli login",
+    )
+    parser.add_argument("--version", action="version", version=f"benchleak {__version__}")
+    return parser
+
+
+def run(args: argparse.Namespace) -> int:
+    spec = resolve_spec(args.benchmark, config=args.config, split=args.split, fields=args.fields)
+
+    print(f"Loading model {args.model} ...", file=sys.stderr)
+    model, tokenizer = load_model(args.model, device=args.device, dtype=args.dtype, token=args.hf_token)
+
+    print(f"Loading benchmark {spec.path} ({spec.split}) ...", file=sys.stderr)
+    benchmark_texts = load_benchmark(spec, limit=args.limit)
+    reference_texts = load_reference(args.reference, limit=args.limit)
+
+    detector = MinKProbDetector(model, tokenizer, k=args.k, max_length=args.max_length)
+    print(f"Scoring {len(benchmark_texts)} benchmark + {len(reference_texts)} reference samples ...", file=sys.stderr)
+    result = scan(
+        detector,
+        benchmark_texts,
+        reference_texts,
+        detector_name="min-k% prob",
+        benchmark_name=args.benchmark,
+    )
+
+    print(format_report(result, model_id=args.model))
+    return 1 if result.contaminated else 0
+
+
+def main(argv: list[str] | None = None) -> int:
+    args = build_parser().parse_args(argv)
+    try:
+        return run(args)
+    except Exception as exc:  # surface a clean message instead of a traceback
+        print(f"error: {exc}", file=sys.stderr)
+        return 2
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())