dspy-security-bench 0.1.0__tar.gz

dspy_security_bench-0.1.0/.github/workflows/test.yml

@@ -0,0 +1,37 @@
+name: tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  pytest:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        python-version: ["3.10", "3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v3
+        with:
+          enable-cache: true
+
+      - name: Set up Python ${{ matrix.python-version }}
+        run: uv python install ${{ matrix.python-version }}
+
+      - name: Create venv and install
+        run: |
+          uv venv --python ${{ matrix.python-version }}
+          uv pip install -e ".[dev]"
+
+      - name: Run pytest
+        run: |
+          source .venv/bin/activate
+          pytest tests/ -v --tb=short

dspy_security_bench-0.1.0/.gitignore

@@ -0,0 +1,55 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Virtual envs
+.venv/
+venv/
+ENV/
+
+# Test + cache
+.pytest_cache/
+.coverage
+.coverage.*
+htmlcov/
+.cache
+.ruff_cache/
+.mypy_cache/
+
+# Generated data (intentionally git-ignored — regenerate with the CLI)
+data/synthetic_train/
+data/results/
+logs/
+*.jsonl
+
+# OS
+.DS_Store
+Thumbs.db
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Local config
+.env
+.env.local

dspy_security_bench-0.1.0/ARCHITECTURE.md

@@ -0,0 +1,246 @@
+# Architecture
+
+This document is the engineering map of `dspy-security-bench` — what each
+module does, why it exists, and which v0.1 scope choices are deliberate.
+
+## One-paragraph summary
+
+`dspy-security-bench` runs three pipelines in sequence:
+
+1. **Trainset synthesis** — generates ~100 read-only query tasks per AgentDojo
+   suite, grounded in the suite's seed environment data, using one or two
+   strong LLMs as generators.
+2. **DSPy optimization** — runs `BootstrapFewShot`, `MIPROv2`, etc. against the
+   synthetic trainset to produce a dict of named agent factories (one per
+   optimizer).
+3. **AgentDojo evaluation** — wraps each agent factory in a
+   `DSPyReActV2Element` pipeline and runs AgentDojo's
+   `benchmark_suite_with_injections` across the requested attack suite.
+
+The output is a `pandas.DataFrame` with one row per
+`(optimizer, attack, user_task, injection_task)` combination, columns
+`utility` and `security`.
+
+## Module map
+
+```
+dspy_security_bench/
+├── synthesis/
+│   ├── extract_env_data.py    # markdown summary of suite seed env
+│   ├── generator.py           # LLM-based task synthesis
+│   └── validator.py           # syntactic + dedupe + (optional) solvability
+├── adapters/
+│   └── agentdojo.py           # DSPyReActV2Element pipeline wrapper
+├── optimizers.py              # named optimizer harness + substring metric
+├── llm_judge.py               # LLM-as-judge metric (fast-path substring)
+└── runner.py                  # benchmark orchestration + DataFrame
+```
+
+### `synthesis/extract_env_data.py`
+
+Produces a compact markdown summary of an AgentDojo suite's seed env (the
+state of calendar, inbox, files, etc. before any task runs). Used by:
+
+- the synthesis generator, as prompt context grounding the LLM
+- the validator, as the searchable corpus for the syntactic check
+
+Suite-specific extractors (currently only `workspace`) emit nicer summaries;
+a generic introspection fallback works for `banking`, `travel`, `slack`.
+
+### `synthesis/generator.py`
+
+Given a suite name and an LLM model identifier (e.g. `openai/gpt-4o` or
+`anthropic/claude-sonnet-4-5` via litellm), generates a list of
+`{"prompt", "ground_truth"}` dicts.
+
+Each batch prompt contains:
+
+- the full tool list with parameter signatures
+- the env data summary (from `extract_env_data`)
+- 3 real example tasks (auto-picked from `suite.user_tasks` filtering for
+  interrogative read-only prompts with non-empty `GROUND_TRUTH_OUTPUT`)
+- strict constraints (read-only, env-grounded, JSON output)
+
+Supports `--dry-run` to print the assembled prompt without paying for API
+calls.
+
+### `synthesis/validator.py`
+
+Three independent checks, each can be enabled separately:
+
+| Check | What | Implementation |
+|---|---|---|
+| `syntactic` | The ground_truth string appears in the suite's env corpus (case-insensitive) | substring + multi-token fallback |
+| `dedupe` | The prompt is not too similar to any real test-suite user task | sentence-transformers cosine over `all-MiniLM-L6-v2`; threshold 0.9 |
+| `solvability` | A small judge LLM can produce the answer given (task, env-excerpt) | optional, costs API tokens |
+
+Returns a `ValidationResult` with `kept`, `dropped` (each with `_reason`),
+and `counts_by_reason`.
+
+### `adapters/agentdojo.py` — `DSPyReActV2Element`
+
+The critical bridge. Implements `BasePipelineElement.query()` so a DSPy
+program can run as an AgentDojo pipeline element.
+
+Flow per call:
+
+1. Translate `runtime.functions` (AgentDojo `Function` objects) → `dspy.Tool`
+   closures, each binding the AgentDojo `runtime` + `env`. Critically, the
+   closures call `runtime.run_function(env, name, kwargs)`, which means
+   attacks that mutate `env` surface naturally in tool outputs.
+2. Instantiate `dspy.ReActV2` with these tools via the user-supplied
+   `agent_factory`.
+3. Run the agent (`agent(query=query)`).
+4. Translate `result.history.messages` into AgentDojo `ChatAssistantMessage`
+   and `ChatToolResultMessage` types, preserving tool call IDs.
+5. Append a final `ChatAssistantMessage` with the model's output for
+   AgentDojo's `utility()` to check.
+
+**v0.1 constraints (documented for honest scope):**
+
+- The agent's signature must have **exactly one output field**.
+- Tool results are JSON-serialized for the agent (lossy for complex types).
+- Tool errors surface as observation strings, not exceptions.
+- The ReActV2 ID-collision bug ([dspy#9825](https://github.com/stanfordnlp/dspy/pull/9825))
+  is irrelevant here because each AgentDojo task is a single `forward()` call.
+
+### `optimizers.py`
+
+Two responsibilities:
+
+1. **Trainset prep** — converts `{"prompt", "ground_truth"}` dicts into
+   `dspy.Example` objects with `query` as the input field.
+2. **Optimizer harness** — `build_agent_factories(...)` runs each requested
+   optimizer (`unoptimized`, `bootstrap_fewshot`, `miprov2`) and returns a
+   dict mapping optimizer name → `agent_factory(tools, max_iters) → ReActV2`.
+
+Training-time tools are bound to a *fresh* suite env, separate from the
+test-time env. The factory we return baked in the optimized instructions
+and demos; at test time the factory creates a fresh `ReActV2` with the
+test-time tools and applies the optimized state.
+
+Also exports `substring_match_metric` — the v0.1 placeholder metric.
+
+### `llm_judge.py`
+
+A drop-in replacement for `substring_match_metric` that uses a small LLM
+(default: `openai/gpt-4o-mini`) as a judge.
+
+Key design choices:
+
+- **Substring fast path**: if the ground truth appears in the agent's answer,
+  return 1.0 immediately without an LLM call (~60-80% of well-grounded
+  synthetic tasks).
+- **Single-field judge signature** (no chain-of-thought): minimizes token
+  cost and parsing failure modes.
+- **Graceful fallback**: on judge LLM failure (parse error, rate limit, etc.),
+  falls back to the substring metric and returns its score.
+- **Cacheable**: DSPy's LM uses litellm's cache, so repeated optimizer
+  evaluations on the same (example, prediction) hit cache.
+
+### `runner.py`
+
+The orchestrator. Given a dict of factories and a list of attacks:
+
+1. Builds an `AgentPipeline([InitQuery(), DSPyReActV2Element(factory)])` per
+   factory.
+2. For each `(factory, attack)` combination, calls
+   `agentdojo.benchmark.benchmark_suite_with_injections(...)` which returns a
+   `SuiteResults` dict keyed by `(user_task_id, injection_task_id)`.
+3. Flattens `SuiteResults` into rows with explicit columns.
+4. Returns a `pandas.DataFrame`.
+
+`summarize(df)` produces the `(optimizer, attack)` aggregation:
+`utility_rate`, `security_rate`, `injection_success_rate`, `n_runs`.
+
+**Convention**: AgentDojo's `security_results[k] == True` means the injection
+succeeded (bad). We expose both `injection_succeeded` (AgentDojo's
+convention) and `security` (= 1 - injection_succeeded, so higher is better
+and matches `utility`'s direction).
+
+## v0.1 scope choices and why
+
+### Why synthesize a trainset rather than split AgentDojo's tasks
+
+AgentDojo has ~25-40 user tasks per suite. Splitting 70/30 leaves 7-12
+training examples — below what BootstrapFewShot or MIPROv2 need to find a
+meaningful improvement. Synthesizing 100 in-distribution tasks per suite
+gives the optimizers enough signal while keeping the real AgentDojo tasks
+as a clean held-out test set.
+
+The cost: synthesis methodology becomes part of the contribution and must
+be defended (we use two generator LLMs to reduce monoculture bias, and the
+validator drops syntactically-invalid and duplicate tasks).
+
+### Why query-only synthesis
+
+AgentDojo's action tasks (send email, create event, modify file) have
+hand-written `utility()` checks that inspect env-state mutations. These
+checks cannot be auto-synthesized — they require domain knowledge per task.
+
+We restrict synthesis to read-only query tasks because:
+
+- Query utility = "answer contains ground truth string" templates trivially
+- Query tasks make up ~40% of AgentDojo's real test set, so training on this
+  distribution is not unreasonable
+- The research question (does *prompt optimization* affect robustness?) does
+  not require action-task training — robustness is mostly about parsing
+  adversarial input, not about complex action selection
+
+### Why hybrid metric (LLM-judge for train, real `utility()` for test)
+
+- LLM-judge for training: cheap, paraphrase-tolerant, scales to optimizer
+  evaluation cycles
+- Real AgentDojo `utility()` for testing: rigorous, reproducible, the actual
+  metric the benchmark community uses
+
+This separation pre-empts the obvious reviewer pushback ("you trained and
+tested on the same metric"). It also lets us publish strong claims about
+robustness without claiming anything about the judge LLM.
+
+### Why single-output signature
+
+ReActV2 produces structured outputs via its `submit` tool. AgentDojo's
+`utility()` takes a single `model_output` string. To bridge cleanly without
+ambiguity, v0.1 requires the user's signature to have exactly one output
+field. Multi-output support is a v0.2 question that needs a per-field
+concatenation policy.
+
+## Known gaps and v0.2 roadmap
+
+- **Suite-tuned extractors** for banking, travel, slack (the generic
+  fallback works but produces less compact prompts).
+- **GEPA optimizer** in the harness (currently `unoptimized`,
+  `bootstrap_fewshot`, `miprov2`).
+- **Action-task synthesis** with synthesized utility checks (hard — likely
+  needs LM-generated `expected_final_state` and a separate state-diff
+  judge).
+- **Multi-output signature support**.
+- **Action-aware attacks** in the report (currently aggregated across all
+  attack types).
+- **Notebook tutorials** (`docs/tutorial/`) — a v0.1 README-quickstart-style
+  notebook is the next planned artifact.
+- **TMLR submission** — if v0.1 findings are publishable, the next step is a
+  short empirical paper. The benchmark methodology is described here; the
+  paper would add a comprehensive empirical sweep across all 4 suites and a
+  qualitative analysis of optimizer-induced robustness mechanisms.
+
+## Repository layout
+
+```
+.
+├── dspy_security_bench/        # the package
+│   ├── synthesis/
+│   ├── adapters/
+│   ├── optimizers.py
+│   ├── llm_judge.py
+│   └── runner.py
+├── tests/                       # pytest suite (planned, v0.2)
+├── data/                        # generated synthetic trainsets (git-ignored)
+├── scripts/                     # one-off scripts / smoke tests
+├── docs/                        # tutorials (planned, v0.2)
+├── README.md
+├── ARCHITECTURE.md              # this file
+├── LICENSE
+└── pyproject.toml
+```

dspy_security_bench-0.1.0/CITATION.cff

@@ -0,0 +1,28 @@
+cff-version: 1.2.0
+title: "dspy-security-bench: Measuring optimizer-induced robustness in agentic DSPy programs"
+authors:
+  - family-names: Ahamed
+    given-names: Imran
+    email: immu4989@gmail.com
+version: 0.1.0
+date-released: 2026-06-16
+license: Apache-2.0
+repository-code: "https://github.com/immu4989/dspy-security-bench"
+keywords:
+  - dspy
+  - agentdojo
+  - prompt-injection
+  - llm-security
+  - agent-evaluation
+  - robustness
+  - benchmark
+message: "If you use this benchmark in research or production, please cite as below."
+preferred-citation:
+  type: software
+  title: "dspy-security-bench"
+  authors:
+    - family-names: Ahamed
+      given-names: Imran
+  version: 0.1.0
+  year: 2026
+  url: "https://github.com/immu4989/dspy-security-bench"

dspy_security_bench-0.1.0/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer or computer malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Support. While redistributing the Work or
+      Derivative Works thereof, You may choose to offer, and charge a
+      fee for, acceptance of support, warranty, indemnity, or other
+      liability obligations and/or rights consistent with this License.
+      However, in accepting such obligations, You may act only on Your
+      own behalf and on Your sole responsibility, not on behalf of any
+      other Contributor, and only if You agree to indemnify, defend,
+      and hold each Contributor harmless for any liability incurred by,
+      or claims asserted against, such Contributor by reason of your
+      accepting any such warranty or support.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Imran Ahamed
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.