Build and maintain a Docker-based OpenClaw benchmark framework for ClawSecBench cases, using Python as the orchestration layer.
Chosen runtime mode:
- Containerized Gateway
- Official OpenClaw Docker image via generated Docker Compose
- OpenAI-compatible HTTP execution against the containerized Gateway
- Host-mounted per-case OpenClaw root and workspace
- autobench/
- init.py
- case_ids.py
- models.py
- settings.py
- case_loader.py
- runtime_support.py
- runtime_provisioner.py
- fixture_builder.py
- conversation_driver.py
- evidence_collector.py
- evaluation_records.py
- evaluator.py
- reporter.py
- pipeline.py
- cli.py
- path_utils.py
- configs/
- baseline.json
- docs/
- schema.md
- schema-lite.md
- Case Loader
- File: autobench/case_loader.py
- Responsibility: load and filter case files, validate schema, parse to typed models, validate prompt placeholders, reject inline skill fixtures that collide with bundled skill snapshot names, and detect mixed overlap.
- Runtime Provisioner
- File: autobench/runtime_provisioner.py
- Responsibility: create per-case runtime directories, generate official OpenClaw config and compose.yaml, apply configured per-container resource limits, start/stop one gateway container per case with docker compose, wait for health, and clean per-case
openclaw-state/plugin-runtime-depscache artifacts during teardown.
- Fixture Builder
- File: autobench/fixture_builder.py
- Responsibility: materialize file/document/web/inline-skill fixtures according to the virtual-root conventions
$WORKSPACE/...,$OPENCLAW_STATE/...,$HOME/..., and$SYSTEM/..., and produce snapshots. OpenClaw-doc-aligned defaults putMEMORY.md,AGENTS.md,SOUL.md, andIDENTITY.mdunder$WORKSPACE/..., runtime-state files such asopenclaw.jsonunder$OPENCLAW_STATE/..., user-home files under$HOME/..., and controlled absolute system paths under$SYSTEM/.... Web fixtures now distinguishaccess: publicversusaccess: private; public web fixtures leave the declared external URL untouched, while private web fixtures are defined in schema but are not yet implemented by the current runtime. Skill fixtures split into runtime-disabled metadata-onlyreferenceentries and explicitinlinefile lists materialized by target path.
- Conversation Driver
- File: autobench/conversation_driver.py
- Responsibility: drive case turns through OpenAI-compatible endpoint using agent target plus x-openclaw-model, resolve fixture placeholders into runtime-visible container paths, and persist traces.
- Evidence Collector
- File: autobench/evidence_collector.py
- Responsibility: collect final reply, OpenClaw session diagnostics from trajectory artifacts, structured command events plus log hints, file snapshots before/after.
- Evaluator
- File: autobench/evaluator.py
- Responsibility: evaluate success_judge or success_checks, evaluate refusal_check, compute A/B/R, and map outcome by sample type.
- Reporter
- File: autobench/reporter.py
- Responsibility: aggregate run results and emit summary plus markdown report.
Support utility: Evaluation Record Helpers
- File: autobench/evaluation_records.py
- Responsibility: shared evaluation artifact parsing and outcome classification helpers (
failed/skipped/ resume-reusable) reused by pipeline resume logic and reporter summary/report rebuild logic.
Pipeline integration:
- File: autobench/pipeline.py
- Orchestrates all seven modules end-to-end.
CLI entry:
- File: autobench/cli.py
- Runs pipeline with config and filters.
- End-to-end skeleton from case loading to report generation.
- Per-run output directory under outputs/runs/<run_id>/.
- Per-case runtime directory under outputs/runs/<run_id>/cases/case-/.
- Runtime config generation via config merge strategy.
- Generated docker compose runtime using official ghcr.io/openclaw/openclaw image.
- Compose runtime uses Docker's shared
bridgenetwork instead of per-case project networks, avoiding default IPv4 subnet pool exhaustion during large runs. - Runtime config supports per-container compose resource limits; baseline config currently pins CPU, memory, and PID limits for each gateway container.
- Generated OpenClaw config sets
agents.defaults.skipBootstrap=trueso official first-run bootstrap files do not hijack benchmark turns. - Generated OpenClaw config sets
plugins.enabled=falseby default because the benchmark runtime does not currently depend on bundled plugins, and disabling them avoidsplugin-runtime-depscold-start work. Plugin-dependent cases can still opt back in through$OPENCLAW_STATE/openclaw.jsonoverlays. - Generated gateway containers export
OPENCLAW_SKIP_CHANNELS=1by default so benchmark startup skips channel/provider warmup; this materially reducesreadyzlatency for current non-plugin benchmark cases. Cases that truly depend on channel startup need an explicit runtime override. - Host-side readiness probes now bypass host proxy variables for local gateway URLs, because inherited
ALL_PROXY/HTTP_PROXYcan otherwise make127.0.0.1health checks appear tens of seconds slower than the container actually is. - Per-case containerized execution is the default runtime isolation model.
- File/document fixture authoring standard uses virtual roots:
$WORKSPACE/...for case workspace files and agent workspace files such asMEMORY.md,AGENTS.md,SOUL.md, andIDENTITY.md;$OPENCLAW_STATE/...for runtime-state files such asopenclaw.json;$HOME/...for user-home files such as~/.ssh/config;$SYSTEM/...for controlled absolute system paths such as/etc/passwd. - Schema-valid but runtime-unsupported cases are skipped explicitly before provisioning. Current skip codes include
reset_each_turn,private_web, andskill_reference; they are counted in summary/report asskipped_unsupportedinstead of aborting the run. - CLI
--drymode only loads and validates cases, including unsupported-runtime detection, and writesrun_manifest.jsonpluscase.mdwithout provisioning containers or generating execution artifacts. CLI--report-onlyrebuildssummary.jsonandreport.mdfrom existing per-case evaluation artifacts. - Default run behavior now supports same-run-id resume: cases with existing non-failed/non-skipped evaluation artifacts are reused and skipped;
runtime_error/skipped_unsupported/missing-or-invalid artifacts are rerun. - Benchmark execution supports case-level parallelism via
concurrency; runtime ports are always auto-published by Docker on localhost and resolved after startup. - CLI
--keep-runtimeis debug-only: it keeps only the last supported case runtime and requiresconcurrency=1. - Provider base URL, model, API key env, gateway image, port, and gateway token env are config-defined and CLI-overridable.
- json_value checker is implemented for deterministic JSON path contains/equals checks.
- command_executed evidence collection reads structured JSON/JSONL events and falls back to log line hints.
- command_executed checks support regex pattern matching and structured command + args_contains matching.
- success_judge is the default A/B evaluation path; explicit success_checks mode remains available for deterministic-authoritative cases.
- Ambiguous textual attack-success checks can still fall back to LLM judge with cache when a case explicitly uses success_checks mode.
- R remains an A/B/R outcome dimension and is now evaluated by LLM judge from attack.refusal_check.accepted_reasons.
- Initial A/B/R logic with sample_type-specific outcome mapping.
- One baseline config template for benchmark runs.
Gap A: OpenClaw config fidelity
- Current config follows the official Gateway shape used by the latest Docker docs, but still needs validation against the exact OpenClaw image version selected for a run.
- Next: pin image versions/digests and validate generated openclaw.json against that runtime.
Gap B: command_executed evidence robustness
- Current implementation parses generic structured JSON/JSONL command fields plus log hints, and can validate exact executable plus required arguments.
- Next: align extractors to authoritative OpenClaw tool/session event schema.
Gap C: reply_llm_judge
- LLM judge adapter and cache are implemented for success_judge, explicit reply_llm_judge compatibility, ambiguous textual success fallback in success_checks mode, and attack.refusal_check R evaluation.
- Next: pin a dedicated judge model/config and expand judge policy coverage.
Gap D: json_value check
- Implemented dotted JSON path plus array index extraction with equals/contains.
- Next: add stricter JSONPath coverage if cases require it.
Gap E: runtime CLI behavior
- Current implementation calls chat endpoint directly.
- Next: add explicit container CLI execution mode for parity tests.
- Use the repo-local virtualenv interpreter for routine commands.
Preferred commands:
-
make test-PYTHONPATH=. ./.venv/bin/python -m unittest discover -s tests-PYTHONPATH=. ./.venv/bin/python -m autobench.cli --config configs/baseline.json --cases-dir cases-v1 --output-root outputs(usecases-v2for the symlink extension cases) If.venvis missing, create it withpython3 -m venv .venvand installrequirements.txt. - Set provider API key env variable and gateway token env variable required by the selected config. Example: DASHSCOPE_API_KEY and OPENCLAW_GATEWAY_TOKEN.
- Run tests before handoff when code changes may affect framework behavior.
4. Execute CLI:
PYTHONPATH=. ./.venv/bin/python -m autobench.cli --config configs/baseline.json --cases-dir cases-v1 --output-root outputs(usecases-v2for the symlink extension cases) 5. If debug runs leave gateway containers behind, usemake stop-dockerto remove benchmark-createdautobench-gateway-*containers and legacyautobench-*Docker networks.
Optional filters:
- --case-id 41 --case-id 47
- --run-id run-adhoc-001
- --dry
- --report-only --run-id run-adhoc-001
- --keep-runtime
- --provider-base-url https://example.test/v1
- --provider-model dashscope/qwen3.6-plus
- --provider-api-key-env DASHSCOPE_API_KEY
- --gateway-image ghcr.io/openclaw/openclaw:2026.4.24
- --gateway-token-env OPENCLAW_GATEWAY_TOKEN
Before handoff, ensure:
- Pipeline can run at least one benign case and one attack case.
- Generated outputs include trace, evidence, evaluation, summary, report.
- AGENTS.md updated with changed module responsibilities.
- README.md updated if local environment, test workflow, or run procedure changes.
- docs/schema.md or docs/schema-lite.md updated if schema expectations or authoring rules change.
- Keep one module one responsibility.
- Do not place all logic in pipeline.py.
- Add tests for any new check type implementation.
- Preserve backward compatibility for result schema unless versioned.
P0:
- Validate generated OpenClaw config against the selected official image and pin image tags/digests for benchmark runs.
- Align command_executed extraction to authoritative OpenClaw event schema.
P1:
- Pin a dedicated reply_llm_judge model/config and expand judge policy coverage.
P2:
- Add config comparison command and leaderboard export.
- Add retry and timeout policies per case and per turn.