From 7c068a037b9ab0cdd9dfeef2e380dbf9222c6b97 Mon Sep 17 00:00:00 2001
From: PicoNVIDIA
Date: Fri, 1 May 2026 01:03:27 +0000
Subject: [PATCH] mod6: tone + accuracy fixes to agent_safety notebook lecture cells
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Targets the lecture (markdown) cells in code/6-agent-safety/agent_safety.ipynb and its answers twin. Code cells, exercises, and policy files are untouched.

Accuracy:
- Section 1: M4 framing — Module 4 is Agent Customization; the application-level controls (HITL, allowlists) come from M4's bash agent specifically, not from M4 as a whole.
- Section 1: drop "agent drift — static allowlists become stale" triple-em-dash in favor of a flatter sentence.
- Section 1 closing print: "OpenShell restricts the PATH, not the command" was inaccurate — Landlock restricts file access, not $PATH. Reworded.
- Section 2: name the actual kernel mechanisms (Landlock + seccomp) instead of the vague "enforces security at the kernel level".
- Section 3: Privacy Router routes prompts/documents the agent sends to a model, not "every piece of data the agent processes". Also drop the "Local Nemotron (designed to stay within your infrastructure)" framing — the router enforces locality, not the model. Drop "(for best performance)" framing on the public route.
- Cell 32: drop the unverifiable internal path `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`.
- Cell 34 workshop-arc table: M1-M3 weren't security layers; their column entries are now "—" so the layered story honestly starts at M4.

Tone:
- Cell 32 lede: "Everything you've built maps directly to NVIDIA's NemoClaw stack" was sales-y; reworded to "Each exercise mirrors a piece of...".
- Cell 34 closer: replaced "Each level of capability demands a corresponding level of security. Module 6 closes the loop: your autonomous agent is not just contained — it's evaluated, tested, and continuously verified" with a tighter version.

Items still open (not addressed in this commit, need your judgment):
1. OpenShell vs OpenClaw vs NemoClaw — relationship is never explained in the notebook; first-time readers can't tell what's the schema, runtime, or stack name.
2. External links in cell 34 (NVIDIA/NemoClaw, NVIDIA/OpenShell, docs.openclaw.ai) — verify these resolve before shipping.
3. Judge model id "nvidia/nemotron-3-super-120b-a12b" — confirm it resolves on integrate.api.nvidia.com (cells 24-26 silently fail otherwise).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../6-agent-safety/agent_safety.answers.ipynb | 33 ++++++++++++-------
 code/6-agent-safety/agent_safety.ipynb        | 33 ++++++++++++-------
 2 files changed, 42 insertions(+), 24 deletions(-)

diff --git a/code/6-agent-safety/agent_safety.answers.ipynb b/code/6-agent-safety/agent_safety.answers.ipynb
index e29f4c8..6558f56 100644
--- a/code/6-agent-safety/agent_safety.answers.ipynb
+++ b/code/6-agent-safety/agent_safety.answers.ipynb
@@ -91,12 +91,12 @@ "## Section 1: The Autonomous Agent Problem\n", "\n", "In Modules 4 and 5, you learned two layers of agent security:\n", - "- **M4**: Application-level controls — regex injection detection, command allowlists, HITL approval gates\n", + "- **M4**'s bash agent: application-level controls — regex injection detection, command allowlists, HITL approval gates\n", "- **M5**: Container isolation — Docker sandboxing with resource limits, no host mounts\n", "\n", "These are powerful, but they leave gaps for **always-on autonomous agents**:\n", "1. **No human awake**: HITL breaks when the agent runs overnight\n", - "2. **Agent drift**: The agent accumulates memory and evolves — static allowlists become stale\n", + "2. **Agent drift**: as the agent picks up new memory and tools, yesterday's allowlist no longer covers today's behavior\n", "3. **Mixed-sensitivity data**: Docker isolates the process but doesn't know which data should stay local vs. go to cloud\n", "\n", "Module 6 fills these gaps with **kernel-level enforcement** (OpenShell), **data sensitivity routing** (Privacy Router), and **continuous safety evaluation**." @@ -135,7 +135,7 @@ "print(m4_allowlist_check(\"cat /etc/passwd\", allowed)) # PASSES — cat is allowed!\n", "print(\"\\n⚠️ The allowlist blocks 'rm' but allows 'cat /etc/passwd'\")\n", "print(\" Application-level controls can't anticipate every dangerous argument.\")\n", - "print(\" Kernel-level enforcement (OpenShell) restricts the PATH, not the command.\")" + "print(\" Kernel-level enforcement (OpenShell) restricts what files the process can touch, not the command name.\")" ] }, { 
@@ -144,7 +144,7 @@ "source": [ "## Section 2: Policy Validation\n", "\n", - "OpenShell uses **declarative YAML policies** to enforce security at the kernel level. Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", + "OpenShell policies are YAML — the kernel does the enforcement (Landlock for filesystem, seccomp for syscalls). Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", "\n", "Let's look at a deliberately weak policy:" ] @@ -228,7 +228,16 @@ { "cell_type": "markdown", "metadata": {}, - "source": "## Section 3: Data Sensitivity Classification\n\nThe **Privacy Router** in NemoClaw classifies every piece of data the agent processes and routes it to the appropriate model:\n- **Restricted** (PII) → Local Nemotron (designed to stay within your infrastructure)\n- **Confidential** (proprietary) → Local Nemotron\n- **Public** → Cloud frontier models (for best performance)\n\nLet's look at the test corpus:" + "source": [ + "## Section 3: Data Sensitivity Classification\n", + "\n", + "The **Privacy Router** classifies each prompt or document the agent is about to send to a model and picks the right destination:\n", + "- **Restricted** (PII) → self-hosted Nemotron — keeps the data on your infrastructure\n", + "- **Confidential** (proprietary) → self-hosted Nemotron\n", + "- **Public** → cloud frontier models — performance over isolation\n", + "\n", + "Let's look at the test corpus:" + ] }, { "cell_type": "code", @@ -611,7 +620,7 @@ "source": [ "## Applying This to NemoClaw\n", "\n", - "Everything you've built maps directly to NVIDIA's NemoClaw stack:\n", + "Each exercise mirrors a piece of NVIDIA's NemoClaw stack — here's the mapping:\n", "\n", "| Your Exercise | NemoClaw Component | What It Does |\n", "|--------------|-------------------|-------------|\n", 
@@ -621,7 +630,7 @@ "| Exercise 4: LLM Safety Judge | **Safety Evaluation** | Structured scoring of agent behavior |\n", "| Exercise 5: Safety Suite | **NemoClaw Blueprint** | End-to-end safety pipeline |\n", "\n", - "The research assistant policy you validated (`research_assistant.yaml`) follows the same YAML schema as NemoClaw's `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`." + "The research assistant policy you validated (`research_assistant.yaml`) uses the same YAML schema as the policies shipped with the NemoClaw blueprint." ] }, { @@ -656,14 +665,14 @@ "\n", "| Module | What You Learned | Security Layer |\n", "|--------|-----------------|---------------|\n", - "| Module 1 | Build agents with ReAct | Tool selection |\n", - "| Module 2 | Extend with RAG and tools | Data access controls |\n", - "| Module 3 | Measure and evaluate | Adversarial test cases |\n", + "| Module 1 | Build agents with ReAct | — |\n", + "| Module 2 | Extend with RAG and tools | — |\n", + "| Module 3 | Measure and evaluate | — |\n", "| Module 4 | Customize through training | **Application-level** (HITL, allowlists) |\n", "| Module 5 | Deep agents + sandboxing | **Container-level** (Docker isolation) |\n", "| **Module 6** | **Agent safety evaluation** | **Kernel-level** (OpenShell) + **Data routing** (Privacy Router) |\n", "\n", - "Each level of capability demands a corresponding level of security. Module 6 closes the loop: your autonomous agent is not just contained — it's **evaluated, tested, and continuously verified**.\n", + "More autonomy needs more layers of containment. Module 6 closes the loop: your agent is contained *and* tested — not just one or the other.\n", "\n", "### What to Explore Next\n", "\n", @@ -697,4 +706,4 @@ }, "nbformat": 4, "nbformat_minor": 4 -} \ No newline at end of file +} diff --git a/code/6-agent-safety/agent_safety.ipynb b/code/6-agent-safety/agent_safety.ipynb index e29f4c8..6558f56 100644 --- a/code/6-agent-safety/agent_safety.ipynb 
+++ b/code/6-agent-safety/agent_safety.ipynb @@ -91,12 +91,12 @@ "## Section 1: The Autonomous Agent Problem\n", "\n", "In Modules 4 and 5, you learned two layers of agent security:\n", - "- **M4**: Application-level controls — regex injection detection, command allowlists, HITL approval gates\n", + "- **M4**'s bash agent: application-level controls — regex injection detection, command allowlists, HITL approval gates\n", "- **M5**: Container isolation — Docker sandboxing with resource limits, no host mounts\n", "\n", "These are powerful, but they leave gaps for **always-on autonomous agents**:\n", "1. **No human awake**: HITL breaks when the agent runs overnight\n", - "2. **Agent drift**: The agent accumulates memory and evolves — static allowlists become stale\n", + "2. **Agent drift**: as the agent picks up new memory and tools, yesterday's allowlist no longer covers today's behavior\n", "3. **Mixed-sensitivity data**: Docker isolates the process but doesn't know which data should stay local vs. go to cloud\n", "\n", "Module 6 fills these gaps with **kernel-level enforcement** (OpenShell), **data sensitivity routing** (Privacy Router), and **continuous safety evaluation**." @@ -135,7 +135,7 @@ "print(m4_allowlist_check(\"cat /etc/passwd\", allowed)) # PASSES — cat is allowed!\n", "print(\"\\n⚠️ The allowlist blocks 'rm' but allows 'cat /etc/passwd'\")\n", "print(\" Application-level controls can't anticipate every dangerous argument.\")\n", - "print(\" Kernel-level enforcement (OpenShell) restricts the PATH, not the command.\")" + "print(\" Kernel-level enforcement (OpenShell) restricts what files the process can touch, not the command name.\")" ] }, { 
@@ -144,7 +144,7 @@ "source": [ "## Section 2: Policy Validation\n", "\n", - "OpenShell uses **declarative YAML policies** to enforce security at the kernel level. Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", + "OpenShell policies are YAML — the kernel does the enforcement (Landlock for filesystem, seccomp for syscalls). Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", "\n", "Let's look at a deliberately weak policy:" ] @@ -228,7 +228,16 @@ { "cell_type": "markdown", "metadata": {}, - "source": "## Section 3: Data Sensitivity Classification\n\nThe **Privacy Router** in NemoClaw classifies every piece of data the agent processes and routes it to the appropriate model:\n- **Restricted** (PII) → Local Nemotron (designed to stay within your infrastructure)\n- **Confidential** (proprietary) → Local Nemotron\n- **Public** → Cloud frontier models (for best performance)\n\nLet's look at the test corpus:" + "source": [ + "## Section 3: Data Sensitivity Classification\n", + "\n", + "The **Privacy Router** classifies each prompt or document the agent is about to send to a model and picks the right destination:\n", + "- **Restricted** (PII) → self-hosted Nemotron — keeps the data on your infrastructure\n", + "- **Confidential** (proprietary) → self-hosted Nemotron\n", + "- **Public** → cloud frontier models — performance over isolation\n", + "\n", + "Let's look at the test corpus:" + ] }, { "cell_type": "code", @@ -611,7 +620,7 @@ "source": [ "## Applying This to NemoClaw\n", "\n", - "Everything you've built maps directly to NVIDIA's NemoClaw stack:\n", + "Each exercise mirrors a piece of NVIDIA's NemoClaw stack — here's the mapping:\n", "\n", "| Your Exercise | NemoClaw Component | What It Does |\n", "|--------------|-------------------|-------------|\n", 
@@ -621,7 +630,7 @@ "| Exercise 4: LLM Safety Judge | **Safety Evaluation** | Structured scoring of agent behavior |\n", "| Exercise 5: Safety Suite | **NemoClaw Blueprint** | End-to-end safety pipeline |\n", "\n", - "The research assistant policy you validated (`research_assistant.yaml`) follows the same YAML schema as NemoClaw's `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`." + "The research assistant policy you validated (`research_assistant.yaml`) uses the same YAML schema as the policies shipped with the NemoClaw blueprint." ] }, { @@ -656,14 +665,14 @@ "\n", "| Module | What You Learned | Security Layer |\n", "|--------|-----------------|---------------|\n", - "| Module 1 | Build agents with ReAct | Tool selection |\n", - "| Module 2 | Extend with RAG and tools | Data access controls |\n", - "| Module 3 | Measure and evaluate | Adversarial test cases |\n", + "| Module 1 | Build agents with ReAct | — |\n", + "| Module 2 | Extend with RAG and tools | — |\n", + "| Module 3 | Measure and evaluate | — |\n", "| Module 4 | Customize through training | **Application-level** (HITL, allowlists) |\n", "| Module 5 | Deep agents + sandboxing | **Container-level** (Docker isolation) |\n", "| **Module 6** | **Agent safety evaluation** | **Kernel-level** (OpenShell) + **Data routing** (Privacy Router) |\n", "\n", - "Each level of capability demands a corresponding level of security. Module 6 closes the loop: your autonomous agent is not just contained — it's **evaluated, tested, and continuously verified**.\n", + "More autonomy needs more layers of containment. Module 6 closes the loop: your agent is contained *and* tested — not just one or the other.\n", "\n", "### What to Explore Next\n", "\n", @@ -697,4 +706,4 @@ }, "nbformat": 4, "nbformat_minor": 4 -} \ No newline at end of file +}
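Review bot: in the `@@ -91,12 +91,12 @@` hunk of agent_safety.answers.ipynb, the new M4 bullet bolds only `**M4**` and leaves "'s bash agent" outside the bold, so it renders with an odd break and no longer parallels the `**M5**:` label on the next line. Suggest bolding the whole label, `**M4's bash agent**: application-level controls ...`, so both bullets read the same way.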
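Review bot: the replacement print line in the `@@ -135,7 +135,7 @@` hunk ("restricts what files the process can touch, not the command name") is only true under a policy that actually denies /etc/passwd; Landlock grants or denies file access according to the rules the policy declares, so a permissive policy lets `cat /etc/passwd` through exactly as the allowlist does. Suggest making that dependence explicit, e.g. "restricts which files the process may open, as declared in the policy, not the command name", so the cell does not read as if kernel enforcement alone closes the gap.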
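Review bot: the `@@ -144,7 +144,7 @@` hunk correctly names Landlock and seccomp, but it should also say that the filesystem side only exists on kernels that provide Landlock (Linux 5.13 and later); on an older kernel the YAML validates cleanly and nothing is enforced, which is exactly the kind of silent misconfiguration the next sentence says validation is meant to catch. Style point: the commit message says it is flattening em-dash constructions, yet this replacement line adds two.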
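Review bot: the three-route list in the `@@ -228,7 +228,16 @@` hunk has no default: it never says where a prompt goes when the classifier is unsure or returns no label. For a router whose job is keeping Restricted and Confidential data local, the safe default is the self-hosted route, and stating it here (a fourth bullet such as "Unclassified (or classifier error) → self-hosted Nemotron, fail closed") would set up the test corpus the cell then introduces. The source conversion from a single string to a list of strings is fine and matches the other markdown cells.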
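Review bot: the replacement sentence in the `@@ -621,7 +630,7 @@` hunk, "uses the same YAML schema as the policies shipped with the NemoClaw blueprint", is still an unreferenced claim; the commit message's own open item 1 says the notebook never explains how OpenShell, OpenClaw and NemoClaw relate, so a reader cannot verify it. Either link the blueprint's policy directory or soften to "is written against the same OpenShell policy schema", which the notebook can back on its own.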
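Review bot: the new closer in the `@@ -656,14 +665,14 @@` hunk drops "continuously", while the Section 1 cell in this same patch promises "continuous safety evaluation" as the third Module 6 contribution; suggest "your agent is contained *and* continuously tested" so the two cells agree. Also, a bare "—" in the Security Layer cells for Modules 1-3 renders as an empty-looking cell; "(none)" states what the commit message intends, that the layered story starts at Module 4.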
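Review bot: in the second file's `@@ -91,12 +91,12 @@` hunk the file header carries the same blob ids as the first, `index e29f4c8..6558f56`, which means agent_safety.answers.ipynb and agent_safety.ipynb are byte-identical both before and after this commit. Either the answers twin has never had the answers filled in, or one of the two files is a stale copy; worth confirming before shipping, since the identical 33-line diffstat per file hides it.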