33 changes: 21 additions & 12 deletions code/6-agent-safety/agent_safety.answers.ipynb
@@ -91,12 +91,12 @@
"## Section 1: The Autonomous Agent Problem\n",
"\n",
"In Modules 4 and 5, you learned two layers of agent security:\n",
"- **M4**: Application-level controls — regex injection detection, command allowlists, HITL approval gates\n",
"- **M4**'s bash agent: application-level controls — regex injection detection, command allowlists, HITL approval gates\n",
"- **M5**: Container isolation — Docker sandboxing with resource limits, no host mounts\n",
"\n",
"These are powerful, but they leave gaps for **always-on autonomous agents**:\n",
"1. **No human awake**: HITL breaks when the agent runs overnight\n",
"2. **Agent drift**: The agent accumulates memory and evolves — static allowlists become stale\n",
"2. **Agent drift**: as the agent picks up new memory and tools, yesterday's allowlist no longer covers today's behavior\n",
"3. **Mixed-sensitivity data**: Docker isolates the process but doesn't know which data should stay local vs. go to cloud\n",
"\n",
"Module 6 fills these gaps with **kernel-level enforcement** (OpenShell), **data sensitivity routing** (Privacy Router), and **continuous safety evaluation**."
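Review bot: the bullet labels are now asymmetric: the first item reads **M4**'s bash agent while the second still reads **M5**: Container isolation; either rename the second to match (for example **M5**'s sandboxed agent) or keep the short **M4**: form. In the numbered list, item 2 now starts lowercase ("as the agent picks up new memory and tools") while items 1 and 3 start with a capital; capitalize it for consistency. The reworded drift item itself is an improvement, since it names the cause (new memory and tools) instead of the vague "evolves".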
@@ -135,7 +135,7 @@
"print(m4_allowlist_check(\"cat /etc/passwd\", allowed)) # PASSES — cat is allowed!\n",
"print(\"\\n⚠️ The allowlist blocks 'rm' but allows 'cat /etc/passwd'\")\n",
"print(\" Application-level controls can't anticipate every dangerous argument.\")\n",
"print(\" Kernel-level enforcement (OpenShell) restricts the PATH, not the command.\")"
"print(\" Kernel-level enforcement (OpenShell) restricts what files the process can touch, not the command name.\")"
]
},
{
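Review bot: the new message is more accurate than "restricts the PATH" (which read as the $PATH variable), but it only holds if the policy actually denies /etc; a kernel-level policy that grants read access to /etc would pass `cat /etc/passwd` exactly as the allowlist did. Suggest making the string say that the restriction comes from the policy's file rules, for example "restricts which paths the process can open, so the policy decides, not the command name", so learners do not read "kernel-level" as automatically safe. Keep the mechanism wording in sync with Section 2, which names both file and syscall enforcement.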
@@ -144,7 +144,7 @@
"source": [
"## Section 2: Policy Validation\n",
"\n",
"OpenShell uses **declarative YAML policies** to enforce security at the kernel level. Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n",
"OpenShell policies are YAML — the kernel does the enforcement (Landlock for filesystem, seccomp for syscalls). Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n",
"\n",
"Let's look at a deliberately weak policy:"
]
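Review bot: the new sentence states as fact that OpenShell enforces via Landlock (filesystem) and seccomp (syscalls); this is the first place either term appears in the notebook, so add a link to OpenShell's documentation for the claim and a one-line gloss of each so the validation exercise that follows can refer back to them. Also, "the kernel does the enforcement" followed by "we need to validate it programmatically" leaves the distinction implicit: validation here checks the YAML for misconfiguration, it does not check that the running kernel supports those features; one clause saying so would stop learners from treating a passing validation as proof of enforcement.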
@@ -228,7 +228,16 @@
{
"cell_type": "markdown",
"metadata": {},
"source": "## Section 3: Data Sensitivity Classification\n\nThe **Privacy Router** in NemoClaw classifies every piece of data the agent processes and routes it to the appropriate model:\n- **Restricted** (PII) → Local Nemotron (designed to stay within your infrastructure)\n- **Confidential** (proprietary) → Local Nemotron\n- **Public** → Cloud frontier models (for best performance)\n\nLet's look at the test corpus:"
"source": [
"## Section 3: Data Sensitivity Classification\n",
"\n",
"The **Privacy Router** classifies each prompt or document the agent is about to send to a model and picks the right destination:\n",
"- **Restricted** (PII) → self-hosted Nemotron — keeps the data on your infrastructure\n",
"- **Confidential** (proprietary) → self-hosted Nemotron\n",
"- **Public** → cloud frontier models — performance over isolation\n",
"\n",
"Let's look at the test corpus:"
]
},
{
"cell_type": "code",
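Review bot: switching this cell's source from a single string to a list of lines matches the other markdown cells in the file and gives line-level diffs; good. On wording, the Restricted bullet now says self-hosted Nemotron "keeps the data on your infrastructure", which is stronger than the removed "designed to stay within your infrastructure": routing a prompt to a local model keeps that prompt local, but nothing in the router stops the agent's other tools from sending the same data elsewhere. Suggest "so the prompt itself never leaves your infrastructure", or restoring the hedge. The Public bullet's "performance over isolation" is a compact statement of the trade-off and reads well.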
@@ -611,7 +620,7 @@
"source": [
"## Applying This to NemoClaw\n",
"\n",
"Everything you've built maps directly to NVIDIA's NemoClaw stack:\n",
"Each exercise mirrors a piece of NVIDIA's NemoClaw stack — here's the mapping:\n",
"\n",
"| Your Exercise | NemoClaw Component | What It Does |\n",
"|--------------|-------------------|-------------|\n",
@@ -621,7 +630,7 @@
"| Exercise 4: LLM Safety Judge | **Safety Evaluation** | Structured scoring of agent behavior |\n",
"| Exercise 5: Safety Suite | **NemoClaw Blueprint** | End-to-end safety pipeline |\n",
"\n",
"The research assistant policy you validated (`research_assistant.yaml`) follows the same YAML schema as NemoClaw's `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`."
"The research assistant policy you validated (`research_assistant.yaml`) uses the same YAML schema as the policies shipped with the NemoClaw blueprint."
]
},
{
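Review bot: replacing the concrete path `nemoclaw-blueprint/policies/openclaw-sandbox.yaml` with "the policies shipped with the NemoClaw blueprint" loses the pointer a learner needs to compare schemas. If the path was removed because it may change, link to the blueprint repository's policies directory instead, or keep the filename with a note that it may move; someone who has just validated `research_assistant.yaml` will want to diff it against a real shipped policy.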
@@ -656,14 +665,14 @@
"\n",
"| Module | What You Learned | Security Layer |\n",
"|--------|-----------------|---------------|\n",
"| Module 1 | Build agents with ReAct | Tool selection |\n",
"| Module 2 | Extend with RAG and tools | Data access controls |\n",
"| Module 3 | Measure and evaluate | Adversarial test cases |\n",
"| Module 1 | Build agents with ReAct | |\n",
"| Module 2 | Extend with RAG and tools | |\n",
"| Module 3 | Measure and evaluate | |\n",
"| Module 4 | Customize through training | **Application-level** (HITL, allowlists) |\n",
"| Module 5 | Deep agents + sandboxing | **Container-level** (Docker isolation) |\n",
"| **Module 6** | **Agent safety evaluation** | **Kernel-level** (OpenShell) + **Data routing** (Privacy Router) |\n",
"\n",
"Each level of capability demands a corresponding level of security. Module 6 closes the loop: your autonomous agent is not just containedit's **evaluated, tested, and continuously verified**.\n",
"More autonomy needs more layers of containment. Module 6 closes the loop: your agent is contained *and* testednot just one or the other.\n",
"\n",
"### What to Explore Next\n",
"\n",
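Review bot: the Security Layer cells for Modules 1 to 3 are now blank, which reads as an omission rather than a deliberate "no security layer yet". Either put an explicit placeholder such as `—` or `(none)` in those cells, or add a sentence under the table saying that the security layers begin at Module 4. The closing sentence also drops "continuously verified", which is the part of Module 6 that the Section 1 cell promises ("continuous safety evaluation"); suggest "contained *and* continuously tested" so the summary matches the module's framing.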
@@ -697,4 +706,4 @@
},
"nbformat": 4,
"nbformat_minor": 4
}
}
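Review bot: this final hunk shows only the closing `}` changing, i.e. a trailing-newline change at end of file. It is harmless, but it will reappear on every edit until the editor and the repository agree on one convention, so pick one and normalize both notebooks in the same commit rather than letting it ride along with content changes.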
33 changes: 21 additions & 12 deletions code/6-agent-safety/agent_safety.ipynb
@@ -91,12 +91,12 @@
"## Section 1: The Autonomous Agent Problem\n",
"\n",
"In Modules 4 and 5, you learned two layers of agent security:\n",
"- **M4**: Application-level controls — regex injection detection, command allowlists, HITL approval gates\n",
"- **M4**'s bash agent: application-level controls — regex injection detection, command allowlists, HITL approval gates\n",
"- **M5**: Container isolation — Docker sandboxing with resource limits, no host mounts\n",
"\n",
"These are powerful, but they leave gaps for **always-on autonomous agents**:\n",
"1. **No human awake**: HITL breaks when the agent runs overnight\n",
"2. **Agent drift**: The agent accumulates memory and evolves — static allowlists become stale\n",
"2. **Agent drift**: as the agent picks up new memory and tools, yesterday's allowlist no longer covers today's behavior\n",
"3. **Mixed-sensitivity data**: Docker isolates the process but doesn't know which data should stay local vs. go to cloud\n",
"\n",
"Module 6 fills these gaps with **kernel-level enforcement** (OpenShell), **data sensitivity routing** (Privacy Router), and **continuous safety evaluation**."
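Review bot: this hunk is byte-identical to the one in code/6-agent-safety/agent_safety.answers.ipynb, and the same points apply: the asymmetric labels (**M4**'s bash agent versus **M5**:) and the lowercase start of item 2 ("as the agent picks up"). Since every markdown cell in this PR is duplicated across the student and answers notebooks, consider generating one from the other (strip the answer cells from the answers notebook) so the two cannot drift apart in future edits.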
@@ -135,7 +135,7 @@
"print(m4_allowlist_check(\"cat /etc/passwd\", allowed)) # PASSES — cat is allowed!\n",
"print(\"\\n⚠️ The allowlist blocks 'rm' but allows 'cat /etc/passwd'\")\n",
"print(\" Application-level controls can't anticipate every dangerous argument.\")\n",
"print(\" Kernel-level enforcement (OpenShell) restricts the PATH, not the command.\")"
"print(\" Kernel-level enforcement (OpenShell) restricts what files the process can touch, not the command name.\")"
]
},
{
@@ -144,7 +144,7 @@
"source": [
"## Section 2: Policy Validation\n",
"\n",
"OpenShell uses **declarative YAML policies** to enforce security at the kernel level. Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n",
"OpenShell policies are YAML — the kernel does the enforcement (Landlock for filesystem, seccomp for syscalls). Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n",
"\n",
"Let's look at a deliberately weak policy:"
]
@@ -228,7 +228,16 @@
{
"cell_type": "markdown",
"metadata": {},
"source": "## Section 3: Data Sensitivity Classification\n\nThe **Privacy Router** in NemoClaw classifies every piece of data the agent processes and routes it to the appropriate model:\n- **Restricted** (PII) → Local Nemotron (designed to stay within your infrastructure)\n- **Confidential** (proprietary) → Local Nemotron\n- **Public** → Cloud frontier models (for best performance)\n\nLet's look at the test corpus:"
"source": [
"## Section 3: Data Sensitivity Classification\n",
"\n",
"The **Privacy Router** classifies each prompt or document the agent is about to send to a model and picks the right destination:\n",
"- **Restricted** (PII) → self-hosted Nemotron — keeps the data on your infrastructure\n",
"- **Confidential** (proprietary) → self-hosted Nemotron\n",
"- **Public** → cloud frontier models — performance over isolation\n",
"\n",
"Let's look at the test corpus:"
]
},
{
"cell_type": "code",
@@ -611,7 +620,7 @@
"source": [
"## Applying This to NemoClaw\n",
"\n",
"Everything you've built maps directly to NVIDIA's NemoClaw stack:\n",
"Each exercise mirrors a piece of NVIDIA's NemoClaw stack — here's the mapping:\n",
"\n",
"| Your Exercise | NemoClaw Component | What It Does |\n",
"|--------------|-------------------|-------------|\n",
@@ -621,7 +630,7 @@
"| Exercise 4: LLM Safety Judge | **Safety Evaluation** | Structured scoring of agent behavior |\n",
"| Exercise 5: Safety Suite | **NemoClaw Blueprint** | End-to-end safety pipeline |\n",
"\n",
"The research assistant policy you validated (`research_assistant.yaml`) follows the same YAML schema as NemoClaw's `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`."
"The research assistant policy you validated (`research_assistant.yaml`) uses the same YAML schema as the policies shipped with the NemoClaw blueprint."
]
},
{
@@ -656,14 +665,14 @@
"\n",
"| Module | What You Learned | Security Layer |\n",
"|--------|-----------------|---------------|\n",
"| Module 1 | Build agents with ReAct | Tool selection |\n",
"| Module 2 | Extend with RAG and tools | Data access controls |\n",
"| Module 3 | Measure and evaluate | Adversarial test cases |\n",
"| Module 1 | Build agents with ReAct | |\n",
"| Module 2 | Extend with RAG and tools | |\n",
"| Module 3 | Measure and evaluate | |\n",
"| Module 4 | Customize through training | **Application-level** (HITL, allowlists) |\n",
"| Module 5 | Deep agents + sandboxing | **Container-level** (Docker isolation) |\n",
"| **Module 6** | **Agent safety evaluation** | **Kernel-level** (OpenShell) + **Data routing** (Privacy Router) |\n",
"\n",
"Each level of capability demands a corresponding level of security. Module 6 closes the loop: your autonomous agent is not just containedit's **evaluated, tested, and continuously verified**.\n",
"More autonomy needs more layers of containment. Module 6 closes the loop: your agent is contained *and* testednot just one or the other.\n",
"\n",
"### What to Explore Next\n",
"\n",
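Review bot: the blank Security Layer cells for Modules 1 to 3 and the dropped "continuously verified" are the same issues as in the answers notebook; whichever wording lands there should be applied to this file in the same commit, since the student notebook is the one learners open first and a mismatch between the two summaries is confusing.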
@@ -697,4 +706,4 @@
},
"nbformat": 4,
"nbformat_minor": 4
}
}