mirror of
https://github.com/microsoft/agent-framework.git
synced 2026-06-16 21:04:09 +08:00
14d779c0fb
* updated import naming and comment from review * Add approval replay None call-id test Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
85 lines
3.0 KiB
Markdown
85 lines
3.0 KiB
Markdown
# FIDES security samples
|
|
|
|
This folder contains two runnable FIDES samples that use
|
|
`agent_framework.foundry.FoundryChatClient`. Keep this README as the quick
|
|
entry point for choosing and running a sample; use
|
|
[FIDES_DEVELOPER_GUIDE.md](FIDES_DEVELOPER_GUIDE.md) for the architecture,
|
|
security model, middleware behavior, and API reference.
|
|
|
|
## What each sample demonstrates
|
|
|
|
| Sample | Focus | Demonstrates |
|
|
|--------|-------|--------------|
|
|
| `email_security_example.py` | Prompt injection defense | `SecureAgentConfig`, Foundry-backed email handling, `quarantined_llm`, and approval on policy violations |
|
|
| `repo_confidentiality_example.py` | Data exfiltration prevention | Confidentiality labels, Foundry-backed repository access, `max_allowed_confidentiality`, and approval before leaking private data |
|
|
|
|
## Prerequisites
|
|
|
|
Run these samples from the `python/` directory with the repo development
|
|
environment available.
|
|
|
|
- Azure CLI authentication: `az login`
|
|
- `FOUNDRY_PROJECT_ENDPOINT` set in your environment
|
|
- `FOUNDRY_MODEL` set in your environment for the main agent deployment
|
|
- Local dev environment installed (for example, `uv sync --dev`)
|
|
|
|
Both samples use `FOUNDRY_MODEL` for the main agent and keep the quarantine
|
|
client pinned to `gpt-4o-mini`.
|
|
|
|
## Suppressing the experimental warning
|
|
|
|
The FIDES APIs in these samples are still experimental. Each sample includes a
|
|
short commented `warnings.filterwarnings(...)` snippet near the imports.
|
|
Uncomment it if you want to suppress the FIDES warning before using the
|
|
experimental APIs locally.
|
|
|
|
## Running the samples
|
|
|
|
### `email_security_example.py`
|
|
|
|
This sample simulates an inbox containing trusted and untrusted emails,
|
|
including prompt-injection attempts that try to force a privileged `send_email`
|
|
tool call.
|
|
|
|
Run it with:
|
|
|
|
```bash
|
|
uv run samples/02-agents/security/email_security_example.py --cli
|
|
uv run samples/02-agents/security/email_security_example.py --devui
|
|
```
|
|
|
|
What to look for:
|
|
|
|
- Untrusted email bodies are handled through the FIDES security flow
|
|
- `quarantined_llm` processes hidden content in isolation
|
|
- DevUI requests approval if the agent tries a blocked privileged action
|
|
|
|
### `repo_confidentiality_example.py`
|
|
|
|
This sample simulates a public issue that tries to trick the agent into reading
|
|
private repository secrets and posting them to a public channel.
|
|
|
|
Run it with:
|
|
|
|
```bash
|
|
uv run samples/02-agents/security/repo_confidentiality_example.py --cli
|
|
uv run samples/02-agents/security/repo_confidentiality_example.py --devui
|
|
```
|
|
|
|
What to look for:
|
|
|
|
- Reading public content keeps the context public
|
|
- Reading private content taints the context as private
|
|
- Posting private data to a public destination triggers an approval request
|
|
|
|
## Where to find the details
|
|
|
|
For the full FIDES design and API details, see
|
|
[FIDES_DEVELOPER_GUIDE.md](FIDES_DEVELOPER_GUIDE.md), which covers:
|
|
|
|
- integrity and confidentiality labels
|
|
- label propagation and auto-hiding behavior
|
|
- policy enforcement middleware
|
|
- security tools such as `quarantined_llm` and `inspect_variable`
|
|
- `SecureAgentConfig` and manual integration patterns
|