* Python: Information-flow control based prompt injection defense (#5024)
  * fides integration
  * documentation
  * documentation
  * documentation
  * human-approval on policy violation
  * numenous hyena 'works'
  * IFC based implementation
  * minor edits in documentation
  * rebasing the branch and running the email example
  * Add security tests for IFC middleware
  * Fix Role.TOOL NameError in approval handling
  * tiered labelling scheme
  * 3 tier labelling scheme in middleware
  * Adapt security middleware to list[Content] tool results
  * Refactor SecureAgentConfig as context provider and address Copilot review comments
  * Update FIDES docs to reflect context provider pattern and update code for ContextProvider rename
  * Fix security examples: use OpenAIChatClient instead of non-existent AzureOpenAIChatClient
  * Address PR review: consolidate security modules, remove ContentLineage, update docs
  * remove unrelated files
  * remove comment from _tools.py and rename decision file
  * Fix CI failures: Bandit B110, broken md links, hosted approval passthrough
  * apply template to decision doc 0024
  * minor fixes to decision doc 0024

  ---------

  Co-authored-by: Aashish <t-akolluri@microsoft.com>
* Python: follow up FIDES security flow (#5330)
  * Python: follow up FIDES security flow

    Refine the secure approval path, mark the security classes with the FIDES experimental feature label, and clean up the related docs/tests. Also fix workspace-level validation regressions uncovered while running the full Python check suite.

    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
  * Python: remove FIDES GitHub MCP sample

    Drop the GitHub MCP security sample from the FIDES follow-up branch while keeping the remaining security docs and samples intact.

    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

  ---------

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Address PR review: fix paths and update FIDES implementation (#5352)
* Python: updated import naming and comment from review (#5421)
  * updated import naming and comment from review
  * Add approval replay None call-id test

    Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

  ---------

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
* Python: Address PR 5331 comments and track session while calling Agent in email_security_example (#5446)
  * Address PR review: fix paths and update FIDES implementation
  * Address PR comments and add session tracking in email example in samples
  * Fix session creation and resolve merge conflict in docstring example
  * Resolve merge conflict in docstring example
* Python: add test for empty-message pruning in approval result replacement (#5617)

  Adds test coverage for the second-pass logic in `_replace_approval_contents_with_results` that removes messages whose `contents` list becomes empty after first-pass content removal.

  Addresses review comment on PR #5331: https://github.com/microsoft/agent-framework/pull/5331#discussion_r3129039445

  Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: shrutitople <shruti.tople@gmail.com>
Co-authored-by: Aashish <t-akolluri@microsoft.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
# FIDES security samples

This folder contains two runnable FIDES samples that use
`agent_framework.foundry.FoundryChatClient`. Keep this README as the quick
entry point for choosing and running a sample; use
[FIDES_DEVELOPER_GUIDE.md](FIDES_DEVELOPER_GUIDE.md) for the architecture,
security model, middleware behavior, and API reference.
## What each sample demonstrates

| Sample | Focus | Demonstrates |
|---|---|---|
| `email_security_example.py` | Prompt injection defense | `SecureAgentConfig`, Foundry-backed email handling, `quarantined_llm`, and approval on policy violations |
| `repo_confidentiality_example.py` | Data exfiltration prevention | Confidentiality labels, Foundry-backed repository access, `max_allowed_confidentiality`, and approval before leaking private data |
## Prerequisites

Run these samples from the `python/` directory with the repo development
environment available.

- Azure CLI authentication: `az login`
- `FOUNDRY_PROJECT_ENDPOINT` set in your environment
- `FOUNDRY_MODEL` set in your environment for the main agent deployment
- Local dev environment installed (for example, `uv sync --dev`)

Both samples use `FOUNDRY_MODEL` for the main agent and keep the quarantine
client pinned to `gpt-4o-mini`.
## Suppressing the experimental warning

The FIDES APIs in these samples are still experimental. Each sample includes a
short commented `warnings.filterwarnings(...)` snippet near the imports.
Uncomment it if you want to suppress the FIDES warning before using the
experimental APIs locally.
## Running the samples

### email_security_example.py

This sample simulates an inbox containing trusted and untrusted emails,
including prompt-injection attempts that try to force a privileged `send_email`
tool call.

Run it with:

```shell
uv run samples/02-agents/security/email_security_example.py --cli
uv run samples/02-agents/security/email_security_example.py --devui
```

What to look for:

- Untrusted email bodies are handled through the FIDES security flow
- `quarantined_llm` processes hidden content in isolation
- DevUI requests approval if the agent tries a blocked privileged action
### repo_confidentiality_example.py

This sample simulates a public issue that tries to trick the agent into reading
private repository secrets and posting them to a public channel.

Run it with:

```shell
uv run samples/02-agents/security/repo_confidentiality_example.py --cli
uv run samples/02-agents/security/repo_confidentiality_example.py --devui
```

What to look for:

- Reading public content keeps the context public
- Reading private content taints the context as private
- Posting private data to a public destination triggers an approval request
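The two "What to look for" lists above describe the same information-flow rules from two angles: the email sample is about integrity (untrusted input must not drive a privileged tool), the repository sample is about confidentiality (private data must not flow to a public sink). The following is an added, self-contained model of those rules written for this README; it is not the FIDES middleware or any `agent_framework` API. The lattice tiers, the `SecurityContext` class, and the scenario inputs are assumptions constructed to reproduce the behavior listed above, so the real middleware's labels, method names and approval mechanics will differ.

```python
"""Toy information-flow-control model (constructed for illustration; not the
agent_framework FIDES implementation). A context label is joined with every
tool result the agent observes, and a policy check runs before each tool
call. A ``Decision`` with ``allowed=False`` stands in for "hold for human
approval"."""
from dataclasses import dataclass, field
from typing import List, Optional
from enum import IntEnum


class Confidentiality(IntEnum):
    """Three-tier confidentiality lattice; higher means more restricted."""
    PUBLIC = 0
    INTERNAL = 1
    PRIVATE = 2


class Integrity(IntEnum):
    """Two-tier integrity lattice; lower means less trusted."""
    UNTRUSTED = 0
    TRUSTED = 1


@dataclass(frozen=True)
class Label:
    confidentiality: Confidentiality = Confidentiality.PUBLIC
    integrity: Integrity = Integrity.TRUSTED

    def join(self, other: "Label") -> "Label":
        """Least upper bound: combined data is as secret as the most secret
        input and only as trusted as the least trusted input."""
        return Label(
            max(self.confidentiality, other.confidentiality),
            min(self.integrity, other.integrity),
        )


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class SecurityContext:
    """Tracks the label of everything the agent has seen so far (assumed shape)."""
    max_allowed_confidentiality: Confidentiality
    label: Label = field(default_factory=Label)

    def observe(self, data: Label) -> Label:
        """A tool result enters the agent's context; the context taints upward
        and never goes back down (reading public data after private data does
        not clear the private taint)."""
        self.label = self.label.join(data)
        return self.label

    def check_tool_call(self, tool: str, *, privileged: bool = False,
                        sink: Optional[Confidentiality] = None) -> Decision:
        """Policy check run before a tool executes."""
        # Integrity rule: a privileged tool must not run while the context is
        # under untrusted influence (the injected-email case).
        if privileged and self.label.integrity == Integrity.UNTRUSTED:
            return Decision(False, f"{tool}: privileged call under untrusted influence")
        # Confidentiality rule: data must not flow to a sink below its label
        # (private repo content posted to a public channel).
        if sink is not None and self.label.confidentiality > sink:
            return Decision(False, f"{tool}: context is {self.label.confidentiality.name}, "
                                   f"sink is {sink.name}")
        # Ceiling rule: the agent may not act at all once the context exceeds
        # the configured maximum, whatever the destination.
        if self.label.confidentiality > self.max_allowed_confidentiality:
            return Decision(False, f"{tool}: context exceeds max_allowed_confidentiality")
        return Decision(True, f"{tool}: policy satisfied")


def email_scenario() -> List[Decision]:
    """Constructed inbox: a trusted internal email, then an untrusted external
    email whose body tries to force send_email."""
    ctx = SecurityContext(max_allowed_confidentiality=Confidentiality.PRIVATE)
    decisions = []
    ctx.observe(Label(Confidentiality.INTERNAL, Integrity.TRUSTED))
    decisions.append(ctx.check_tool_call("send_email", privileged=True, sink=Confidentiality.INTERNAL))
    ctx.observe(Label(Confidentiality.PUBLIC, Integrity.UNTRUSTED))
    decisions.append(ctx.check_tool_call("send_email", privileged=True, sink=Confidentiality.INTERNAL))
    return decisions


def repo_scenario() -> List[Decision]:
    """Constructed repository: a public issue is read, then a private file;
    posting a comment is fine before the private read and held afterwards."""
    ctx = SecurityContext(max_allowed_confidentiality=Confidentiality.PRIVATE)
    decisions = []
    ctx.observe(Label(Confidentiality.PUBLIC, Integrity.UNTRUSTED))
    decisions.append(ctx.check_tool_call("post_comment", sink=Confidentiality.PUBLIC))
    ctx.observe(Label(Confidentiality.PRIVATE, Integrity.TRUSTED))
    decisions.append(ctx.check_tool_call("post_comment", sink=Confidentiality.PUBLIC))
    return decisions


if __name__ == "__main__":
    for d in email_scenario() + repo_scenario():
        print("ALLOW " if d.allowed else "HOLD  ", d.reason)
```

The join is what makes "taints the context as private" work: it is monotone, so once a private file has been read every later tool call carries that label until a human approves the flow. The same monotonicity is why the email sample keeps untrusted bodies in `quarantined_llm`: content that never enters the main context cannot lower its integrity.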
## Where to find the details

For the full FIDES design and API details, see
[FIDES_DEVELOPER_GUIDE.md](FIDES_DEVELOPER_GUIDE.md), which covers:

- integrity and confidentiality labels
- label propagation and auto-hiding behavior
- policy enforcement middleware
- security tools such as `quarantined_llm` and `inspect_variable`
- `SecureAgentConfig` and manual integration patterns