frontend adding

README.md

@@ -1,227 +1,179 @@
 ---
-title: SecureCodeEnv
-emoji: 🔒
-colorFrom: red
-colorTo: orange
+title: Trainx
+emoji: 🔐
+colorFrom: blue
+colorTo: red
 sdk: docker
 pinned: true
-license: mit
+license: apache-2.0
 ---
 
-# SecureCodeEnv
+# 🔐 SecureCodeEnv V2
 
-**An RL environment for training LLM agents to write production-ready, secure Python code.**
+**RL environment for training LLM agents to write production-ready, secure Python code.**
 
-Built for the **Meta × PyTorch OpenEnv Hackathon 2026** by Vishal Dhakad (`vishaldhakad`).
+Built for the **Meta × HuggingFace OpenEnv Hackathon 2026** by [Vishal Dhakad](https://huggingface.co/vishaldhakad).
 
 ---
 
 ## The Problem
 
-Studies show **12–65% of LLM-generated code contains security vulnerabilities** (2025 research). Secure-pass@1 rates remain below 12% for all frontier models even when functional pass@1 exceeds 50%.
+Studies show **12–65% of LLM-generated code contains security vulnerabilities** depending on the model (2025 studies). Secure-pass@1 rates remain below 12% for all frontier models even when functional pass@1 exceeds 50%.
 
 Every existing RL environment trains agents to write code that **WORKS**. None train agents to write code that is **SAFE, CONSISTENT, and PRODUCTION-READY**.
 
-SecureCodeEnv fills that gap.
+SecureCodeEnv fills that exact gap.
 
 ---
 
-## What Makes This Environment Unique
-
-| Feature | SecureCodeEnv | Other RL Envs |
-|---|---|---|
-| Dynamic adversarial grading | ✅ Actually FIRES attacks | ❌ Static patterns only |
-| CodeGraph memory | ✅ Codebase-consistency rewards | ❌ Single-function only |
-| CWE-grounded tasks | ✅ 9 tasks, 12+ CWE IDs | ❌ Generic correctness |
-| Multi-dimensional reward | ✅ 7 dimensions | ❌ Pass/fail only |
-| Anti-reward-hacking | ✅ Seeded random payloads | ❌ Fixed test cases |
-
-### CodeGraph Memory System
-
-The environment maintains a `CodeGraph` — a structured in-memory database of every component the agent has written in the current episode. When the agent writes `auth/validator.py` in `snake_case`, and then submits `auth/middleware.py` in `camelCase`, the consistency grader penalizes the drift. No other RL environment does this.
-
-### Dynamic Adversarial Attack Grading
-
-We don't just scan for vulnerability patterns — we **fire real attacks** at the agent's code:
-- SQL injection payloads (UNION SELECT, OR 1=1, stacked queries)
-- Path traversal payloads (`../../etc/passwd`, URL-encoded variants)
-- JWT bypass attacks (`alg: none`, expired tokens, tampered payloads)
-- XSS payloads (`<script>`, `onerror=`, template injection)
-
-Payloads are randomized per episode using a seed. The agent **cannot memorize** specific strings.
+## What Makes This Unique
+
+### 1. Behavioral Adversarial Attack Grading (Unfakeable)
+We don't just scan for patterns — we **fire real attacks** at the agent's code and monitor side effects:
+- **SQL injection** → spy on `sqlite3.Cursor.execute` at C-extension level
+- **Path traversal** → hook `builtins.open` via `sys.settrace`
+- **Shell injection** → replace `subprocess.run` + `os.system` before agent code loads
+- **JWT bypass** → check if alg:none tokens are accepted
+
+V1 checked return values (`if '..' not in result`). An agent could return a clean string while actually opening `../../etc/passwd`. **V2 checks what the code DOES, not what it returns.**
+
+### 2. CodeGraph Memory System (Novel in RL)
+The agent receives a structured snapshot of everything it has already written this episode. The grader checks cross-file consistency:
+- Naming convention (snake_case vs camelCase) — 60% threshold, "mixed" state
+- Error handling style (try/except vs returns)
+- Import reuse (reuse existing modules, don't rewrite)
+
+**No other RL environment penalises style drift across files.**
+
+### 3. 9 CWE-Grounded Tasks
+| # | Task | Difficulty | CWE | Primary Attack |
+|---|------|-----------|-----|----------------|
+| 1 | `password_validator` | Easy | CWE-916 | Weak hash acceptance |
+| 2 | `input_sanitizer` | Easy | CWE-20 | XSS payload pass-through |
+| 3 | `hash_generator` | Easy | CWE-327 | Shell invocation for hashing |
+| 4 | `sql_query_builder` | Medium | CWE-89 | SQL injection via cursor spy |
+| 5 | `file_path_handler` | Medium | CWE-22 | Path traversal via open() spy |
+| 6 | `api_rate_limiter` | Medium | CWE-307 | Rate bypass with spoofed client ID |
+| 7 | `file_upload_handler` | Hard | CWE-434 | Malicious file extension upload |
+| 8 | `jwt_validator` | Hard | CWE-347 | JWT alg:none bypass |
+| 9 | `auth_middleware` | Hard | CWE-287 | Shell-based auth + timing attack |
+
+### 4. 8-Dimensional Reward System
+| Grader | Weight | Tool | Type |
+|--------|--------|------|------|
+| Correctness | 25% | Custom test runner | Functional |
+| Attack Resistance | 25% | Behavioral harness V2 | Security — unfakeable |
+| Static Security | 15% | bandit + semgrep | Security — static |
+| CodeGraph Consistency | 15% | tree-sitter + CodeGraph | Architectural |
+| Performance | 10% | timeit + tracemalloc | Efficiency |
+| Documentation | 5% | ast | Quality |
+| Code Structure | 3% | ast | Quality |
+| Supply Chain | 2% | pip-audit + typosquat | Security |
 
 ---
 
-## Reward System (7 Dimensions)
-
-| Dimension | Weight | Tool | What It Measures |
-|---|---|---|---|
-| Correctness | 30% | Custom test runner | Does the code solve the problem? |
-| Attack Resistance | 20% | Dynamic harness | Does it survive real attacks? |
-| Static Security | 15% | bandit + AST | Known vulnerability patterns (CWE-mapped) |
-| CodeGraph Consistency | 15% | AST + CodeGraph | Matches existing codebase conventions? |
-| Performance | 10% | timeit + tracemalloc | Efficient vs naive/optimal baselines |
-| Documentation | 5% | AST | Docstrings + type hints coverage |
-| Code Structure | 5% | AST | Clean code (no bare print, no bare except) |
-
----
-
-## Quick Start
+## API
 
 ```python
 import requests
 
-ENV_URL = "https://vishaldhakad-securecodeenv.hf.space"
+BASE = "https://vishaldhakad-securecodeenv.hf.space"
 
-# 1. Start episode
-episode = requests.post(f"{ENV_URL}/reset", json={"difficulty": "medium"}).json()
+# Start episode
+episode = requests.post(f"{BASE}/reset", json={"difficulty": "medium"}).json()
 sid = episode["session_id"]
-print(episode["problem_statement"])
 
-# 2. Submit code
-result = requests.post(f"{ENV_URL}/step", json={
+# Submit code
+result = requests.post(f"{BASE}/step", json={
     "session_id": sid,
-    "code": "def build_user_query(username, role):\n    return ('SELECT * FROM users WHERE username = %s', (username,))",
+    "task_id": episode["task_id"],
     "filename": "solution.py",
+    "code": your_secure_code,
 }).json()
 
-print(f"Reward: {result['total_reward']:.3f}")
-print(f"Scores: {result['scores']}")
-print(f"Feedback: {result['feedback']['summary']}")
+print(result["total_reward"])   # 0.0 – 1.0
+print(result["feedback"])       # per-grader feedback
+print(result["codegraph"])      # updated codebase context
 ```
 
----
-
-## Tasks — 9 Tasks Across 3 Difficulty Levels
-
-### Easy
-| Task | CWE Targets | Attack |
-|---|---|---|
-| Password Validator | CWE-916, CWE-521 | Weak hash detection |
-| Input Sanitizer | CWE-20, CWE-116 | XSS payload injection |
-| Token Generator | CWE-338, CWE-330 | Predictable randomness |
-
-### Medium
-| Task | CWE Targets | Attack |
-|---|---|---|
-| SQL Query Builder | CWE-89 | SQL injection payloads |
-| File Path Handler | CWE-22 | Path traversal attacks |
-| Rate Limiter | CWE-770, CWE-400 | Concurrent request flood |
-
-### Hard
-| Task | CWE Targets | Attack |
-|---|---|---|
-| File Upload Handler | CWE-22, CWE-434 | Traversal filenames + MIME spoofing |
-| JWT Validator | CWE-347, CWE-613 | `alg:none` attack, expired tokens |
-| Auth Middleware | CWE-287, CWE-352 | CSRF bypass, timing attacks |
+### Endpoints
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `/reset` | POST | Start new episode — returns task, CodeGraph, session_id |
+| `/step` | POST | Submit code — returns reward, feedback, updated CodeGraph |
+| `/state` | GET | Read current episode state |
+| `/health` | GET | Health check |
+| `/docs` | GET | Interactive Swagger UI |
 
 ---
 
-## API Reference
-
-### `POST /reset`
-Start a new episode.
-
-**Request:**
-```json
-{ "difficulty": "medium" }
-```
-
-**Response:**
-```json
-{
-  "session_id": "uuid",
-  "task_id": "medium_sql_query_builder",
-  "problem_statement": "Write a Python function...",
-  "difficulty": "medium",
-  "cwe_targets": ["CWE-89", "CWE-20"],
-  "codegraph": { "components": {}, "conventions": {} },
-  "starter_code": "def build_user_query(...):"
-}
-```
-
-### `POST /step`
-Submit agent code for grading.
+## Action Space
+Python source code string (max 50KB). Filename used for CodeGraph tracking.
 
-**Request:**
+## Observation Space
 ```json
 {
-  "session_id": "uuid",
-  "code": "def build_user_query(username: str, role: str) -> tuple: ...",
-  "filename": "src/db/queries.py"
-}
-```
-
-**Response:**
-```json
-{
-  "total_reward": 0.847,
+  "total_reward": 0.84,
   "scores": {
     "correctness": 1.0,
     "attack_resist": 0.875,
-    "static_security": 0.9,
+    "static_security": 0.7,
     "consistency": 1.0,
-    "performance": 0.72,
-    "documentation": 0.75,
-    "code_structure": 0.8
+    "performance": 0.8,
+    "documentation": 0.5,
+    "code_structure": 1.0,
+    "supply_chain": 1.0
+  },
+  "feedback": {
+    "correctness": "✅ Excellent (1.00) — 8/8 tests passed.",
+    "attack_resist": "🟡 Good (0.88) — 7/8 attacks blocked."
   },
-  "feedback": { "summary": "🟡 Good submission — improve: performance" },
-  "codegraph": { ... },
+  "codegraph": { "conventions": {}, "components": {} },
   "done": false,
-  "step_count": 1
+  "step_count": 2
 }
 ```
 
-### `GET /state?session_id=<id>`
-Get current episode state without advancing.
-
-### `GET /health`
-Returns `{"status": "ok", "env": "SecureCodeEnv", "version": "2.0.0", "tasks_loaded": 9}`
-
 ---
 
-## Setup (Local)
-
-```bash
-git clone https://huggingface.co/spaces/vishaldhakad/SecureCodeEnv
-cd SecureCodeEnv
-
-# Docker (recommended)
-docker build -t secure-code-env .
-docker run -p 7860:7860 secure-code-env
-
-# Or direct
-pip install -r requirements.txt
-uvicorn app.main:app --host 0.0.0.0 --port 7860
-```
-
-## Run Baseline Inference
+## Quick Start
 
 ```bash
-export API_BASE_URL=https://api.openai.com/v1
-export MODEL_NAME=gpt-4o-mini
-export HF_TOKEN=hf_your_token
-export ENV_URL=http://localhost:7860
+# Local dev
+docker build -t securecodeenv .
+docker run -p 7860:7860 -e REDIS_URL=<upstash_url> securecodeenv
+
+# Run baseline inference
+API_BASE_URL=https://api.groq.com/openai/v1 \
+MODEL_NAME=llama-3.3-70b-versatile \
+HF_TOKEN=<your_token> \
+ENV_URL=http://localhost:7860 \
 python inference.py
-```
 
-## Validate Before Submit
-
-```bash
-python validate.py --url http://localhost:7860
+# Pre-submission validation
+python validate.py
 ```
 
----
-
 ## Environment Variables
-
 | Variable | Required | Description |
-|---|---|---|
-| `API_BASE_URL` | Yes | LLM API endpoint (OpenAI-compatible) |
-| `MODEL_NAME` | Yes | Model identifier (e.g. `gpt-4o-mini`) |
-| `HF_TOKEN` | Yes | HuggingFace token |
-| `ENV_URL` | No | Override environment URL (default: localhost:7860) |
+|----------|----------|-------------|
+| `REDIS_URL` | Yes | Upstash Redis URL (`rediss://default:<token>@<host>.upstash.io:6379`) |
+| `API_BASE_URL` | For inference | LLM API base URL |
+| `MODEL_NAME` | For inference | Model name |
+| `HF_TOKEN` | For inference | HuggingFace token |
+
+---
+
+## Infrastructure (100% Free)
+| Component | Solution | Cost |
+|-----------|----------|------|
+| Compute | HuggingFace Spaces CPU (2 vCPU / 16GB) | ✅ $0 |
+| Containerisation | Docker | ✅ $0 |
+| Session persistence | Upstash Redis free tier | ✅ $0 |
+| Static analysis | bandit + semgrep | ✅ $0 |
+| Multi-language parsing | tree-sitter | ✅ $0 |
+| LLM for inference | Groq free tier | ✅ $0 |
 
 ---
 
-*SecureCodeEnv v2.0 · Meta × PyTorch OpenEnv Hackathon 2026 · Vishal Dhakad*
+*SecureCodeEnv V2 — Built by Vishal Dhakad | Meta × HuggingFace OpenEnv Hackathon 2026 | Total infrastructure cost: $0.00*