{"data":{"kind":"file","path":"README.md","version_id":"sedwwt2hnpeaof6f13kbmfl5","entry":{"name":"README.md","path":"README.md","is_directory":false,"size":9260,"modified_at":"2026-07-08T15:40:13.940000","content_hash":"aebdcfc4f5086b49ee2c5ca4b676e145b7d4e59fef8e603a73447992e626468a"},"entries":[],"content":"# cybersecurity-privacy-legal-agent-eval\n\n**What this is.** A rigorous, repeatable test of whether an AI agent can handle a\npiece of delegated cyber-incident and privacy counseling work the way a careful junior lawyer would. The agent receives\na realistic matter file — nine mixed-format documents (agreements, fact schedules, board\nminutes, chat exports, reference memos) — and a short partner instruction: review the\nrecord and deliver a risk memorandum under a specific filename.\n\n**The matters.** Five original, fully synthetic matters (no real client facts anywhere):\na ransomware incident forcing an 8-K Item 1.05 materiality determination under the four-business-day clock; a health-app SDK disclosure triggering breach-notice analysis; a hospital incident; a water utility weighing CIRCIA reporting and ransom-payment timing; and an adtech privacy review. Each matter contains seven planted issues the memo should raise — and\ndeliberately irrelevant documents a disciplined reviewer should decline to escalate.\n\n**How it's graded.** The way a supervising lawyer would grade it, made mechanical: each\nmatter's drafting attorney prepared a private answer key (the issues, their severity, the\nexpected remediation), and scoring checks the delivered memo against that key. There is\nno AI judging AI — the grading is deterministic, published in compiled form with the\npackage, and frozen by cryptographic hash so results are reproducible and comparable.\n\n**What the scores tell you.** Three things a hiring partner would ask about a junior's\nwork: *Did the work product actually get delivered as instructed?* (deliverable\ncompletion) — *Did it catch the issues that matter?* (finding recall, the discriminative\naxis) — *Did it escalate noise?* (distractor telemetry). Quoted source text earns\nnothing; credit requires the agent's own analysis.\n\n**What it can help with.** Benchmarking models and vendors before trusting them with\ncyber-incident and privacy counseling work; tracking whether a new model version actually improved on legal\nreasoning rather than fluency; and research on agent scaffolding — the same tasks can be\nrun with different tooling around the same model. This pocket is one of a seven-practice-\narea family sharing a single grading engine, so results are comparable across areas.\n\n## Quickstart\n\n```bash\nprime env install cybersecurity-privacy-legal-agent-eval\nprime eval run cybersecurity-privacy-legal-agent-eval -m <your-model>      # 5 tasks x 3 rollouts\nprime eval run cybersecurity-privacy-legal-agent-eval -m <your-model> -a '{\"task_id\":\"aurora-sec-001\"}'\n```\n\nThe agent gets four tools -- `list_documents`, `read_document` (paginated),\n`grep_documents`, and `save_deliverable` -- and up to 30 turns. Content that only appears\nin chat does not count: deliverables must be saved under their declared names, and a\n`memo.md` never satisfies a declared `memo.docx`.\n\n## Why deterministic scoring\n\nExecutable validators are the reward; judges are telemetry. The anchor specifications are\n**compiled from private answer keys** (never hand-written per task) and are designed to be\nfrozen by SHA-256 before any reported run. Matching is deliberately conservative --\nquoted source text is masked before scoring so pasting documents earns nothing, and a\nfinding only credits when the issue is named in its own terms *and* corroborated by\nseverity, remediation, or record-grounding evidence in the same context window.\n\n**Pre-registration note:** the compiled anchors ship with the package because the reward\nneeds them. Do not tune prompts, scaffolds, or models against them; treat them as a\nheld-out grader.\n\n## Tasks\n\nFive synthetic cybersecurity & privacy matters, each a realistic dataroom-review\ndelegation: terse partner instruction, 9 mixed-format documents (docx / pdf / xlsx / eml /\ntxt), one declared `.docx` memo deliverable, 7 planted issues, and a 42-criterion rubric.\nAll content is original synthetic material -- no third-party benchmark data, no real\nclient facts. Document corpora are intentionally compact in v0.1; corpus enrichment\n(full-length policies, incident files, multi-deliverable tasks) is the named path to\nv1.0.\n\n| Task | Title | Deliverable | Instruction |\n| --- | --- | --- | --- |\n| `aurora-sec-001` | Assess AuroraGrid Cyber Disclosure — Risk Memo | `cyber-disclosure-memo.docx` | Review the attached documents against the compliance reference and prepare a cyber disclosure memo. Output: cyber-disclosure-memo.docx. |\n| `pulse-health-002` | Analyze PulseFit Health App Breach — Notice Memo | `health-breach-memo.docx` | Review the attached documents against the compliance reference and prepare a health breach notice memo. Output: health-breach-memo.docx. |\n| `river-hospital-003` | Review Riverbend Reproductive PHI Request — Disclosure Memo | `reproductive-phi-memo.docx` | Review the attached documents against the compliance reference and prepare a PHI disclosure memo. Output: reproductive-phi-memo.docx. |\n| `metro-circia-004` | Assess MetroWater CIRCIA Reporting — Incident Memo | `circia-incident-memo.docx` | Review the attached documents against the compliance reference and prepare a CIRCIA incident memo. Output: circia-incident-memo.docx. |\n| `nova-adtech-005` | Review NovaRetail Sensitive Data Sharing — Risk Memo | `sensitive-data-memo.docx` | Review the attached documents against the compliance reference and prepare a privacy risk memo. Output: sensitive-data-memo.docx. |\n\n## Environment arguments\n\n| Argument | Default | Description |\n| --- | --- | --- |\n| `source` | `\"factory\"` | `\"factory\"` loads the bundled anchored tasks; `\"lab\"` loads LAB tasks from an explicit `tasks_root` |\n| `task_id` | `\"all\"` | All five matters, or a single slug such as `aurora-sec-001` |\n| `max_turns` | `30` | Tool-use turn budget |\n| `page_chars` | `6000` | Page size returned by `read_document` |\n| `false_flag_weight` | `0.0` | Weight of the distractor-escalation penalty |\n| `min_deliverable_chars` | `200` | Minimum content length for a deliverable to count |\n| `judge_model` | `None` | Optional weight-0 judge telemetry; requires `JUDGE_API_KEY` (or `judge_api_key_var`) only when set |\n| `tasks_root` | `None` | In factory mode, override the bundled task directory with the same layout; in LAB mode, required and must point at your own LAB checkout |\n\nNo environment variables are required by default.\n\n## LAB mode\n\n`source=\"lab\"` measures workflow discipline: did the agent persist every declared\ndeliverable under its exact filename with substantive content. It does not measure issue\ncoverage because LAB tasks do not ship with a compiled answer key, so there is no\n`finding_recall`, `false_flag_rate`, or similar anchored metric in this mode. Every LAB\nmetric carries a `lab_` prefix so LAB workflow telemetry is never confused with or\naveraged alongside factory metrics.\n\nLAB mode requires `tasks_root`; no default or bundled LAB tasks ship in the package. The\nloader discovers `tasks_root/<category>/<task-id>/task.json`, with source files in the\nsibling `documents/` directory. Each `task.json` must contain `instructions` as a string\nand `deliverables` as a dict whose keys are the declared filenames, for example\n`{\"memo.docx\": \"memo.docx\"}`. The internal row slug uses `category/task-id` to keep tasks\nfrom different categories distinct.\n\n## Baseline results\n\n| Model | Setup | Reward | Finding recall | Deliverables saved | False flags |\n| --- | --- | ---: | ---: | ---: | ---: |\n| | gpt-5.5 | 5 tasks × 3 rollouts | 0.531 | 0.219 | 15/15 |\n| qwen3-30b-a3b-instruct-2507 | 5 tasks × 3 rollouts | 0.434 | 0.057 | 15/15 |\n\nThe frontier model separates cleanly from the 30B class. Cyber/privacy recall runs low for\nboth models: the planted issues (Item 1.05 mechanics, CIRCIA reporting, notification\nclocks) are specialized, and the checker is deliberately conservative (credited findings\nwere hand-audited against the answer keys; zero over-credit). `false_flag_rate` is\nreported as telemetry only in this area — see Metrics. | - | - | - | - | - |\n\n## Interpreting scores\n\nA competent agent should approach `deliverable_complete = 1.0` quickly; `finding_recall`\nis the discriminative axis and is strict by construction -- credit requires engaging with\nthe specific planted issue, not mentioning its topic. `false_flag_rate > 0` indicates the\nagent escalates noise. `transcript_recall > finding_recall` indicates findings that never\nmade it into the saved deliverable (a workflow-discipline failure, not a knowledge one).\nRollout-to-rollout variance is real at this scale; the default 3 rollouts per task are a\nminimum for stable comparisons.\n\n## Provenance\n\nTask content and answer keys are original work from a validated synthetic-task factory\n(35 tasks across 7 practice areas; this package ships the cybersecurity & privacy\npocket). Anchor compilation lineage is recorded in each task's `anchors.json` provenance\nblock and in the stamped module header. This build has not been frozen; freeze SHA\ncompletion is a separate manual step per SPEC section 6. See `NOTICE` for attribution\ndetails.\n\nThis is one environment in a per-practice-area family; contracts, corporate M&A, and\ncorporate governance pockets follow the same engine and scoring contract.\n","encoding":"utf-8","truncated":false,"total_bytes":9260},"status":null}