Zu plugin-test gate: contract/interop gates + the adversarial red-team agent and out-of-band verdict observers
Project description
zu-redteam
The plugin-test gate and the adversarial red team — the machinery behind the capability-envelope philosophy and the red-team design (in the published docs). The red team is itself a Zu agent: Zu is the runtime on both sides of the gate.
This is test/CI infrastructure — it is not loaded by a deployed agent. Run it
with zu test-plugin <pkg> (install via pip install 'zu-runtime[test]').
What it does
A plugin is not "done" when its unit tests pass — it is done when it cooperates with other plugins and withstands an adversary inside a real Zu runtime. The gate runs the graded gates in order and renders one verdict:
zu test-plugin zu-tools
✅ unit PASS
✅ contract PASS — port shape + declared capability envelope
✅ interop PASS — stood up with >= 3 cross-category neighbours
✅ adversarial PASS — frozen corpus + directed probes; envelope held
⊘ container SKIP — Docker not present (production form of the same run)
The pieces
| Module | Role |
|---|---|
verdict.py |
The out-of-band, deterministic judge: egress / exfil / provenance / resources / neighbour-health observers. The attacker never certifies. |
corpus.py |
The frozen regression corpus — the §4 attacks as deterministic runs. Only ever grows. |
attacker.py |
The attacker agent + tools + fleet. ScriptedAttacker (deterministic, CI); LiveAttacker (opt-in frontier discovery, ZU_REDTEAM_LIVE=1). |
harness.py |
Stands a target up in a real in-process Zu run and captures it for the observers. |
contract.py |
Port/contract conformance (shape, types, declared envelope). |
gate.py |
Orchestrates the gates → GateReport; the entry point zu test-plugin calls. |
Determinism
Discovery (a live frontier attacker) is non-deterministic by design; a discovered
breach is frozen into corpus.py and replayed deterministically thereafter — so
CI stays reproducible while the corpus only grows. The container gate is the
production form of the same in-process run (same observers, same verdict).
Tests
uv run pytest packages/zu-redteam — offline, deterministic. The suite proves the
gate both passes a safe plugin and fails an unsafe one (a tool that
under-declares egress, or leaks a planted secret).
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file zu_redteam-0.2.0.tar.gz.
File metadata
- Download URL: zu_redteam-0.2.0.tar.gz
- Upload date:
- Size: 50.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
93ee14f1ccbbb9e957857e8a9a535b9274618005cb8dbe01e7324c619f49f7c6
|
|
| MD5 |
848a4950d3f0a0403a68dfef9040526e
|
|
| BLAKE2b-256 |
906459b8e0a803d52d63cf777b3f50efb6846c3a2e2cbc7be4cb12928a8130ec
|
File details
Details for the file zu_redteam-0.2.0-py3-none-any.whl.
File metadata
- Download URL: zu_redteam-0.2.0-py3-none-any.whl
- Upload date:
- Size: 46.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.16 {"installer":{"name":"uv","version":"0.11.16","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
40f2e71ee4c0548eb294b52f6e14b0db40dd1b4ebd267a8eafcd20cc9f915aa8
|
|
| MD5 |
2f144832a617e9c24ef72ba81f42c385
|
|
| BLAKE2b-256 |
91af5d2e10d28aec4ab25cd1ecfde524b4155e79ac556210db4a8d816d187fb3
|
