4.6 KiB
FIDES security samples
This folder contains runnable FIDES samples. Keep this README as the quick entry point for choosing and running a sample; use FIDES_DEVELOPER_GUIDE.md for the architecture, security model, middleware behavior, and API reference.
What each sample demonstrates
| Sample | Focus | Demonstrates |
|---|---|---|
email_security_example.py |
Prompt injection defense | SecureAgentConfig, Foundry-backed email handling, quarantined_llm, and approval on policy violations |
repo_confidentiality_example.py |
Data exfiltration prevention | Confidentiality labels, Foundry-backed repository access, max_allowed_confidentiality, and approval before leaking private data |
github_mcp_example.py |
Remote MCP URL with local FIDES enforcement | SecureMCPToolProxy(url=...), direct GitHub MCP access, tool auto-labeling, and post-tool-call policy enforcement |
Prerequisites
Run these samples from the python/ directory with the repo development
environment available.
- Azure CLI authentication:
az login FOUNDRY_PROJECT_ENDPOINTset in your environmentFOUNDRY_MODELset in your environment for the main agent deployment- Local dev environment installed (for example,
uv sync --dev)
These samples use Foundry for the main agent and keep the quarantine
client pinned to gpt-4o-mini where applicable.
For github_mcp_example.py, set:
GITHUB_PAT(GitHub Personal Access Token)FOUNDRY_PROJECT_ENDPOINT(Foundry project endpoint)FOUNDRY_MODEL(optional model override)
Suppressing the experimental warning
The FIDES APIs in these samples are still experimental. Each sample includes a
short commented warnings.filterwarnings(...) snippet near the imports.
Uncomment it if you want to suppress the FIDES warning before using the
experimental APIs locally.
Running the samples
email_security_example.py
This sample simulates an inbox containing trusted and untrusted emails,
including prompt-injection attempts that try to force a privileged send_email
tool call.
Run it with:
uv run samples/02-agents/security/email_security_example.py --cli
uv run samples/02-agents/security/email_security_example.py --devui
uv run samples/02-agents/security/email_security_example.py --cli --debug
When you run the DevUI variant, the sample prints the active DevUI bearer token before starting the server.
Add --debug to enable verbose tool and security middleware logging.
What to look for:
- Untrusted email bodies are handled through the FIDES security flow
quarantined_llmprocesses hidden content in isolation- DevUI requests approval if the agent tries a blocked privileged action
repo_confidentiality_example.py
This sample simulates a public issue that tries to trick the agent into reading private repository secrets and posting them to a public channel.
Run it with:
uv run samples/02-agents/security/repo_confidentiality_example.py --cli
uv run samples/02-agents/security/repo_confidentiality_example.py --devui
When you run the DevUI variant, the sample prints the active DevUI bearer token before starting the server.
What to look for:
- Reading public content keeps the context public
- Reading private content taints the context as private
- Posting private data to a public destination triggers an approval request
github_mcp_example.py
This sample connects directly to https://api.githubcopilot.com/mcp/ through
MCPStreamableHTTPTool, then wraps the MCP client in SecureMCPToolProxy so
FIDES middleware can inspect tool results and enforce policy locally. The
X-MCP-Features: ifc_labels header is passed to opt in to server-side IFC label
emission in tool result _meta.
Run it with:
uv run samples/02-agents/security/github_mcp_example.py --cli
uv run samples/02-agents/security/github_mcp_example.py --cli --attack
uv run samples/02-agents/security/github_mcp_example.py --devui
uv run samples/02-agents/security/github_mcp_example.py --devui --debug
What to look for:
- MCP tools are auto-labeled from remote annotations
- Untrusted tool output is tracked by FIDES label middleware
- Attack-mode write attempts can trigger policy enforcement or approval
Where to find the details
For the full FIDES design and API details, see FIDES_DEVELOPER_GUIDE.md, which covers:
- integrity and confidentiality labels
- label propagation and auto-hiding behavior
- policy enforcement middleware
- security tools such as
quarantined_llmandinspect_variable SecureAgentConfigand manual integration patterns