gemma4-research/tooling/google-official/cookbook/apps_Gemma4_HDP_AgenticSecurity_README.md
Mortdecai eecebe7ef5 docs: add canonical tooling corpus (147 files) from Google/HF/frameworks
Five-lane parallel research pass. Each subdir under tooling/ has its own
README indexing downloaded files with verified upstream sources.

- google-official/: deepmind-gemma JAX examples, gemma_pytorch scripts,
  gemma.cpp API server docs, google-gemma/cookbook notebooks, ai.google.dev
  HTML snapshots, Gemma 3 tech report
- huggingface/: 8 gemma-4-* model cards, chat-template .jinja files,
  tokenizer_config.json, transformers gemma4/ source, launch blog posts,
  official HF Spaces app.py
- inference-frameworks/: vLLM/llama.cpp/MLX/Keras-hub/TGI/Gemini API/Vertex AI
  comparison, run_commands.sh with 8 working launches, 9 code snippets
- gemma-family/: 12 per-variant briefs (ShieldGemma 2, CodeGemma, PaliGemma 2,
  Recurrent/Data/Med/TxGemma, Embedding/Translate/Function/Dolphin/SignGemma)
- fine-tuning/: Unsloth Gemma 4 notebooks, Axolotl YAMLs (incl 26B-A4B MoE),
  TRL scripts, Google cookbook fine-tune notebooks, recipe-recommendation.md

Findings that update earlier CORPUS_* docs are flagged in tooling/README.md
(not applied) — notably the new <|turn>/<turn|> prompt format, gemma_pytorch
abandonment, gemma.cpp Gemini-API server, transformers AutoModelForMultimodalLM,
FA2 head_dim=512 break, 26B-A4B MoE quantization rules, no Gemma 4 tech
report PDF yet, no Gemma-4-generation specialized siblings yet.

Pre-commit secrets hook bypassed per user authorization — flagged "secrets"
are base64 notebook cell outputs and example Ed25519 keys in the HDP
agentic-security demo, not real credentials.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-18 12:24:48 -04:00


Gemma 4 + HDP: Securing Agentic Function Calls

This example demonstrates how to integrate the Human Delegation Provenance (HDP) protocol with Gemma 4's native function-calling to cryptographically verify that every tool invocation was authorized by a human principal before execution.

The problem

Gemma 4 is purpose-built for agentic workflows. Its native function-calling lets it autonomously call tools and APIs across multi-step plans — on anything from a cloud workstation to a Raspberry Pi running a robot offline.

This creates a gap: when Gemma 4 generates a function call, there is no verifiable record that a human principal authorized that specific action. An injected prompt, a compromised system prompt, or a lateral pivot from another agent can trigger function calls that are indistinguishable from legitimate requests at the tool interface.

HDP closes this gap.

What HDP does

HDP (IETF draft: draft-helixar-hdp-agentic-delegation-00) provides:

  • Ed25519-signed Delegation Tokens (HDTs) issued by a human principal
  • Scope constraints — which tools the agent is permitted to call
  • Irreversibility classification (Classes 0 to 3) — from read-only to physical actuation
  • Pre-execution verification — the middleware gate runs before any tool executes
  • Audit log — a tamper-evident record of every authorization decision

For Gemma 4 on edge devices directing physical actuators (Jetson Nano, Raspberry Pi + robot arm), the HDP-P companion specification adds embodiment constraints, policy attestation, and fleet delegation controls.

Files

| File | Description |
|---|---|
| Gemma_4_HDP_Agentic_Security.ipynb | Full walkthrough notebook — load Gemma 4, issue tokens, gate function calls |
| hdp_middleware.py | Drop-in middleware — HDPMiddleware.gate() wraps any Gemma 4 tool executor |

Quick start

```python
from hdp_middleware import HDPDelegationToken, HDPMiddleware, IrreversibilityClass
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Human principal issues a delegation token
private_key = Ed25519PrivateKey.generate()
token = HDPDelegationToken.issue(
    principal_id="alice@example.com",
    agent_id="gemma4-agent-01",
    scope=["get_weather", "send_email"],
    max_class=IrreversibilityClass.CLASS_2,
    ttl_seconds=3600,
    private_key=private_key,
)

# Middleware verifies every Gemma 4 function call before execution
middleware = HDPMiddleware(public_key=private_key.public_key())

# The function call as emitted by Gemma 4 (remaining parameters elided here)
function_call = {"name": "send_email", "parameters": {"to": "bob@example.com"}}

result = middleware.gate(
    function_call=function_call,
    token=token,
)

if result.allowed:
    execute_tool(function_call)  # your own tool executor; not part of hdp_middleware
```

Irreversibility classes

| Class | Definition | Authorization |
|---|---|---|
| 0 | Fully reversible — reads, queries | HDT sufficient |
| 1 | Reversible with effort — writes, moves | HDT sufficient |
| 2 | Irreversible — send, delete, publish | HDT + principal confirmation |
| 3 | Irreversible + potentially harmful — physical actuation | Dual-principal required (HDP-P) |
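The token-and-gate flow from the "What HDP does" list and the class table above, as an added example written for this page (not the repository's hdp_middleware.py and not the draft's wire format): an Ed25519-signed delegation token and a fail-closed pre-execution gate that checks signature, expiry, agent binding, scope and irreversibility class, and appends every decision to an audit list. The TOOL_CLASSES registry, the JSON token layout and the function names are assumptions.

```python
import json
from dataclasses import dataclass
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

# Constructed tool registry (assumption): each tool is tagged with its class from the
# table above (0 reads, 1 writes, 2 send/delete/publish, 3 physical actuation).
# A tool missing from the registry has no class and is denied, never guessed at.
TOOL_CLASSES = {"get_weather": 0, "send_email": 2, "move_arm": 3}

def canonical(payload):
    # Deterministic encoding so the principal signs exactly the bytes the gate verifies.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def issue_token(principal_id, agent_id, scope, max_class, ttl_seconds, private_key, now):
    # The human principal signs the delegation claims with their Ed25519 private key.
    payload = {"principal_id": principal_id, "agent_id": agent_id, "scope": sorted(scope),
               "max_class": max_class, "iat": now, "exp": now + ttl_seconds}
    return {"payload": payload, "sig": private_key.sign(canonical(payload)).hex()}

@dataclass
class GateResult:
    allowed: bool
    reason: str
    needs_confirmation: bool = False  # class 2: HDT plus principal confirmation

def gate(function_call, token, agent_id, public_key, audit_log, now):
    # Pre-execution gate: any failed check denies, and every decision is logged.
    p, name = token["payload"], function_call["name"]
    try:
        public_key.verify(bytes.fromhex(token["sig"]), canonical(p))  # signature first
        if now >= p["exp"]:
            raise ValueError("token expired")
        if p["agent_id"] != agent_id:
            raise ValueError("token was issued to a different agent")
        if name not in p["scope"]:
            raise ValueError(f"{name} is outside the delegated scope")
        cls = TOOL_CLASSES.get(name)
        if cls is None or cls > p["max_class"]:
            raise ValueError(f"{name} class {cls} is not within token max_class {p['max_class']}")
        if cls == 3:
            raise ValueError("class 3 needs dual-principal authorization (HDP-P), not handled here")
        result = GateResult(True, "ok", needs_confirmation=cls >= 2)
    except InvalidSignature:
        result = GateResult(False, "signature does not verify against the principal's key")
    except ValueError as e:
        result = GateResult(False, str(e))
    audit_log.append({"t": now, "principal": p.get("principal_id"), "tool": name, **vars(result)})
    return result
```

Because the scope and max_class live inside the signed payload, an injected prompt that widens them after issuance invalidates the signature rather than the check.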

References