
woxff/coupon


coupon

Intentionally vulnerable agentic AI app — the AI-security equivalent of DVWA / WebGoat. Built to demonstrate the OWASP LLM Top 10 in plausible scenarios, then iteratively hardened.

This is teaching code, not production code. Do not deploy it. Do not run it against real user data, real mailboxes, or the real internet.

For the design intent and the full week-by-week lesson plan, read CLAUDE.md (working instructions) and context.md (deep background). Current state of the build lives in PROGRESS.md.

Quickstart

# 1. Install deps
uv sync

# 2. Configure
cp .env.example .env
# Fill in ANTHROPIC_API_KEY in .env

# 3. Seed the fake company (SQLite + vector store + fake "internet")
uv run python -m coupon.data.seed

# 4. Run the agent
uv run coupon

What's here

  • A "Personal Assistant" agent for the fictional ACME Corp.
  • Tools: read_emails, send_email, read_wiki, read_url.
  • SQLite backs users and emails; ChromaDB backs the wiki; data/internet/ is a fake intranet.
  • Every prompt, model response, tool call, and tool result is written to logs/run-<ts>.jsonl. The logs are the lesson.
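As an added example (not code from the coupon repo), a small script that scans a run-<ts>.jsonl log for the pattern the lessons target: an outbound send_email call issued after the agent has consumed untrusted content from read_emails or read_url. The record field names (type, tool, args, content) are an assumption, since the README does not show the log schema; the sample log is constructed.

```python
# Added example, not part of the coupon repo: scan a run-<ts>.jsonl log for
# outbound actions taken after the agent ingested untrusted content.
# ASSUMPTION: each line is a JSON object with "type" in
# {"prompt", "model", "tool_call", "tool_result"}, plus "tool", "args", "content".
# The real log schema is not shown in the README; adjust the field names.
import json

UNTRUSTED_TOOLS = {"read_emails", "read_url"}   # content originates outside the agent
ACTION_TOOLS = {"send_email"}                    # side effects that leave the sandbox


def find_tainted_actions(lines):
    """Return (line_no, tool, args, sources) for every action tool call that
    follows at least one untrusted tool result earlier in the same run."""
    tainted_sources = []   # (line_no, tool) of untrusted results seen so far
    findings = []
    for n, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        kind, tool = rec.get("type"), rec.get("tool")
        if kind == "tool_result" and tool in UNTRUSTED_TOOLS:
            tainted_sources.append((n, tool))
        elif kind == "tool_call" and tool in ACTION_TOOLS and tainted_sources:
            findings.append((n, tool, rec.get("args", {}), list(tainted_sources)))
    return findings


# Constructed sample run: the agent reads mail, then emails an outside address.
SAMPLE_LOG = """
{"type": "prompt", "content": "Summarize my unread email."}
{"type": "tool_call", "tool": "read_emails", "args": {"folder": "inbox"}}
{"type": "tool_result", "tool": "read_emails", "content": "[2 messages]"}
{"type": "model", "content": "Forwarding as requested."}
{"type": "tool_call", "tool": "send_email", "args": {"to": "external@example.net"}}
{"type": "tool_result", "tool": "send_email", "content": "sent"}
""".strip().splitlines()

if __name__ == "__main__":
    for n, tool, args, sources in find_tainted_actions(SAMPLE_LOG):
        src = ", ".join(f"{t}@line{ln}" for ln, t in sources)
        print(f"line {n}: {tool}{args} executed after untrusted input ({src})")
```

Run it over a real logs/run-<ts>.jsonl once the field names match; every hit is a candidate for a human-in-the-loop gate or an allow-list on recipients when the send_email defense is added.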

What's deliberately not here (yet)

  • Any defense against prompt injection, excessive agency, output handling, etc. The Week-1 baseline ships vulnerable on purpose. Defenses get added one OWASP category at a time — see PROGRESS.md.

Safety

This app is built to be exploited. Run it in an isolated environment. Never point its tools at real services.
