Module: CAP-B2 — Run a Full Agent Red-Team Engagement Diagram count: 6 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.
Type: Flowchain / methodology sequence Purpose: The single most important visual in the capstone. A red-team engagement is not a fragment — it is the complete six-phase methodology from B12, executed in order, against a real tau deployment. Each phase produces a real artifact backed by real tool-call evidence. Skipping any phase voids the engagement's value: a finding without scope is inadmissible; a finding without reconnaissance is a guess; a finding without validation is an anecdote; a finding without a report is unsaid; a finding without a retest plan is binary "fixed" (the B0 anti-pattern). Each phase's output is the next phase's input. Reading the diagram: Top-to-bottom as the sequence. Each phase has an input (what it consumes) and an output (what it produces — the deliverable). The teal flow is the forward path; the amber dashed line is the retest loop closing back from Phase 6 to the fully-hardened target.
flowchart TB
P1["PHASE 1 — SCOPING<br/>write the SOW + scope file<br/>B0 clauses: provider auth, dual-use,<br/>DMCA waiver, data handling<br/>target: real tau + partial plugins"]:::phase
P1OUT["→ signed SOW + validated scope file"]:::out
P2["PHASE 2 — RECONNAISSANCE<br/>map tau's 7 surfaces (B1/SDD-B11)<br/>build the CONTROL-GAP MAP<br/>what's IN: taint + sandbox<br/>what's MISSING: vault, B3, B8"]:::phase
P2OUT["→ control-gap map (the target as gaps)"]:::out
P3["PHASE 3 — VULNERABILITY DISCOVERY<br/>scorecard battery (measures the gaps)<br/>OWASP checklist (B9) + chains (B10)<br/>headline: cred-exfil via missing tau_vault"]:::phase
P3OUT["→ scorecard + checklist + 3 attack chains"]:::out
P4["PHASE 4 — EXPLOITATION & VALIDATION<br/>minimum-proof (B0) against REAL tau tools<br/>measured rates over N attempts<br/>hash of cred prefix, never the values"]:::phase
P4OUT["→ confirmed findings w/ real tool-call evidence"]:::out
P5["PHASE 5 — REPORTING<br/>the engagement report<br/>findings · control matrix · roadmap<br/>prescribes tau_vault, B3, B8"]:::phase
P5OUT["→ the signature deliverable"]:::out
P6["PHASE 6 — RETESTING<br/>define the retest plan<br/>battery vs FULLY-HARDENED tau<br/>before/after per finding"]:::phase
P6OUT["→ retest plan (measured future)"]:::out
P1 --> P1OUT --> P2
P2 --> P2OUT --> P3
P3 --> P3OUT --> P4
P4 --> P4OUT --> P5
P5 --> P5OUT --> P6
P6 --> P6OUT
RETEST["re-run battery vs<br/>FULLY-HARDENED tau<br/>(all 3 plugins + B3 + B8)<br/>report before/after rate"]:::retest
P6 -. closes the loop .-> RETEST
classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef out fill:#101018,stroke:#9494a0,color:#9494a0
classDef retest fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
Note: The phases are ordered and non-skippable, and every artifact is backed by real tau tool calls. Phase 1's scope file names the specific tau version and plugin configuration. Phase 2's control-gap map is the input to Phase 3's battery — the battery reveals which classes are mitigated (indirect, tool_abuse) and which are live (memory_poison, sandbox_escape). Phase 4's evidence is real
bashoutput, real session JSONL, real credential-file reachability. The dashed line from Phase 6 is the retest loop: the same battery, re-run against the fully-hardened tau (all three plugins plus B3 and B8), reporting the measured residual risk.
Type: Architecture / control-state map Purpose: The target, made visible. Acme Corp's tau deployment has tau_taint (B2) and tau_sandbox (B7) installed, but tau_vault (B5), the B3 memory gate, and the B8 intent tracker are MISSING. This is the realistic partial-hardening scenario — the most common production state. The diagram shows what is defended (teal) and what is missing (red), so the control-gap map is visible at a glance. The headline gap — plaintext credentials with no vault — is marked. Reading the diagram: The tau architecture flows top-to-bottom: provider → loop → tools → memory → identity. Each layer shows its control state. Teal = INSTALLED, red = MISSING. The credential store (identity layer) is the headline: tau_sandbox blocks the obvious read (cat), but the credentials are still plaintext because tau_vault is absent.
flowchart TB
subgraph TAU["ACME CORP — tau DEPLOYMENT (partially hardened)"]
direction TB
PROV["PROVIDER LAYER<br/>tau_ai — model API streaming<br/>OpenAI / Anthropic / local"]:::neutral
LOOP["AGENT LOOP<br/>tau_agent/loop.py<br/>run_agent_loop → _execute_tool_calls"]:::neutral
TAINT["tau_taint — INSTALLED (B2)<br/>Extension Point 1: executor wrapping<br/>tags tool output as < untrusted ><br/>blocks high-impact calls when taint active<br/>STATUS: WORKING — indirect injection mitigated"]:::installed
TOOLS["TOOLS: read · write · edit · bash"]:::neutral
SANDBOX["tau_sandbox — INSTALLED (B7)<br/>Extension Point 2: bash factory replacement<br/>network egress DENIED (curl, wget, ssh...)<br/>credential-read denylist (cat credentials.json)<br/>STATUS: WORKING — but denylist is a REGEX (bypassable)"]:::installed
MEM["MEMORY / SESSIONS<br/>tau_coding/session.py<br/>~/.tau/sessions/ as JSONL<br/>_persist_messages_since appends UNFILTERED"]:::neutral
MEMGATE["B3 memory-write gate — MISSING<br/>no validation on session writes<br/>tainted tool results persist to JSONL<br/>on resume, poison re-enters context<br/>STATUS: UNDEFENDED — session poisoning"]:::missing
CRED["IDENTITY / CREDENTIALS<br/>~/.tau/credentials.json<br/>FileCredentialStore — PLAINTEXT JSON"]:::neutral
VAULT["tau_vault — MISSING (B5)<br/>Extension Point 3 NOT installed<br/>credentials remain plaintext on disk<br/>sandbox denylist blocks 'cat' but not interpreters<br/>STATUS: HEADLINE GAP — cred-exfil chain live"]:::headline
EVENTS["EVENT STREAM / OBSERVABILITY<br/>tau_agent/events.py<br/>harness.subscribe(listener)<br/>events fire for UI only — NO security listener"]:::neutral
INTENT["B8 session intent tracker — MISSING<br/>no listener subscribed<br/>zero-click chains go undetected<br/>compound trajectory invisible<br/>STATUS: UNDEFENDED — zero-click chain"]:::missing
end
PROV --> LOOP
LOOP --> TAINT
TAINT --> TOOLS
TOOLS --> SANDBOX
LOOP --> MEM
MEM --> MEMGATE
LOOP --> CRED
CRED --> VAULT
LOOP --> EVENTS
EVENTS --> INTENT
classDef neutral fill:#101018,stroke:#5a5a68,color:#9494a0
classDef installed fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
classDef missing fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef headline fill:#14141f,stroke:#f08080,stroke-width:2.5px,color:#f08080
Note: Two of three tau_plugins controls are installed. tau_taint (Extension Point 1) and tau_sandbox (Extension Point 2) are working — the scorecard shows indirect injection at 0% and tool_abuse at 0%. But tau_vault (Extension Point 3) is missing, leaving credentials in plaintext. The B3 memory gate and B8 intent tracker are not part of the tau_plugins pack — they are controls tau does not have, and their absence is the session-poisoning and zero-click findings. The sandbox denylist is a regex on the command string — it blocks
cat ~/.tau/credentials.jsonbut notpython3 -c "open(...).read()". That bypass is the credential-exfil chain's entry point.
Type: Multi-step attack sequence / kill chain
Purpose: The headline finding, made concrete. tau_vault is not installed. Credentials are plaintext at ~/.tau/credentials.json. tau_sandbox blocks cat ~/.tau/credentials.json via a regex denylist. The chain bypasses the denylist using an interpreter (python3), reads the plaintext credentials, and — because the sandbox cannot block the model from seeing the tool output — the credentials enter tau's context and the session JSONL. This is the finding that prescribes tau_vault as the remediation.
Reading the diagram: Left-to-right as the adversary's steps. Each step maps to a tau surface. The red blocks are the defender's gaps; the amber block (step 3) is the credentials entering the context — the moment the sandbox can no longer help. The closing control (tau_vault, B5) is marked at the bottom — its absence is the finding's root cause.
flowchart LR
S0["ATTACKER identifies the gap<br/>tau_vault NOT installed<br/>credentials.json is PLAINTEXT<br/>sandbox denylist = regex on command"]:::atk
S1["STEP 1 — recon the denylist<br/>sandbox blocks: cat/head/tail ... credentials.json<br/>regex: r'cat|head|tail|... \s+ .* path'<br/>base command extraction → 'cat' blocked"]:::step
S2["STEP 2 — the bypass<br/>command: python3 -c 'open(creds).read()'<br/>base command = 'python3' (not in denylist)<br/>regex does NOT match → command EXECUTES"]:::gap
S3["STEP 3 — credentials in context<br/>tool output contains the credential keys<br/>output enters tau's context window<br/>sandbox CANNOT block this — too late"]:::impact
S4["STEP 4 — persistence<br/>tainted tool result persists to session JSONL<br/>no B3 gate → stored unfiltered<br/>credentials now in ~/.tau/sessions/"]:::step
S5["STEP 5 — the leak channel<br/>if API model: creds in prompt sent to provider<br/>if file write: creds written to working dir<br/>direct exfil (curl) blocked, but data already read"]:::impact
S0 --> S1 --> S2 --> S3 --> S4 --> S5
CLOSURE["CLOSING CONTROL — tau_vault (B5)<br/>Extension Point 3: credential store replacement<br/>credentials stored in vault format (not plaintext)<br/>agent process CANNOT read them directly<br/>sandbox denylist becomes defense-in-depth, not the only gate<br/><b>ABSENT = the finding's root cause</b>"]:::closure
S5 -. remediated by .-> CLOSURE
classDef atk fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
classDef step fill:#101018,stroke:#5eead4,color:#e4e4e8
classDef gap fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef impact fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
classDef closure fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
Note: The chain succeeds because the sandbox denylist is a regex on the command string, not a filesystem-level access control. The denylist blocks
cat,head,tailfollowed by the credential path — butpython3 -c "..."has a base command ofpython3, which is not in the denylist. The credentials are read, enter the context, and persist to the session. The sandbox blocked the direct exfil channel (curl), but the credential values are already in the model's context — a channel the sandbox cannot close. The finding is not "the sandbox is bypassed" — the finding is "the credential vault is absent, and the sandbox's denylist is a partial mitigation, not a substitute for credential isolation at rest." The remediation is tau_vault.
Type: Flow / artifact mapping Purpose: How a confirmed finding (Phase 4, backed by real tau tool-call evidence) becomes a report entry (Phase 5). Each finding carries its measured rate, its minimum-proof evidence (real tool output, hashed where sensitive), its OWASP and Microsoft references, and its root cause (the missing control) into a structured report entry. The dual-use classification governs what is published vs. withheld per finding. The control matrix maps the finding to the INSTALLED/MISSING control and the plugin that builds it. Reading the diagram: Left = the confirmed finding's components (all backed by real tau evidence). Right = the report entry they populate. The amber block is the dual-use classification — the gate that decides recipe vs. technique per finding.
flowchart LR
subgraph FINDING["CONFIRMED FINDING (Phase 4 — real tau evidence)"]
direction TB
F1["measured success rate<br/>N/M + tau version + plugin config + model"]
F2["minimum-proof evidence<br/>command string · ok=True · hash of cred prefix<br/><b>NEVER the credential values</b>"]:::warn
F3["OWASP reference (ASI03/05/10)"]
F4["Microsoft taxonomy class<br/>(sandbox bypass · multi-step chain)"]
F5["root cause<br/>tau_vault MISSING (B5 absent)"]
F6["control state<br/>tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING (the gap)"]
end
subgraph REPORT["REPORT ENTRY (Phase 5)"]
direction TB
R1["Finding ID + title + severity"]
R2["OWASP + Microsoft refs"]
R3["attack procedure<br/>(the path, not the recipe)"]
R4["evidence (rate + min-proof)"]
R5["root cause + residual risk"]
R6["control matrix entry<br/>→ INSTALLED/MISSING → plugin/module"]
R7["roadmap item<br/>install tau_vault (Effort: S)"]
end
DUAL["DUAL-USE CLASSIFICATION (B0)<br/>Public: technique (denylist bypass class)<br/>Provider-Only: the exact bypass command<br/>Restricted: credential values (destroyed)<br/><b>decides recipe vs technique per finding</b>"]:::gate
F1 --> R4
F2 --> R4
F3 --> R2
F4 --> R2
F5 --> R5
F6 --> R6
F5 --> R7
FINDING -. passes through .-> DUAL
DUAL -. governs .-> R3
style FINDING fill:#0c0c14,stroke:#5eead4,color:#9494a0
style REPORT fill:#0c0c14,stroke:#82e0aa,color:#9494a0
classDef warn fill:#101018,stroke:#f08080,color:#e4e4e8
classDef gate fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
style F1 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F3 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F4 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F5 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F6 fill:#101018,stroke:#5eead4,color:#e4e4e8
style R1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R2 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R3 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R4 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R5 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R6 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R7 fill:#101018,stroke:#82e0aa,color:#e4e4e8
Note: Every component of a confirmed finding is backed by real tau tool-call evidence. The attack procedure describes the path — "an interpreter-based read bypasses the sandbox's reader-regex denylist because the base command is python3, not cat" — without the copy-paste-usable command (that is Provider-Only). The control matrix entry records both states: tau_sandbox INSTALLED (partial mitigation) and tau_vault MISSING (the gap). The roadmap item prescribes the specific plugin to install and the effort. A finding with no control-matrix entry is a finding with no remediation — not actionable.
Type: Decision flowchart Purpose: B0's central ethical problem — a credential-exfil bypass is both a finding (report) and a misuse recipe (suppress) — resolved per finding in Phase 5. The decision is made in the engagement RoE before testing, but applied per finding at report time. This is where AI red-teaming diverges from the traditional "publish everything" norm: pure-misuse content with no defensive lesson is withheld, and credential values are always Restricted (destroyed). Reading the diagram: A finding enters and the decision flow determines its publication class. The four B0 principles are the decision points. The bottom-right (WITHHOLD) is the divergence from traditional CVD. The credential-exfil finding's path is marked: the technique is published, the recipe is Provider-Only, the values are Restricted.
flowchart TB
FIND["A CONFIRMED FINDING<br/>e.g. credential-exfil via denylist bypass<br/>backed by real tau tool-call evidence"]:::entry
P0["0. Reported to provider first<br/>under NDA?"]:::det
FIND --> P0
P0 -->|"NO — stop, report first"| STOP["Report to provider.<br/>Do not proceed."]:::danger
P0 -->|"YES"| P1["1. Provider notified.<br/>Recipe shared under NDA."]:::det
P1 --> P2{"2. New technique or<br/>architectural insight?"}
P2 -->|"YES — denylist bypass class<br/>(interpreter reads)"| TECH["Publish the TECHNIQUE<br/>(not the recipe) after embargo<br/>≥180d model-level · 45-90d harness<br/>e.g. 'interpreter-based reads bypass<br/>reader-regex denylists'"]:::good
P2 -->|"NO"| P3{"3. Pure-misuse-enabling?<br/>(recipe, no defensive lesson)"}
P3 -->|"YES"| WITHHOLD["4. WITHHOLD publication<br/>Provider-Only disclosure<br/><b>diverges from publish-everything</b>"]:::danger
P3 -->|"NO"| EXIST["Publish EXISTENCE + SEVERITY<br/>+ measured rate after embargo<br/>recipe stays Provider-Only"]:::good
CRED["CREDENTIAL VALUES<br/>ALWAYS Restricted class<br/>destroy on report submission<br/>hash of prefix only, never the values<br/><b>non-negotiable regardless of path</b>"]:::cred
FIND -. credential values .-> CRED
classDef entry fill:#14141f,stroke:#5eead4,stroke-width:2px,color:#5eead4
classDef det fill:#101018,stroke:#5eead4,color:#e4e4e8
classDef good fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
classDef danger fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef cred fill:#101018,stroke:#f0a868,stroke-width:2px,color:#f0a868
style P2 fill:#101018,stroke:#5eead4,color:#e4e4e8
style P3 fill:#101018,stroke:#5eead4,color:#e4e4e8
style STOP fill:#101018,stroke:#f08080,color:#f08080
Note: The credential-exfil finding has a defensive lesson (the denylist-bypass class — interpreter reads bypass reader-regex denylists), so the technique is published after the embargo. The exact bypass command (the recipe) is Provider-Only. The credential values are ALWAYS Restricted — destroyed on report submission, captured only as a hash of the prefix. This is non-negotiable: retaining the credential values IS the harm the test was hired to prevent. The dual-use classification is applied per finding at report time, but the rules were set in the RoE before testing began.
Type: Document outline / hierarchy Purpose: The signature deliverable, made visible. The report is not a list of bugs — it is a structured assessment of Acme Corp's real tau deployment, with an executive summary, engagement metadata, findings (each structured, backed by real tool-call evidence), a control matrix (showing INSTALLED vs MISSING controls), a remediation roadmap (prescribing the specific tau_plugins to install and the B3/B8 controls to build), and a retest plan. Every section has a job; none is filler. A CISO reads the executive summary; the engineering team works from the control matrix and roadmap; the retest plan tells everyone how they will know the fixes worked. Reading the diagram: Top-to-bottom as the report's sections. The teal blocks are the structural sections; the amber block (findings) is where the confirmed findings land, each mapped through Diagram 4. The red marker on the control matrix is the INSTALLED/MISSING distinction.
flowchart TB
SEC1["1. EXECUTIVE SUMMARY<br/>one page · Acme tau deployment · window · methodology<br/>headline: cred-exfil via missing tau_vault · the one action<br/><i>written for a CISO who reads only this</i>"]:::struct
SEC2["2. ENGAGEMENT METADATA<br/>tau version · plugin config (taint+sandbox, no vault)<br/>SOW ref · provider auths · model versions<br/><i>the legal anchor</i>"]:::struct
SEC3["3. FINDINGS<br/>each: ID · severity · OWASP ref · Microsoft ref<br/>attack procedure · REAL evidence · root cause<br/>residual risk · dual-use class<br/><i>backed by real tool-call output</i>"]:::finding
SEC4["4. CONTROL MATRIX<br/>finding → control → state (INSTALLED/MISSING) → plugin/module<br/>tau_taint INSTALLED · tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING · B3 MISSING · B8 MISSING<br/><i>the bridge from findings to remediation</i>"]:::struct
SEC5["5. REMEDIATION ROADMAP<br/>1. install tau_vault (CRITICAL, S)<br/>2. add B3 memory gate (HIGH, M)<br/>3. add B8 intent tracker (HIGH, M)<br/>4. harden sandbox denylist (MEDIUM, S)"]:::struct
SEC6["6. RETEST PLAN<br/>battery vs FULLY-HARDENED tau (all 3 plugins + B3 + B8)<br/>per finding: original rate · patched version · threshold · timeline<br/><i>how Acme knows the fixes worked</i>"]:::struct
SEC7["APPENDICES<br/>methodology · scorecard battery config · raw rate data<br/>scope file reference · tau version pin"]:::appendix
SEC1 --> SEC2 --> SEC3 --> SEC4 --> SEC5 --> SEC6 --> SEC7
classDef struct fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef finding fill:#101018,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
classDef appendix fill:#101018,stroke:#9494a0,color:#9494a0
Note: The report's structure mirrors the engagement's logic against the real tau target. The executive summary names the headline (cred-exfil via missing tau_vault) and the one action (install the vault). The engagement metadata pins the tau version and plugin configuration — the legal anchor. The findings carry real tool-call evidence (the bash command that bypassed the denylist, the ok=True result, the hash of the credential prefix). The control matrix distinguishes INSTALLED controls (taint, sandbox) from MISSING ones (vault, B3, B8) — this is what makes the roadmap specific. The roadmap prescribes the exact tau_plugins to install and the B3/B8 controls to build, with effort estimates. The retest plan defines the measured future: the battery re-run against the fully-hardened tau, reporting before/after per finding.
# Diagrams — Capstone B2: Run a Full Agent Red-Team Engagement
**Module**: CAP-B2 — Run a Full Agent Red-Team Engagement
**Diagram count**: 6
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).
---
## Diagram 1 — The Six-Phase Engagement Flow Against Real tau
**Type**: Flowchain / methodology sequence
**Purpose**: The single most important visual in the capstone. A red-team engagement is not a fragment — it is the complete six-phase methodology from B12, executed in order, against a real tau deployment. Each phase produces a real artifact backed by real tool-call evidence. Skipping any phase voids the engagement's value: a finding without scope is inadmissible; a finding without reconnaissance is a guess; a finding without validation is an anecdote; a finding without a report is unsaid; a finding without a retest plan is binary "fixed" (the B0 anti-pattern). Each phase's output is the next phase's input.
**Reading the diagram**: Top-to-bottom as the sequence. Each phase has an input (what it consumes) and an output (what it produces — the deliverable). The teal flow is the forward path; the amber dashed line is the retest loop closing back from Phase 6 to the fully-hardened target.
```mermaid
flowchart TB
P1["PHASE 1 — SCOPING<br/>write the SOW + scope file<br/>B0 clauses: provider auth, dual-use,<br/>DMCA waiver, data handling<br/>target: real tau + partial plugins"]:::phase
P1OUT["→ signed SOW + validated scope file"]:::out
P2["PHASE 2 — RECONNAISSANCE<br/>map tau's 7 surfaces (B1/SDD-B11)<br/>build the CONTROL-GAP MAP<br/>what's IN: taint + sandbox<br/>what's MISSING: vault, B3, B8"]:::phase
P2OUT["→ control-gap map (the target as gaps)"]:::out
P3["PHASE 3 — VULNERABILITY DISCOVERY<br/>scorecard battery (measures the gaps)<br/>OWASP checklist (B9) + chains (B10)<br/>headline: cred-exfil via missing tau_vault"]:::phase
P3OUT["→ scorecard + checklist + 3 attack chains"]:::out
P4["PHASE 4 — EXPLOITATION & VALIDATION<br/>minimum-proof (B0) against REAL tau tools<br/>measured rates over N attempts<br/>hash of cred prefix, never the values"]:::phase
P4OUT["→ confirmed findings w/ real tool-call evidence"]:::out
P5["PHASE 5 — REPORTING<br/>the engagement report<br/>findings · control matrix · roadmap<br/>prescribes tau_vault, B3, B8"]:::phase
P5OUT["→ the signature deliverable"]:::out
P6["PHASE 6 — RETESTING<br/>define the retest plan<br/>battery vs FULLY-HARDENED tau<br/>before/after per finding"]:::phase
P6OUT["→ retest plan (measured future)"]:::out
P1 --> P1OUT --> P2
P2 --> P2OUT --> P3
P3 --> P3OUT --> P4
P4 --> P4OUT --> P5
P5 --> P5OUT --> P6
P6 --> P6OUT
RETEST["re-run battery vs<br/>FULLY-HARDENED tau<br/>(all 3 plugins + B3 + B8)<br/>report before/after rate"]:::retest
P6 -. closes the loop .-> RETEST
classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef out fill:#101018,stroke:#9494a0,color:#9494a0
classDef retest fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
```
> **Note**: The phases are ordered and non-skippable, and every artifact is backed by real tau tool calls. Phase 1's scope file names the specific tau version and plugin configuration. Phase 2's control-gap map is the input to Phase 3's battery — the battery reveals which classes are mitigated (indirect, tool_abuse) and which are live (memory_poison, sandbox_escape). Phase 4's evidence is real `bash` output, real session JSONL, real credential-file reachability. The dashed line from Phase 6 is the retest loop: the same battery, re-run against the fully-hardened tau (all three plugins plus B3 and B8), reporting the measured residual risk.
---
## Diagram 2 — The Partially-Hardened tau Deployment
**Type**: Architecture / control-state map
**Purpose**: The target, made visible. Acme Corp's tau deployment has tau_taint (B2) and tau_sandbox (B7) installed, but tau_vault (B5), the B3 memory gate, and the B8 intent tracker are MISSING. This is the realistic partial-hardening scenario — the most common production state. The diagram shows what is defended (teal) and what is missing (red), so the control-gap map is visible at a glance. The headline gap — plaintext credentials with no vault — is marked.
**Reading the diagram**: The tau architecture flows top-to-bottom: provider → loop → tools → memory → identity. Each layer shows its control state. Teal = INSTALLED, red = MISSING. The credential store (identity layer) is the headline: tau_sandbox blocks the obvious read (cat), but the credentials are still plaintext because tau_vault is absent.
```mermaid
flowchart TB
subgraph TAU["ACME CORP — tau DEPLOYMENT (partially hardened)"]
direction TB
PROV["PROVIDER LAYER<br/>tau_ai — model API streaming<br/>OpenAI / Anthropic / local"]:::neutral
LOOP["AGENT LOOP<br/>tau_agent/loop.py<br/>run_agent_loop → _execute_tool_calls"]:::neutral
TAINT["tau_taint — INSTALLED (B2)<br/>Extension Point 1: executor wrapping<br/>tags tool output as < untrusted ><br/>blocks high-impact calls when taint active<br/>STATUS: WORKING — indirect injection mitigated"]:::installed
TOOLS["TOOLS: read · write · edit · bash"]:::neutral
SANDBOX["tau_sandbox — INSTALLED (B7)<br/>Extension Point 2: bash factory replacement<br/>network egress DENIED (curl, wget, ssh...)<br/>credential-read denylist (cat credentials.json)<br/>STATUS: WORKING — but denylist is a REGEX (bypassable)"]:::installed
MEM["MEMORY / SESSIONS<br/>tau_coding/session.py<br/>~/.tau/sessions/ as JSONL<br/>_persist_messages_since appends UNFILTERED"]:::neutral
MEMGATE["B3 memory-write gate — MISSING<br/>no validation on session writes<br/>tainted tool results persist to JSONL<br/>on resume, poison re-enters context<br/>STATUS: UNDEFENDED — session poisoning"]:::missing
CRED["IDENTITY / CREDENTIALS<br/>~/.tau/credentials.json<br/>FileCredentialStore — PLAINTEXT JSON"]:::neutral
VAULT["tau_vault — MISSING (B5)<br/>Extension Point 3 NOT installed<br/>credentials remain plaintext on disk<br/>sandbox denylist blocks 'cat' but not interpreters<br/>STATUS: HEADLINE GAP — cred-exfil chain live"]:::headline
EVENTS["EVENT STREAM / OBSERVABILITY<br/>tau_agent/events.py<br/>harness.subscribe(listener)<br/>events fire for UI only — NO security listener"]:::neutral
INTENT["B8 session intent tracker — MISSING<br/>no listener subscribed<br/>zero-click chains go undetected<br/>compound trajectory invisible<br/>STATUS: UNDEFENDED — zero-click chain"]:::missing
end
PROV --> LOOP
LOOP --> TAINT
TAINT --> TOOLS
TOOLS --> SANDBOX
LOOP --> MEM
MEM --> MEMGATE
LOOP --> CRED
CRED --> VAULT
LOOP --> EVENTS
EVENTS --> INTENT
classDef neutral fill:#101018,stroke:#5a5a68,color:#9494a0
classDef installed fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
classDef missing fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef headline fill:#14141f,stroke:#f08080,stroke-width:2.5px,color:#f08080
```
> **Note**: Two of three tau_plugins controls are installed. tau_taint (Extension Point 1) and tau_sandbox (Extension Point 2) are working — the scorecard shows indirect injection at 0% and tool_abuse at 0%. But tau_vault (Extension Point 3) is missing, leaving credentials in plaintext. The B3 memory gate and B8 intent tracker are not part of the tau_plugins pack — they are controls tau does not have, and their absence is the session-poisoning and zero-click findings. The sandbox denylist is a regex on the command string — it blocks `cat ~/.tau/credentials.json` but not `python3 -c "open(...).read()"`. That bypass is the credential-exfil chain's entry point.
---
## Diagram 3 — The Credential-Exfil Attack Chain Against the Missing tau_vault
**Type**: Multi-step attack sequence / kill chain
**Purpose**: The headline finding, made concrete. tau_vault is not installed. Credentials are plaintext at `~/.tau/credentials.json`. tau_sandbox blocks `cat ~/.tau/credentials.json` via a regex denylist. The chain bypasses the denylist using an interpreter (python3), reads the plaintext credentials, and — because the sandbox cannot block the model from seeing the tool output — the credentials enter tau's context and the session JSONL. This is the finding that prescribes tau_vault as the remediation.
**Reading the diagram**: Left-to-right as the adversary's steps. Each step maps to a tau surface. The red blocks are the defender's gaps; the amber block (step 3) is the credentials entering the context — the moment the sandbox can no longer help. The closing control (tau_vault, B5) is marked at the bottom — its absence is the finding's root cause.
```mermaid
flowchart LR
S0["ATTACKER identifies the gap<br/>tau_vault NOT installed<br/>credentials.json is PLAINTEXT<br/>sandbox denylist = regex on command"]:::atk
S1["STEP 1 — recon the denylist<br/>sandbox blocks: cat/head/tail ... credentials.json<br/>regex: r'cat|head|tail|... \s+ .* path'<br/>base command extraction → 'cat' blocked"]:::step
S2["STEP 2 — the bypass<br/>command: python3 -c 'open(creds).read()'<br/>base command = 'python3' (not in denylist)<br/>regex does NOT match → command EXECUTES"]:::gap
S3["STEP 3 — credentials in context<br/>tool output contains the credential keys<br/>output enters tau's context window<br/>sandbox CANNOT block this — too late"]:::impact
S4["STEP 4 — persistence<br/>tainted tool result persists to session JSONL<br/>no B3 gate → stored unfiltered<br/>credentials now in ~/.tau/sessions/"]:::step
S5["STEP 5 — the leak channel<br/>if API model: creds in prompt sent to provider<br/>if file write: creds written to working dir<br/>direct exfil (curl) blocked, but data already read"]:::impact
S0 --> S1 --> S2 --> S3 --> S4 --> S5
CLOSURE["CLOSING CONTROL — tau_vault (B5)<br/>Extension Point 3: credential store replacement<br/>credentials stored in vault format (not plaintext)<br/>agent process CANNOT read them directly<br/>sandbox denylist becomes defense-in-depth, not the only gate<br/><b>ABSENT = the finding's root cause</b>"]:::closure
S5 -. remediated by .-> CLOSURE
classDef atk fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
classDef step fill:#101018,stroke:#5eead4,color:#e4e4e8
classDef gap fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef impact fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
classDef closure fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
```
> **Note**: The chain succeeds because the sandbox denylist is a regex on the command string, not a filesystem-level access control. The denylist blocks `cat`, `head`, `tail` followed by the credential path — but `python3 -c "..."` has a base command of `python3`, which is not in the denylist. The credentials are read, enter the context, and persist to the session. The sandbox blocked the direct exfil channel (curl), but the credential values are already in the model's context — a channel the sandbox cannot close. The finding is not "the sandbox is bypassed" — the finding is "the credential vault is absent, and the sandbox's denylist is a partial mitigation, not a substitute for credential isolation at rest." The remediation is tau_vault.
---
## Diagram 4 — Finding-to-Report Mapping
**Type**: Flow / artifact mapping
**Purpose**: How a confirmed finding (Phase 4, backed by real tau tool-call evidence) becomes a report entry (Phase 5). Each finding carries its measured rate, its minimum-proof evidence (real tool output, hashed where sensitive), its OWASP and Microsoft references, and its root cause (the missing control) into a structured report entry. The dual-use classification governs what is published vs. withheld per finding. The control matrix maps the finding to the INSTALLED/MISSING control and the plugin that builds it.
**Reading the diagram**: Left = the confirmed finding's components (all backed by real tau evidence). Right = the report entry they populate. The amber block is the dual-use classification — the gate that decides recipe vs. technique per finding.
```mermaid
flowchart LR
subgraph FINDING["CONFIRMED FINDING (Phase 4 — real tau evidence)"]
direction TB
F1["measured success rate<br/>N/M + tau version + plugin config + model"]
F2["minimum-proof evidence<br/>command string · ok=True · hash of cred prefix<br/><b>NEVER the credential values</b>"]:::warn
F3["OWASP reference (ASI03/05/10)"]
F4["Microsoft taxonomy class<br/>(sandbox bypass · multi-step chain)"]
F5["root cause<br/>tau_vault MISSING (B5 absent)"]
F6["control state<br/>tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING (the gap)"]
end
subgraph REPORT["REPORT ENTRY (Phase 5)"]
direction TB
R1["Finding ID + title + severity"]
R2["OWASP + Microsoft refs"]
R3["attack procedure<br/>(the path, not the recipe)"]
R4["evidence (rate + min-proof)"]
R5["root cause + residual risk"]
R6["control matrix entry<br/>→ INSTALLED/MISSING → plugin/module"]
R7["roadmap item<br/>install tau_vault (Effort: S)"]
end
DUAL["DUAL-USE CLASSIFICATION (B0)<br/>Public: technique (denylist bypass class)<br/>Provider-Only: the exact bypass command<br/>Restricted: credential values (destroyed)<br/><b>decides recipe vs technique per finding</b>"]:::gate
F1 --> R4
F2 --> R4
F3 --> R2
F4 --> R2
F5 --> R5
F6 --> R6
F5 --> R7
FINDING -. passes through .-> DUAL
DUAL -. governs .-> R3
style FINDING fill:#0c0c14,stroke:#5eead4,color:#9494a0
style REPORT fill:#0c0c14,stroke:#82e0aa,color:#9494a0
classDef warn fill:#101018,stroke:#f08080,color:#e4e4e8
classDef gate fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
style F1 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F3 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F4 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F5 fill:#101018,stroke:#5eead4,color:#e4e4e8
style F6 fill:#101018,stroke:#5eead4,color:#e4e4e8
style R1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R2 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R3 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R4 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R5 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R6 fill:#101018,stroke:#82e0aa,color:#e4e4e8
style R7 fill:#101018,stroke:#82e0aa,color:#e4e4e8
```
> **Note**: Every component of a confirmed finding is backed by real tau tool-call evidence. The attack procedure describes the path — "an interpreter-based read bypasses the sandbox's reader-regex denylist because the base command is python3, not cat" — without the copy-paste-usable command (that is Provider-Only). The control matrix entry records both states: tau_sandbox INSTALLED (partial mitigation) and tau_vault MISSING (the gap). The roadmap item prescribes the specific plugin to install and the effort. A finding with no control-matrix entry is a finding with no remediation — not actionable.
---
## Diagram 5 — The Dual-Use Disclosure Decision Per Finding
**Type**: Decision flowchart
**Purpose**: B0's central ethical problem — a credential-exfil bypass is both a finding (report) and a misuse recipe (suppress) — resolved per finding in Phase 5. The decision is made in the engagement RoE before testing, but applied per finding at report time. This is where AI red-teaming diverges from the traditional "publish everything" norm: pure-misuse content with no defensive lesson is withheld, and credential values are always Restricted (destroyed).
**Reading the diagram**: A finding enters and the decision flow determines its publication class. The four B0 principles are the decision points. The bottom-right (WITHHOLD) is the divergence from traditional CVD. The credential-exfil finding's path is marked: the technique is published, the recipe is Provider-Only, the values are Restricted.
```mermaid
flowchart TB
FIND["A CONFIRMED FINDING<br/>e.g. credential-exfil via denylist bypass<br/>backed by real tau tool-call evidence"]:::entry
P0["0. Reported to provider first<br/>under NDA?"]:::det
FIND --> P0
P0 -->|"NO — stop, report first"| STOP["Report to provider.<br/>Do not proceed."]:::danger
P0 -->|"YES"| P1["1. Provider notified.<br/>Recipe shared under NDA."]:::det
P1 --> P2{"2. New technique or<br/>architectural insight?"}
P2 -->|"YES — denylist bypass class<br/>(interpreter reads)"| TECH["Publish the TECHNIQUE<br/>(not the recipe) after embargo<br/>≥180d model-level · 45-90d harness<br/>e.g. 'interpreter-based reads bypass<br/>reader-regex denylists'"]:::good
P2 -->|"NO"| P3{"3. Pure-misuse-enabling?<br/>(recipe, no defensive lesson)"}
P3 -->|"YES"| WITHHOLD["4. WITHHOLD publication<br/>Provider-Only disclosure<br/><b>diverges from publish-everything</b>"]:::danger
P3 -->|"NO"| EXIST["Publish EXISTENCE + SEVERITY<br/>+ measured rate after embargo<br/>recipe stays Provider-Only"]:::good
CRED["CREDENTIAL VALUES<br/>ALWAYS Restricted class<br/>destroy on report submission<br/>hash of prefix only, never the values<br/><b>non-negotiable regardless of path</b>"]:::cred
FIND -. credential values .-> CRED
classDef entry fill:#14141f,stroke:#5eead4,stroke-width:2px,color:#5eead4
classDef det fill:#101018,stroke:#5eead4,color:#e4e4e8
classDef good fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
classDef danger fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef cred fill:#101018,stroke:#f0a868,stroke-width:2px,color:#f0a868
style P2 fill:#101018,stroke:#5eead4,color:#e4e4e8
style P3 fill:#101018,stroke:#5eead4,color:#e4e4e8
style STOP fill:#101018,stroke:#f08080,color:#f08080
```
> **Note**: The credential-exfil finding has a defensive lesson (the denylist-bypass class — interpreter reads bypass reader-regex denylists), so the technique is published after the embargo. The exact bypass command (the recipe) is Provider-Only. The credential values are ALWAYS Restricted — destroyed on report submission, captured only as a hash of the prefix. This is non-negotiable: retaining the credential values IS the harm the test was hired to prevent. The dual-use classification is applied per finding at report time, but the rules were set in the RoE before testing began.
---
## Diagram 6 — The Engagement Report Structure
**Type**: Document outline / hierarchy
**Purpose**: The signature deliverable, made visible. The report is not a list of bugs — it is a structured assessment of Acme Corp's real tau deployment, with an executive summary, engagement metadata, findings (each structured, backed by real tool-call evidence), a control matrix (showing INSTALLED vs MISSING controls), a remediation roadmap (prescribing the specific tau_plugins to install and the B3/B8 controls to build), and a retest plan. Every section has a job; none is filler. A CISO reads the executive summary; the engineering team works from the control matrix and roadmap; the retest plan tells everyone how they will know the fixes worked.
**Reading the diagram**: Top-to-bottom as the report's sections. The teal blocks are the structural sections; the amber block (findings) is where the confirmed findings land, each mapped through Diagram 4. The red marker on the control matrix is the INSTALLED/MISSING distinction.
```mermaid
flowchart TB
SEC1["1. EXECUTIVE SUMMARY<br/>one page · Acme tau deployment · window · methodology<br/>headline: cred-exfil via missing tau_vault · the one action<br/><i>written for a CISO who reads only this</i>"]:::struct
SEC2["2. ENGAGEMENT METADATA<br/>tau version · plugin config (taint+sandbox, no vault)<br/>SOW ref · provider auths · model versions<br/><i>the legal anchor</i>"]:::struct
SEC3["3. FINDINGS<br/>each: ID · severity · OWASP ref · Microsoft ref<br/>attack procedure · REAL evidence · root cause<br/>residual risk · dual-use class<br/><i>backed by real tool-call output</i>"]:::finding
SEC4["4. CONTROL MATRIX<br/>finding → control → state (INSTALLED/MISSING) → plugin/module<br/>tau_taint INSTALLED · tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING · B3 MISSING · B8 MISSING<br/><i>the bridge from findings to remediation</i>"]:::struct
SEC5["5. REMEDIATION ROADMAP<br/>1. install tau_vault (CRITICAL, S)<br/>2. add B3 memory gate (HIGH, M)<br/>3. add B8 intent tracker (HIGH, M)<br/>4. harden sandbox denylist (MEDIUM, S)"]:::struct
SEC6["6. RETEST PLAN<br/>battery vs FULLY-HARDENED tau (all 3 plugins + B3 + B8)<br/>per finding: original rate · patched version · threshold · timeline<br/><i>how Acme knows the fixes worked</i>"]:::struct
SEC7["APPENDICES<br/>methodology · scorecard battery config · raw rate data<br/>scope file reference · tau version pin"]:::appendix
SEC1 --> SEC2 --> SEC3 --> SEC4 --> SEC5 --> SEC6 --> SEC7
classDef struct fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef finding fill:#101018,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
classDef appendix fill:#101018,stroke:#9494a0,color:#9494a0
```
> **Note**: The report's structure mirrors the engagement's logic against the real tau target. The executive summary names the headline (cred-exfil via missing tau_vault) and the one action (install the vault). The engagement metadata pins the tau version and plugin configuration — the legal anchor. The findings carry real tool-call evidence (the bash command that bypassed the denylist, the ok=True result, the hash of the credential prefix). The control matrix distinguishes INSTALLED controls (taint, sandbox) from MISSING ones (vault, B3, B8) — this is what makes the roadmap specific. The roadmap prescribes the exact tau_plugins to install and the B3/B8 controls to build, with effort estimates. The retest plan defines the measured future: the battery re-run against the fully-hardened tau, reporting before/after per finding.