Diagrams — Capstone B2: Run a Full Agent Red-Team Engagement

Module: CAP-B2 — Run a Full Agent Red-Team Engagement Diagram count: 6 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.


Diagram 1 — The Six-Phase Engagement Flow Against Real tau

Type: Flowchain / methodology sequence Purpose: The single most important visual in the capstone. A red-team engagement is not a fragment — it is the complete six-phase methodology from B12, executed in order, against a real tau deployment. Each phase produces a real artifact backed by real tool-call evidence. Skipping any phase voids the engagement's value: a finding without scope is inadmissible; a finding without reconnaissance is a guess; a finding without validation is an anecdote; a finding without a report is unsaid; a finding without a retest plan is binary "fixed" (the B0 anti-pattern). Each phase's output is the next phase's input. Reading the diagram: Top-to-bottom as the sequence. Each phase has an input (what it consumes) and an output (what it produces — the deliverable). The teal flow is the forward path; the amber dashed line is the retest loop closing back from Phase 6 to the fully-hardened target.

flowchart TB
  P1["PHASE 1 — SCOPING<br/>write the SOW + scope file<br/>B0 clauses: provider auth, dual-use,<br/>DMCA waiver, data handling<br/>target: real tau + partial plugins"]:::phase
  P1OUT["→ signed SOW + validated scope file"]:::out

  P2["PHASE 2 — RECONNAISSANCE<br/>map tau's 7 surfaces (B1/SDD-B11)<br/>build the CONTROL-GAP MAP<br/>what's IN: taint + sandbox<br/>what's MISSING: vault, B3, B8"]:::phase
  P2OUT["→ control-gap map (the target as gaps)"]:::out

  P3["PHASE 3 — VULNERABILITY DISCOVERY<br/>scorecard battery (measures the gaps)<br/>OWASP checklist (B9) + chains (B10)<br/>headline: cred-exfil via missing tau_vault"]:::phase
  P3OUT["→ scorecard + checklist + 3 attack chains"]:::out

  P4["PHASE 4 — EXPLOITATION & VALIDATION<br/>minimum-proof (B0) against REAL tau tools<br/>measured rates over N attempts<br/>hash of cred prefix, never the values"]:::phase
  P4OUT["→ confirmed findings w/ real tool-call evidence"]:::out

  P5["PHASE 5 — REPORTING<br/>the engagement report<br/>findings · control matrix · roadmap<br/>prescribes tau_vault, B3, B8"]:::phase
  P5OUT["→ the signature deliverable"]:::out

  P6["PHASE 6 — RETESTING<br/>define the retest plan<br/>battery vs FULLY-HARDENED tau<br/>before/after per finding"]:::phase
  P6OUT["→ retest plan (measured future)"]:::out

  P1 --> P1OUT --> P2
  P2 --> P2OUT --> P3
  P3 --> P3OUT --> P4
  P4 --> P4OUT --> P5
  P5 --> P5OUT --> P6
  P6 --> P6OUT

  RETEST["re-run battery vs<br/>FULLY-HARDENED tau<br/>(all 3 plugins + B3 + B8)<br/>report before/after rate"]:::retest
  P6 -. closes the loop .-> RETEST

  classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef out fill:#101018,stroke:#9494a0,color:#9494a0
  classDef retest fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868

Note: The phases are ordered and non-skippable, and every artifact is backed by real tau tool calls. Phase 1's scope file names the specific tau version and plugin configuration. Phase 2's control-gap map is the input to Phase 3's battery — the battery reveals which classes are mitigated (indirect, tool_abuse) and which are live (memory_poison, sandbox_escape). Phase 4's evidence is real bash output, real session JSONL, real credential-file reachability. The dashed line from Phase 6 is the retest loop: the same battery, re-run against the fully-hardened tau (all three plugins plus B3 and B8), reporting the measured residual risk.


Diagram 2 — The Partially-Hardened tau Deployment

Type: Architecture / control-state map Purpose: The target, made visible. Acme Corp's tau deployment has tau_taint (B2) and tau_sandbox (B7) installed, but tau_vault (B5), the B3 memory gate, and the B8 intent tracker are MISSING. This is the realistic partial-hardening scenario — the most common production state. The diagram shows what is defended (teal) and what is missing (red), so the control-gap map is visible at a glance. The headline gap — plaintext credentials with no vault — is marked. Reading the diagram: The tau architecture flows top-to-bottom: provider → loop → tools → memory → identity. Each layer shows its control state. Teal = INSTALLED, red = MISSING. The credential store (identity layer) is the headline: tau_sandbox blocks the obvious read (cat), but the credentials are still plaintext because tau_vault is absent.

flowchart TB
  subgraph TAU["ACME CORP — tau DEPLOYMENT (partially hardened)"]
    direction TB

    PROV["PROVIDER LAYER<br/>tau_ai — model API streaming<br/>OpenAI / Anthropic / local"]:::neutral

    LOOP["AGENT LOOP<br/>tau_agent/loop.py<br/>run_agent_loop → _execute_tool_calls"]:::neutral

    TAINT["tau_taint — INSTALLED (B2)<br/>Extension Point 1: executor wrapping<br/>tags tool output as < untrusted ><br/>blocks high-impact calls when taint active<br/>STATUS: WORKING — indirect injection mitigated"]:::installed

    TOOLS["TOOLS: read · write · edit · bash"]:::neutral

    SANDBOX["tau_sandbox — INSTALLED (B7)<br/>Extension Point 2: bash factory replacement<br/>network egress DENIED (curl, wget, ssh...)<br/>credential-read denylist (cat credentials.json)<br/>STATUS: WORKING — but denylist is a REGEX (bypassable)"]:::installed

    MEM["MEMORY / SESSIONS<br/>tau_coding/session.py<br/>~/.tau/sessions/ as JSONL<br/>_persist_messages_since appends UNFILTERED"]:::neutral

    MEMGATE["B3 memory-write gate — MISSING<br/>no validation on session writes<br/>tainted tool results persist to JSONL<br/>on resume, poison re-enters context<br/>STATUS: UNDEFENDED — session poisoning"]:::missing

    CRED["IDENTITY / CREDENTIALS<br/>~/.tau/credentials.json<br/>FileCredentialStore — PLAINTEXT JSON"]:::neutral

    VAULT["tau_vault — MISSING (B5)<br/>Extension Point 3 NOT installed<br/>credentials remain plaintext on disk<br/>sandbox denylist blocks 'cat' but not interpreters<br/>STATUS: HEADLINE GAP — cred-exfil chain live"]:::headline

    EVENTS["EVENT STREAM / OBSERVABILITY<br/>tau_agent/events.py<br/>harness.subscribe(listener)<br/>events fire for UI only — NO security listener"]:::neutral

    INTENT["B8 session intent tracker — MISSING<br/>no listener subscribed<br/>zero-click chains go undetected<br/>compound trajectory invisible<br/>STATUS: UNDEFENDED — zero-click chain"]:::missing
  end

  PROV --> LOOP
  LOOP --> TAINT
  TAINT --> TOOLS
  TOOLS --> SANDBOX
  LOOP --> MEM
  MEM --> MEMGATE
  LOOP --> CRED
  CRED --> VAULT
  LOOP --> EVENTS
  EVENTS --> INTENT

  classDef neutral fill:#101018,stroke:#5a5a68,color:#9494a0
  classDef installed fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
  classDef missing fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef headline fill:#14141f,stroke:#f08080,stroke-width:2.5px,color:#f08080

Note: Two of three tau_plugins controls are installed. tau_taint (Extension Point 1) and tau_sandbox (Extension Point 2) are working — the scorecard shows indirect injection at 0% and tool_abuse at 0%. But tau_vault (Extension Point 3) is missing, leaving credentials in plaintext. The B3 memory gate and B8 intent tracker are not part of the tau_plugins pack — they are controls tau does not have, and their absence is the session-poisoning and zero-click findings. The sandbox denylist is a regex on the command string — it blocks cat ~/.tau/credentials.json but not python3 -c "open(...).read()". That bypass is the credential-exfil chain's entry point.


Diagram 3 — The Credential-Exfil Attack Chain Against the Missing tau_vault

Type: Multi-step attack sequence / kill chain Purpose: The headline finding, made concrete. tau_vault is not installed. Credentials are plaintext at ~/.tau/credentials.json. tau_sandbox blocks cat ~/.tau/credentials.json via a regex denylist. The chain bypasses the denylist using an interpreter (python3), reads the plaintext credentials, and — because the sandbox cannot block the model from seeing the tool output — the credentials enter tau's context and the session JSONL. This is the finding that prescribes tau_vault as the remediation. Reading the diagram: Left-to-right as the adversary's steps. Each step maps to a tau surface. The red blocks are the defender's gaps; the amber block (step 3) is the credentials entering the context — the moment the sandbox can no longer help. The closing control (tau_vault, B5) is marked at the bottom — its absence is the finding's root cause.

flowchart LR
  S0["ATTACKER identifies the gap<br/>tau_vault NOT installed<br/>credentials.json is PLAINTEXT<br/>sandbox denylist = regex on command"]:::atk
  S1["STEP 1 — recon the denylist<br/>sandbox blocks: cat/head/tail ... credentials.json<br/>regex: r'cat|head|tail|... \s+ .* path'<br/>base command extraction → 'cat' blocked"]:::step
  S2["STEP 2 — the bypass<br/>command: python3 -c 'open(creds).read()'<br/>base command = 'python3' (not in denylist)<br/>regex does NOT match → command EXECUTES"]:::gap
  S3["STEP 3 — credentials in context<br/>tool output contains the credential keys<br/>output enters tau's context window<br/>sandbox CANNOT block this — too late"]:::impact
  S4["STEP 4 — persistence<br/>tainted tool result persists to session JSONL<br/>no B3 gate → stored unfiltered<br/>credentials now in ~/.tau/sessions/"]:::step
  S5["STEP 5 — the leak channel<br/>if API model: creds in prompt sent to provider<br/>if file write: creds written to working dir<br/>direct exfil (curl) blocked, but data already read"]:::impact

  S0 --> S1 --> S2 --> S3 --> S4 --> S5

  CLOSURE["CLOSING CONTROL — tau_vault (B5)<br/>Extension Point 3: credential store replacement<br/>credentials stored in vault format (not plaintext)<br/>agent process CANNOT read them directly<br/>sandbox denylist becomes defense-in-depth, not the only gate<br/><b>ABSENT = the finding's root cause</b>"]:::closure
  S5 -. remediated by .-> CLOSURE

  classDef atk fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
  classDef step fill:#101018,stroke:#5eead4,color:#e4e4e8
  classDef gap fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef impact fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
  classDef closure fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa

Note: The chain succeeds because the sandbox denylist is a regex on the command string, not a filesystem-level access control. The denylist blocks cat, head, tail followed by the credential path — but python3 -c "..." has a base command of python3, which is not in the denylist. The credentials are read, enter the context, and persist to the session. The sandbox blocked the direct exfil channel (curl), but the credential values are already in the model's context — a channel the sandbox cannot close. The finding is not "the sandbox is bypassed" — the finding is "the credential vault is absent, and the sandbox's denylist is a partial mitigation, not a substitute for credential isolation at rest." The remediation is tau_vault.


Diagram 4 — Finding-to-Report Mapping

Type: Flow / artifact mapping Purpose: How a confirmed finding (Phase 4, backed by real tau tool-call evidence) becomes a report entry (Phase 5). Each finding carries its measured rate, its minimum-proof evidence (real tool output, hashed where sensitive), its OWASP and Microsoft references, and its root cause (the missing control) into a structured report entry. The dual-use classification governs what is published vs. withheld per finding. The control matrix maps the finding to the INSTALLED/MISSING control and the plugin that builds it. Reading the diagram: Left = the confirmed finding's components (all backed by real tau evidence). Right = the report entry they populate. The amber block is the dual-use classification — the gate that decides recipe vs. technique per finding.

flowchart LR
  subgraph FINDING["CONFIRMED FINDING (Phase 4 — real tau evidence)"]
    direction TB
    F1["measured success rate<br/>N/M + tau version + plugin config + model"]
    F2["minimum-proof evidence<br/>command string · ok=True · hash of cred prefix<br/><b>NEVER the credential values</b>"]:::warn
    F3["OWASP reference (ASI03/05/10)"]
    F4["Microsoft taxonomy class<br/>(sandbox bypass · multi-step chain)"]
    F5["root cause<br/>tau_vault MISSING (B5 absent)"]
    F6["control state<br/>tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING (the gap)"]
  end

  subgraph REPORT["REPORT ENTRY (Phase 5)"]
    direction TB
    R1["Finding ID + title + severity"]
    R2["OWASP + Microsoft refs"]
    R3["attack procedure<br/>(the path, not the recipe)"]
    R4["evidence (rate + min-proof)"]
    R5["root cause + residual risk"]
    R6["control matrix entry<br/>→ INSTALLED/MISSING → plugin/module"]
    R7["roadmap item<br/>install tau_vault (Effort: S)"]
  end

  DUAL["DUAL-USE CLASSIFICATION (B0)<br/>Public: technique (denylist bypass class)<br/>Provider-Only: the exact bypass command<br/>Restricted: credential values (destroyed)<br/><b>decides recipe vs technique per finding</b>"]:::gate

  F1 --> R4
  F2 --> R4
  F3 --> R2
  F4 --> R2
  F5 --> R5
  F6 --> R6
  F5 --> R7
  FINDING -. passes through .-> DUAL
  DUAL -. governs .-> R3

  style FINDING fill:#0c0c14,stroke:#5eead4,color:#9494a0
  style REPORT fill:#0c0c14,stroke:#82e0aa,color:#9494a0
  classDef warn fill:#101018,stroke:#f08080,color:#e4e4e8
  classDef gate fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
  style F1 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F3 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F4 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F5 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F6 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style R1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R2 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R3 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R4 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R5 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R6 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R7 fill:#101018,stroke:#82e0aa,color:#e4e4e8

Note: Every component of a confirmed finding is backed by real tau tool-call evidence. The attack procedure describes the path — "an interpreter-based read bypasses the sandbox's reader-regex denylist because the base command is python3, not cat" — without the copy-paste-usable command (that is Provider-Only). The control matrix entry records both states: tau_sandbox INSTALLED (partial mitigation) and tau_vault MISSING (the gap). The roadmap item prescribes the specific plugin to install and the effort. A finding with no control-matrix entry is a finding with no remediation — not actionable.


Diagram 5 — The Dual-Use Disclosure Decision Per Finding

Type: Decision flowchart Purpose: B0's central ethical problem — a credential-exfil bypass is both a finding (report) and a misuse recipe (suppress) — resolved per finding in Phase 5. The decision is made in the engagement RoE before testing, but applied per finding at report time. This is where AI red-teaming diverges from the traditional "publish everything" norm: pure-misuse content with no defensive lesson is withheld, and credential values are always Restricted (destroyed). Reading the diagram: A finding enters and the decision flow determines its publication class. The four B0 principles are the decision points. The bottom-right (WITHHOLD) is the divergence from traditional CVD. The credential-exfil finding's path is marked: the technique is published, the recipe is Provider-Only, the values are Restricted.

flowchart TB
  FIND["A CONFIRMED FINDING<br/>e.g. credential-exfil via denylist bypass<br/>backed by real tau tool-call evidence"]:::entry
  P0["0. Reported to provider first<br/>under NDA?"]:::det
  FIND --> P0
  P0 -->|"NO — stop, report first"| STOP["Report to provider.<br/>Do not proceed."]:::danger
  P0 -->|"YES"| P1["1. Provider notified.<br/>Recipe shared under NDA."]:::det

  P1 --> P2{"2. New technique or<br/>architectural insight?"}
  P2 -->|"YES — denylist bypass class<br/>(interpreter reads)"| TECH["Publish the TECHNIQUE<br/>(not the recipe) after embargo<br/>≥180d model-level · 45-90d harness<br/>e.g. 'interpreter-based reads bypass<br/>reader-regex denylists'"]:::good
  P2 -->|"NO"| P3{"3. Pure-misuse-enabling?<br/>(recipe, no defensive lesson)"}

  P3 -->|"YES"| WITHHOLD["4. WITHHOLD publication<br/>Provider-Only disclosure<br/><b>diverges from publish-everything</b>"]:::danger
  P3 -->|"NO"| EXIST["Publish EXISTENCE + SEVERITY<br/>+ measured rate after embargo<br/>recipe stays Provider-Only"]:::good

  CRED["CREDENTIAL VALUES<br/>ALWAYS Restricted class<br/>destroy on report submission<br/>hash of prefix only, never the values<br/><b>non-negotiable regardless of path</b>"]:::cred
  FIND -. credential values .-> CRED

  classDef entry fill:#14141f,stroke:#5eead4,stroke-width:2px,color:#5eead4
  classDef det fill:#101018,stroke:#5eead4,color:#e4e4e8
  classDef good fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
  classDef danger fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef cred fill:#101018,stroke:#f0a868,stroke-width:2px,color:#f0a868
  style P2 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style P3 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style STOP fill:#101018,stroke:#f08080,color:#f08080

Note: The credential-exfil finding has a defensive lesson (the denylist-bypass class — interpreter reads bypass reader-regex denylists), so the technique is published after the embargo. The exact bypass command (the recipe) is Provider-Only. The credential values are ALWAYS Restricted — destroyed on report submission, captured only as a hash of the prefix. This is non-negotiable: retaining the credential values IS the harm the test was hired to prevent. The dual-use classification is applied per finding at report time, but the rules were set in the RoE before testing began.


Diagram 6 — The Engagement Report Structure

Type: Document outline / hierarchy Purpose: The signature deliverable, made visible. The report is not a list of bugs — it is a structured assessment of Acme Corp's real tau deployment, with an executive summary, engagement metadata, findings (each structured, backed by real tool-call evidence), a control matrix (showing INSTALLED vs MISSING controls), a remediation roadmap (prescribing the specific tau_plugins to install and the B3/B8 controls to build), and a retest plan. Every section has a job; none is filler. A CISO reads the executive summary; the engineering team works from the control matrix and roadmap; the retest plan tells everyone how they will know the fixes worked. Reading the diagram: Top-to-bottom as the report's sections. The teal blocks are the structural sections; the amber block (findings) is where the confirmed findings land, each mapped through Diagram 4. The red marker on the control matrix is the INSTALLED/MISSING distinction.

flowchart TB
  SEC1["1. EXECUTIVE SUMMARY<br/>one page · Acme tau deployment · window · methodology<br/>headline: cred-exfil via missing tau_vault · the one action<br/><i>written for a CISO who reads only this</i>"]:::struct
  SEC2["2. ENGAGEMENT METADATA<br/>tau version · plugin config (taint+sandbox, no vault)<br/>SOW ref · provider auths · model versions<br/><i>the legal anchor</i>"]:::struct
  SEC3["3. FINDINGS<br/>each: ID · severity · OWASP ref · Microsoft ref<br/>attack procedure · REAL evidence · root cause<br/>residual risk · dual-use class<br/><i>backed by real tool-call output</i>"]:::finding
  SEC4["4. CONTROL MATRIX<br/>finding → control → state (INSTALLED/MISSING) → plugin/module<br/>tau_taint INSTALLED · tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING · B3 MISSING · B8 MISSING<br/><i>the bridge from findings to remediation</i>"]:::struct
  SEC5["5. REMEDIATION ROADMAP<br/>1. install tau_vault (CRITICAL, S)<br/>2. add B3 memory gate (HIGH, M)<br/>3. add B8 intent tracker (HIGH, M)<br/>4. harden sandbox denylist (MEDIUM, S)"]:::struct
  SEC6["6. RETEST PLAN<br/>battery vs FULLY-HARDENED tau (all 3 plugins + B3 + B8)<br/>per finding: original rate · patched version · threshold · timeline<br/><i>how Acme knows the fixes worked</i>"]:::struct
  SEC7["APPENDICES<br/>methodology · scorecard battery config · raw rate data<br/>scope file reference · tau version pin"]:::appendix

  SEC1 --> SEC2 --> SEC3 --> SEC4 --> SEC5 --> SEC6 --> SEC7

  classDef struct fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef finding fill:#101018,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  classDef appendix fill:#101018,stroke:#9494a0,color:#9494a0

Note: The report's structure mirrors the engagement's logic against the real tau target. The executive summary names the headline (cred-exfil via missing tau_vault) and the one action (install the vault). The engagement metadata pins the tau version and plugin configuration — the legal anchor. The findings carry real tool-call evidence (the bash command that bypassed the denylist, the ok=True result, the hash of the credential prefix). The control matrix distinguishes INSTALLED controls (taint, sandbox) from MISSING ones (vault, B3, B8) — this is what makes the roadmap specific. The roadmap prescribes the exact tau_plugins to install and the B3/B8 controls to build, with effort estimates. The retest plan defines the measured future: the battery re-run against the fully-hardened tau, reporting before/after per finding.

# Diagrams — Capstone B2: Run a Full Agent Red-Team Engagement

**Module**: CAP-B2 — Run a Full Agent Red-Team Engagement
**Diagram count**: 6
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).

---

## Diagram 1 — The Six-Phase Engagement Flow Against Real tau

**Type**: Flowchain / methodology sequence
**Purpose**: The single most important visual in the capstone. A red-team engagement is not a fragment — it is the complete six-phase methodology from B12, executed in order, against a real tau deployment. Each phase produces a real artifact backed by real tool-call evidence. Skipping any phase voids the engagement's value: a finding without scope is inadmissible; a finding without reconnaissance is a guess; a finding without validation is an anecdote; a finding without a report is unsaid; a finding without a retest plan is binary "fixed" (the B0 anti-pattern). Each phase's output is the next phase's input.
**Reading the diagram**: Top-to-bottom as the sequence. Each phase has an input (what it consumes) and an output (what it produces — the deliverable). The teal flow is the forward path; the amber dashed line is the retest loop closing back from Phase 6 to the fully-hardened target.

```mermaid
flowchart TB
  P1["PHASE 1 — SCOPING<br/>write the SOW + scope file<br/>B0 clauses: provider auth, dual-use,<br/>DMCA waiver, data handling<br/>target: real tau + partial plugins"]:::phase
  P1OUT["→ signed SOW + validated scope file"]:::out

  P2["PHASE 2 — RECONNAISSANCE<br/>map tau's 7 surfaces (B1/SDD-B11)<br/>build the CONTROL-GAP MAP<br/>what's IN: taint + sandbox<br/>what's MISSING: vault, B3, B8"]:::phase
  P2OUT["→ control-gap map (the target as gaps)"]:::out

  P3["PHASE 3 — VULNERABILITY DISCOVERY<br/>scorecard battery (measures the gaps)<br/>OWASP checklist (B9) + chains (B10)<br/>headline: cred-exfil via missing tau_vault"]:::phase
  P3OUT["→ scorecard + checklist + 3 attack chains"]:::out

  P4["PHASE 4 — EXPLOITATION & VALIDATION<br/>minimum-proof (B0) against REAL tau tools<br/>measured rates over N attempts<br/>hash of cred prefix, never the values"]:::phase
  P4OUT["→ confirmed findings w/ real tool-call evidence"]:::out

  P5["PHASE 5 — REPORTING<br/>the engagement report<br/>findings · control matrix · roadmap<br/>prescribes tau_vault, B3, B8"]:::phase
  P5OUT["→ the signature deliverable"]:::out

  P6["PHASE 6 — RETESTING<br/>define the retest plan<br/>battery vs FULLY-HARDENED tau<br/>before/after per finding"]:::phase
  P6OUT["→ retest plan (measured future)"]:::out

  P1 --> P1OUT --> P2
  P2 --> P2OUT --> P3
  P3 --> P3OUT --> P4
  P4 --> P4OUT --> P5
  P5 --> P5OUT --> P6
  P6 --> P6OUT

  RETEST["re-run battery vs<br/>FULLY-HARDENED tau<br/>(all 3 plugins + B3 + B8)<br/>report before/after rate"]:::retest
  P6 -. closes the loop .-> RETEST

  classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef out fill:#101018,stroke:#9494a0,color:#9494a0
  classDef retest fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
```

> **Note**: The phases are ordered and non-skippable, and every artifact is backed by real tau tool calls. Phase 1's scope file names the specific tau version and plugin configuration. Phase 2's control-gap map is the input to Phase 3's battery — the battery reveals which classes are mitigated (indirect, tool_abuse) and which are live (memory_poison, sandbox_escape). Phase 4's evidence is real `bash` output, real session JSONL, real credential-file reachability. The dashed line from Phase 6 is the retest loop: the same battery, re-run against the fully-hardened tau (all three plugins plus B3 and B8), reporting the measured residual risk.

---

## Diagram 2 — The Partially-Hardened tau Deployment

**Type**: Architecture / control-state map
**Purpose**: The target, made visible. Acme Corp's tau deployment has tau_taint (B2) and tau_sandbox (B7) installed, but tau_vault (B5), the B3 memory gate, and the B8 intent tracker are MISSING. This is the realistic partial-hardening scenario — the most common production state. The diagram shows what is defended (teal) and what is missing (red), so the control-gap map is visible at a glance. The headline gap — plaintext credentials with no vault — is marked.
**Reading the diagram**: The tau architecture flows top-to-bottom: provider → loop → tools → memory → identity. Each layer shows its control state. Teal = INSTALLED, red = MISSING. The credential store (identity layer) is the headline: tau_sandbox blocks the obvious read (cat), but the credentials are still plaintext because tau_vault is absent.

```mermaid
flowchart TB
  subgraph TAU["ACME CORP — tau DEPLOYMENT (partially hardened)"]
    direction TB

    PROV["PROVIDER LAYER<br/>tau_ai — model API streaming<br/>OpenAI / Anthropic / local"]:::neutral

    LOOP["AGENT LOOP<br/>tau_agent/loop.py<br/>run_agent_loop → _execute_tool_calls"]:::neutral

    TAINT["tau_taint — INSTALLED (B2)<br/>Extension Point 1: executor wrapping<br/>tags tool output as < untrusted ><br/>blocks high-impact calls when taint active<br/>STATUS: WORKING — indirect injection mitigated"]:::installed

    TOOLS["TOOLS: read · write · edit · bash"]:::neutral

    SANDBOX["tau_sandbox — INSTALLED (B7)<br/>Extension Point 2: bash factory replacement<br/>network egress DENIED (curl, wget, ssh...)<br/>credential-read denylist (cat credentials.json)<br/>STATUS: WORKING — but denylist is a REGEX (bypassable)"]:::installed

    MEM["MEMORY / SESSIONS<br/>tau_coding/session.py<br/>~/.tau/sessions/ as JSONL<br/>_persist_messages_since appends UNFILTERED"]:::neutral

    MEMGATE["B3 memory-write gate — MISSING<br/>no validation on session writes<br/>tainted tool results persist to JSONL<br/>on resume, poison re-enters context<br/>STATUS: UNDEFENDED — session poisoning"]:::missing

    CRED["IDENTITY / CREDENTIALS<br/>~/.tau/credentials.json<br/>FileCredentialStore — PLAINTEXT JSON"]:::neutral

    VAULT["tau_vault — MISSING (B5)<br/>Extension Point 3 NOT installed<br/>credentials remain plaintext on disk<br/>sandbox denylist blocks 'cat' but not interpreters<br/>STATUS: HEADLINE GAP — cred-exfil chain live"]:::headline

    EVENTS["EVENT STREAM / OBSERVABILITY<br/>tau_agent/events.py<br/>harness.subscribe(listener)<br/>events fire for UI only — NO security listener"]:::neutral

    INTENT["B8 session intent tracker — MISSING<br/>no listener subscribed<br/>zero-click chains go undetected<br/>compound trajectory invisible<br/>STATUS: UNDEFENDED — zero-click chain"]:::missing
  end

  PROV --> LOOP
  LOOP --> TAINT
  TAINT --> TOOLS
  TOOLS --> SANDBOX
  LOOP --> MEM
  MEM --> MEMGATE
  LOOP --> CRED
  CRED --> VAULT
  LOOP --> EVENTS
  EVENTS --> INTENT

  classDef neutral fill:#101018,stroke:#5a5a68,color:#9494a0
  classDef installed fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
  classDef missing fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef headline fill:#14141f,stroke:#f08080,stroke-width:2.5px,color:#f08080
```

> **Note**: Two of three tau_plugins controls are installed. tau_taint (Extension Point 1) and tau_sandbox (Extension Point 2) are working — the scorecard shows indirect injection at 0% and tool_abuse at 0%. But tau_vault (Extension Point 3) is missing, leaving credentials in plaintext. The B3 memory gate and B8 intent tracker are not part of the tau_plugins pack — they are controls tau does not have, and their absence is the session-poisoning and zero-click findings. The sandbox denylist is a regex on the command string — it blocks `cat ~/.tau/credentials.json` but not `python3 -c "open(...).read()"`. That bypass is the credential-exfil chain's entry point.

---

## Diagram 3 — The Credential-Exfil Attack Chain Against the Missing tau_vault

**Type**: Multi-step attack sequence / kill chain
**Purpose**: The headline finding, made concrete. tau_vault is not installed. Credentials are plaintext at `~/.tau/credentials.json`. tau_sandbox blocks `cat ~/.tau/credentials.json` via a regex denylist. The chain bypasses the denylist using an interpreter (python3), reads the plaintext credentials, and — because the sandbox cannot block the model from seeing the tool output — the credentials enter tau's context and the session JSONL. This is the finding that prescribes tau_vault as the remediation.
**Reading the diagram**: Left-to-right as the adversary's steps. Each step maps to a tau surface. The red blocks are the defender's gaps; the amber block (step 3) is the credentials entering the context — the moment the sandbox can no longer help. The closing control (tau_vault, B5) is marked at the bottom — its absence is the finding's root cause.

```mermaid
flowchart LR
  S0["ATTACKER identifies the gap<br/>tau_vault NOT installed<br/>credentials.json is PLAINTEXT<br/>sandbox denylist = regex on command"]:::atk
  S1["STEP 1 — recon the denylist<br/>sandbox blocks: cat/head/tail ... credentials.json<br/>regex: r'cat|head|tail|... \s+ .* path'<br/>base command extraction → 'cat' blocked"]:::step
  S2["STEP 2 — the bypass<br/>command: python3 -c 'open(creds).read()'<br/>base command = 'python3' (not in denylist)<br/>regex does NOT match → command EXECUTES"]:::gap
  S3["STEP 3 — credentials in context<br/>tool output contains the credential keys<br/>output enters tau's context window<br/>sandbox CANNOT block this — too late"]:::impact
  S4["STEP 4 — persistence<br/>tainted tool result persists to session JSONL<br/>no B3 gate → stored unfiltered<br/>credentials now in ~/.tau/sessions/"]:::step
  S5["STEP 5 — the leak channel<br/>if API model: creds in prompt sent to provider<br/>if file write: creds written to working dir<br/>direct exfil (curl) blocked, but data already read"]:::impact

  S0 --> S1 --> S2 --> S3 --> S4 --> S5

  CLOSURE["CLOSING CONTROL — tau_vault (B5)<br/>Extension Point 3: credential store replacement<br/>credentials stored in vault format (not plaintext)<br/>agent process CANNOT read them directly<br/>sandbox denylist becomes defense-in-depth, not the only gate<br/><b>ABSENT = the finding's root cause</b>"]:::closure
  S5 -. remediated by .-> CLOSURE

  classDef atk fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
  classDef step fill:#101018,stroke:#5eead4,color:#e4e4e8
  classDef gap fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef impact fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
  classDef closure fill:#14141f,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
```

> **Note**: The chain succeeds because the sandbox denylist is a regex on the command string, not a filesystem-level access control. The denylist blocks `cat`, `head`, `tail` followed by the credential path — but `python3 -c "..."` has a base command of `python3`, which is not in the denylist. The credentials are read, enter the context, and persist to the session. The sandbox blocked the direct exfil channel (curl), but the credential values are already in the model's context — a channel the sandbox cannot close. The finding is not "the sandbox is bypassed" — the finding is "the credential vault is absent, and the sandbox's denylist is a partial mitigation, not a substitute for credential isolation at rest." The remediation is tau_vault.

---

## Diagram 4 — Finding-to-Report Mapping

**Type**: Flow / artifact mapping
**Purpose**: How a confirmed finding (Phase 4, backed by real tau tool-call evidence) becomes a report entry (Phase 5). Each finding carries its measured rate, its minimum-proof evidence (real tool output, hashed where sensitive), its OWASP and Microsoft references, and its root cause (the missing control) into a structured report entry. The dual-use classification governs what is published vs. withheld per finding. The control matrix maps the finding to the INSTALLED/MISSING control and the plugin that builds it.
**Reading the diagram**: Left = the confirmed finding's components (all backed by real tau evidence). Right = the report entry they populate. The amber block is the dual-use classification — the gate that decides recipe vs. technique per finding.

```mermaid
flowchart LR
  subgraph FINDING["CONFIRMED FINDING (Phase 4 — real tau evidence)"]
    direction TB
    F1["measured success rate<br/>N/M + tau version + plugin config + model"]
    F2["minimum-proof evidence<br/>command string · ok=True · hash of cred prefix<br/><b>NEVER the credential values</b>"]:::warn
    F3["OWASP reference (ASI03/05/10)"]
    F4["Microsoft taxonomy class<br/>(sandbox bypass · multi-step chain)"]
    F5["root cause<br/>tau_vault MISSING (B5 absent)"]
    F6["control state<br/>tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING (the gap)"]
  end

  subgraph REPORT["REPORT ENTRY (Phase 5)"]
    direction TB
    R1["Finding ID + title + severity"]
    R2["OWASP + Microsoft refs"]
    R3["attack procedure<br/>(the path, not the recipe)"]
    R4["evidence (rate + min-proof)"]
    R5["root cause + residual risk"]
    R6["control matrix entry<br/>→ INSTALLED/MISSING → plugin/module"]
    R7["roadmap item<br/>install tau_vault (Effort: S)"]
  end

  DUAL["DUAL-USE CLASSIFICATION (B0)<br/>Public: technique (denylist bypass class)<br/>Provider-Only: the exact bypass command<br/>Restricted: credential values (destroyed)<br/><b>decides recipe vs technique per finding</b>"]:::gate

  F1 --> R4
  F2 --> R4
  F3 --> R2
  F4 --> R2
  F5 --> R5
  F6 --> R6
  F5 --> R7
  FINDING -. passes through .-> DUAL
  DUAL -. governs .-> R3

  style FINDING fill:#0c0c14,stroke:#5eead4,color:#9494a0
  style REPORT fill:#0c0c14,stroke:#82e0aa,color:#9494a0
  classDef warn fill:#101018,stroke:#f08080,color:#e4e4e8
  classDef gate fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#f0a868
  style F1 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F3 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F4 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F5 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style F6 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style R1 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R2 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R3 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R4 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R5 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R6 fill:#101018,stroke:#82e0aa,color:#e4e4e8
  style R7 fill:#101018,stroke:#82e0aa,color:#e4e4e8
```

> **Note**: Every component of a confirmed finding is backed by real tau tool-call evidence. The attack procedure describes the path — "an interpreter-based read bypasses the sandbox's reader-regex denylist because the base command is python3, not cat" — without the copy-paste-usable command (that is Provider-Only). The control matrix entry records both states: tau_sandbox INSTALLED (partial mitigation) and tau_vault MISSING (the gap). The roadmap item prescribes the specific plugin to install and the effort. A finding with no control-matrix entry is a finding with no remediation — not actionable.

---

## Diagram 5 — The Dual-Use Disclosure Decision Per Finding

**Type**: Decision flowchart
**Purpose**: B0's central ethical problem — a credential-exfil bypass is both a finding (report) and a misuse recipe (suppress) — resolved per finding in Phase 5. The decision is made in the engagement RoE before testing, but applied per finding at report time. This is where AI red-teaming diverges from the traditional "publish everything" norm: pure-misuse content with no defensive lesson is withheld, and credential values are always Restricted (destroyed).
**Reading the diagram**: A finding enters and the decision flow determines its publication class. The four B0 principles are the decision points. The bottom-right (WITHHOLD) is the divergence from traditional CVD. The credential-exfil finding's path is marked: the technique is published, the recipe is Provider-Only, the values are Restricted.

```mermaid
flowchart TB
  FIND["A CONFIRMED FINDING<br/>e.g. credential-exfil via denylist bypass<br/>backed by real tau tool-call evidence"]:::entry
  P0["0. Reported to provider first<br/>under NDA?"]:::det
  FIND --> P0
  P0 -->|"NO — stop, report first"| STOP["Report to provider.<br/>Do not proceed."]:::danger
  P0 -->|"YES"| P1["1. Provider notified.<br/>Recipe shared under NDA."]:::det

  P1 --> P2{"2. New technique or<br/>architectural insight?"}
  P2 -->|"YES — denylist bypass class<br/>(interpreter reads)"| TECH["Publish the TECHNIQUE<br/>(not the recipe) after embargo<br/>≥180d model-level · 45-90d harness<br/>e.g. 'interpreter-based reads bypass<br/>reader-regex denylists'"]:::good
  P2 -->|"NO"| P3{"3. Pure-misuse-enabling?<br/>(recipe, no defensive lesson)"}

  P3 -->|"YES"| WITHHOLD["4. WITHHOLD publication<br/>Provider-Only disclosure<br/><b>diverges from publish-everything</b>"]:::danger
  P3 -->|"NO"| EXIST["Publish EXISTENCE + SEVERITY<br/>+ measured rate after embargo<br/>recipe stays Provider-Only"]:::good

  CRED["CREDENTIAL VALUES<br/>ALWAYS Restricted class<br/>destroy on report submission<br/>hash of prefix only, never the values<br/><b>non-negotiable regardless of path</b>"]:::cred
  FIND -. credential values .-> CRED

  classDef entry fill:#14141f,stroke:#5eead4,stroke-width:2px,color:#5eead4
  classDef det fill:#101018,stroke:#5eead4,color:#e4e4e8
  classDef good fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
  classDef danger fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef cred fill:#101018,stroke:#f0a868,stroke-width:2px,color:#f0a868
  style P2 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style P3 fill:#101018,stroke:#5eead4,color:#e4e4e8
  style STOP fill:#101018,stroke:#f08080,color:#f08080
```

> **Note**: The credential-exfil finding has a defensive lesson (the denylist-bypass class — interpreter reads bypass reader-regex denylists), so the technique is published after the embargo. The exact bypass command (the recipe) is Provider-Only. The credential values are ALWAYS Restricted — destroyed on report submission, captured only as a hash of the prefix. This is non-negotiable: retaining the credential values IS the harm the test was hired to prevent. The dual-use classification is applied per finding at report time, but the rules were set in the RoE before testing began.

---

## Diagram 6 — The Engagement Report Structure

**Type**: Document outline / hierarchy
**Purpose**: The signature deliverable, made visible. The report is not a list of bugs — it is a structured assessment of Acme Corp's real tau deployment, with an executive summary, engagement metadata, findings (each structured, backed by real tool-call evidence), a control matrix (showing INSTALLED vs MISSING controls), a remediation roadmap (prescribing the specific tau_plugins to install and the B3/B8 controls to build), and a retest plan. Every section has a job; none is filler. A CISO reads the executive summary; the engineering team works from the control matrix and roadmap; the retest plan tells everyone how they will know the fixes worked.
**Reading the diagram**: Top-to-bottom as the report's sections. The teal blocks are the structural sections; the amber block (findings) is where the confirmed findings land, each mapped through Diagram 4. The red marker on the control matrix is the INSTALLED/MISSING distinction.

```mermaid
flowchart TB
  SEC1["1. EXECUTIVE SUMMARY<br/>one page · Acme tau deployment · window · methodology<br/>headline: cred-exfil via missing tau_vault · the one action<br/><i>written for a CISO who reads only this</i>"]:::struct
  SEC2["2. ENGAGEMENT METADATA<br/>tau version · plugin config (taint+sandbox, no vault)<br/>SOW ref · provider auths · model versions<br/><i>the legal anchor</i>"]:::struct
  SEC3["3. FINDINGS<br/>each: ID · severity · OWASP ref · Microsoft ref<br/>attack procedure · REAL evidence · root cause<br/>residual risk · dual-use class<br/><i>backed by real tool-call output</i>"]:::finding
  SEC4["4. CONTROL MATRIX<br/>finding → control → state (INSTALLED/MISSING) → plugin/module<br/>tau_taint INSTALLED · tau_sandbox INSTALLED (partial)<br/>tau_vault MISSING · B3 MISSING · B8 MISSING<br/><i>the bridge from findings to remediation</i>"]:::struct
  SEC5["5. REMEDIATION ROADMAP<br/>1. install tau_vault (CRITICAL, S)<br/>2. add B3 memory gate (HIGH, M)<br/>3. add B8 intent tracker (HIGH, M)<br/>4. harden sandbox denylist (MEDIUM, S)"]:::struct
  SEC6["6. RETEST PLAN<br/>battery vs FULLY-HARDENED tau (all 3 plugins + B3 + B8)<br/>per finding: original rate · patched version · threshold · timeline<br/><i>how Acme knows the fixes worked</i>"]:::struct
  SEC7["APPENDICES<br/>methodology · scorecard battery config · raw rate data<br/>scope file reference · tau version pin"]:::appendix

  SEC1 --> SEC2 --> SEC3 --> SEC4 --> SEC5 --> SEC6 --> SEC7

  classDef struct fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef finding fill:#101018,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  classDef appendix fill:#101018,stroke:#9494a0,color:#9494a0
```

> **Note**: The report's structure mirrors the engagement's logic against the real tau target. The executive summary names the headline (cred-exfil via missing tau_vault) and the one action (install the vault). The engagement metadata pins the tau version and plugin configuration — the legal anchor. The findings carry real tool-call evidence (the bash command that bypassed the denylist, the ok=True result, the hash of the credential prefix). The control matrix distinguishes INSTALLED controls (taint, sandbox) from MISSING ones (vault, B3, B8) — this is what makes the roadmap specific. The roadmap prescribes the exact tau_plugins to install and the B3/B8 controls to build, with effort estimates. The retest plan defines the measured future: the battery re-run against the fully-hardened tau, reporting before/after per finding.