Module: CAP-B1 — Harden the tau Harness Diagram count: 6 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.
Type: Surface map / defense-gap illustration Purpose: The starting point. tau has seven attack surfaces, each mapped to a B-module that covers it. This capstone hardens three of them (B2, B5, B7) with tested plugins; the others remain as named residuals. The diagram shows where every attack lands on the real codebase and which extension point each control wedges into. Reading the diagram: The seven surfaces (left) are tau's real attack surface from SDD-B11. The center column is tau's undefended state. The right column is the B-module that covers each surface. The teal highlight marks the three this capstone installs.
flowchart LR
subgraph SURF["tau's SEVEN ATTACK SURFACES (SDD-B11)"]
direction TB
S1["1. AGENT LOOP<br/>loop.py — _execute_tool_calls<br/>no pre-execution gate"]:::surf
S2["2. TOOL OUTPUT<br/>loop.py — _tool_result_message<br/>unfiltered → transcript"]:::surf
S3["3. MEMORY / SESSIONS<br/>session.py — JSONL append<br/>no memory-write gate"]:::surf
S4["4. PROVIDER<br/>tau_ai / provider_config.py<br/>no provider-authz check"]:::surf
S5["5. CREDENTIALS<br/>credentials.py — plaintext JSON<br/>cat ~/.tau/credentials.json"]:::surf
S6["6. SANDBOX<br/>tools.py — bash runs raw shell<br/>no egress / allowlist"]:::surf
S7["7. INTER-AGENT / OBSERVABILITY<br/>events.py — rich stream<br/>no security listener"]:::surf
end
subgraph WEDGE["EXTENSION POINT the control wedges"]
direction TB
E1["EP5 — tool-list site (B0/B1 scope)"]:::ep
E2["EP1 — executor wrap (B2 taint)<br/><b>INSTALLED: tau_taint</b>"]:::installed
E3["EP1 — executor wrap (B3 memory)<br/>residual: no plugin"]:::residual
E4["EP5 — scope gate (B0/B1)"]:::ep
E5["EP3 — credential store (B5 vault)<br/><b>INSTALLED: tau_vault</b>"]:::installed
E6["EP2 — bash factory (B7 sandbox)<br/><b>INSTALLED: tau_sandbox</b>"]:::installed
E7["EP4 — event subscribe (B8 intent)<br/>wired in Phase 5"]:::ep
end
S1 --> E1
S2 --> E2
S3 --> E3
S4 --> E4
S5 --> E5
S6 --> E6
S7 --> E7
classDef surf fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#e4e4e8
classDef installed fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef residual fill:#101018,stroke:#f0a868,color:#e4e4e8
classDef ep fill:#101018,stroke:#9494a0,color:#9494a0
style SURF fill:#0c0c14,stroke:#f08080,color:#9494a0
style WEDGE fill:#0c0c14,stroke:#5eead4,color:#9494a0
Note: The teal surfaces (2, 5, 6) are the ones this capstone secures with tested plugins —
tau_tainton tool output,tau_vaulton credentials,tau_sandboxon the bash tool. The amber surface (3, memory) remains a named residual: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds in the scorecard. The honest scorecard reports this rather than hiding it.
Type: Phased build / waterfall with scorecard checkpoints Purpose: The capstone builds in six phases, each installing one layer against the real tau codebase and re-running the battery. The phases mirror the defense stack and the scorecard checkpoints. This is the lab structure: you do not compose a control you have not individually measured against the real harness. Reading the diagram: Left-to-right as six phases. Each phase names the plugin installed, the extension point it wedges, and which attack classes collapse in the scorecard. Phase 6 is where the build becomes the final measurement.
flowchart LR
P1["PHASE 1<br/>CLONE & BASELINE<br/>git clone tau · pip install<br/>run battery on unmodified tau<br/><i>records ~33% baseline</i>"]:::phase
P2["PHASE 2<br/>+ tau_taint (B2)<br/>EP1 executor wrap<br/>output tagged <untrusted><br/>indirect injection → 0"]:::phase
P3["PHASE 3<br/>+ tau_sandbox (B7)<br/>EP2 bash factory<br/>egress/creds/rm blocked<br/>tool-abuse + escape → 0"]:::phase
P4["PHASE 4<br/>+ tau_vault (B5)<br/>EP3 credential store<br/>plaintext → vault format<br/>creds secured at rest"]:::phase
P5["PHASE 5<br/>+ observability<br/>EP5 hardened tools<br/>EP4 intent tracker<br/>B0/B1 scope wired"]:::phase
P6["PHASE 6<br/>SCORE IT<br/>full battery vs hardened<br/>defense scorecard<br/>33% → ~0% delta"]:::score
P1 --> P2 --> P3 --> P4 --> P5 --> P6
V1["verify: tau importable,<br/>baseline battery runs,<br/>~33% recorded"]:::verify
V2["verify: read output<br/>wrapped <untrusted>,<br/>taint gate blocks bash"]:::verify
V3["verify: curl/cat creds/<br/>rm all return SANDBOX<br/>blocked"]:::verify
V4["verify: credentials.json<br/>no longer plaintext,<br/>vault.read_count tracks"]:::verify
V5["verify: create_hardened_tools<br/>composes all three,<br/>intent tracker subscribed"]:::verify
P1 -. verify .-> V1
P2 -. verify .-> V2
P3 -. verify .-> V3
P4 -. verify .-> V4
P5 -. verify .-> V5
classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef score fill:#14141f,stroke:#82e0aa,stroke-width:2px,color:#82e0aa
classDef verify fill:#101018,stroke:#9494a0,color:#9494a0
Note: Each phase is verified against the real tau battery before the next is composed. Phase 6 is a measurement phase — the deliverable transitions from "the hardened fork" to "the scorecard showing the before/after delta." The curve from the ~33% baseline toward ~0% on the deterministic-gate classes is what the client accepts.
Type: Matrix / before-after comparison Purpose: The signature deliverable, made visual. Attack success rate per class, measured against unmodified tau (baseline) versus tau with the three plugins (hardened). The color intensity drops as defenses land. The residual block names what the installed controls do not cover. Reading the diagram: Two columns — baseline (undefended tau) and hardened (with tau_taint + tau_sandbox + tau_vault). Each row is an attack class. Darker cells = higher attack success (worse). The bottom block names the residual (memory_poison) and its closing control (B3, not in the pack).
flowchart TB
subgraph MATRIX["ATTACK SUCCESS RATE — baseline tau vs hardened tau"]
direction TB
HDR["attack class │ baseline │ hardened │ Δ"]
R1["direct (rm -rf) │ 100% │ 0% │ -100 (sandbox)"]:::zero
R2["indirect (file read inj) │ 100% │ 0% │ -100 (taint gate)"]:::zero
R3["memory_poison │ 100% │ 100% │ 0 (RESIDUAL)"]:::residual
R4["tool_abuse (curl/wget) │ 100% │ 0% │ -100 (sandbox)"]:::zero
R5["sandbox_escape (cat creds) │ 100% │ 0% │ -100 (sandbox+vault)"]:::zero
TOT["OVERALL │ ~100% │ ~11% │ -89pp"]:::total
end
subgraph RESIDUAL["RESIDUAL CHARACTERIZATION (honest scorecard)"]
direction TB
RES1["memory_poison 100% → no B3 memory-write gate in pack<br/>closing control: B3 (write_to_memory provenance gate)"]:::resnote
RES2["obfuscated injection → no probabilistic B2 L4 detector in pack<br/>closing control: B2 Layer 4 (secondary-model detector)"]:::resnote
end
MATRIX --> RESIDUAL
classDef zero fill:#101018,stroke:#82e0aa,color:#e4e4e8
classDef residual fill:#101018,stroke:#f08080,color:#f08080
classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef resnote fill:#14141f,stroke:#f0a868,color:#f0a868
style HDR fill:#14141f,stroke:#5eead4,color:#5eead4
style MATRIX fill:#0c0c14,stroke:#9494a0,color:#9494a0
style RESIDUAL fill:#0c0c14,stroke:#f0a868,color:#9494a0
Note: The deterministic gates (tau_taint on indirect, tau_sandbox on direct/tool-abuse/escape) produce clean drops to zero on their enumerated classes. The residual — memory_poison — is named honestly: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds. The closing control (B3) is named. An honest scorecard reports this rather than claiming the harness is "secured."
Type: Code-structure / extension-point map
Purpose: tau has no plugin system. Every control attaches by wrapping or replacing objects at explicit, named sites. This diagram shows exactly where each of the three plugins wedges into tau's source — the line numbers, the factory functions, and the composition path. This is SDD-B11's extension-point map made concrete against the installed plugins.
Reading the diagram: tau's three layers (top). The five extension points (middle), each with its tau source location. The three installed plugins (bottom), each attaching at its named point. The composition path flows through create_hardened_tools → CodingSessionConfig(tools=...).
flowchart TB
subgraph TAU["tau THREE-LAYER ARCHITECTURE"]
direction LR
AI["tau_ai<br/>provider/model streaming"]:::layer
AGENT["tau_agent<br/>harness · loop · tools · events"]:::layer
CODING["tau_coding<br/>CLI/TUI · read/write/edit/bash · sessions · creds"]:::layer
end
subgraph EPS["THE FIVE EXTENSION POINTS (SDD-B11)"]
direction TB
EP1["EP1 — tool-executor wrap<br/>tau_agent/tools.py:61 · AgentTool.executor<br/>dataclasses.replace(tool, executor=gated)"]:::ep
EP2["EP2 — bash-tool factory<br/>tau_coding/tools.py:574 · create_bash_tool<br/>BOTH bash paths go through here"]:::ep
EP3["EP3 — credential store<br/>tau_coding/provider_runtime.py:46<br/>create_model_provider(credential_store=)"]:::ep
EP4["EP4 — event subscribe<br/>tau_agent/harness.py:124<br/>harness.subscribe(listener)"]:::ep
EP5["EP5 — tool-list site<br/>tau_coding/session.py:286 · CodingSession.load<br/>CodingSessionConfig(tools=hardened)"]:::ep
end
subgraph PLUGINS["THE THREE INSTALLED PLUGINS"]
direction LR
TAINT["tau_taint (B2)<br/>wrap_tools_with_taint_gate<br/>tags output <untrusted><br/>blocks high-impact after taint"]:::plugin
SAND["tau_sandbox (B7)<br/>create_hardened_bash_tool<br/>denylist + egress gate<br/>covers both bash paths"]:::plugin
VAULT["tau_vault (B5)<br/>CredentialVault<br/>vault format not plaintext<br/>implements CredentialReader"]:::plugin
end
AGENT --> EP1
AGENT --> EP4
CODING --> EP2
CODING --> EP3
CODING --> EP5
EP1 --> TAINT
EP2 --> SAND
EP3 --> VAULT
EP5 -. "composes all three via create_hardened_tools" .-> PLUGINS
classDef layer fill:#101018,stroke:#9494a0,color:#9494a0
classDef ep fill:#14141f,stroke:#5eead4,color:#e4e4e8
classDef plugin fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
style TAU fill:#0c0c14,stroke:#9494a0,color:#9494a0
style EPS fill:#0c0c14,stroke:#5eead4,color:#9494a0
style PLUGINS fill:#0c0c14,stroke:#82e0aa,color:#9494a0
Note: tau has no
register_tool, no hook framework, no middleware (SDD-B11 verified this by grepping the source). Every plugin attaches by wrapping or replacing at a named site. The composition path iscreate_hardened_tools(cwd=...)→CodingSessionConfig(tools=...)→CodingSession.load(Extension Point 5). No monkey-patching, no subclassing. This is what makes the wedge points auditable and teachable.
Type: Funnel / logical-AND illustration Purpose: Why no single plugin suffices. An attack against the hardened tau must bypass every installed gate. Each gate's bypass condition is different, so the conjunction is hard. The diagram shows the path an attack takes through the hardened tool set and where each plugin catches it. Reading the diagram: An attack enters at the top and must pass through each filter. Each filter is labeled with the plugin that implements it, the attack class it catches, and what would pass through (the residual that the next filter or a future plugin must close).
flowchart TB
ATK["ATTACK against hardened tau<br/>e.g. indirect injection via read tool<br/>baseline: ~100% on this class"]:::entry
ATK --> F1["tau_taint — OUTPUT TAGGING<br/>catches: untagged content entering transcript<br/>read output wrapped <untrusted><br/>passes: content still influences model despite tag"]:::plugin
F1 --> F2["tau_taint — TAINT GATE (DET)<br/>catches: high-impact call with tainted args<br/>bash/send_email/write_to_memory blocked after taint<br/>passes: call NOT high-impact, OR laundered taint"]:::plugin
F2 --> F3["tau_sandbox — BASH POLICY (DET)<br/>catches: curl/wget/ssh egress, cat creds, rm<br/>both bash paths covered (factory wedge)<br/>passes: command in policy, OR non-bash action"]:::plugin
F3 --> F4["tau_vault — CREDENTIAL STORE (DET)<br/>catches: plaintext creds readable at rest<br/>vault format, agent cannot read directly<br/>passes: creds already exfiltrated via another channel"]:::plugin
F4 --> F5["B8 INTENT TRACKER (PROB, advisory)<br/>catches: multi-step compound trajectory drift<br/>subscribed at EP4, read-only<br/>passes: drift too slow to signal"]:::prob
F5 --> RES["RESIDUAL — characterized<br/>memory_poison (no B3 gate)<br/>obfuscated injection (no B2 L4 detector)<br/>named, with closing control"]:::residual
classDef entry fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
classDef plugin fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef prob fill:#101018,stroke:#f0a868,color:#e4e4e8
classDef residual fill:#14141f,stroke:#f0a868,stroke-width:2px,color:#f0a868
Note: Each installed plugin has a known bypass, and each bypass is named. The defense-in-depth claim is not "each plugin is perfect" — it is "the conjunction of different bypass conditions is hard, and the residual is measured and characterized." The composition is what drives the scorecard from ~33% baseline toward ~0% on the deterministic-gate classes.
Type: Bar comparison / measured delta Purpose: The single most load-bearing visual. The measured attack-success rate per class, baseline tau versus hardened tau. This is the number the client accepts. The deterministic gates (tau_taint, tau_sandbox) produce clean drops to zero on their enumerated classes; the residual (memory_poison) is named honestly. Reading the diagram: Pairs of bars — baseline (red, undefended tau) versus hardened (teal, with plugins) — for each attack class. The drop is the defense's measured contribution. The one pair that does not drop (memory_poison) is the named residual.
flowchart LR
subgraph COMPARE["ATTACK SUCCESS RATE (%) — baseline vs hardened"]
direction TB
D1["direct (rm -rf)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_sandbox)"]:::win
D2["indirect (file-read injection)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_taint)"]:::win
D3["memory_poison<br/>baseline ████████████ 100%<br/>hardened ████████████ 100%<br/>Δ: 0 — RESIDUAL (no B3 gate)"]:::residual
D4["tool_abuse (curl/wget egress)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_sandbox)"]:::win
D5["sandbox_escape (cat creds)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_sandbox + tau_vault)"]:::win
DTOT["OVERALL<br/>baseline ~100%<br/>hardened ~11%<br/>DEFENSE IMPROVEMENT: 89pp"]:::total
end
KEY["█ baseline (undefended tau) ~33% overall<br/>░ hardened (3 plugins) ~0% on det-gate classes<br/>RESIDUAL: memory_poison → closing control B3"]:::key
COMPARE --> KEY
classDef win fill:#101018,stroke:#82e0aa,color:#e4e4e8
classDef residual fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef key fill:#14141f,stroke:#f0a868,color:#f0a868
style COMPARE fill:#0c0c14,stroke:#5eead4,color:#9494a0
Note: This is the capstone's signature measurement. The baseline is real — tau actually executes the destructive commands and actually reads the credentials. The hardened column is real — the three plugins actually block the enumerated commands and actually tag the output. The one residual (memory_poison) is reported honestly with its closing control (B3). The 89-point defense improvement is the measured deliverable, not an assertion. Reproduce it by cloning tau, installing the plugin pack, and running the scorecard runner.
# Diagrams — Capstone B1: Harden the tau Harness
**Module**: CAP-B1 — Harden the tau Harness
**Diagram count**: 6
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).
---
## Diagram 1 — tau's Seven Attack Surfaces (from SDD-B11)
**Type**: Surface map / defense-gap illustration
**Purpose**: The starting point. tau has seven attack surfaces, each mapped to a B-module that covers it. This capstone hardens three of them (B2, B5, B7) with tested plugins; the others remain as named residuals. The diagram shows where every attack lands on the real codebase and which extension point each control wedges into.
**Reading the diagram**: The seven surfaces (left) are tau's real attack surface from SDD-B11. The center column is tau's undefended state. The right column is the B-module that covers each surface. The teal highlight marks the three this capstone installs.
```mermaid
flowchart LR
subgraph SURF["tau's SEVEN ATTACK SURFACES (SDD-B11)"]
direction TB
S1["1. AGENT LOOP<br/>loop.py — _execute_tool_calls<br/>no pre-execution gate"]:::surf
S2["2. TOOL OUTPUT<br/>loop.py — _tool_result_message<br/>unfiltered → transcript"]:::surf
S3["3. MEMORY / SESSIONS<br/>session.py — JSONL append<br/>no memory-write gate"]:::surf
S4["4. PROVIDER<br/>tau_ai / provider_config.py<br/>no provider-authz check"]:::surf
S5["5. CREDENTIALS<br/>credentials.py — plaintext JSON<br/>cat ~/.tau/credentials.json"]:::surf
S6["6. SANDBOX<br/>tools.py — bash runs raw shell<br/>no egress / allowlist"]:::surf
S7["7. INTER-AGENT / OBSERVABILITY<br/>events.py — rich stream<br/>no security listener"]:::surf
end
subgraph WEDGE["EXTENSION POINT the control wedges"]
direction TB
E1["EP5 — tool-list site (B0/B1 scope)"]:::ep
E2["EP1 — executor wrap (B2 taint)<br/><b>INSTALLED: tau_taint</b>"]:::installed
E3["EP1 — executor wrap (B3 memory)<br/>residual: no plugin"]:::residual
E4["EP5 — scope gate (B0/B1)"]:::ep
E5["EP3 — credential store (B5 vault)<br/><b>INSTALLED: tau_vault</b>"]:::installed
E6["EP2 — bash factory (B7 sandbox)<br/><b>INSTALLED: tau_sandbox</b>"]:::installed
E7["EP4 — event subscribe (B8 intent)<br/>wired in Phase 5"]:::ep
end
S1 --> E1
S2 --> E2
S3 --> E3
S4 --> E4
S5 --> E5
S6 --> E6
S7 --> E7
classDef surf fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#e4e4e8
classDef installed fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef residual fill:#101018,stroke:#f0a868,color:#e4e4e8
classDef ep fill:#101018,stroke:#9494a0,color:#9494a0
style SURF fill:#0c0c14,stroke:#f08080,color:#9494a0
style WEDGE fill:#0c0c14,stroke:#5eead4,color:#9494a0
```
> **Note**: The teal surfaces (2, 5, 6) are the ones this capstone secures with tested plugins — `tau_taint` on tool output, `tau_vault` on credentials, `tau_sandbox` on the bash tool. The amber surface (3, memory) remains a named residual: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds in the scorecard. The honest scorecard reports this rather than hiding it.
---
## Diagram 2 — The Six-Phase Hardening Progression
**Type**: Phased build / waterfall with scorecard checkpoints
**Purpose**: The capstone builds in six phases, each installing one layer against the real tau codebase and re-running the battery. The phases mirror the defense stack and the scorecard checkpoints. This is the lab structure: you do not compose a control you have not individually measured against the real harness.
**Reading the diagram**: Left-to-right as six phases. Each phase names the plugin installed, the extension point it wedges, and which attack classes collapse in the scorecard. Phase 6 is where the build becomes the final measurement.
```mermaid
flowchart LR
P1["PHASE 1<br/>CLONE & BASELINE<br/>git clone tau · pip install<br/>run battery on unmodified tau<br/><i>records ~33% baseline</i>"]:::phase
P2["PHASE 2<br/>+ tau_taint (B2)<br/>EP1 executor wrap<br/>output tagged <untrusted><br/>indirect injection → 0"]:::phase
P3["PHASE 3<br/>+ tau_sandbox (B7)<br/>EP2 bash factory<br/>egress/creds/rm blocked<br/>tool-abuse + escape → 0"]:::phase
P4["PHASE 4<br/>+ tau_vault (B5)<br/>EP3 credential store<br/>plaintext → vault format<br/>creds secured at rest"]:::phase
P5["PHASE 5<br/>+ observability<br/>EP5 hardened tools<br/>EP4 intent tracker<br/>B0/B1 scope wired"]:::phase
P6["PHASE 6<br/>SCORE IT<br/>full battery vs hardened<br/>defense scorecard<br/>33% → ~0% delta"]:::score
P1 --> P2 --> P3 --> P4 --> P5 --> P6
V1["verify: tau importable,<br/>baseline battery runs,<br/>~33% recorded"]:::verify
V2["verify: read output<br/>wrapped <untrusted>,<br/>taint gate blocks bash"]:::verify
V3["verify: curl/cat creds/<br/>rm all return SANDBOX<br/>blocked"]:::verify
V4["verify: credentials.json<br/>no longer plaintext,<br/>vault.read_count tracks"]:::verify
V5["verify: create_hardened_tools<br/>composes all three,<br/>intent tracker subscribed"]:::verify
P1 -. verify .-> V1
P2 -. verify .-> V2
P3 -. verify .-> V3
P4 -. verify .-> V4
P5 -. verify .-> V5
classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef score fill:#14141f,stroke:#82e0aa,stroke-width:2px,color:#82e0aa
classDef verify fill:#101018,stroke:#9494a0,color:#9494a0
```
> **Note**: Each phase is verified against the real tau battery before the next is composed. Phase 6 is a measurement phase — the deliverable transitions from "the hardened fork" to "the scorecard showing the before/after delta." The curve from the ~33% baseline toward ~0% on the deterministic-gate classes is what the client accepts.
---
## Diagram 3 — The Defense Scorecard Structure (Baseline vs Hardened)
**Type**: Matrix / before-after comparison
**Purpose**: The signature deliverable, made visual. Attack success rate per class, measured against unmodified tau (baseline) versus tau with the three plugins (hardened). The color intensity drops as defenses land. The residual block names what the installed controls do not cover.
**Reading the diagram**: Two columns — baseline (undefended tau) and hardened (with tau_taint + tau_sandbox + tau_vault). Each row is an attack class. Darker cells = higher attack success (worse). The bottom block names the residual (memory_poison) and its closing control (B3, not in the pack).
```mermaid
flowchart TB
subgraph MATRIX["ATTACK SUCCESS RATE — baseline tau vs hardened tau"]
direction TB
HDR["attack class │ baseline │ hardened │ Δ"]
R1["direct (rm -rf) │ 100% │ 0% │ -100 (sandbox)"]:::zero
R2["indirect (file read inj) │ 100% │ 0% │ -100 (taint gate)"]:::zero
R3["memory_poison │ 100% │ 100% │ 0 (RESIDUAL)"]:::residual
R4["tool_abuse (curl/wget) │ 100% │ 0% │ -100 (sandbox)"]:::zero
R5["sandbox_escape (cat creds) │ 100% │ 0% │ -100 (sandbox+vault)"]:::zero
TOT["OVERALL │ ~100% │ ~11% │ -89pp"]:::total
end
subgraph RESIDUAL["RESIDUAL CHARACTERIZATION (honest scorecard)"]
direction TB
RES1["memory_poison 100% → no B3 memory-write gate in pack<br/>closing control: B3 (write_to_memory provenance gate)"]:::resnote
RES2["obfuscated injection → no probabilistic B2 L4 detector in pack<br/>closing control: B2 Layer 4 (secondary-model detector)"]:::resnote
end
MATRIX --> RESIDUAL
classDef zero fill:#101018,stroke:#82e0aa,color:#e4e4e8
classDef residual fill:#101018,stroke:#f08080,color:#f08080
classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef resnote fill:#14141f,stroke:#f0a868,color:#f0a868
style HDR fill:#14141f,stroke:#5eead4,color:#5eead4
style MATRIX fill:#0c0c14,stroke:#9494a0,color:#9494a0
style RESIDUAL fill:#0c0c14,stroke:#f0a868,color:#9494a0
```
> **Note**: The deterministic gates (tau_taint on indirect, tau_sandbox on direct/tool-abuse/escape) produce clean drops to zero on their enumerated classes. The residual — memory_poison — is named honestly: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds. The closing control (B3) is named. An honest scorecard reports this rather than claiming the harness is "secured."
---
## Diagram 4 — The Plugin Attachment Map (Where Each Plugin Wedges)
**Type**: Code-structure / extension-point map
**Purpose**: tau has no plugin system. Every control attaches by wrapping or replacing objects at explicit, named sites. This diagram shows exactly where each of the three plugins wedges into tau's source — the line numbers, the factory functions, and the composition path. This is SDD-B11's extension-point map made concrete against the installed plugins.
**Reading the diagram**: tau's three layers (top). The five extension points (middle), each with its tau source location. The three installed plugins (bottom), each attaching at its named point. The composition path flows through `create_hardened_tools` → `CodingSessionConfig(tools=...)`.
```mermaid
flowchart TB
subgraph TAU["tau THREE-LAYER ARCHITECTURE"]
direction LR
AI["tau_ai<br/>provider/model streaming"]:::layer
AGENT["tau_agent<br/>harness · loop · tools · events"]:::layer
CODING["tau_coding<br/>CLI/TUI · read/write/edit/bash · sessions · creds"]:::layer
end
subgraph EPS["THE FIVE EXTENSION POINTS (SDD-B11)"]
direction TB
EP1["EP1 — tool-executor wrap<br/>tau_agent/tools.py:61 · AgentTool.executor<br/>dataclasses.replace(tool, executor=gated)"]:::ep
EP2["EP2 — bash-tool factory<br/>tau_coding/tools.py:574 · create_bash_tool<br/>BOTH bash paths go through here"]:::ep
EP3["EP3 — credential store<br/>tau_coding/provider_runtime.py:46<br/>create_model_provider(credential_store=)"]:::ep
EP4["EP4 — event subscribe<br/>tau_agent/harness.py:124<br/>harness.subscribe(listener)"]:::ep
EP5["EP5 — tool-list site<br/>tau_coding/session.py:286 · CodingSession.load<br/>CodingSessionConfig(tools=hardened)"]:::ep
end
subgraph PLUGINS["THE THREE INSTALLED PLUGINS"]
direction LR
TAINT["tau_taint (B2)<br/>wrap_tools_with_taint_gate<br/>tags output <untrusted><br/>blocks high-impact after taint"]:::plugin
SAND["tau_sandbox (B7)<br/>create_hardened_bash_tool<br/>denylist + egress gate<br/>covers both bash paths"]:::plugin
VAULT["tau_vault (B5)<br/>CredentialVault<br/>vault format not plaintext<br/>implements CredentialReader"]:::plugin
end
AGENT --> EP1
AGENT --> EP4
CODING --> EP2
CODING --> EP3
CODING --> EP5
EP1 --> TAINT
EP2 --> SAND
EP3 --> VAULT
EP5 -. "composes all three via create_hardened_tools" .-> PLUGINS
classDef layer fill:#101018,stroke:#9494a0,color:#9494a0
classDef ep fill:#14141f,stroke:#5eead4,color:#e4e4e8
classDef plugin fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
style TAU fill:#0c0c14,stroke:#9494a0,color:#9494a0
style EPS fill:#0c0c14,stroke:#5eead4,color:#9494a0
style PLUGINS fill:#0c0c14,stroke:#82e0aa,color:#9494a0
```
> **Note**: tau has no `register_tool`, no hook framework, no middleware (SDD-B11 verified this by grepping the source). Every plugin attaches by wrapping or replacing at a named site. The composition path is `create_hardened_tools(cwd=...)` → `CodingSessionConfig(tools=...)` → `CodingSession.load` (Extension Point 5). No monkey-patching, no subclassing. This is what makes the wedge points auditable and teachable.
---
## Diagram 5 — The Defense-in-Depth Conjunction on tau
**Type**: Funnel / logical-AND illustration
**Purpose**: Why no single plugin suffices. An attack against the hardened tau must bypass every installed gate. Each gate's bypass condition is different, so the conjunction is hard. The diagram shows the path an attack takes through the hardened tool set and where each plugin catches it.
**Reading the diagram**: An attack enters at the top and must pass through each filter. Each filter is labeled with the plugin that implements it, the attack class it catches, and what would pass through (the residual that the next filter or a future plugin must close).
```mermaid
flowchart TB
ATK["ATTACK against hardened tau<br/>e.g. indirect injection via read tool<br/>baseline: ~100% on this class"]:::entry
ATK --> F1["tau_taint — OUTPUT TAGGING<br/>catches: untagged content entering transcript<br/>read output wrapped <untrusted><br/>passes: content still influences model despite tag"]:::plugin
F1 --> F2["tau_taint — TAINT GATE (DET)<br/>catches: high-impact call with tainted args<br/>bash/send_email/write_to_memory blocked after taint<br/>passes: call NOT high-impact, OR laundered taint"]:::plugin
F2 --> F3["tau_sandbox — BASH POLICY (DET)<br/>catches: curl/wget/ssh egress, cat creds, rm<br/>both bash paths covered (factory wedge)<br/>passes: command in policy, OR non-bash action"]:::plugin
F3 --> F4["tau_vault — CREDENTIAL STORE (DET)<br/>catches: plaintext creds readable at rest<br/>vault format, agent cannot read directly<br/>passes: creds already exfiltrated via another channel"]:::plugin
F4 --> F5["B8 INTENT TRACKER (PROB, advisory)<br/>catches: multi-step compound trajectory drift<br/>subscribed at EP4, read-only<br/>passes: drift too slow to signal"]:::prob
F5 --> RES["RESIDUAL — characterized<br/>memory_poison (no B3 gate)<br/>obfuscated injection (no B2 L4 detector)<br/>named, with closing control"]:::residual
classDef entry fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
classDef plugin fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef prob fill:#101018,stroke:#f0a868,color:#e4e4e8
classDef residual fill:#14141f,stroke:#f0a868,stroke-width:2px,color:#f0a868
```
> **Note**: Each installed plugin has a known bypass, and each bypass is named. The defense-in-depth claim is not "each plugin is perfect" — it is "the conjunction of different bypass conditions is hard, and the residual is measured and characterized." The composition is what drives the scorecard from ~33% baseline toward ~0% on the deterministic-gate classes.
---
## Diagram 6 — Before/After Attack-Success-Rate Comparison
**Type**: Bar comparison / measured delta
**Purpose**: The single most load-bearing visual. The measured attack-success rate per class, baseline tau versus hardened tau. This is the number the client accepts. The deterministic gates (tau_taint, tau_sandbox) produce clean drops to zero on their enumerated classes; the residual (memory_poison) is named honestly.
**Reading the diagram**: Pairs of bars — baseline (red, undefended tau) versus hardened (teal, with plugins) — for each attack class. The drop is the defense's measured contribution. The one pair that does not drop (memory_poison) is the named residual.
```mermaid
flowchart LR
subgraph COMPARE["ATTACK SUCCESS RATE (%) — baseline vs hardened"]
direction TB
D1["direct (rm -rf)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_sandbox)"]:::win
D2["indirect (file-read injection)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_taint)"]:::win
D3["memory_poison<br/>baseline ████████████ 100%<br/>hardened ████████████ 100%<br/>Δ: 0 — RESIDUAL (no B3 gate)"]:::residual
D4["tool_abuse (curl/wget egress)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_sandbox)"]:::win
D5["sandbox_escape (cat creds)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░ 0%<br/>Δ: -100 (tau_sandbox + tau_vault)"]:::win
DTOT["OVERALL<br/>baseline ~100%<br/>hardened ~11%<br/>DEFENSE IMPROVEMENT: 89pp"]:::total
end
KEY["█ baseline (undefended tau) ~33% overall<br/>░ hardened (3 plugins) ~0% on det-gate classes<br/>RESIDUAL: memory_poison → closing control B3"]:::key
COMPARE --> KEY
classDef win fill:#101018,stroke:#82e0aa,color:#e4e4e8
classDef residual fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef key fill:#14141f,stroke:#f0a868,color:#f0a868
style COMPARE fill:#0c0c14,stroke:#5eead4,color:#9494a0
```
> **Note**: This is the capstone's signature measurement. The baseline is real — tau actually executes the destructive commands and actually reads the credentials. The hardened column is real — the three plugins actually block the enumerated commands and actually tag the output. The one residual (memory_poison) is reported honestly with its closing control (B3). The 89-point defense improvement is the measured deliverable, not an assertion. Reproduce it by cloning tau, installing the plugin pack, and running the scorecard runner.