Diagrams — Capstone B1: Harden the tau Harness

Module: CAP-B1 — Harden the tau Harness Diagram count: 6 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.


Diagram 1 — tau's Seven Attack Surfaces (from SDD-B11)

Type: Surface map / defense-gap illustration Purpose: The starting point. tau has seven attack surfaces, each mapped to a B-module that covers it. This capstone hardens three of them (B2, B5, B7) with tested plugins; the others remain as named residuals. The diagram shows where every attack lands on the real codebase and which extension point each control wedges into. Reading the diagram: The seven surfaces (left) are tau's real attack surface from SDD-B11. The center column is tau's undefended state. The right column is the B-module that covers each surface. The teal highlight marks the three this capstone installs.

flowchart LR
  subgraph SURF["tau's SEVEN ATTACK SURFACES (SDD-B11)"]
    direction TB
    S1["1. AGENT LOOP<br/>loop.py — _execute_tool_calls<br/>no pre-execution gate"]:::surf
    S2["2. TOOL OUTPUT<br/>loop.py — _tool_result_message<br/>unfiltered → transcript"]:::surf
    S3["3. MEMORY / SESSIONS<br/>session.py — JSONL append<br/>no memory-write gate"]:::surf
    S4["4. PROVIDER<br/>tau_ai / provider_config.py<br/>no provider-authz check"]:::surf
    S5["5. CREDENTIALS<br/>credentials.py — plaintext JSON<br/>cat ~/.tau/credentials.json"]:::surf
    S6["6. SANDBOX<br/>tools.py — bash runs raw shell<br/>no egress / allowlist"]:::surf
    S7["7. INTER-AGENT / OBSERVABILITY<br/>events.py — rich stream<br/>no security listener"]:::surf
  end

  subgraph WEDGE["EXTENSION POINT the control wedges"]
    direction TB
    E1["EP5 — tool-list site (B0/B1 scope)"]:::ep
    E2["EP1 — executor wrap (B2 taint)<br/><b>INSTALLED: tau_taint</b>"]:::installed
    E3["EP1 — executor wrap (B3 memory)<br/>residual: no plugin"]:::residual
    E4["EP5 — scope gate (B0/B1)"]:::ep
    E5["EP3 — credential store (B5 vault)<br/><b>INSTALLED: tau_vault</b>"]:::installed
    E6["EP2 — bash factory (B7 sandbox)<br/><b>INSTALLED: tau_sandbox</b>"]:::installed
    E7["EP4 — event subscribe (B8 intent)<br/>wired in Phase 5"]:::ep
  end

  S1 --> E1
  S2 --> E2
  S3 --> E3
  S4 --> E4
  S5 --> E5
  S6 --> E6
  S7 --> E7

  classDef surf fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#e4e4e8
  classDef installed fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef residual fill:#101018,stroke:#f0a868,color:#e4e4e8
  classDef ep fill:#101018,stroke:#9494a0,color:#9494a0
  style SURF fill:#0c0c14,stroke:#f08080,color:#9494a0
  style WEDGE fill:#0c0c14,stroke:#5eead4,color:#9494a0

Note: The teal surfaces (2, 5, 6) are the ones this capstone secures with tested plugins — tau_taint on tool output, tau_vault on credentials, tau_sandbox on the bash tool. The amber surface (3, memory) remains a named residual: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds in the scorecard. The honest scorecard reports this rather than hiding it.


Diagram 2 — The Six-Phase Hardening Progression

Type: Phased build / waterfall with scorecard checkpoints Purpose: The capstone builds in six phases, each installing one layer against the real tau codebase and re-running the battery. The phases mirror the defense stack and the scorecard checkpoints. This is the lab structure: you do not compose a control you have not individually measured against the real harness. Reading the diagram: Left-to-right as six phases. Each phase names the plugin installed, the extension point it wedges, and which attack classes collapse in the scorecard. Phase 6 is where the build becomes the final measurement.

flowchart LR
  P1["PHASE 1<br/>CLONE &amp; BASELINE<br/>git clone tau · pip install<br/>run battery on unmodified tau<br/><i>records ~33% baseline</i>"]:::phase
  P2["PHASE 2<br/>+ tau_taint (B2)<br/>EP1 executor wrap<br/>output tagged &lt;untrusted&gt;<br/>indirect injection → 0"]:::phase
  P3["PHASE 3<br/>+ tau_sandbox (B7)<br/>EP2 bash factory<br/>egress/creds/rm blocked<br/>tool-abuse + escape → 0"]:::phase
  P4["PHASE 4<br/>+ tau_vault (B5)<br/>EP3 credential store<br/>plaintext → vault format<br/>creds secured at rest"]:::phase
  P5["PHASE 5<br/>+ observability<br/>EP5 hardened tools<br/>EP4 intent tracker<br/>B0/B1 scope wired"]:::phase
  P6["PHASE 6<br/>SCORE IT<br/>full battery vs hardened<br/>defense scorecard<br/>33% → ~0% delta"]:::score

  P1 --> P2 --> P3 --> P4 --> P5 --> P6

  V1["verify: tau importable,<br/>baseline battery runs,<br/>~33% recorded"]:::verify
  V2["verify: read output<br/>wrapped &lt;untrusted&gt;,<br/>taint gate blocks bash"]:::verify
  V3["verify: curl/cat creds/<br/>rm all return SANDBOX<br/>blocked"]:::verify
  V4["verify: credentials.json<br/>no longer plaintext,<br/>vault.read_count tracks"]:::verify
  V5["verify: create_hardened_tools<br/>composes all three,<br/>intent tracker subscribed"]:::verify

  P1 -. verify .-> V1
  P2 -. verify .-> V2
  P3 -. verify .-> V3
  P4 -. verify .-> V4
  P5 -. verify .-> V5

  classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef score fill:#14141f,stroke:#82e0aa,stroke-width:2px,color:#82e0aa
  classDef verify fill:#101018,stroke:#9494a0,color:#9494a0

Note: Each phase is verified against the real tau battery before the next is composed. Phase 6 is a measurement phase — the deliverable transitions from "the hardened fork" to "the scorecard showing the before/after delta." The curve from the ~33% baseline toward ~0% on the deterministic-gate classes is what the client accepts.


Diagram 3 — The Defense Scorecard Structure (Baseline vs Hardened)

Type: Matrix / before-after comparison Purpose: The signature deliverable, made visual. Attack success rate per class, measured against unmodified tau (baseline) versus tau with the three plugins (hardened). The color intensity drops as defenses land. The residual block names what the installed controls do not cover. Reading the diagram: Two columns — baseline (undefended tau) and hardened (with tau_taint + tau_sandbox + tau_vault). Each row is an attack class. Darker cells = higher attack success (worse). The bottom block names the residual (memory_poison) and its closing control (B3, not in the pack).

flowchart TB
  subgraph MATRIX["ATTACK SUCCESS RATE — baseline tau vs hardened tau"]
    direction TB
    HDR["attack class │ baseline │ hardened │ Δ"]
    R1["direct (rm -rf) │ 100% │ 0% │ -100 (sandbox)"]:::zero
    R2["indirect (file read inj) │ 100% │ 0% │ -100 (taint gate)"]:::zero
    R3["memory_poison │ 100% │ 100% │ 0 (RESIDUAL)"]:::residual
    R4["tool_abuse (curl/wget) │ 100% │ 0% │ -100 (sandbox)"]:::zero
    R5["sandbox_escape (cat creds) │ 100% │ 0% │ -100 (sandbox+vault)"]:::zero
    TOT["OVERALL │ ~100% │ ~11% │ -89pp"]:::total
  end

  subgraph RESIDUAL["RESIDUAL CHARACTERIZATION (honest scorecard)"]
    direction TB
    RES1["memory_poison 100% → no B3 memory-write gate in pack<br/>closing control: B3 (write_to_memory provenance gate)"]:::resnote
    RES2["obfuscated injection → no probabilistic B2 L4 detector in pack<br/>closing control: B2 Layer 4 (secondary-model detector)"]:::resnote
  end

  MATRIX --> RESIDUAL

  classDef zero fill:#101018,stroke:#82e0aa,color:#e4e4e8
  classDef residual fill:#101018,stroke:#f08080,color:#f08080
  classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef resnote fill:#14141f,stroke:#f0a868,color:#f0a868
  style HDR fill:#14141f,stroke:#5eead4,color:#5eead4
  style MATRIX fill:#0c0c14,stroke:#9494a0,color:#9494a0
  style RESIDUAL fill:#0c0c14,stroke:#f0a868,color:#9494a0

Note: The deterministic gates (tau_taint on indirect, tau_sandbox on direct/tool-abuse/escape) produce clean drops to zero on their enumerated classes. The residual — memory_poison — is named honestly: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds. The closing control (B3) is named. An honest scorecard reports this rather than claiming the harness is "secured."


Diagram 4 — The Plugin Attachment Map (Where Each Plugin Wedges)

Type: Code-structure / extension-point map Purpose: tau has no plugin system. Every control attaches by wrapping or replacing objects at explicit, named sites. This diagram shows exactly where each of the three plugins wedges into tau's source — the line numbers, the factory functions, and the composition path. This is SDD-B11's extension-point map made concrete against the installed plugins. Reading the diagram: tau's three layers (top). The five extension points (middle), each with its tau source location. The three installed plugins (bottom), each attaching at its named point. The composition path flows through create_hardened_toolsCodingSessionConfig(tools=...).

flowchart TB
  subgraph TAU["tau THREE-LAYER ARCHITECTURE"]
    direction LR
    AI["tau_ai<br/>provider/model streaming"]:::layer
    AGENT["tau_agent<br/>harness · loop · tools · events"]:::layer
    CODING["tau_coding<br/>CLI/TUI · read/write/edit/bash · sessions · creds"]:::layer
  end

  subgraph EPS["THE FIVE EXTENSION POINTS (SDD-B11)"]
    direction TB
    EP1["EP1 — tool-executor wrap<br/>tau_agent/tools.py:61 · AgentTool.executor<br/>dataclasses.replace(tool, executor=gated)"]:::ep
    EP2["EP2 — bash-tool factory<br/>tau_coding/tools.py:574 · create_bash_tool<br/>BOTH bash paths go through here"]:::ep
    EP3["EP3 — credential store<br/>tau_coding/provider_runtime.py:46<br/>create_model_provider(credential_store=)"]:::ep
    EP4["EP4 — event subscribe<br/>tau_agent/harness.py:124<br/>harness.subscribe(listener)"]:::ep
    EP5["EP5 — tool-list site<br/>tau_coding/session.py:286 · CodingSession.load<br/>CodingSessionConfig(tools=hardened)"]:::ep
  end

  subgraph PLUGINS["THE THREE INSTALLED PLUGINS"]
    direction LR
    TAINT["tau_taint (B2)<br/>wrap_tools_with_taint_gate<br/>tags output &lt;untrusted&gt;<br/>blocks high-impact after taint"]:::plugin
    SAND["tau_sandbox (B7)<br/>create_hardened_bash_tool<br/>denylist + egress gate<br/>covers both bash paths"]:::plugin
    VAULT["tau_vault (B5)<br/>CredentialVault<br/>vault format not plaintext<br/>implements CredentialReader"]:::plugin
  end

  AGENT --> EP1
  AGENT --> EP4
  CODING --> EP2
  CODING --> EP3
  CODING --> EP5

  EP1 --> TAINT
  EP2 --> SAND
  EP3 --> VAULT
  EP5 -. "composes all three via create_hardened_tools" .-> PLUGINS

  classDef layer fill:#101018,stroke:#9494a0,color:#9494a0
  classDef ep fill:#14141f,stroke:#5eead4,color:#e4e4e8
  classDef plugin fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
  style TAU fill:#0c0c14,stroke:#9494a0,color:#9494a0
  style EPS fill:#0c0c14,stroke:#5eead4,color:#9494a0
  style PLUGINS fill:#0c0c14,stroke:#82e0aa,color:#9494a0

Note: tau has no register_tool, no hook framework, no middleware (SDD-B11 verified this by grepping the source). Every plugin attaches by wrapping or replacing at a named site. The composition path is create_hardened_tools(cwd=...)CodingSessionConfig(tools=...)CodingSession.load (Extension Point 5). No monkey-patching, no subclassing. This is what makes the wedge points auditable and teachable.


Diagram 5 — The Defense-in-Depth Conjunction on tau

Type: Funnel / logical-AND illustration Purpose: Why no single plugin suffices. An attack against the hardened tau must bypass every installed gate. Each gate's bypass condition is different, so the conjunction is hard. The diagram shows the path an attack takes through the hardened tool set and where each plugin catches it. Reading the diagram: An attack enters at the top and must pass through each filter. Each filter is labeled with the plugin that implements it, the attack class it catches, and what would pass through (the residual that the next filter or a future plugin must close).

flowchart TB
  ATK["ATTACK against hardened tau<br/>e.g. indirect injection via read tool<br/>baseline: ~100% on this class"]:::entry

  ATK --> F1["tau_taint — OUTPUT TAGGING<br/>catches: untagged content entering transcript<br/>read output wrapped &lt;untrusted&gt;<br/>passes: content still influences model despite tag"]:::plugin
  F1 --> F2["tau_taint — TAINT GATE (DET)<br/>catches: high-impact call with tainted args<br/>bash/send_email/write_to_memory blocked after taint<br/>passes: call NOT high-impact, OR laundered taint"]:::plugin
  F2 --> F3["tau_sandbox — BASH POLICY (DET)<br/>catches: curl/wget/ssh egress, cat creds, rm<br/>both bash paths covered (factory wedge)<br/>passes: command in policy, OR non-bash action"]:::plugin
  F3 --> F4["tau_vault — CREDENTIAL STORE (DET)<br/>catches: plaintext creds readable at rest<br/>vault format, agent cannot read directly<br/>passes: creds already exfiltrated via another channel"]:::plugin
  F4 --> F5["B8 INTENT TRACKER (PROB, advisory)<br/>catches: multi-step compound trajectory drift<br/>subscribed at EP4, read-only<br/>passes: drift too slow to signal"]:::prob
  F5 --> RES["RESIDUAL — characterized<br/>memory_poison (no B3 gate)<br/>obfuscated injection (no B2 L4 detector)<br/>named, with closing control"]:::residual

  classDef entry fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
  classDef plugin fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef prob fill:#101018,stroke:#f0a868,color:#e4e4e8
  classDef residual fill:#14141f,stroke:#f0a868,stroke-width:2px,color:#f0a868

Note: Each installed plugin has a known bypass, and each bypass is named. The defense-in-depth claim is not "each plugin is perfect" — it is "the conjunction of different bypass conditions is hard, and the residual is measured and characterized." The composition is what drives the scorecard from ~33% baseline toward ~0% on the deterministic-gate classes.


Diagram 6 — Before/After Attack-Success-Rate Comparison

Type: Bar comparison / measured delta Purpose: The single most load-bearing visual. The measured attack-success rate per class, baseline tau versus hardened tau. This is the number the client accepts. The deterministic gates (tau_taint, tau_sandbox) produce clean drops to zero on their enumerated classes; the residual (memory_poison) is named honestly. Reading the diagram: Pairs of bars — baseline (red, undefended tau) versus hardened (teal, with plugins) — for each attack class. The drop is the defense's measured contribution. The one pair that does not drop (memory_poison) is the named residual.

flowchart LR
  subgraph COMPARE["ATTACK SUCCESS RATE (%) — baseline vs hardened"]
    direction TB
    D1["direct (rm -rf)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_sandbox)"]:::win
    D2["indirect (file-read injection)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_taint)"]:::win
    D3["memory_poison<br/>baseline ████████████ 100%<br/>hardened ████████████ 100%<br/>Δ: 0 — RESIDUAL (no B3 gate)"]:::residual
    D4["tool_abuse (curl/wget egress)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_sandbox)"]:::win
    D5["sandbox_escape (cat creds)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_sandbox + tau_vault)"]:::win
    DTOT["OVERALL<br/>baseline ~100%<br/>hardened ~11%<br/>DEFENSE IMPROVEMENT: 89pp"]:::total
  end

  KEY["█ baseline (undefended tau) ~33% overall<br/>░ hardened (3 plugins) ~0% on det-gate classes<br/>RESIDUAL: memory_poison → closing control B3"]:::key

  COMPARE --> KEY

  classDef win fill:#101018,stroke:#82e0aa,color:#e4e4e8
  classDef residual fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef key fill:#14141f,stroke:#f0a868,color:#f0a868
  style COMPARE fill:#0c0c14,stroke:#5eead4,color:#9494a0

Note: This is the capstone's signature measurement. The baseline is real — tau actually executes the destructive commands and actually reads the credentials. The hardened column is real — the three plugins actually block the enumerated commands and actually tag the output. The one residual (memory_poison) is reported honestly with its closing control (B3). The 89-point defense improvement is the measured deliverable, not an assertion. Reproduce it by cloning tau, installing the plugin pack, and running the scorecard runner.

# Diagrams — Capstone B1: Harden the tau Harness

**Module**: CAP-B1 — Harden the tau Harness
**Diagram count**: 6
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).

---

## Diagram 1 — tau's Seven Attack Surfaces (from SDD-B11)

**Type**: Surface map / defense-gap illustration
**Purpose**: The starting point. tau has seven attack surfaces, each mapped to a B-module that covers it. This capstone hardens three of them (B2, B5, B7) with tested plugins; the others remain as named residuals. The diagram shows where every attack lands on the real codebase and which extension point each control wedges into.
**Reading the diagram**: The seven surfaces (left) are tau's real attack surface from SDD-B11. The center column is tau's undefended state. The right column is the B-module that covers each surface. The teal highlight marks the three this capstone installs.

```mermaid
flowchart LR
  subgraph SURF["tau's SEVEN ATTACK SURFACES (SDD-B11)"]
    direction TB
    S1["1. AGENT LOOP<br/>loop.py — _execute_tool_calls<br/>no pre-execution gate"]:::surf
    S2["2. TOOL OUTPUT<br/>loop.py — _tool_result_message<br/>unfiltered → transcript"]:::surf
    S3["3. MEMORY / SESSIONS<br/>session.py — JSONL append<br/>no memory-write gate"]:::surf
    S4["4. PROVIDER<br/>tau_ai / provider_config.py<br/>no provider-authz check"]:::surf
    S5["5. CREDENTIALS<br/>credentials.py — plaintext JSON<br/>cat ~/.tau/credentials.json"]:::surf
    S6["6. SANDBOX<br/>tools.py — bash runs raw shell<br/>no egress / allowlist"]:::surf
    S7["7. INTER-AGENT / OBSERVABILITY<br/>events.py — rich stream<br/>no security listener"]:::surf
  end

  subgraph WEDGE["EXTENSION POINT the control wedges"]
    direction TB
    E1["EP5 — tool-list site (B0/B1 scope)"]:::ep
    E2["EP1 — executor wrap (B2 taint)<br/><b>INSTALLED: tau_taint</b>"]:::installed
    E3["EP1 — executor wrap (B3 memory)<br/>residual: no plugin"]:::residual
    E4["EP5 — scope gate (B0/B1)"]:::ep
    E5["EP3 — credential store (B5 vault)<br/><b>INSTALLED: tau_vault</b>"]:::installed
    E6["EP2 — bash factory (B7 sandbox)<br/><b>INSTALLED: tau_sandbox</b>"]:::installed
    E7["EP4 — event subscribe (B8 intent)<br/>wired in Phase 5"]:::ep
  end

  S1 --> E1
  S2 --> E2
  S3 --> E3
  S4 --> E4
  S5 --> E5
  S6 --> E6
  S7 --> E7

  classDef surf fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#e4e4e8
  classDef installed fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef residual fill:#101018,stroke:#f0a868,color:#e4e4e8
  classDef ep fill:#101018,stroke:#9494a0,color:#9494a0
  style SURF fill:#0c0c14,stroke:#f08080,color:#9494a0
  style WEDGE fill:#0c0c14,stroke:#5eead4,color:#9494a0
```

> **Note**: The teal surfaces (2, 5, 6) are the ones this capstone secures with tested plugins — `tau_taint` on tool output, `tau_vault` on credentials, `tau_sandbox` on the bash tool. The amber surface (3, memory) remains a named residual: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds in the scorecard. The honest scorecard reports this rather than hiding it.

---

## Diagram 2 — The Six-Phase Hardening Progression

**Type**: Phased build / waterfall with scorecard checkpoints
**Purpose**: The capstone builds in six phases, each installing one layer against the real tau codebase and re-running the battery. The phases mirror the defense stack and the scorecard checkpoints. This is the lab structure: you do not compose a control you have not individually measured against the real harness.
**Reading the diagram**: Left-to-right as six phases. Each phase names the plugin installed, the extension point it wedges, and which attack classes collapse in the scorecard. Phase 6 is where the build becomes the final measurement.

```mermaid
flowchart LR
  P1["PHASE 1<br/>CLONE &amp; BASELINE<br/>git clone tau · pip install<br/>run battery on unmodified tau<br/><i>records ~33% baseline</i>"]:::phase
  P2["PHASE 2<br/>+ tau_taint (B2)<br/>EP1 executor wrap<br/>output tagged &lt;untrusted&gt;<br/>indirect injection → 0"]:::phase
  P3["PHASE 3<br/>+ tau_sandbox (B7)<br/>EP2 bash factory<br/>egress/creds/rm blocked<br/>tool-abuse + escape → 0"]:::phase
  P4["PHASE 4<br/>+ tau_vault (B5)<br/>EP3 credential store<br/>plaintext → vault format<br/>creds secured at rest"]:::phase
  P5["PHASE 5<br/>+ observability<br/>EP5 hardened tools<br/>EP4 intent tracker<br/>B0/B1 scope wired"]:::phase
  P6["PHASE 6<br/>SCORE IT<br/>full battery vs hardened<br/>defense scorecard<br/>33% → ~0% delta"]:::score

  P1 --> P2 --> P3 --> P4 --> P5 --> P6

  V1["verify: tau importable,<br/>baseline battery runs,<br/>~33% recorded"]:::verify
  V2["verify: read output<br/>wrapped &lt;untrusted&gt;,<br/>taint gate blocks bash"]:::verify
  V3["verify: curl/cat creds/<br/>rm all return SANDBOX<br/>blocked"]:::verify
  V4["verify: credentials.json<br/>no longer plaintext,<br/>vault.read_count tracks"]:::verify
  V5["verify: create_hardened_tools<br/>composes all three,<br/>intent tracker subscribed"]:::verify

  P1 -. verify .-> V1
  P2 -. verify .-> V2
  P3 -. verify .-> V3
  P4 -. verify .-> V4
  P5 -. verify .-> V5

  classDef phase fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef score fill:#14141f,stroke:#82e0aa,stroke-width:2px,color:#82e0aa
  classDef verify fill:#101018,stroke:#9494a0,color:#9494a0
```

> **Note**: Each phase is verified against the real tau battery before the next is composed. Phase 6 is a measurement phase — the deliverable transitions from "the hardened fork" to "the scorecard showing the before/after delta." The curve from the ~33% baseline toward ~0% on the deterministic-gate classes is what the client accepts.

---

## Diagram 3 — The Defense Scorecard Structure (Baseline vs Hardened)

**Type**: Matrix / before-after comparison
**Purpose**: The signature deliverable, made visual. Attack success rate per class, measured against unmodified tau (baseline) versus tau with the three plugins (hardened). The color intensity drops as defenses land. The residual block names what the installed controls do not cover.
**Reading the diagram**: Two columns — baseline (undefended tau) and hardened (with tau_taint + tau_sandbox + tau_vault). Each row is an attack class. Darker cells = higher attack success (worse). The bottom block names the residual (memory_poison) and its closing control (B3, not in the pack).

```mermaid
flowchart TB
  subgraph MATRIX["ATTACK SUCCESS RATE — baseline tau vs hardened tau"]
    direction TB
    HDR["attack class │ baseline │ hardened │ Δ"]
    R1["direct (rm -rf) │ 100% │ 0% │ -100 (sandbox)"]:::zero
    R2["indirect (file read inj) │ 100% │ 0% │ -100 (taint gate)"]:::zero
    R3["memory_poison │ 100% │ 100% │ 0 (RESIDUAL)"]:::residual
    R4["tool_abuse (curl/wget) │ 100% │ 0% │ -100 (sandbox)"]:::zero
    R5["sandbox_escape (cat creds) │ 100% │ 0% │ -100 (sandbox+vault)"]:::zero
    TOT["OVERALL │ ~100% │ ~11% │ -89pp"]:::total
  end

  subgraph RESIDUAL["RESIDUAL CHARACTERIZATION (honest scorecard)"]
    direction TB
    RES1["memory_poison 100% → no B3 memory-write gate in pack<br/>closing control: B3 (write_to_memory provenance gate)"]:::resnote
    RES2["obfuscated injection → no probabilistic B2 L4 detector in pack<br/>closing control: B2 Layer 4 (secondary-model detector)"]:::resnote
  end

  MATRIX --> RESIDUAL

  classDef zero fill:#101018,stroke:#82e0aa,color:#e4e4e8
  classDef residual fill:#101018,stroke:#f08080,color:#f08080
  classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef resnote fill:#14141f,stroke:#f0a868,color:#f0a868
  style HDR fill:#14141f,stroke:#5eead4,color:#5eead4
  style MATRIX fill:#0c0c14,stroke:#9494a0,color:#9494a0
  style RESIDUAL fill:#0c0c14,stroke:#f0a868,color:#9494a0
```

> **Note**: The deterministic gates (tau_taint on indirect, tau_sandbox on direct/tool-abuse/escape) produce clean drops to zero on their enumerated classes. The residual — memory_poison — is named honestly: the plugin pack ships no B3 memory-write gate, so memory poisoning still succeeds. The closing control (B3) is named. An honest scorecard reports this rather than claiming the harness is "secured."

---

## Diagram 4 — The Plugin Attachment Map (Where Each Plugin Wedges)

**Type**: Code-structure / extension-point map
**Purpose**: tau has no plugin system. Every control attaches by wrapping or replacing objects at explicit, named sites. This diagram shows exactly where each of the three plugins wedges into tau's source — the line numbers, the factory functions, and the composition path. This is SDD-B11's extension-point map made concrete against the installed plugins.
**Reading the diagram**: tau's three layers (top). The five extension points (middle), each with its tau source location. The three installed plugins (bottom), each attaching at its named point. The composition path flows through `create_hardened_tools` → `CodingSessionConfig(tools=...)`.

```mermaid
flowchart TB
  subgraph TAU["tau THREE-LAYER ARCHITECTURE"]
    direction LR
    AI["tau_ai<br/>provider/model streaming"]:::layer
    AGENT["tau_agent<br/>harness · loop · tools · events"]:::layer
    CODING["tau_coding<br/>CLI/TUI · read/write/edit/bash · sessions · creds"]:::layer
  end

  subgraph EPS["THE FIVE EXTENSION POINTS (SDD-B11)"]
    direction TB
    EP1["EP1 — tool-executor wrap<br/>tau_agent/tools.py:61 · AgentTool.executor<br/>dataclasses.replace(tool, executor=gated)"]:::ep
    EP2["EP2 — bash-tool factory<br/>tau_coding/tools.py:574 · create_bash_tool<br/>BOTH bash paths go through here"]:::ep
    EP3["EP3 — credential store<br/>tau_coding/provider_runtime.py:46<br/>create_model_provider(credential_store=)"]:::ep
    EP4["EP4 — event subscribe<br/>tau_agent/harness.py:124<br/>harness.subscribe(listener)"]:::ep
    EP5["EP5 — tool-list site<br/>tau_coding/session.py:286 · CodingSession.load<br/>CodingSessionConfig(tools=hardened)"]:::ep
  end

  subgraph PLUGINS["THE THREE INSTALLED PLUGINS"]
    direction LR
    TAINT["tau_taint (B2)<br/>wrap_tools_with_taint_gate<br/>tags output &lt;untrusted&gt;<br/>blocks high-impact after taint"]:::plugin
    SAND["tau_sandbox (B7)<br/>create_hardened_bash_tool<br/>denylist + egress gate<br/>covers both bash paths"]:::plugin
    VAULT["tau_vault (B5)<br/>CredentialVault<br/>vault format not plaintext<br/>implements CredentialReader"]:::plugin
  end

  AGENT --> EP1
  AGENT --> EP4
  CODING --> EP2
  CODING --> EP3
  CODING --> EP5

  EP1 --> TAINT
  EP2 --> SAND
  EP3 --> VAULT
  EP5 -. "composes all three via create_hardened_tools" .-> PLUGINS

  classDef layer fill:#101018,stroke:#9494a0,color:#9494a0
  classDef ep fill:#14141f,stroke:#5eead4,color:#e4e4e8
  classDef plugin fill:#101018,stroke:#82e0aa,stroke-width:1.5px,color:#82e0aa
  style TAU fill:#0c0c14,stroke:#9494a0,color:#9494a0
  style EPS fill:#0c0c14,stroke:#5eead4,color:#9494a0
  style PLUGINS fill:#0c0c14,stroke:#82e0aa,color:#9494a0
```

> **Note**: tau has no `register_tool`, no hook framework, no middleware (SDD-B11 verified this by grepping the source). Every plugin attaches by wrapping or replacing at a named site. The composition path is `create_hardened_tools(cwd=...)` → `CodingSessionConfig(tools=...)` → `CodingSession.load` (Extension Point 5). No monkey-patching, no subclassing. This is what makes the wedge points auditable and teachable.

---

## Diagram 5 — The Defense-in-Depth Conjunction on tau

**Type**: Funnel / logical-AND illustration
**Purpose**: Why no single plugin suffices. An attack against the hardened tau must bypass every installed gate. Each gate's bypass condition is different, so the conjunction is hard. The diagram shows the path an attack takes through the hardened tool set and where each plugin catches it.
**Reading the diagram**: An attack enters at the top and must pass through each filter. Each filter is labeled with the plugin that implements it, the attack class it catches, and what would pass through (the residual that the next filter or a future plugin must close).

```mermaid
flowchart TB
  ATK["ATTACK against hardened tau<br/>e.g. indirect injection via read tool<br/>baseline: ~100% on this class"]:::entry

  ATK --> F1["tau_taint — OUTPUT TAGGING<br/>catches: untagged content entering transcript<br/>read output wrapped &lt;untrusted&gt;<br/>passes: content still influences model despite tag"]:::plugin
  F1 --> F2["tau_taint — TAINT GATE (DET)<br/>catches: high-impact call with tainted args<br/>bash/send_email/write_to_memory blocked after taint<br/>passes: call NOT high-impact, OR laundered taint"]:::plugin
  F2 --> F3["tau_sandbox — BASH POLICY (DET)<br/>catches: curl/wget/ssh egress, cat creds, rm<br/>both bash paths covered (factory wedge)<br/>passes: command in policy, OR non-bash action"]:::plugin
  F3 --> F4["tau_vault — CREDENTIAL STORE (DET)<br/>catches: plaintext creds readable at rest<br/>vault format, agent cannot read directly<br/>passes: creds already exfiltrated via another channel"]:::plugin
  F4 --> F5["B8 INTENT TRACKER (PROB, advisory)<br/>catches: multi-step compound trajectory drift<br/>subscribed at EP4, read-only<br/>passes: drift too slow to signal"]:::prob
  F5 --> RES["RESIDUAL — characterized<br/>memory_poison (no B3 gate)<br/>obfuscated injection (no B2 L4 detector)<br/>named, with closing control"]:::residual

  classDef entry fill:#14141f,stroke:#f08080,stroke-width:2px,color:#f08080
  classDef plugin fill:#101018,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef prob fill:#101018,stroke:#f0a868,color:#e4e4e8
  classDef residual fill:#14141f,stroke:#f0a868,stroke-width:2px,color:#f0a868
```

> **Note**: Each installed plugin has a known bypass, and each bypass is named. The defense-in-depth claim is not "each plugin is perfect" — it is "the conjunction of different bypass conditions is hard, and the residual is measured and characterized." The composition is what drives the scorecard from ~33% baseline toward ~0% on the deterministic-gate classes.

---

## Diagram 6 — Before/After Attack-Success-Rate Comparison

**Type**: Bar comparison / measured delta
**Purpose**: The single most load-bearing visual. The measured attack-success rate per class, baseline tau versus hardened tau. This is the number the client accepts. The deterministic gates (tau_taint, tau_sandbox) produce clean drops to zero on their enumerated classes; the residual (memory_poison) is named honestly.
**Reading the diagram**: Pairs of bars — baseline (red, undefended tau) versus hardened (teal, with plugins) — for each attack class. The drop is the defense's measured contribution. The one pair that does not drop (memory_poison) is the named residual.

```mermaid
flowchart LR
  subgraph COMPARE["ATTACK SUCCESS RATE (%) — baseline vs hardened"]
    direction TB
    D1["direct (rm -rf)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_sandbox)"]:::win
    D2["indirect (file-read injection)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_taint)"]:::win
    D3["memory_poison<br/>baseline ████████████ 100%<br/>hardened ████████████ 100%<br/>Δ: 0 — RESIDUAL (no B3 gate)"]:::residual
    D4["tool_abuse (curl/wget egress)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_sandbox)"]:::win
    D5["sandbox_escape (cat creds)<br/>baseline ████████████ 100%<br/>hardened ░░░░░░░░░░░░   0%<br/>Δ: -100 (tau_sandbox + tau_vault)"]:::win
    DTOT["OVERALL<br/>baseline ~100%<br/>hardened ~11%<br/>DEFENSE IMPROVEMENT: 89pp"]:::total
  end

  KEY["█ baseline (undefended tau) ~33% overall<br/>░ hardened (3 plugins) ~0% on det-gate classes<br/>RESIDUAL: memory_poison → closing control B3"]:::key

  COMPARE --> KEY

  classDef win fill:#101018,stroke:#82e0aa,color:#e4e4e8
  classDef residual fill:#101018,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef total fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef key fill:#14141f,stroke:#f0a868,color:#f0a868
  style COMPARE fill:#0c0c14,stroke:#5eead4,color:#9494a0
```

> **Note**: This is the capstone's signature measurement. The baseline is real — tau actually executes the destructive commands and actually reads the credentials. The hardened column is real — the three plugins actually block the enumerated commands and actually tag the output. The one residual (memory_poison) is reported honestly with its closing control (B3). The 89-point defense improvement is the measured deliverable, not an assertion. Reproduce it by cloning tau, installing the plugin pack, and running the scorecard runner.