Module: SDD-B05 — IronCurtain Offensive Analysis Diagram count: 5 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.
Type: Architecture / attack-surface overlay Purpose: The foundational visual. IronCurtain's deterministic runtime has no semantic surface — but the LLM was not eliminated, it was relocated to build time. Three surfaces fall out: the compilation pipeline (a probabilistic LLM compiling the deterministic rules), the V8 isolate (the sandbox the credential quarantine depends on), and the escalation mechanism (the human the deterministic design cannot eliminate). The runtime enforcement engine is deliberately not on the list — pure if/then has no surface. Reading the diagram: Top = the build-time compilation pipeline (surface 1). Middle = the runtime (no surface). Bottom = the isolate boundary (surface 2) and the escalation channel (surface 3). The credential quarantine spans the isolate and the proxy.
flowchart TB
CONSTIT["constitution.md<br/>(plain English policy)"]
subgraph BUILD["BUILD TIME — the compilation pipeline (SURFACE 1)"]
direction TB
ANN["Annotate (LLM)<br/>classify tool args"]
COMP["Compile (LLM)<br/>English → if/then rules"]
RES["Resolve Lists (LLM)<br/>symbols → concrete values"]
SCEN["Generate Scenarios (LLM)<br/>test cases"]
VER["Verify & Repair (LLM)<br/>up to 2 rounds; build fails if unverified"]:::warn
POLICY["compiled-policy.json<br/>(deterministic rules)"]:::teal
ANN --> COMP --> RES --> SCEN --> VER --> POLICY
end
CONSTIT --> BUILD
subgraph RUNTIME["RUNTIME — deterministic enforcement (NO surface)"]
direction TB
ENG["enforcement engine<br/>pure if/then JSON rule eval<br/>ZERO LLM — cannot be injected"]:::teal
DECISION{"ALLOW / DENY / ESCALATE"}
ENG --> DECISION
end
POLICY --> ENG
subgraph SANDBOX["CODE MODE — the V8 isolate (SURFACE 2)"]
direction TB
ISO["V8 isolate (isolated-vm)<br/>agent TypeScript<br/>per-call fuel + memory limits"]:::danger
FAKE["agent holds FAKE keys<br/>FAKE_ANTHROPIC_KEY_abc"]:::teal
ISO --> FAKE
end
PROXY["MITM PROXY (host process)<br/>holds REAL keys<br/>hot-swaps fake→real at boundary"]:::danger
FAKE -.->|"API call transits proxy"| PROXY
PROXY -.->|"swap happens here"| PROVIDER["LLM provider"]
HUMAN["ESCALATION → HUMAN (SURFACE 3)<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist"]:::danger
DECISION -->|"escalate (edge case)"| HUMAN
HUMAN -.->|"fatigued → rubber-stamp"| AUTO["auto-approve (the fatigue failure)"]:::danger
SURF1["SURFACE 1 — COMPILATION FIDELITY<br/>probabilistic LLM compiles deterministic rules<br/>miscompilation enforced consistently"]:::danger
SURF2["SURFACE 2 — V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine holds<br/>only as long as the isolate does"]:::danger
SURF3["SURFACE 3 — ESCALATION FATIGUE<br/>human is the probabilistic component<br/>flood → rubber-stamp"]:::danger
VER -.-> SURF1
ISO -.-> SURF2
HUMAN -.-> SURF3
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style CONSTIT fill:#101018,stroke:#9494a0,color:#e4e4e8
style DECISION fill:#101018,stroke:#5eead4,color:#e4e4e8
style PROVIDER fill:#101018,stroke:#9494a0,color:#e4e4e8
style BUILD fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
style RUNTIME fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
style SANDBOX fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
Note: The runtime enforcement engine is the part of IronCurtain that genuinely has no attack surface — pure if/then cannot be injected. The surfaces are everything around it: the build-time compilation (a probabilistic system producing the deterministic rules), the isolate boundary (the sandbox the quarantine depends on), and the escalation channel (the human the deterministic design still needs). The LLM was not eliminated; it was relocated.
Type: Attack flow Purpose: The primary break. The deterministic policy is compiled by a probabilistic LLM. Three vectors steer the compilation toward a permissive rule: constitution ambiguity, scenario coverage gaps, and resolved-list poisoning. The verify-and-repair defense mitigates but does not eliminate — it is a second LLM checking the first, and two probabilistic systems agreeing is not a deterministic guarantee. Reading the diagram: The attacker influences the constitution, the scenario set, or a resolved list. The compilation produces a permissive rule. The verify-and-repair stage may catch it — or may agree with the miscompilation. The permissive rule is then enforced deterministically, consistently, every time.
flowchart TB
subgraph VECTORS["THREE ATTACK VECTORS"]
direction TB
V1["CONSTITUTION AMBIGUITY<br/>'may post to internal channels<br/>for routine updates' — what counts?<br/>steer the resolution toward permissive"]:::danger
V2["SCENARIO COVERAGE GAP<br/>scenario set doesn't exercise<br/>the attacker's intended action<br/>→ verify-and-repair never tests it"]:::danger
V3["RESOLVED-LIST POISONING<br/>@trusted-endpoints includes<br/>attacker domain; @sensitive-ops<br/>omits the target action"]:::danger
end
V1 --> COMP
V2 --> COMP
V3 --> COMP
COMP["COMPILE (LLM)<br/>translates English → if/then<br/>produces a PERMISSIVE rule<br/>(e.g. allows the exfil webhook)"]:::warn
COMP --> VER["VERIFY & REPAIR (LLM)<br/>a second LLM checks the first<br/>may catch — or may AGREE with<br/>the miscompilation"]:::warn
VER --> Q{"does verify agree<br/>with the miscompilation?"}
Q -->|"YES (the residual)"| PASS["PERMISSIVE RULE PASSES<br/>baked into compiled-policy.json"]:::danger
Q -->|"NO — caught"| REPAIR["repaired (up to 2 rounds)<br/>or build fails"]:::teal
PASS --> RUNTIME["DETERMINISTIC RUNTIME<br/>enforces the permissive rule<br/>CONSISTENTLY, every time<br/>(no runtime chance of refusal)"]:::danger
PROVES["WHAT IT PROVES:<br/>relocating the LLM from runtime to build time<br/>does NOT eliminate the probabilistic component<br/>— it CONCENTRATES it. One miscompilation<br/>= a consistently-enforced wrong rule"]:::warn
RUNTIME -.-> PROVES
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style COMP fill:#101018,stroke:#f0a868,color:#e4e4e8
style VER fill:#101018,stroke:#f0a868,color:#e4e4e8
style Q fill:#101018,stroke:#f0a868,color:#e4e4e8
style VECTORS fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
Note: The verify-and-repair pipeline is a real defense — it catches many miscompilations. But it is a second LLM checking the first. A permissive interpretation of an ambiguous clause, validated against a scenario set that does not exercise the permissive case, passes. Two probabilistic systems agreeing is not a deterministic guarantee. The measurement is a fuzz-harness drift rate: the percentage of fuzzed constitutions that produce a permissive rule for the target action.
Type: Escape-path analysis / dependency
Purpose: The credential quarantine is the strongest primitive in the course — but it holds only as long as the V8 isolate does. An isolate escape (a V8 or isolated-vm CVE) is the path from "compromised agent" to "real credentials." This is an escape-path analysis, not a constructed exploit — the course does not teach V8 exploitation. What it establishes is the structural dependence.
Reading the diagram: The agent runs in the isolate with fake keys. The real keys live in the proxy's host process. The isolation is the only thing preventing the agent from reaching them. An escape defeats the isolation; the defense-in-depth prescription layers the sandbox so an escape has to defeat three boundaries.
flowchart TB
subgraph ISOLATE["V8 ISOLATE (the sandbox)"]
direction TB
AGENT["AGENT CODE (TypeScript)<br/>compromised via prompt injection<br/>wants the REAL credentials"]
FAKE["holds FAKE keys only<br/>FAKE_ANTHROPIC_KEY_abc123"]:::teal
FUEL["per-call fuel + memory limits<br/>(partial defense)"]:::warn
AGENT --> FAKE
AGENT --> FUEL
end
BOUNDARY["ISOLATE BOUNDARY<br/>the only thing between<br/>the agent and the real keys"]:::danger
ISOLATE -.->|"must hold"| BOUNDARY
subgraph HOST["HOST PROCESS (where the real keys live)"]
direction TB
PROXY["MITM PROXY<br/>holds REAL keys<br/>does the fake→real swap"]:::danger
NET["network stack<br/>can make calls with real creds"]:::danger
CFG["policy engine config<br/>compiled-policy.json, audit log"]:::danger
end
ESCAPE["ISOLATE ESCAPE (a V8 / isolated-vm CVE)<br/>type confusion · bounds error · JIT bug · GC edge case<br/>→ code runs in the HOST PROCESS, outside the isolate"]:::danger
BOUNDARY -.->|"defeated by"| ESCAPE
ESCAPE -.->|"reaches"| PROXY
ESCAPE -.->|"reaches"| NET
ESCAPE -.->|"reaches"| CFG
DEFEAT["CREDENTIAL QUARANTINE DEFEATED<br/>the strongest primitive in the course<br/>falls to one memory-corruption bug"]:::danger
PROXY -.-> DEFEAT
PRESC["DEFENSE-IN-DEPTH PRESCRIPTION<br/>layer the sandbox so an escape defeats 3, not 1:<br/>ISOLATE (inner) → SECCOMP/CAPABILITY (middle) → EGRESS CONTROLS (outer)<br/>quarantine preserved at outer layer even if isolate falls"]:::teal
DEFEAT -.-> PRESC
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style AGENT fill:#101018,stroke:#9494a0,color:#e4e4e8
style ISOLATE fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
style HOST fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
Note: This break has no InjecAgent delta — the escape depends on a specific V8 version and a specific bug. The measurement is a dependency-CVE audit: is the deployed V8 /
isolated-vmversion current? Are there known escape CVEs? The honest framing: the credential quarantine is one memory-corruption bug from defeat, and the defense-in-depth prescription treats the isolate as one layer among several, not the load-bearing boundary.
Type: Pressure / drift (human analogue) Purpose: The deterministic system still needs a human for edge cases. The human is the probabilistic component the deterministic design cannot eliminate. Three pressure patterns — volume fatigue, contextual fatigue, timing fatigue — degrade the human's allow/deny decisions into rubber-stamping. This is the deterministic analogue of CrabTrap's latency/cost pressure (SDD-B04 Break 3): a defense expensive to honor is a defense the human defeats. Reading the diagram: The attacker generates ambiguous tool calls that force escalation. Three fatigue patterns raise the approval rate. The measurement is a fatigue simulator: approval-rate delta rested vs fatigued.
flowchart TB
EDGE["ATTACKER GENERATES EDGE CASES<br/>tool calls ambiguous under compiled policy<br/>not clearly ALLOW, not clearly DENY<br/>→ forces ESCALATION to human"]:::danger
EDGE --> HUMAN["HUMAN-IN-THE-LOOP<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist<br/>the probabilistic component"]:::warn
HUMAN --> P1
HUMAN --> P2
HUMAN --> P3
P1["VOLUME FATIGUE<br/>many escalations in a short window<br/>human defaults to ALLOW (keeps agent moving)<br/>to clear the backlog"]:::danger
P2["CONTEXTUAL FATIGUE<br/>escalations similar to prior-approved calls<br/>human approves by analogy<br/>misses the difference that makes it an attack<br/>(= SDD-B04 allowlist-widening pattern)"]:::danger
P3["TIMING FATIGUE<br/>escalations during launch / incident / off-hours<br/>approval rate up, scrutiny down<br/>(Signal-on-mobile = double-edged)"]:::danger
P1 --> RUBBER["RUBBER-STAMPING<br/>allow decisions the deterministic engine<br/>was supposed to make — delegated back<br/>to a fatigued human"]:::danger
P2 --> RUBBER
P3 --> RUBBER
PROVES["WHAT IT PROVES:<br/>a deterministic system that needs a human<br/>inherits the human's vulnerabilities<br/>a fatigued human is as steerable as a judge<br/>(= deterministic analogue of CrabTrap latency pressure)"]:::warn
RUBBER -.-> PROVES
MEASURE["MEASUREMENT: fatigue simulator<br/>approval rate: 4% rested → 31% fatigued<br/>(example delta)<br/>controls: rate-limiting + smart batching + two-person rule<br/>(partial, not elimination)"]:::teal
PROVES -.-> MEASURE
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style EDGE fill:#101018,stroke:#f08080,color:#e4e4e8
style HUMAN fill:#101018,stroke:#f0a868,color:#e4e4e8
style RUBBER fill:#101018,stroke:#f08080,color:#f08080
Note: Rate-limiting (cap escalations per hour; deny-by-default above the cap), smart batching (evaluate one representative call, not twenty near-duplicates), and the two-person rule for high-impact allows turn the fatigue surface into a bounded residual. But none eliminates it — the human is the irreducible probabilistic component, and a deterministic system that delegates edge cases to a human inherits the human's failure modes.
Type: Comparison / residual map / prescription Purpose: The thesis of the deep-dive. IronCurtain is the strongest single defense — it closes the two surfaces CrabTrap leaves open (SDD-B04). But it has its own honest residuals: compilation fidelity, the isolate boundary, escalation fatigue. No single residual is a defeat, but no single layer suffices. The prescription layers around IronCurtain: human review for compilation, sandbox defense-in-depth for the isolate, rate-limiting for escalation, and a probabilistic second layer for the ambiguous cases. Reading the diagram: Three IronCurtain residuals on the left; the layered prescription that addresses each on the right. The bottom is B2's thesis: every layer has a residual; the only complete answer is layers.
flowchart LR
subgraph RESID["IRONCURTAIN RESIDUALS (honest)"]
direction TB
R1["COMPILATION FIDELITY<br/>probabilistic LLM compiles<br/>deterministic rules; miscompilation<br/>enforced consistently"]:::danger
R2["V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine<br/>holds only as long as isolate does"]:::danger
R3["ESCALATION FATIGUE<br/>human is probabilistic;<br/>flood → rubber-stamp"]:::danger
end
subgraph LAYERS["THE LAYERED PRESCRIPTION"]
direction TB
L1["LAYER 1 — HUMAN REVIEW GATE<br/>review compiled-policy.json before deploy<br/>diff vs last-reviewed version<br/>catches the residual verify-and-repair missed"]:::teal
L2["LAYER 2 — SANDBOX DEFENSE-IN-DEPTH<br/>isolate (inner) → seccomp/capability (middle)<br/>→ egress controls (outer)<br/>escape defeats 3 layers, not 1"]:::teal
L3["LAYER 3 — ESCALATION RATE-LIMITING<br/>cap/hour + smart batching + two-person rule<br/>fatigue → bounded residual"]:::teal
L4["LAYER 4 — PROBABILISTIC SECOND<br/>LLM-as-judge for escalated cases ONLY<br/>(positioned AFTER deterministic)<br/>judge injectability = residual, not primary surface"]:::warn
end
R1 -.->|"addressed by"| L1
R2 -.->|"addressed by"| L2
R3 -.->|"addressed by"| L3
R3 -.->|"ambiguous cases"| L4
THESIS["B2's THESIS (made concrete)<br/>every layer has a residual; no single layer suffices<br/>deterministic runtime = strongest single layer, NOT a complete answer<br/>the layered prescription closes more surface than IronCurtain alone<br/>SDD-B03 measures layered defense reaching single-digit injection rates"]:::teal
LAYERS -.-> THESIS
RESID -.-> THESIS
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style RESID fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
style LAYERS fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
Note: The engagement deliverable is not "IronCurtain is broken, abandon it." The deterministic runtime is the strongest single layer — keep it. The prescription layers around it: human review for the compilation residual, sandbox defense-in-depth for the isolate residual, rate-limiting for the escalation residual, and a probabilistic second layer for the ambiguous cases the deterministic layer escalates. Each layer addresses a residual the others leave. This is B2's thesis: the only complete answer is layers, and this deep-dive — attacking the strongest single defense — is its motivation.
# Diagrams — SDD-B05: IronCurtain Offensive Analysis
**Module**: SDD-B05 — IronCurtain Offensive Analysis
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).
---
## Diagram 1 — IronCurtain's Architecture Read as an Attack Surface Map
**Type**: Architecture / attack-surface overlay
**Purpose**: The foundational visual. IronCurtain's deterministic runtime has no semantic surface — but the LLM was not eliminated, it was relocated to build time. Three surfaces fall out: the compilation pipeline (a probabilistic LLM compiling the deterministic rules), the V8 isolate (the sandbox the credential quarantine depends on), and the escalation mechanism (the human the deterministic design cannot eliminate). The runtime enforcement engine is deliberately not on the list — pure if/then has no surface.
**Reading the diagram**: Top = the build-time compilation pipeline (surface 1). Middle = the runtime (no surface). Bottom = the isolate boundary (surface 2) and the escalation channel (surface 3). The credential quarantine spans the isolate and the proxy.
```mermaid
flowchart TB
CONSTIT["constitution.md<br/>(plain English policy)"]
subgraph BUILD["BUILD TIME — the compilation pipeline (SURFACE 1)"]
direction TB
ANN["Annotate (LLM)<br/>classify tool args"]
COMP["Compile (LLM)<br/>English → if/then rules"]
RES["Resolve Lists (LLM)<br/>symbols → concrete values"]
SCEN["Generate Scenarios (LLM)<br/>test cases"]
VER["Verify & Repair (LLM)<br/>up to 2 rounds; build fails if unverified"]:::warn
POLICY["compiled-policy.json<br/>(deterministic rules)"]:::teal
ANN --> COMP --> RES --> SCEN --> VER --> POLICY
end
CONSTIT --> BUILD
subgraph RUNTIME["RUNTIME — deterministic enforcement (NO surface)"]
direction TB
ENG["enforcement engine<br/>pure if/then JSON rule eval<br/>ZERO LLM — cannot be injected"]:::teal
DECISION{"ALLOW / DENY / ESCALATE"}
ENG --> DECISION
end
POLICY --> ENG
subgraph SANDBOX["CODE MODE — the V8 isolate (SURFACE 2)"]
direction TB
ISO["V8 isolate (isolated-vm)<br/>agent TypeScript<br/>per-call fuel + memory limits"]:::danger
FAKE["agent holds FAKE keys<br/>FAKE_ANTHROPIC_KEY_abc"]:::teal
ISO --> FAKE
end
PROXY["MITM PROXY (host process)<br/>holds REAL keys<br/>hot-swaps fake→real at boundary"]:::danger
FAKE -.->|"API call transits proxy"| PROXY
PROXY -.->|"swap happens here"| PROVIDER["LLM provider"]
HUMAN["ESCALATION → HUMAN (SURFACE 3)<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist"]:::danger
DECISION -->|"escalate (edge case)"| HUMAN
HUMAN -.->|"fatigued → rubber-stamp"| AUTO["auto-approve (the fatigue failure)"]:::danger
SURF1["SURFACE 1 — COMPILATION FIDELITY<br/>probabilistic LLM compiles deterministic rules<br/>miscompilation enforced consistently"]:::danger
SURF2["SURFACE 2 — V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine holds<br/>only as long as the isolate does"]:::danger
SURF3["SURFACE 3 — ESCALATION FATIGUE<br/>human is the probabilistic component<br/>flood → rubber-stamp"]:::danger
VER -.-> SURF1
ISO -.-> SURF2
HUMAN -.-> SURF3
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style CONSTIT fill:#101018,stroke:#9494a0,color:#e4e4e8
style DECISION fill:#101018,stroke:#5eead4,color:#e4e4e8
style PROVIDER fill:#101018,stroke:#9494a0,color:#e4e4e8
style BUILD fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
style RUNTIME fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
style SANDBOX fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
```
> **Note**: The runtime enforcement engine is the part of IronCurtain that genuinely has no attack surface — pure if/then cannot be injected. The surfaces are everything around it: the build-time compilation (a probabilistic system producing the deterministic rules), the isolate boundary (the sandbox the quarantine depends on), and the escalation channel (the human the deterministic design still needs). The LLM was not eliminated; it was relocated.
---
## Diagram 2 — Break 1: Compilation Fidelity — Steering the Build-Time LLM
**Type**: Attack flow
**Purpose**: The primary break. The deterministic policy is compiled by a probabilistic LLM. Three vectors steer the compilation toward a permissive rule: constitution ambiguity, scenario coverage gaps, and resolved-list poisoning. The verify-and-repair defense mitigates but does not eliminate — it is a second LLM checking the first, and two probabilistic systems agreeing is not a deterministic guarantee.
**Reading the diagram**: The attacker influences the constitution, the scenario set, or a resolved list. The compilation produces a permissive rule. The verify-and-repair stage may catch it — or may agree with the miscompilation. The permissive rule is then enforced deterministically, consistently, every time.
```mermaid
flowchart TB
subgraph VECTORS["THREE ATTACK VECTORS"]
direction TB
V1["CONSTITUTION AMBIGUITY<br/>'may post to internal channels<br/>for routine updates' — what counts?<br/>steer the resolution toward permissive"]:::danger
V2["SCENARIO COVERAGE GAP<br/>scenario set doesn't exercise<br/>the attacker's intended action<br/>→ verify-and-repair never tests it"]:::danger
V3["RESOLVED-LIST POISONING<br/>@trusted-endpoints includes<br/>attacker domain; @sensitive-ops<br/>omits the target action"]:::danger
end
V1 --> COMP
V2 --> COMP
V3 --> COMP
COMP["COMPILE (LLM)<br/>translates English → if/then<br/>produces a PERMISSIVE rule<br/>(e.g. allows the exfil webhook)"]:::warn
COMP --> VER["VERIFY & REPAIR (LLM)<br/>a second LLM checks the first<br/>may catch — or may AGREE with<br/>the miscompilation"]:::warn
VER --> Q{"does verify agree<br/>with the miscompilation?"}
Q -->|"YES (the residual)"| PASS["PERMISSIVE RULE PASSES<br/>baked into compiled-policy.json"]:::danger
Q -->|"NO — caught"| REPAIR["repaired (up to 2 rounds)<br/>or build fails"]:::teal
PASS --> RUNTIME["DETERMINISTIC RUNTIME<br/>enforces the permissive rule<br/>CONSISTENTLY, every time<br/>(no runtime chance of refusal)"]:::danger
PROVES["WHAT IT PROVES:<br/>relocating the LLM from runtime to build time<br/>does NOT eliminate the probabilistic component<br/>— it CONCENTRATES it. One miscompilation<br/>= a consistently-enforced wrong rule"]:::warn
RUNTIME -.-> PROVES
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style COMP fill:#101018,stroke:#f0a868,color:#e4e4e8
style VER fill:#101018,stroke:#f0a868,color:#e4e4e8
style Q fill:#101018,stroke:#f0a868,color:#e4e4e8
style VECTORS fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
```
> **Note**: The verify-and-repair pipeline is a real defense — it catches many miscompilations. But it is a second LLM checking the first. A permissive interpretation of an ambiguous clause, validated against a scenario set that does not exercise the permissive case, passes. Two probabilistic systems agreeing is not a deterministic guarantee. The measurement is a fuzz-harness drift rate: the percentage of fuzzed constitutions that produce a permissive rule for the target action.
---
## Diagram 3 — Break 2: The V8 Isolate Boundary and the Credential Quarantine
**Type**: Escape-path analysis / dependency
**Purpose**: The credential quarantine is the strongest primitive in the course — but it holds only as long as the V8 isolate does. An isolate escape (a V8 or `isolated-vm` CVE) is the path from "compromised agent" to "real credentials." This is an escape-path analysis, not a constructed exploit — the course does not teach V8 exploitation. What it establishes is the structural dependence.
**Reading the diagram**: The agent runs in the isolate with fake keys. The real keys live in the proxy's host process. The isolation is the only thing preventing the agent from reaching them. An escape defeats the isolation; the defense-in-depth prescription layers the sandbox so an escape has to defeat three boundaries.
```mermaid
flowchart TB
subgraph ISOLATE["V8 ISOLATE (the sandbox)"]
direction TB
AGENT["AGENT CODE (TypeScript)<br/>compromised via prompt injection<br/>wants the REAL credentials"]
FAKE["holds FAKE keys only<br/>FAKE_ANTHROPIC_KEY_abc123"]:::teal
FUEL["per-call fuel + memory limits<br/>(partial defense)"]:::warn
AGENT --> FAKE
AGENT --> FUEL
end
BOUNDARY["ISOLATE BOUNDARY<br/>the only thing between<br/>the agent and the real keys"]:::danger
ISOLATE -.->|"must hold"| BOUNDARY
subgraph HOST["HOST PROCESS (where the real keys live)"]
direction TB
PROXY["MITM PROXY<br/>holds REAL keys<br/>does the fake→real swap"]:::danger
NET["network stack<br/>can make calls with real creds"]:::danger
CFG["policy engine config<br/>compiled-policy.json, audit log"]:::danger
end
ESCAPE["ISOLATE ESCAPE (a V8 / isolated-vm CVE)<br/>type confusion · bounds error · JIT bug · GC edge case<br/>→ code runs in the HOST PROCESS, outside the isolate"]:::danger
BOUNDARY -.->|"defeated by"| ESCAPE
ESCAPE -.->|"reaches"| PROXY
ESCAPE -.->|"reaches"| NET
ESCAPE -.->|"reaches"| CFG
DEFEAT["CREDENTIAL QUARANTINE DEFEATED<br/>the strongest primitive in the course<br/>falls to one memory-corruption bug"]:::danger
PROXY -.-> DEFEAT
PRESC["DEFENSE-IN-DEPTH PRESCRIPTION<br/>layer the sandbox so an escape defeats 3, not 1:<br/>ISOLATE (inner) → SECCOMP/CAPABILITY (middle) → EGRESS CONTROLS (outer)<br/>quarantine preserved at outer layer even if isolate falls"]:::teal
DEFEAT -.-> PRESC
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style AGENT fill:#101018,stroke:#9494a0,color:#e4e4e8
style ISOLATE fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
style HOST fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
```
> **Note**: This break has no InjecAgent delta — the escape depends on a specific V8 version and a specific bug. The measurement is a dependency-CVE audit: is the deployed V8 / `isolated-vm` version current? Are there known escape CVEs? The honest framing: the credential quarantine is one memory-corruption bug from defeat, and the defense-in-depth prescription treats the isolate as one layer among several, not the load-bearing boundary.
---
## Diagram 4 — Break 3: Escalation Fatigue — Flooding the Human-in-the-Loop
**Type**: Pressure / drift (human analogue)
**Purpose**: The deterministic system still needs a human for edge cases. The human is the probabilistic component the deterministic design cannot eliminate. Three pressure patterns — volume fatigue, contextual fatigue, timing fatigue — degrade the human's allow/deny decisions into rubber-stamping. This is the deterministic analogue of CrabTrap's latency/cost pressure (SDD-B04 Break 3): a defense expensive to honor is a defense the human defeats.
**Reading the diagram**: The attacker generates ambiguous tool calls that force escalation. Three fatigue patterns raise the approval rate. The measurement is a fatigue simulator: approval-rate delta rested vs fatigued.
```mermaid
flowchart TB
EDGE["ATTACKER GENERATES EDGE CASES<br/>tool calls ambiguous under compiled policy<br/>not clearly ALLOW, not clearly DENY<br/>→ forces ESCALATION to human"]:::danger
EDGE --> HUMAN["HUMAN-IN-THE-LOOP<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist<br/>the probabilistic component"]:::warn
HUMAN --> P1
HUMAN --> P2
HUMAN --> P3
P1["VOLUME FATIGUE<br/>many escalations in a short window<br/>human defaults to ALLOW (keeps agent moving)<br/>to clear the backlog"]:::danger
P2["CONTEXTUAL FATIGUE<br/>escalations similar to prior-approved calls<br/>human approves by analogy<br/>misses the difference that makes it an attack<br/>(= SDD-B04 allowlist-widening pattern)"]:::danger
P3["TIMING FATIGUE<br/>escalations during launch / incident / off-hours<br/>approval rate up, scrutiny down<br/>(Signal-on-mobile = double-edged)"]:::danger
P1 --> RUBBER["RUBBER-STAMPING<br/>allow decisions the deterministic engine<br/>was supposed to make — delegated back<br/>to a fatigued human"]:::danger
P2 --> RUBBER
P3 --> RUBBER
PROVES["WHAT IT PROVES:<br/>a deterministic system that needs a human<br/>inherits the human's vulnerabilities<br/>a fatigued human is as steerable as a judge<br/>(= deterministic analogue of CrabTrap latency pressure)"]:::warn
RUBBER -.-> PROVES
MEASURE["MEASUREMENT: fatigue simulator<br/>approval rate: 4% rested → 31% fatigued<br/>(example delta)<br/>controls: rate-limiting + smart batching + two-person rule<br/>(partial, not elimination)"]:::teal
PROVES -.-> MEASURE
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style EDGE fill:#101018,stroke:#f08080,color:#e4e4e8
style HUMAN fill:#101018,stroke:#f0a868,color:#e4e4e8
style RUBBER fill:#101018,stroke:#f08080,color:#f08080
```
> **Note**: Rate-limiting (cap escalations per hour; deny-by-default above the cap), smart batching (evaluate one representative call, not twenty near-duplicates), and the two-person rule for high-impact allows turn the fatigue surface into a bounded residual. But none eliminates it — the human is the irreducible probabilistic component, and a deterministic system that delegates edge cases to a human inherits the human's failure modes.
---
## Diagram 5 — Defense-in-Depth: Why No Single Layer Suffices
**Type**: Comparison / residual map / prescription
**Purpose**: The thesis of the deep-dive. IronCurtain is the strongest single defense — it closes the two surfaces CrabTrap leaves open (SDD-B04). But it has its own honest residuals: compilation fidelity, the isolate boundary, escalation fatigue. No single residual is a defeat, but no single layer suffices. The prescription layers around IronCurtain: human review for compilation, sandbox defense-in-depth for the isolate, rate-limiting for escalation, and a probabilistic second layer for the ambiguous cases.
**Reading the diagram**: Three IronCurtain residuals on the left; the layered prescription that addresses each on the right. The bottom is B2's thesis: every layer has a residual; the only complete answer is layers.
```mermaid
flowchart LR
subgraph RESID["IRONCURTAIN RESIDUALS (honest)"]
direction TB
R1["COMPILATION FIDELITY<br/>probabilistic LLM compiles<br/>deterministic rules; miscompilation<br/>enforced consistently"]:::danger
R2["V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine<br/>holds only as long as isolate does"]:::danger
R3["ESCALATION FATIGUE<br/>human is probabilistic;<br/>flood → rubber-stamp"]:::danger
end
subgraph LAYERS["THE LAYERED PRESCRIPTION"]
direction TB
L1["LAYER 1 — HUMAN REVIEW GATE<br/>review compiled-policy.json before deploy<br/>diff vs last-reviewed version<br/>catches the residual verify-and-repair missed"]:::teal
L2["LAYER 2 — SANDBOX DEFENSE-IN-DEPTH<br/>isolate (inner) → seccomp/capability (middle)<br/>→ egress controls (outer)<br/>escape defeats 3 layers, not 1"]:::teal
L3["LAYER 3 — ESCALATION RATE-LIMITING<br/>cap/hour + smart batching + two-person rule<br/>fatigue → bounded residual"]:::teal
L4["LAYER 4 — PROBABILISTIC SECOND<br/>LLM-as-judge for escalated cases ONLY<br/>(positioned AFTER deterministic)<br/>judge injectability = residual, not primary surface"]:::warn
end
R1 -.->|"addressed by"| L1
R2 -.->|"addressed by"| L2
R3 -.->|"addressed by"| L3
R3 -.->|"ambiguous cases"| L4
THESIS["B2's THESIS (made concrete)<br/>every layer has a residual; no single layer suffices<br/>deterministic runtime = strongest single layer, NOT a complete answer<br/>the layered prescription closes more surface than IronCurtain alone<br/>SDD-B03 measures layered defense reaching single-digit injection rates"]:::teal
LAYERS -.-> THESIS
RESID -.-> THESIS
classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
style RESID fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
style LAYERS fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
```
> **Note**: The engagement deliverable is not "IronCurtain is broken, abandon it." The deterministic runtime is the strongest single layer — keep it. The prescription layers around it: human review for the compilation residual, sandbox defense-in-depth for the isolate residual, rate-limiting for the escalation residual, and a probabilistic second layer for the ambiguous cases the deterministic layer escalates. Each layer addresses a residual the others leave. This is B2's thesis: the only complete answer is layers, and this deep-dive — attacking the strongest single defense — is its motivation.