Diagrams — SDD-B05: IronCurtain Offensive Analysis

Module: SDD-B05 — IronCurtain Offensive Analysis Diagram count: 5 Tool: Mermaid (primary). Each diagram validated in Mermaid Live Editor.


Diagram 1 — IronCurtain's Architecture Read as an Attack Surface Map

Type: Architecture / attack-surface overlay Purpose: The foundational visual. IronCurtain's deterministic runtime has no semantic surface — but the LLM was not eliminated, it was relocated to build time. Three surfaces fall out: the compilation pipeline (a probabilistic LLM compiling the deterministic rules), the V8 isolate (the sandbox the credential quarantine depends on), and the escalation mechanism (the human the deterministic design cannot eliminate). The runtime enforcement engine is deliberately not on the list — pure if/then has no surface. Reading the diagram: Top = the build-time compilation pipeline (surface 1). Middle = the runtime (no surface). Bottom = the isolate boundary (surface 2) and the escalation channel (surface 3). The credential quarantine spans the isolate and the proxy.

flowchart TB
  CONSTIT["constitution.md<br/>(plain English policy)"]

  subgraph BUILD["BUILD TIME — the compilation pipeline (SURFACE 1)"]
    direction TB
    ANN["Annotate (LLM)<br/>classify tool args"]
    COMP["Compile (LLM)<br/>English → if/then rules"]
    RES["Resolve Lists (LLM)<br/>symbols → concrete values"]
    SCEN["Generate Scenarios (LLM)<br/>test cases"]
    VER["Verify &amp; Repair (LLM)<br/>up to 2 rounds; build fails if unverified"]:::warn
    POLICY["compiled-policy.json<br/>(deterministic rules)"]:::teal
    ANN --> COMP --> RES --> SCEN --> VER --> POLICY
  end

  CONSTIT --> BUILD

  subgraph RUNTIME["RUNTIME — deterministic enforcement (NO surface)"]
    direction TB
    ENG["enforcement engine<br/>pure if/then JSON rule eval<br/>ZERO LLM — cannot be injected"]:::teal
    DECISION{"ALLOW / DENY / ESCALATE"}
    ENG --> DECISION
  end

  POLICY --> ENG

  subgraph SANDBOX["CODE MODE — the V8 isolate (SURFACE 2)"]
    direction TB
    ISO["V8 isolate (isolated-vm)<br/>agent TypeScript<br/>per-call fuel + memory limits"]:::danger
    FAKE["agent holds FAKE keys<br/>FAKE_ANTHROPIC_KEY_abc"]:::teal
    ISO --> FAKE
  end

  PROXY["MITM PROXY (host process)<br/>holds REAL keys<br/>hot-swaps fake→real at boundary"]:::danger
  FAKE -.->|"API call transits proxy"| PROXY
  PROXY -.->|"swap happens here"| PROVIDER["LLM provider"]

  HUMAN["ESCALATION → HUMAN (SURFACE 3)<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist"]:::danger
  DECISION -->|"escalate (edge case)"| HUMAN
  HUMAN -.->|"fatigued → rubber-stamp"| AUTO["auto-approve (the fatigue failure)"]:::danger

  SURF1["SURFACE 1 — COMPILATION FIDELITY<br/>probabilistic LLM compiles deterministic rules<br/>miscompilation enforced consistently"]:::danger
  SURF2["SURFACE 2 — V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine holds<br/>only as long as the isolate does"]:::danger
  SURF3["SURFACE 3 — ESCALATION FATIGUE<br/>human is the probabilistic component<br/>flood → rubber-stamp"]:::danger

  VER -.-> SURF1
  ISO -.-> SURF2
  HUMAN -.-> SURF3

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style CONSTIT fill:#101018,stroke:#9494a0,color:#e4e4e8
  style DECISION fill:#101018,stroke:#5eead4,color:#e4e4e8
  style PROVIDER fill:#101018,stroke:#9494a0,color:#e4e4e8
  style BUILD fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
  style RUNTIME fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style SANDBOX fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8

Note: The runtime enforcement engine is the part of IronCurtain that genuinely has no attack surface — pure if/then cannot be injected. The surfaces are everything around it: the build-time compilation (a probabilistic system producing the deterministic rules), the isolate boundary (the sandbox the quarantine depends on), and the escalation channel (the human the deterministic design still needs). The LLM was not eliminated; it was relocated.


Diagram 2 — Break 1: Compilation Fidelity — Steering the Build-Time LLM

Type: Attack flow Purpose: The primary break. The deterministic policy is compiled by a probabilistic LLM. Three vectors steer the compilation toward a permissive rule: constitution ambiguity, scenario coverage gaps, and resolved-list poisoning. The verify-and-repair defense mitigates but does not eliminate — it is a second LLM checking the first, and two probabilistic systems agreeing is not a deterministic guarantee. Reading the diagram: The attacker influences the constitution, the scenario set, or a resolved list. The compilation produces a permissive rule. The verify-and-repair stage may catch it — or may agree with the miscompilation. The permissive rule is then enforced deterministically, consistently, every time.

flowchart TB
  subgraph VECTORS["THREE ATTACK VECTORS"]
    direction TB
    V1["CONSTITUTION AMBIGUITY<br/>'may post to internal channels<br/>for routine updates' — what counts?<br/>steer the resolution toward permissive"]:::danger
    V2["SCENARIO COVERAGE GAP<br/>scenario set doesn't exercise<br/>the attacker's intended action<br/>→ verify-and-repair never tests it"]:::danger
    V3["RESOLVED-LIST POISONING<br/>@trusted-endpoints includes<br/>attacker domain; @sensitive-ops<br/>omits the target action"]:::danger
  end

  V1 --> COMP
  V2 --> COMP
  V3 --> COMP

  COMP["COMPILE (LLM)<br/>translates English → if/then<br/>produces a PERMISSIVE rule<br/>(e.g. allows the exfil webhook)"]:::warn

  COMP --> VER["VERIFY &amp; REPAIR (LLM)<br/>a second LLM checks the first<br/>may catch — or may AGREE with<br/>the miscompilation"]:::warn

  VER --> Q{"does verify agree<br/>with the miscompilation?"}

  Q -->|"YES (the residual)"| PASS["PERMISSIVE RULE PASSES<br/>baked into compiled-policy.json"]:::danger
  Q -->|"NO — caught"| REPAIR["repaired (up to 2 rounds)<br/>or build fails"]:::teal

  PASS --> RUNTIME["DETERMINISTIC RUNTIME<br/>enforces the permissive rule<br/>CONSISTENTLY, every time<br/>(no runtime chance of refusal)"]:::danger

  PROVES["WHAT IT PROVES:<br/>relocating the LLM from runtime to build time<br/>does NOT eliminate the probabilistic component<br/>— it CONCENTRATES it. One miscompilation<br/>= a consistently-enforced wrong rule"]:::warn
  RUNTIME -.-> PROVES

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style COMP fill:#101018,stroke:#f0a868,color:#e4e4e8
  style VER fill:#101018,stroke:#f0a868,color:#e4e4e8
  style Q fill:#101018,stroke:#f0a868,color:#e4e4e8
  style VECTORS fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8

Note: The verify-and-repair pipeline is a real defense — it catches many miscompilations. But it is a second LLM checking the first. A permissive interpretation of an ambiguous clause, validated against a scenario set that does not exercise the permissive case, passes. Two probabilistic systems agreeing is not a deterministic guarantee. The measurement is a fuzz-harness drift rate: the percentage of fuzzed constitutions that produce a permissive rule for the target action.


Diagram 3 — Break 2: The V8 Isolate Boundary and the Credential Quarantine

Type: Escape-path analysis / dependency Purpose: The credential quarantine is the strongest primitive in the course — but it holds only as long as the V8 isolate does. An isolate escape (a V8 or isolated-vm CVE) is the path from "compromised agent" to "real credentials." This is an escape-path analysis, not a constructed exploit — the course does not teach V8 exploitation. What it establishes is the structural dependence. Reading the diagram: The agent runs in the isolate with fake keys. The real keys live in the proxy's host process. The isolation is the only thing preventing the agent from reaching them. An escape defeats the isolation; the defense-in-depth prescription layers the sandbox so an escape has to defeat three boundaries.

flowchart TB
  subgraph ISOLATE["V8 ISOLATE (the sandbox)"]
    direction TB
    AGENT["AGENT CODE (TypeScript)<br/>compromised via prompt injection<br/>wants the REAL credentials"]
    FAKE["holds FAKE keys only<br/>FAKE_ANTHROPIC_KEY_abc123"]:::teal
    FUEL["per-call fuel + memory limits<br/>(partial defense)"]:::warn
    AGENT --> FAKE
    AGENT --> FUEL
  end

  BOUNDARY["ISOLATE BOUNDARY<br/>the only thing between<br/>the agent and the real keys"]:::danger

  ISOLATE -.->|"must hold"| BOUNDARY

  subgraph HOST["HOST PROCESS (where the real keys live)"]
    direction TB
    PROXY["MITM PROXY<br/>holds REAL keys<br/>does the fake→real swap"]:::danger
    NET["network stack<br/>can make calls with real creds"]:::danger
    CFG["policy engine config<br/>compiled-policy.json, audit log"]:::danger
  end

  ESCAPE["ISOLATE ESCAPE (a V8 / isolated-vm CVE)<br/>type confusion · bounds error · JIT bug · GC edge case<br/>→ code runs in the HOST PROCESS, outside the isolate"]:::danger

  BOUNDARY -.->|"defeated by"| ESCAPE
  ESCAPE -.->|"reaches"| PROXY
  ESCAPE -.->|"reaches"| NET
  ESCAPE -.->|"reaches"| CFG

  DEFEAT["CREDENTIAL QUARANTINE DEFEATED<br/>the strongest primitive in the course<br/>falls to one memory-corruption bug"]:::danger
  PROXY -.-> DEFEAT

  PRESC["DEFENSE-IN-DEPTH PRESCRIPTION<br/>layer the sandbox so an escape defeats 3, not 1:<br/>ISOLATE (inner) → SECCOMP/CAPABILITY (middle) → EGRESS CONTROLS (outer)<br/>quarantine preserved at outer layer even if isolate falls"]:::teal
  DEFEAT -.-> PRESC

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style AGENT fill:#101018,stroke:#9494a0,color:#e4e4e8
  style ISOLATE fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style HOST fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8

Note: This break has no InjecAgent delta — the escape depends on a specific V8 version and a specific bug. The measurement is a dependency-CVE audit: is the deployed V8 / isolated-vm version current? Are there known escape CVEs? The honest framing: the credential quarantine is one memory-corruption bug from defeat, and the defense-in-depth prescription treats the isolate as one layer among several, not the load-bearing boundary.


Diagram 4 — Break 3: Escalation Fatigue — Flooding the Human-in-the-Loop

Type: Pressure / drift (human analogue) Purpose: The deterministic system still needs a human for edge cases. The human is the probabilistic component the deterministic design cannot eliminate. Three pressure patterns — volume fatigue, contextual fatigue, timing fatigue — degrade the human's allow/deny decisions into rubber-stamping. This is the deterministic analogue of CrabTrap's latency/cost pressure (SDD-B04 Break 3): a defense expensive to honor is a defense the human defeats. Reading the diagram: The attacker generates ambiguous tool calls that force escalation. Three fatigue patterns raise the approval rate. The measurement is a fatigue simulator: approval-rate delta rested vs fatigued.

flowchart TB
  EDGE["ATTACKER GENERATES EDGE CASES<br/>tool calls ambiguous under compiled policy<br/>not clearly ALLOW, not clearly DENY<br/>→ forces ESCALATION to human"]:::danger

  EDGE --> HUMAN["HUMAN-IN-THE-LOOP<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist<br/>the probabilistic component"]:::warn

  HUMAN --> P1
  HUMAN --> P2
  HUMAN --> P3

  P1["VOLUME FATIGUE<br/>many escalations in a short window<br/>human defaults to ALLOW (keeps agent moving)<br/>to clear the backlog"]:::danger
  P2["CONTEXTUAL FATIGUE<br/>escalations similar to prior-approved calls<br/>human approves by analogy<br/>misses the difference that makes it an attack<br/>(= SDD-B04 allowlist-widening pattern)"]:::danger
  P3["TIMING FATIGUE<br/>escalations during launch / incident / off-hours<br/>approval rate up, scrutiny down<br/>(Signal-on-mobile = double-edged)"]:::danger

  P1 --> RUBBER["RUBBER-STAMPING<br/>allow decisions the deterministic engine<br/>was supposed to make — delegated back<br/>to a fatigued human"]:::danger
  P2 --> RUBBER
  P3 --> RUBBER

  PROVES["WHAT IT PROVES:<br/>a deterministic system that needs a human<br/>inherits the human's vulnerabilities<br/>a fatigued human is as steerable as a judge<br/>(= deterministic analogue of CrabTrap latency pressure)"]:::warn
  RUBBER -.-> PROVES

  MEASURE["MEASUREMENT: fatigue simulator<br/>approval rate: 4% rested → 31% fatigued<br/>(example delta)<br/>controls: rate-limiting + smart batching + two-person rule<br/>(partial, not elimination)"]:::teal
  PROVES -.-> MEASURE

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style EDGE fill:#101018,stroke:#f08080,color:#e4e4e8
  style HUMAN fill:#101018,stroke:#f0a868,color:#e4e4e8
  style RUBBER fill:#101018,stroke:#f08080,color:#f08080

Note: Rate-limiting (cap escalations per hour; deny-by-default above the cap), smart batching (evaluate one representative call, not twenty near-duplicates), and the two-person rule for high-impact allows turn the fatigue surface into a bounded residual. But none eliminates it — the human is the irreducible probabilistic component, and a deterministic system that delegates edge cases to a human inherits the human's failure modes.


Diagram 5 — Defense-in-Depth: Why No Single Layer Suffices

Type: Comparison / residual map / prescription Purpose: The thesis of the deep-dive. IronCurtain is the strongest single defense — it closes the two surfaces CrabTrap leaves open (SDD-B04). But it has its own honest residuals: compilation fidelity, the isolate boundary, escalation fatigue. No single residual is a defeat, but no single layer suffices. The prescription layers around IronCurtain: human review for compilation, sandbox defense-in-depth for the isolate, rate-limiting for escalation, and a probabilistic second layer for the ambiguous cases. Reading the diagram: Three IronCurtain residuals on the left; the layered prescription that addresses each on the right. The bottom is B2's thesis: every layer has a residual; the only complete answer is layers.

flowchart LR
  subgraph RESID["IRONCURTAIN RESIDUALS (honest)"]
    direction TB
    R1["COMPILATION FIDELITY<br/>probabilistic LLM compiles<br/>deterministic rules; miscompilation<br/>enforced consistently"]:::danger
    R2["V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine<br/>holds only as long as isolate does"]:::danger
    R3["ESCALATION FATIGUE<br/>human is probabilistic;<br/>flood → rubber-stamp"]:::danger
  end

  subgraph LAYERS["THE LAYERED PRESCRIPTION"]
    direction TB
    L1["LAYER 1 — HUMAN REVIEW GATE<br/>review compiled-policy.json before deploy<br/>diff vs last-reviewed version<br/>catches the residual verify-and-repair missed"]:::teal
    L2["LAYER 2 — SANDBOX DEFENSE-IN-DEPTH<br/>isolate (inner) → seccomp/capability (middle)<br/>→ egress controls (outer)<br/>escape defeats 3 layers, not 1"]:::teal
    L3["LAYER 3 — ESCALATION RATE-LIMITING<br/>cap/hour + smart batching + two-person rule<br/>fatigue → bounded residual"]:::teal
    L4["LAYER 4 — PROBABILISTIC SECOND<br/>LLM-as-judge for escalated cases ONLY<br/>(positioned AFTER deterministic)<br/>judge injectability = residual, not primary surface"]:::warn
  end

  R1 -.->|"addressed by"| L1
  R2 -.->|"addressed by"| L2
  R3 -.->|"addressed by"| L3
  R3 -.->|"ambiguous cases"| L4

  THESIS["B2's THESIS (made concrete)<br/>every layer has a residual; no single layer suffices<br/>deterministic runtime = strongest single layer, NOT a complete answer<br/>the layered prescription closes more surface than IronCurtain alone<br/>SDD-B03 measures layered defense reaching single-digit injection rates"]:::teal

  LAYERS -.-> THESIS
  RESID -.-> THESIS

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style RESID fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
  style LAYERS fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8

Note: The engagement deliverable is not "IronCurtain is broken, abandon it." The deterministic runtime is the strongest single layer — keep it. The prescription layers around it: human review for the compilation residual, sandbox defense-in-depth for the isolate residual, rate-limiting for the escalation residual, and a probabilistic second layer for the ambiguous cases the deterministic layer escalates. Each layer addresses a residual the others leave. This is B2's thesis: the only complete answer is layers, and this deep-dive — attacking the strongest single defense — is its motivation.

# Diagrams — SDD-B05: IronCurtain Offensive Analysis

**Module**: SDD-B05 — IronCurtain Offensive Analysis
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).

---

## Diagram 1 — IronCurtain's Architecture Read as an Attack Surface Map

**Type**: Architecture / attack-surface overlay
**Purpose**: The foundational visual. IronCurtain's deterministic runtime has no semantic surface — but the LLM was not eliminated, it was relocated to build time. Three surfaces fall out: the compilation pipeline (a probabilistic LLM compiling the deterministic rules), the V8 isolate (the sandbox the credential quarantine depends on), and the escalation mechanism (the human the deterministic design cannot eliminate). The runtime enforcement engine is deliberately not on the list — pure if/then has no surface.
**Reading the diagram**: Top = the build-time compilation pipeline (surface 1). Middle = the runtime (no surface). Bottom = the isolate boundary (surface 2) and the escalation channel (surface 3). The credential quarantine spans the isolate and the proxy.

```mermaid
flowchart TB
  CONSTIT["constitution.md<br/>(plain English policy)"]

  subgraph BUILD["BUILD TIME — the compilation pipeline (SURFACE 1)"]
    direction TB
    ANN["Annotate (LLM)<br/>classify tool args"]
    COMP["Compile (LLM)<br/>English → if/then rules"]
    RES["Resolve Lists (LLM)<br/>symbols → concrete values"]
    SCEN["Generate Scenarios (LLM)<br/>test cases"]
    VER["Verify &amp; Repair (LLM)<br/>up to 2 rounds; build fails if unverified"]:::warn
    POLICY["compiled-policy.json<br/>(deterministic rules)"]:::teal
    ANN --> COMP --> RES --> SCEN --> VER --> POLICY
  end

  CONSTIT --> BUILD

  subgraph RUNTIME["RUNTIME — deterministic enforcement (NO surface)"]
    direction TB
    ENG["enforcement engine<br/>pure if/then JSON rule eval<br/>ZERO LLM — cannot be injected"]:::teal
    DECISION{"ALLOW / DENY / ESCALATE"}
    ENG --> DECISION
  end

  POLICY --> ENG

  subgraph SANDBOX["CODE MODE — the V8 isolate (SURFACE 2)"]
    direction TB
    ISO["V8 isolate (isolated-vm)<br/>agent TypeScript<br/>per-call fuel + memory limits"]:::danger
    FAKE["agent holds FAKE keys<br/>FAKE_ANTHROPIC_KEY_abc"]:::teal
    ISO --> FAKE
  end

  PROXY["MITM PROXY (host process)<br/>holds REAL keys<br/>hot-swaps fake→real at boundary"]:::danger
  FAKE -.->|"API call transits proxy"| PROXY
  PROXY -.->|"swap happens here"| PROVIDER["LLM provider"]

  HUMAN["ESCALATION → HUMAN (SURFACE 3)<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist"]:::danger
  DECISION -->|"escalate (edge case)"| HUMAN
  HUMAN -.->|"fatigued → rubber-stamp"| AUTO["auto-approve (the fatigue failure)"]:::danger

  SURF1["SURFACE 1 — COMPILATION FIDELITY<br/>probabilistic LLM compiles deterministic rules<br/>miscompilation enforced consistently"]:::danger
  SURF2["SURFACE 2 — V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine holds<br/>only as long as the isolate does"]:::danger
  SURF3["SURFACE 3 — ESCALATION FATIGUE<br/>human is the probabilistic component<br/>flood → rubber-stamp"]:::danger

  VER -.-> SURF1
  ISO -.-> SURF2
  HUMAN -.-> SURF3

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style CONSTIT fill:#101018,stroke:#9494a0,color:#e4e4e8
  style DECISION fill:#101018,stroke:#5eead4,color:#e4e4e8
  style PROVIDER fill:#101018,stroke:#9494a0,color:#e4e4e8
  style BUILD fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
  style RUNTIME fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style SANDBOX fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
```

> **Note**: The runtime enforcement engine is the part of IronCurtain that genuinely has no attack surface — pure if/then cannot be injected. The surfaces are everything around it: the build-time compilation (a probabilistic system producing the deterministic rules), the isolate boundary (the sandbox the quarantine depends on), and the escalation channel (the human the deterministic design still needs). The LLM was not eliminated; it was relocated.

---

## Diagram 2 — Break 1: Compilation Fidelity — Steering the Build-Time LLM

**Type**: Attack flow
**Purpose**: The primary break. The deterministic policy is compiled by a probabilistic LLM. Three vectors steer the compilation toward a permissive rule: constitution ambiguity, scenario coverage gaps, and resolved-list poisoning. The verify-and-repair defense mitigates but does not eliminate — it is a second LLM checking the first, and two probabilistic systems agreeing is not a deterministic guarantee.
**Reading the diagram**: The attacker influences the constitution, the scenario set, or a resolved list. The compilation produces a permissive rule. The verify-and-repair stage may catch it — or may agree with the miscompilation. The permissive rule is then enforced deterministically, consistently, every time.

```mermaid
flowchart TB
  subgraph VECTORS["THREE ATTACK VECTORS"]
    direction TB
    V1["CONSTITUTION AMBIGUITY<br/>'may post to internal channels<br/>for routine updates' — what counts?<br/>steer the resolution toward permissive"]:::danger
    V2["SCENARIO COVERAGE GAP<br/>scenario set doesn't exercise<br/>the attacker's intended action<br/>→ verify-and-repair never tests it"]:::danger
    V3["RESOLVED-LIST POISONING<br/>@trusted-endpoints includes<br/>attacker domain; @sensitive-ops<br/>omits the target action"]:::danger
  end

  V1 --> COMP
  V2 --> COMP
  V3 --> COMP

  COMP["COMPILE (LLM)<br/>translates English → if/then<br/>produces a PERMISSIVE rule<br/>(e.g. allows the exfil webhook)"]:::warn

  COMP --> VER["VERIFY &amp; REPAIR (LLM)<br/>a second LLM checks the first<br/>may catch — or may AGREE with<br/>the miscompilation"]:::warn

  VER --> Q{"does verify agree<br/>with the miscompilation?"}

  Q -->|"YES (the residual)"| PASS["PERMISSIVE RULE PASSES<br/>baked into compiled-policy.json"]:::danger
  Q -->|"NO — caught"| REPAIR["repaired (up to 2 rounds)<br/>or build fails"]:::teal

  PASS --> RUNTIME["DETERMINISTIC RUNTIME<br/>enforces the permissive rule<br/>CONSISTENTLY, every time<br/>(no runtime chance of refusal)"]:::danger

  PROVES["WHAT IT PROVES:<br/>relocating the LLM from runtime to build time<br/>does NOT eliminate the probabilistic component<br/>— it CONCENTRATES it. One miscompilation<br/>= a consistently-enforced wrong rule"]:::warn
  RUNTIME -.-> PROVES

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style COMP fill:#101018,stroke:#f0a868,color:#e4e4e8
  style VER fill:#101018,stroke:#f0a868,color:#e4e4e8
  style Q fill:#101018,stroke:#f0a868,color:#e4e4e8
  style VECTORS fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
```

> **Note**: The verify-and-repair pipeline is a real defense — it catches many miscompilations. But it is a second LLM checking the first. A permissive interpretation of an ambiguous clause, validated against a scenario set that does not exercise the permissive case, passes. Two probabilistic systems agreeing is not a deterministic guarantee. The measurement is a fuzz-harness drift rate: the percentage of fuzzed constitutions that produce a permissive rule for the target action.

---

## Diagram 3 — Break 2: The V8 Isolate Boundary and the Credential Quarantine

**Type**: Escape-path analysis / dependency
**Purpose**: The credential quarantine is the strongest primitive in the course — but it holds only as long as the V8 isolate does. An isolate escape (a V8 or `isolated-vm` CVE) is the path from "compromised agent" to "real credentials." This is an escape-path analysis, not a constructed exploit — the course does not teach V8 exploitation. What it establishes is the structural dependence.
**Reading the diagram**: The agent runs in the isolate with fake keys. The real keys live in the proxy's host process. The isolation is the only thing preventing the agent from reaching them. An escape defeats the isolation; the defense-in-depth prescription layers the sandbox so an escape has to defeat three boundaries.

```mermaid
flowchart TB
  subgraph ISOLATE["V8 ISOLATE (the sandbox)"]
    direction TB
    AGENT["AGENT CODE (TypeScript)<br/>compromised via prompt injection<br/>wants the REAL credentials"]
    FAKE["holds FAKE keys only<br/>FAKE_ANTHROPIC_KEY_abc123"]:::teal
    FUEL["per-call fuel + memory limits<br/>(partial defense)"]:::warn
    AGENT --> FAKE
    AGENT --> FUEL
  end

  BOUNDARY["ISOLATE BOUNDARY<br/>the only thing between<br/>the agent and the real keys"]:::danger

  ISOLATE -.->|"must hold"| BOUNDARY

  subgraph HOST["HOST PROCESS (where the real keys live)"]
    direction TB
    PROXY["MITM PROXY<br/>holds REAL keys<br/>does the fake→real swap"]:::danger
    NET["network stack<br/>can make calls with real creds"]:::danger
    CFG["policy engine config<br/>compiled-policy.json, audit log"]:::danger
  end

  ESCAPE["ISOLATE ESCAPE (a V8 / isolated-vm CVE)<br/>type confusion · bounds error · JIT bug · GC edge case<br/>→ code runs in the HOST PROCESS, outside the isolate"]:::danger

  BOUNDARY -.->|"defeated by"| ESCAPE
  ESCAPE -.->|"reaches"| PROXY
  ESCAPE -.->|"reaches"| NET
  ESCAPE -.->|"reaches"| CFG

  DEFEAT["CREDENTIAL QUARANTINE DEFEATED<br/>the strongest primitive in the course<br/>falls to one memory-corruption bug"]:::danger
  PROXY -.-> DEFEAT

  PRESC["DEFENSE-IN-DEPTH PRESCRIPTION<br/>layer the sandbox so an escape defeats 3, not 1:<br/>ISOLATE (inner) → SECCOMP/CAPABILITY (middle) → EGRESS CONTROLS (outer)<br/>quarantine preserved at outer layer even if isolate falls"]:::teal
  DEFEAT -.-> PRESC

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style AGENT fill:#101018,stroke:#9494a0,color:#e4e4e8
  style ISOLATE fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style HOST fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
```

> **Note**: This break has no InjecAgent delta — the escape depends on a specific V8 version and a specific bug. The measurement is a dependency-CVE audit: is the deployed V8 / `isolated-vm` version current? Are there known escape CVEs? The honest framing: the credential quarantine is one memory-corruption bug from defeat, and the defense-in-depth prescription treats the isolate as one layer among several, not the load-bearing boundary.

---

## Diagram 4 — Break 3: Escalation Fatigue — Flooding the Human-in-the-Loop

**Type**: Pressure / drift (human analogue)
**Purpose**: The deterministic system still needs a human for edge cases. The human is the probabilistic component the deterministic design cannot eliminate. Three pressure patterns — volume fatigue, contextual fatigue, timing fatigue — degrade the human's allow/deny decisions into rubber-stamping. This is the deterministic analogue of CrabTrap's latency/cost pressure (SDD-B04 Break 3): a defense expensive to honor is a defense the human defeats.
**Reading the diagram**: The attacker generates ambiguous tool calls that force escalation. Three fatigue patterns raise the approval rate. The measurement is a fatigue simulator: approval-rate delta rested vs fatigued.

```mermaid
flowchart TB
  EDGE["ATTACKER GENERATES EDGE CASES<br/>tool calls ambiguous under compiled policy<br/>not clearly ALLOW, not clearly DENY<br/>→ forces ESCALATION to human"]:::danger

  EDGE --> HUMAN["HUMAN-IN-THE-LOOP<br/>terminal mux / Signal<br/>a/d/w: allow/deny/whitelist<br/>the probabilistic component"]:::warn

  HUMAN --> P1
  HUMAN --> P2
  HUMAN --> P3

  P1["VOLUME FATIGUE<br/>many escalations in a short window<br/>human defaults to ALLOW (keeps agent moving)<br/>to clear the backlog"]:::danger
  P2["CONTEXTUAL FATIGUE<br/>escalations similar to prior-approved calls<br/>human approves by analogy<br/>misses the difference that makes it an attack<br/>(= SDD-B04 allowlist-widening pattern)"]:::danger
  P3["TIMING FATIGUE<br/>escalations during launch / incident / off-hours<br/>approval rate up, scrutiny down<br/>(Signal-on-mobile = double-edged)"]:::danger

  P1 --> RUBBER["RUBBER-STAMPING<br/>allow decisions the deterministic engine<br/>was supposed to make — delegated back<br/>to a fatigued human"]:::danger
  P2 --> RUBBER
  P3 --> RUBBER

  PROVES["WHAT IT PROVES:<br/>a deterministic system that needs a human<br/>inherits the human's vulnerabilities<br/>a fatigued human is as steerable as a judge<br/>(= deterministic analogue of CrabTrap latency pressure)"]:::warn
  RUBBER -.-> PROVES

  MEASURE["MEASUREMENT: fatigue simulator<br/>approval rate: 4% rested → 31% fatigued<br/>(example delta)<br/>controls: rate-limiting + smart batching + two-person rule<br/>(partial, not elimination)"]:::teal
  PROVES -.-> MEASURE

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#5eead4
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style EDGE fill:#101018,stroke:#f08080,color:#e4e4e8
  style HUMAN fill:#101018,stroke:#f0a868,color:#e4e4e8
  style RUBBER fill:#101018,stroke:#f08080,color:#f08080
```

> **Note**: Rate-limiting (cap escalations per hour; deny-by-default above the cap), smart batching (evaluate one representative call, not twenty near-duplicates), and the two-person rule for high-impact allows turn the fatigue surface into a bounded residual. But none eliminates it — the human is the irreducible probabilistic component, and a deterministic system that delegates edge cases to a human inherits the human's failure modes.

---

## Diagram 5 — Defense-in-Depth: Why No Single Layer Suffices

**Type**: Comparison / residual map / prescription
**Purpose**: The thesis of the deep-dive. IronCurtain is the strongest single defense — it closes the two surfaces CrabTrap leaves open (SDD-B04). But it has its own honest residuals: compilation fidelity, the isolate boundary, escalation fatigue. No single residual is a defeat, but no single layer suffices. The prescription layers around IronCurtain: human review for compilation, sandbox defense-in-depth for the isolate, rate-limiting for escalation, and a probabilistic second layer for the ambiguous cases.
**Reading the diagram**: Three IronCurtain residuals on the left; the layered prescription that addresses each on the right. The bottom is B2's thesis: every layer has a residual; the only complete answer is layers.

```mermaid
flowchart LR
  subgraph RESID["IRONCURTAIN RESIDUALS (honest)"]
    direction TB
    R1["COMPILATION FIDELITY<br/>probabilistic LLM compiles<br/>deterministic rules; miscompilation<br/>enforced consistently"]:::danger
    R2["V8 ISOLATE BOUNDARY<br/>escape CVE history; quarantine<br/>holds only as long as isolate does"]:::danger
    R3["ESCALATION FATIGUE<br/>human is probabilistic;<br/>flood → rubber-stamp"]:::danger
  end

  subgraph LAYERS["THE LAYERED PRESCRIPTION"]
    direction TB
    L1["LAYER 1 — HUMAN REVIEW GATE<br/>review compiled-policy.json before deploy<br/>diff vs last-reviewed version<br/>catches the residual verify-and-repair missed"]:::teal
    L2["LAYER 2 — SANDBOX DEFENSE-IN-DEPTH<br/>isolate (inner) → seccomp/capability (middle)<br/>→ egress controls (outer)<br/>escape defeats 3 layers, not 1"]:::teal
    L3["LAYER 3 — ESCALATION RATE-LIMITING<br/>cap/hour + smart batching + two-person rule<br/>fatigue → bounded residual"]:::teal
    L4["LAYER 4 — PROBABILISTIC SECOND<br/>LLM-as-judge for escalated cases ONLY<br/>(positioned AFTER deterministic)<br/>judge injectability = residual, not primary surface"]:::warn
  end

  R1 -.->|"addressed by"| L1
  R2 -.->|"addressed by"| L2
  R3 -.->|"addressed by"| L3
  R3 -.->|"ambiguous cases"| L4

  THESIS["B2's THESIS (made concrete)<br/>every layer has a residual; no single layer suffices<br/>deterministic runtime = strongest single layer, NOT a complete answer<br/>the layered prescription closes more surface than IronCurtain alone<br/>SDD-B03 measures layered defense reaching single-digit injection rates"]:::teal

  LAYERS -.-> THESIS
  RESID -.-> THESIS

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  style RESID fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
  style LAYERS fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
```

> **Note**: The engagement deliverable is not "IronCurtain is broken, abandon it." The deterministic runtime is the strongest single layer — keep it. The prescription layers around it: human review for the compilation residual, sandbox defense-in-depth for the isolate residual, rate-limiting for the escalation residual, and a probabilistic second layer for the ambiguous cases the deterministic layer escalates. Each layer addresses a residual the others leave. This is B2's thesis: the only complete answer is layers, and this deep-dive — attacking the strongest single defense — is its motivation.