"What is IronCurtain's central thesis, and what does it mean operationally?" "The agent is untrusted; security does NOT depend on the model being good. Operationally: (1) at RUNTIME, enforcement is deterministic JSON rule evaluation — ZERO LLM, no judge to inject; (2) at the BOUNDARY, the agent holds FAKE credentials (a TLS-terminating proxy hot-swaps fake→real), so even a fully compromised agent cannot exfiltrate real secrets. This is the strongest position in the roster — the two surfaces SDD-B04 broke (injectable judge, credential-exfil path) are structurally closed." c2b::sdd-b05::recall "If IronCurtain has no runtime judge, where is the attack surface?" "Three surfaces, each a structural property of the deterministic design: (1) COMPILATION FIDELITY — the deterministic policy is compiled by a probabilistic LLM at BUILD time (the LLM was not eliminated, it was RELOCATED); a miscompilation is enforced consistently. (2) THE V8 ISOLATE BOUNDARY — the credential quarantine holds only as long as the isolate does; V8/isolated-vm have escape CVE history. (3) ESCALATION FATIGUE — edge cases escalate to a human, and a human can be fatigued (the deterministic analogue of CrabTrap's latency/cost pressure). The runtime engine itself has NO surface." c2b::sdd-b05::recall "What does it mean that 'the LLM was not eliminated, it was relocated'?" "IronCurtain's thesis is LLMs are stochastic and policy must be deterministic, so it removes the LLM from RUNTIME. But the compilation pipeline (Annotate, Compile, Resolve Lists, Generate Scenarios, Verify & Repair) is ALL LLM calls at BUILD time. The probabilistic component was not eliminated — it was concentrated in the compilation step. If the build-time LLM misinterprets the constitution, the wrong rule is baked into the deterministic runtime and enforced CONSISTENTLY. You get predictable enforcement of potentially-wrong rules." c2b::sdd-b05::recall "Describe IronCurtain's compilation pipeline and the role of verify-and-repair." "constitution.md → Annotate (classify tool args) → Compile (English→if/then) → Resolve Lists (symbols→concrete values) → Generate Scenarios (test cases) → Verify & Repair (LLM judge repairs failures, up to 2 rounds; build FAILS if unverified) → compiled-policy.json. Verify-and-repair is a real defense — it catches many miscompilations. BUT it is a SECOND LLM checking the FIRST; two probabilistic systems agreeing is NOT a deterministic guarantee. A permissive interpretation validated against a scenario set that doesn't exercise it passes." c2b::sdd-b05::recall "What is the compilation-fidelity attack (Break 1), and what are its three vectors?" "Goal: cause the compilation to produce a rule that PERMITS an action the constitution intends to DENY, in a way that passes verify-and-repair. Three vectors: (1) CONSTITUTION AMBIGUITY — a loosely-worded clause ('may post to internal channels for routine updates') is steered toward a permissive resolution. (2) SCENARIO COVERAGE GAP — the scenario set doesn't exercise the attacker's action, so verify-and-repair never tests it. (3) RESOLVED-LIST POISONING — @trusted-endpoints includes an attacker domain, or @sensitive-ops omits the target action." c2b::sdd-b05::recall "What does a successful compilation-fidelity break prove?" "That relocating the LLM from runtime to build time does NOT eliminate the probabilistic component — it CONCENTRATES it. Where CrabTrap's judge might REFUSE an exfil on a given request (probabilistic enforcement of correct understanding), IronCurtain's miscompiled rule PERMITS it every time (deterministic enforcement of incorrect compilation). The deterministic thesis is correct about runtime; it is INCOMPLETE about build time. One miscompilation = a consistently-enforced wrong rule. This motivates the human review gate in B05.3." c2b::sdd-b05::analysis "How is the compilation-fidelity break measured (its InjecAgent analogue)?" "Via a FUZZ HARNESS over the compilation pipeline: generate N constitution variants (introducing ambiguity, coverage gaps, list poisoning), compile each, measure the rate at which the compiled policy permits an action the un-fuzzed constitution denies. The metric is the COMPILATION-FIDELITY DRIFT RATE — the % of fuzzed constitutions producing a permissive rule for the target action. A low rate (e.g. 2%) means verify-and-repair catches most; a high rate means it doesn't. This is the BUILD-TIME analogue of the InjecAgent runtime delta — a measured effectiveness claim, not an assertion." c2b::sdd-b05::analysis "What is the V8 isolate boundary (Break 2), and what does an escape mean for the credential quarantine?" "IronCurtain Code Mode runs agent TypeScript in a V8 isolate (isolated-vm) with per-call fuel + memory limits — a JS-level sandbox. The credential quarantine DEPENDS on the isolate holding: the agent holds FAKE keys; the REAL keys live in the proxy's HOST process. An isolate escape (a V8/isolated-vm CVE — type confusion, bounds error, JIT bug, GC edge case) lets compromised agent code run in the host process — reaching the real keys, network stack, policy config. The isolation that made the quarantine hold is gone. The quarantine is ONE memory-corruption bug from defeat." c2b::sdd-b05::analysis "Why is the V8 isolate break framed as an escape-path analysis rather than a constructed exploit, and how is it measured?" "Because V8 exploitation is a deep specialization and a working isolate escape is a ZERO-DAY with a short shelf life — the course does not teach it. What the analysis establishes is the STRUCTURAL DEPENDENCE: the credential quarantine holds only as long as the isolate does. The measurement is a DEPENDENCY-CVE AUDIT (like SDD-B04's configuration-drift audit): is the deployed V8/isolated-vm version current? Are there known escape CVEs? The defense-in-depth prescription treats the isolate as one layer among several, NOT the load-bearing boundary." c2b::sdd-b05::analysis "What is escalation fatigue (Break 3), and why is it the deterministic analogue of CrabTrap's latency/cost pressure?" "IronCurtain escalates EDGE CASES (ambiguous tool calls) to a human (terminal mux/Signal, a/d/w). The human is the probabilistic component the deterministic design cannot eliminate. An attacker generates ambiguous tool calls to FLOOD the escalation channel until rubber-stamping. Three patterns: VOLUME fatigue, CONTEXTUAL fatigue (approve-by-analogy, missing the difference), TIMING fatigue (launch/incident/off-hours). It is the deterministic analogue of latency/cost pressure: a defense expensive to honor (in human attention) is a defense the human defeats." c2b::sdd-b05::analysis "How is the escalation-fatigue break measured, and what controls partially address it?" "Via a FATIGUE SIMULATOR: generate a stream of escalating tool calls (varying ambiguity, volume, timing), simulate a human approver with a fatigue model (approval rate RISES with volume, FALLS with scrutiny time), measure the rate at which attacker-intended actions are approved fatigued vs a rested baseline. The delta (e.g. 4% rested → 31% fatigued) is the honest measurement. Partial controls: RATE-LIMITING (cap escalations/hour; deny-by-default above), SMART BATCHING (evaluate one representative call, not 20 near-duplicates), TWO-PERSON RULE for high-impact allows. None eliminates — the human is irreducibly probabilistic." c2b::sdd-b05::analysis "State the four layers of the defense-in-depth prescription for IronCurtain's residuals." "(1) HUMAN REVIEW GATE — review compiled-policy.json before deploy, diff vs last-reviewed; catches the residual verify-and-repair agreed with; no runtime LLM added. (2) SANDBOX DEFENSE-IN-DEPTH — isolate (inner) → seccomp/capability (middle) → egress controls (outer); an escape defeats 3 layers, not 1; quarantine preserved at the outer layer. (3) ESCALATION RATE-LIMITING — cap/hour + smart batching + two-person rule; fatigue → bounded residual. (4) PROBABILISTIC SECOND LAYER — an LLM-as-judge for ESCALATED CASES ONLY, positioned AFTER the deterministic layer; judge injectability becomes a residual, not the primary surface." c2b::sdd-b05::analysis "Why is the engagement deliverable a layered prescription rather than 'abandon IronCurtain'?" "Because the deterministic runtime is the STRONGEST SINGLE LAYER — it genuinely has no semantic attack surface. The residuals (compilation fidelity, isolate boundary, escalation fatigue) are structural properties of any single-layer defense, not reasons to abandon the deterministic approach. The prescription LAYERS AROUND the deterministic core: each layer addresses a residual the others leave (human review for compilation, sandbox defense-in-depth for the isolate, rate-limiting for escalation, probabilistic-second for ambiguous cases). No single layer is load-bearing; each is a backstop. This is what SDD-B03 measures reaching single-digit injection rates." c2b::sdd-b05::analysis "How does SDD-B05 complete the argument that SDD-B03 and SDD-B04 began?" "SDD-B03 MEASURED it: layered defenses reach single-digit injection rates where single defenses sit near baseline. SDD-B04 DEMONSTRATED it: CrabTrap alone has residuals (injectable judge, response gap, cost erosion); the deterministic-first prescription points at IronCurtain. SDD-B05 COMPLETES it: even IronCurtain, the strongest single defense, has its own residuals (compilation fidelity, isolate boundary, escalation fatigue) — not implementation bugs but structural properties of any single-layer defense. The conclusion: the only complete answer is LAYERS. No single layer suffices — not even IronCurtain. This is B2's thesis, the throughline of the course." c2b::sdd-b05::analysis "Why is verify-and-repair insufficient as deterministic verification of the compilation?" "Verify-and-repair is a SECOND LLM checking the FIRST. A permissive interpretation of an ambiguous clause, validated against a scenario set that does NOT exercise the permissive case, passes — because the verifying LLM is the same kind of probabilistic system that produced the miscompilation. Two probabilistic systems agreeing is NOT a deterministic guarantee. The defense catches NAIVE miscompilations (rules that obviously contradict the constitution) but not the residual where the verifier AGREES with the error. This is why the B05.3 prescription adds a HUMAN REVIEW of the compiled policy before deploy — the human catches what the second LLM missed." c2b::sdd-b05::analysis "What does it prove that IronCurtain's runtime engine is NOT on the attack-surface list?" "That pure if/then JSON rule evaluation genuinely has NO semantic attack surface — you cannot inject an if-statement. This is the part of IronCurtain that validates the deterministic thesis. The surfaces are everything AROUND the runtime: the build-time compilation (a probabilistic system producing the deterministic rules), the isolate boundary (the sandbox the quarantine depends on), and the escalation channel (the human the deterministic design still needs). The runtime is the strongest single layer; the prescription is to keep it and layer around its residuals, not to replace it." c2b::sdd-b05::analysis "How does the credential quarantine work, and on what does its integrity depend?" "The agent is configured with FAKE API keys (e.g. FAKE_ANTHROPIC_KEY_abc123). When the agent makes an LLM API call, the request hits IronCurtain's TLS-terminating MITM proxy. The proxy REPLACES the fake key with the REAL one before forwarding to the provider; the response comes back through the proxy, which scrubs any key reflection. The agent NEVER sees a real credential. Its integrity depends ENTIRELY on the V8 isolate holding — the agent cannot reach the proxy's host process (where real keys live) unless it escapes the isolate. One isolate-escape CVE and the quarantine falls." c2b::sdd-b05::recall "Why does the probabilistic second layer (Layer 4) NOT reintroduce the SDD-B04 CrabTrap vulnerability?" "Because of POSITIONING. In SDD-B04, the judge was the PRIMARY surface — every novel request reached it, and its injectability was the main attack vector. In the B05.3 prescription, the LLM-as-judge is positioned AFTER the deterministic layer and handles only the ESCALATED subset (ambiguous cases the deterministic rules cannot resolve). The judge's injectability (SDD-B04 Break 1) is now a RESIDUAL on the small escalated subset, not the primary surface — and the human still reviews high-impact judge decisions. The deterministic layer handles the bulk of traffic with zero injectability; the judge adds semantic flexibility only where the deterministic layer is ambiguous." c2b::sdd-b05::analysis