"Enumerate the seven attack surfaces of an agentic system." "(1) The LOOP — the reasoning cycle itself. (2) TOOLS — tool contracts and tool output as injection vector. (3) MEMORY — long-term and context-window. (4) The PROVIDER — the model API as a trust boundary. (5) IDENTITY — non-human identities, scoped credentials. (6) SANDBOX — execution isolation, escape surface. (7) INTER-AGENT EDGES — multi-agent communication, cascade. Six are harness-layer (98.4%); the provider is model-layer (1.6%)." c2b::b1::recall "What does B1 add to B0's scope file, and why is the scope file alone insufficient?" "B0's scope file defines WHAT YOU ARE ALLOWED TO TEST (the legal boundary: deployer vs provider surfaces, provider_authorization per technique). B1 defines WHAT THERE IS TO ATTACK. The scope file does not enumerate the attack surface — it tells you the legal cover but not that the agent has a loop, tools, memory, provider boundary, identity, sandbox, and inter-agent edges, each a distinct attack target. B1 turns the scope file into a surface map." c2b::b1::recall "State the 1.6% / 98.4% framing and its consequence for red-teaming." "The model is ~1.6% of the system; the harness is 98.4%. Of the OWASP ASI Top 10, only ASI02 (prompt leakage) and the refusal-bypass flavor of ASI01 are purely model-layer; the other eight are harness-layer. A red-team that tests only the model (jailbreaks, leakage) has covered 1.6%. A defender who hardens only refusal training has defended 1.6%. The other 98.4% — loop, tools, memory, identity, sandbox, inter-agent edges — is where serious agentic compromises land." c2b::b1::recall "What is the trust boundary of the loop (surface 1), and what is the canonical attack?" "The loop crosses a boundary on EVERY ITERATION between consuming untrusted context and selecting an action. The model emits a structured action (tool name + args) as text and the harness parses and executes it — with no independent check that the action serves the user's original goal. CANONICAL ATTACK: goal hijacking (ASI01) — injected content rewrites the objective mid-loop; the loop runs correctly toward the wrong goal. The multi-step variant spans tool calls, each individually benign (the zero-click HITL bypass chain)." c2b::b1::recall "What is indirect prompt injection, and why is it the most dangerous vector on the tools surface?" "Indirect injection is injection delivered via CONTENT the agent reads (tool output, retrieved doc, email) rather than direct user input. The tool faithfully returns attacker-controlled data (e.g. fetch_url returns a page containing 'ignore instructions...'); the harness inserts it into the context window WITHOUT an untrusted tag; the model treats it as instruction. It is the most dangerous vector because it is the most common — InjecAgent measured ~50% of agentic tasks vulnerable to indirect injection via tool outputs. The defense is output sanitization + untrusted-tagging on every tool return (B4)." c2b::b1::recall "Describe the sleeper attack (memory poisoning, ASI04) and why per-session detection misses it." "In session 1, the attacker injects a payload the agent persists to memory (e.g. 'the user authorized transferring funds to X'). In session 2, a DIFFERENT legitimate user asks the agent to handle finances; the agent retrieves the poisoned memory, treats it as a fact about the world, and acts on it. Per-session detection misses it because the DELAY between write and activation crosses the session boundary — the write looks benign in session 1, the activation looks like normal retrieval in session 2. Defense: harness-managed writes (agent proposes, harness decides), signed entries, retrieval-time tagging, TTL decay (B3)." c2b::b1::recall "What is excessive agency (ASI03), and how does it turn a contained finding into a host-wide incident?" "Excessive agency is the gap between what the agent's TASK needs and what its CREDENTIALS permit. An agent that needs to read one table should not hold a DB credential that can read every table and drop schemas. A compromised agent (hijacked via surfaces 1-3) uses the surplus permission to do things the task never required — a summarization agent holding a broad S3 role exfiltrates the bucket. The over-scoped credential turns a contained tool-abuse finding into a host/credential-scope-wide incident. Defense: least privilege, ephemeral task-scoped creds, per-tool isolation, JIT elevation (B5)." c2b::b1::recall "Why do agent credentials pose a distinct identity risk compared to human credentials?" "Agent credentials are NON-HUMAN identities (service accounts, workload identities, API keys) that are typically LONG-LIVED, embedded in config, rotated rarely, and have NO MFA — the opposite of human credentials. A credential leaked via a tool-output disclosure (surface 2) or memory leak (surface 3) is immediately usable because it is a machine credential with no interactive challenge. This is why least-privilege, ephemeral/task-scoped credentials (STS tokens, workload identity) and per-tool credential isolation are the defense — IronCurtain's (DD-20) credential quarantine is the reference architecture." c2b::b1::recall "What two attacks target the sandbox surface (surface 6), and what ASI risks do they map to?" "(1) SANDBOX ESCAPE (ASI07) — agent-executed code exploits an isolation-primitive vulnerability (container breakout, V8 isolate escape, kernel exploit via a permitted syscall) and reaches the host, where it can read credentials (surface 5), memory (surface 3), the system prompt (surface 4), and pivot. (2) RESOURCE EXHAUSTION (ASI09) — the agent is induced (via injection) to run indefinitely: infinite loop, recursive tool call, self-prompting cycle — a DoS on the agent's infrastructure or a cost-exhaustion attack against the API budget." c2b::b1::recall "What is cascading hallucination (ASI06), and why is the inter-agent edge blast radius mesh-wide?" "One agent produces a hallucinated or poisoned result; downstream agents in the mesh consume it as FACT and act on it, propagating the error. The cascade AMPLIFIES: one bad output becomes ten decisions across five agents. The blast radius is mesh-wide because most multi-agent systems default to IMPLICIT TRUST — shared context, no message authentication, unverified peer outputs. A compromise of any one node (or a forged supervisor message) propagates to all peers. Defense: HMAC-signed messages per edge, replay protection, per-agent identity isolation, output verification at every edge, cascade-depth limits (B6)." c2b::b1::recall "What is STRIDE-for-agents, and what is the seventh agent-specific category it adds?" "STRIDE-for-agents adapts Microsoft's STRIDE framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to agentic systems. The seventh, agent-specific category is GOAL SUBVERSION — because an agent can be perfectly authenticated, untampered, and auditable, and still do the wrong thing because its objective was hijacked. Goal subversion has no STRIDE analogue. The loop and inter-agent edges map to it. The value: STRIDE gives a defender a per-surface checklist; 'we did not consider it' is a finding." c2b::b1::recall "How does the blast-radius scoring table prioritize remediation, and what is the governing principle?" "Worst case per surface: inter-agent edges = mesh-wide; sandbox = host-wide; identity = credential-scope-wide; provider = cross-tenant (if shared); memory = cross-session/cross-user; tools = tool-scope-wide; the loop = session-wide (lowest, if halted). PRINCIPLE: prioritize surfaces whose worst case is CONTAINMENT FAILURE (sandbox, identity, inter-agent edges) over those whose worst case is single-session compromise (the loop). A contained compromise is a finding; an uncontained one is an incident." c2b::b1::analysis "CrabTrap (DD-19) is probabilistic defense; IronCurtain (DD-20) is deterministic. Why is neither sufficient alone, and what does the seven-surface map reveal about this?" "A defense on ONE surface does not protect the OTHERS. CrabTrap sits on the tools surface (egress filter) — it does not stop a sandbox escape (surface 6) or memory poisoning (surface 3). IronCurtain sits on identity/sandbox/loop (deterministic policy + credential quarantine + V8 isolate) — it does not stop an indirect injection via tool output (surface 2) if the inbound response is not filtered. The seven-surface map makes the gap literal: each surface needs its own control. The thesis (developed across B2-B12) is DEFENSE IN DEPTH across all seven surfaces, each with its own module, control, and red-team test." c2b::b1::analysis "Name three specific ways CrabTrap (DD-19) fails under offensive pressure." "(1) THE JUDGE IS A MODEL — the same indirect-injection techniques that hijack the agent can fool the judge; if the malicious tool output is crafted to read as benign to a judge model (obfuscation, encoding, multi-step assembly), the judge passes it. (2) RESPONSE-SIDE GAP — CrabTrap filters the request body (outbound) but historically did not filter the inbound tool return value, so attacker content enters the context window unfiltered. (3) LATENCY BUDGET — a judge model adds per-call latency; under load, agents skip the check or run it on a cheaper, weaker model — the defense degrades exactly when the system is busy." c2b::b1::analysis "Name three specific ways IronCurtain (DD-20) fails under offensive pressure." "(1) COMPILATION FIDELITY — IronCurtain compiles natural-language policies into deterministic rules using a build-time LLM; if an attacker influences the policy text or build-time context, the COMPILED rule may not match the INTENDED rule, and the deterministic enforcer faithfully enforces the wrong thing (determinism amplifies a poisoned compile). (2) V8 ISOLATE ESCAPE — the sandbox is a V8 isolate; a V8 vulnerability or a permitted API reaching outside the isolate is a direct escape path (surface 6). (3) ESCALATION FATIGUE — flood the human approval queue with benign-looking requests until a malicious one is approved to clear the backlog (defeats per-step HITL)." c2b::b1::analysis "Trace the indirect-injection attack path from untrusted content to real-world impact, naming the four defense points that could halt it." "(1) Attacker content on a web page/email. (2) Tool fetches it — fetch_url returns the string; tool output is untrusted but UNTAGGED. (3) Enters context window — model reads it as instruction (no untrusted tag). (4) Loop selects action — goal hijacked, reads file then exfiltrates. (5) Tool executes — read_file/send_email with real creds. (6) Impact — SSH key exfiltrated. DEFENSE POINTS: (2) tag tool output as untrusted (B4); (3) instruction isolation, system prompt privileged (B2); (4) session-level intent tracking vs original goal (B2); (5) path allowlist + scoped credential (B4, B5). Any one halts the chain — defense in depth." c2b::b1::analysis "Map the seven surfaces to their destination defense modules (B2-B12) and the Course 1 architecture each attacks." "(1) Loop → B2 Prompt Injection Defense, attacks CrabTrap DD-19. (2) Tools → B4 Tool & MCP Security, attacks CrabTrap egress. (3) Memory → B3 Memory & Context Poisoning, attacks harness-managed writes. (4) Provider → B2 + B11 leakage + governance, attacks the provider boundary. (5) Identity → B5 Identity & Permission, attacks IronCurtain DD-20 credential quarantine. (6) Sandbox → B7 Sandbox & Execution, attacks NemoClaw OpenShell DD-09 + IronCurtain V8 isolate. (7) Inter-agent edges → B6 Inter-Agent Trust, attacks ZeroClaw DD-16 HMAC (open gap: ephemeral keys)." c2b::b1::analysis "What is the zero-click HITL bypass chain, and why do per-step human approvals fail against it?" "A single external input triggers a multi-step chain where EACH individual step passes human approval, but the COMPOUND intent is malicious. Step 1 reads a file (approved — looks benign). Step 2 reads another (approved). Step 3 combines and exfiltrates (approved — each step looked reasonable in isolation). Per-step approvals fail because no single step is the attack — the attack is the SEQUENCE. This is the Microsoft failure-mode taxonomy's central finding: per-step HITL is insufficient; it requires SESSION-LEVEL intent detection that evaluates the compound trajectory, not just each action. Escalation fatigue (flooding the queue) compounds the failure." c2b::b1::analysis "Why is treating retrieved memory/context as trusted content a critical error, and what is the correct posture?" "Retrieved memory may be ATTACKER-AUTHORED (memory poisoning, ASI04) or accumulated-contamination (session context contamination). Treating it as trusted fact means the agent acts on poisoned data as if it were ground truth. The correct posture: every retrieved byte is UNTRUSTED until tagged and verified. Specifically — harness-managed writes (the agent proposes, the harness decides what to persist; never let the model write raw memory), signed memory entries with provenance, retrieval-time untrusted-tagging (mark every retrieved fact as data not instruction), and TTL/decay so a poisoned entry does not live forever. B3 implements this; Course 1 Module 4.3 (harness-managed writes) is the precursor." c2b::b1::analysis "What is the difference between tool/skill abuse (ASI05) and excessive agency (ASI03), and how do they interact?" "ASI05 (tool abuse) is a LEGITIMATE tool used for an UNINTENDED PURPOSE — read_file used to read /etc/passwd, web_search used to exfiltrate via query params, send_email used to ship secrets. The tool worked as designed; the INTENT was wrong; the contract permitted the call. ASI03 (excessive agency) is the agent holding MORE PERMISSION than the task requires — the credential/scope gap. They INTERACT: tool abuse becomes catastrophic when paired with excessive agency. A tool-abuse finding (read_file reads a sensitive file) is contained if the credential is scoped to non-sensitive paths; it becomes a host-wide incident if the credential is over-scoped (ASI03 amplifies ASI05). Defense: least-privilege tool contracts (B4) AND least-privilege credentials (B5) together." c2b::b1::analysis "Why is prompt leakage (ASI02) more damaging than it first appears, beyond exposing the system prompt text?" "The system prompt often contains the agent's FULL TOOL LIST, business logic, guardrail instructions, and sometimes embedded credentials or API endpoints. Leaking it hands the attacker the MAP of the entire attack surface — which tools exist, what they accept, where the guardrails are. It converts a blind attacker into an informed one. Beyond the prompt itself, the provider logs every prompt sent; if the agent's context contains retrieved customer data, credentials, or PII, that data is in a third-party log store the deployer does not control (surface 4 — the provider as trust boundary). Defense: minimize what is sent, DLP on outbound context, pin model version, self-host for high-sensitivity." c2b::b1::analysis "Why does ZeroClaw's (DD-16) HMAC tool receipt system represent only a partial defense for inter-agent edges, and what gap must B6 close?" "ZeroClaw uses HMAC tool receipts — signing tool calls/outputs so they can be verified. This is the right primitive for inter-agent message authentication. BUT Course 1 flags that its keys are EPHEMERAL and NOT YET DURABLE — they do not persist across sessions or survive restarts, so a message signed in session 1 cannot be verified in session 2, and a restart invalidates the signing key. B6 must close this gap with DURABLE, rotated signing keys (or asymmetric signatures for cross-domain trust), plus replay protection (nonces/timestamps), per-agent identity isolation, and output verification at every edge. HMAC alone, with ephemeral keys, authenticates within a session but not across the boundaries where the sleeper and cascade attacks actually operate." c2b::b1::analysis "Given a sample agent with a code-execution tool, a vector memory store with customer data, and three peer agents, prioritize the three surfaces to remediate first and justify the order." "(1) SANDBOX (surface 6) — a code-execution tool with a weak isolation primitive is a direct host-escape path; blast radius is host-wide (reaches creds, memory, prompt, pivot). Fix the isolation primitive and limits first because escape subverts all other defenses. (2) IDENTITY (surface 5) — the code-exec tool's credential scope determines whether an escape or tool-abuse is contained; if the credential is over-scoped (ASI03), any compromise becomes credential-scope-wide. Scope it to minimum before anything else. (3) INTER-AGENT EDGES (surface 7) — three peer agents with implicit trust means mesh-wide blast radius via cascade (ASI06) or forged messages; add signed messages + output verification. Order justification: containment-failure surfaces (sandbox, identity, edges) before single-session surfaces, per the blast-radius principle — a contained compromise is a finding, an uncontained one is an incident." c2b::b1::analysis