Harden the tau Harness
Take the REAL tau codebase — Hugging Face's educational coding agent — measure its baseline vulnerability with an InjecAgent-style injection battery, install three tested security plugins (tau_taint, tau_sandbox, tau_vault from the tau_plugins pack), and produce a defense scorecard showing the measured before/after delta. Baseline tau has ~33% attack-success; hardened tau has ~0% on the deterministic-gate classes. The deliverable is a real tau fork with measured hardening — not a simulation, not a stub.
The plugin pack is REAL and TESTED. The tau_plugins pack ships three runnable Python plugins (tau_taint for B2, tau_sandbox for B7, tau_vault for B5), a scorecard harness, and create_hardened_tools() that composes all three. 31/31 tests pass against the real tau codebase. The integration test (test_hardened_tools_beat_baseline) asserts the hardened tool set has a measurably lower attack-success rate than the undefended baseline — CI-grade proof, not an assertion. Each plugin attaches at a named extension point from SDD-B11: tau_taint at EP1 (tool-executor wrap via dataclasses.replace), tau_sandbox at EP2 (bash-factory replacement covering BOTH bash paths), tau_vault at EP3 (credential-store replacement).
Only a real harness surfaces the integration hazards that break in production. The capstone's signature teaching point is the two-bash-tool finding: run_terminal_command (session.py:1183) constructs its OWN bash tool outside the harness tool list. A sandbox that wraps only the harness-list bash is bypassed by the terminal-command path. tau_sandbox wedges at the FACTORY level (create_hardened_bash_tool replaces create_bash_tool) so both call sites use the hardened executor. A stub capstone cannot teach this — there is no second bash path to find. The real capstone teaches it because the bypass is sitting in tau's source, waiting for a student who wraps only the harness list.
The baseline is real, not simulated. Unmodified tau actually executes the destructive commands, actually reads ~/.tau/credentials.json (returning the plaintext API key), and actually runs curl. The ~33% the battery measures is vulnerability, not a simulation of it. When the battery prints your real API key from the credentials file, the stakes are concrete in a way a stub cannot convey. After the three plugins land, every deterministic-gate class drops to zero: tau_taint collapses indirect injection (output tagged
The honest scorecard names the residual. The plugin pack ships B2, B5, B7 — not B3 (memory-write gate), not B4 (manifest), not B6 (inter-agent), not a probabilistic B2 Layer 4 detector. memory_poison stays at 100% in the hardened column because no B3 gate is installed. This is not a failure of the installed controls; it is the measured consequence of installing 3 of 7 defenses. The honest scorecard reports the residual with its closing control (B3) rather than claiming the harness is 'secured.' The deliverable is measured residual risk under a battery — the B0 anti-pattern made operational against a real harness.