Module CAP-B1 — Harden the tau Harness

Harden the tau Harness

Take the REAL tau codebase — Hugging Face's educational coding agent — measure its baseline vulnerability with an InjecAgent-style injection battery, install three tested security plugins (tau_taint, tau_sandbox, tau_vault from the tau_plugins pack), and produce a defense scorecard showing the measured before/after delta. Baseline tau has ~33% attack-success; hardened tau has ~0% on the deterministic-gate classes. The deliverable is a real tau fork with measured hardening — not a simulation, not a stub.

120
minutes
8
artifacts
3
sub-sections
The old version of this capstone built a stub harness in TypeScript with a fake model. It taught the architecture, but it could not teach the part that breaks in production: integration. This version attacks REAL tau. You clone the codebase, run the injection battery against unmodified tau to record the baseline (the real number — tau actually executes rm, actually reads your credentials, actually runs curl), then install the three tested plugins one per phase, re-running the battery after each. The plugins attach at SDD-B11's five named extension points — no monkey-patching, no framework registration. The deliverable is a real tau fork plus a measured scorecard showing the 33%→0% delta on the deterministic-gate classes, with the residual (memory_poison) named and its closing control (B3) identified. Real fork. Measured hardening. Not a simulation.
Key Claims
Load-Bearing Claims

The plugin pack is REAL and TESTED. The tau_plugins pack ships three runnable Python plugins (tau_taint for B2, tau_sandbox for B7, tau_vault for B5), a scorecard harness, and create_hardened_tools() that composes all three. 31/31 tests pass against the real tau codebase. The integration test (test_hardened_tools_beat_baseline) asserts the hardened tool set has a measurably lower attack-success rate than the undefended baseline — CI-grade proof, not an assertion. Each plugin attaches at a named extension point from SDD-B11: tau_taint at EP1 (tool-executor wrap via dataclasses.replace), tau_sandbox at EP2 (bash-factory replacement covering BOTH bash paths), tau_vault at EP3 (credential-store replacement).

Only a real harness surfaces the integration hazards that break in production. The capstone's signature teaching point is the two-bash-tool finding: run_terminal_command (session.py:1183) constructs its OWN bash tool outside the harness tool list. A sandbox that wraps only the harness-list bash is bypassed by the terminal-command path. tau_sandbox wedges at the FACTORY level (create_hardened_bash_tool replaces create_bash_tool) so both call sites use the hardened executor. A stub capstone cannot teach this — there is no second bash path to find. The real capstone teaches it because the bypass is sitting in tau's source, waiting for a student who wraps only the harness list.

The baseline is real, not simulated. Unmodified tau actually executes the destructive commands, actually reads ~/.tau/credentials.json (returning the plaintext API key), and actually runs curl. The ~33% the battery measures is vulnerability, not a simulation of it. When the battery prints your real API key from the credentials file, the stakes are concrete in a way a stub cannot convey. After the three plugins land, every deterministic-gate class drops to zero: tau_taint collapses indirect injection (output tagged ), tau_sandbox collapses tool-abuse/escape/direct (egress/creds/destructive blocked), tau_vault removes plaintext from disk. The measured delta — 33%→~0% — is the capstone's signature output.

The honest scorecard names the residual. The plugin pack ships B2, B5, B7 — not B3 (memory-write gate), not B4 (manifest), not B6 (inter-agent), not a probabilistic B2 Layer 4 detector. memory_poison stays at 100% in the hardened column because no B3 gate is installed. This is not a failure of the installed controls; it is the measured consequence of installing 3 of 7 defenses. The honest scorecard reports the residual with its closing control (B3) rather than claiming the harness is 'secured.' The deliverable is measured residual risk under a battery — the B0 anti-pattern made operational against a real harness.

After This Module
01
Measure a real harness's baseline vulnerability — clone tau, install it, run the scorecard's injection battery against the unmodified codebase, and record the real attack-success rate per class (~33% overall).
02
Install and compose three real security plugins onto tau's five extension points — tau_taint (B2, EP1), tau_sandbox (B7, EP2), tau_vault (B5, EP3) — and explain why tau's lack of a plugin system makes every wedge point auditable.
03
Re-run the battery at each phase and attribute each layer's contribution — watch indirect injection collapse as tau_taint tags output; watch tool-abuse/escape collapse as tau_sandbox blocks egress and credential reads; watch credential exfiltration collapse as tau_vault removes plaintext from disk.
04
Wire the observability layer (B0/B1 scope, B8 intent) — compose all three via create_hardened_tools() at EP5, subscribe an intent tracker to the event stream at EP4, and confirm every control fires through the audit substrate.
05
Defend the hardened harness as a measured system, not a 'secured' claim — articulate why the deliverable is the before/after scorecard (baseline ~33% → hardened ~0% on deterministic-gate classes), why defense-in-depth is a conjunction across tau's surfaces, and how the characterized residual becomes the client's acceptance criterion.
06
Diagnose residual leaks against the real tau surfaces — when a probe still succeeds, attribute it to the specific tau surface and prescribe the closing control from the appropriate B-module, referencing SDD-B11's extension-point map.
Artifacts
01
Teaching Document
~5,300 words; the capstone hardening REAL tau — learning objectives, the capstone goal (real fork + measured scorecard), tau as the target, the six tau-based build phases (clone/baseline; tau_taint; tau_sandbox; tau_vault; observability; score it), the measured scorecard (baseline ~33% → hardened ~0%), why the real harness beats the stub (integration hazards, real baseline, wedge-point discipline); with anti-patterns (two-bash-tool bypass, shell_command_prefix misuse, loop-patching, event-listener enforcement, base64-as-encryption), key terms, references (cross-referencing SDD-B11, the plugin pack, B2/B5/B7)
READ
02
Diagrams
6 Mermaid diagrams — tau's seven attack surfaces mapped to extension points (from SDD-B11, with the 3 installed plugins highlighted); the six-phase hardening progression with scorecard checkpoints; the defense scorecard matrix (baseline vs hardened per class, with the named residual); the plugin attachment map (where each plugin wedges, with tau source locations); the defense-in-depth conjunction on tau (the funnel an attack must traverse); the before/after attack-success-rate bar comparison (the signature measurement)
READ
03
Slide Deck
19 slides — reveal.js, dark theme, design-system teal; covers why the rewrite (real harness beats stub), tau's surfaces and extension points, the six phases (clone/baseline, tau_taint, tau_sandbox, tau_vault, observability, score it), the measured scorecard, the two-bash-tool finding, anti-patterns, the load-bearing principle; matches the design system (Space Grotesk, JetBrains Mono, teal accent, no emoji)
READ
04
Teaching Script
Verbatim transcript (~70 min spoken at ~140 wpm), [SLIDE N] cues matching the deck; the remaining 50 min is the lab build. Senior-engineer voice, direct and sourced.
READ
05
Flashcards
27 flashcards (capstone depth) — mix of recall (deliverables, plugin/extension-point mapping, baseline numbers, wedge points) and analysis (two-bash-tool bypass diagnosis, B5/B7 coupling, residual diagnosis, why real-beats-stub, denylist-vs-allowlist tradeoff, base64 teaching caveat)
TEST
06
Exam
15 questions, 20/40/40 Bloom (3 recall / 6 application / 6 analysis); covers the capstone goal, plugin/B-module/extension-point mapping, the two-bash-tool bypass, B5/B7 coupling, the named residual and its closing control, the event-listener-vs-enforcement distinction, the shell_command_prefix anti-pattern, factory-level wedge discipline, the real-beats-stub rationale, the base64 teaching-context evaluation
TEST
07
Lab Spec
The main deliverable — 'Harden tau': clone real tau from github.com/huggingface/tau, pip install, set PYTHONPATH to the plugin pack, run the scorecard battery at each of the six phases (baseline → +tau_taint → +tau_sandbox → +tau_vault → +observability → final scorecard), produce the defense scorecard showing baseline ~33% → hardened ~0% with the named residual (memory_poison → B3). Python, type hints, REAL tau and the REAL plugin pack (31/31 tests). Exact clone/install/PYTHONPATH commands included. The most substantial lab in the course.
DO
08
Module Web Page
Single-file HTML hub
HERE