Run a Full Agent Red-Team Engagement
The offensive bookend to B1, now against a real target. Attack a live tau deployment (github.com/huggingface/tau) with partial hardening — tau_taint (B2) and tau_sandbox (B7) installed, but tau_vault (B5) missing — and run a complete six-phase red-team engagement. Scope with B0's clauses, recon the seven surfaces against real tau code, discover findings with the OWASP Agentic Top 10 (B9) and Microsoft chains (B10), validate with minimum-proof discipline, ship a report a CISO would accept, and define a retest plan that measures residual risk.
The deliverable is a report, not a score — and the headline is the credential-exfil chain. B1 shipped a defense scorecard (defensive). B2 ships a red-team engagement report (offensive) against a real tau deployment with partial hardening. The headline finding is the credential-exfil chain: tau_vault (B5) is not installed, so credentials sit in plaintext at ~/.tau/credentials.json, and python3 -c bypasses tau_sandbox's reader-regex denylist (the regex matches cat|head|tail|less|more|vim|nano|vi|emacs|od|hexdump|xxd|strings but not python3). The sandbox blocks cat; it does not block python3 -c "import json; print(list(json.load(open('...')).keys()))". The report carries executive summary, engagement metadata (the legal anchor), findings (each with OWASP/Microsoft ref, attack procedure, minimum-proof evidence, root cause, residual risk, dual-use class), a control matrix mapping findings to controls, a remediation roadmap prioritized by severity times effort, and a retest plan. 'We found bugs' is a claim; 'one critical credential-exfil chain at 100% over 50 attempts, root cause is the missing tau_vault, remediation is install B5 and close the python3 bypass' is a deliverable.
The target is real tau with a specific partial-hardening configuration — not a stub. Acme Corp's tau deployment has tau_taint (B2, Extension Point 1) and tau_sandbox (B7, Extension Point 2) installed via the tau_plugins pack, but tau_vault (B5, Extension Point 3) is NOT installed, there is no B3 memory gate, and there is no B8 intent tracker. This is the configuration that produces the three signature findings: (1) the credential-exfil chain — tau_vault absent means plaintext creds, and python3 -c evades the sandbox denylist; (2) the zero-click chain — write/edit are absent from DEFAULT_HIGH_IMPACT_TOOLS (which is {send_email, write_to_memory, bash}), so a tainted agent can write a payload file with no human approval, and absent B8 means no session-intent tracking to flag the drift; (3) the session-poisoning chain — no B3 means _persist_messages_since appends unfiltered to JSONL, and SessionStorage.load on resume reads the JSONL directly without routing through the taint gate's executor. Each finding maps to a real code path in tau and to a specific missing control. Recon against real code, not a stub, is what makes the findings defensible.
The six phases are ordered and non-skippable; each phase's output is the next phase's input. Phase 1's SOW carrying B0's clauses is the legal precondition for every Phase 3/4 technique — a technique with no authorization is a technique you do not run. Phase 2's control-gap map (seven surfaces, each marked INSTALLED or MISSING) is the input to Phase 3's discovery — without it you test the obvious surface (the sandbox) and miss the credential-exfil chain that only fires because the vault is absent. Phase 3's scorecard battery plus OWASP checklist plus Microsoft chains are what Phase 4 validates at N=50. Phase 4's measured rates and minimum-proof evidence are what Phase 5 reports. Phase 6's retest plan measures the residual risk after tau_vault is installed. A finding without scope is inadmissible; without recon is a guess; without validation is an anecdote; without a report is unsaid; without a retest is binary 'fixed' (the B0 anti-pattern).
B0's legal/ethical controls govern every finding — minimum-proof discipline and the dual-use classification are applied per finding at report time, and credential values are Restricted. Every finding is validated with a measured success rate (InjecAgent-style, N over M with sampling config), never a single anecdotal success. For the credential-exfil chain specifically: capture the command string, ok=True, and a hash of the credential file prefix — never the credential values themselves, which are classified Restricted and destroyed on report. For weights and system prompts the rule is the same: path plus hash plus byte count, never the full artifact. Every finding passes through the four disclosure classes (Public / Provider-Only / Restricted / Destroy-on-Report). The defensive lesson (install tau_vault, close the python3 bypass, add write/edit to the high-impact set, add a B3 memory gate) is published; the step-by-step recipe for reading Acme's live credentials is suppressed. The report's per-finding dual-use classification is B0's central ethical problem, made operational at the document level.