IronCurtain Offensive Analysis
The defense to beat. IronCurtain (Course 1 DD-20) is the deterministic governance + credential quarantine system — the strongest single defense in the roster. This deep-dive dissects its attack surface: the compilation-fidelity attack (the deterministic policy is compiled by a probabilistic LLM, so the build-time compilation is the weak link — a miscompilation enforced consistently); the V8 isolate escape (the sandbox is a V8 isolate with escape CVE history, and the credential quarantine holds only as long as it does); the escalation-fatigue attack (flood the human-in-the-loop with approval requests until they rubber-stamp — the deterministic system still needs a human for edge cases). The offensive analysis of the strongest defense: how to break IronCurtain, what each break proves, and the residual risks that motivate defense-in-depth.
The LLM was not eliminated; it was relocated — and the compilation step is the load-bearing attack surface. IronCurtain's thesis is that LLMs are stochastic and policy must be deterministic, so it removes the LLM from runtime (pure if/then, zero LLM, no judge to inject). But the compilation pipeline (Annotate, Compile, Resolve Lists, Generate Scenarios, Verify & Repair) is ALL LLM calls at build time. A probabilistic system is producing the rules a deterministic system enforces. If the build-time LLM miscompiles — via constitution ambiguity, scenario coverage gaps, or resolved-list poisoning — the wrong rule is baked into the deterministic runtime and enforced CONSISTENTLY. Where CrabTrap's judge might refuse an exfil on a given request, IronCurtain's miscompiled rule permits it every time. Verify-and-repair mitigates but does not eliminate: it is a second LLM checking the first, and two probabilistic systems agreeing is not a deterministic guarantee. The measurement is a compilation-fidelity drift rate (the % of fuzzed constitutions producing a permissive rule).
The credential quarantine holds only as long as the V8 isolate does — and the isolate is one memory-corruption bug from defeat. IronCurtain Code Mode runs agent TypeScript in a V8 isolate (isolated-vm) with per-call fuel and memory limits. The agent holds FAKE keys; the REAL keys live in the proxy's host process. The isolation between them is the only thing preventing a compromised agent from reaching the real credentials. V8 and isolated-vm have a history of sandbox-escape CVEs (type confusion, bounds errors, JIT bugs, GC edge cases). An isolate escape is the path from 'compromised agent' to 'real credentials' — and it defeats the strongest primitive in the course. This is an escape-path analysis (the course does not teach V8 exploitation), measured as a dependency-CVE audit: is the deployed version current? Are there known escape CVEs? The prescription treats the isolate as one layer among several, not the load-bearing boundary.
Escalation fatigue is the deterministic analogue of CrabTrap's latency/cost pressure — a human fatigued into rubber-stamping is as steerable as a judge. IronCurtain escalates edge cases (ambiguous tool calls) to a human (terminal mux, Signal). The human is the probabilistic component the deterministic design cannot eliminate. An attacker generates ambiguous tool calls to flood the escalation channel; under volume fatigue, contextual fatigue (approve-by-analogy, missing the difference), and timing fatigue, the human's allow decisions degrade into rubber-stamping. This is the same structural property as SDD-B04 Break 3: a defense expensive to honor (in human attention) is a defense the human defeats. Measured via a fatigue simulator (approval-rate delta rested vs fatigued, e.g. 4%→31%). Rate-limiting, batching, and the two-person rule bound the residual but do not eliminate it.
The prescription is layered, not a swap — and this is B2's thesis completed: no single layer suffices, not even IronCurtain. SDD-B03 measured that layered defenses reach single-digit injection rates. SDD-B04 demonstrated CrabTrap has residuals and prescribed the deterministic-first fix. SDD-B05 completes the argument: even IronCurtain, the strongest single defense, has structural residuals (compilation fidelity, isolate boundary, escalation fatigue) that are properties of any single-layer defense, not implementation bugs. The four-layer prescription keeps the deterministic runtime (strongest single layer) and layers around it: (1) human review gate for the compilation residual; (2) sandbox defense-in-depth (isolate→seccomp/capability→egress) for the isolate residual; (3) escalation rate-limiting for the fatigue residual; (4) a probabilistic second layer (LLM-as-judge for escalated cases ONLY, positioned AFTER deterministic) for ambiguous cases. Each layer addresses a residual the others leave. No single layer is load-bearing; each is a backstop.