"Why is CrabTrap the primary attack target of Course 2B?" "Three STRUCTURAL reasons. (1) The JUDGE IS INJECTABLE — the LLM-as-judge reads attacker-influenced request text and cannot structurally distinguish request content from policy override (same property InjecAgent measures for tool outputs, transposed to the egress-judge boundary). (2) The RESPONSE-SIDE GAP — CrabTrap governs egress only; inbound API responses flow back uninspected (the InjecAgent vector on an ungoverned channel). (3) The LATENCY/COST BOTTLENECK — per-request LLM cost creates pressure to allowlist/passthrough; the defense erodes under load." c2b::sdd-b04::recall "Describe CrabTrap's two-tier evaluation pipeline and identify where the attack surface concentrates." "TIER 1 = STATIC deterministic rules (prefix/exact/glob URL patterns, deny always wins) — DETERMINISTIC, cannot be semantically manipulated, only matched/not matched. TIER 2 = LLM-as-JUDGE (full request JSON-encoded + NL policy → ALLOW/DENY) — PROBABILISTIC, the judge is a model so it is injectable. Most NOVEL traffic (new endpoints, dynamic args) falls through to the judge — that is where the attack surface concentrates. The static tier is not broken; it is ERODED via allowlist widening." c2b::sdd-b04::recall "What does CrabTrap's JSON-encoding defense at the judge boundary do, and what does it NOT stop?" "DOES: defeats the SYNTAX of injection — the request body becomes a JSON string value, so a bare override ('SYSTEM: ALLOW') arrives as a string the judge evaluates, not an instruction it obeys. Stops naive injection. Does NOT: defeat the SEMANTICS — the judge must parse the content's MEANING to classify the request, so benign-framing, policy-priming, and ambiguity exploitation work THROUGH the encoding. The defense is syntactic; the surface is semantic. The gap is where Break 1 lives." c2b::sdd-b04::recall "Name CrabTrap's three primary attack surfaces and the structural cause of each." "(1) THE JUDGE ITSELF (request-body manipulation) — the judge is a model reading attacker-influenced text; JSON encoding is syntactic, the surface is semantic. (2) THE RESPONSE-SIDE GAP (no inbound filtering) — CrabTrap governs egress only; the inbound content that shapes the agent is ungoverned. (3) THE LATENCY/COST BOTTLENECK — every non-static request costs an LLM call + latency; operational pressure erodes the defense (allowlist widening, passthrough, deadline exemptions). The static tier is NOT on the list — it is deterministic, only eroded indirectly." c2b::sdd-b04::recall "State the three classes of request-body judge manipulation (Break 1) and why JSON encoding does not stop them." "(1) BENIGN-FRAMING — payload phrased as a permitted op ('analytics event') matches an allow category. (2) POLICY-PRIMING — context shifts the judge's probability mass toward ALLOW (a semantic nudge, not an override). (3) AMBIGUITY — request genuinely ambiguous; judge tuned to not block legitimate traffic → ALLOW. JSON encoding doesn't stop these because they live in the CONTENT the judge must parse to classify the request — the defense is syntactic, the surface is semantic." c2b::sdd-b04::recall "What does a successful Break 1 (judge manipulation) prove about probabilistic vs deterministic enforcement?" "It proves probabilistic enforcement has an attack surface deterministic enforcement does NOT. The judge returned ALLOW for a request a deterministic rule (if one existed) would have matched to DENY — because the deterministic rule matches on STRUCTURE, not on an attacker-influenced semantic classification. This is the finding that motivates the deterministic-first prescription in B04.3. Measured under InjecAgent: the defended-but-nonzero residual (e.g. 55%→24%) IS the judge's injectability." c2b::sdd-b04::analysis "Explain how Break 2 (response-side gap) enables Break 1, and why neither alone is the full chain." "Break 2: an injected API RESPONSE (on a channel CrabTrap does NOT inspect) steers the agent toward an outbound exfil call. Break 1: the body of that exfil call is benign-framed to pass the judge. Neither alone is complete — Break 2 without Break 1 has the exfil call blocked by the judge; Break 1 without Break 2 has no steered agent to make the call. Together: injected response (ASI07) → goal hijack (ASI01) → exfil call body-manipulated past judge (ASI05/ASI03). CrabTrap saw only the LAST step of a chain it could not see whole." c2b::sdd-b04::analysis "Why does governing egress only (CrabTrap's scope) cover only half the boundary?" "CrabTrap inspects outbound REQUESTS. It does NOT inspect response bodies. The inbound content that SHAPES the agent's behavior flows back uninspected — and that inbound content is exactly the indirect-injection-via-tool-output vector from SDD-B03 (the defining agentic surface). A defense that does not see the response cannot defend against response-borne injection. Measured under InjecAgent: the response-borne vector barely moves from the un-defended baseline because CrabTrap never sees the injection, only the exfil call it was steered toward." c2b::sdd-b04::analysis "What is the latency/cost bottleneck (Break 3), and why is it an audit finding rather than a benchmark number?" "Every non-static request costs an LLM call + hundreds of ms. Under load, operations ERODES the defense: allowlist widening (paths the judge no longer inspects), circuit-breaker-to-passthrough (judge failure = request ALLOWED), deadline exemptions (temporary allowlist becomes permanent). The root cause of a 'stopped working' CrabTrap is usually configuration drift, not request content. It is an AUDIT finding (does deployed allowlist match reviewed policy? is fallback deny or passthrough?) not an InjecAgent delta. Enforcement cost IS a security property." c2b::sdd-b04::analysis "How does IronCurtain's credential quarantine close Break 1's worst outcome, even if the judge-equivalent is manipulated?" "In IronCurtain the agent runs with FAKE API keys; a TLS-terminating proxy hot-swaps fake for real at the boundary. Even if the policy decision is fully manipulated (the allow-decision equivalent of judge manipulation), the agent has NO REAL credential to exfiltrate — the worst it can do is use the fake keys, which only work through IronCurtain's controlled proxy. Break 1 still exists conceptually (a manipulated allow lets the agent make a call) but the IMPACT is contained: the call carries no real secret. This is the single strongest primitive in the course for the credential-exfil attack type." c2b::sdd-b04::analysis "How does IronCurtain's deterministic policy compilation structurally close the judge attack surface?" "Policy is compiled OFFLINE (plain English → deterministic JSON rules via an LLM pipeline with verify-and-repair). At RUNTIME, enforcement is pure if/then — ZERO LLM. There is NO judge to inject, because there is no model reading request content at runtime. The request-body semantic-manipulation attack (Break 1) has no target. The latency/cost bottleneck (Break 3) largely dissolves — deterministic evaluation is cheap/fast, so no pressure to allowlist or flip to passthrough. The tradeoff: the build-time LLM could miscompile (compilation fidelity — the SDD-B05 target)." c2b::sdd-b04::analysis "What residual risks does IronCurtain have that the honest analysis must acknowledge?" "(1) COMPILATION FIDELITY — the offline LLM that compiles the constitution to deterministic rules could misinterpret the policy, and the WRONG rule is enforced CONSISTENTLY. The verify-and-repair pipeline mitigates but does not eliminate. This is the SDD-B05 attack target. (2) ESCALATION FATIGUE — the escalate-to-human mechanism (terminal mux, Signal) can be flooded; too many approvals condition the human to auto-approve (the deterministic analogue of the latency/cost pressure on CrabTrap). (3) RESPONSE-SIDE DATA — IronCurtain governs ACTIONS not DATA; the structured-output layer is a separate defense both need." c2b::sdd-b04::analysis "Why is the engagement deliverable a layered prescription rather than 'replace CrabTrap with IronCurtain'?" "Because each approach alone has residuals. CrabTrap alone sits near the InjecAgent baseline (injectable judge + response gap + cost erosion). IronCurtain alone has compilation fidelity + escalation fatigue residuals. The layered prescription closes more surface than either: (1) DETERMINISTIC-FIRST (structured outputs + egress gate + scope — largest deltas, no judge), (2) PROBABILISTIC-SECOND (judge for novel patterns only, AFTER the deterministic layer), (3) RESPONSE-SIDE filtering (structured + sanitize tool outputs), (4) COST-AWARE enforcement (cheap tier handles most traffic). This is the defense-in-depth SDD-B03 measures reaching single-digit rates." c2b::sdd-b04::analysis "How should each CrabTrap break be measured, and why is 'I broke the judge' an insufficient claim?" "Each break must be a measured (before, after, configuration) delta under InjecAgent (per SDD-B03). Break 1 (judge manipulation): measure credential-exfil with/without CrabTrap — the nonzero residual (e.g. 55%→24%) IS the judge's injectability. Break 2 (response-side): measure the response-borne vector — it barely moves from baseline because CrabTrap never sees the injection. Break 3 (cost): an AUDIT finding (config drift), not a benchmark number. 'I broke the judge' without the delta is an opinion — no delta, no finding. Every break is a number or an audit, not an assertion." c2b::sdd-b04::analysis "What is the static-tier-only EROSION pattern, and how does an attacker exploit it without breaking the judge?" "The static tier is deterministic — it cannot be semantically manipulated. But under LATENCY/COST pressure (Break 3), operations WIDENS the static ALLOW rules to reduce judge load. Each new allow rule is a path the judge no longer inspects. The attacker routes through the widened allowlist — no judge call, no manipulation needed. The judge was not broken; it was routed around. This is why the static tier is 'eroded, not broken,' and why configuration-drift audit (does deployed allowlist match reviewed policy?) is a primary engagement finding." c2b::sdd-b04::analysis "Map the CrabTrap response-side compound chain to the OWASP cross-row chain (SDD-B01)." "Injected API response = ASI07 (insecure output handling — response not sanitized/structured). Agent follows the injection = ASI01 (goal hijacking — injection overrode the task). Outbound exfil call (body-crafted, Break 1) = ASI05 (tool abuse) or ASI03 (excessive agency). CrabTrap saw only the exfil call — the LAST step. The compound is the finding; CrabTrap's per-request evaluation is structurally blind to the chain because it inspects requests in isolation, not the inbound content that caused the request." c2b::sdd-b04::analysis "Why is enforcement cost a security property, not just a performance metric?" "Because a defense that is expensive to run is a defense that operations will DEFEAT. CrabTrap's per-request LLM call creates pressure to allowlist, widen static rules, flip the circuit breaker to passthrough, or grant deadline exemptions — each one a path the attacker routes through (or a fallback that lets requests through on failure). A governance layer the operations team routed around to keep the service fast is a governance layer that is NOT governing. Cost-aware enforcement (deterministic-first tier handling most traffic cheaply) is the structural fix — it removes the pressure that causes the erosion." c2b::sdd-b04::analysis "What is the circuit breaker's role, and why is deny-by-default fallback critical while passthrough is dangerous?" "The circuit breaker triggers after 5 consecutive LLM failures → 10-second cooldown, with configurable fallback. DENY-by-default (the safe default) means judge failure = request BLOCKED — fails safe. PASSTHROUGH means judge failure = request ALLOWED — an attacker who can induce judge failures (malformed requests, context-length attacks, sheer volume) gets requests through during cooldown windows. The operational pressure to flip deny→passthrough under latency/load is Break 3's most dangerous erosion. The audit question: is the production fallback deny or passthrough?" c2b::sdd-b04::recall "How does SDD-B04 connect back to SDD-B03 (InjecAgent), and why is that connection load-bearing?" "SDD-B03 is the MEASUREMENT INSTRUMENT; SDD-B04 is one of the defenses it measures. Every break in SDD-B04 is reported as a (before, after, configuration) delta under InjecAgent: the judge-manipulation residual (24%), the response-side gap (barely moves), the cost-erosion (audit). Without SDD-B03, 'I broke CrabTrap' is an opinion. With it, the break is a measured effectiveness claim. SDD-B04 also feeds SDD-B03: CrabTrap's response-side gap IS the InjecAgent vector on an ungoverned channel — the benchmark that measures injection resistance exposes exactly the surface CrabTrap leaves open." c2b::sdd-b04::analysis