Skip to content

Reading Evidence

AIT separates operation, targeting, and validation.

Operate

Seam records what crossed an intercept. A passive record means Seam observed and forwarded traffic without mutation. A rewrite record contains before, after, and rule_applied.

Use transcript inspection and verification before drawing conclusions:

seam transcript inspect --transcript out.json --schema agentic-redteam/schema/transcript.schema.json

Map

meshmapper emits deterministic graph hypotheses. These are intentionally unvalidated:

  • privilege_laundering
  • confused_deputy
  • injection_propagation
  • trust_spoof

A hypothesis is useful when it points to a route, trust gap, or high-privilege sink that the operator can attack with Seam or validate with Assay.

Validate Impact

Assay validates a differential claim only when an oracle observes a side effect. Agent self-report, status text, and claims inside the transcript are not enough.

For laundering cases, the core signal is:

direct successes = 0
laundered successes > 0
method.delta_confirmed = true

Confidence intervals summarize repeated trials. They do not convert agent claims into evidence; they only describe the observed oracle outcomes.

Reports

Reports should show:

  • oracle observation summaries
  • route and framing stats
  • transcript refs and hashes
  • graph refs and hypothesis ids
  • rule ids and rewrite summaries

Reports should not dump raw_b64 payloads by default. Use the raw transcript when you are handling it as operator evidence.