Professional Range Deployment
The range track is the professional deployment path for AIT. It keeps the fast Docker Lab L6 demo intact, then adds Ludus/Proxmox-backed range profiles for research, training, and presentations where operators can see traffic cross host and subnet boundaries.
Use the paths this way:
| Path | Best For | Shape |
|---|---|---|
| Docker L6 | first proof, local demos, CI smoke | one host, Docker services, host-run Seam |
| Ludus | reusable cyber range, workshops, shared demos | selectable compact, standard, or full-split VM profile |
| Raw Proxmox | custom homelab and lower-level control | OpenTofu/Terraform-style VM templates plus Ansible |
R2 Profile Choice
Not every service needs its own VM by default. R2 uses three profiles:
| Profile | VM Count | Purpose |
|---|---|---|
| compact | 2 | operator VM plus one combined target VM for small hosts |
| standard | 4 | recommended default: operator, support/planner, services, privileged sink |
| full-split | 8 | one VM per role plus dedicated Seam intercept VM for isolation and workshops |
Start with standard. Move down to compact when capacity matters. Move up to
full-split when the point of the exercise is VM-level isolation or a routed
intercept demonstration.
The range artifact contract stays the same as local labs:
- Seam transcripts
- meshmapper graph and paths
- Assay finding
- robustness bundle
- rendered report
- tripwire/oracle evidence
- service logs
- AIT cockpit run manifest
Range Workflows
The professional range must support three independent workflows:
- Seam-only operation: route traffic through one or more Seam proxies, watch A2A/MCP/memory traffic in the cockpit, and rewrite fields live.
- Mapping pass: ingest the captured transcripts plus Agent Cards, MCP tools/list, endpoint inventories, and configs into meshmapper, then inspect suggested attack paths.
- Optional validation: run Assay only for claims that need oracle-backed impact evidence, regression checks, or research metrics.
This keeps the range useful for field-style testing as well as controlled research. A demo can stop after Seam if the goal is traffic manipulation, stop after meshmapper if the goal is target selection, or continue to Assay if the result needs a finding and report.
Exercise Packs
Range exercises package the same offensive techniques as local demo packs for
compact, standard, and full-split profiles.
```bash
python3 -m ait.cli range exercise list

python3 -m ait.cli range exercise plan \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus

python3 -m ait.cli range exercise run \
  --exercise memory-context-propagation \
  --profile compact \
  --provider docker
```
Initial descriptors cover A2A content rewrite, MCP tool-result injection, memory/context propagation, and negative controls. Ludus and raw Proxmox providers produce a range run plan and artifact directory; the Docker provider points at the matching local demo pack for quick iteration.
R2 automation splits the lifecycle into explicit provider actions. These are dry-run safe by default for Ludus and raw Proxmox/OpenTofu; real apply/destroy requires an explicit provider script flag.
```bash
python3 -m ait.cli range exercise check \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus

python3 -m ait.cli range exercise execute \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus

python3 -m ait.cli range exercise collect \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus

python3 -m ait.cli range exercise reset \
  --exercise a2a-content-rewrite \
  --profile standard \
  --provider ludus
```
Each action stores provider, profile, command, exit status, logs, collected artifacts, and reset state in the standard AIT run layout. That means a range exercise can still be opened in the cockpit alongside local Docker runs.
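The four actions above can be chained so that a failed check blocks execution and the range is still collected and reset after a failed execute. This wrapper is an added example, not part of AIT. It assumes the actions run in the order listed and that the CLI exits non-zero on failure; `ait_cli`, `range_action`, and `run_lifecycle` are hypothetical names.

```shell
#!/usr/bin/env bash
# Added example: check -> execute -> collect -> reset as one guarded sequence.
# Assumptions: actions run in this order; the CLI exits non-zero on failure.

# Thin indirection so the CLI call can be swapped out (for example by a stub).
ait_cli() {
  python3 -m ait.cli "$@"
}

# range_action ACTION EXERCISE PROFILE PROVIDER
range_action() {
  ait_cli range exercise "$1" --exercise "$2" --profile "$3" --provider "$4"
}

# run_lifecycle EXERCISE PROFILE PROVIDER
# Returns 0 only if every action succeeded, otherwise the status of the
# first action that failed.
run_lifecycle() {
  local exercise="$1" profile="$2" provider="$3"
  local rc=0 status=0 action

  # Gate: never execute against a range that fails its pre-flight check.
  range_action check "$exercise" "$profile" "$provider" || {
    rc=$?
    echo "check failed (status $rc); nothing executed" >&2
    return "$rc"
  }

  range_action execute "$exercise" "$profile" "$provider" || rc=$?

  # Collect and reset even when execute failed: the evidence is kept and
  # the range does not carry modified state into the next exercise.
  for action in collect reset; do
    status=0
    range_action "$action" "$exercise" "$profile" "$provider" || status=$?
    if [ "$status" -ne 0 ]; then
      echo "$action failed (status $status)" >&2
      [ "$rc" -ne 0 ] || rc=$status
    fi
  done
  return "$rc"
}

# Run only when given the three arguments, e.g.:
#   ./range_lifecycle.sh a2a-content-rewrite standard ludus
if [ "$#" -eq 3 ]; then
  run_lifecycle "$@"
fi
```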
Current Local View
Before building a range, use the local cockpit path to see the current operator experience.
```bash
python3 -m ait.cli demo full-agent-mesh \
  --scenario content_rewrite \
  --trials 1 \
  --serve-live \
  --listen 127.0.0.1:8788
```
Open:
http://127.0.0.1:8788
Range Milestones
- R1 Range Lab: scaffold topology, Ansible roles, docs, and demo scripts.
- R2 Ludus Range Pack: package compact, standard, and full-split Ludus profiles with deploy/check/reset/collect scripts.
- R3 Raw Proxmox/OpenTofu Pack: lower-level VM templates, profile tfvars, inventory generation, and plan/apply/destroy wrappers for non-Ludus users.
- R4 Multi-Scenario Exercises: content rewrite, MCP result injection, memory poisoning, trust spoof, and approval-gate exercises.
- D2 Demo Media Pack: asciinema casts and VHS scripted clips for docs and presentations.
References
- Ludus: Proxmox-backed cyber ranges configured from YAML and provisioned with automation.
- Ansible: shared provisioning layer for operator hosts, services, schemas, rules, and artifacts.
- asciinema and VHS: reproducible terminal recordings for demos and docs.