Seam Operator Handbook¶
Seam is the live offensive instrument in AIT. It sits in path, decodes agent traffic, optionally rewrites complete messages, and writes hash-chained transcripts for later graphing and proof.
Mental Model¶
| Mode | Use it when | Mutates traffic |
|---|---|---|
tap |
You need passive capture over HTTP, SSE, or WebSocket. | No |
proxy |
You need active rewrite over complete decoded HTTP/SSE/WebSocket messages. | Yes |
stdio tap |
You need to observe a local MCP stdio server. | No |
stdio proxy |
You need to rewrite complete MCP JSON-RPC stdio lines. | Yes |
api |
Assay or a workbench needs to start an intercept and call /deliver. |
Optional |
robustness run |
You need repeated fixture survival checks. | Scenario-dependent |
Fast Operator Loop¶
- Run
seam doctorfrom the release or repo. - List and explain the rule you intend to use.
- Test the rule against a fixture.
- Start
proxyorstdio proxy. - Tail the transcript while traffic flows.
- Inspect and verify the transcript.
- Hand the transcript to meshmapper or reference it from Assay.
seam doctor
seam rules list --rules rules/
seam rules explain --rules rules/ --rule a2a_prompt_laundering_replace
seam rules test --rules rules/a2a_message_part_insert.yaml \
--fixture examples/a2a-message-send.json \
--expect-rule a2a_message_part_insert
seam session tail --transcript rewrite.json --limit 5
seam transcript inspect --transcript rewrite.json --schema schemas/transcript.schema.json --decoded
seam transcript verify --transcript rewrite.json --schema schemas/transcript.schema.json
For every command and flag, use the command reference. For rule authoring, start with Rules and the shipped files under rules/.
What Counts As Evidence¶
Seam evidence is traffic evidence:
- raw bytes are preserved as
raw_b64 - rewrite records contain
before,after, andrule_applied - records are chained with
prev_hashandhash - schema validation happens on write and offline verify
Seam does not prove a side effect happened. Use Assay when the claim depends on whether the target actually performed an action.
Complete-Message Rule¶
Seam rewrites only complete decoded application messages. It does not mutate passive tap traffic, TLS it cannot see, WebSocket handshakes, HTTP upgrades, stdio stderr, or arbitrary partial chunks.
That boundary is useful offensively: if a rule fires, the transcript shows the complete message Seam changed.