Skip to content

Seam Operator Handbook

Seam is the live offensive instrument in AIT. It sits in path, decodes agent traffic, optionally rewrites complete messages, and writes hash-chained transcripts for later graphing and proof.

Mental Model

Mode Use it when Mutates traffic
tap You need passive capture over HTTP, SSE, or WebSocket. No
proxy You need active rewrite over complete decoded HTTP/SSE/WebSocket messages. Yes
stdio tap You need to observe a local MCP stdio server. No
stdio proxy You need to rewrite complete MCP JSON-RPC stdio lines. Yes
api Assay or a workbench needs to start an intercept and call /deliver. Optional
robustness run You need repeated fixture survival checks. Scenario-dependent

Fast Operator Loop

  1. Run seam doctor from the release or repo.
  2. List and explain the rule you intend to use.
  3. Test the rule against a fixture.
  4. Start proxy or stdio proxy.
  5. Tail the transcript while traffic flows.
  6. Inspect and verify the transcript.
  7. Hand the transcript to meshmapper or reference it from Assay.
seam doctor
seam rules list --rules rules/
seam rules explain --rules rules/ --rule a2a_prompt_laundering_replace
seam rules test --rules rules/a2a_message_part_insert.yaml \
  --fixture examples/a2a-message-send.json \
  --expect-rule a2a_message_part_insert
seam session tail --transcript rewrite.json --limit 5
seam transcript inspect --transcript rewrite.json --schema schemas/transcript.schema.json --decoded
seam transcript verify --transcript rewrite.json --schema schemas/transcript.schema.json

For every command and flag, use the command reference. For rule authoring, start with Rules and the shipped files under rules/.

What Counts As Evidence

Seam evidence is traffic evidence:

  • raw bytes are preserved as raw_b64
  • rewrite records contain before, after, and rule_applied
  • records are chained with prev_hash and hash
  • schema validation happens on write and offline verify

Seam does not prove a side effect happened. Use Assay when the claim depends on whether the target actually performed an action.

Complete-Message Rule

Seam rewrites only complete decoded application messages. It does not mutate passive tap traffic, TLS it cannot see, WebSocket handshakes, HTTP upgrades, stdio stderr, or arbitrary partial chunks.

That boundary is useful offensively: if a rule fires, the transcript shows the complete message Seam changed.