Skip to content

Seam Profiles

Profiles are optional operator presets. They are not authorization mechanisms, and they do not replace the low-level flags on seam tap, seam proxy, seam stdio, or seam api.

The authoritative controls remain explicit flags:

  • --allow-remote-listen
  • --allow-remote-intercept
  • --allow-redirects
  • --api-token or SEAM_API_TOKEN

When seam profile run expands a profile and the operator also supplies a conflicting flag, the explicit flag wins and Seam warns. This keeps profiles ergonomic without making them a hidden policy layer.

Built-In Manifests

Profile manifests live under agentic-redteam/seam/profiles/.

Profile Intent Default posture
local-safe Local capture and rewrite on one workstation. Loopback data plane and API, redirects off, token optional.
authorized-range Remote data-plane operation on an explicitly authorized range. Remote data plane opt-ins present, API still loopback, token recommended.
lab Deterministic local AIT labs. Loopback, redirects off, packaged transcript schema path.

Equivalent Direct Commands

local-safe is equivalent to explicit low-level flags such as:

seam proxy \
  --listen 127.0.0.1:8400 \
  --upstream http://127.0.0.1:8500 \
  --rules rules/ \
  --transcript rewrite.json \
  --schema schemas/transcript.schema.json

authorized-range is intentionally noisy because it exposes a data-plane listener:

seam proxy \
  --listen 0.0.0.0:8400 \
  --allow-remote-listen \
  --upstream http://10.10.0.25:8500 \
  --rules rules/ \
  --transcript rewrite.json \
  --schema schemas/transcript.schema.json

For API-managed intercepts, the same idea is split across the API process and the requested intercept:

export SEAM_API_TOKEN="$(openssl rand -hex 24)"
seam api --listen 127.0.0.1:8401 --api-token "$SEAM_API_TOKEN" \
  --allow-remote-intercept \
  --transcript api.json \
  --schema schemas/transcript.schema.json

Assay can then call the protected API with:

assay run --case cases/refund_tripwire.yaml \
  --seam http://127.0.0.1:8401 \
  --seam-token "$SEAM_API_TOKEN" \
  --out finding.json

Capability Contract

Hardening must preserve offensive capability:

Capability Hardened default Explicit opt-in
Local tap / proxy Works on loopback. None needed.
SSE / WebSocket capture and rewrite Works for complete decoded messages. None needed.
MCP stdio tap/proxy Works through subprocess wrapping. None needed.
API /deliver Works on loopback API. Token if configured by operator.
Remote data-plane bind Rejected. --allow-remote-listen.
API-created remote intercept Rejected. --allow-remote-intercept.
Upstream redirects Returned to caller, not followed by Seam. --allow-redirects.
Protected API Token accepted from --api-token or SEAM_API_TOKEN. Assay uses --seam-token or SEAM_API_TOKEN.
Offensive rule packs Still rewrite complete eligible messages. Rules selected by --rules.

The contract is tested with local transport fixtures, token-protected fake Seam APIs, and profile manifest validation.