Seam Profiles¶
Profiles are optional operator presets. They are not authorization mechanisms, and they do not replace the low-level flags on seam tap, seam proxy, seam stdio, or seam api.
The authoritative controls remain explicit flags:
--allow-remote-listen--allow-remote-intercept--allow-redirects--api-tokenorSEAM_API_TOKEN
When seam profile run expands a profile and the operator also supplies a conflicting flag, the explicit flag wins and Seam warns. This keeps profiles ergonomic without making them a hidden policy layer.
Built-In Manifests¶
Profile manifests live under agentic-redteam/seam/profiles/.
| Profile | Intent | Default posture |
|---|---|---|
local-safe |
Local capture and rewrite on one workstation. | Loopback data plane and API, redirects off, token optional. |
authorized-range |
Remote data-plane operation on an explicitly authorized range. | Remote data plane opt-ins present, API still loopback, token recommended. |
lab |
Deterministic local AIT labs. | Loopback, redirects off, packaged transcript schema path. |
Equivalent Direct Commands¶
local-safe is equivalent to explicit low-level flags such as:
seam proxy \
--listen 127.0.0.1:8400 \
--upstream http://127.0.0.1:8500 \
--rules rules/ \
--transcript rewrite.json \
--schema schemas/transcript.schema.json
authorized-range is intentionally noisy because it exposes a data-plane listener:
seam proxy \
--listen 0.0.0.0:8400 \
--allow-remote-listen \
--upstream http://10.10.0.25:8500 \
--rules rules/ \
--transcript rewrite.json \
--schema schemas/transcript.schema.json
For API-managed intercepts, the same idea is split across the API process and the requested intercept:
export SEAM_API_TOKEN="$(openssl rand -hex 24)"
seam api --listen 127.0.0.1:8401 --api-token "$SEAM_API_TOKEN" \
--allow-remote-intercept \
--transcript api.json \
--schema schemas/transcript.schema.json
Assay can then call the protected API with:
assay run --case cases/refund_tripwire.yaml \
--seam http://127.0.0.1:8401 \
--seam-token "$SEAM_API_TOKEN" \
--out finding.json
Capability Contract¶
Hardening must preserve offensive capability:
| Capability | Hardened default | Explicit opt-in |
|---|---|---|
Local tap / proxy |
Works on loopback. | None needed. |
| SSE / WebSocket capture and rewrite | Works for complete decoded messages. | None needed. |
| MCP stdio tap/proxy | Works through subprocess wrapping. | None needed. |
API /deliver |
Works on loopback API. | Token if configured by operator. |
| Remote data-plane bind | Rejected. | --allow-remote-listen. |
| API-created remote intercept | Rejected. | --allow-remote-intercept. |
| Upstream redirects | Returned to caller, not followed by Seam. | --allow-redirects. |
| Protected API | Token accepted from --api-token or SEAM_API_TOKEN. |
Assay uses --seam-token or SEAM_API_TOKEN. |
| Offensive rule packs | Still rewrite complete eligible messages. | Rules selected by --rules. |
The contract is tested with local transport fixtures, token-protected fake Seam APIs, and profile manifest validation.