Module TAU-SEC — tau-security — The Base Harness

tau-security — The Base Harness

Turning a coding agent into a security agent: the four-part transformation that makes the course thesis concrete.

90
minutes
8
artifacts
5
sub-sections
tau-security is a companion package to tau (github.com/huggingface/tau) that wraps tau's AgentHarness as a security agent. Same brain, different tools, hard-wired scope enforcement, and a tamper-evident evidence chain fed by the event stream. It is the base harness students build on throughout Course 2A — the running system that turns the architecture concepts from S01 into a real, inspectable, testable security harness.
Key Claims
Load-Bearing Claims

The model is 1.6% of the system, the harness is the other 98.4%. tau-security proves this by making four changes to a coding agent (system prompt, tools, scope, evidence) and none of them touch the model, the agent loop, or the session layer. The transformation is entirely in the harness.

Scope enforcement is structural, not advisory. Every security tool's executor calls assert_in_scope() before touching a target. The model cannot bypass it — an out-of-scope target returns a blocked result that never executes. This is the difference between 'don't scan that' (prompt) and 'you cannot scan that' (code).

The evidence chain is what separates a harness from a scanner. Every tool execution produces an Evidence record with a SHA-256 hash, chained to the previous record for tamper-evidence. A scanner finds things; a harness proves things to a client, a program, or a court.

tau-security is a teaching artifact, not a production tool. ~1,500 lines of source, readable in an hour. CAI and Heimdallr are production systems — powerful but opaque. tau-security is simple but transparent. Students read it, extend it, and understand every decision.

After This Module
01
Understand tau's three-layer architecture and how tau-security sits beside tau_coding as a sibling package.
02
Explain the four-part transformation: system prompt, tools, scope enforcement, evidence chain — and why none of them touch the agent brain.
03
Trace the scope enforcement path from tool call through assert_in_scope to blocked result or evidence-captured execution.
04
Read and understand the evidence chain: SHA-256 hashing, chain hashing for tamper-evidence, and verify_integrity().
05
Configure and run a SecurityHarness against a real target, interpret the event stream, and generate a client-ready report.
06
Write a custom security tool as an AgentTool following the tau-security pattern.
Artifacts