tau-security — The Base Harness
Turning a coding agent into a security agent: the four-part transformation that makes the course thesis concrete.
The model is 1.6% of the system, the harness is the other 98.4%. tau-security proves this by making four changes to a coding agent (system prompt, tools, scope, evidence) and none of them touch the model, the agent loop, or the session layer. The transformation is entirely in the harness.
Scope enforcement is structural, not advisory. Every security tool's executor calls assert_in_scope() before touching a target. The model cannot bypass it — an out-of-scope target returns a blocked result that never executes. This is the difference between 'don't scan that' (prompt) and 'you cannot scan that' (code).
The evidence chain is what separates a harness from a scanner. Every tool execution produces an Evidence record with a SHA-256 hash, chained to the previous record for tamper-evidence. A scanner finds things; a harness proves things to a client, a program, or a court.
tau-security is a teaching artifact, not a production tool. ~1,500 lines of source, readable in an hour. CAI and Heimdallr are production systems — powerful but opaque. tau-security is simple but transparent. Students read it, extend it, and understand every decision.