"What is IronCurtain's central security thesis?" 'The agent is untrusted; security does not depend on the model being good.' Created by Niels Provos (veteran security researcher, formerly Google). Wraps the entire agent in a secure runtime with credential quarantine and deterministic policy enforcement. 550 stars, TypeScript/Node, Apache-2.0. harness-engineering::dd20::recall "Explain the credential quarantine mechanism." The agent runs in a network-less Docker container holding ONLY fake API keys. A TLS-terminating MITM proxy hot-swaps fake keys for real ones at the boundary. Responses are scrubbed of key reflections. The agent NEVER holds real credentials. Even a fully compromised agent cannot exfiltrate credentials it doesn't have. harness-engineering::dd20::recall "How does IronCurtain's constitution pipeline work?" Plain English constitution.md → [Annotate (classify args by role)] → [Compile (English→if/then)] → [Resolve Lists (@symbols→values)] → [Generate Scenarios (test cases)] → [Verify & Repair (LLM judge, max 2 rounds)] → compiled-policy.json. BUILD FAILS if unverifiable. LLM at BUILD time only; ZERO LLM at runtime. harness-engineering::dd20::recall "Why does IronCurtain reject LLM-as-judge at runtime?" LLMs are stochastic — they can be manipulated by prompt injection. Security policy must be deterministic. IronCurtain uses LLM only at build time to compile policy, then enforces with pure if/then at runtime. This is the direct counterpoint to CrabTrap's probabilistic approach. harness-engineering::dd20::analysis "What is the honest tradeoff between IronCurtain and CrabTrap?" CrabTrap: probabilistic enforcement of CORRECT understanding (judge understands each request). IronCurtain: deterministic enforcement of POSSIBLY-INCORRECT compilation (rule compiled once, enforced forever). CrabTrap is bypassable at runtime; IronCurtain could bake in a wrong rule at build time. Verify-and-repair mitigates but doesn't eliminate this. harness-engineering::dd20::analysis "What are IronCurtain's hardcoded structural invariants?" Agent can NEVER: modify its own policy files, modify audit logs, modify configuration. Symlink-aware path resolution prevents traversal/escape. Append-only JSONL audit log. Token/step/time/cost budgets. These cannot be overridden by the constitution. harness-engineering::dd20::recall "What enforcement decisions can IronCurtain make per tool call?" Three: Allow (rule matches allow pattern), Deny (default, no allow-rule match), Escalate (pause agent, prompt human via terminal mux a/d/w or Signal on mobile). Optional LLM auto-approver handles unambiguous trusted-command cases (e.g., user said 'push' → auto-approve git_push). harness-engineering::dd20::recall "What are IronCurtain's 2B attack surfaces?" (1) Compilation fidelity — trick the build-time LLM into compiling a wrong rule (2) V8 isolate boundary — escape the JavaScript sandbox (3) Escalation fatigue — flood human with approval requests until they auto-approve. The credential quarantine is the hardest to attack — agent has no real keys to leak. harness-engineering::dd20::analysis