The lab

The claim: a guardrail that lives in the model's judgment fails, and a guardrail that lives in deterministic server code holds. Each exhibit here tests that claim a different way. One maps the attack surface, one is a real server on the public internet, one walks defenses up a control ladder until they fall, and one puts two path matchers side by side to rule on the same request.

01 live server · workers ai · path traversal

My résumé is an MCP server

A public MCP server, live at mcp.apkasture02.workers.dev, serves my résumé through real tools. Talk the Workers-AI agent into traversing to the inert canary: the naive build leaks it, the hardened build refuses at a canonicalize-then-confine check a few lines long. A live scoreboard counts the leaks by rung.

02 indirect injection · live model · L0→L3

Break this server

You don't command the agent, you write the support ticket it reads. Hide an instruction in that data and make a live model fire a refund it was never asked to. Prompt defenses fall; the capability gate at L3 holds.

03 reference · owasp 2026

The OWASP Agentic Top 10

Ten risks, each a prism with three faces: the attack, the server-side control that prevents it, and the signal that tells you the control failed. This is the map the other exhibits run on.

04 glob vs regex · path allowlist

The wildcard that spans a slash

A path allowlist written as the glob /files/* approves /files/../../etc/passwd, because * matches across a slash. Type a path and watch a naive fnmatch glob and an anchored ^/files/[^/]+$ rule on it side by side.