// four exhibits · one control
The lab
The claim: a guardrail that lives in the model's judgment fails, and a
guardrail that lives in deterministic server code holds. Each exhibit here
tests that claim a different way. One maps the attack surface, one is a real
server on the public internet, one walks defenses up a control ladder until
they fall, and one puts two path matchers side by side to rule on the same
request.
// exhibits
01
live server · workers ai · path traversal
My résumé is an MCP server
A public MCP server, live at mcp.apkasture02.workers.dev,
serves my résumé through real tools. Talk the Workers-AI agent into
traversing to the inert canary: the naive build leaks it, the hardened
build refuses at a canonicalize-then-confine check a few lines long. A
live scoreboard counts the leaks by rung.
02
indirect injection · live model · L0→L3
Break this server
You don't command the agent, you write the support ticket it reads. Hide
an instruction in that data and make a live model fire a refund it was
never asked to. Prompt defenses fall; the capability gate at L3 holds.
03
reference · owasp 2026
The OWASP Agentic Top 10
Ten risks, each a prism with three faces: the attack, the server-side
control that prevents it, and the signal that tells you the control
failed. This is the map the other exhibits run on.
04
glob vs regex · path allowlist
The wildcard that spans a slash
A path allowlist written as the glob /files/* approves
/files/../../etc/passwd, because * matches
across a slash. Type a path and watch a naive fnmatch glob
and an anchored ^/files/[^/]+$ rule on it side by side.