"What is CrabTrap and what problem does it solve?" An HTTP/HTTPS forward proxy by Brex (Go, MIT, 705 stars) that sits between AI agents and external APIs. Evaluates every outbound request against a natural-language security policy. Allows or blocks (403 + reason). Solves: how do you govern network egress when the agent might be prompt-injected? harness-engineering::dd19::recall "How does CrabTrap's two-tier evaluation work?" Tier 1: static deterministic rules (prefix/exact/glob URL patterns). Deny always wins over allow. Instant, no LLM. Tier 2: if no static match, LLM-as-judge sees full request (JSON-encoded, prompt-injection defense) + NL policy → allow/deny + reason. Circuit breaker: 5 failures → 10s cooldown → deny-by-default. harness-engineering::dd19::recall "What does CrabTrap NOT intercept?" Response bodies (inbound injections from API responses flow unchecked). WebSocket frames (only upgrade request checked). Inbound traffic (not a WAF). Tool calls or filesystem access (purely network egress). Credentials (sees all in cleartext, no isolation). harness-engineering::dd19::analysis "What is the probabilistic vs deterministic enforcement debate?" CrabTrap bets on LLM-as-judge at RUNTIME — flexible but bypassable (prompt injection could manipulate the judge). IronCurtain bets on LLM compiling policy at BUILD time, then enforcing deterministically at runtime with zero LLM — predictable but compilation-fidelity risk. This is the core debate in agent security. harness-engineering::dd19::analysis "What are CrabTrap's two novel engineering features?" (1) Policy Builder: an agentic loop that analyzes observed traffic and drafts NL policies for human review. (2) Eval System: replays historical audit entries against a policy to measure accuracy — regression-testing for security rules. Both are rare and valuable. harness-engineering::dd19::recall "What built-in defenses does CrabTrap ship with?" SSRF protection (blocks RFC1918, loopback, link-local, CGNAT, IPv6 ULA). DNS-rebinding prevention. Per-IP token-bucket rate limiting (50 req/s, burst 100). Prompt-injection defense at judge boundary (JSON encoding). Deny-by-default on judge failure (circuit breaker). harness-engineering::dd19::recall "What is CrabTrap's primary attack surface for Course 2B?" The LLM-as-judge itself. A prompt injection in an outbound request body (JSON-encoded but still semantically interpretable) could manipulate the judge into allowing a malicious call. The response-side gap is worse: an injected API response flows unchecked back to the agent. No tool-call or filesystem governance. harness-engineering::dd19::analysis "How does CrabTrap compare to IronCurtain (DD-20)?" CrabTrap: egress-only, LLM-as-judge at runtime (probabilistic), sees all credentials, production-oriented, Go. IronCurtain: full runtime wrap, LLM compiles policy at build time (deterministic), agent never holds real creds (fake-key swap), research prototype, TypeScript. CrabTrap = narrow+production; IronCurtain = broad+experimental. harness-engineering::dd19::analysis