FIND EVIL! defensive build · vøiddo
an incident agent that refuses unsupported claims.
TraceLock reads case events, forms initial findings, runs a self-correction pass to corroborate or promote each finding, and hashes every piece of evidence. Nothing is confirmed without two corroborating events.
4 reproducible cases
four threat classes, four independent agent runs.
agent output · evidence-backed only
confirmed findings carry sha256 evidence hashes.
every "confirmed" finding references at least two corroborating events. "needs-corroboration" findings are raised but not reported as confirmed — the agent explicitly refuses to promote findings it cannot back.
execution trace
every tool call is logged and timestamped.
the agent cannot make a finding without logging the tool call that produced it. logs are included in the accuracy report output.
defensive guardrails
no destructive tools, no unsafe actions.
the harness exposes read-only tools only. the agent cannot delete, modify, or exfiltrate case data. every run includes an integrity block: writes_to_case: false, destructive_tools_exposed: false, and a sha256 of the input case file to prove the case was not modified during analysis.
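the two-event corroboration rule and the integrity block described above, sketched as an added example (not TraceLock's own code): `classify` confirms a finding only when two distinct events present in the case back it, and `analyze` re-hashes the case file after the run. the case layout, the `TOOLS` registry, the `case_sha256` key and the sample data are assumptions; `writes_to_case` and `destructive_tools_exposed` are the page's field names.

```python
import hashlib, json, os, tempfile

MIN_CORROBORATION = 2  # page rule: a confirmed finding needs two corroborating events
# Hypothetical tool registry: name -> read_only flag (names are assumptions).
TOOLS = {"read_events": True, "search_events": True}

# Constructed sample case (layout is an assumption), not real incident data.
SAMPLE_CASE = {"events": [
    {"id": "e1", "ts": "2024-01-01T10:00:00Z", "msg": "failed login for admin from 198.51.100.7"},
    {"id": "e2", "ts": "2024-01-01T10:00:05Z", "msg": "successful login for admin from 198.51.100.7"},
    {"id": "e3", "ts": "2024-01-01T10:02:00Z", "msg": "new scheduled task created by admin"},
]}
SAMPLE_FINDINGS = [
    {"claim": "suspicious admin login", "event_ids": ["e1", "e2"]},
    {"claim": "persistence via scheduled task", "event_ids": ["e3", "e3", "e9"]},
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(finding: dict, events: dict) -> dict:
    # Duplicate ids and ids absent from the case do not count as corroboration.
    ids = sorted({i for i in finding["event_ids"] if i in events})
    status = "confirmed" if len(ids) >= MIN_CORROBORATION else "needs-corroboration"
    evidence = [{"event_id": i,
                 "sha256": sha256_hex(json.dumps(events[i], sort_keys=True).encode())}
                for i in ids]
    return {"claim": finding["claim"], "status": status, "evidence": evidence}

def analyze(case_path: str, findings: list) -> dict:
    with open(case_path, "rb") as fh:  # read-only handle on the case file
        raw = fh.read()
    before = sha256_hex(raw)
    events = {e["id"]: e for e in json.loads(raw)["events"]}
    results = [classify(f, events) for f in findings]
    with open(case_path, "rb") as fh:  # re-hash after analysis to detect modification
        after = sha256_hex(fh.read())
    return {"findings": results,
            "integrity": {"writes_to_case": before != after,
                          "destructive_tools_exposed": not all(TOOLS.values()),
                          "case_sha256": before}}

def demo() -> dict:
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(SAMPLE_CASE, fh)
    try:
        return analyze(fh.name, SAMPLE_FINDINGS)
    finally:
        os.unlink(fh.name)
```

the second sample finding cites one real event twice plus an id that is not in the case, so it stays at "needs-corroboration" with a single evidence hash.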
system design
evidence ladder — full architecture.
six components, one defensive boundary. every finding is evidence-backed before it leaves the self-correction loop.