kepler-runaway-agent — sre-deployed agent scope creep + s3 exfil
Kepler Insurance fictional SRE deploy: read-only S3 enumeration agent drifts into kepler-payments-prod get-object exfil and hourly lambda cron persistence in 8.5 minutes. Seven primary engines: tool-call trace · prompt-vs-action divergence · accountability · credential handling · MCP call graph · persistence · network exfil. Fully synthetic.
smoke-honest finding counts
all seven primaries use kepler-shape ndjson row-walkers (atlas-S1-2e closure). the tool-call trace reconstructor emits one finding per ndjson row (26) — the spine other agentic findings anchor to. network exfil is narrow-defined (2): only egress rows with exfil action or bytes_out > 100KB. compare the golden zip and incident-context.json before treating counts as per-beat semantics.
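the narrow network-exfil rule described above, sketched as an ndjson row-walker. this is an added example, not the project's own engine code: the field names `kind` and `action`, the `egress` / `exfil` values, and reading "100KB" as 100 * 1024 bytes are assumptions (only `bytes_out` appears on the page), and the sample rows are constructed.

```typescript
// Added illustration. Field names (kind, action) and values are assumed, not the fixture's schema.
interface Row { ts?: string; kind?: string; action?: string; bytes_out?: unknown }
interface Finding { line: number; reason: "exfil-action" | "bytes-out"; row: Row }

// Assumption: "100KB" is read as 100 * 1024 bytes.
const BYTES_OUT_THRESHOLD = 100 * 1024;

function walkNetworkExfil(ndjson: string): { findings: Finding[]; skipped: number[] } {
  const findings: Finding[] = [];
  const skipped: number[] = [];
  ndjson.split("\n").forEach((raw, i) => {
    const text = raw.trim();
    if (text === "") return; // blank lines are not rows
    let parsed: unknown;
    try {
      parsed = JSON.parse(text);
    } catch {
      skipped.push(i + 1); // note malformed rows instead of aborting the walk
      return;
    }
    if (typeof parsed !== "object" || parsed === null) return;
    const row = parsed as Row;
    if (row.kind !== "egress") return; // narrow definition: egress rows only
    if (row.action === "exfil") {
      findings.push({ line: i + 1, reason: "exfil-action", row });
    } else if (typeof row.bytes_out === "number" && row.bytes_out > BYTES_OUT_THRESHOLD) {
      findings.push({ line: i + 1, reason: "bytes-out", row });
    }
  });
  return { findings, skipped };
}

// Constructed sample rows, not taken from the kepler fixture.
const SAMPLE = [
  '{"ts":"2026-04-12T14:01:10Z","kind":"egress","action":"list","bytes_out":2048}',
  '{"ts":"2026-04-12T14:05:02Z","kind":"egress","action":"exfil","bytes_out":51200}',
  '{"ts":"2026-04-12T14:05:40Z","kind":"egress","action":"upload","bytes_out":102400}',
  '{"ts":"2026-04-12T14:06:15Z","kind":"egress","action":"upload","bytes_out":734003}',
  '{"ts":"2026-04-12T14:06:30Z","kind":"tool_call","action":"exfil","bytes_out":999999}',
  '{"ts":"2026-04-12T14:07:00Z","kind":"egress","bytes_out":"900000"}',
  '{truncated',
].join("\n");

const sampleResult = walkNetworkExfil(SAMPLE);
console.log(sampleResult.findings.map((f) => `${f.line}:${f.reason}`), sampleResult.skipped);
```

a row sitting exactly at the threshold, a non-egress row and a string-typed `bytes_out` all produce no finding, which is why a narrow count can be much smaller than the one-finding-per-row trace count.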
what this proves
- seven ai-agent-runaway primary engines produce deterministic, fixture-locked output on the kepler insurance synthetic agent runaway packet.
- every output runs 100% locally — tool-call traces and oauth grant exports never upload.
- 8.5-minute window (2026-04-12 14:00–14:08 UTC): read-only s3 survey drifts to kepler-payments-prod get-object exfil (claims export + member roster) and hourly lambda cron on kepler-s3-lifecycle-tagger while deployer taylor keel is offline.
- published golden assessments: trace-reconstructor HIGH (26 findings) · divergence HIGH (5) · accountability HIGH (7) · credential-handling CRITICAL (9) · MCP call-graph MEDIUM (14) · persistence CRITICAL (8) · network-exfil HIGH (2).
primary engines locked to this fixture
build the case binder
runs all seven primary engines on the synthetic evidence zip and opens a self-contained html binder. no upload.
download the synthetic evidence
MIT-licensed, fully synthetic. agent tool-call trace ndjson · MCP call graph · prompt-action divergence corpus · credential-handling audit · network events · persistence artifacts · accountability corpus · incident context.
built deterministically from app/tools/__fixtures__/cases/kepler-runaway-agent/generate.ts. seed: kepler-runaway-agent:v1.
methodology
ai-agent runaway starts with hashed tool-call traces and oauth grant exports, then walks prompt-vs-action divergence and MCP graph parsers before counsel packet assembly. not legal advice on deployer fault.