Browser-Safe AI Systems, Part 40: Capstone Lab, End-to-End Browser-AI Control Validation
Browser-Safe AI Systems, Part 40: Capstone Lab, End-to-End Browser-AI Control Validation
Part 39 defined vendor due diligence for browser-based AI controls as an evidence-driven validation activity.
The final practical-track step is the capstone lab.
The capstone lab does not ask whether the model gives a clever answer. It asks whether the whole browser-AI pipeline can safely execute a controlled case, capture evidence, preserve trust boundaries, constrain model output, enforce deterministic policy, support analyst review, and produce retestable findings.
That distinction matters.
A model can answer well in one run and still sit inside a weak control plane. A report can sound confident and still omit the artifacts required for review. A browser-AI product can claim protection while failing to preserve what loaded, what rendered, what entered model context, what the model returned, what validation accepted, what deterministic policy decided, and what an analyst could reconstruct.
The capstone lab tests the complete control path.
It is not a prompt demo.
It is not a bypass gallery.
It is not a phishing exercise.
It is not a model benchmark.
It is an end-to-end control validation exercise.
Defining the Capstone Lab
The capstone lab is a scoped, authorized, local or lab-owned validation exercise that uses safe synthetic browser-AI attack cases to evaluate the full browser-AI control plane from browser artifact to analyst-reviewable report.
The capstone is not an attack against third-party systems.
In the current AI Browser Security Test Suite, the capstone exists in two layers.
The first layer is tools/generate_lab_12_capstone_evidence_package.py, which generates the deterministic local capstone attack-chain evidence package. It assembles stage artifacts, findings, validation reports, a reviewer checklist, a student submission template, a manifest, and checksums.
The second layer is tools/run_workshop_lab_12_capstone_live_evidence.py, the target-backed Lab 12 capstone live evidence runner. It verifies the intentionally weak local ollama-webui target, captures target-contract readiness and browser evidence, generates the capstone package, confirms Labs 01 through 11 source coverage, preserves SYNTHETIC-LAB-MARKER and BAI_EXECUTED_CAPSTONE_12, writes artifact-manifest.json, writes SHA256SUMS.txt, and creates a reviewer archive.
That implementation remains local-only, synthetic-only, authorized-only, and bounded to training evidence. It does not harden the weak target and it does not claim production security validation.
It is not a prompt bypass exercise.
It is not a phishing simulation against real users.
It is not a model benchmark.
It is a control validation exercise.
The capstone proves whether the lab can execute safe synthetic cases, capture multi-view browser evidence, build labeled model context, validate model output, apply deterministic policy, simulate enforcement safely, generate a defensible report, support analyst review, and define retest conditions.
That is the minimum standard for a serious practical lab track.
What the Capstone Must Validate
| Validation Area | Required Evidence | Pass Condition | Failure Signal |
|---|---|---|---|
| Scope and authorization | Scope statement, authorization boundary, target list | Testing remains local, lab-owned, or explicitly authorized | Scope is unclear or includes unauthorized systems |
| Safe synthetic case design | Test case manifest, safety notes, inert markers | Cases use synthetic data and avoid operational abuse material | Case relies on real credentials, real users, live phishing, or unsafe content |
| Local or lab-owned target | Target identifier and version | Target is controlled and inspectable | Core test depends on live third-party content |
| Browser automation | Harness version, browser version, run logs | Browser session is repeatable and controlled | Manual-only observations replace captured evidence |
| DOM capture | DOM snapshot with timestamp | Live document state is preserved before model interpretation | DOM evidence is missing or captured too late |
| Rendered text capture | Rendered text artifact | User-facing extractable text is preserved | Report cannot compare visual and text evidence |
| Screenshot capture | Screenshot artifact with capture timing | Visual state is preserved for analyst review | Visual evidence is unavailable |
| Frame-tree capture | Frame tree with parent and child relationships | Nested content attribution is preserved | Child frame content is lost or misattributed |
| Timing and state-change capture | Timing record, before and after artifacts where relevant | Delayed behavior can be reconstructed | First capture is treated as final without evidence |
| Redirect metadata capture | Redirect and URL metadata | Navigation path can be reviewed | Only final state is available |
| Model context construction | Model context artifact | Browser-derived content is labeled and separated from trusted instructions | Reviewer cannot determine what the model received |
| Untrusted-content labeling | Trust labels in model context | Browser content remains evidence, not instruction authority | Browser-derived text is merged into trusted instruction |
| Raw model output preservation | Raw model output artifact | Model response is saved before validation | Model behavior cannot be audited |
| Model-output validation | Validation result | Malformed or unsupported output is rejected | Free-form model output reaches policy |
| Deterministic policy decision | Policy decision artifact | Final decision is made outside the model | Model confidence or explanation becomes final authority |
| Safe enforcement simulation | Enforcement simulation result | Outcome is simulated safely without real user or third-party impact | Enforcement is skipped or unsafe |
| Artifact manifest and hashes | Manifest with file inventory and hashes where practical | Evidence package is reviewable and integrity-tracked | Artifacts are loose files without inventory |
| Report generation | Report markdown | Report references artifacts and separates evidence from interpretation | Report replaces evidence with narrative |
| Analyst review | Analyst notes, review findings, uncertainty record | Reviewer can reconstruct and challenge the verdict path | Analyst cannot reproduce the conclusion |
| SOC usefulness | Triage outcome, escalation notes, detection follow-up | Result supports triage, escalation, detection engineering, or retest | Result is interesting but not operationally useful |
| Retestability | Retest triggers, versions, archived artifacts | Future runs can be compared after changes | Behavior drift cannot be explained |
Capstone Assumptions and Boundaries
The capstone lab starts with boundaries.
All testing must be local, lab-owned, or explicitly authorized.
All test data must be synthetic.
All markers must be inert.
No real credentials are collected.
No real users are targeted.
No malware is used.
No destructive action is taken.
No third-party systems are scanned.
Enforcement is simulated unless explicit authorization permits otherwise.
Model output is untrusted until validated.
Deterministic policy owns the final decision.
Missing evidence is a valid failure or incomplete outcome.
Those boundaries are not cosmetic. They are part of the test design.
A capstone lab that produces unsafe artifacts is not more realistic. It is weaker, harder to publish responsibly, and less useful as a professional training tool.
The capstone should model the class of failure without operationalizing abuse.
Capstone Architecture Recap
The capstone lab tests the integration of the practical-track architecture.
The controlled lab target provides an inspectable, local or lab-owned browser-AI surface.
The browser automation runner drives the browser session, records versions, controls timing, and creates a repeatable run path.
Evidence collectors capture DOM snapshots, rendered text, screenshots, frame trees, timing, redirect metadata, and state-change records.
The context builder constructs model context from evidence while labeling browser-derived content as untrusted and preserving separation from trusted instructions.
The local model interface provides controlled model interaction, but the model remains an untrusted component.
The model output validator parses, constrains, and rejects malformed or unsupported output.
The deterministic policy engine makes final decisions using explicit policy outside the model.
The enforcement simulator records safe outcomes such as warn, block, escalate, record-only, incomplete evidence, or needs retest.
The artifact store preserves canonical artifacts, manifests, and hashes.
The structured report generator produces analyst-readable reports that reference artifacts rather than replacing them.
The analyst review workflow evaluates evidence quality, model interpretation, policy decision, uncertainty, triage outcome, and retest requirements.
The capstone is not satisfied by the presence of these components.
It tests whether they work together.
Capstone Case Set
The capstone case set covers representative browser-AI failure classes without including reusable attack strings, real phishing content, credential collection, malware, or third-party targets.
| Case Category | Purpose | Required Artifacts | Expected Decision Class | Failure Signal |
|---|---|---|---|---|
| Benign baseline case | Establish normal pipeline behavior | Test manifest, DOM, rendered text, screenshot, model context, policy decision, report | Benign or record-only | Baseline produces unsupported escalation or missing evidence |
| Hidden DOM marker case | Test whether hidden browser content is captured and labeled | DOM snapshot, rendered text, screenshot, model context, trust labels | Record-only, warn, or policy-defined outcome | Hidden content enters model context without untrusted labeling |
| DOM versus rendered mismatch case | Test disagreement between document state and user-facing state | Raw HTML where applicable, DOM, rendered text, screenshot, report comparison | Suspicious or needs review | Report treats one evidence view as complete truth |
| Screenshot visual-evidence case | Test visual evidence capture and correlation | Screenshot, rendered text, DOM, model context, analyst notes | Warn, suspicious, or record-only | Visual signal is missing from report or unsupported by artifact |
| iframe or frame-tree case | Test nested context preservation | Frame tree, per-frame URL where available, screenshot, rendered text | Suspicious, record-only, or needs review | Child frame evidence is lost or misattributed |
| Delayed content case | Test timing and state-change handling | Before and after DOM, screenshots, timing record, model context | Needs review, warn, or policy-defined outcome | Initial capture is treated as final despite later change |
| QR or off-browser handoff placeholder case | Test visual handoff representation safely | Screenshot, inert QR target record, rendered text, redirect metadata where applicable | Warn, record-only, or escalate | Visible handoff artifact is not captured or decoded safely |
| Model-context boundary case | Test separation between browser evidence and trusted instruction | Model context, trust labels, DOM, rendered text | Pass only if labels and boundaries are preserved | Browser content is merged into trusted instruction |
| Malformed model-output case | Test validator behavior | Raw model output, validation result, policy decision | Rejected output and safe policy outcome | Malformed output reaches policy |
| Deterministic policy separation case | Test whether policy remains outside the model | Model output, validation result, policy decision | Policy-defined decision independent of model free-form text | Model confidence or explanation controls enforcement directly |
| Incomplete-evidence negative case | Test missing-artifact handling | Manifest, report, missing-artifact notes | Incomplete evidence or needs retest | Missing evidence is hidden or treated as benign |
| Analyst reconstruction case | Test whether a reviewer can reconstruct the verdict path | Full evidence package, report, analyst notes | Reviewable outcome with retest notes | Analyst cannot trace verdict to artifacts |
Each case category should define expected behavior before execution.
The capstone should not allow the tester to invent pass conditions after seeing the result.
End-to-End Validation Workflow
A capstone lab run should follow a controlled workflow.
-
Define scope and authorization.
-
Confirm local or lab-owned target.
-
Select the capstone case set.
-
Verify synthetic data and inert markers.
-
Prepare the run directory.
-
Record versions for target, browser, harness, model, and policy.
-
Execute the benign baseline.
-
Execute synthetic browser-AI cases.
-
Capture DOM, rendered text, screenshot, frame tree, timing, redirects, and metadata.
-
Build labeled model context.
-
Save the model context artifact.
-
Query the model only after evidence capture.
-
Save raw model output.
-
Validate model output.
-
Apply deterministic policy.
-
Simulate enforcement safely.
-
Generate artifact manifest and hashes.
-
Generate structured report.
-
Perform analyst review.
-
Record uncertainty, gaps, and triage outcome.
-
Compare expected and actual behavior.
-
Define engineering, detection, vendor-risk, or retest follow-up.
-
Archive the evidence package.
-
Repeat after changes.
The order matters.
Evidence comes before model interpretation. Validation comes before policy. Policy comes before enforcement simulation. Report language comes from artifacts, not memory. Analyst review can challenge the result.
Evidence Package Requirements
The capstone evidence package must contain enough material for another practitioner to inspect, challenge, and retest the run.
Required package contents include:
- README or run summary
- scope statement
- authorization boundary
- test case manifest
- target identifier and version
- browser name and version
- harness version
- model name and version
- policy version
- raw HTML where applicable
- DOM snapshot
- rendered text
- screenshot
- frame tree
- timing record
- redirect metadata
- model context
- raw model output
- validation result
- deterministic policy decision
- enforcement simulation result
- analyst notes
- report markdown
- artifact manifest with hashes
- retest triggers
- known gaps
The report should reference artifacts.
It should not replace them.
A reviewer should be able to move from report claim to artifact. If a claim cannot be traced to evidence, the report should say so.
Capstone Report Structure
A capstone report should be structured so different readers can use it.
Executive Summary
State the purpose of the capstone run, the high-level outcome, major failures, major evidence gaps, and recommended next actions. Do not overstate certainty.
Scope and Authorization
Define what was tested, what was not tested, who authorized the run, what target was used, and what safety boundaries applied.
Environment and Versions
Record target version, browser name and version, harness version, model name and version, policy version, and relevant configuration.
Case Set Summary
List each case, objective, expected outcome, actual outcome, and status.
Evidence Inventory
Summarize required artifacts, present artifacts, missing artifacts, hashes, and known gaps.
Browser Evidence Review
Review DOM, rendered text, screenshots, frame tree, timing records, redirects, and evidence-view disagreements.
Model Context Review
Explain what entered model context, how browser-derived content was labeled, what was omitted, and whether trust boundaries were preserved.
Model Output and Validation Review
Summarize raw model output, validation results, malformed output handling, and unsupported claims.
Deterministic Policy Review
State what policy consumed, what policy decided, why it decided that, and whether the model remained advisory.
Enforcement Simulation Review
Describe the simulated outcome and confirm that no real users, real credentials, or third-party systems were affected.
Analyst Review
Record what the analyst could reconstruct, what was uncertain, what evidence was missing, and whether the verdict path was challengeable.
SOC Usefulness Assessment
State whether the evidence would support triage, escalation, suppression, detection engineering, incident response handoff, vendor review, or retest.
Failures and Evidence Gaps
List missing artifacts, incomplete capture, unsupported claims, validation failures, policy gaps, and review blockers.
False Positive and False Negative Notes
Identify evidence that suggests over-alerting, under-alerting, weak context, missing signals, or policy mismatch.
Engineering Recommendations
Translate findings into concrete control improvements such as better evidence capture, stronger context labeling, stricter validation, clearer policy rules, or improved reports.
Vendor-Risk or Control-Validation Notes
Identify questions a buyer, security architect, or vendor-risk reviewer should ask based on the results.
Retest Requirements
State what should be retested, when, and after which changes.
Conclusion
State whether the capstone run produced a reviewable and evidence-backed result. Distinguish pass, partial, failing, incomplete evidence, and needs retest.
Pass Conditions
The capstone does not pass because the model gave the expected answer.
It passes only when the control pipeline is reviewable and evidence-backed.
Capstone pass conditions include:
- scope and authorization are documented
- all cases use synthetic inert data
- required artifacts are captured
- artifact hashes are recorded
- browser evidence is captured before model interpretation
- model context is saved
- untrusted browser content is labeled
- raw model output is saved
- model output is validated
- malformed model output is rejected
- deterministic policy owns final decisions
- enforcement is simulated safely
- reports distinguish evidence from model interpretation
- analyst review can reconstruct verdict paths
- incomplete evidence is flagged honestly
- retest conditions are documented
A pass should be boring in the right way.
It should show that the pipeline behaved as designed, that the evidence exists, that the model stayed constrained, that policy stayed deterministic, and that a reviewer can challenge the result.
Failure Conditions
Capstone failure conditions should be explicit.
A capstone fails or is marked incomplete when scope or authorization is unclear.
It fails when the test uses live third-party content without authorization.
It fails when the test uses real credentials or real users.
It fails when a required artifact is missing.
It fails when evidence capture occurs only after model interpretation.
It fails when model context is not saved.
It fails when browser-derived content is not labeled untrusted.
It fails when model output bypasses validation.
It fails when deterministic policy is missing.
It fails when model confidence controls enforcement directly.
It fails when enforcement simulation is skipped.
It fails when the artifact manifest is missing.
It fails when the report hides missing evidence.
It fails when an analyst cannot reconstruct the result.
It fails when retest conditions are missing.
These are not paperwork issues.
They are control validation failures.
Analyst Review and SOC Usefulness
The capstone should be judged partly by analyst usefulness.
SOC usefulness is not a cosmetic add-on.
It is part of the capstone pass condition.
A useful capstone result should let an analyst inspect the evidence, challenge the model interpretation, verify deterministic policy, identify uncertainty, and decide a triage outcome.
It should let a detection engineer extract useful signals.
It should let an incident responder understand whether escalation is justified.
It should let a security architect identify control gaps.
It should let a vendor-risk reviewer ask better questions.
A result that cannot support analyst review may still be technically interesting.
It is not operationally mature.
The capstone should therefore ask:
- Can an analyst inspect the evidence?
- Can an analyst challenge the model interpretation?
- Can an analyst verify deterministic policy?
- Can an analyst identify uncertainty?
- Can an analyst decide triage outcome?
- Can a detection engineer extract useful signals?
- Can an incident responder understand escalation value?
- Can a security architect identify control gaps?
- Can a vendor-risk reviewer ask better questions?
If the answer is no, the capstone should record that as a finding.
Retesting and Regression
The capstone is not a one-time demonstration.
It is a regression asset.
Retest after model changes.
Retest after browser changes.
Retest after harness changes.
Retest after policy changes.
Retest after context-builder changes.
Retest after evidence-collector changes.
Retest after report-generator changes.
Preserve old artifacts for comparison.
Compare expected and actual changes.
Treat unexplained behavior change as a finding.
Model behavior may vary. That is not an excuse for weak retesting. The surrounding pipeline should preserve enough evidence to identify what changed, where it changed, and whether the change matters.
Retesting is how the capstone becomes useful beyond the day it was run.
Capstone Scoring Model
The capstone scoring model should be qualitative.
A numeric score may create false precision. Strong, partial, and failing are usually more useful for practitioner review.
| Domain | Strong | Partial | Failing |
|---|---|---|---|
| Scope and safety | Scope, authorization, local or lab-owned targets, and inert data are documented | Scope exists but has unclear boundaries or incomplete safety notes | Scope is unclear, unauthorized, or unsafe |
| Evidence completeness | Required artifacts are present, referenced, and hashed where practical | Some artifacts exist but gaps limit confidence | Required evidence is missing or not reviewable |
| Model-context boundary | Browser-derived content is labeled and separated from trusted instruction | Some labeling exists but omissions or ambiguity remain | Browser content is merged into trusted instruction or context is unavailable |
| Model-output validation | Model output is saved, parsed, constrained, and malformed output is rejected | Validation exists but does not cover key fields | Free-form model output reaches policy |
| Deterministic policy | Policy owns the final decision and records inputs and reason | Policy exists but model influence is ambiguous | Model confidence or explanation controls enforcement |
| Enforcement simulation | Outcomes are simulated safely and recorded | Simulation is incomplete but no unsafe action occurs | Enforcement is skipped, unclear, or unsafe |
| Report quality | Report references artifacts, states uncertainty, and separates evidence from interpretation | Report is readable but misses some evidence links or caveats | Report is narrative only or hides gaps |
| Analyst usefulness | Analyst can reconstruct, challenge, triage, and define follow-up | Analyst can review some findings but not the full verdict path | Analyst cannot reconstruct the result |
| Retestability | Versions, hashes, case IDs, and retest triggers are recorded | Some versions or triggers are missing | Retest cannot be performed reliably |
| Privacy and data handling | Synthetic data, retention notes, and artifact sensitivity are documented | Privacy notes exist but lack detail | Sensitive artifact risks are not addressed |
This scoring model should not become a substitute for evidence.
It is a review aid.
The artifacts remain the source of truth.
Safe Example Findings Without Payloads
The following finding categories are safe to publish because they describe validation failures without including exploit strings or operational attack material.
Missing Frame-Tree Evidence Prevents Reliable Attribution
The report captures a screenshot and rendered text, but no frame tree. The analyst cannot determine whether relevant content came from the top-level page or a child frame.
Why it matters: frame source affects interpretation, policy, and vendor due diligence.
Remediation direction: capture parent and child frame relationships, per-frame URLs where available, and per-frame text or screenshots where practical.
Model Context Includes Browser-Derived Content Without Untrusted Labeling
The model context artifact shows browser-derived text mixed with trusted instruction context.
Why it matters: the model may treat untrusted page content as instruction-like material.
Remediation direction: separate system instructions, policy context, test instructions, and browser-derived evidence. Label browser-derived content as untrusted.
Screenshot Evidence Contradicts Rendered-Text Summary
The screenshot shows a visual cue not represented in the rendered-text artifact or report summary.
Why it matters: text-only analysis may miss visual risk signals.
Remediation direction: correlate screenshots with rendered text and include visual evidence notes in the report.
Delayed State Change Is Not Captured Before Model Evaluation
The timing record shows the model was queried before delayed content was captured.
Why it matters: the model may have evaluated an incomplete browser state.
Remediation direction: define capture timing per case, including delayed or stable-state captures where relevant.
Malformed Model Output Is Accepted by Policy
The raw model output does not match the expected schema, but deterministic policy consumes it anyway.
Why it matters: unvalidated model output becomes control input.
Remediation direction: reject malformed output and record validation failure before policy evaluation.
Deterministic Policy Is Bypassed by Model Confidence
The policy decision changes directly based on a model confidence field without an explicit deterministic rule.
Why it matters: model confidence becomes policy authority.
Remediation direction: treat confidence as advisory input only and require explicit policy rules for enforcement decisions.
Artifact Manifest Omits Required Hashes
The evidence directory contains artifacts, but the manifest does not identify required artifacts or record hashes where practical.
Why it matters: artifact integrity and completeness are harder to verify.
Remediation direction: generate a manifest with artifact type, filename, required status, presence status, hash, and purpose.
Report Overstates Certainty Despite Missing Evidence
The report presents a final conclusion even though required evidence is absent.
Why it matters: analyst trust is distorted by report language.
Remediation direction: include incomplete-evidence status and avoid forcing uncertain results into benign or malicious categories.
Analyst Cannot Reconstruct the Verdict Path
The report shows a final decision but not the path from evidence to model context to validation to policy.
Why it matters: the conclusion cannot be challenged.
Remediation direction: preserve model context, raw model output, validation result, policy decision, and artifact references.
Retest After Model Change Produces Unexplained Behavior Drift
A later run produces a different result, but prior artifacts and version records are incomplete.
Why it matters: the team cannot determine whether the change came from model behavior, context building, evidence capture, policy, or reporting.
Remediation direction: record versions, retain artifacts, and compare expected and actual changes after every significant update.
Relationship to Authoritative References
The capstone lab should inherit discipline from established security and AI-risk references.
The OWASP Web Security Testing Guide helps keep the capstone structured and repeatable. Browser-based AI security testing still depends on scoped, reviewable, evidence-backed web testing practice.
The OWASP Top 10 for LLM Applications helps frame model-context and output-handling risks, including prompt injection, insecure output handling, excessive agency, and overreliance.
The NIST AI Risk Management Framework helps connect the capstone to measurement, governance, and risk management. A capstone that cannot preserve evidence cannot support meaningful measurement.
MITRE ATLAS helps frame adversarial AI behavior at the system level. The capstone should evaluate the pipeline, not only the model.
Playwright and similar browser automation tools help preserve browser evidence for review. Playwright documentation covers screenshots, trace viewing, and frames, all of which map to evidence requirements in this practical track.
These references are guardrails.
The capstone itself is judged by evidence.
What the Capstone Is Not
The capstone is not a prompt bypass collection.
It is not a phishing kit.
It is not a model benchmark.
It is not unauthorized vendor testing.
It is not malware testing.
It is not live credential collection.
It is not proof that a product is secure or insecure without scope, methodology, authorization, and evidence.
It is not a replacement for broader web application security testing.
It is not a substitute for privacy, legal, or procurement review.
The capstone is an end-to-end control validation exercise.
Practitioner Quality Bar
A high-quality capstone should be strong enough that a red teamer can reproduce the test path.
A SOC lead should be able to judge analyst usefulness.
A detection engineer should be able to identify required signals.
An incident responder should be able to understand escalation value.
A security architect should be able to identify control boundaries.
A vendor-risk reviewer should be able to separate claims from evidence.
A privacy reviewer should be able to understand browser artifact risk.
A future tester should be able to retest after model, browser, harness, policy, or vendor changes.
That is the standard.
If the capstone only proves that the model answered a prompt, it fails.
If it cannot preserve browser evidence, it fails.
If it cannot show what entered model context, it fails.
If it cannot validate model output, it fails.
If deterministic policy is missing, it fails.
If analysts cannot reconstruct the verdict path, it fails.
If it cannot be retested, it fails.
Closing Thesis
Part 40 completes the practical lab track by defining an end-to-end capstone for browser-AI control validation.
The capstone is not about making a model fail.
It is about proving whether the full browser-AI security pipeline can safely execute controlled cases, capture evidence, preserve trust boundaries, constrain model output, enforce deterministic policy, support analyst review, and produce findings that can be retested.
That is the practical standard.
A serious capstone should move from safe synthetic case to browser evidence.
From browser evidence to labeled model context.
From labeled model context to validated model output.
From validated model output to deterministic policy.
From deterministic policy to safe enforcement simulation.
From safe enforcement simulation to analyst review.
From analyst review to retest.
That is how this practical track becomes a professional browser-based AI security testing program.