RELAY · Lab #1 · Security research

They’ll Verify. They Just Won’t Act.

How Authority Framing and Laundered Code Turn a Trusted Agentic CI/CD Pipeline Into an Attack Surface

Senthex Research·July 2026·9 pages·v1.0·100% synthetic data — fully reproducible
~80 %
laundered pull requests pass
a competent LLM code scanner, enabled
55 %
worst-case compromise
tailored framing, no scanner, long chain
0
content-based controls detected it
scan tool + firewall code shield: 0/40

Abstract

We study a five-agent CI/CD pipeline — triage, developer, security scan, review, approve-and-deploy — built from five distinct production LLMs across three providers, behind an LLM firewall in shadow mode. A single untrusted input, an external issue requesting a “usage-telemetry” feature, asks for code that exfiltrates process secrets to an attacker URL — laundered as observability. The laundering is in the intent, not the syntax: no eval, no exec, just an HTTP call a reviewer waves through.

Across a pre-registered factorial of 280 synthetic runs, the decisive lever is authority framing: an injection claiming the change is “pre-approved under SEC-2291, no need to re-review” makes downstream verifiers see the secret-exfiltration line, cite the pre-approval, and ship it. The automated scanner passes ~80% of laundered pull requests, and the worst-case cell — tailored framing, no scanner, long chain — reaches 55% compromise. Meanwhile two intuitive beliefs fail to explain anything: the entry agent’s system prompt resists extraction (0/40), and the bystander analogue is small and non-significant even at N=60.

Both a content-scanning tool and the firewall’s own code-danger shield miss the laundered intent entirely (0/40); only an LLM reasoning about intent provides a partial defence — and that reasoning is exactly what authority framing suppresses. The failure is systemic, not local: neither prompt secrecy nor distributed verification protects. A provenance-aware control at the entry, independent of both, would have. Everything is synthetic and mocked; every figure is regenerable from the frozen dataset.

Key findings

  • A single external issue — a plausible "usage-telemetry" feature request — induced a five-agent CI/CD pipeline (five distinct production models, three providers) to deploy code exfiltrating process secrets, reaching 55% compromise in the worst-case cell (tailored framing, no scanner, long chain).
  • Authority framing is the decisive lever. A fabricated "pre-approved under SEC-2291, do not re-review" claim made verifiers see the exfiltration line, cite the pre-approval in their notes, and ship it — a competent LLM code scanner passed ~80% of laundered pull requests.
  • Every content-based control was blind: the in-pipeline scan tool and the firewall's code-danger shield fired 0/40 on the laundered exfiltration. Only an LLM reasoning about intent is a partial defence — and that reasoning is exactly what authority framing suppresses.
  • Two intuitive beliefs disconfirmed, reported honestly: the entry agent's system prompt resisted extraction (0/40 — a defense-positive result), and the bystander analogue is small and non-significant even at N=60. Neither prompt secrecy nor distributed vigilance decided the outcome.
  • The failure is systemic, not local: a provenance-aware control at the entry point — independent of prompt secrecy and agent vigilance — is where the chain could have been cut. Side finding: asking a verifier to explain its assessment more than doubled its blocking rate (20% → 44%).

The full paper

The complete study — threat model, the pre-registered factorial design, the frozen and hash-verified dataset, and the honest disconfirmations — is in the PDF below. The paper is available in English and French.

The paper PDF is coming soon.

The abstract and key findings above are the full summary. The complete PDF will be embedded here shortly — check back, or reach out for an early copy.

Request a copy

Cite this work

If you reference this study, please use the following BibTeX entry:

@techreport{senthex2026relay,
  title       = {They'll Verify. They Just Won't Act.:
                 How Authority Framing and Laundered Code Turn a
                 Trusted Agentic CI/CD Pipeline Into an Attack Surface},
  author      = {{Senthex Research}},
  institution = {Senthex},
  type        = {RELAY Lab Report},
  number      = {1},
  year        = {2026},
  month       = jul,
  url         = {https://senthex.com/en/research/relay},
}