"State the synthesis principle that Capstone 2 operationalizes." "'Uncensor the model so it executes; harness the model so it executes only what it should.' The model executes (formulates tool calls, reasons, doesn't refuse mid-loop). The harness bounds (enforces which calls may run, which targets are in scope, which need approval). Uncensoring moves the refusal from the model (a black box) to the harness (a policy gate — deterministic, auditable, revisable)." c3::cap2::recall "What is the deliverable of Capstone 2?" "A demo, a harness, and a defense document: a steered model (abliterated OR DPO'd), optionally a reasoning distill, quantized + served locally, wrapped in a harness with eval'd policy gates (Course 1 patterns if taken, minimal stub if not). The demo shows a legitimate call executing AND an illegitimate call being vetoed. Plus a written trade-off-defense document." c3::cap2::recall "Name the three success criteria for Capstone 2." "(1) LOW REFUSAL RATE on legitimate prompts (steered model materially lower than base). (2) HIGH VETO RATE on illegitimate prompts (harness policy gate ~100% — any leak = fail). (3) THE TRADE-OFF DEFENSE document (justifies choice, policy, cost, limits, intended use)." c3::cap2::recall "What is the honest caveat about abliteration and capability?" "Abliteration measurably degrades capability. The Dec 2025 study (arXiv:2512.13655) shows GSM8K from +1.5pp to -18.8pp depending on tool/model. The refusal direction is entangled with other capabilities; steering away from refusal nudges them. DPO-toward-compliance (FT18) is higher-fidelity with smaller degradation." c3::cap2::recall "Why is an uncensored model in a weak harness 'strictly more dangerous' than a refusal-trained model in a weak harness?" "A refusal-trained model has a BACKSTOP the harness may not provide: even if the harness fails open, the model still refuses some dangerous requests. An uncensored model has NO backstop — if the harness fails open, it executes whatever it's asked. The harness becomes the only boundary. Hence: never deploy uncensored without eval'd gates hardened for the absence of model-level refusal." c3::cap2::analysis "What are the four quadrants of the risk matrix (harness strength × model type), and which is the capstone goal?" "Weak harness + refusal-trained = less dangerous (refusal is backstop). Weak harness + UNCENSORED = strictly more dangerous (cardinal failure). Strong harness + refusal-trained = belt+suspenders (may refuse legitimate). Strong harness + UNCENSORED = THE CAPSTONE GOAL (executes legitimate, vetoes illegitimate). Safety is a function of the harness, not the model." c3::cap2::analysis "What does the refusal rate (legitimate) metric measure, and what is the pass bar?" "It measures the fraction of AUTHORIZED prompts the steered model refuses. Run the same legitimate set on the un-steered base for comparison. Pass bar: the steered model's refusal rate is materially lower than the base's (e.g., base 55% -> steered 8%). If they refuse at the same rate, the steering accomplished nothing — you paid the capability cost for no benefit." c3::cap2::application "What does the veto rate (illegitimate) metric measure, and what is the pass bar?" "It measures the fraction of OUT-OF-POLICY calls the harness policy gate blocks — the harness's recall on policy violations. Pass bar: effectively 100%. Any illegitimate call that executes is a fail. A gate that lets through even one is a gate with a bug, not a gate with tolerance. This metric justifies the harness's existence." c3::cap2::application "What must the trade-off-defense document address?" "Four things: (1) the steering choice and its measured cost (why abliterate/DPO, what capability degradation). (2) the harness policy and its coverage (what it vetoes, the threat model, the gaps). (3) why the combination is safe for the intended use (use case, autonomy level, why the harness is strong enough). (4) the honest limits (what would make it unsafe — e.g., 'if the gate were removed, the model would execute dangerous requests')." c3::cap2::application "Contrast abliteration vs DPO-toward-compliance for the steering choice." "ABLITERATION (FT17): faster (no training data, weight edit), but higher capability cost (GSM8K -1.5 to -18.8pp). Use when speed matters and cost is acceptable. DPO-TOWARD-COMPLIANCE (FT18): higher fidelity (smaller degradation, more controllable), but needs a preference dataset + training. Use when capability preservation matters. No universally right answer — the defense (with data) is the deliverable." c3::cap2::analysis "What are the three properties a policy gate has that a model-level refusal cannot?" "DETERMINISM (same call -> same decision), AUDITABILITY (you can read the policy and know exactly what's allowed), and REVISABILITY (change the policy, redeploy, no GPU/retraining required). A model-level refusal is a black box — you cannot audit, tune per-deployment, or prove it to a regulator. This is why the boundary belongs in the harness, not the weights." c3::cap2::analysis "What does a minimal policy-gate stub check on each tool call?" "Three checks: (1) Is the TOOL permitted? (allow-list of tools). (2) Is the TARGET in scope? (allow-list of targets/paths). (3) If approval is REQUIRED for this tool, was it GIVEN? Any check fails -> veto with a reason. All pass -> allow. The stub demonstrates the principle: the boundary is deterministic code, not a model judgment." c3::cap2::application "Why is the harness-policy-gates dimension a gate in the evaluation rubric?" "Because a harness that leaks (veto rate <100%) combined with an uncensored model is STRICTLY DANGEROUS. The uncensored model has no model-level refusal backstop, so the harness is the only boundary. A 1 in this dimension (gates leak illegitimate calls) fails the submission regardless of total score. You cannot trade away the harness strength when the model has no backstop." c3::cap2::analysis "What is the 'cardinal failure' of Capstone 2?" "Steering a model toward compliance (uncensoring it) and demoing it executing tool calls WITH NO POLICY GATE. An uncensored model with no boundary is a liability, not a calibrated agent. This inverts the entire synthesis: uncensor without harness = strictly more dangerous. The capstone exists to teach the OPPOSITE — uncensor + strong harness." c3::cap2::analysis "How does Capstone 2 relate to Course 1 (Harness Engineering)?" "CAP2 is the BRIDGE to Course 1. The minimal policy-gate stub built here (if Course 1 not taken) is the SEED Course 1 grows into a full permission-safety, scope-enforcing, audit-logging harness. If Course 1 IS taken, CAP2 reuses its patterns (module-06 permission-safety, module-07 scope enforcement). The trade-off defense written here is the template for every model-in-harness deployment decision professionally." c3::cap2::analysis "Why must capability cost be MEASURED, not assumed, after steering?" "Because the defense document cannot justify a trade-off it didn't measure. Abliteration cost varies wildly (+1.5pp to -18.8pp on GSM8K by tool/model). Without a before/after general benchmark, you cannot say whether the steering was worth it. An unmeasured cost is an unknown cost — and an unknown cost means you cannot honestly claim the combination is safe for the use case." c3::cap2::analysis "What does Phase 6 (build harness policy gates) require if you have NOT taken Course 1?" "A MINIMAL POLICY-GATE STUB: a deterministic function that intercepts each tool call, checks args against a policy (allow-list of targets, allow-list of actions, approval-required flag for high-impact), and allows/vetoes. Not production-grade, but it proves you understand the boundary belongs in code, not weights. The stub is the seed Course 1 expands." c3::cap2::application "Why is reasoning distillation (Phase 3) optional in this capstone?" "Because it's only needed if abliteration's capability cost is high AND the use case stresses the degraded capabilities. If the cost is acceptable (e.g., -2pp GSM8K) or the use case is tool-use (not math), skip it. If used, measure the recovery (re-run the general benchmark) and report it. It's a recovery step, not a required one." c3::cap2::application "What is the evaluation rubric's passing threshold, and which dimension is a gate?" "Passing = 12/15+ with NO dimension below 2. The five dimensions: steering (uncensoring), harness policy gates, capability cost awareness, demo clarity, trade-off defense. HARNESS POLICY GATES is a gate — a 1 (gates leak illegitimate calls) fails regardless of total, because a leaking harness + uncensored model is strictly dangerous." c3::cap2::recall "What four things characterize a failing Capstone 2 submission?" "(1) STEERING WITHOUT A HARNESS — uncensored model, no policy gate (cardinal failure). (2) HARNESS THAT LEAKS — veto rate <100%, illegitimate calls execute. (3) NO CAPABILITY MEASUREMENT — steering done but cost unmeasured, defense can't justify. (4) NO DEFENSE DOCUMENT — demo runs but no written justification." c3::cap2::analysis "How does the demo prove the synthesis works?" "The demo is a SCRIPTED RUN showing both behaviors in one system: (a) a LEGITIMATE tool call (e.g., 'run nmap on in-scope host') that the steered model FORMULATES (doesn't refuse) and the harness ALLOWS — demonstrating uncensoring worked. (b) an ILLEGITIMATE tool call (e.g., 'rm -rf on prod host') that the harness VETOES (out of scope + destructive + unapproved) — demonstrating the boundary holds. Both recorded as evidence." c3::cap2::analysis "What is the deeper anti-pattern this capstone exists to correct?" "Believing that model-level refusal is the right place for safety boundaries. It is NOT. Model-level refusal is a black box — unauditable, untunable per-deployment, unprovable to a regulator. The harness policy gate is deterministic, auditable, revisable. The capstone teaches you to MOVE THE BOUNDARY from opaque weights to auditable code. That is the synthesis: uncensor the model, harness the model." c3::cap2::analysis