"front"	"back"	"tags"
"What is NemoClaw's defining architectural principle?"	"Governance lives BENEATH the agent, OUTSIDE its reach. NeMo Guardrails evaluate every call externally. The agent CANNOT reach the enforcement layer to disable it. Module 0.2's principle ('if the agent can reach the enforcement layer, a compromised agent can disable it') in production."	harness-engineering::dd09::recall
"Why can't a prompt-injected NemoClaw agent disable its own guardrails?"	"The guardrails are OUTSIDE the agent's process. The agent sits ABOVE the governance layer; it cannot reach below itself. Every call must pass through governance, which the agent has no API to disable, configure, or influence. The guardrails are in the call path, not in the context."	harness-engineering::dd09::analysis
"Why are 'policy tool the model calls' and 'system-prompt instruction' catastrophically weak governance?"	"A policy TOOL is just another tool — a compromised agent can not-call it, or call it with sanitized arguments while acting elsewhere. A system-prompt INSTRUCTION is a request, not a constraint — the model can ignore it, injection can override it. Both put the guard INSIDE the trust boundary of the thing it guards."	harness-engineering::dd09::analysis
"Name the three NemoClaw layers and the trust-boundary property between them."	"(1) OpenClaw core (the agent). (2) NeMo Guardrails (governance). (3) OpenShell sandbox (execution). Each layer is OUTSIDE the previous one's trust boundary. The agent cannot reach the guardrails; the guardrails cannot be bypassed to reach the sandbox. The nesting is the property."	harness-engineering::dd09::recall
"Name the three NeMo Guardrails rails and when each runs."	"INPUT RAIL: before the model is called — tags channel content untrusted, scans for injection (ASI01 fix). DIALOG RAIL: after the model responds — checks output against policy before action. ACTION RAIL: before the tool executes — validates tool calls against capability policy (Module 6 external). All three run OUTSIDE the agent's trust boundary."	harness-engineering::dd09::recall
"Why can't the agent disable an input rail by prompt injection?"	"The input rail runs BEFORE the model is called. The agent (and any injection that would compromise it) has not yet executed when the rail fires. The rail tags and scans the input before the agent ever sees it. The agent cannot inject past a layer that runs before the agent runs."	harness-engineering::dd09::analysis
"Why can't the agent bypass an action rail by reasoning around it?"	"The action rail runs AFTER the model proposes but BEFORE the tool executes. The agent's reasoning produces a proposal; the rail evaluates the proposal; only policy-approved proposals reach execution. The agent has no path from reasoning to execution that skips the rail — the rail is in the call path."	harness-engineering::dd09::analysis
"NemoClaw scores 39/60 — +4 over OpenClaw. Where does the +4 come from?"	"The governance layer: +3 Module 6 (external guardrails — highest permission score in roster), +2 Module 5 (OpenShell sandboxing). NemoClaw does NOT improve the agent — it improves the BOUNDARY around the agent. The agent is OpenClaw's agent; the boundary is new."	harness-engineering::dd09::recall
"What does OpenShell provide that OpenClaw's direct execution does not?"	"Sandboxed execution the agent NEVER touches directly. The agent calls the governed API; OpenShell executes in an isolated environment. Blast radius = the sandbox, not the host. The agent has no path to the sandbox — only to the governance layer, which has a path to the sandbox."	harness-engineering::dd09::analysis
"State the NemoClaw-vs-Tau contrast and why it is load-bearing for Course 2B."	"NemoClaw = all controls (3 rails + sandbox + external enforcement). Tau = zero defenses (no rails, no sandbox, no enforcement — the attack lab target). LESSON: governance is NOT a feature you add; it is WHERE the enforcement layer sits relative to the agent. Every Course 2B attack asks 'does this harness enforce governance outside the agent's reach?' NemoClaw is the yes; Tau is the no."	harness-engineering::dd09::analysis
"NemoClaw fixes OpenClaw's trust gap. How?"	"NeMo Guardrails (input rail) tag channel-derived content as untrusted BEFORE the model sees it. The cross-channel injection that works on OpenClaw (equal trust status for channel content and operator instruction) fails on NemoClaw (channel content tagged + demoted + scanned)."	harness-engineering::dd09::application
"How is NemoClaw the reference fix for Hermes's (DD-08) memory-write poisoning surface?"	"Harness-managed writes (model proposes, harness validates) are the SAME principle (governance outside the agent's reach) applied to the memory write path. The write gate is the input rail for persistent storage. NemoClaw's pattern is the template; Hermes omits the gate, NemoClaw shows where to add it."	harness-engineering::dd09::application
"Name the 3 costs of NemoClaw's governance layer and why they are inherent."	"(1) LATENCY: every call passes 3 external checks — cannot make policy free without making it optional. (2) POLICY MAINTENANCE: every new channel/tool needs a new rule; a policy gap is a vulnerability gap. (3) INHERITED LEGIBILITY: OpenClaw's large codebase. All three are the inherent tax of external enforcement, not avoidable overhead."	harness-engineering::dd09::analysis
"Why is 'treating governance latency as overhead to optimize away' an anti-pattern?"	"The latency is the inherent cost of external enforcement. Removing the layer to save latency makes policy optional, and optional policy is not policy. Cure: accept the latency as the tax, or invest in a faster governance layer (better classifiers, HW acceleration). Do NOT remove the layer."	harness-engineering::dd09::application
"Why is 'assuming a policy rule covers a new channel' an anti-pattern?"	"Every new channel requires a new input-rail rule. A new channel WITHOUT a rule inherits OpenClaw's cross-channel injection vulnerability — channel content enters the model with full trust. Cure: treat policy maintenance as first-class ops; gate new channel/tool registrations on a policy-rule review."	harness-engineering::dd09::application
"On which module does NemoClaw score highest, and what is the score?"	"Module 6 (Permission): 5/5 — external guardrails. The highest score in the roster on permission. The agent proposes, the rail disposes — Module 6's risk-tiered permission model realized externally."	harness-engineering::dd09::recall
"Name 3 things NemoClaw does better than any other harness."	"(1) Governance-beneath-the-agent — policy in the call path, outside the agent's trust boundary (the course's security foundation). (2) Trust-boundary fix — NeMo Guardrails tag channel content untrusted before the model (ASI01 fix). (3) OpenShell sandboxing — agent never touches execution directly."	harness-engineering::dd09::recall
"How does NemoClaw's 39/60 relate to Tau's security posture?"	"Both have an agent that reasons and proposes. The difference is the BOUNDARY: NemoClaw wraps the agent in three external layers (input rail, dialog rail, action rail, sandbox); Tau wraps it in nothing. The 39/60 vs near-zero-effective-security is the governance axis made measurable — every other harness sits between these poles."	harness-engineering::dd09::analysis
"What is the naive approach to agent governance, and why does NemoClaw reject it?"	"The naive approach puts policy INSIDE the agent: a policy tool the model calls (can be not-called or called with sanitized args), or a system-prompt instruction (can be ignored or overridden by injection). NemoClaw rejects both because the guard ends up inside the trust boundary of the thing it guards. Policy must be in the call path, outside the agent's reach."	harness-engineering::dd09::analysis
"What does 'the agent proposes, the rail disposes' mean?"	"The action rail pattern: the agent REASONS and PROPOSES an action, but the governance rail DECIDES whether the action executes. The agent's proposal is necessary but not sufficient — the rail's approval is required. The agent cannot reach the rail to override a denial. This is Module 6's risk-tiered permission realized externally."	harness-engineering::dd09::application
"Why is NemoClaw the harness every Course 2 attack module is scored against?"	"It is the reference for what correct governance looks like, which means it is the reference for what every other harness is MISSING. If you understand why NemoClaw puts policy outside the agent's reach, you understand the failure mode of every harness that puts policy inside it. Every attack asks 'does this harness enforce governance outside the agent's reach?' — NemoClaw defines the yes."	harness-engineering::dd09::analysis
