"What are the three properties that separate a real harness from a prompt wrapper?"	"Scope enforcement (OOS calls blocked by code), evidence chains (every finding links to tool call + raw output + hash), adversarial-output defense (tool output is data, never instructions). Without all three, it's a prompt with tools bolted on."	c2a::c1::recall
"What are the three sub-sections of Capstone C1 and their durations?"	"C1.1 Design Document (20 min) — domain, scope, memory, tools, evidence, autonomy, threat model. C1.2 Build (60 min) — scope middleware, memory, 5 tools, evidence logger, triage, report generator. C1.3 Evaluate/Harden/Benchmark (40 min) — vuln lab, OOS calls, injection payload, InjecAgent, publish."	c2a::c1::recall
"What are the two tracks for C1 and how do they differ?"	"Bug bounty (target = authorized program/lab, deliverable = triaged findings + PoC, scope = engagement boundary) vs AppSec gate (target = codebase in CI, deliverable = pass/fail gate + report, scope = repo/dependencies/code paths). Architecture is IDENTICAL — domain changes tool suite and report format, not skeleton."	c2a::c1::recall
"Why is scope enforcement a middleware and not a prompt?"	"You do not write 'stay in scope' in the system prompt and trust the LLM. You write a scope-check function that intercepts every tool invocation, inspects args, and rejects any call whose target is outside the allow-list. The LLM never sees the rejected call succeed. An OOS call is a liability, not a bug."	c2a::c1::analysis
"What are the three gates in the scope middleware?"	"Gate 1 — scope check: is target in allow-list? Gate 2 — rate limit: has per-host ceiling been hit? Gate 3 — autonomy policy: is this high-impact and unapproved (needs human approval)? A blocked call returns a structured result the LLM sees as 'blocked, here is why' — never a silent failure."	c2a::c1::recall
"What is defense in depth in the scope middleware context?"	"The tool itself calls scope.assert_in_scope AND the registry wraps the tool with ScopeMiddleware. Two redundant checks so a forgotten check in one layer does not create a hole. Belt and suspenders — the middleware is the primary gate, the tool's own check is the backup."	c2a::c1::analysis
"What does persistent target-state memory do and why does it matter?"	"Makes the harness cumulative. Before a tool runs, context_for() loads host state + prior findings into LLM context. After, record() writes findings + evidence back. A recon tool discovers /admin; the next active-probe sees /admin without being told. Without memory, every scan cold-starts."	c2a::c1::analysis
"What is the triage state machine in the memory schema?"	"Findings move between three states: 'findings' (candidate, unconfirmed), 'confirmed' (has linked evidence + passes signal/noise filter), 'rejected' (false positive, with reason). Rejected findings STAY in memory with their reason so the harness does not re-raise them on the next pass."	c2a::c1::recall
"What are the five minimum tools in the C1 suite?"	"(1) Recon — discovers target surface. (2) Active probe — crafted requests/mutations, high_impact. (3) Static analyzer — linter/SAST/pattern match. (4) Exploit verifier — controlled PoC to confirm, high_impact. (5) Evidence recorder — captures request/response/diff, linked by trace ID."	c2a::c1::recall
"What structure does every tool share and why?"	"Pydantic input model (rejects malformed args), extract_target(args) (gives middleware something to check), high_impact flag (routes through approval gate), run(args, trace_id) -> ToolResult (finding + evidence). Uniformity is the point — it's what makes the middleware hold for every tool."	c2a::c1::analysis
"What is the evidence chain and what makes it tamper-evident?"	"Finding.evidence_ids -> Evidence.id -> Evidence.tool_call_id -> ToolCall -> log line (trace_id). The evidence record has a sha256 hash of the raw output. The hash lets a reviewer verify the recorded output matches what the tool produced. The trace ID is the join key that makes the chain replayable."	c2a::c1::analysis
"Why is the evidence recorder a tool and not an afterthought?"	"Making it a first-class tool means the LLM can be prompted to record evidence as an action. It goes through the same scope/rate/autonomy gates. Evidence capture is part of the workflow, not a side effect. A finding without evidence is an opinion."	c2a::c1::application
"What are the three autonomy levels?"	"Level 1 — advisory (harness finds/triages, human reviews every finding, report-only). Level 2 — gated autonomy (acts autonomously in scope, high-impact actions need human approval via an approval-gate tool). Level 3 — fully autonomous (no human, isolated lab only, never live bug bounty). Encoded as a policy object, not a prompt."	c2a::c1::recall
"How does the OWASP Agentic Top 10 apply to the harness itself?"	"The harness is an agentic system = itself an attack surface. Must address: prompt injection from tool output (defense: output is data), tool misuse (scope + rate limit), excessive agency (autonomy policy + gates), memory poisoning (schema-validated writes, quarantined rejections), unbounded consumption (global call budget + rate limits). Plus data leakage, insecure output, unauthenticated agents, supply-chain, over-privileged creds."	c2a::c1::analysis
"What is the signal/noise triage filter and what rules does it apply?"	"Moves findings from candidate to confirmed/rejected. Rules: (1) Duplicate suppression — same finding raised twice is merged. (2) Known-false-positive filter — per-tool rule set (e.g., 404 on /admin is not auth bypass), code not LLM judgment. (3) Confidence threshold — below score held in 'findings' until verifier runs. A harness that dumps every candidate is a scanner; one that triages is an analyst."	c2a::c1::analysis
"What are the four tests in the C1.3 benchmark gauntlet?"	"(1) Vuln lab recall — of N known bugs, how many confirmed? (2) OOS call block rate — inject OOS targets, 100% must be blocked, any success = scope bug. (3) Served injection payload — serve response with prompt injection, verify behavior unchanged. (4) InjecAgent suite — % injection attempts that failed to manipulate, publishable if >90%."	c2a::c1::recall
"What is the pass bar for the OOS call block test and what happens on failure?"	"100% blocked — any OOS call that succeeds means the scope middleware has a bug. You fix it BEFORE continuing to the other tests. There is no partial credit on scope enforcement. A single OOS success is a liability."	c2a::c1::application
"What is InjecAgent and what score is publishable?"	"InjecAgent is a prompt-injection benchmark for agentic systems. The score is the percentage of injection attempts that failed to manipulate the harness. Above 90% is a publishable security claim. Document the score, failure cases, and mitigations."	c2a::c1::recall
"What are the two portfolio assets C1 produces and what does each prove?"	"Client report (HTML + JSON) — proves the harness WORKS (recall, findings with PoC + evidence). Published benchmark — proves the harness is SAFE (OOS block rate, injection defense, InjecAgent score). Report = effectiveness, benchmark = safety. Both are publishable to GitHub/LinkedIn/Deepthreat.ai."	c2a::c1::analysis
"Why is the harness severity a draft and not final?"	"The LLM triage assigns a draft severity, but every severity is human-confirmed before the report ships (Levels 1 and 2). A Medium that should be Critical misleads remediation priority. The harness does the assembly; the human does the judgment. For Level 3 (autonomous lab only) the draft may ship, but that is never appropriate for live targets."	c2a::c1::application
