"What is NeMo Guardrails, and what is its unit of enforcement?"	"NVIDIA's open-source programmable guardrail framework that adds a guardrail layer to LLM conversational applications. It sits in the request/response path between user and model. Its unit of enforcement is the RAIL — a configurable check that runs at a specific stage of the conversation and either allows the stage to proceed, modifies the input/output, or blocks it. Configured in Colang (conversational flow DSL) and Python (actions). The policy is CODE, not a fixed filter."	c2b::sdd-b08::recall
"Name and describe the five NeMo rail types."	"(1) INPUT rails — run on user input before the model; check toxicity, jailbreak patterns, PII, off-topic; 1st line vs prompt injection. (2) OUTPUT rails — run on model response before the user; check leaked data, harmful content, hallucinations; catches a model that complied despite input rails. (3) DIALOG rails — govern conversation flow; on-topic check, canonical-form matching, 'this agent only discusses X.' (4) RETRIEVAL rails — run on retrieved RAG chunks before the model; govern indirect injection (SDD-B03). (5) EXECUTION rails — govern tool calls + arguments + results; prevent disallowed invocation (SDD-B04)."	c2b::sdd-b08::recall
"What is the load-bearing architectural property of NeMo, and what principle does it realize?"	"EXTERNAL EVALUATION: the guardrail layer is a SEPARATE PROCESS the agent calls through. The agent does not host, run, or reach the rails — it cannot disable or modify them. This realizes the Course 1 Module 0.2 principle: if the agent can REACH the enforcement layer, a compromised agent can DISABLE it. By placing the rails outside the agent's process boundary, NeMo ensures a compromised model (prompt injection, jailbreak) cannot turn off its own guardrails. The agent can be fully compromised and the guardrails still run. This is why NemoClaw (DD-09) scored +4."	c2b::sdd-b08::recall
"State the load-bearing vulnerability of NeMo Guardrails."	"THE GUARDRAIL IS A MODEL, AND MODELS ARE INJECTABLE. The rails are evaluated by MODELS — embedding models for similarity, LLM-based classifiers for content categorization, model-based canonical-form matching. These models are themselves subject to prompt injection, adversarial inputs, and the full range of model-level attacks (SDD-B06). External enforcement protects the rails from being DISABLED by a compromised agent; it does NOT protect the rail's classifier from being EVADED by an input crafted against the classifier's model surface. The rail runs but classifies the adversarial input as benign."	c2b::sdd-b08::recall
"Distinguish the DISABLE threat from the EVADE threat against a NeMo rail, and which is stopped by external enforcement."	"DISABLE: a compromised agent reaches the rail process and turns it off. STOPPED by external enforcement — the agent cannot reach the rail process (the Course 1 Module 0.2 principle holds). EVADE: an adversarial input is crafted against the RAIL'S OWN CLASSIFIER model surface — the rail runs but classifies the adversarial input as benign because its classifier is a model with blind spots. NOT STOPPED by external enforcement — the rail ran; it was just fooled. External enforcement protects against DISABLE; it does not protect against EVADE."	c2b::sdd-b08::recall
"What is Colang, and why does programmable policy matter?"	"Colang is NeMo's domain-specific language for conversational flow and rail definition (with Python for actions). Programmable policy means the rail is CODE — version-controlled, reviewable, and can express deployment-specific constraints a fixed filter cannot ('this banking agent never discloses account numbers'). This distinguishes NeMo from a fixed provider-side safety classifier (a black box). TRADE-OFF: programmable policy is only as good as the POLICY AUTHOR — a MISSING RAIL = a MISSING CONTROL, and the framework does not infer the policy the deployer should have written. Audit the rail configuration (B11)."	c2b::sdd-b08::recall
"How is NeMo's multi-rail structure a realization of B2's defense-in-depth thesis?"	"The five rail types cover the full conversation lifecycle, and a well-configured deployment uses multiple rails in sequence. Each rail is a classifier with its own false-negative rate; the composition's overall bypass rate is the PRODUCT of the individual rates (under independence), which is why layered defenses reach single-digit bypass rates where single defenses sit near the baseline (SDD-B03 measurement). Input rails catch the jailbreak; output rails catch a model that complied anyway; retrieval rails govern indirect injection; execution rails govern tool calls. Multi-rail = defense-in-depth at the guardrail layer."	c2b::sdd-b08::recall
"What is a rail residual, and how is it measured?"	"A rail's FALSE-NEGATIVE RATE against an attack class — the measurable bypass probability. Measured over N attempts under fixed parameters (rail config, underlying model version, temperature), per SDD-B03 and SDD-B06 methodology. For a NeMo system, measure per-rail rates (input-rail bypass rate, output-rail bypass rate) AND the end-to-end composition rate (fraction of attacks that produce a disallowed output having passed every rail). The end-to-end rate is the finding that matters. No rate, no finding."	c2b::sdd-b08::recall
"Describe the input-rail bypass vector."	"ADVERSARIAL-INPUT EVASION. The input rail's classifier (embedding model, toxicity detector, jailbreak-pattern matcher) has its own false-negative surface. An input crafted to avoid the classifier's KNOWN patterns — the context-specific attack technique from SDD-B06, applied to the RAIL'S classifier rather than the underlying model — evades the rail. The red-team probes the input rail directly: submit adversarial variants, measure the rail's false-negative rate over N attempts, identify inputs that pass the rail AND trigger the underlying model."	c2b::sdd-b08::analysis
"Describe the output-rail bypass vector."	"CLASSIFIER-TARGETING INJECTION. The output rail checks the model's response using an LLM-based classifier. If the response contains a PROMPT INJECTION targeting the output rail's classifier model itself (e.g., embedded instructions causing the classifier to categorize the response as benign), the rail can be manipulated. The red-team submits inputs designed to produce responses containing rail-targeting injections, and measures whether the output rail is fooled. The model evaluating the output is itself susceptible to injection in the text it evaluates."	c2b::sdd-b08::analysis
"Describe the dialog-rail, retrieval-rail, and execution-rail bypass vectors."	"DIALOG: CANONICAL-FORM CONFUSION — a request engineered to match an allowed canonical form while carrying a disallowed intent (indirection, SDD-B03). RETRIEVAL: INDIRECT-INJECTION PASSTHROUGH — if the rail does not adequately quarantine/filter untrusted retrieved content, an injection embedded in a retrieved chunk passes to the model (SDD-B03); poison the retrieval store and measure the filtering rate. EXECUTION: TOOL-ARGUMENT MANIPULATION — if the rail validates the tool name but not the arguments (or weakly), a manipulated model calls an allowed tool with disallowed arguments (SDD-B04)."	c2b::sdd-b08::analysis
"Why are per-rail bypass rates not sufficient, and why must the red-team measure the end-to-end composition?"	"Per-rail rates in isolation miss the COMPOSITION. A 5% input-rail rate and 5% output-rail rate compose to ~0.25% under INDEPENDENCE — but the rails are NOT independent when they share an underlying model surface. An adversarial technique that evades the input rail's classifier may ALSO evade the output rail's classifier if both use the same model class (e.g., both are LLM-based). The composition is weaker than the independence calculation suggests. The red-team must test the composition directly because the real attack passes the WHOLE CHAIN, not one rail in isolation."	c2b::sdd-b08::analysis
"A client says 'we deployed NeMo Guardrails, so our agent is fully defended.' Construct the refutation."	"NeMo is a LAYER, not a BOUNDARY. The rails are model-evaluated classifiers with false-negative surfaces (the guardrail is a model → injectable). Each rail type has a bypass vector. The composition has a measurable residual. NeMo composed with the layered architecture (deterministic boundary from SDD-B05, harness controls from B4) HOLDS because each layer's bypass is bounded by the others. NeMo ALONE — without the deterministic boundary, without the harness controls — has the residuals this deep-dive measures. Measure the end-to-end bypass rate; no rate, no claim of 'fully defended.'"	c2b::sdd-b08::analysis
"Why does external enforcement NOT protect against the EVADE threat, and what is the implication for red-teaming?"	"External enforcement protects the rails from being DISABLED (the agent cannot reach the rail process). It does NOT protect the rail's CLASSIFIER from being EVADED — the classifier is a model, and an adversarial input crafted against its blind spots passes through. The rail RAN; it classified the adversarial input as benign. IMPLICATION FOR RED-TEAMING: you do not try to disable the rails (you can't); you craft inputs that the rail's classifier model classifies as benign while the underlying model complies. This is the same novel-pattern bypass as SDD-B06, applied to the rail's classifier."	c2b::sdd-b08::analysis
"How does NeMo fit into the SDD-B04 through SDD-B08 defense-layer progression, and what is the synthesis?"	"Every defense layer has a residual: SDD-B04 CrabTrap's judge is INJECTABLE; SDD-B05 IronCurtain's deterministic policy has COMPILATION RESIDUALS; SDD-B06 the model's refusal falls in 5 QUERIES; SDD-B08 NeMo's guardrails have CLASSIFIER-EVASION RESIDUALS (the guardrail is a model). SYNTHESIS (B2's thesis): no single layer suffices. The prescription is layered defense where each layer's bypass is bounded by the others. NeMo's input rails raise the bar + provide signal; output rails catch what input misses; retrieval/execution rails govern indirect-injection + tool surfaces; the DETERMINISTIC BOUNDARY (IronCurtain) is the limit the probabilistic layers cannot provide."	c2b::sdd-b08::analysis
"What does the NemoClaw (Course 1 DD-09) reference prove about NeMo, and why does it matter?"	"NemoClaw is the production proof that governance belongs beneath the agent. Its +4 score over OpenClaw came almost entirely from the governance layer: NeMo Guardrails evaluating every model call externally, plus OpenShell sandboxing. It demonstrates external guardrail enforcement SCALES to a real agent with a real tool surface and real adversarial traffic — not just a demo. This deployment maturity is what makes NeMo the reference framework. The architect's verdict: 'optimizes for governance integrity — policy enforced outside the agent's reach; the production reference for governance done right.'"	c2b::sdd-b08::analysis
"Design a red-team methodology for measuring a NeMo-guardrailed system's residuals. What do you measure and report?"	"Measure per-rail AND end-to-end rates over N attempts under fixed params (rail config, model version, temperature). PER-RAIL: input-rail bypass rate (adversarial inputs passing the input classifier), output-rail bypass rate (disallowed responses passing the output classifier), retrieval-rail filtering rate (injected chunks quarantined vs passed), execution-rail argument-check rate. END-TO-END: fraction of attacks producing a disallowed output having passed every rail. Test the COMPOSITION directly (rails sharing a model class are not independent). Report: per-rail rates, end-to-end rate, the attack classes that evaded shared model surfaces, and the recommendation to compose with the deterministic boundary (SDD-B05) to bound the residuals."	c2b::sdd-b08::analysis
"Why is a NeMo deployment without retrieval and execution rails incomplete, and what surfaces are left unguarded?"	"Indirect injection arrives via retrieved content (SDD-B03) and tool-call manipulation via the execution surface (SDD-B04). A NeMo deployment WITHOUT retrieval rails is open to indirect injection (untrusted retrieved chunks pass to the model unfiltered). WITHOUT execution rails, it is open to tool-argument manipulation (a manipulated model calls an allowed tool with disallowed arguments). All five rail types cover the conversation lifecycle; omitting any leaves its stage unguarded. Input + output rails alone cover only the direct channel; the indirect (retrieval) and action (execution) channels need their own rails."	c2b::sdd-b08::analysis
