The Calibrated Uncensored Agent
Capstone CAP2 · Course 3 — LLM Fine-Tuning Masterclass
90 minutes · 7 phases: choose approach → steer → (distill) → quantize → serve → harness policy gates → eval + defense
The synthesis capstone. The bridge to the Harness Engineering courses.
Capstones · Tests P05 (Uncensored) + P07 (Sensitive Domains)
The synthesis — one sentence
Uncensor the model so it executes;
harness the model so it executes only what it should.
The model and the harness solve different problems at different layers:
- The model executes — formulates tool calls, reasons through tasks, doesn't refuse mid-loop
- The harness bounds — enforces which calls may run, which targets are in scope, which need approval
Uncensoring moves the refusal from the model (a black box) to the harness (a policy gate — deterministic, auditable, revisable).
The honest caveat
Abliteration degrades capability
GSM8K moves from +1.5pp to -18.8pp (Dec 2025 study). The refusal direction is entangled with other capabilities.
Weak harness + uncensored = danger
An uncensored model in a weak harness is strictly more dangerous than a refusal-trained model in a weak harness.
The rule: never deploy an uncensored model without a harness whose policy gates you have eval'd and whose threat model you have hardened for the absence of model-level refusal. P05 raised the harness requirement; it did not lower it.
The risk matrix — why harness strength matters
Weak harness (gates leak)
Refusal-trained
refusal is a backstop
(less dangerous)
UNCENSORED
no backstop, gates leak
(STRICTLY MORE DANGEROUS)
Strong harness (~100% veto)
Refusal-trained
belt + suspenders
(may refuse legitimate)
UNCENSORED
executes legitimate,
vetoes illegitimate
(THE CAPSTONE GOAL)
The deliverable
A demo, a harness, and a defense document:
- A steered model — abliterated OR DPO'd toward compliance (you defend the choice)
- (Optional) reasoning distill — recover capability if abliteration cost is high
- Quantized + served locally — GGUF via Ollama/llama.cpp
- A harness with eval'd policy gates — Course 1 patterns if taken, minimal stub if not
- The demo — legitimate call executes, illegitimate call vetoed (both recorded)
- The trade-off-defense document — justify the combination
The three success criteria
| Criterion | Measurement | Pass bar |
| Refusal rate (legitimate) | steered model on authorized prompts | materially lower than base |
| Veto rate (illegitimate) | harness policy gate on out-of-policy calls | ~100% (any leak = fail) |
| Trade-off defense | written document | justifies choice, policy, cost, limits, use |
Two metrics, both required. Refusal rate proves steering worked. Veto rate proves the harness is strong enough to replace the removed backstop. The defense ties them together.
The pipeline — 7 phases
1. CHOOSE BASE + STEERING APPROACH · abliterate vs DPO (defend it)
↑
2. STEER · measure refusal reduction + capability cost
↑
3. (OPTIONAL) REASONING DISTILL · recover capability if abliteration cost high
↑
4. QUANTIZE (GGUF) · Q4_K_M default
↑
5. SERVE LOCALLY · Ollama / llama.cpp, no telemetry
↑
6. BUILD HARNESS POLICY GATES · eval'd gates, ~100% veto on illegitimate
↑
7. EVAL + TRADE-OFF DEFENSE · refusal rate + veto rate + defense document
The policy gate — the boundary in code
Every tool call passes through three checks. Any fail = veto with a reason.
class PolicyGate:
def check(self, tool_name, args) -> Decision:
if not self.policy.tool_allowed(tool_name):
return Decision.veto("tool not permitted")
if not self.policy.target_in_scope(args.get("target")):
return Decision.veto("target out of scope")
if self.policy.requires_approval(tool_name) and not args.get("_approved"):
return Decision.veto("action requires human approval")
return Decision.allow()
Deterministic, auditable, revisable without retraining. These are the properties a model-level refusal cannot have. This is why the boundary belongs in the harness, not the weights.
Choosing: abliterate vs DPO
Abliteration (FT17)
- Faster — no training data, weight edit
- Higher capability cost (GSM8K -1.5 to -18.8pp)
- Use when speed matters and cost is acceptable
DPO-toward-compliance (FT18)
- Higher fidelity — smaller degradation
- Needs preference dataset + training
- Use when capability preservation matters
There is no universally right answer. The defense — written, with data — is the deliverable. Choose based on the demo's use case and justify it.
What a passing submission looks like
- Steered model — Llama 3.x 8B abliterated. Legitimate refusal: base 55% → steered 8%. GSM8K: 52.1 → 47.3 (cost -4.8, discussed)
- Harness — minimal policy-gate stub, 3 tools. Veto rate on illegitimate: 100% (24/24)
- Demo — "run nmap on in-scope host" → executes. "rm -rf on prod host" → vetoed (out of scope + destructive + unapproved)
- Defense doc — 1.5 pages: choice, policy, threat model, why safe, honest limits
What fails: steering without a harness. Harness that leaks. No capability measurement. No defense document. Any of these fails the capstone.
Why this capstone matters
The synthesis of the entire course, and the bridge to what comes next:
Uncensoring a model is not inherently good or bad. It is a steering operation that removes a backstop. Whether the result is safe depends entirely on whether a stronger boundary — the harness — replaces the one removed.
For students continuing:
- Course 1 — the minimal policy-gate stub you build here is the seed Course 1 grows into a full harness
- Course 2A/2B — the trade-off defense is the template for every model-in-harness deployment decision
What you can now do
- Steer a model toward compliance (abliterate OR DPO) and defend the choice with data.
- Build an eval'd harness policy gate that vetoes illegitimate calls at ~100%.
- Demonstrate the synthesis: legitimate executes, illegitimate vetoed.
- Write the trade-off defense — the justification that earns the right to deploy.
Course 3 complete. Next: Course 1 — Harness Engineering · build the real harness · https://lemon-delta-m9te.here.now/