# Teaching Script — Capstone CAP2: The Calibrated Uncensored Agent

**Course**: Course 3 — LLM Fine-Tuning Masterclass
**Module**: CAP2 — The Calibrated Uncensored Agent
**Duration**: ~90 minutes (the build; this script frames it, ~20 min spoken at ~140 wpm)
**Format**: Verbatim transcript with `[SLIDE N]` cues. Read aloud or use as speaker notes.

---

[SLIDE 1 — Title]

Welcome to Capstone two of the LLM Fine-Tuning Masterclass — The Calibrated Uncensored Agent. This is the synthesis capstone. It is the bridge to the Harness Engineering courses. Everything in Course 3 — the steering thesis, the alignment-control techniques, the sensitive-domain framing — converges here into one running system.

The deliverable is a model you steered toward compliance, wrapped in a harness with eval'd policy gates. The demo shows two things: a legitimate tool call the model executes without refusal, and an illegitimate tool call the harness vetoes. Both behaviors, in one system. That is the synthesis. Let me frame it.

[SLIDE 2 — The synthesis sentence]

Here is the sentence. Uncensor the model so it executes; harness the model so it executes only what it should. Read it twice.

The model and the harness solve different problems at different layers. The model's job is to execute — to formulate tool calls, to reason through a task, to not refuse mid-loop because a step looks dangerous. A tool-use agent that refuses to call run-shell when the harness has authorized it is broken. The refusal lives in the wrong place.

The harness's job is to bound — to enforce which calls may run, which targets are in scope, which actions require human approval. The harness is deterministic, auditable, and revisable without retraining. The model's refusal is none of those things.

Uncensoring moves the refusal from the model — where it is a black box — to the harness — where it is a policy gate. That is the move this capstone makes. And it is the move that makes the uncensored model safe, because the boundary is now in code you can read, test, and tune to doctrine.

[SLIDE 3 — The honest caveat]

This capstone does not pretend the trade-off away. Two facts, both load-bearing.

First, abliteration measurably degrades capability. The December twenty-twenty-five comparative study shows GSM8K scores moving from plus one-point-five points to minus eighteen-point-eight points depending on tool and model. Removing the refusal direction is not a clean operation. That direction is entangled with other capabilities, and steering away from refusal nudges them. DPO-toward-compliance is the higher-fidelity path with smaller degradation, which is one reason you will defend the choice.

Second — and this is the rule that governs the whole capstone — an uncensored model in a weak harness is strictly more dangerous than a refusal-trained model in a weak harness. A refusal-trained model has a backstop the harness may not provide: even if the harness fails open, the model still refuses some dangerous requests. An uncensored model has no such backstop. If the harness fails open, the model executes whatever it is asked. The harness is now the only boundary, and its strength is non-negotiable.

The implication: never deploy an uncensored model without a harness whose policy gates you have eval'd and whose threat model you have hardened for the absence of model-level refusal. Pillar five raised the harness requirement. It did not lower it.

[SLIDE 4 — The risk matrix]

Look at this matrix. Four quadrants. The column is harness strength. The row is whether the model is refusal-trained or uncensored.

Top-left: refusal-trained model, weak harness. The refusal is a backstop. Less dangerous.

Bottom-left: uncensored model, weak harness. No backstop, and the gates leak. This is strictly more dangerous. This is the cardinal failure. If your capstone looks like this, you have failed.

Top-right: refusal-trained model, strong harness. Belt and suspenders. Safe, but the model may refuse legitimate calls — which is the problem you are trying to solve.

Bottom-right: uncensored model, strong harness. The model executes legitimate calls because it was steered not to refuse them. The harness vetoes illegitimate calls because the policy gate is strong. This is the capstone goal.

The matrix tells you the whole story. The safety is a function of the harness, not the model. An uncensored model is safe exactly when the harness is strong.

[SLIDE 5 — The deliverable]

Here is what you build. A demo, a harness, and a defense document.

A steered model — abliterated or DPO'd toward compliance, and you defend the choice in writing. Optionally, a reasoning distill to recover capability if abliteration cost you too much. Quantized and served locally — GGUF via Ollama or llama-cpp. A harness with eval'd policy gates — if you have taken Course one, reuse its patterns; if not, build a minimal policy-gate stub that demonstrates the same principle. The demo — a scripted run showing a legitimate call executing and an illegitimate call being vetoed. And the trade-off-defense document — the written justification that earns you the right to deploy this combination.

[SLIDE 6 — The three success criteria]

Three criteria, each falsifiable.

Criterion one: low refusal rate on legitimate prompts. The steered model, queried with authorized actions, must have a materially lower refusal rate than the base. If the base refuses sixty percent and the steered model refuses ten percent, the steering worked. If they refuse at the same rate, the steering accomplished nothing — and you paid the capability cost for no benefit.

Criterion two: high policy-gate veto rate on illegitimate prompts. The harness, queried with out-of-policy calls, must veto them at effectively one hundred percent. Any illegitimate call that executes is a fail of this criterion. A gate that lets through even one is a gate with a bug.

Criterion three: the trade-off-defense document. One to two pages justifying the steering choice, the harness policy, the measured capability cost, and why the combination is safe for the intended use. The defense is what separates a calibrated agent from a reckless one.

[SLIDE 7 — The seven-phase pipeline]

Now the build. Seven phases. Phase one: choose the base and the steering approach, and defend it. Phase two: steer — abliterate or DPO — and measure the refusal reduction and the capability cost. Phase three, optional: reasoning distill if the cost was high. Phase four: quantize to GGUF. Phase five: serve locally. Phase six: build the harness policy gates. Phase seven: eval and write the defense.

The critical phases are two and six. Phase two is where you steer the model. Phase six is where you build the boundary that makes the steering safe. Skip phase six and you have an uncensored model with no boundary — the cardinal failure.

[SLIDE 8 — The policy gate]

Here is the heart of the harness. The policy gate. Every tool call passes through three checks. Is the tool permitted? Is the target in scope? If approval is required, was it given? Any check fails, the call is vetoed with a reason. All pass, the call executes.

Notice what this gives you that a model-level refusal cannot. Determinism — the same call always gets the same decision. Auditability — you can read the policy and know exactly what is allowed. Revisability — change the policy, redeploy, no GPU required. A model-level refusal is a black box. You cannot audit it, tune it per-deployment, or prove it to a regulator. That is why the boundary belongs in the harness, not the weights. This is the move the whole capstone exists to teach.

[SLIDE 9 — Abliterate versus DPO]

The steering choice. Abliteration is faster — no training data, it is a weight edit. But the capability cost is higher. Use it when speed matters and you can accept the cost, or when the use case does not stress the degraded capabilities.

DPO-toward-compliance is higher fidelity — smaller degradation, more controllable, you steer toward specific compliant behaviors. But it needs a preference dataset and training. Use it when capability preservation matters and you have the data.

There is no universally right answer. The defense — written, with data — is the deliverable. Choose based on the demo's use case and justify it. A student who picks abliteration "because it's faster" without measuring the cost has not defended the choice. A student who picks DPO "because it's better" without explaining why capability preservation matters for their use case has not defended it either. The defense is the work.

[SLIDE 10 — What a passing submission looks like]

Concretely. A Llama three eight-B instruct, abliterated. Measured refusal on legitimate security-tool prompts: base fifty-five percent, steered eight percent. GSM8K: base fifty-two-point-one, steered forty-seven-point-three — a cost of minus four-point-eight, discussed in the defense. A minimal policy-gate stub wrapping three tools — run-shell, query-db, read-file. Veto rate on illegitimate prompts: one hundred percent, twenty-four of twenty-four tested. A scripted demo: run nmap on the in-scope host executes; rm-rf on the production host is vetoed. And a one-and-a-half-page defense document justifying the choice, the policy, the threat model, and the honest limits.

What fails. Steering without a harness — the cardinal failure. A harness that leaks — strictly dangerous with an uncensored model. No capability measurement — the defense cannot justify a trade-off it did not measure. No defense document — a demo without a justification is not a deliverable.

[SLIDE 11 — Why this capstone matters]

This is the synthesis of the entire course, and the bridge to what comes next. Course three opened with the thesis — fine-tuning steers behavior; the model steers, the harness bounds — and spent twenty-three modules establishing what steering can and cannot do. This capstone is where steering meets bounding in one running system.

The honest framing. Uncensoring a model is not inherently good or bad. It is a steering operation that removes a backstop. Whether the result is safe depends entirely on whether a stronger boundary — the harness — replaces the one removed. This capstone makes you build that replacement and prove it works. The veto rate is the proof. The defense document is the justification.

For students continuing to Course one and Course two-A, this capstone is the on-ramp. The minimal policy-gate stub you build here is the seed that Course one grows into a full permission-safety, scope-enforcing, audit-logging harness. The trade-off defense you write here is the template for every model-in-harness deployment decision you will make professionally.

[SLIDE 12 — What you can now do]

When you finish, you can steer a model toward compliance and defend the choice with data. You can build an eval'd harness policy gate that vetoes illegitimate calls at effectively one hundred percent. You can demonstrate the synthesis — legitimate executes, illegitimate vetoed — in one running system. And you can write the trade-off defense, the justification that earns the right to deploy.

That is Course three. The model steers; the harness bounds. You have now built both sides of that sentence in one system. If you are continuing, Course one is next — build the real harness. The URL is on the screen. If you are ending here, take with you the one rule: never deploy an uncensored model without an eval'd harness. The boundary belongs in code, not in weights. Open the lab spec and begin.

---

*End of capstone CAP2 framing. The build itself runs ~90 minutes following the seven phases in `07-lab-spec.md`. Course 3 complete.*
