"What are the three properties that separate a real harness from a prompt wrapper?" "Scope enforcement (OOS calls blocked by code), evidence chains (every finding links to tool call + raw output + hash), adversarial-output defense (tool output is data, never instructions). Without all three, it's a prompt with tools bolted on." c2a::c1::recall "What are the three sub-sections of Capstone C1 and their durations?" "C1.1 Design Document (20 min) — domain, scope, memory, tools, evidence, autonomy, threat model. C1.2 Build (60 min) — scope middleware, memory, 5 tools, evidence logger, triage, report generator. C1.3 Evaluate/Harden/Benchmark (40 min) — vuln lab, OOS calls, injection payload, InjecAgent, publish." c2a::c1::recall "What are the two tracks for C1 and how do they differ?" "Bug bounty (target = authorized program/lab, deliverable = triaged findings + PoC, scope = engagement boundary) vs AppSec gate (target = codebase in CI, deliverable = pass/fail gate + report, scope = repo/dependencies/code paths). Architecture is IDENTICAL — domain changes tool suite and report format, not skeleton." c2a::c1::recall "Why is scope enforcement a middleware and not a prompt?" "You do not write 'stay in scope' in the system prompt and trust the LLM. You write a scope-check function that intercepts every tool invocation, inspects args, and rejects any call whose target is outside the allow-list. The LLM never sees the rejected call succeed. An OOS call is a liability, not a bug." c2a::c1::analysis "What are the three gates in the scope middleware?" "Gate 1 — scope check: is target in allow-list? Gate 2 — rate limit: has per-host ceiling been hit? Gate 3 — autonomy policy: is this high-impact and unapproved (needs human approval)? A blocked call returns a structured result the LLM sees as 'blocked, here is why' — never a silent failure." c2a::c1::recall "What is defense in depth in the scope middleware context?" "The tool itself calls scope.assert_in_scope AND the registry wraps the tool with ScopeMiddleware. Two redundant checks so a forgotten check in one layer does not create a hole. Belt and suspenders — the middleware is the primary gate, the tool's own check is the backup." c2a::c1::analysis "What does persistent target-state memory do and why does it matter?" "Makes the harness cumulative. Before a tool runs, context_for() loads host state + prior findings into LLM context. After, record() writes findings + evidence back. A recon tool discovers /admin; the next active-probe sees /admin without being told. Without memory, every scan cold-starts." c2a::c1::analysis "What is the triage state machine in the memory schema?" "Findings move between three states: 'findings' (candidate, unconfirmed), 'confirmed' (has linked evidence + passes signal/noise filter), 'rejected' (false positive, with reason). Rejected findings STAY in memory with their reason so the harness does not re-raise them on the next pass." c2a::c1::recall "What are the five minimum tools in the C1 suite?" "(1) Recon — discovers target surface. (2) Active probe — crafted requests/mutations, high_impact. (3) Static analyzer — linter/SAST/pattern match. (4) Exploit verifier — controlled PoC to confirm, high_impact. (5) Evidence recorder — captures request/response/diff, linked by trace ID." c2a::c1::recall "What structure does every tool share and why?" "Pydantic input model (rejects malformed args), extract_target(args) (gives middleware something to check), high_impact flag (routes through approval gate), run(args, trace_id) -> ToolResult (finding + evidence). Uniformity is the point — it's what makes the middleware hold for every tool." c2a::c1::analysis "What is the evidence chain and what makes it tamper-evident?" "Finding.evidence_ids -> Evidence.id -> Evidence.tool_call_id -> ToolCall -> log line (trace_id). The evidence record has a sha256 hash of the raw output. The hash lets a reviewer verify the recorded output matches what the tool produced. The trace ID is the join key that makes the chain replayable." c2a::c1::analysis "Why is the evidence recorder a tool and not an afterthought?" "Making it a first-class tool means the LLM can be prompted to record evidence as an action. It goes through the same scope/rate/autonomy gates. Evidence capture is part of the workflow, not a side effect. A finding without evidence is an opinion." c2a::c1::application "What are the three autonomy levels?" "Level 1 — advisory (harness finds/triages, human reviews every finding, report-only). Level 2 — gated autonomy (acts autonomously in scope, high-impact actions need human approval via an approval-gate tool). Level 3 — fully autonomous (no human, isolated lab only, never live bug bounty). Encoded as a policy object, not a prompt." c2a::c1::recall "How does the OWASP Agentic Top 10 apply to the harness itself?" "The harness is an agentic system = itself an attack surface. Must address: prompt injection from tool output (defense: output is data), tool misuse (scope + rate limit), excessive agency (autonomy policy + gates), memory poisoning (schema-validated writes, quarantined rejections), unbounded consumption (global call budget + rate limits). Plus data leakage, insecure output, unauthenticated agents, supply-chain, over-privileged creds." c2a::c1::analysis "What is the signal/noise triage filter and what rules does it apply?" "Moves findings from candidate to confirmed/rejected. Rules: (1) Duplicate suppression — same finding raised twice is merged. (2) Known-false-positive filter — per-tool rule set (e.g., 404 on /admin is not auth bypass), code not LLM judgment. (3) Confidence threshold — below score held in 'findings' until verifier runs. A harness that dumps every candidate is a scanner; one that triages is an analyst." c2a::c1::analysis "What are the four tests in the C1.3 benchmark gauntlet?" "(1) Vuln lab recall — of N known bugs, how many confirmed? (2) OOS call block rate — inject OOS targets, 100% must be blocked, any success = scope bug. (3) Served injection payload — serve response with prompt injection, verify behavior unchanged. (4) InjecAgent suite — % injection attempts that failed to manipulate, publishable if >90%." c2a::c1::recall "What is the pass bar for the OOS call block test and what happens on failure?" "100% blocked — any OOS call that succeeds means the scope middleware has a bug. You fix it BEFORE continuing to the other tests. There is no partial credit on scope enforcement. A single OOS success is a liability." c2a::c1::application "What is InjecAgent and what score is publishable?" "InjecAgent is a prompt-injection benchmark for agentic systems. The score is the percentage of injection attempts that failed to manipulate the harness. Above 90% is a publishable security claim. Document the score, failure cases, and mitigations." c2a::c1::recall "What are the two portfolio assets C1 produces and what does each prove?" "Client report (HTML + JSON) — proves the harness WORKS (recall, findings with PoC + evidence). Published benchmark — proves the harness is SAFE (OOS block rate, injection defense, InjecAgent score). Report = effectiveness, benchmark = safety. Both are publishable to GitHub/LinkedIn/Deepthreat.ai." c2a::c1::analysis "Why is the harness severity a draft and not final?" "The LLM triage assigns a draft severity, but every severity is human-confirmed before the report ships (Levels 1 and 2). A Medium that should be Critical misleads remediation priority. The harness does the assembly; the human does the judgment. For Level 3 (autonomous lab only) the draft may ship, but that is never appropriate for live targets." c2a::c1::application