{
  "module": "11 — Security Engineering for Harnesses",
  "course": "Master Course — Harness Engineering",
  "version": "1.0.0", "duration_minutes": 40, "total_questions": 14,
  "bloom_distribution": { "target": "20/40/40", "actual": { "recall": 3, "application": 6, "analysis": 5 } },
  "passing_score_percent": 70,
  "questions": [
    { "id": "Q01", "bloom": "recall", "type": "multiple_choice", "prompt": "Which injection vector is MOST COMMON and MOST DANGEROUS?", "options": ["Direct injection", "Indirect injection (via tool output). InjecAgent: 50%+ vulnerable.", "Code injection", "SQL injection"], "answer_index": 1, "rationale": "Indirect — attacker controls content the agent reads (file/page/API). The tool faithfully returns it; the model may comply. The primary vector across the course (Module 2.4 Vector 1)." },
    { "id": "Q02", "bloom": "recall", "type": "multiple_choice", "prompt": "State the RedAgent finding (2026).", "options": ["All LLMs are safe", "Most black-box LLMs jailbreakable within 5 queries (context-specific attacks)", "Jailbreaking is impossible", "It takes 100+ queries"], "answer_index": 1, "rationale": "The empirical case for defense-in-depth. If one layer falls in 5 queries, you need multiple layers." },
    { "id": "Q03", "bloom": "recall", "type": "multiple_choice", "prompt": "How many layers in the unified defense stack (Module 11)?", "options": ["3", "6", "9 (across Modules 2, 4, 5, 6, 9, 11, C2/S12)", "12"], "answer_index": 2, "rationale": "9 layers. Each defends a different ASI risk. No single layer sufficient; attack must bypass all." },
    { "id": "Q04", "bloom": "application", "type": "multiple_choice", "prompt": "ASI04 Memory Poisoning: attack + defense?", "options": ["Attack: delete memory. Defense: backup.", "Attack: write false facts in S1; activate in S2 (sleeper). Defense: harness-managed writes (Module 4.3) — model proposes, harness validates.", "Attack: read memory. Defense: encryption", "Attack: corrupt DB. Defense: restart"], "answer_index": 1, "rationale": "The sleeper attack. Persistence is the enabler; harness-gated writes (model proposes, harness validates) is the defense." },
    { "id": "Q05", "bloom": "application", "type": "multiple_choice", "prompt": "ASI08 Supply Chain (MCP): attack + defense?", "options": ["Attack: slow network. Defense: faster network.", "Attack: malicious MCP server with hidden instructions in tool description. Defense: signed manifests + runtime verification (Course 2 S12).", "Attack: too many tools. Defense: fewer tools", "Attack: model weakness. Defense: stronger model"], "answer_index": 1, "rationale": "Vector 2 (Module 2.4). MCP definitions are untrusted code. The model reads the description as a prompt. Signed manifests verify integrity." },
    { "id": "Q06", "bloom": "application", "type": "multiple_choice", "prompt": "ASI09 Resource Exhaustion: attack + defense?", "options": ["Attack: steal data. Defense: encryption", "Attack: induce indefinite running / unbounded compute. Defense: resource caps (5.4) + circuit breaker (7.2) + token budget (1.2).", "Attack: delete files. Defense: backups", "Attack: injection. Defense: tagging"], "answer_index": 1, "rationale": "The resource-exhaustion attack. Multiple independent caps (compute, tokens, time) + the circuit breaker for stuck loops." },
    { "id": "Q07", "bloom": "application", "type": "multiple_choice", "prompt": "An attacker forges a tool result (tool output forgery). Defense?", "options": ["Trust the tool", "Tool result provenance — log and verify the SOURCE of every tool result. For MCP: signed manifests. The harness must know the result came from the real tool.", "Ignore tool outputs", "Use a stronger model"], "answer_index": 1, "rationale": "If the harness doesn't verify tool-server identity (especially MCP), an attacker spoofs results. Provenance + signed manifests verify the source." },
    { "id": "Q08", "bloom": "application", "type": "multiple_choice", "prompt": "Cascading hallucination (ASI06): which module defends, and how?", "options": ["Module 2 (tools)", "Module 9 (Verification). Computed + model-judged verification catches the hallucination before it propagates downstream.", "Module 5 (sandbox)", "Module 11 only"], "answer_index": 1, "rationale": "A hallucinated tool result, if unverified, corrupts all downstream steps. Verification (Module 9) catches it before propagation." },
    { "id": "Q09", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does the 5-query RedAgent finding justify defense-in-depth?", "options": ["It doesn't", "If one layer falls in 5 queries, the attacker must be stopped by the 2nd/3rd layer. Single-layer = single point of failure. 9 layers = attacker must bypass ALL.", "5 queries is a lot", "It justifies giving up"], "answer_index": 1, "rationale": "The empirical case for layers. A determined attacker gets through one layer quickly; multiple independent layers raise the cost and catch what one misses." },
    { "id": "Q10", "bloom": "analysis", "type": "multiple_choice", "prompt": "Multi-step injection: why does per-turn detection miss it?", "options": ["Per-turn is too slow", "Each individual call looks benign; the attack is in the SEQUENCE. Per-turn gates evaluate calls independently and see nothing wrong. Needs session-level intent tracking (C2/S11.2).", "Per-turn uses too many tokens", "Per-turn is deprecated"], "answer_index": 1, "rationale": "The hardest detection problem. The attack emerges from the compound intent across calls, not any single call. Session-level (compound-intent) detection is required." },
    { "id": "Q11", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does 'instruction isolation' defend against direct injection?", "options": ["It encrypts the prompt", "System prompt in a SEPARATE, HIGHER-PRIORITY layer than data. Model treats system-prompt as authoritative, tagged/data as subordinate. 'Ignore instructions' from data can't override the isolated layer.", "It hides the prompt", "It's faster"], "answer_index": 1, "rationale": "Architectural separation. Instructions and data live in different priority layers. The model is trained to treat the system layer as authoritative over data-layer content." },
    { "id": "Q12", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does NemoClaw's governance model make ALL defenses more robust?", "options": ["It's faster", "Enforcement is OUTSIDE the agent's reach. If the agent could reach enforcement, a compromised agent could disable it. NemoClaw's guardrails sit between agent and world — unreachable.", "It uses a stronger model", "It's encrypted"], "answer_index": 1, "rationale": "Module 0.2's principle applied to all defenses. Unreachable enforcement cannot be disabled by a compromised agent. Every defense layer is more robust when it's outside the agent's process." },
    { "id": "Q13", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why is capability minimization (least privilege) a security control?", "options": ["It's faster", "An agent that CANNOT call send_email cannot exfiltrate via email, regardless of injection. Least privilege removes the capability BEFORE the attack.", "It saves tokens", "It's required by OTel"], "answer_index": 1, "rationale": "Preventive control. The agent can't do what it's not permitted to do. Injection can't invoke a capability the agent doesn't have. The most reliable defense — elimination." },
    { "id": "Q14", "bloom": "analysis", "type": "multiple_choice", "prompt": "Prompt-injection detection via secondary model: what does it do?", "options": ["Replaces the primary model", "Runs tool outputs through a SECONDARY LLM checking for injected instructions BEFORE inserting into context. Independent of the primary model.", "Encrypts outputs", "Logs outputs"], "answer_index": 1, "rationale": "A second opinion. A separate model evaluates 'does this content contain instructions attempting to override the task?' If yes, the content is quarantined or tagged, not inserted raw." }
  ]
}
