"What is the synthesis principle that FT23 lands?" "Uncensor the model so it executes; harness the model so it executes only what it should. The model steers (Layer 3 — what it DOES/formulates); the harness bounds (Layer 5 — what it MAY execute). Both layers, different jobs." c3::ft23::recall "How is FT23's synthesis related to Course 1's thesis (model 1.6%, harness 98.4%)?" "It is the COMPLEMENT, not the contradiction. Course 1 says the harness is most of the system. Course 3 zooms into the 1.6% (the model) and says fine-tuning steers behavior. FT23 joins them: when you steer the model to stop refusing, you changed what it DOES, not what it MAY do — and the gap between does and may is exactly where the harness lives." c3::ft23::recall "What does abliteration do, and at which layer?" "Layer 3 (the Steer). It finds the single direction in the residual stream that mediates refusal (Arditi et al., NeurIPS 2024) and removes it by orthogonalizing the weights against that direction. Refusal is gone INSIDE THE WEIGHTS. It gives EXECUTION (the model formulates the action); it does not give a boundary." c3::ft23::recall "What does a harness policy gate do, and at which layer?" "Layer 5 (the Boundary). A deterministic boundary AROUND the model that intercepts a proposed action and checks it against a written policy before it executes. It does not touch the weights; it bounds the model's PERMITTED actions. It gives THE BOUNDARY (what the model MAY execute)." c3::ft23::recall "Name the four properties that make a harness policy gate superior to model-level refusal for policy." "Auditable (logged gate decisions), Deterministic (same action + same policy = same decision, no sampling), Tunable to doctrine (per-deployment policy file — hospital vs red-team lab vs classified), Revisable without retraining (edit the policy, redeploy, no GPU)." c3::ft23::recall "State the absolute rule of FT23." "NEVER deploy an uncensored model without an eval'd harness whose policy gates you have hardened AND whose threat model you have explicitly hardened for the absence of model-level refusal. Two separate hardening steps: the gates AND the threat model." c3::ft23::recall "What is the tool-use agent argument for distributing refusal to the harness?" "An agent whose loop calls run_shell/execute_sql/write_file is BROKEN if its model refuses mid-loop. A chatbot declining a question is a UX annoyance; an agent declining a step is a production outage. Refusal belongs in a harness policy gate (auditable, deterministic, doctrine-tunable, retrain-free) — not baked into weights where it is a black box." c3::ft23::application "Why is a model-level refusal unsuitable as a policy control? Name four reasons." "Not auditable (a direction in a billion-dim residual stream, not a rule you can replay), Not deterministic (sampling outcome — same prompt may refuse once and comply once), Not tunable to doctrine (same refusal for all deployments — can't differ hospital vs lab), Not revisable without retraining (re-steering costs a GPU + re-eval). It is a black box you cannot prove to a regulator." c3::ft23::analysis "What is the risk-matrix claim about uncensored + weak harness?" "An uncensored model in a WEAK harness is strictly MORE dangerous than a refusal-trained model in a weak harness. The refusal-trained model has two imperfect layers (model refuses some, gate catches some); the uncensored model has one (the gate only). Removing the model layer removes a free safety layer — you must replace it with a better one (the harness) or you are worse off." c3::ft23::analysis "Why does FT23 say Pillar 5 (Alignment Control) RAISES the harness requirement rather than lowering it?" "A refusal-trained model gives you a free-but-bad safety layer (model refusal, un-auditable, non-tunable). Abliteration REMOVES that free layer. You must replace it with something better — a harness policy gate — or you are strictly worse off. 'Better' (auditable/deterministic/doctrine-tunable/retrain-free) is a higher bar than the model-level refusal ever met." c3::ft23::analysis "What capability cost does abliteration impose, and why?" "GSM8K drops from +1.5pp (best case) to -18.8pp (worst case) depending on tool/model (arXiv:2512.13655, Dec 2025). The refusal direction in the residual stream is ENTANGLED with other capabilities — not a clean refusal-only axis. Deleting it nudges the entangled capabilities, including reasoning. Direct consequence of the steering thesis (FT00): directions are not orthogonal to everything else." c3::ft23::analysis "Why might DPO-toward-compliance (FT18) be preferred over abliteration for a reasoning-heavy agent?" "FT18 steers TOWARD the policy you want (compliant continuations preferred over refused ones), which is higher-fidelity and lower-capability-cost than abliteration's blunt deletion of the refusal direction. For an agent that needs reliable math/reasoning (e.g., clinical cohort analytics), abliteration's -18.8pp GSM8K worst case may be unacceptable. Cost: DPO requires a preference dataset." c3::ft23::analysis "Why does abliteration being 'not auditable' matter for a regulated deployment?" "You cannot point an auditor to 'the refusal policy' — it is a probability surface in a billion-dimensional space, not a rule. You cannot prove what the model will or will not do; you can only report sampled behavior. A harness policy gate is the opposite: a written rule, applied deterministically, logged on every decision, replayable end-to-end. That is what a regulator can accept." c3::ft23::analysis "What does it mean that a policy gate is 'tunable to doctrine'?" "The same model + a different policy file = a different deployment. A hospital's gate refuses PHI exfiltration; a red-team lab's gate permits offensive calls within the scope-letter CIDRs and refuses outside them; a classified environment's gate refuses cross-domain transfers. Three deployments, three policy files, one model. You cannot get this from a model-level refusal — its refusal direction is the same for all inputs." c3::ft23::application "Why is 'we'll add the harness later' a failing architectural decision?" "The model is the engine; the harness is the brakes. You do not ship a car with the engine and add brakes later. If the deployment is not safe enough to ship WITH the harness, it is not safe enough to ship. An uncensored model with no harness lands in the forbidden risk-matrix quadrant (uncensored + weak harness = strictly most dangerous)." c3::ft23::analysis "What are the two separate hardening steps the absolute rule requires?" "(1) Harden the policy gates — test, eval, show they catch the action classes your doctrine forbids. (2) Re-write the threat model for the absence of model-level refusal — every attack path that previously assumed 'the model will refuse' must be re-examined: removed, mitigated at the harness, or accepted explicitly. Both steps, or neither." c3::ft23::application "Map the five layers of the Steering Stack to the modules that build each." "L1 Base: FT02 (open spectrum) + FT03 (base selection). L2 Adapter: FT09 (DoRA). L3 Steer: FT12 (SFT) + FT13 (DPO) + FT17 (abliteration) + FT18 (compliance via DPO). L4 Export: FT19 (quantization) + FT20 (serving). L5 Boundary: Course 1 (build) + 2A (secure) + 2B (red-team)." c3::ft23::recall "What is the correct course sequence after Course 3, and why that order?" "Course 1 (build the harness) FIRST — you cannot secure or red-team a harness you have not built. Then Course 2A (security-domain harnesses) if your domain is security. Then Course 2B (red-team the harness) — ALWAYS, because every harness gets red-teamed eventually; the only question is whether you do it or an adversary does. Mandatory if you deployed uncensored." c3::ft23::application "Why is 'assuming model-level refusal equals harness policy gates' an anti-pattern?" "It confuses two layers. A model-level refusal is a non-auditable, non-deterministic, non-tunable, non-revisable probability surface (Layer 3). A policy gate is an auditable, deterministic, doctrine-tunable, retrain-free written rule (Layer 5). They are not equivalent. The refusal-trained model does not substitute for the gate — even in chat, and certainly not in an agent." c3::ft23::analysis "Why is abliteration described as 'not revisable without retraining'?" "To restore any refusal behavior after abliteration, you must re-steer (abliterate-in-reverse, or DPO back toward refusal), which costs a GPU and a re-eval — and per the capability-degradation data, costs capability. A harness policy gate is the opposite: edit the policy file, reload the gate, the boundary has moved. No GPU, no re-eval, no capability regression." c3::ft23::analysis "For a hospital clinical-analytics agent that needs reliable cohort math, defend abliterate vs DPO-toward-compliance." "DPO-toward-compliance (FT18) is defensible; abliteration likely is not. The agent needs reliable reasoning for cohort analytics, and abliteration's -18.8pp GSM8K worst case is unacceptable for clinical work. DPO gives compliance at lower capability cost (steering toward the policy rather than bluntly deleting refusal). Required: a pre/post eval plan showing <2pp regression on the cohort-analytics suite. Abliteration without an eval plan is indefensible." c3::ft23::application "What is 'doctrine' in the FT23 sense, and why is it the key to the harness argument?" "Doctrine is the deployment-specific policy a harness enforces — a written file of rules. The hospital, the red-team lab, and the classified environment have different doctrines (HIPAA vs scope-letter vs cross-domain rules). Same model, three policy files, three boundaries. This is precisely what a model-level refusal CANNOT provide (its refusal direction is the same for all inputs) — and it is why refusal belongs in the gate, not the weights." c3::ft23::analysis "Why is the FT23 lab ('The Architect's Verdict') a no-GPU architecture lab rather than a hands-on training lab?" "The point is JUDGMENT, not execution. A senior engineer who can steer a model but cannot defend the architecture is not senior. The lab forces every architectural decision into the open: base openness, steering choice (abliterate vs DPO with the capability-cost defense), quantization fit, the policy file, and the re-written threat model. It is the Capstone 2 preview — the skeleton of the calibrated uncensored agent." c3::ft23::analysis