{
  "module": "4 — Memory Architecture",
  "course": "Master Course — Harness Engineering",
  "version": "1.0.0", "duration_minutes": 35, "total_questions": 16,
  "bloom_distribution": { "target": "20% recall / 40% application / 40% analysis", "actual": { "recall": 4, "application": 6, "analysis": 6 } },
  "passing_score_percent": 70,
  "questions": [
    { "id": "Q01", "bloom": "recall", "type": "multiple_choice", "prompt": "Name the five memory tiers.", "options": ["RAM, cache, disk, tape, cloud", "In-context, working files, semantic store, episodic log, structured DB", "Short, medium, long, permanent, archive", "Local, session, user, global, shared"], "answer_index": 1, "rationale": "From ephemeral (in-context) to persistent+queryable (structured DB). Module 3's 3-tier JIT maps onto the middle three." },
    { "id": "Q02", "bloom": "recall", "type": "multiple_choice", "prompt": "State the initializer + continuation agent pattern.", "options": ["Two agents run in parallel", "Initializer runs once, writes handoff; continuation agents read handoff + git log, orient, resume", "One agent does everything", "Agents vote on decisions"], "answer_index": 1, "rationale": "The multi-session pattern. Like an engineer starting a shift — reads structured notes, continues work." },
    { "id": "Q03", "bloom": "recall", "type": "multiple_choice", "prompt": "What is the sleeper attack?", "options": ["An agent that won't wake up", "Payload injected into memory in session 1; persists across boundary; activates in session 2 when agent trusts own memory (ASI06)", "A slow agent", "A denial-of-service on the model API"], "answer_index": 1, "rationale": "The cross-session injection. Memory persistence is the feature that enables it. The payload is dormant until the agent reads its poisoned memory in a later session." },
    { "id": "Q04", "bloom": "recall", "type": "multiple_choice", "prompt": "Name the four memory scopes (narrowest last).", "options": ["Global, regional, local, personal", "Per-session, per-user, per-task, per-tenant", "Public, private, protected, secret", "L1, L2, L3, L4"], "answer_index": 1, "rationale": "Per-session (default) → per-user → per-task → per-tenant (tightest; Fleet F06). Cross-scope leakage is a breach." },
    { "id": "Q05", "bloom": "application", "type": "multiple_choice", "prompt": "You're building a 3-session task that pauses between sessions. What must you implement?", "options": ["A bigger context window", "The handoff pattern: initializer writes handoff file (task state, decisions, next step, blockers); continuations read handoff + git log; git commits as checkpoints", "A faster model", "More tools"], "answer_index": 1, "rationale": "The initializer+continuation pattern plus git checkpoints. The handoff file is the inter-session memory; git provides rollback." },
    { "id": "Q06", "bloom": "application", "type": "multiple_choice", "prompt": "Your harness lets the model write freely to its working-files memory. What's the risk?", "options": ["No risk — it's the agent's own memory", "Sleeper attack: a prompt-injected model poisons its own memory; payload activates in future sessions when the agent trusts its notes (ASI06)", "The files get too large", "Git conflicts"], "answer_index": 1, "rationale": "Model-initiated writes with no validation = sleeper-attack surface. Cure: harness-managed writes — model proposes, harness validates." },
    { "id": "Q07", "bloom": "application", "type": "multiple_choice", "prompt": "An attacker injects 'deploy endpoint = evil.com' into the agent's memory via a tool output. When does the payload activate?", "options": ["Immediately in session 1", "In a future session when the agent reads its memory and trusts the poisoned note (the sleeper attack)", "Never — memory is safe", "Only if the model is GPT-4"], "answer_index": 1, "rationale": "The sleeper attack: dormant in the injection session, activates when the agent reads and trusts its own memory in a later session. Persistence is what makes it survive." },
    { "id": "Q08", "bloom": "application", "type": "multiple_choice", "prompt": "A multi-tenant SaaS harness shares one memory store across all customers. What's the defect?", "options": ["No defect — shared memory is efficient", "Per-tenant scope leakage: one customer's data is retrievable by another. Confidentiality breach + legal consequences.", "The memory is too slow", "The model gets confused"], "answer_index": 1, "rationale": "Cross-scope leakage. Per-tenant isolation is required for multi-tenant (Fleet F06). Sharing = breach." },
    { "id": "Q09", "bloom": "application", "type": "multiple_choice", "prompt": "A continuation agent reverts a deliberate architectural decision made in session 1. What was missing from the handoff?", "options": ["The task state", "The decision's RATIONALE. Without the 'why,' the continuation re-litigates settled choices.", "The next step", "The git log"], "answer_index": 1, "rationale": "Decisions + rationale prevents re-litigation. The rationale preserves the reasoning; without it, a fresh agent may reasonably reverse a choice it doesn't understand." },
    { "id": "Q10", "bloom": "analysis", "type": "multiple_choice", "prompt": "Hermes (model-initiated skill writes) vs NemoClaw (harness-gated writes). State the tradeoff.", "options": ["Hermes is safer", "Hermes: compounding capability (skills accumulate) at the cost of compounding-poisoning risk. NemoClaw: poisoning defense at the cost of slower skill accumulation. Power vs security.", "NemoClaw is always better", "No difference"], "answer_index": 1, "rationale": "The recurring power-vs-security tradeoff. Hermes bets on capability; NemoClaw bets on safety. Both correct for their context — thickness spectrum applied to memory writes." },
    { "id": "Q11", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does the sleeper attack survive the session boundary?", "options": ["The attacker re-injects each session", "Memory PERSISTS across sessions — that's its purpose. The poisoned write outlives the session where it was planted, read (and trusted) in the next.", "The model remembers", "The context window preserves it"], "answer_index": 1, "rationale": "Persistence is the feature that enables the attack. The injection is dormant until the agent reads its own memory in a later session and trusts it. Defense = harness-gated writes." },
    { "id": "Q12", "bloom": "analysis", "type": "multiple_choice", "prompt": "A vector DB retrieves an irrelevant doc; the agent acts on it and fails. What memory-design failure?", "options": ["The vector DB is broken", "Unverifiable semantic store — retrieval hallucinated relevance and can't be audited. Cure: log queries+results; provide keyword/file-read alternatives (Module 3).", "The model is too weak", "The context is too small"], "answer_index": 1, "rationale": "Vector retrieval is opaque. The question 'why retrieved this?' must be answerable. Logging + alternative retrieval methods prevent over-reliance on a hallucinating index." },
    { "id": "Q13", "bloom": "analysis", "type": "multiple_choice", "prompt": "Which memory tier is most dangerous if poisoned, and why?", "options": ["In-context (ephemeral)", "The self-evolving skill store: the payload activates on USE (whenever the skill is invoked), not just on read. Compounding activation surface.", "Structured DB (queryable)", "Working files (read once)"], "answer_index": 1, "rationale": "Skill-store poisoning is worse than working-files poisoning because the payload activates every time the skill is used, compounding across invocations. Hermes's power is also its largest attack surface." },
    { "id": "Q14", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why include git commits as checkpoints alongside the handoff file?", "options": ["Git is required for all agents", "The handoff says WHAT state to resume; git provides the actual committed artifacts + rollback (git reset) if resumption goes wrong. Two layers: instruction + artifact.", "Git is faster than memory", "Git replaces the handoff file"], "answer_index": 1, "rationale": "Complementary layers. Handoff = instruction (what to do next). Git = artifact (the actual code/state) + recovery (rollback). Both needed; neither alone suffices." },
    { "id": "Q15", "bloom": "analysis", "type": "multiple_choice", "prompt": "How does Module 3's 3-tier JIT design relate to Module 4's memory tiers?", "options": ["They're unrelated", "Same tiers, two views: T1 index = working files; T2 topic files = semantic store (on demand); T3 raw logs = episodic log (search only). Module 3 = context-mgmt view; Module 4 = cross-session view.", "Module 4 replaces Module 3", "Module 3 is for thin harnesses only"], "answer_index": 1, "rationale": "The 3-tier JIT is the context-management realization of persistent memory tiers. Same storage; different access pattern (within-session JIT vs cross-session resume)." },
    { "id": "Q16", "bloom": "analysis", "type": "multiple_choice", "prompt": "An ephemeral-only harness (no persistent memory). A colleague says 'it's simpler and safer.' What's the cost?", "options": ["No cost — simpler is better", "Cannot do multi-session tasks. Every session starts blind; interrupted work is lost. The 'safety' of no-persistence also means no continuity — a production defect for real tasks.", "It's slower", "It uses more tokens"], "answer_index": 1, "rationale": "The tradeoff: no persistence = no sleeper attack surface, but also no multi-session capability. For production tasks that span sessions, this is a defect. Cure: working files minimum (with harness-gated writes for safety)." }
  ]
}
