{
  "module": "5 — Sandboxing & Execution Isolation",
  "course": "Master Course — Harness Engineering",
  "version": "1.0.0", "duration_minutes": 40, "total_questions": 16,
  "bloom_distribution": { "target": "20% recall / 40% application / 40% analysis", "actual": { "recall": 4, "application": 6, "analysis": 6 } },
  "passing_score_percent": 70,
  "questions": [
    { "id": "Q01", "bloom": "recall", "type": "multiple_choice", "prompt": "State the Luzzardi inside-vs-outside split.", "options": ["VM vs container", "Inside: loop+tools+creds in one container (Claude Code). Outside: loop on backend; sandbox via API (Agents SDK).", "Local vs cloud", "Single-user vs multi-user"], "answer_index": 1, "rationale": "The fundamental architecture decision. Where does the loop live relative to the sandbox boundary?" },
    { "id": "Q02", "bloom": "recall", "type": "multiple_choice", "prompt": "What's the deciding factor between inside and outside sandbox?", "options": ["Latency", "Credentials. Multi-tenant → creds cannot live in sandbox. Outside keeps them on backend.", "Cost", "Tool count"], "answer_index": 1, "rationale": "The credential question decides. A sandboxed agent that can read its own env can exfiltrate. Multi-tenant forces outside." },
    { "id": "Q03", "bloom": "recall", "type": "multiple_choice", "prompt": "Name the 3 scoping gates.", "options": ["Input, output, error", "Read scope, write scope, network egress", "User, group, other", "Read, write, execute"], "answer_index": 1, "rationale": "Three independent gates. Defense in depth — each is a separate defense. Even if one fails, others hold." },
    { "id": "Q04", "bloom": "recall", "type": "multiple_choice", "prompt": "State the credential boundary principle.", "options": ["Credentials are encrypted at rest", "Credentials NEVER enter the sandbox. Agent env has no creds. Backend performs authenticated actions and returns results.", "Credentials are rotated daily", "Credentials are stored in env vars"], "answer_index": 1, "rationale": "The agent cannot exfiltrate what it cannot read. The backend holds credentials; the sandbox process never sees them." },
    { "id": "Q05", "bloom": "application", "type": "multiple_choice", "prompt": "You're building multi-tenant SaaS. Inside or outside sandbox?", "options": ["Inside — simpler", "OUTSIDE. Credentials cannot live in the sandbox for multi-tenant. One tenant's agent could read another's creds in shared infra. Outside keeps creds on backend.", "Either works", "Depends on the model"], "answer_index": 1, "rationale": "The credential question decides. Multi-tenant forces outside. Each tenant gets an isolated sandbox; creds stay on backend." },
    { "id": "Q06", "bloom": "application", "type": "multiple_choice", "prompt": "Agent reads a secret (read-scope misconfigured) but egress is allowlisted. Outcome?", "options": ["Exfiltration succeeds", "No exfiltration. The read succeeded but the allowlist blocks sending the secret to an unlisted URL. Defense in depth: gates are independent.", "The agent crashes", "The sandbox suspends"], "answer_index": 1, "rationale": "Independence is the point of the three gates. Read-scope failure does not disable the egress gate. The secret is read but cannot leave." },
    { "id": "Q07", "bloom": "application", "type": "multiple_choice", "prompt": "Sandbox crashes at step 15 of 30. What determines resume vs restart?", "options": ["Always restart from 1", "Checkpointing (Module 8) + idempotency (Module 2). If checkpoints exist and task is idempotent, resume at 15.", "Always resume at 15", "Ask the user"], "answer_index": 1, "rationale": "Crash recovery depends on both checkpointing (state was saved) and idempotency (re-running a step is safe). Without either, restart from 1." },
    { "id": "Q08", "bloom": "application", "type": "multiple_choice", "prompt": "Anti-pattern: bash with full host access in production. Blast radius?", "options": ["The workspace only", "The entire host — any file, any URL, system state. Cure: Docker minimum (container isolation).", "Nothing — bash is safe", "The /tmp directory"], "answer_index": 1, "rationale": "Unsandboxed production = the maximum blast radius. Docker containers isolate process + filesystem, reducing blast radius to the container." },
    { "id": "Q09", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why can't inside-sandbox suspend when idle?", "options": ["It's too slow", "Loop and sandbox are ONE process. Suspending the sandbox suspends the loop. Outside separates them, so sandbox can suspend while backend waits.", "It's not allowed", "The model would forget"], "answer_index": 1, "rationale": "The architectural consequence of the split. Inside = one process; you can't suspend half of it. Outside = two layers; suspend the sandbox layer independently." },
    { "id": "Q10", "bloom": "analysis", "type": "multiple_choice", "prompt": "Skills assume local filesystem. You move to outside-sandbox. What breaks?", "options": ["Nothing — skills are portable", "Skills that read/write local files (their memory model). Outside-sandbox, the sandbox fs is ephemeral/remote; skills must be re-architected to call the sandbox over API. State-sync complexity.", "The model breaks", "The credentials leak"], "answer_index": 1, "rationale": "A real cost of the outside architecture. The local-fs assumption is baked into many skill designs. Moving outside requires re-architecting skills to use the sandbox API." },
    { "id": "Q11", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why is allow-all egress an 'exfiltration surface'?", "options": ["It's slow", "Any URL reachable. An agent that reads a secret (misconfigured read scope) can send it to ANY external URL. Allowlist blocks this independently of read scope.", "It uses too many tokens", "It's deprecated"], "answer_index": 1, "rationale": "The egress gate is independent of the read gate. Allow-all disables the egress gate, so a read-scope failure becomes an exfiltration. Allowlist keeps the gate active." },
    { "id": "Q12", "bloom": "analysis", "type": "multiple_choice", "prompt": "What's the Agents SDK's key sandboxing contribution?", "options": ["A new isolation technology", "7 providers behind a uniform abstraction. Provider becomes a deployment-time config choice, not a design-time constraint. Harness code is provider-agnostic.", "Cheaper sandboxing", "Faster cold starts"], "answer_index": 1, "rationale": "The abstraction is the contribution. You write harness code once; swap Docker for E2B by config. The provider decision is decoupled from the harness design." },
    { "id": "Q13", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why are the three scoping gates described as 'independent'?", "options": ["They run on different servers", "Each is a separate defense. A failure in one (read-scope misconfigured) does not disable the others (egress allowlist still blocks exfil). Defense in depth.", "They use different models", "They're optional"], "answer_index": 1, "rationale": "Independence is the value of having three gates rather than one. A single monolithic 'security check' has one failure mode; three independent gates require three simultaneous failures to breach." },
    { "id": "Q14", "bloom": "analysis", "type": "multiple_choice", "prompt": "A harness has no resource caps. What attack does it enable?", "options": ["Prompt injection", "Resource exhaustion (ASI #9). The agent can be driven into unbounded compute/memory consumption — a cost and availability attack.", "Memory poisoning", "Sandbox escape"], "answer_index": 1, "rationale": "Without CPU/memory/wall-clock limits, a malicious or stuck agent consumes unbounded resources. Resource caps are the defense (plus token budget from Module 1.2, per-tenant quotas from Fleet F03)." },
    { "id": "Q15", "bloom": "analysis", "type": "multiple_choice", "prompt": "Outside-sandbox adds API-hop latency on every tool call. When is this cost justified?", "options": ["Never — latency is always bad", "When the credential boundary matters (multi-tenant) or when idle suspension saves enough cost to offset the latency. The credential question decides.", "Always — outside is better", "Only for batch jobs"], "answer_index": 1, "rationale": "The tradeoff is explicit: latency vs credential isolation + idle suspend + multi-tenancy. For multi-tenant, the credential boundary justifies the latency. For single-user dev tools, inside may be correct." },
    { "id": "Q16", "bloom": "analysis", "type": "multiple_choice", "prompt": "Why does Module 5 call sandboxing 'where security engineering meets harness engineering'?", "options": ["It's the hardest module", "Sandboxing decisions are simultaneously harness architecture (inside/outside, providers, lifecycle) AND security controls (blast radius, credential boundary, egress). One decision, two domains.", "It requires a security team", "It's optional"], "answer_index": 1, "rationale": "Every sandboxing decision is both an architectural choice and a security control. The inside/outside split is architecture; the credential boundary is security. You cannot make one without making the other." }
  ]
}
