diff --git a/code/6-agent-safety/agent_safety.answers.ipynb b/code/6-agent-safety/agent_safety.answers.ipynb index e29f4c8..6558f56 100644 --- a/code/6-agent-safety/agent_safety.answers.ipynb +++ b/code/6-agent-safety/agent_safety.answers.ipynb @@ -91,12 +91,12 @@ "## Section 1: The Autonomous Agent Problem\n", "\n", "In Modules 4 and 5, you learned two layers of agent security:\n", - "- **M4**: Application-level controls — regex injection detection, command allowlists, HITL approval gates\n", + "- **M4**'s bash agent: application-level controls — regex injection detection, command allowlists, HITL approval gates\n", "- **M5**: Container isolation — Docker sandboxing with resource limits, no host mounts\n", "\n", "These are powerful, but they leave gaps for **always-on autonomous agents**:\n", "1. **No human awake**: HITL breaks when the agent runs overnight\n", - "2. **Agent drift**: The agent accumulates memory and evolves — static allowlists become stale\n", + "2. **Agent drift**: as the agent picks up new memory and tools, yesterday's allowlist no longer covers today's behavior\n", "3. **Mixed-sensitivity data**: Docker isolates the process but doesn't know which data should stay local vs. go to cloud\n", "\n", "Module 6 fills these gaps with **kernel-level enforcement** (OpenShell), **data sensitivity routing** (Privacy Router), and **continuous safety evaluation**." @@ -135,7 +135,7 @@ "print(m4_allowlist_check(\"cat /etc/passwd\", allowed)) # PASSES — cat is allowed!\n", "print(\"\\n⚠️ The allowlist blocks 'rm' but allows 'cat /etc/passwd'\")\n", "print(\" Application-level controls can't anticipate every dangerous argument.\")\n", - "print(\" Kernel-level enforcement (OpenShell) restricts the PATH, not the command.\")" + "print(\" Kernel-level enforcement (OpenShell) restricts what files the process can touch, not the command name.\")" ] }, { 
@@ -144,7 +144,7 @@ "source": [ "## Section 2: Policy Validation\n", "\n", - "OpenShell uses **declarative YAML policies** to enforce security at the kernel level. Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", + "OpenShell policies are YAML — the kernel does the enforcement (Landlock for filesystem, seccomp for syscalls). Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", "\n", "Let's look at a deliberately weak policy:" ] @@ -228,7 +228,16 @@ { "cell_type": "markdown", "metadata": {}, - "source": "## Section 3: Data Sensitivity Classification\n\nThe **Privacy Router** in NemoClaw classifies every piece of data the agent processes and routes it to the appropriate model:\n- **Restricted** (PII) → Local Nemotron (designed to stay within your infrastructure)\n- **Confidential** (proprietary) → Local Nemotron\n- **Public** → Cloud frontier models (for best performance)\n\nLet's look at the test corpus:" + "source": [ + "## Section 3: Data Sensitivity Classification\n", + "\n", + "The **Privacy Router** classifies each prompt or document the agent is about to send to a model and picks the right destination:\n", + "- **Restricted** (PII) → self-hosted Nemotron — keeps the data on your infrastructure\n", + "- **Confidential** (proprietary) → self-hosted Nemotron\n", + "- **Public** → cloud frontier models — performance over isolation\n", + "\n", + "Let's look at the test corpus:" + ] }, { "cell_type": "code", @@ -611,7 +620,7 @@ "source": [ "## Applying This to NemoClaw\n", "\n", - "Everything you've built maps directly to NVIDIA's NemoClaw stack:\n", + "Each exercise mirrors a piece of NVIDIA's NemoClaw stack — here's the mapping:\n", "\n", "| Your Exercise | NemoClaw Component | What It Does |\n", "|--------------|-------------------|-------------|\n", 
@@ -621,7 +630,7 @@ "| Exercise 4: LLM Safety Judge | **Safety Evaluation** | Structured scoring of agent behavior |\n", "| Exercise 5: Safety Suite | **NemoClaw Blueprint** | End-to-end safety pipeline |\n", "\n", - "The research assistant policy you validated (`research_assistant.yaml`) follows the same YAML schema as NemoClaw's `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`." + "The research assistant policy you validated (`research_assistant.yaml`) uses the same YAML schema as the policies shipped with the NemoClaw blueprint." ] }, { @@ -656,14 +665,14 @@ "\n", "| Module | What You Learned | Security Layer |\n", "|--------|-----------------|---------------|\n", - "| Module 1 | Build agents with ReAct | Tool selection |\n", - "| Module 2 | Extend with RAG and tools | Data access controls |\n", - "| Module 3 | Measure and evaluate | Adversarial test cases |\n", + "| Module 1 | Build agents with ReAct | — |\n", + "| Module 2 | Extend with RAG and tools | — |\n", + "| Module 3 | Measure and evaluate | — |\n", "| Module 4 | Customize through training | **Application-level** (HITL, allowlists) |\n", "| Module 5 | Deep agents + sandboxing | **Container-level** (Docker isolation) |\n", "| **Module 6** | **Agent safety evaluation** | **Kernel-level** (OpenShell) + **Data routing** (Privacy Router) |\n", "\n", - "Each level of capability demands a corresponding level of security. Module 6 closes the loop: your autonomous agent is not just contained — it's **evaluated, tested, and continuously verified**.\n", + "More autonomy needs more layers of containment. Module 6 closes the loop: your agent is contained *and* tested — not just one or the other.\n", "\n", "### What to Explore Next\n", "\n", @@ -697,4 +706,4 @@ }, "nbformat": 4, "nbformat_minor": 4 -} \ No newline at end of file +} diff --git a/code/6-agent-safety/agent_safety.ipynb b/code/6-agent-safety/agent_safety.ipynb index e29f4c8..6558f56 100644 --- a/code/6-agent-safety/agent_safety.ipynb 
+++ b/code/6-agent-safety/agent_safety.ipynb @@ -91,12 +91,12 @@ "## Section 1: The Autonomous Agent Problem\n", "\n", "In Modules 4 and 5, you learned two layers of agent security:\n", - "- **M4**: Application-level controls — regex injection detection, command allowlists, HITL approval gates\n", + "- **M4**'s bash agent: application-level controls — regex injection detection, command allowlists, HITL approval gates\n", "- **M5**: Container isolation — Docker sandboxing with resource limits, no host mounts\n", "\n", "These are powerful, but they leave gaps for **always-on autonomous agents**:\n", "1. **No human awake**: HITL breaks when the agent runs overnight\n", - "2. **Agent drift**: The agent accumulates memory and evolves — static allowlists become stale\n", + "2. **Agent drift**: as the agent picks up new memory and tools, yesterday's allowlist no longer covers today's behavior\n", "3. **Mixed-sensitivity data**: Docker isolates the process but doesn't know which data should stay local vs. go to cloud\n", "\n", "Module 6 fills these gaps with **kernel-level enforcement** (OpenShell), **data sensitivity routing** (Privacy Router), and **continuous safety evaluation**." @@ -135,7 +135,7 @@ "print(m4_allowlist_check(\"cat /etc/passwd\", allowed)) # PASSES — cat is allowed!\n", "print(\"\\n⚠️ The allowlist blocks 'rm' but allows 'cat /etc/passwd'\")\n", "print(\" Application-level controls can't anticipate every dangerous argument.\")\n", - "print(\" Kernel-level enforcement (OpenShell) restricts the PATH, not the command.\")" + "print(\" Kernel-level enforcement (OpenShell) restricts what files the process can touch, not the command name.\")" ] }, { 
@@ -144,7 +144,7 @@ "source": [ "## Section 2: Policy Validation\n", "\n", - "OpenShell uses **declarative YAML policies** to enforce security at the kernel level. Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", + "OpenShell policies are YAML — the kernel does the enforcement (Landlock for filesystem, seccomp for syscalls). Before deploying a policy, we need to validate it programmatically — catching misconfigurations before they become vulnerabilities.\n", "\n", "Let's look at a deliberately weak policy:" ] @@ -228,7 +228,16 @@ { "cell_type": "markdown", "metadata": {}, - "source": "## Section 3: Data Sensitivity Classification\n\nThe **Privacy Router** in NemoClaw classifies every piece of data the agent processes and routes it to the appropriate model:\n- **Restricted** (PII) → Local Nemotron (designed to stay within your infrastructure)\n- **Confidential** (proprietary) → Local Nemotron\n- **Public** → Cloud frontier models (for best performance)\n\nLet's look at the test corpus:" + "source": [ + "## Section 3: Data Sensitivity Classification\n", + "\n", + "The **Privacy Router** classifies each prompt or document the agent is about to send to a model and picks the right destination:\n", + "- **Restricted** (PII) → self-hosted Nemotron — keeps the data on your infrastructure\n", + "- **Confidential** (proprietary) → self-hosted Nemotron\n", + "- **Public** → cloud frontier models — performance over isolation\n", + "\n", + "Let's look at the test corpus:" + ] }, { "cell_type": "code", @@ -611,7 +620,7 @@ "source": [ "## Applying This to NemoClaw\n", "\n", - "Everything you've built maps directly to NVIDIA's NemoClaw stack:\n", + "Each exercise mirrors a piece of NVIDIA's NemoClaw stack — here's the mapping:\n", "\n", "| Your Exercise | NemoClaw Component | What It Does |\n", "|--------------|-------------------|-------------|\n", 
@@ -621,7 +630,7 @@ "| Exercise 4: LLM Safety Judge | **Safety Evaluation** | Structured scoring of agent behavior |\n", "| Exercise 5: Safety Suite | **NemoClaw Blueprint** | End-to-end safety pipeline |\n", "\n", - "The research assistant policy you validated (`research_assistant.yaml`) follows the same YAML schema as NemoClaw's `nemoclaw-blueprint/policies/openclaw-sandbox.yaml`." + "The research assistant policy you validated (`research_assistant.yaml`) uses the same YAML schema as the policies shipped with the NemoClaw blueprint." ] }, { @@ -656,14 +665,14 @@ "\n", "| Module | What You Learned | Security Layer |\n", "|--------|-----------------|---------------|\n", - "| Module 1 | Build agents with ReAct | Tool selection |\n", - "| Module 2 | Extend with RAG and tools | Data access controls |\n", - "| Module 3 | Measure and evaluate | Adversarial test cases |\n", + "| Module 1 | Build agents with ReAct | — |\n", + "| Module 2 | Extend with RAG and tools | — |\n", + "| Module 3 | Measure and evaluate | — |\n", "| Module 4 | Customize through training | **Application-level** (HITL, allowlists) |\n", "| Module 5 | Deep agents + sandboxing | **Container-level** (Docker isolation) |\n", "| **Module 6** | **Agent safety evaluation** | **Kernel-level** (OpenShell) + **Data routing** (Privacy Router) |\n", "\n", - "Each level of capability demands a corresponding level of security. Module 6 closes the loop: your autonomous agent is not just contained — it's **evaluated, tested, and continuously verified**.\n", + "More autonomy needs more layers of containment. Module 6 closes the loop: your agent is contained *and* tested — not just one or the other.\n", "\n", "### What to Explore Next\n", "\n", @@ -697,4 +706,4 @@ }, "nbformat": 4, "nbformat_minor": 4 -} \ No newline at end of file +}
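Review bot: the two `.ipynb` files in this patch carry the same blob ids (`index e29f4c8..6558f56`) and byte-identical hunks, so `agent_safety.answers.ipynb` and `agent_safety.ipynb` are the same notebook before and after the change. Either the answers notebook has not yet had its solutions filled in, or the student notebook already contains them; please confirm which is intended, and if they are meant to differ, generate the student copy from the answers copy so edits like this one do not have to be made twice.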
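Review bot: in the Section 1 hunk (`@@ -91,12 +91,12 @@`, both files) the two bullets no longer read in parallel: `"- **M4**'s bash agent: application-level controls ..."` sits next to `"- **M5**: Container isolation ..."`, with the bold label, the possessive and the capitalization after the colon all differing. Suggest `"- **M4** (bash agent): Application-level controls ..."`, or restyle the M5 bullet to match whichever form you keep.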
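Review bot: the rewritten print line in the `@@ -135,7 +135,7 @@` hunk narrows kernel-level enforcement to "what files the process can touch", while the Section 2 hunk in this same patch describes two mechanisms, Landlock for the filesystem and seccomp for syscalls. Since this line is the takeaway students see after the allowlist bypass demo, suggest `"Kernel-level enforcement (OpenShell) restricts what files and syscalls the process can use, not which command name is run."` so the two cells agree.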
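Review bot: the parenthetical "(Landlock for filesystem, seccomp for syscalls)" added in the `@@ -144,7 +144,7 @@` hunk is a new factual claim about OpenShell internals that nothing else in the patch or the commit supports, and students will repeat it as fact. Please add a link to the OpenShell documentation that states this, or qualify the sentence if the mechanisms are not fixed.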
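Review bot: the Section 3 hunk (`@@ -228,7 +228,16 @@`) replaces the hedged "Local Nemotron (designed to stay within your infrastructure)" with the unconditional "keeps the data on your infrastructure". The hedge was the more accurate wording: routing only keeps restricted data local when the classifier labels it correctly, and misclassification is precisely the failure mode the exercise that follows this cell tests. Suggest `"self-hosted Nemotron — data stays on your infrastructure as long as the classifier labels it correctly"`. Converting `"source"` from a single string to a list of lines is welcome; it makes future diffs of this cell readable.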
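Review bot: in the `@@ -621,7 +630,7 @@` hunk the concrete reference `nemoclaw-blueprint/policies/openclaw-sandbox.yaml` is replaced by "the policies shipped with the NemoClaw blueprint", which leaves readers with nothing to open and compare their `research_assistant.yaml` against. If the path moved or was wrong, point at the new location or at least the policies directory; if it was correct, keep it.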
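Review bot: two points on the summary hunk (`@@ -656,14 +665,14 @@`). First, the new closing sentence, "your agent is contained *and* tested", drops the word "continuously" from the old text, yet the Section 1 hunk in this same patch lists "continuous safety evaluation" as the third gap Module 6 fills and motivates it with the agent-drift bullet; suggest `"your agent is contained, tested, and re-evaluated as it drifts"`. Second, the bare dash cells for Modules 1 to 3 in the "Security Layer" column are ambiguous between "not applicable" and "none"; spell it out, e.g. `"none (capability only)"`, so the table still makes the point that security layers are added as autonomy grows.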