Series draft — Part 5 of 15 in Hardened Agentic Stack. Outline only; expand before un-drafting.
Phase 2: Runtime Integrity — The Local Threat Model
The Problem
Even without npx, agents can open raw sockets or manipulate file descriptors.
The Infrastructure Fix
Apply restrictive Seccomp profiles; deny high-risk syscalls not required for ClawQL core paths.
The Architecture Pattern
Syscall Allowlisting — restrict the agent’s system-level vocabulary.
Planned sections
- The “Oh No” moment — concrete incident or near-miss that makes the risk visceral.
- ClawQL context — how this control protects a high-privilege local/edge agent.
- Technical how-to — concrete configs, policies, or snippets a builder can apply.
- Safety check — what “trusted enough” looks like once this layer is in place.
Key visuals
- Default deny seccomp profile sketch
Source modules (docs.clawql.com)
Rule of Three (keep on publish)
| Layer | Takeaway |
|---|---|
| Problem | Even without npx, agents can open raw sockets or manipulate file descriptors. |
| Infrastructure fix | Apply restrictive Seccomp profiles; deny high-risk syscalls not required for ClawQL core paths. |
| Architecture pattern | Syscall Allowlisting — restrict the agent’s system-level vocabulary. |