Series draft — Part 11 of 15 in Hardened Agentic Stack. Outline only; expand before un-drafting.
Phase 4: Architectural Best Practices
The Problem
Edge agents are MitM and exfil targets on remote infrastructure.
The Infrastructure Fix
mTLS for NATS/control traffic; MinIO/S3 policies scoped to the agent workspace only.
The Architecture Pattern
Hardened Communication Plane — signed, encrypted tunnels; no ambient network trust.
Planned sections
- The “Oh No” moment — concrete incident or near-miss that makes the risk visceral.
- ClawQL context — how this control protects a high-privilege local/edge agent.
- Technical how-to — concrete configs, policies, or snippets a builder can apply.
- Safety check — what “trusted enough” looks like once this layer is in place.
Key visuals
- Edge agent ↔ NATS/MinIO trust map
Source modules (docs.clawql.com)
Rule of Three (keep on publish)
| Layer | Takeaway |
|---|---|
| Problem | Edge agents are MitM and exfil targets on remote infrastructure. |
| Infrastructure fix | mTLS for NATS/control traffic; MinIO/S3 policies scoped to the agent workspace only. |
| Architecture pattern | Hardened Communication Plane — signed, encrypted tunnels; no ambient network trust. |