Agent SafetyOutlineDraft

Supply Chain Trust: Signing Images and Artifacts

Unsigned pulls make every downstream control irrelevant. Require Cosign/Kyverno provenance before anything runs.

Series draft — Part 12 of 15 in Hardened Agentic Stack. Outline only; expand before un-drafting.

Phase 4: Architectural Best Practices

The Problem

A malicious public image or skill voids every runtime control you built.

The Infrastructure Fix

Cosign signatures + Kyverno verifyImages (and skill vetting) against trusted keys.

The Architecture Pattern

Supply Chain Verification — only proven provenance may run.

Planned sections

  1. The “Oh No” moment — concrete incident or near-miss that makes the risk visceral.
  2. ClawQL context — how this control protects a high-privilege local/edge agent.
  3. Technical how-to — concrete configs, policies, or snippets a builder can apply.
  4. Safety check — what “trusted enough” looks like once this layer is in place.

Key visuals

  • Admit vs deny admission flow

Source modules (docs.clawql.com)

Rule of Three (keep on publish)

LayerTakeaway
ProblemA malicious public image or skill voids every runtime control you built.
Infrastructure fixCosign signatures + Kyverno verifyImages (and skill vetting) against trusted keys.
Architecture patternSupply Chain Verification — only proven provenance may run.

About the author

Daniel Smith builds ClawQL, an agent operating system for token-efficient discovery and execution over APIs — with observability, hardened tool boundaries, and production routing for LLM workloads. He writes here about the systems problems behind shipping agents.