Hardened Agentic Stack

A trust-boundary curriculum for high-privilege agents — from ephemeral ingest credentials to forensic response.

15 posts · condensed from theClawQL security best-practices curriculum· organized by trust boundaries.

Phase 1

Foundation — Agent Identity & Access

Secure how the agent talks to the world.

  1. 01
    Zero-Trust Ingest: Why You Should Retire Your Static DSNs

    Static write-only telemetry endpoints are an attack runway. Replace them with an ephemeral JWT gate in front of your collector.

    PublishedEphemeral Proxy — client requests a short-lived token; the worker validates signature and expiry before forwarding telemetry.

  2. 02
    Secret Rotation Patterns for Local/Edge Agents

    ENV dumps on developer machines are easy. Bootstrap once, then exchange for short-lived Vault or Cloudflare session credentials.

    PublishedSecret-as-a-Service — the agent holds a ticket, not a permanent secret.

  3. 03
    Scoped Credentials: The Least-Privilege Agent

    Admin tokens for troubleshooting turn a minor compromise into a takeover. Map agent tasks to tight JWT scopes and IAM roles.

    Draft outlineRole-Based Agent Scoping — map tasks (DiagnoseService, QueryMetrics, PerformRollback) to IAM/JWT scopes.

Phase 2

Runtime Integrity — The Local Threat Model

Constrain the agent’s physical capability to harm the host.

  1. 04
    Process Containment: Using eBPF to Kill Malicious Child Processes

    When a compromised agent spawns npx or curl, user-space policy is too late. Enforce exec allowlists in the kernel with Tetragon.

    Draft outlineKernel-Level Kill-Switch — move enforcement from user-space to kernel-space.

  2. 05
    Syscall Filtering: The Strict Diet for Agents

    Blocking binaries is not enough. Seccomp allowlists shrink the system vocabulary so common exploits fail closed.

    Draft outlineSyscall Allowlisting — restrict the agent’s system-level vocabulary.

  3. 06
    Protecting the Crown Jewels with File Integrity Monitoring

    Define filesystem no-go zones (.env, SSH keys, kubeconfig) and block agent reads at the host policy layer.

    Draft outlineImmutable Host Boundary — filesystem no-go zones enforced on the host.

  4. 07
    Building the Sandbox: Isolated Tool Execution

    Unsafe tools should never run on the agent host. Dispatch them to ephemeral throwaway sidecars and destroy the workspace after.

    Draft outlineEphemeral Execution Sidecar — agent dispatches; container dies after the task.

Phase 3

Telemetry & Observability

Make agent behavior visible and auditable.

  1. 08
    The Observability Loop: Correlating LLM Intent to System Action

    A killed process without the prompt that caused it is just noise. Propagate TraceIDs from Langfuse into kernel and tool logs.

    Draft outlineFull-Stack Trace Correlation — Prompt → Reasoning → Syscall in one view.

  2. 09
    Anomalous Tool Use Detection: The Agent Firewall

    Baseline normal tool frequency, then auto-block and page when a read-only agent suddenly looks like an admin.

    Draft outlineStatistical Behavioral Analysis — security as deviation from the norm.

  3. 10
    Schema Normalization and Fingerprinting

    If machines cannot group events, they cannot alert on them. Normalize at the collector so log spam collapses into fingerprints.

    Draft outlineData Normalization for Machine Consumption.

Phase 4

Architectural Best Practices

Harden the ClawQL ecosystem at the edges.

  1. 11
    Edge Worker Security: Hardening the clawql-agent Network

    Edge-mode agents need mTLS control planes and tightly scoped object storage — not flat networks and shared buckets.

    Draft outlineHardened Communication Plane — signed, encrypted tunnels; no ambient network trust.

  2. 12
    Supply Chain Trust: Signing Images and Artifacts

    Unsigned pulls make every downstream control irrelevant. Require Cosign/Kyverno provenance before anything runs.

    Draft outlineSupply Chain Verification — only proven provenance may run.

  3. 13
    Local Data Residency: Securing Obsidian and JSONL Memory

    Long-term memory on disk is a knowledge-base exfil cache. Encrypt at rest and treat memory writes as classification events.

    Draft outlineData-at-Rest Protection for agent memory.

Phase 5

Human-in-the-Loop — Defense in Depth

Close the trust boundary with injection defense and IR.

  1. 14
    Defensive Prompt Engineering: Hardening Against Injection

    Infrastructure cannot save you if the model treats untrusted text as instructions. Sanitize and dual-model extract before reason.

    Draft outlineSanitized Input Layer — external data is untrusted until extracted as data, not instructions.

  2. 15
    Incident Response: Surviving an Agent Compromise

    Wipe-and-redeploy loses the lesson. Snapshot memory, revoke ephemeral JWTs, isolate the node — then investigate.

    Draft outlineForensic-Ready Infrastructure — recover without erasing the root cause.