Series
Hardened Agentic Stack
A trust-boundary curriculum for high-privilege agents — from ephemeral ingest credentials to forensic response.
Phase 1
Foundation — Agent Identity & Access
Secure how the agent talks to the world.
- 01Zero-Trust Ingest: Why You Should Retire Your Static DSNs
Static write-only telemetry endpoints are an attack runway. Replace them with an ephemeral JWT gate in front of your collector.
PublishedEphemeral Proxy — client requests a short-lived token; the worker validates signature and expiry before forwarding telemetry.
- 02Secret Rotation Patterns for Local/Edge Agents
ENV dumps on developer machines are easy. Bootstrap once, then exchange for short-lived Vault or Cloudflare session credentials.
PublishedSecret-as-a-Service — the agent holds a ticket, not a permanent secret.
- 03Scoped Credentials: The Least-Privilege Agent
Admin tokens for troubleshooting turn a minor compromise into a takeover. Map agent tasks to tight JWT scopes and IAM roles.
Draft outlineRole-Based Agent Scoping — map tasks (DiagnoseService, QueryMetrics, PerformRollback) to IAM/JWT scopes.
Phase 2
Runtime Integrity — The Local Threat Model
Constrain the agent’s physical capability to harm the host.
- 04Process Containment: Using eBPF to Kill Malicious Child Processes
When a compromised agent spawns npx or curl, user-space policy is too late. Enforce exec allowlists in the kernel with Tetragon.
Draft outlineKernel-Level Kill-Switch — move enforcement from user-space to kernel-space.
- 05Syscall Filtering: The Strict Diet for Agents
Blocking binaries is not enough. Seccomp allowlists shrink the system vocabulary so common exploits fail closed.
Draft outlineSyscall Allowlisting — restrict the agent’s system-level vocabulary.
- 06Protecting the Crown Jewels with File Integrity Monitoring
Define filesystem no-go zones (.env, SSH keys, kubeconfig) and block agent reads at the host policy layer.
Draft outlineImmutable Host Boundary — filesystem no-go zones enforced on the host.
- 07Building the Sandbox: Isolated Tool Execution
Unsafe tools should never run on the agent host. Dispatch them to ephemeral throwaway sidecars and destroy the workspace after.
Draft outlineEphemeral Execution Sidecar — agent dispatches; container dies after the task.
Phase 3
Telemetry & Observability
Make agent behavior visible and auditable.
- 08The Observability Loop: Correlating LLM Intent to System Action
A killed process without the prompt that caused it is just noise. Propagate TraceIDs from Langfuse into kernel and tool logs.
Draft outlineFull-Stack Trace Correlation — Prompt → Reasoning → Syscall in one view.
- 09Anomalous Tool Use Detection: The Agent Firewall
Baseline normal tool frequency, then auto-block and page when a read-only agent suddenly looks like an admin.
Draft outlineStatistical Behavioral Analysis — security as deviation from the norm.
- 10Schema Normalization and Fingerprinting
If machines cannot group events, they cannot alert on them. Normalize at the collector so log spam collapses into fingerprints.
Draft outlineData Normalization for Machine Consumption.
Phase 4
Architectural Best Practices
Harden the ClawQL ecosystem at the edges.
- 11Edge Worker Security: Hardening the clawql-agent Network
Edge-mode agents need mTLS control planes and tightly scoped object storage — not flat networks and shared buckets.
Draft outlineHardened Communication Plane — signed, encrypted tunnels; no ambient network trust.
- 12Supply Chain Trust: Signing Images and Artifacts
Unsigned pulls make every downstream control irrelevant. Require Cosign/Kyverno provenance before anything runs.
Draft outlineSupply Chain Verification — only proven provenance may run.
- 13Local Data Residency: Securing Obsidian and JSONL Memory
Long-term memory on disk is a knowledge-base exfil cache. Encrypt at rest and treat memory writes as classification events.
Draft outlineData-at-Rest Protection for agent memory.
Phase 5
Human-in-the-Loop — Defense in Depth
Close the trust boundary with injection defense and IR.
- 14Defensive Prompt Engineering: Hardening Against Injection
Infrastructure cannot save you if the model treats untrusted text as instructions. Sanitize and dual-model extract before reason.
Draft outlineSanitized Input Layer — external data is untrusted until extracted as data, not instructions.
- 15Incident Response: Surviving an Agent Compromise
Wipe-and-redeploy loses the lesson. Snapshot memory, revoke ephemeral JWTs, isolate the node — then investigate.
Draft outlineForensic-Ready Infrastructure — recover without erasing the root cause.