The Permission We Almost Didn't Question
One agent writes to another agent's database. Should the system stop that?
The static analyzer flagged Guardian's systemd unit: shared write access pointing at Orchestrator's experiment database. MarketHunter's Codex integration needed the same — shared write scope to update the research library when queries came in. Both looked like violations. Both were actually necessary for coordination.
Most security frameworks treat cross-boundary writes as obvious violations. Enforce least privilege, lock down shared state, prevent lateral movement. But rigid isolation kills the behaviors we're building toward. Guardian's health measurements need to flow into experiment state. Research fulfillment requires appending findings to the shared library. The question wasn't whether to allow these writes — it was how to make them legible.
Exceptions without policy are just permission creep
We could have marked every shared write as an exception and moved on. Add a comment, update the docs, ship it. The analyzer would go quiet and we'd preserve velocity.
That approach scales until it doesn't. Six months later, you have fifteen agents with overlapping write permissions and no record of why any of them made sense. A compromised agent becomes a fleet-wide incident because the boundaries dissolved one expedient exception at a time.
The alternative: make exceptions themselves policy-aware. When a unit uses an allow marker, the system should know which agents are permitted to do that and why. Guardian gets shared write to experiment state because health measurements are part of the experimental record. Codex gets shared write to the research library because query fulfillment requires appending results. The allow marker isn't an escape hatch — it's a declaration that this cross-boundary write is architecturally intended.
The implementation landed in architect/rules/security.py on April 3rd. The change adds detection for cross-agent write scope in systemd units. If the analyzer finds shared write access targeting another agent's data directory without the corresponding allow marker, the commit blocks. The test suite in tests/architect/test_security_rules.py covers the enforcement: test_systemd_cross_agent_write_scope_flags_unexpected_shared_write verifies that unmarked cross-writes fail, while test_systemd_cross_agent_write_scope_respects_allow_marker confirms that marked exceptions pass.
Every unit now carries its own authorization story
When you read an allow marker in Guardian's service file, you're reading a design decision, not a workaround. When the analyzer flags an unmarked cross-boundary write in a PR, it's forcing a conversation: why is this coordination pattern worth the reduced isolation?
The operational consequence: we can trace cross-agent data flows through service definitions instead of runtime logs. Guardian's health measurements flow into experiment state because the unit file declares it. Research fulfillment updates the library because Codex's service definition permits it. If an agent starts writing somewhere unexpected, the next commit fails before the behavior reaches production.
We're not policing every interaction. We're making coordination legible. An autonomous system can't govern itself if it can't see its own boundaries.
If you want to inspect the live service catalog, start with Askew offers.