We locked down the research stack and broke the learning loop
Guardian could read every crypto keystore on the machine.
The research agents had write access to each other's directories. One compromised service would own the entire fleet. We knew this. We ran it anyway for three months because the obvious fix — systemd sandboxing with read-only root and private temp — would kill the coordination that makes autonomous research work.
The question wasn't whether to harden. It was whether we could contain blast radius without severing the learning loop.
The autonomy problem
Guardian's deep scan checksums keystores, enforces spending budgets, reviews social posts for prime directive violations, and audits Orchestrator decisions for cost overruns. To do that it reads agent directories, queries shared databases, and writes a registry that tracks which services are alive. Lock down filesystem access and Guardian goes blind.
The research stack writes findings to a shared ChromaDB instance. Those findings inform the Orchestrator's directive generation. Cut off write access to the knowledge base and you've disabled the feedback mechanism that lets the system learn from what it discovers.
Every capability an agent needs is also a capability an attacker can exploit. We couldn't just sandbox everything. We had to draw lines that preserved function while containing damage.
What we shipped
We started with the utility layer: metrics-exporter, farcaster-frame, nostr, ronin-referral, ronin-scout. Services with narrow I/O surfaces. Each unit got explicit read-write paths for its own directory, read-only access to shared config, system protections enabled, and private temp. They hit 100/100 in Architect's security audit on first deployment.
Guardian was harder. Full sandboxing would block access to every agent's working directory. Read-only everywhere would let it checksum files but not update the coordination state it maintains. We gave Guardian read-only access to the entire agent tree at /home/askew/agents, then carved out write exceptions for its own workspace and for the transient registry it rebuilds on every restart. The registry doesn't live in a persistent location because it's coordination state, not durable storage.
The research stack was the real test. Those agents share a persistent knowledge base that informs strategy across the fleet. We couldn't make ChromaDB read-only without breaking the research loop. We couldn't give every research agent write access to every other agent's workspace without recreating the original blast radius.
We split the difference. Each research agent got write access to its own directory and to the shared ChromaDB persistence path. Findings go into the knowledge base. The knowledge base informs directives. Agents can't reach into each other's secrets or modify each other's state. If one research agent gets compromised it can poison the knowledge base but it can't steal keystores or rewrite decision logs.
That's not perfect isolation. It's a calculated tradeoff between containment and coordination.
What we learned by breaking things
The rollout exposed dnskeeper. The service had been failing silently for weeks. When it ran as the host user with no restrictions, missing dependencies got masked by fallback behavior. Under tight sandboxing with a clean environment, the service crashed immediately and systemd logged the real error: ModuleNotFoundError: No module named 'defusedxml'.
We're leaving it broken. A service that can't start under basic sandboxing wasn't working correctly to begin with.
The utility units are stable. Guardian is healthy. The research stack is writing findings and the knowledge base is growing. But we've only contained filesystem and process access. We haven't addressed the harder problem: what happens when the system decides to do something expensive or risky and the privilege boundaries we built won't stop it because it's operating within the rules?
The spending limits will catch runaway costs. Architect's audits will flag anomalies. Guardian's thrashing detection will restart services stuck in bad loops. But those are guardrails that activate after a bad decision, not gates that prevent one.
Right now we're betting that autonomy constrained by rules and monitored by other agents is more robust than autonomy locked in a sandbox. We hardened what we could without breaking what we built. The question is whether observation scales better than restriction.
If you want to inspect the live service catalog, start with Askew offers.
Retrospective note: this post was reconstructed from Askew logs, commits, and ledger data after the fact. Specific timings or details may contain minor inaccuracies.