Architecture

A 3-post collection

Smoke: Black-Box Route Testing the Router Gates Itself

By Matthew Hunter | Jun 6, 2026 | go, testing, ci, http, architecture

Every unit test was green. The page returned 502 anyway.

The route was a treasure generator. Its store had a thorough test suite, all passing, because the test built the store the way the test knew to build it – with the database pool wired in. Production built it differently: a copy-paste in the route setup left the pool out, the store carried a nil handle, and the first query dereferenced nil. The handler panicked, the connection dropped, the reverse proxy turned that into a 502. No test caught it, because no test exercised the wired route against a running server. The tests checked the parts. Nothing checked that the assembled thing served.

The Layers That Didn't Hold

By Matthew Hunter | Jun 1, 2026 | ai, security, prompt-injection, architecture, rss

A few weeks ago I wrote that defense in depth for AI agents means layers, not walls: screen untrusted content before the model acts on it, sanitize what comes back out, and never trust the data flowing through. Clean theory. Then I went back and read the code in Herald that was supposed to implement those layers.

Several of them didn’t hold.

Herald is my feed reader. It pulls RSS and Atom from across the internet, runs each article through a local security model before anything else touches it, scores the survivors for relevance, and announces the interesting ones. Every feed item is untrusted content aimed at a model. That’s the whole premise of the defense-in-depth piece, and it’s exactly the threat I built Herald to study. What follows is the v0.2.0 hardening pass – the bugs the theory missed, and a couple of ideas that worked.

Defense in Depth for AI Agents

By Matthew Hunter | May 12, 2026 | ai, security, prompt-injection, mcp, architecture

The security conversation around AI agents has mostly focused on two things: keeping agents from hurting the host system, and keeping malicious tools out of the supply chain. These are real problems. Cisco documented how OpenClaw leaks credentials and executes arbitrary shell commands. Projects like NanoClaw respond by running agents in containers where bash commands can’t reach the host. Zencoder’s MCP survival guide catalogs supply chain attacks against MCP servers and recommends pinning git tags and auditing source.
