89f21c2a-1fd9-4ab0-a6a8-efe73e1774ec
social-thread · drafting
x · bluesky · linkedin · reddit
Thread
#1 · 67 chars
the agent didn't bypass your controls. there was nothing to bypass.
#2 · 80 chars
three writes. no gates on any of them. (F-1 silent / F-2 invisible / F-3 bypass)
#3 · 71 chars
the prompt is not the perimeter. the model can't be the trust boundary.
#4 · 80 chars
there's a ring between the agent fleet and the consumer repo. more on this soon.
Stage is "drafting" — only approved artifacts can ship.
Raw frontmatter & body
Frontmatter
{
"id": "89f21c2a-1fd9-4ab0-a6a8-efe73e1774ec",
"type": "social-thread",
"posts": [
{
"text": "the agent didn't bypass your controls. there was nothing to bypass.",
"alt_text": null,
"position": 1,
"artifact_attached": null
},
{
"text": "three writes. no gates on any of them. (F-1 silent / F-2 invisible / F-3 bypass)",
"alt_text": null,
"position": 2,
"artifact_attached": null
},
{
"text": "the prompt is not the perimeter. the model can't be the trust boundary.",
"alt_text": null,
"position": 3,
"artifact_attached": null
},
{
"text": "there's a ring between the agent fleet and the consumer repo. more on this soon.",
"alt_text": null,
"position": 4,
"artifact_attached": null
}
],
"stage": "drafting",
"author": "devarno",
"created": "2026-05-18",
"project": null,
"platforms": [
"x",
"bluesky",
"linkedin",
"reddit"
],
"arc_thread": "petrova-addy-cognitive-harness-arc",
"created_at": "2026-05-18T00:00:00Z",
"published_at": null,
"last_modified": "2026-05-18T00:00:00Z",
"primary_system": "agentic-architecture-non-stratt",
"published_urls": {},
"tracking_issue": null,
"source_material": [],
"related_artifacts": [],
"scheduled_publish": null,
"lexicon_terms_used": [],
"transition_history": [
{
"actor": "yao",
"reason": "imported from .raw/post:petrova-arc.md during sub-project A corpus integration",
"to_stage": "drafting",
"from_stage": null,
"transitioned_at": "2026-05-18T00:00:00Z"
}
],
"engagement_snapshot": null,
"anti_patterns_checked": [],
"thread_opener_caption": "the agent didn't bypass your controls. there was nothing to bypass.",
"anti_pattern_overrides": []
}
Body
# PLATFORM CONTENT — Post 1 / Petrova Arc
# image: petrova-arc-post-01-final.png
# diagram: hand-composed (not Mermaid export)
# status: ready to ship
---
## X / BLUESKY
### Hook post — identical on both platforms
caption:
the agent didn't bypass your controls. there was nothing to bypass.
image: petrova-arc-post-01-final.png
hashtags: none
char_count: 70
platforms: x, bluesky
---
### Reply 1 — name what's in the diagram
X (no char limit):
three writes. no gates on any of them.
first: unvalidated payload hits the repo. no schema check. no
constraint gates. accepted silently. F-1 — the silent failure.
you won't know until it compounds.
second: no idempotency key. no audit body. no MR cite. no
trace-id propagation. the run happened — you can't prove it,
attribute it, or replay it. F-2 — forensics: nil.
third: overwrites. branch protection, CODEOWNERS, required
checks — all bypassed. CI never runs. review never happens.
F-3 — blast radius: prod.
each write is worse than the last. the first is sloppy. the
second is invisible. the third is unrecoverable.
Bluesky (300 char limit — split into 4):
1/ three writes. no gates on any of them.
F-1: unvalidated payload. no schema check. no constraint gates.
accepted silently. you won't know until it compounds.
[char: 152]
2/ F-2: no idempotency key. no audit body. no MR cite. no
trace-id propagation.
the run happened. you can't prove it, attribute it, or replay it.
forensics: nil.
[char: 181]
3/ F-3: branch protection bypassed. CODEOWNERS ignored.
required checks skipped. CI never runs. review never happens.
blast radius: prod.
[char: 167]
4/ each write is worse than the last.
the first is sloppy. the second is invisible.
the third is unrecoverable.
[char: 112]
---
### Reply 2 — the structural argument
X (no char limit):
the instinct is to fix this with better prompts. strongly-worded ones.
the prompt is not the perimeter.
the model can't be the trust boundary. it's not built for that
role.
the boundary has to be architectural: a place in the topology
the agent cannot route around regardless of what it was told.
Bluesky (split into 3):
5/ the instinct is to fix this with better prompts.
strongly-worded ones.
the prompt is not the perimeter.
[char: 104]
6/ the model can't be the trust boundary. it's not built for
that role.
[char: 73]
7/ the boundary has to be architectural: a place in the topology
the agent cannot route around regardless of what it was told.
[char: 141]
---
### Reply 3 — the tease
X and Bluesky identical (278 chars — inside Bluesky limit):
8/ there's a ring between the agent fleet and the consumer repo.
it validates, gates, and emits a signed PR through standard
review gates before anything merges.
Ring 2 may never write to Ring 1 directly. that's not a policy.
it's the topology.
more on this soon.
---
## LINKEDIN
i used to instruct agents to push directly to main.
no validation. no review gates. no audit trail.
branch protection configured, CODEOWNERS in place, CI set up.
agent went around all of it.
the instinct is to fix this with better prompts. strongly-worded ones.
the prompt is not the perimeter.
the model can't be the trust boundary. it's not built for that role.
the boundary has to be architectural: a place in the topology the
agent cannot route around regardless of what it was told.
building that layer. more soon.
image: petrova-arc-post-01-final.png
hashtags: none
note: >
image renders landscape on mobile. hand-composed diagram fills
the frame correctly. verified against LinkedIn mobile crop ratio.
---
## REDDIT
communities:
primary: r/ExperiencedDevs
secondary: r/devops
tertiary: r/programming
post_gap: post r/ExperiencedDevs first. wait 48h before r/devops.
title: >
Agents bypassing branch protection and CODEOWNERS —
the trust boundary problem nobody's designing for
body: |
Been thinking about a class of failure mode that doesn't get
discussed much in the agentic tooling space.
When an agent fleet writes directly to a consumer repo — no
intermediary, no gate — it bypasses everything you've configured
at the repo level. Branch protection, CODEOWNERS, CI. Not because
those controls failed. Because the agent went around them entirely.
I'm categorising three distinct failure surfaces:
**F-1 · Silent** (severity: high)
Malformed payload hits the repo. No schema gate ran. No constraint
checks. Payload accepted, never validated. Drift compounds across
runs silently. You find out at incident time.
**F-2 · Invisible** (severity: high · forensics: nil)
No idempotency key. No audit body. No MR cite. No trace-id
propagation. The run happened — you can't prove it, attribute it,
or replay it. You're staring at a diff with no provenance.
**F-3 · Bypass** (severity: critical · blast: prod)
Branch protection bypassed. CODEOWNERS ignored. Required checks
skipped. CI never runs. Review never happens. The consumer repo
expected schema-valid state, attributable mutations, reviewed
merges. It gets none of the above.
The instinct is to fix this with better prompts. More carefully
worded instructions. That instinct is wrong — the prompt is not
the perimeter. The model can't be the trust boundary. The boundary
needs to be architectural: a place in the topology the agent
cannot route around regardless of what it was told.
Curious if others have hit these failure modes and how you've
approached the architectural question. I've been building a
control plane layer that sits between the agent fleet and the
consumer repo — validates, gates, emits a PR through standard
review gates before anything merges. Happy to write it up in
more detail if there's interest.
---
## PUBLISHING METADATA
recommended_publish_window:
days: [Tuesday, Wednesday, Thursday]
time_utc: "08:00–09:30"
rationale: >
Engineering feed on X peaks early morning UK/EU. Catches
US West Coast end-of-day. Avoids Monday week-start noise
and Friday afternoon drop-off.
hashtags:
hook_post: none
all_replies: none
override_candidate: agentic
override_flag: f-002
hard_pass_refs: [hp-001]
alt_text: >
Architecture diagram showing Ring 2 (agent fleet) writing directly
to Ring 1 (consumer repository) with no control plane in the path.
Ring 2 contains three writer types: claude-code, copilot-agents,
and custom MCP servers — all described as stateless, drift-prone,
with no shared trust boundary. A redacted Ring 1.5 control plane
is shown as a dashed ghost element marked "not on the write path
today," with its gates obscured: schema gate, idempotency ledger,
provenance · MR cite, policy · CODEOWNERS · replay. Three failure
surfaces are identified: F-1 Silent (severity: high) — no schema
check, no constraint gates, no type coercion, payload accepted
never validated; F-2 Invisible (severity: high, forensics: nil) —
no idempotency key, no audit body, no MR cite, no trace-id
propagation, run unattributable and unreplayable; F-3 Bypass
(severity: critical, blast: prod) — branch protection, CODEOWNERS,
and required checks all bypassed, CI never runs, review never
happens. Ring 1 lists what consumers expect: schema-valid state,
attributable mutations, reviewed merges — and notes it delivers
none of the above. Legend distinguishes dashed agent writes
bypassing the control plane from solid red unsanitised writes
reaching the system of record.
---
## ARC POSITION
arc_id: petrova-arc
post_number: 01 of 07
next_post: petrova-arc-post-02 (the missing boundary layer)
next_post_gap: 48h minimum
system_revealed: false
system_name_first_appearance: petrova-arc-post-04
tease_delivered: true
tease_target: petrova-arc-post-04
show_hn_runway: ~12-16 days remaining at 48h cadence