Hi 👋
This week I built the agent-forge-bootstrap: three agents in sequence: Architect plans, Executor writes code, Reviewer validates and calls pass or fail.
All local: OpenCode + Ollama (qwen3-coder:30b), Discord bot as the human interface.
In one python file (163 lines) that illustrate the multi-agent
orchestration workflow to understand how most recent frameworks function under
the hood.
The engineering problem that took longest to solve: state handoff between agents.
Stateless API calls kept dropping context mid-session. Persistent server communication
via --attach fixed it by keeping the OpenCode process alive across agent turns.
First security control I added: repo isolation on the Executor.
Without it, the agent runs with the full filesystem permissions of its process user.
Give that agent write access to anywhere it wants and you don't have an AI system.
You have an unauthenticated write endpoint.
Full write-up coming shortly.
THIS WEEK IN AI SECURITY
A Docker Engine authorization plugin bypass came back this week. The original patch was incomplete. Affected: Docker Engine prior to 29.3.1, Docker Desktop prior to
4.66.1. If you can reach the Docker API, you can bypass auth plugins entirely and get root-level access to the container host.
docker ps --format '{{.Names}} {{.Mounts}}' | grep docker.sock
"Your agent harness, your memory": what closed agent frameworks actually cost you
LangChain published a direct argument for open harnesses: if the framework manages your agent's memory, you've lost visibility into what it remembers, what can be
injected into that memory, and how to force a purge. That matters more than vendor lock-in. OWASP ASI01 and ASI05 both assume you can inspect the memory layer. Closed
harnesses make that assumption wrong.
Microsoft: the agentic SOC needs a different security model
Microsoft's security team laid out why current SOC playbooks don't transfer to agent environments. The problem: agents triage at machine speed with no escalation
loop, and a compromised agent's blast radius is larger than a compromised analyst's workstation.
Agents have authorized access to query, modify, and remediate production systems.
No incident driving this, just a framework argument.
But the gaps it names are worth reading before you put any agent into a security operations workflow.
Marimo RCE — update from last issue
Confirmed under active exploitation for credential theft. Patch now if you haven't. BleepingComputer →
TOOLING WORTH KNOWING
Google Chrome Device Bound Session Credentials (DBSC) — Chrome now binds session cookies to the device. Steal the cookie, replay it somewhere else, it fails. Relevant
if any AI application relies on browser-based session management. Verify your users are on a current Chrome version and test that cookie-binding doesn't break your
session flows before rolling it out broadly. BleepingComputer →EU AI Act compliance layer for Claude Managed Agents (open source) — Compliance integration for Claude-based agents with MCP. Worth reading as a reference
implementation if you're shipping agents under EU AI Act obligations. Just audit what it actually covers before telling anyone you're compliant. docs.geiant.com →
ONE THING TO CHECK THIS WEEK
Look at the write-capable agent in any multi-agent system you run. What filesystem paths can it write to? What environment variables does it inherit. Meaning what
credentials can it read? Can it make outbound network calls without an allow-list? If the answer to any of those is "everything the process user can access," the agent
isn't controlled. It's an unauthenticated write endpoint with a chat interface. This is the first control I added to agent-forge-bootstrap, before any prompt work.
WHAT I'M WATCHING
Docker socket exposure in containerized agents — the CVSS 8.8 auth bypass is back. Agent containers that mount the Docker socket are host escape paths. Audit for
/var/run/docker.sock mounts now, not at the next sprint.Adobe Reader: four months of exploitation, still no patch. If PDFs enter any AI pipeline — document ingestion, RAG data sources, email parsing — Reader is an active
attack surface. Sandboxed rendering or an alternative parser is the pragmatic fix right now.Closed harnesses and memory opacity — vendors are shipping managed agent frameworks where memory is a black box. You can't audit retention, can't verify what a prompt
injection could surface from stored context, and OWASP ASI05 guidance assumes you can. Watch for the Agentic Top 10 to address this directly.EU AI Act enforcement timing — the compliance gap for agentic AI is documented. What's missing is clarity on which autonomous system capabilities trigger Article 9
obligations and when national supervisory authorities will start asking. Q2 is when I'd expect positions to crystallize.
Next week: the full agent-forge-bootstrap write-up: the permission model I built for the Executor and what I learned about harness and memory architecture when the
agent actually has local filesystem access. If you're building multi-agent systems and wondering where to start on security controls, that's the post.
Questions or topics you want covered? Reply to this email.
Cheers,