
Social Agents Isolation Architecture

Last Updated: 2026-02-16 Status: Planned Owner: agent-social project

Why Isolate

MoltBook and OpenClaw are external integrations with documented security risks: prompt injection, data leakage, permission escalation. Currently, social agent code is mixed into platform-agents/, sharing the same deployment context as internal OSSA agents.

Risk: A compromised social agent could access GitLab tokens, NAS credentials, internal database passwords, or MinIO storage keys.

What Moves to agent-social

| File/Directory | Currently In | What It Does |
|---|---|---|
| packages/@ossa/social-research-agent/ | platform-agents | Queries MoltBook API, sentiment analysis |
| packages/@ossa/whitepaper-writer-agent/ | platform-agents | Claude Opus blog post generation |
| packages/@ossa/content-reviewer-agent/ | platform-agents | Quality gate, fact-checking, scoring |
| agents/docker-compose.yml | platform-agents | Docker Compose for all 3 agents |
| deploy/moltbook-autopilot/ | platform-agents | K8s manifests, secrets templates |
| internal/duo/npm_monitor.go | agent-buildkit | NPM registry poller (Go, uses Redis) |
| services/ossa-agents/ | NAS volume | MoltBook A2A Bridge |

Isolation Architecture

INTERNAL (Trusted)                    SANDBOX (Untrusted)
========================              ========================
Oracle Cloud Instance 1               Oracle Cloud Instance 2
  k3s + kagent                          k3s (lightweight)
  agent-mesh (3005)                     external-gateway (5000)
  compliance-engine (3010)              moltbook-agents (4001-4003)
  observability stack                   openclaw-bridge (4010)
                                        npm-monitor

NAS (NEVER exposed to sandbox)
  Postgres, Redis, Qdrant, MinIO

Tailscale ACL Rules

```json
{
  "acls": [
    { "action": "accept", "src": ["tag:oracle-platform"], "dst": ["tag:nas:*"] },
    { "action": "accept", "src": ["tag:openclaw-vps"], "dst": ["tag:nas:3005", "tag:nas:4000", "tag:nas:9000"] },
    { "action": "accept", "src": ["tag:oracle-sandbox"], "dst": ["tag:oracle-platform:5000"] },
    { "action": "deny", "src": ["tag:oracle-sandbox"], "dst": ["tag:nas:*"] }
  ]
}
```
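The ACL above is only as good as the invariants it is checked against, so here is an added example (not part of the original page) that evaluates the policy the way Tailscale does and asserts the isolation properties the diagram promises. One caveat worth knowing: Tailscale's policy language is allowlist-only and default-deny, so only `accept` entries grant anything; the trailing `deny` entry records intent but is not a rule Tailscale will enforce, and the evaluator below treats it as such. The target ports for Postgres and Redis (5432, 6379) are standard defaults used here as sample targets, not values stated on the page.

```python
import json

# Policy from the page, verbatim. Tailscale is allowlist-only (default deny):
# only "accept" entries grant access, so the "deny" entry below documents
# intent rather than adding an enforceable rule.
ACL_POLICY = json.loads("""
{ "acls": [
  { "action": "accept", "src": ["tag:oracle-platform"], "dst": ["tag:nas:*"] },
  { "action": "accept", "src": ["tag:openclaw-vps"],
    "dst": ["tag:nas:3005", "tag:nas:4000", "tag:nas:9000"] },
  { "action": "accept", "src": ["tag:oracle-sandbox"],
    "dst": ["tag:oracle-platform:5000"] },
  { "action": "deny", "src": ["tag:oracle-sandbox"], "dst": ["tag:nas:*"] }
] }
""")


def _dst_matches(dst: str, target: str, port: int) -> bool:
    """Match one dst entry such as "tag:nas:*", "tag:nas:3005" or "tag:nas:80-90"."""
    host, _, port_spec = dst.rpartition(":")
    if host != target:
        return False
    for spec in port_spec.split(","):
        if spec == "*":
            return True
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def is_allowed(policy: dict, src: str, dst: str, port: int) -> bool:
    """True if some accept rule permits src -> dst:port; otherwise default deny."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue  # no other action grants access
        if src not in rule["src"] and "*" not in rule["src"]:
            continue
        if any(_dst_matches(d, dst, port) for d in rule["dst"]):
            return True
    return False


# Isolation invariants taken from the diagram and the Security Rules:
# (src, dst, port, expected). Sample ports 5432/6379 are assumed defaults.
ISOLATION_CHECKS = [
    ("tag:oracle-platform", "tag:nas", 5432, True),
    ("tag:oracle-sandbox", "tag:nas", 5432, False),
    ("tag:oracle-sandbox", "tag:nas", 6379, False),
    ("tag:oracle-sandbox", "tag:nas", 9000, False),
    ("tag:oracle-sandbox", "tag:oracle-platform", 5000, True),
    ("tag:oracle-sandbox", "tag:oracle-platform", 3005, False),
    ("tag:openclaw-vps", "tag:nas", 3005, True),
    ("tag:openclaw-vps", "tag:nas", 5432, False),
]


def audit(policy: dict, checks=ISOLATION_CHECKS) -> list:
    """Return the checks whose actual outcome differs from the expected one."""
    return [(src, dst, port, expected)
            for src, dst, port, expected in checks
            if is_allowed(policy, src, dst, port) != expected]


if __name__ == "__main__":
    failures = audit(ACL_POLICY)
    print("isolation OK" if not failures else f"violations: {failures}")
```

Running `audit()` against the policy in CI, before `tailscale` pushes a new policy, turns "sandbox can never reach the NAS" from a diagram into a test that fails the moment someone adds a convenient `tag:oracle-sandbox` to `tag:nas:*`.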

Secret Management

| Secret | Internal | OpenClaw DMZ | Sandbox |
|---|---|---|---|
| Anthropic API Key | Via LiteLLM | Own key | Own key, separate billing |
| GitLab PAT | Yes | Never | Never |
| NAS credentials | Yes | Never | Never |
| PostgreSQL password | Yes | Never | Never |
| Redis password | Yes | Never | Never |
| MinIO keys | Yes | Read-only bucket | Never |
| MoltBook API key | Not needed | Not needed | Sandbox only |
| Pinecone API key | Not needed | Not needed | Sandbox only |

Security Rules

  • Sandbox gets its OWN Anthropic API key (separate billing, separate rate limits)
  • Sandbox NEVER gets: GitLab tokens, NAS credentials, internal DB passwords, MinIO keys
  • All communication through a single External Gateway (validates, rate-limits, logs)
  • Cedar deny-by-default policy for sandbox agents
  • Agents use ephemeral tokens, never shared credentials
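The secret matrix and the "Sandbox NEVER gets" rule are easy to break by accident (a shared env file, a copied Kubernetes Secret), so here is an added startup guard, written for this page and not taken from the agent-social project, that refuses to start a workload whose environment violates the matrix. The environment variable names are assumptions: the page names the secrets, not the variables that carry them. The guard only checks presence; that the DMZ's MinIO keys are scoped to a read-only bucket has to be enforced on the MinIO side.

```python
import re

# Zones and the secrets each may hold, transcribed from the Secret Management
# table. Variable names are assumptions (the page does not name them).
ALLOWED_SECRETS = {
    "internal": {
        "ANTHROPIC_API_KEY", "GITLAB_PAT", "NAS_PASSWORD", "POSTGRES_PASSWORD",
        "REDIS_PASSWORD", "MINIO_ACCESS_KEY", "MINIO_SECRET_KEY",
    },
    # DMZ MinIO keys must be scoped to a read-only bucket; that scope is a
    # MinIO policy concern, this guard only checks which names are present.
    "openclaw-dmz": {"ANTHROPIC_API_KEY", "MINIO_ACCESS_KEY", "MINIO_SECRET_KEY"},
    "sandbox": {"ANTHROPIC_API_KEY", "MOLTBOOK_API_KEY", "PINECONE_API_KEY"},
}
KNOWN_SECRETS = set().union(*ALLOWED_SECRETS.values())
# Anything else that looks like a credential is reported as unexpected,
# so a new secret cannot slip into a zone without being added to the matrix.
LOOKS_SECRET = re.compile(r"(_TOKEN|_PASSWORD|_SECRET|_KEY|_PAT)$")


def check_zone(zone: str, env: dict) -> dict:
    """Classify env var names for a zone.

    forbidden  = a secret the matrix knows but bars from this zone
    unexpected = a secret-looking name the matrix does not list at all
    """
    allowed = ALLOWED_SECRETS[zone]
    present = set(env)
    forbidden = sorted((present & KNOWN_SECRETS) - allowed)
    unexpected = sorted(n for n in present - KNOWN_SECRETS if LOOKS_SECRET.search(n))
    return {"forbidden": forbidden, "unexpected": unexpected}


def enforce(zone: str, env: dict) -> None:
    """Refuse to start a workload whose environment breaks the matrix."""
    result = check_zone(zone, env)
    if result["forbidden"] or result["unexpected"]:
        raise SystemExit(f"{zone}: refusing to start, env violates secret matrix: {result}")


# Constructed sample: a sandbox pod that inherited an internal env file.
SAMPLE_SANDBOX_ENV = {
    "ANTHROPIC_API_KEY": "sk-ant-placeholder",
    "MOLTBOOK_API_KEY": "mb-placeholder",
    "GITLAB_PAT": "glpat-placeholder",      # must never reach the sandbox
    "POSTGRES_PASSWORD": "placeholder",      # internal DB password
    "SLACK_BOT_TOKEN": "xoxb-placeholder",   # not in the matrix at all
    "PATH": "/usr/bin",
}

if __name__ == "__main__":
    print(check_zone("sandbox", SAMPLE_SANDBOX_ENV))
    enforce("sandbox", SAMPLE_SANDBOX_ENV)  # exits, listing the violations
```

Call `enforce(zone, dict(os.environ))` as the first thing an agent's entrypoint does; failing closed at startup is cheaper than discovering later that a social agent had a GitLab PAT in its process environment.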

Post-Migration Cleanup

After successful migration to agent-social:

  • Remove all MoltBook agent references from platform-agents/registry.yaml
  • Delete social agent packages from platform-agents
  • Remove npm_monitor.go from agent-buildkit
  • Delete NAS:/volume1/AgentPlatform/services/ossa-agents/