Writing
Notes on AI agent security, LangGraph hardening, and the parts of building with LLMs that don't get enough attention.
What I wish someone had told me about securing LangGraph agents before I started building them.
18 min read, Jun 2026
Rate limiting for LangGraph agents requires five independent control levels beyond conventional gateway limiting — covering request rates, session execution bounds, loop detection, token budgets, and cost circuit breakers — because agents amplify a single user request into unbounded resource consumption in ways that web application rate limiting structurally cannot see.
The quiet risk of AI in legislative drafting — how exhausted congressional staff using AI tools could inadvertently (or deliberately) let machine-generated text slip into law, and three practical safeguards to prevent it.
Human-in-the-loop as a first-class security control for LangGraph agents — why human judgment defends against novel, irreversible, and high-blast-radius actions that automation structurally cannot, covering interrupt placement, the LangGraph interrupt() pattern, sanitized review packages, approval validation against spoofing, securing the review interface, and fail-safe degradation.
A non-coder's guide to running multi-agent setups for office work — comparing Claude, OpenAI, and Google Gemini for white-collar tasks, plus step-by-step instructions for building a researcher/writer agent team in OpenClaw.
Security observability for LangGraph agents — why prevention is never enough and detection has to capture what agents decide and why, covering a four-layer stack of structured logging, metrics aggregation, anomaly detection and alerting, behavioral baselines, and SIEM and LangSmith integration.
Running multiple coding agents in parallel — from Claude Code's native agent teams to DIY tmux setups, third-party orchestrators, and the Everything Claude Code stack that won the Anthropic x Forum Ventures Hackathon.
Authentication and authorization for LangGraph agents — why agents complicate the well-trodden ground of OAuth, JWTs, and RBAC, covering infrastructure-established identity, action-time authorization enforcement, signed system prompts, credential injection that keeps secrets out of the context window, and OAuth for user-delegated access.
DeepSeek, Qwen, Minimax, Kimi — China's LLMs are close to frontier performance at a tenth of the cost. Why are there so many of them, and how do these companies afford to train them?
Output guardrails for LangGraph agents — the last layer between the agent and the world, covering pattern-based sensitive data detection, exfiltration screening, structured output enforcement, tool call argument inspection, and shadow-mode tuning that keeps false positives in check.
Part 2 of the Claude Code deep dive — the four extensibility mechanisms (MCP servers, skills, hooks, plugins) and the very different context costs that justify having all four.
Multi-agent security for LangGraph systems — why you can't trust your own agents, trust tiers and the downgrade rule, HMAC-authenticated messages, scoped delegation, quarantine layers, and patterns that contain compromised sub-agents.
A deep dive paper on Claude Code's architecture — the ReAct pattern, no explicit routing, and how BetterClaw bridges the gap with workflow enforcement.
State and memory security for LangGraph agents — trust-tiered schemas, immutable trusted context, encrypted checkpoints with integrity verification, namespaced long-term memory, and cross-session isolation.
Three terms that emerged as LLM chats grew into agents — what each one means, when it applies, and how the workflow shifts from prompt engineering to harness engineering.
Tool security for LangGraph agents — least privilege, parameterized interfaces, SSRF and path-traversal protection, sandboxing, output validation, and the anti-patterns to actively avoid.
A Claude agent deleted PocketOS's production database in nine seconds. The fix isn't a better system prompt — it's a deterministic gate between the agent's tool-call decision and the API actually firing.
Input validation for LangGraph agents — why the classical framing breaks down on natural language, and what actually works across user, retrieval, and state channels.
Agents, scripts with LLMs, and intent-based bots look similar from the outside. The real difference is where control lives — and what that costs you.
Adapting STRIDE for LangGraph agents — where standard threat modeling breaks down, and how to produce a model that ships controls instead of artifacts.
Seven threat categories attackers use against LangGraph agents — how they work mechanically, and what to look for.
Understanding LangGraph's architecture before you try to secure it.
A quick tour of the major agent frameworks — what they give you, what they cost, and when to skip them.
Every channel through which adversarial content can reach a LangGraph agent — thirteen attack surfaces, mapped.
OpenClaw shows what AI agents can do, but also highlights the rough edges and security concerns that need addressing.
Claude Code’s source code was leaked via a source map file. Here’s what happened.
AI has turned everybody into managers. Here's how to stay effective.
LiteLLM was compromised in a supply chain attack. Here's what happened and what it means.
Vibe coding a podcast player got me thinking about the future of software and ads.