Oliver Studio /06

The homelab treats agent workloads as a platform problem, not a prompt problem. Kubernetes Agent Sandbox on a gVisor runtime class gives process isolation you can schedule; Cilium default-deny egress with DNS-aware allowlists replaces coarse IP rules; ambient Istio carries identity without bolting a sidecar onto every sandbox pod.

Early product thinking (AgentGuard) frames the north star: the policy, not the model, decides whether it runs. That means distinguishing human-triggered from agent-triggered actions at the tool layer, pausing high-risk calls for approval, and shipping an immutable audit trail — OTLP traces and controller metrics today, decision logs at the MCP boundary tomorrow.

Operationally: vendored controller CRDs, warm pools to hide cold-start latency, a sandbox router for ingress, and GitOps-controlled templates so runtime images and network posture change through PRs — not kubectl drift.

Two k3s clusters — hub and sandbox — reconciled from one Git repo. Argo CD ApplicationSets expand app folders into per-cluster Applications; optional enabledClusters gates keep experiments off production paths until you mean it.

Crossplane composites and External Secrets Operator keep cloud resources and secret material out of Git while staying declarative. Per-cluster Helm value files let the sandbox cluster run agents and flex workloads without forking charts.

A custom OpenTelemetry Collector connector calls a Python forecast service and emits low-cardinality derived metrics — forecasts and anomaly signals without copying pod labels onto the output. The connector is a stream processor, not a storage client; long-history reads stay on the service side.

Beside the real-time path sits a planning control plane: typed policies in a runtime catalog, a durable run store with idempotent keys, schedulers that only enqueue due specs, and workers that claim leases before heavy execution. Results land as advisory digests — notification-safe summaries that do not mutate SLOs or autoscalers yet.

A Kubernetes operator reconciles server deployments and materializes selected policies into runtime ConfigMaps; Python owns predictors, planning, and model work. The split keeps the hot path thin and the advisory path honest about what it will not do automatically.

SPIRE issues workload SVIDs; ambient Istio carries east-west identity without bolting a sidecar onto every pod. OIDC discovery documents published at the edge let cloud APIs trust cluster identities without long-lived static keys in Git.

Teleport adds an audited front door for humans and registered apps — GitHub SSO, app service registration for internal HTTP services, and kube-agent join without advertising the API server on the public internet.

The design goal is layered trust: cryptographic workload identity inside the mesh, federated OIDC for cloud APIs, and session-audited human access at the boundary. Application-layer policy (who invoked which tool, under what authority) sits above this stack — network identity alone cannot answer intent questions.

Local inference on the hub via vLLM and Ollama for day-to-day experiments. SkyPilot adds burst GPU when a job outgrows local silicon — same scheduling story, different substrate.

LiteLLM sits in front as a gateway: one OpenAI-compatible surface, upstream routing to hosted providers, and OTel hooks so model traffic shows up next to the rest of the observability stack.

The lane is deliberately split from identity: model routing and keys live behind LiteLLM; who may reach that gateway lives in the access plane (Teleport app registration, SSO). That keeps “which model” and “who is calling” as separate policy surfaces.

Product north star (DreamSound / 梦响): bedroom-first audio — not another living-room speaker. The vision pairs hi-fi multi-driver acoustics with sleep-stage-aware volume, NFC tap-to-connect, and DreamPass, an AI-composed “evening brief” that fades from micro-learning into ambient soundscapes as you drift off. Relationship modes (solo, couple, household) adapt content and volume without midnight phone friction.

What runs in the lab today is smaller but honest: an audio-splitter batch workload on the hub — ffmpeg graphs, containerized like Mimir or Cilium, deployed through the same Argo path. It proves creative pipelines inherit the same guardrails as production-ish infra while the hardware story stays on the drawing board.

Replacing coarse “world egress + denylist” with a dedicated Envoy forward proxy. Agent pods may reach only the proxy; Cilium enforces the coarse lockdown (DNS + proxy + telemetry), while per-domain policy lives in an app-aware layer.

Hot path: CONNECT/HTTPS hits Envoy’s dynamic forward proxy → gRPC ext_authz Check → Policy API allow/deny before bytes leave. HTTP ext_authz is intentionally avoided — it replays CONNECT to the authz server and breaks tunnels. No TLS MITM: control is hostname/SNI-level only, with structured access logs for audit.

Slow path: unknown domains default to deny; approvals grant TTL-bounded access and reuse existing agent notification channels for human-in-the-loop. Product thinking (AgentGuard) adds the complementary picture — kernel-visible egress correlated with tool-call semantics so agents cannot silently bypass the gateway.

A Kubernetes operator watches Gateway routes and PagesDomainSync resources, keeping Cloudflare Pages custom domains and public DNS CNAME targets aligned with in-cluster intent — dry-run first, then reconcile.

Public resolvers hit the Pages landing; split-horizon DNS on the tailnet still resolves the same hostnames to the internal load balancer. One hostname, two audiences, declared in Git instead of hand-edited edge consoles.

API tokens and zone identifiers stay in External Secrets; the operator consumes intent CRs only. This site itself ships through that path — editorial content in Git, edge DNS reconciled, no console-only drift.

Split planes on purpose: LiteLLM owns the LLM path — model routing, upstream keys, budgets, OTLP — while Teleport owns identity and tool access — GitHub SSO, app registration, session audit. They do not overlap.

Teleport CE on the sandbox cluster registers internal HTTP services as apps. A read-only Kubernetes MCP server exposes structured cluster reads under a least-privilege ClusterRole, reached through Teleport rather than raw network paths. A dedicated kube-agent watches dynamically registered apps because split Teleport charts cannot run app service in-process on auth or proxy.

Longer product arc (AgentGuard): an MCP-native gateway that intercepts JSON-RPC tool calls, resolves human vs agent caller identity, evaluates GitOps-declared policy (allow / deny / escalate), and writes tamper-evident audit entries. The homelab dogfood starts with read-only tools and SSO gates; escalation workflows come next.

Private image built from pinned upstream Hermes releases — not a fork of the agent logic, but a reproducible container and entrypoint the flex cluster can upgrade through GitOps like any other app.

The agent runs where the sandbox and egress stack run: tool calls and channels sit inside gVisor-backed workloads, outbound traffic flows through the forward proxy, and OTLP exports land next to the rest of the observability path.

Stdlib-only RCA agent that runs inside a warm gVisor sandbox: an orchestrator collects live Kubernetes signals (pods, events, replica sets, trimmed logs), uploads context, and streams an LLM answer with per-phase timing on stdout.

Spans export over OTLP — connect/TLS, time-to-first-token, generate — and nest under a demo orchestrator trace in Tempo. A presentation layer compares homelab sandbox bind+exec latency against an external Modal cold start on the same static incident fixture.

Platform teams accumulate CRDs faster than they accumulate memory of them. CRDPilot combines three jobs Pluto and friends leave separate: scan installed CRDs against upstream operator versions, generate human-readable docs from OpenAPI schema, and push change summaries when Istio/Argo/cert-manager ship schema diffs.

North star is a kubectl plugin plus optional SaaS portal — open-source scan locally, paid tier for continuous monitoring and Slack digests. The homelab itself still solves drift through GitOps inventory; this is the product-shaped version of that pain.

WhisperMap is a location-native social layer: nearby users appear as mood-colored bubbles on a soul map, profiles carry opt-in topics and vibes, and mutual interest opens an encrypted chat with real-time AI translation — text or voice — across languages.

Privacy is structural, not a checkbox: coarse location jitter, bilateral match gates, anonymous defaults, E2EE messages, and instant invisibility mode. The bet is that translation quality finally makes stranger discovery feel safe in dense, multilingual cities.

Most home cameras notify on motion; almost none remember that the same unknown person passed the house three Tuesdays in a row. SentinelAI is an edge hub that ingests existing RTSP/ONVIF cameras, extracts appearance and vehicle features locally, and scores cross-day repeat visits for casing behavior — before a break-in, not after.

Deliberately not facial recognition: body silhouette, clothing, plate, and vehicle re-ID only, with vectors stored on-device and rolling deletion. Raw video never leaves the property; alerts explain why a visit scored high, not just that motion happened.

TARS (retrieval architecture sketch) splits agent memory into vertical tiers — summary, working set, cold store — each with explicit token budgets and progressive disclosure rules so the model sees just enough context per step, not an ever-growing paste buffer.

Horizontally, retrieval fans out across sources (docs, tickets, metrics catalogs) with merge and dedupe before injection. The design steals from IDE indexing, observability trace browsers, and tiered prompt compilers — implementation is still paper; the homelab’s OTel and planning work informs how audit-friendly retrieval should be.

OneGraph is a separate monorepo with two products that share Postgres but not schemas: RIG (Repo Intelligence Graph) and Observer (agent evidence / routing control plane). Homelab dogfoods the agents; onegraph dogfoods how those agents find code and learn from corrections.

RIG is a Rust service: tree-sitter extractors walk git blobs incrementally (content-addressed by blob SHA, not mtime), upsert typed nodes and edges into Postgres with pgvector and pg_trgm, then serve BFS impact analysis and semantic search through petgraph in memory. Separate rig index and rig serve binaries keep indexing spikes off the query path. Ten MCP tools plus REST, bearer auth, and an agent feedback loop that boosts ranking from past successes and corrections — the three things a single-repo IDE indexer cannot do at team scale.

Observer wraps RIG: agents talk to Observer’s MCP, not RIG directly. Every tool call lands as an append-only partitioned event; task embeddings drive scoped routing priors (corrections bound by similarity, target, TTL, and trust — never poisoning global memory). Sync gates combine YAML policy, override lists, confidence thresholds, and Slack approve/reject for risky actions, fail-closed by default.

Status when this page was last updated: RIG foundation (store, security, migrations) is complete with tests green; indexer and query engine plans are in flight; Observer foundation is specced next. Claude Code hooks are the first ingest surface; headless agents share the same HTTP contract later.