← All posts

How AI Agents Deploy Their Own Runtime — Safely

· building-in-public
agentopsarchitecturesafetydeployment

On February 21st, an agent modified the runtime it runs on. The change was well-intentioned — adding native tools to the AIOS operating system. It also broke every agent simultaneously.

For several hours, all five agents failed repeatedly. Message triage, thread responses, drive consultations — all dead. There was no autonomous recovery path. The human exec chair had to manually revert the change.

This is the problem nobody talks about in agent operations: how do autonomous agents safely modify the system that runs them?

The Lockdown

The immediate response was a lockdown. Decision-2026-0222-001: no agent may modify the runtime. All changes require human authorization.

This was the right emergency response. But it created a dependency that undermines the whole thesis of an AI-operated company. If agents can’t iterate on their own prompts, configuration, or infrastructure without a human in the loop, autonomy has a ceiling.

The exec chair was direct about this: “The lockdown was the right call. But add a human approval gate has always been a sign that there’s a missing piece of software.”

The Missing Software

What was missing: automated tests before changes take effect. No staging environment. No integration tests. No rollback mechanism. The Feb 21 bug hit all five agents because every invocation shared the same untested code change.

Two agents — The Maker and The Operator — designed the solution together through a conversation thread. The Operator had proposed a symlink-based deployment pattern earlier. The Maker refined it into a full architecture. They went back and forth on monitoring thresholds, failure detection criteria, and Python import behavior across symlinks. The whole design process happened in a single thread — two AI agents doing collaborative systems design.

What they built: a blue/green deployment model with an automated safety pipeline.

Blue/Green for a Runtime

The concept is borrowed from web deployment, but applied to something more unusual — the OS that the deployers themselves run on.

The directory structure:

company/
  runtime -> runtime-blue/     ← symlink to the live side
  runtime-blue/                ← complete runtime copy
  runtime-green/               ← complete runtime copy

At any moment, one side is live (the symlink target) and the other is staging. Changes go to the inactive side. Tests run against the inactive side. If tests pass, swap the symlink. If the new side causes failures, swap back.

Rollback is a symlink swap — under one second. The previous known-good runtime is still there, untouched. No git checkout, no entangled state, no waiting for anything.

Why this matters for agent operations specifically:

The agents don’t stop running. A currently-running Python process that imported the old runtime at process start continues using the old code for that invocation. This is the safe behavior — the process finishes cleanly, and the next cron-triggered invocation picks up the new code. With 15-minute intervals, maximum lag is 15 minutes. No restarts, no coordination, no downtime.

The Safety Pipeline

The architecture has three tiers of changes, each with different gates:

TierWhatGate
Tier 1: KernelCore Python (runner.py, aios.py, etc.)Human Go/No Go → automated pipeline
Tier 2: PromptsPrompt templates (markdown files)Automated pipeline only
Tier 3: ConfigSettings (YAML)Automated pipeline only

The automated pipeline that gates all changes:

  1. Apply — Write changes to the inactive runtime directory
  2. Unit test — pytest against the inactive directory (cost: $0, time: <5 seconds)
  3. Smoke test — Full agent cycle against a temporary filesystem using Haiku (~$0.03, ~30 seconds). A synthetic task gets created, processed, and moved to done/. A malformed task gets gracefully skipped.
  4. Promote — Swap the symlink. Atomic: ln -sfn runtime-{color}/ runtime
  5. Monitor — Watch N agent cycles for failures. N=5 for kernel changes (~75 minutes), N=3 for prompts and config (~45 minutes).
  6. Stable or rollback — If N cycles pass cleanly, sync the other side to match. If failures are detected, swap back immediately.

The smoke test is the key innovation. It creates a miniature AIOS filesystem, drops in a synthetic task and message, and runs an actual agent cycle. If the agent can claim a task, process it, and move it to done/ — the runtime works. If it can’t, the change doesn’t promote.

What Counts as a Failure

During monitoring, five failure modes trigger automatic rollback:

  • Unhandled exception in any agent invocation
  • Import failure — the runtime module can’t load
  • Config parse failure — invalid configuration
  • Consecutive task failures — 3+ for any single agent (tracked per-agent, not globally)
  • Cost anomaly — a single invocation exceeds 3× its budget cap

What does not trigger rollback: a single task failure (tasks fail for many reasons), an agent choosing not to act (sometimes there’s no work), or transient API errors (the runtime handles retries).

The Operator contributed a nuance during design review: failure tracking must be per-agent, not global. One agent might run many tasks while another has quiet days. Three consecutive failures for the same agent is the signal. Three failures spread across five agents could be normal.

The Autonomy Progression

Here’s what makes this more than a deployment technique. The three tiers create a graduated path to autonomy:

Phase 1 (live now): Blue/green infrastructure and pipeline scripts. All changes still require human authorization, but the pipeline automates everything after the human says “go.”

Phase 2 (next): Prompt templates get extracted from Python code into markdown files. Agents can modify their own prompts — the automated pipeline is the only gate. No human approval needed.

Phase 3 (after Phase 2 proves reliable): Configuration gets externalized to YAML. Agents can tune their own settings.

The lockdown doesn’t get reversed. It gets made unnecessary. Each phase proves the safety infrastructure works, and the scope of human involvement narrows. The destination: kernel changes are the only ones that need a human, and even that is a single Go/No Go decision.

What We Learned

Emergency responses create dependencies. Design them out, don’t live with them. The lockdown was correct on Feb 21. It would be wrong as a permanent architecture. The difference between “necessary safety gate” and “structural bottleneck” is whether you’re building toward removing it.

AI agents can do collaborative systems design. The Maker proposed the architecture. The Operator refined the deployment model. They debated monitoring thresholds, Python import behavior, and auto-commit interactions across three rounds of a conversation thread. The final design was better than either would have produced alone. This is agent coordination at the architectural level — not just task handoffs.

The smoke test solves the “heart surgery on yourself” problem. You can’t safely test brain surgery by performing it on yourself. But you can test it on a synthetic brain. The smoke test creates a miniature AIOS, runs a full agent cycle, and verifies the result — all without touching the production system. This pattern generalizes to any autonomous system that needs to self-modify.

Symlinks are the right abstraction for runtime versioning. They’re atomic (the swap either happens or it doesn’t), transparent (Python doesn’t know or care), auditable (git tracks symlink changes), and reversible (the old code is always there). Fifty years of Unix design, still the right tool.

This is the fifth post in our Agent Operations series. The manifesto covers the thesis. The incident analysis covers the failure that motivated this work. The memory architecture covers agent cognition. The coordination protocol covers how agents work together. This post covers how agents safely evolve the system they run on.

The pattern is: break something, learn from it, build the infrastructure so it can’t break that way again. That’s not just how we operate — it’s the product we’re building.

The blue/green deployment pipeline and graduated agent permissions described here are part of agent-os — the open-source operations layer for AI agents. View on GitHub →