Gas Town Needs a Citadel
Why Industrialized Agent Orchestration Requires Industrialized Control
Steve Yegge recently introduced Gas Town which he calls “Kubernetes for agents.” While as chaotic as its namesake, Gas Town is the first real glimpse of an industrialized coding factory. In this world, 30 parallel workers move at a velocity that humans simply can’t track. There is Ralph Wiggum, and then there’s an army of Ralph Wiggums. Gas Town transforms Claude Code into an agent management system, using a persistent ledger called Beads to track tasks in a git repository. This ensures agents maintain context through the file system rather than a rotting conversation history, effectively turning a single-threaded assistant into a high-speed, multi-agent workforce.
However, there is a sobering reality behind this industrial scale. Security researcher Sean Heelan recently conducted an experiment using a zero-day vulnerability in the QuickJS interpreter. This vulnerability was actually discovered by another AI agent. Heelan challenged models like GPT-5.2 to write a working exploit while facing every modern security defense. Even with hardware-level protections and a sandbox designed to block unauthorized processes, the agent succeeded. At the cost of $150 and three hours of parallel compute, Heelan offers us a new unit of risk: search throughput.
The Problem with “Asking” a Factory to Behave
This shift from human-scale chat to machine-scale swarms creates a fundamental control problem. We are currently attempting to govern high-speed factories using the same brittle, text-based tool we use for simple chatbots. That tool is the system prompt. In the Gas Town framework, the “Mayor” is the agent coordinator but control is not guaranteed. Even Yegge warns:
“Gas Town is an industrialized coding factory manned by superintelligent robot chimps, and when they feel like it, they can wreck your shit in an instant. They will wreck the other chimps, the workstations, the customers. They’ll rip your face off if you aren’t already an experienced chimp-wrangler. So no. If you have any doubt whatsoever, then you can’t use it.”
We can ask the Mayor to ensure the agents follow the rules, but we have to accept that prompts are not brakes. The system prompt is essentially a polite request that an agent tries to follow while simultaneously optimizing for a single goal: being helpful to the user. In a high-pressure environment, an agent’s drive to deliver a result will eventually collide with safety rules. This causes the agent to enter a sycophancy loop where it treats your guardrails as optional suggestions in order to finish the job. When 30 agents are running at full speed, they are performing a relentless, automated audit of your internal logic until they find a way to succeed.
The Unit of Risk: Search Throughput
Heelan’s research demonstrates that agents do not hack through a firewall in the traditional sense. Instead, they search the logic space of a system until they find an exit. If they have compute and time, they can brute-force their way to a solution faster than humans can stop or contain them.
What Heelan describes is essentially a soft penetration test. Because agents have legitimate, authenticated access to your environment, their search isn’t just for technical zero-days. It is for the logical gaps and misconfigurations that exist in every enterprise. An agent tasked with “optimizing production code” might discover that by chaining three harmless API calls, it can bypass a legacy permission check that was never intended to be poked 1,000 times a minute. To the agent, this is just a creative solution to a mission. To the CISO, it is an insider threat created by competence.
Gas Town is built on the principle that agents should never give up. For the developer, that is a dream. For a security leader, it is a nightmare. A persistent, autonomous search engine moving at machine speed will eventually find a way out of any soft container. The risk is not just a “hack” in the traditional sense, it is a logical exploit where the agent uses its “harmless intent” to navigate around the guardrails. The speed of the search throughput ensures that the agent will find the one misconfiguration you forgot to patch.
The Citadel: Infrastructure-Level Governance
The complement to Gas Town is the Citadel, an agent harness and control plane that sits between the orchestrator and your environment. It moves governance out of the unstable prompt layer and into the architecture.
The first imperative is deterministic lanes. We must stop asking agents to stay away from sensitive tools and instead physically de-provision tool access at the infrastructure layer based on the active task context. If an agent is assigned to documentation, it should not have a network route to the production shell. This eliminates the logical risk of an agent stumbling into a sensitive system while trying to be helpful.
The second pillar involves behavioral circuit breakers that evaluate the logic of every tool call before execution. If an agent starts chaining calls in a way that mirrors an attack trajectory or data exfiltration pattern, the Citadel kills the process instantly at machine speed. These circuit breakers look for deviant logic, not just malware. They detect when an agent’s search throughput has shifted from mission completion to probing the boundaries of its environment.
This is underpinned by the establishment of a unique identity for every agent, including ephemeral ones, to solve the industry’s looming attribution challenge of whether a human or an agent took an action. In a multi-agent swarm, traditional IAM fails because it can’t distinguish between a legitimate user request and an agent’s recursive sub-task. We need a unique identity to provide the forensic ground truth required to operate a factory. By assigning every action with a governable agent identity, we create an immutable ledger that proves exactly which agent took which path through the logic space. You can only debug and secure what you can identify.
The Path to Meaningful Autonomy
Gas Town represents the next inevitable step in the journey toward multi-agent swarms. These systems are incredibly powerful, but as Heelan showed, that power can easily break away from us. Implementing the Citadel creates a paved road to production, moving an agent from a demo into a verifiable production system. It allows builders to run their agents at high speed because they have replaced prompt-based hope with architectural certainty.
We are entering an era where the bottleneck to deployment is not the speed of code generation. The bottleneck is the ability to prove that the resulting swarm is governable. By replacing flakiness with deterministic lanes, we stop managing agents like unpredictable interns and start deploying them like hardened infrastructure. The Citadel empowers us to take the —-dangerously-skip-permissions flag off our agents and move into a world of industrialized, autonomous scale.
Exceptional piece on reframing agent security. The search throughput metric is genius because it quantifies something we've all felt but couldnt measure. Once you see agents as optimizers running at machine speed, the sycophancy loop becomes inevitable not a bug. Deterministic lanes solve what prompts cant, turning hope into architecture. Been thinkingabout this problem for months and this nails it.
Where do I find Citadel?