Your Kill Switch Doesn't Work Until You've Pulled It

Every system you've never tested in anger is a system that doesn't exist.

I run a fleet of autonomous AI agents — trading bots executing real capital, content pipelines publishing to live channels, an agent platform routing messages through an org hierarchy 24/7. The whole thing runs on two physical machines in my apartment. There's no SRE team. No on-call rotation. Just me, a broker process, and the assumption that if something goes sideways at 3 AM, the kill switch will do its job.

Last week I stopped assuming and pulled the lever.

The Four Levels of Shutdown

The Principal broker — the A2A message routing layer that coordinates my entire agent fleet — implements a graduated kill switch. Four levels, each more destructive than the last:

The design is deliberate. Most incidents don't need a nuclear option. A rogue position on DOGE-USD doesn't require freezing the content pipeline. Graduated response preserves revenue while containing damage — the same principle behind military rules of engagement. You don't carpet-bomb a village because one sniper is on a rooftop.

Level 1 and Level 2 passed clean. Asset halt isolated DOGE-USD without touching the other three daemons (Foresight, Shiva, Hermes, Leverage). Full trading halt stopped all four, created an incident record, captured six audit log entries, and resumed to level zero with the incident resolved. Textbook.

Then things got interesting.

The Gap That Would Have Burned Us

Level 2's "full trading halt" calls launchctl stop on each trading daemon. Clean, native macOS process management. One problem: the broker runs on Knox (the Mac Mini), but the trading bots run on Tesseract — a separate machine at 192.168.1.150.

The launchctl stop commands succeeded silently. No errors. No warnings. They just did nothing, because the processes they targeted don't exist on the broker's host. The trading bots on Tesseract kept running, completely unaware that the kill switch had been "pulled."

The fix is straightforward: Level 2 needs to SSH to Tesseract for trading daemon stops, matching the pattern already implemented in the Level 4 nuclear path. The code for remote shutdown exists — it just wasn't wired into the intermediate levels. A classic case of building the extreme case first and assuming the middle tiers inherited the same capability.

They didn't.

The Broker Killed Itself

Level 3 — Agent Freeze — is designed to stop everything except two watchdog processes: Horus (the monitoring daemon) and Sentinel (a cron-based health checker). The implementation iterates over ALL_KNOX_DAEMONS and calls launchctl stop on each one.

The broker is in ALL_KNOX_DAEMONS.

So Level 3 dutifully killed the process responsible for managing the kill switch itself. The broker committed suicide mid-drill.

The most dangerous thing in the world is a lieutenant with a map and a compass.

— Murphy's Laws of Combat · Traditional

Now, macOS KeepAlive=true restarted the broker within seconds. The API came back up clean. Horus survived. From a pure availability standpoint, it recovered. But here's the problem: the kill switch state — the current level, the active incident, the list of stopped daemons — lived in memory. When the broker restarted, it came up at level zero with no incident. The amnesia restart erased all evidence that a Level 3 freeze was in progress.

If this had been a real incident — say, an agent gone rogue burning through API credits — the broker would restart, see no active halt, and the rogue agent's daemon would potentially restart too. The kill switch would have created a momentary disruption followed by a full resumption of the exact behavior you were trying to stop.

Two fixes present themselves. The simple one: remove the broker from ALL_KNOX_DAEMONS so it never kills itself. The robust one: persist halt state to SQLite so it survives restarts. The right answer is both — defense in depth. You don't choose between not shooting yourself and wearing a vest.

Why Drills Beat Design Reviews

I designed this kill switch. I wrote the graduated response model. I reviewed the code. I approved the PR. And I still missed both of these gaps — the silent no-op on the wrong host, and the broker self-termination — because they're emergent behaviors that only surface when the system executes against real infrastructure topology.

This is the same lesson the military learned decades ago. War games aren't conducted because generals don't understand their own battle plans. They're conducted because plans interact with terrain in ways that no amount of tabletop analysis can predict. The map is not the territory. The code is not the system.

Netflix understood this with Chaos Monkey. Google understood this with DiRT (Disaster Recovery Testing). But in the AI agent space, almost nobody is running kill switch drills. The industry is racing to give agents more autonomy, more tool access, more ability to spend money and take actions — and treating the emergency stop as a checkbox feature that ships untested.

My four trading daemons manage real positions. Foresight alone runs a signal stack with 82.5% historical accuracy on directional calls. The stakes aren't theoretical. A kill switch that doesn't actually kill is a liability masquerading as a safety feature.

The Level 4 Question

We didn't test Level 4. It requires the confirmation phrase "SHUTDOWN INVICTUS" and is genuinely destructive — full infrastructure power-down across both machines. That gets tested in a scheduled maintenance window with me physically present at both machines, not during a Sunday morning drill over VPN.

This is its own lesson. Graduated testing matters. You don't validate your nuclear option the same way you validate your asset halt. The blast radius determines the testing protocol, not the other way around. Running Level 4 cavalierly because "we should test everything" would be as reckless as never testing it at all.

The drill took less than an hour. It found two bugs that design review, code review, and unit tests all missed. Both bugs would have manifested as false confidence during a real incident — the most dangerous failure mode in any safety system.

Your kill switch is a hypothesis until you test it. And the gap between "the code handles this" and "the system handles this" is where incidents live. Every operator running autonomous agents with real-world consequences — financial, reputational, operational — owes it to themselves to pull the lever before the market forces them to.

The next drill is scheduled for April. Level 4. Both machines. Knox present. No VPN.