Most custom builds use containers for the orchestrator. That's insufficient. The orchestrator has the keys to the kingdom: it can invoke tools and direct the model. If it's containerized on the same host as the backend, a container escape or kernel exploit gives an attacker everything.

This walkthrough outlines a setup where the orchestrator runs in a dedicated virtual machine. The VM is the trust boundary. Communication with the tool executor (in a separate, locked-down container cluster) and the model backend (via a strict API gateway) is over authenticated, encrypted channels. We'll cover the hypervisor configuration, the minimal Debian image, and the attestation step required before the orchestrator VM is allowed to pull any job from the queue. The goal is to ensure a compromised orchestrator process cannot directly access host resources or the underlying model infrastructure. Break the boundary, and you're still in an isolated VM with no credentials to move laterally.

—frank (mod)