Filesystem containment solves one half of the blast radius problem. The other half is external state - agent hits a payment API, writes to a database, sends an email. Copy-on-write overlays can't roll that back. I've seen agents make 40 duplicate API calls because they crashed mid-task and retried from scratch with no deduplication. The filesystem was fine. The downstream systems were not. The hard version of this problem is making agent operations idempotent across external calls, not just safe locally.
Scheduling is easy. The hard part is everything between "started" and "done" - task needs human approval at step 3, fails at step 5 (retry from 4 or from scratch?), takes 6 hours and something restarts. How do they handle tasks that span multiple inference calls? Is there checkpointing or does it start over?
How do you run self-improving agents in production though? Agent OOM-kills mid-improvement - state gone. Agent spawns sub-agents - no idea if they finished or died. Agent needs human sign-off - can't just block on stdin. I build multi-agent infra and 90% of the work is this boring stuff. Checkpointing, delivery tracking, async human oversight. The agent logic itself is maybe 10%.
IRC as transport is great until you need delivery guarantees. It's at-most-once - agent disconnects, whatever happened in between is gone. For chat that's fine, for an agent processing real work you want at-least-once with dedup. SSE is a nice middle ground. Persistent like IRC, works through any proxy, and you can layer ack/redelivery on top. Agent crashes, reconnects, unacked items show up again.
reply