diff --git a/ansible/playbooks/agent_startup.yml b/ansible/playbooks/agent_startup.yml
index 75c74962..d13a57a2 100644
--- a/ansible/playbooks/agent_startup.yml
+++ b/ansible/playbooks/agent_startup.yml
@@ -19,6 +19,24 @@
 version: "{{ upstream_branch }}"
 force: true
 tags: [pull]
+ register: git_pull
+ ignore_errors: true
+
+ - name: "Fallback: restore config from deadman snapshot if upstream pull failed"
+ shell: |
+ if [ ! -f "{{ wizard_home }}/config.yaml" ] || [ ! -f "{{ deadman_snapshot_dir }}/config.yaml.known_good" ]; then
+ echo "SKIP: config or snapshot missing"
+ exit 0
+ fi
+ if [ {{ git_pull.failed | default('false') }} = true ] || [ {{ git_pull.rc | default(0) }} -ne 0 ]; then
+ echo "Upstream pull failed — restoring config from deadman snapshot..."
+ cp "{{ deadman_snapshot_dir }}/config.yaml.known_good" "{{ wizard_home }}/config.yaml"
+ echo "Config restored from snapshot."
+ else
+ echo "Upstream pull succeeded — no action needed."
+ fi
+ tags: [pull, fallback]
+ when: deadman_enabled | default(true)

 - name: "Deploy golden state config"
 include_role:
diff --git a/ansible/roles/golden_state/tasks/main.yml b/ansible/roles/golden_state/tasks/main.yml
index 9c69c8a9..f5cde063 100644
--- a/ansible/roles/golden_state/tasks/main.yml
+++ b/ansible/roles/golden_state/tasks/main.yml
@@ -15,7 +15,7 @@
 template:
 src: "../../wizard_base/templates/wizard_config.yaml.j2"
 dest: "{{ wizard_home }}/config.yaml"
- mode: "0644"
+ mode: "0444" # Read-only — ephemeral thin config
 backup: true
 notify:
 - "Restart hermes agent (systemd)"
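Review bot: The shell test `[ {{ git_pull.failed | default('false') }} = true ]` in the fallback task compares against lowercase `true`, but Jinja renders a registered boolean as `True`/`False`, and the `git` result may not carry `rc` at all, so the restore branch will probably never run when the pull fails. Move the decision into `when:` (`git_pull is defined and git_pull is failed`) and use `copy` with `remote_src: true`, which also stops templating variables into shell text. With `ignore_errors: true` the snapshot silently becomes the source of truth after any failed pull, so `deadman_snapshot_dir` should be writable only by the deploying account and the snapshot ideally checksum-verified before it is restored; the directory's permissions are not visible here. The following "Deploy golden state config" task appears to template the same `config.yaml`, which would overwrite the restored file, so the intended order is worth confirming. The git task starts above this hunk and the deploy task continues below it.

```yaml
# … unchanged: git task with register: git_pull / ignore_errors: true …

- name: "Fallback: look for deadman snapshot"
  stat:
    path: "{{ deadman_snapshot_dir }}/config.yaml.known_good"
  register: deadman_snapshot
  tags: [pull, fallback]

# Note: unlike the shell version, this also restores when config.yaml is absent.
- name: "Fallback: restore config from deadman snapshot if upstream pull failed"
  copy:
    src: "{{ deadman_snapshot_dir }}/config.yaml.known_good"
    dest: "{{ wizard_home }}/config.yaml"
    remote_src: true
    mode: "0444"  # same mode the golden_state template sets
  when:
    - deadman_enabled | default(true)
    - git_pull is defined
    - git_pull is failed
    - deadman_snapshot.stat.exists
  tags: [pull, fallback]
```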
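Review bot: Mode `"0444"` on the `template` task makes `config.yaml` read-only only for accounts that do not own it, and no `owner`/`group` is set in the visible lines, so if the agent runs as the file's owner it can still chmod or replace the file. If the read-only bit is meant as a hardening control, pin ownership explicitly, for example `owner: root` and `group: root`, and consider `"0440"` or tighter should the rendered config carry credentials, since `0444` leaves it world-readable. The fallback task added in agent_startup.yml writes to this same path with plain `cp`, which fails against a `0444` file unless the play runs as root. The template task begins above this hunk and its `notify` list may continue below it.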