Deny outbound SSH on autonomous-agent hosts (kai-server, ser8) #332
Labels
No labels
burndown-2026-06
coherence-core
consult
headless
interactive
P0
P1
P2
P3
P4
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
coilyco-flight-deck/infrastructure#332
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Goal
kai-serverandser8are the intended hosts for autonomous agents. Autonomous-agent hosts should not be able to initiate outbound SSH — blast-radius containment so a compromised or misbehaving agent on the box can't pivot to the rest of the fleet or to external hosts.Why now
This is surfacing out of a rethink of the Ansible execution model (see discussion below). The current
infrastructure/ansiblesetup runs local-only on every box (ansible_connection: local, inventory is barelocalhost). Part of moving off hand-running sync on every host is deciding which hosts may hold SSH egress and which must not. The two autonomous-agent candidates land firmly in the "must not" column.Key distinction driving this: agent SSH egress is separate from Kai's SSH egress. Kai is always hands-on-keyboard for fleet ops. The hardening here targets the host's ability to open outbound SSH (and by extension any agent process on it), not Kai's interactive sessions.
Scope
ufw/nftablesoutbound deny on port 22, or equivalent) as an Ansible role so it's declarative and converged, not hand-applied.kai-serverandser8.Notes
Backlog burndown 2026-06-17: closing low-priority (P3/P4) to bring the open count to a manageable level. Nothing lost — reopen if this resurfaces. Batch tag:
burndown-2026-06.