deprecate coily ssh in favor of Agent Channels + per-host agent-guard validation #14
Problem
coily ssh kai-server "<arbitrary>" is pre-allowed (under coily:*) and runs the opaque string as kai@kai-server with full local shell semantics on the remote side. Local argv validation cannot reach across the SSH pipe - coily sees coily ssh kai-server "X", but X is interpreted by the remote shell with kubeconfig at /etc/rancher/k3s/k3s.yaml, full docker socket, full tailscale auth, all SSH keys reachable from there.
This is a tier-skip: it bypasses every local deny (kubectl, docker, package managers, git destructive) by running them on a host where those denies do not exist. kai-server is the homelab control plane (k3s, eco-server, factorio-server, gpg-ssm signing keys), so the blast radius is the worst of any single primitive on the local boundary.
The argv-cannot-see-across-the-pipe property is structural. Wrapping ssh with verb allowlists is possible but unsatisfying - every new remote operation needs a new verb, and ad-hoc remote debugging escapes the boundary by design.
Resolution
Deprecate coily ssh entirely. Cross-host execution moves to o2r Agent Channels + per-host agent-guard validation.
Under the new shape:
agent-guard validates the message against its own routing table before exec.
The argv-cannot-see-across-the-pipe problem disappears because there is no pipe - both ends understand the same typed protocol.
Scope of this issue
Track the removal of coily ssh from the coily verb table once o2r Agent Channels reach feature parity for the recurring remote operations (k3s status, log tails, game-server restarts, eco-mod redeploys). Do not remove preemptively.
Out of scope
Origin
Surfaced 2026-05-26 during a security-boundary walk with Claude (issue 7 of 8). The decision to deprecate coily ssh rather than wrap it with verb allowlists was Kai's call in the same conversation.
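The contrast the issue describes, as an added sketch that is not coily, o2r or agent-guard code: a local argv check that sees only an opaque string behind coily ssh, next to a receiving-side check of a typed message against a routing table. The deny set, message shape, verb names and argv templates are all assumptions made for illustration.

```python
import shlex

# Assumed local policy modelled on the issue: coily:* is pre-allowed,
# these tools are denied when invoked directly.
LOCAL_DENY = {"kubectl", "docker"}

def local_argv_check(argv):
    """Local validation sees argv only; the remote command is one opaque string."""
    if argv[0] == "coily":
        return True  # pre-allowed under coily:*
    return argv[0] not in LOCAL_DENY

# Constructed sample: the denied tool rides inside argv[3], never inspected.
SAMPLE = shlex.split('coily ssh kai-server "kubectl get pods"')

def _digits(s):
    return s.isascii() and s.isdigit()

# Hypothetical per-host routing table: verb -> (argv template, param validators).
ROUTES = {
    "k3s.status": (["kubectl", "get", "nodes"], {}),
    "logs.tail": (
        ["journalctl", "-n", "{lines}", "-u", "{unit}"],
        {"lines": _digits, "unit": lambda u: u in {"k3s", "eco-server"}},
    ),
}

def guard_validate(msg):
    """Receiving side: return the argv to exec, or raise ValueError."""
    if not isinstance(msg, dict) or set(msg) != {"verb", "params"}:
        raise ValueError("malformed message")
    route = ROUTES.get(msg["verb"]) if isinstance(msg["verb"], str) else None
    if route is None:
        raise ValueError("unknown verb")
    template, checks = route
    params = msg["params"]
    if not isinstance(params, dict) or set(params) != set(checks):
        raise ValueError("unexpected parameters")
    for name, ok in checks.items():
        if not isinstance(params[name], str) or not ok(params[name]):
            raise ValueError(f"bad value for {name}")
    # Each value fills one whole argv slot; no shell parses it on either side.
    return [part.format(**params) for part in template]
```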