deprecate coily ssh in favor of Agent Channels + per-host agent-guard validation #14

Closed
opened 2026-05-27 07:17:19 +00:00 by coilysiren · 1 comment
Owner

Problem

coily ssh kai-server "<arbitrary>" is pre-allowed (under coily:*) and runs the opaque string as kai@kai-server with full local shell semantics on the remote side. Local argv validation cannot reach across the SSH pipe - coily sees coily ssh kai-server "X", but X is interpreted by the remote shell with kubeconfig at /etc/rancher/k3s/k3s.yaml, full docker socket, full tailscale auth, all SSH keys reachable from there.

This is a tier-skip: it bypasses every local deny (kubectl, docker, package managers, git destructive) by running them on a host where those denies do not exist. kai-server is the homelab control plane (k3s, eco-server, factorio-server, gpg-ssm signing keys), so the blast radius is the worst of any single primitive on the local boundary.

The argv-cannot-see-across-the-pipe property is structural. Wrapping ssh with verb allowlists is possible but unsatisfying - every new remote operation needs a new verb, and ad-hoc remote debugging escapes the boundary by design.

Resolution

Deprecate coily ssh entirely. Cross-host execution moves to o2r Agent Channels + per-host agent-guard validation.

Under the new shape:

  • Messages are typed at both ends. The remote host's agent-guard validates the message against its own routing table before exec.
  • Opaque shell strings shipped over SSH are no longer the primitive. The Agent Channel protocol carries structured verbs.
  • Audit lives natively in the OTel spans the relay already emits, not in a separate local audit log that misses everything past the SSH boundary.

The argv-cannot-see-across-the-pipe problem disappears because there is no pipe - both ends understand the same typed protocol.

Scope of this issue

Track the removal of coily ssh from the coily verb table once o2r Agent Channels reach feature parity for the recurring remote operations (k3s status, log tails, game-server restarts, eco-mod redeploys). Do not remove preemptively.

Out of scope

  • Designing the Agent Channel protocol itself. That work lives in this repo (otel-a2a-relay).
  • The local-only side of the coily boundary (covered by separate issues from the same walk on agentic-os-kai).

Origin

Surfaced 2026-05-26 during a security-boundary walk with Claude (issue 7 of 8). The decision to deprecate coily ssh rather than wrap it with verb allowlists was Kai's call in the same conversation.

**Problem** `coily ssh kai-server "<arbitrary>"` is pre-allowed (under `coily:*`) and runs the opaque string as `kai@kai-server` with full local shell semantics on the remote side. Local argv validation cannot reach across the SSH pipe - coily sees `coily ssh kai-server "X"`, but X is interpreted by the remote shell with kubeconfig at `/etc/rancher/k3s/k3s.yaml`, full docker socket, full tailscale auth, all SSH keys reachable from there. This is a tier-skip: it bypasses every local deny (kubectl, docker, package managers, git destructive) by running them on a host where those denies do not exist. kai-server is the homelab control plane (k3s, eco-server, factorio-server, gpg-ssm signing keys), so the blast radius is the worst of any single primitive on the local boundary. The argv-cannot-see-across-the-pipe property is structural. Wrapping ssh with verb allowlists is possible but unsatisfying - every new remote operation needs a new verb, and ad-hoc remote debugging escapes the boundary by design. **Resolution** Deprecate `coily ssh` entirely. Cross-host execution moves to o2r Agent Channels + per-host `agent-guard` validation. Under the new shape: - Messages are typed at both ends. The remote host's `agent-guard` validates the message against its own routing table before exec. - Opaque shell strings shipped over SSH are no longer the primitive. The Agent Channel protocol carries structured verbs. - Audit lives natively in the OTel spans the relay already emits, not in a separate local audit log that misses everything past the SSH boundary. The argv-cannot-see-across-the-pipe problem disappears because there is no pipe - both ends understand the same typed protocol. **Scope of this issue** Track the removal of `coily ssh` from the coily verb table once o2r Agent Channels reach feature parity for the recurring remote operations (k3s status, log tails, game-server restarts, eco-mod redeploys). Do not remove preemptively. **Out of scope** - Designing the Agent Channel protocol itself. That work lives in this repo (otel-a2a-relay). - The local-only side of the coily boundary (covered by separate issues from the same walk on agentic-os-kai). **Origin** Surfaced 2026-05-26 during a security-boundary walk with Claude (issue 7 of 8). The decision to deprecate `coily ssh` rather than wrap it with verb allowlists was Kai's call in the same conversation.
coilysiren added
P4
and removed
P3
labels 2026-06-04 08:16:41 +00:00
Author
Owner

Backlog burndown 2026-06-17: closing low-priority (P3/P4) to bring the open count to a manageable level. Nothing lost — reopen if this resurfaces. Batch tag: burndown-2026-06.

Backlog burndown 2026-06-17: closing low-priority (P3/P4) to bring the open count to a manageable level. Nothing lost — reopen if this resurfaces. Batch tag: `burndown-2026-06`.
coilysiren 2026-06-17 08:23:55 +00:00
Commenting is not possible because the repository is archived.
No description provided.