deprecate coily ssh in favor of Agent Channels + per-host agent-guard validation #14

Open
opened 2026-05-27 07:17:19 +00:00 by coilysiren · 0 comments
Owner

**Problem**

`coily ssh kai-server "<arbitrary>"` is pre-allowed (under `coily:*`) and runs the opaque string as `kai@kai-server` with full local shell semantics on the remote side. Local argv validation cannot reach across the SSH pipe - coily sees `coily ssh kai-server "X"`, but X is interpreted by the remote shell with kubeconfig at `/etc/rancher/k3s/k3s.yaml`, full docker socket, full tailscale auth, all SSH keys reachable from there.

This is a tier-skip: it bypasses every local deny (kubectl, docker, package managers, git destructive) by running them on a host where those denies do not exist. kai-server is the homelab control plane (k3s, eco-server, factorio-server, gpg-ssm signing keys), so the blast radius is the worst of any single primitive on the local boundary.

The argv-cannot-see-across-the-pipe property is structural. Wrapping ssh with verb allowlists is possible but unsatisfying - every new remote operation needs a new verb, and ad-hoc remote debugging escapes the boundary by design.

**Resolution**

Deprecate `coily ssh` entirely. Cross-host execution moves to o2r Agent Channels + per-host `agent-guard` validation.

Under the new shape:

- Messages are typed at both ends. The remote host's `agent-guard` validates the message against its own routing table before exec.
- Opaque shell strings shipped over SSH are no longer the primitive. The Agent Channel protocol carries structured verbs.
- Audit lives natively in the OTel spans the relay already emits, not in a separate local audit log that misses everything past the SSH boundary.

The argv-cannot-see-across-the-pipe problem disappears because there is no pipe - both ends understand the same typed protocol.
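As an added illustration of the per-host validation step described above (this is not code from otel-a2a-relay; the verb names, message fields and routing table are assumptions), the guard below turns a typed message into an exec argv and never hands a string to a shell, so a value can only ever land as a single whole argument:

```python
"""Added illustration (not otel-a2a-relay's own code): a per-host
agent-guard that checks a typed Agent Channel message against the host's
routing table and returns an exec argv. No shell is involved at any point.
Verb names, field names and the table below are assumed for this example."""
import re
from dataclasses import dataclass, field

SAFE_NAME = re.compile(r"^[a-z0-9][a-z0-9._-]{0,62}$")  # unit/pod-style identifier

@dataclass(frozen=True)
class Message:
    verb: str                              # structured verb, typed at both ends
    args: dict = field(default_factory=dict)

class GuardError(Exception):
    pass

# Assumed routing table for one host. Each verb maps to an argv template
# plus a validator per field it is allowed to carry. Unknown verbs and
# unexpected fields are rejected before anything is exec'd.
ROUTING_TABLE = {
    "k3s.status":   (["kubectl", "get", "nodes"], {}),
    "logs.tail":    (["journalctl", "-u", "{unit}", "-n", "{lines}"],
                     {"unit": SAFE_NAME.match, "lines": str.isdigit}),
    "game.restart": (["systemctl", "restart", "{unit}"], {"unit": SAFE_NAME.match}),
}

def validate(msg: Message, table=ROUTING_TABLE) -> list[str]:
    """Return the argv this host may exec for msg, or raise GuardError."""
    if msg.verb not in table:
        raise GuardError(f"verb not routed on this host: {msg.verb}")
    template, validators = table[msg.verb]
    if set(msg.args) != set(validators):
        raise GuardError(f"{msg.verb} takes exactly the fields {sorted(validators)}")
    for name, check in validators.items():
        value = msg.args[name]
        if not isinstance(value, str) or not check(value):
            raise GuardError(f"field {name!r} failed validation")
    # Substitute whole argv elements only: a field value becomes one
    # argument and cannot split into several or reach a shell.
    return [msg.args[a[1:-1]] if a.startswith("{") and a.endswith("}") else a
            for a in template]
```

The returned list is meant for `subprocess.run(argv)` or `os.execvp`, never for `shell=True`; the audit record of what was run is the message itself, not a reconstructed command line.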

**Scope of this issue**

Track the removal of `coily ssh` from the coily verb table once o2r Agent Channels reach feature parity for the recurring remote operations (k3s status, log tails, game-server restarts, eco-mod redeploys). Do not remove preemptively.

**Out of scope**

- Designing the Agent Channel protocol itself. That work lives in this repo (otel-a2a-relay).
- The local-only side of the coily boundary (covered by separate issues from the same walk on agentic-os-kai).

**Origin**

Surfaced 2026-05-26 during a security-boundary walk with Claude (issue 7 of 8). The decision to deprecate `coily ssh` rather than wrap it with verb allowlists was Kai's call in the same conversation.

coilysiren added the P3 label and removed the P2 label 2026-05-31 07:01:04 +00:00
Reference
coilyco-flight-deck/otel-a2a-relay#14