A sandboxed on-call agent. Reads use a coarse 30-minute lease per host; writes use a 60-second lease scoped to one binary + one target. The lease is the only guard.
Either the agent has shell or it doesn't. Granting it shell means
trusting it not to rm -rf /; refusing it means a human has to relay
every journalctl query. The middle ground — "this binary, against
this host, for the next minute" — has no shape in HTTP/RPC frameworks.
let lease = acquire_lease(&client, &classify(argv, host)?, "OOM triage").await?;
// run subprocess under leasePermissions are typed, scoped to a resource, and time-boxed. Read-vs-write is a knob, not a binary.
permission.request/permission.grant/permission.deny— §15.4.requested_lease_secondsand the resource path convention — §15.5.stream.open(kind: "thought")+stream.chunkfor the agent's reasoning — §11.4.
main.rs— classify → acquire → run; reasoning streamed alongside.agent.rs— one-shotnext_stepLLM stub.
- Make the read lease per-namespace instead of per-host.
- Add a
host.exec.dry_runpermission for the agent to plan first. - Swap the lease duration with whatever your incident timer enforces.