docs: add SSH sandbox transport guide for local deployments#155
docs: add SSH sandbox transport guide for local deployments#155howie wants to merge 2 commits intoopenabdev:mainfrom
Conversation
github-actions
Bot
added
needs-rebase
pending-contributor
and removed
needs-rebase
pending-contributor
labels
github-actions
Bot
added
needs-rebase
pending-contributor
and removed
needs-rebase
pending-contributor
labels
chaodu-agent
left a comment
chaodu-agent
left a comment
There was a problem hiding this comment.
🟡 Needs Rebase — Excellent docs-only PR, all content is net-new, but stale with merge conflicts.
Baseline Check (Step 0)
| Field | Value |
|---|---|
| State | OPEN |
| Mergeable | CONFLICTING |
| Created | 2026-04-09 (22 days ago) |
| Last commit | 2026-04-09 |
| Author | @ChunHao-dev |
| Changes | +151 / -0, docs only |
| Labels | closing-soon |
Main has: Zero SSH sandbox content. No docs/ssh-sandbox.md, no SSH config in config.toml.example, no SSH section in README. All 151 lines are net-new.
四問框架
1. 解決什麼問題
Users running OpenAB locally (not in K8s) need a way to sandbox agent processes on a remote host via SSH. The current docs only cover K8s pod-based deployments.
2. 怎麼解決
Adds docs/ssh-sandbox.md with full SSH transport guide (architecture, MCP access patterns, known limitations), SSH config snippet in config.toml.example, and a brief README section linking to the new doc.
3. 考慮過什麼
Explains why -T (no PTY) is mandatory (PTY corrupts JSON-RPC), BatchMode=yes for daemon context, StrictHostKeyChecking=accept-new for TOFU.
4. 最佳方案嗎
Solid approach — SSH as transparent stdio byte pipe is exactly how AcpConnection::spawn() works. The doc covers the three most common MCP access patterns (host DNS alias, SSH port forwarding, network bridge).
🟢 INFO
- The
-Tflag explanation table is outstanding — clearly explains why PTY corrupts JSON-RPC. Will save users hours of debugging. BatchMode=yesrationale is correct and important for daemon context.- MCP access patterns cover the three most common setups cleanly.
- Known limitations section is honest and actionable (especially
kill_on_drop+ ControlMaster warning). - ASCII architecture diagram is a nice touch.
- Zero code changes — pure docs, low risk.
🟡 NIT
-
TOFU security note —
StrictHostKeyChecking=accept-newis trust-on-first-use. For a doc that motivates itself with "meaningful attack surface," consider noting the tradeoff and suggesting users pin the host key first:ssh-keyscan sandbox-host >> ~/.ssh/known_hosts. -
Config snippet duplication — The SSH config appears in three places (README, config.toml.example, docs/ssh-sandbox.md). Consider having README and config.toml.example reference
docs/ssh-sandbox.mdas the single source of truth. -
working_dir = "/tmp"is misleading — This sets the local cwd for the SSH process, not the remote agent's working directory. A brief inline comment would help.
🔴 SUGGESTED CHANGES
- Merge conflict — PR status is CONFLICTING. Needs rebase onto current main before merge.
Documents SSH as a zero-code-change transport to run agents inside isolated VMs or containers, addressing the security concern of agents running with full host permissions in local deployments. - Add SSH config snippet to config.toml.example with flag rationale - Add docs/ssh-sandbox.md covering setup, MCP access patterns, and known limitations (-T requirement, kill_on_drop, key auth) - Add brief SSH Sandbox section to README linking to the new doc Closes openabdev#104 Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
|
All PRs must reference a prior Discord discussion to ensure community alignment before implementation. Please edit the PR description to include a link like: This PR will be automatically closed in 3 days if the link is not added. |
|
Discord Discuss: https://discord.com/channels/1491295327620169908/1499981797231169536 |
chaodu-agent
left a comment
chaodu-agent
left a comment
There was a problem hiding this comment.
APPROVE ✅ — Rebase done, docs-only PR, 100% net-new. One small action needed to clear closing-soon label.
📋 Update from Previous Review
Previous review (2026-05-01) was Conditional Approve pending rebase. Contributor has:
- ✅ Rebased — now MERGEABLE (was CONFLICTING)
- ✅ Added Discord Discussion URL (in comment)
- ✅
working_dircomment inconfig.toml.examplealready addresses NIT #3
🧭 Four-Question Framework
1. What problem does this solve?
Users running OpenAB locally (not in K8s) need a way to sandbox agent processes. The current docs only cover K8s pod-based deployments. Running claude --acp directly on the host gives the agent full filesystem and network access — a meaningful attack surface for a Discord bot accepting messages from arbitrary users.
2. How does it solve it?
Adds docs/ssh-sandbox.md (114 lines) — a comprehensive SSH transport guide covering:
- Architecture diagram (current vs proposed)
- SSH flag explanations (why
-Tis mandatory,BatchMode=yesfor daemon context) - Sandbox options table (OrbStack, nspawn, remote, Docker)
- MCP server access patterns (host DNS alias, SSH port forwarding, network bridge)
- Known limitations (
kill_on_drop, startup latency, key auth requirement)
Plus SSH config snippet in config.toml.example and a brief README section linking to the new doc.
3. What was considered?
SSH as a transparent stdio byte pipe is exactly how AcpConnection::spawn() works — zero code changes needed. The doc correctly identifies the three most common MCP access patterns and honestly documents limitations.
4. Is this the best approach?
Yes. Well-structured, honest about tradeoffs, and covers the practical scenarios users will encounter.
🚦 Traffic Light
🟢 INFO — The -T flag explanation table is outstanding. Will save users hours of debugging PTY-corrupted JSON-RPC streams.
🟢 INFO — Known limitations section is honest and actionable, especially the kill_on_drop + ControlMaster warning.
🟢 INFO — Zero code changes, pure docs, low risk. All content is net-new (no SSH sandbox docs exist on main).
🟡 NIT — Discord Discussion URL was posted in a comment but not added to the PR body. The closing-soon bot checks the body, so the label is still present. Please add Discord Discussion URL: https://discord.com/channels/1491295327620169908/1499981797231169536 to the PR body to clear it.
Review by 超渡法師 🙏 — great docs contribution!
超渡法師 Review — PR #1551. What problem does it solve?OpenAB's default local deployment runs the agent subprocess with full host permissions. There's no documentation on how to isolate the agent in a sandbox for local (non-k3s) deployments. This PR documents SSH as a zero-code-change transport to run the agent inside an isolated VM or container. 2. How does it solve it?Docs-only PR (+151 lines, 0 deletions) across 3 files:
3. What was considered?
4. Is this the best approach?Yes. SSH as a stdio byte pipe is a clean fit for Traffic Light🟢 INFO — Excellent technical depth
🟢 INFO — Good architectural framing
🟡 NIT
Verdict🟢 Looks good — Clean, well-scoped docs PR. No blocking issues. The NITs are minor improvements for security-conscious users. |
- Add working_dir comment to README snippet (local SSH cwd, not remote agent workdir) - Expand StrictHostKeyChecking section: explain TOFU semantics and how to pre-populate known_hosts for production - Add ControlMaster caveat: note that global ~/.ssh/config ControlMaster auto applies and how to override per host Co-Authored-By: Claude Sonnet 4.6 <[email protected]>
2 participants
Summary
config.toml.examplewith inline comments explaining each flag (especially why-Tis mandatory)docs/ssh-sandbox.mdcovering the full setup: architecture, MCP access patterns from inside a sandbox, and known limitationsChanges
This is a docs-only PR addressing issue #104. Zero code changes — SSH works as a transparent stdio byte pipe, which is exactly how
AcpConnection::spawn()communicates with agents.Closes #104
Test plan
config.toml.examplehas no syntax errors in the commented SSH blockdocs/ssh-sandbox.mdresolve correctly🤖 Generated with Claude Code