Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request)
Description
In order to protect infrastructure from the errors or security vulnerabilities of AI agents, we should make an ideal architecture like this:
"api-orchestrator" - has access to the AI API and the GitHub API, by storing tokens only here, but all execution of commands is delegated to the "worker"
|
"compute-orchestrator" (optional) - it has responsibility for maintaining the compute cluster and balancing the load between worker machines; it also has the ability to shut down, reinstall, or recreate each virtual machine or worker Docker environment. So the compute cluster can be executed either in a Kubernetes cluster (multiple virtual machines) or locally with minikube and multiple Docker containers.
|
"worker" - executed in a virtual machine or Docker container that has its own Ubuntu 24.04 server; it can access the internet or the virtual machine (sandbox) with 100% freedom. The orchestrator will provide a virtual gh command, which is actually executed partially in the worker's workspace and partially via the orchestrator machine (all API calls can be executed only there, because the virtual gh command does not have any access to the token itself).
The best-known strategy for protecting API tokens as of today is a client-server architecture, which ensures we never store actual tokens on the worker machine, where they could be stolen. So API tokens become available only via the service.