Skip to content

Comments

agent: add CLI session shim and remote install/repair with Tailscale#139

Open
AndreyMay wants to merge 2 commits intomodem-dev:mainfrom
AndreyMay:dev
Open

agent: add CLI session shim and remote install/repair with Tailscale#139
AndreyMay wants to merge 2 commits intomodem-dev:mainfrom
AndreyMay:dev

Conversation

@AndreyMay
Copy link

@AndreyMay AndreyMay commented Feb 23, 2026

What

This PR delivers two major operator/runtime improvements:

  • Adds CLI-backed dev-agent support with a session-control compatibility shim so control-agent can keep using send_to_session/list_sessions semantics.
  • Adds a new baudbot remote module for checkpointed remote install/repair workflows (Hetzner + existing hosts), including optional Tailscale setup for secure instance access.

Included changes

  • CLI dev-agent parity layer

    • pi/extensions/cli-session-shim.mjs
    • control-agent runner/update helpers under pi/skills/control-agent/scripts/
    • CLI persona templates under pi/skills/dev-agent-cli/
    • control-agent docs/heartbeat/architecture updates for backend selection + shim behavior

  • Remote operations module

    • baudbot remote command wired through bin/baudbot
    • new scripts:
      • bin/remote.sh
      • bin/lib/remote-common.sh
      • bin/lib/remote-ssh.sh
      • bin/lib/remote-hetzner.sh
    • checkpointed state + resume at ~/.baudbot/remote/targets/<target>.json
    • guided repair flow with safe and explicit advanced actions
    • Tailscale support:
      • install checkpoint tailscale_connected
      • flags: --tailscale, --no-tailscale, --tailscale-auth-key
      • status output includes Tailscale state/IP

  • Test coverage and docs

    • Added shell tests for new remote helpers/CLI
    • Added CLI dispatch regression tests
    • Updated docs in README.md, docs/operations.md, CONFIGURATION.md

Checklist

  • Tests pass (npm test)
  • Lint passes (npm run lint)
  • Docs updated (if behavior changed)
  • Security audit passes (bin/security-audit.sh --deep) — if touching security code

@greptile-apps
Copy link

greptile-apps bot commented Feb 23, 2026

Greptile Summary

This PR delivers CLI-backed dev-agent support and remote install/repair workflows, enabling control-agent to spawn ephemeral dev agents using Claude Code or Codex CLIs instead of only the pi runtime.

Major changes include CLI session shim providing Unix socket RPC compatibility, remote operations module with checkpointed workflows for Hetzner and existing hosts, optional Tailscale integration, control-agent scripts for CLI backend lifecycle, and comprehensive test coverage with 500+ new test lines.

Implementation uses curl with bash pattern for remote bootstrap (hardcoded to trusted sources), SSH with StrictHostKeyChecking accept-new for automated provisioning, and state files stored with restrictive permissions.

Confidence Score: 4/5

  • Safe to merge with minor security considerations around remote script execution
  • Well-tested implementation with comprehensive test coverage. The code follows security best practices (SSH key permissions, state file permissions, input validation). Remote script execution (curl | bash) is used appropriately for install workflows with hardcoded trusted URLs. Some caution needed around operator environment security (API tokens, SSH keys stored locally)
  • Pay attention to bin/remote.sh lines 126 and 220-221 which execute remote scripts - ensure URLs remain pointed at trusted sources

Important Files Changed

Filename Overview
pi/extensions/cli-session-shim.mjs Adds Unix socket RPC server that bridges control-agent's session protocol to CLI-backed dev agents, handling send/get_message/abort/subscribe commands
bin/remote.sh Main orchestration script for remote install/repair workflows with checkpoint-based resume, Tailscale integration, and interactive/dry-run modes
bin/lib/remote-common.sh Shared state management and utilities for remote workflows, handles JSON checkpoint persistence and target validation
bin/lib/remote-ssh.sh SSH/SCP wrappers with consistent options (accept-new host keys, timeouts, keepalives) for remote operations
bin/lib/remote-hetzner.sh Hetzner API integration for server/SSH key provisioning with JSON response parsing and cleanup operations
pi/skills/control-agent/scripts/run-cli-agent.sh Launch wrapper for CLI-backed dev agents (claude-code/codex), handles tmux session creation, persona templating, and shim coordination

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[baudbot remote install] --> B{Mode?}
    B -->|hetzner| C[Provision Hetzner Server]
    B -->|host| D[Use Existing Host]
    
    C --> E[Create SSH Key]
    D --> E
    
    E --> F[Wait SSH Reachable]
    F --> G[Run Bootstrap Script]
    G --> H[Run baudbot install]
    H --> I[Run Doctor Check]
    
    I --> J{Tailscale?}
    J -->|enabled| K[Install Tailscale]
    K --> L[Tailscale Up]
    L --> M[Wait for Running State]
    J -->|skip| N[Mark Complete]
    M --> N
    
    N --> O[Save Checkpoint]
    
    P[control-agent] --> Q[Spawn CLI Dev Agent]
    Q --> R[Launch tmux Session]
    R --> S[Start CLI Session Shim]
    S --> T[Create Unix Socket]
    
    P --> U[send_to_session RPC]
    U --> T
    T --> V[Forward to tmux via send-keys]
    V --> W[CLI Agent Processes]
    W --> X[Capture tmux Output]
    X --> Y[Return via turn_end Event]
    Y --> P
Loading

Last reviewed commit: 216220d

@benvinegar
Copy link
Member

benvinegar commented Feb 23, 2026

Hey, can you help me understand what this looks like user side?

sentry[bot]
sentry bot reviewed Feb 23, 2026
View reviewed changes
bin/remote.sh
Comment on lines +990 to +993
local admin_user
admin_user="$(remote_prompt_default "Admin username for setup" "")"
if [ -n "$admin_user" ]; then
if ! remote_run_repair_action "$dry_run" "$ssh_user" "$host" "$ssh_key_path" "[$target] rerun setup" "sudo baudbot setup $admin_user"; then
Copy link

@sentry sentry bot Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: User input for the admin_user variable is not escaped before being used in a shell command, creating a command injection vulnerability in the 'rerun setup' action.
Severity: CRITICAL

Suggested Fix

The admin_user variable must be escaped before being used in the command string. Use a shell-quoting function, similar to how remote_shell_single_quote is used for the tailscale_auth_key, and wrap the escaped variable in single quotes within the command string to prevent shell interpretation.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: bin/remote.sh#L990-L993

Potential issue: The `admin_user` variable, obtained from user input via the
`remote_prompt_default` function, is directly interpolated into a shell command string
without proper escaping or quoting. This command is then executed on a remote host via
`remote_ssh_exec`. An attacker can provide a malicious string containing shell
metacharacters (e.g., `;`, `|`, or `$()`) as the admin username. This allows for
arbitrary command injection, leading to remote code execution on the managed system with
elevated privileges.

Did we get this right? 👍 / 👎 to inform future reviews.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@AndreyMay @benvinegar