Infra SSH Security Model
Infra SSH is intentionally stricter than the rest of the control plane.
Access Gates
Layers
| Layer | Purpose |
|---|---|
| admin API key tier | prevents normal users from reaching infra SSH |
X-User-Id context | ties the request to a real acting user |
| approval lease | enables low-friction but explicit elevated access |
| host/action registry | removes raw command execution from the agent surface |
| audit log | records successful, denied, and failed operations |
Approval Model
The current model is a short-lived admin session rather than per-command confirmation.
That means:
- admins do not need to re-approve every action during active debugging
- privileged access still expires automatically
- every privileged call still records the lease id in the audit trail
File and Forward Boundaries
Infra SSH file operations are bounded to approved roots and temporary directories.
Named forwards are also constrained:
- only registered services can be forwarded
- invalid or conflicting local ports are rejected
- duplicate active forwards for the same service are rejected