# ops-exec

The trusted executor: run a typed, capability-gated **step** on a host and
**observe** a host, across the tailnet, with the trust model built in. It is the
one primitive under the internal ops suite — **Sando** (server promotion through
gated tiers), **Bento** (app build/sign/notarize/publish), and **ops-agent**
(the on-host half).

MIT licensed. Design spec: `_private/docs/ops-core/executor.md`.

## Trust root

SSH keys + Tailscale/Headscale are the **only** trust roots — no PKI, no token
service, no secrets manager. Identity comes from the tailnet node (`ops-agent`
resolves a caller via `tailscale whois`) and from SSH keys (the `SshExec`
transport authenticates exactly as today). `ops-exec` only *maps* that identity
to capabilities.

## Shape

- `Executor` — the trait, scoped to one `(host, CapabilitySet)`; held as
  `Arc<dyn Executor>`.
  - `run_streaming(&Step, &mut dyn LogSink) -> RunOutput`
  - `pull` / `push` (rsync, with `SyncOpts`)
  - `observe() -> Option<EventStream>` (E3; returns `None` in v1)
  - `capabilities()`
- Transports: `LocalExec`, `SshExec` (this crate); `AgentRpc` (feature `rpc`)
  talks to a remote `ops-agent`.
- `Step` / `Action` — the typed step vocabulary the capability check gates on.
  `Step::shell(action, "set -e; …")` is the shell idiom.
- `CapabilitySet` — the grant, enforced **twice**: caller-side (the transport
  rejects an ungranted action before dispatch) and agent-side
  (`CapabilitySet::intersect`, so a host's local grant is the ceiling).
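
The double enforcement described in the last item, as a self-contained model. This is an added example, not code from the `ops-exec` crate: the `Action` variants, the `Caps` and `Denied` types, and the function names are assumptions made for illustration.

```rust
use std::collections::BTreeSet;

// Hypothetical action vocabulary; the crate's real `Action` type is not shown on this page.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Action { Build, Sign, Publish, Restart }

// Stand-in for a capability grant (assumed shape: a plain set of actions).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Caps(BTreeSet<Action>);

impl Caps {
    pub fn of(actions: &[Action]) -> Self { Caps(actions.iter().copied().collect()) }
    pub fn allows(&self, a: Action) -> bool { self.0.contains(&a) }
    /// Intersection can only narrow: the result never holds an action missing from either side.
    pub fn intersect(&self, other: &Caps) -> Caps {
        Caps(self.0.intersection(&other.0).copied().collect())
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Denied { CallerSide(Action), AgentSide(Action) }

/// Check 1, caller side: refuse an ungranted action before anything is dispatched.
pub fn dispatch(caller_grant: &Caps, action: Action) -> Result<Action, Denied> {
    if caller_grant.allows(action) { Ok(action) } else { Err(Denied::CallerSide(action)) }
}

/// Check 2, agent side: do not assume check 1 ran. Intersect the caller's grant
/// with the host's local grant, so the host grant is the ceiling.
pub fn agent_accept(caller_grant: &Caps, host_local: &Caps, action: Action) -> Result<(), Denied> {
    let effective = caller_grant.intersect(host_local);
    if effective.allows(action) { Ok(()) } else { Err(Denied::AgentSide(action)) }
}

/// Both checks in order, as one request would meet them.
pub fn run(caller: &Caps, host: &Caps, action: Action) -> Result<(), Denied> {
    let a = dispatch(caller, action)?;
    agent_accept(caller, host, a)
}

fn main() {
    let caller = Caps::of(&[Action::Build, Action::Sign, Action::Publish]);
    let host = Caps::of(&[Action::Build, Action::Sign]); // constructed sample grants
    println!("{:?}", run(&caller, &host, Action::Sign));    // Ok(())
    println!("{:?}", run(&caller, &host, Action::Publish)); // Err(AgentSide(Publish))
    println!("{:?}", run(&caller, &host, Action::Restart)); // Err(CallerSide(Restart))
}
```

The `Publish` case is the one the second check exists for: the caller-side grant allows it, but the host never granted it locally, so the agent refuses.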

## Features

| Feature | Provides |
|---|---|
| (default) | the trait + `LocalExec`/`SshExec` + capabilities |
| `rpc` | the `AgentRpc` client transport |
| `agent` | the `ops-agent` binary + HTTP server (implies `rpc`) |

## ops-agent

```
cargo build --release --features agent --bin ops-agent
ops-agent --config config.toml
```

Deployment assets in `deploy/`: an Aqua `LaunchAgent` plist (macOS in-session
signing) and an example `config.toml`. Install on the Mac with **no root**:

```
launchctl bootstrap gui/$(id -u) ~/Library/LaunchAgents/work.makenot.ops-agent.plist
```