feat(host-editor): add SSH-backed remote file editor #676

Merged
simon merged 1 commit from feat/host-editor-ssh-workflow into main 2026-06-16 06:58:52 +00:00
Owner

Summary

  • Makes Host Editor functional with signed short-lived editor sessions and SSH/SFTP-backed remote file open/read/diff/save/rollback flows.
  • Adds transient credential handling for password or private-key SSH auth; credentials are sent only for the active operation and are not stored or written to audit metadata.
  • Adds server-side policy, path, size, payload, binary, sudo-write, backup, validation, and stale-remote-file checks before remote operations.
  • Replaces the policy-check-only host tab with a usable CodeMirror Host Editor workspace.

What is now functional

  • Engineers can open approved remote text files over SFTP as the supplied SSH user.
  • Engineers can preview server-side diffs, run configured validation commands, save normal writable paths, save sudo-write paths through the sudo flow, and roll back from the latest Host Editor backup where permissions allow.
  • Remote backups are created with a timestamped .ctops-backup-<timestamp> suffix before writes.

Security controls

  • CT-Ops host editor policy is enforced server-side before every open/read, diff, validation, write, sudo write, and rollback operation.
  • Denylist rules and sensitive default blocks continue to win over allow rules.
  • Paths must be absolute and normalized; traversal and NUL bytes are rejected.
  • Read and write payload sizes are bounded; binary-looking content is rejected for editing.
  • Normal file operations use SFTP as the supplied SSH user so Linux permissions remain the inner boundary.
  • Sudo-write and validation use SSH exec only where SFTP cannot provide the required behavior.
  • SSH host-key verification uses the trusted host metadata already used by terminal access.
  • Audit events are written for sessions, opens, diff previews, write attempts, denied reads/writes, backups, validation runs, saves, and rollbacks without file contents or SSH credentials.

Unsupported / remaining limitations

  • This is Host Editor, not a full VS Code/code-server experience.
  • Sudo-write requires non-interactive sudo for the configured SSH user. Interactive sudo prompts are not supported.
  • Rollback restores the latest adjacent Host Editor backup only when the SSH user can write it back.

Validation

  • cd apps/web && node --experimental-strip-types --test lib/host-editor/operations.test.mjs lib/host-editor/policy.test.mjs
  • pnpm --filter web type-check
  • pnpm --filter web lint (passes with existing warnings tracked in #521)
  • pnpm --filter web test:unit
  • BETTER_AUTH_URL=http://localhost:3000 BETTER_AUTH_SECRET=local-build-secret-please-ignore DATABASE_URL=postgres://ctops:ctops@localhost:5432/ctops pnpm --filter web build (passes with existing Turbopack NFT warning tracked in #538)
  • Browser smoke check against local dev server reached login; dummy local DATABASE_URL had no Postgres server, so authenticated Host Editor UI could not be reached locally.

Companion docs PR: carrtech/website branch docs/host-editor-ssh-workflow.

## Summary - Makes Host Editor functional with signed short-lived editor sessions and SSH/SFTP-backed remote file open/read/diff/save/rollback flows. - Adds transient credential handling for password or private-key SSH auth; credentials are sent only for the active operation and are not stored or written to audit metadata. - Adds server-side policy, path, size, payload, binary, sudo-write, backup, validation, and stale-remote-file checks before remote operations. - Replaces the policy-check-only host tab with a usable CodeMirror Host Editor workspace. ## What is now functional - Engineers can open approved remote text files over SFTP as the supplied SSH user. - Engineers can preview server-side diffs, run configured validation commands, save normal writable paths, save sudo-write paths through the sudo flow, and roll back from the latest Host Editor backup where permissions allow. - Remote backups are created with a timestamped `.ctops-backup-<timestamp>` suffix before writes. ## Security controls - CT-Ops host editor policy is enforced server-side before every open/read, diff, validation, write, sudo write, and rollback operation. - Denylist rules and sensitive default blocks continue to win over allow rules. - Paths must be absolute and normalized; traversal and NUL bytes are rejected. - Read and write payload sizes are bounded; binary-looking content is rejected for editing. - Normal file operations use SFTP as the supplied SSH user so Linux permissions remain the inner boundary. - Sudo-write and validation use SSH exec only where SFTP cannot provide the required behavior. - SSH host-key verification uses the trusted host metadata already used by terminal access. - Audit events are written for sessions, opens, diff previews, write attempts, denied reads/writes, backups, validation runs, saves, and rollbacks without file contents or SSH credentials. ## Unsupported / remaining limitations - This is Host Editor, not a full VS Code/code-server experience. - Sudo-write requires non-interactive sudo for the configured SSH user. Interactive sudo prompts are not supported. - Rollback restores the latest adjacent Host Editor backup only when the SSH user can write it back. ## Validation - `cd apps/web && node --experimental-strip-types --test lib/host-editor/operations.test.mjs lib/host-editor/policy.test.mjs` - `pnpm --filter web type-check` - `pnpm --filter web lint` (passes with existing warnings tracked in #521) - `pnpm --filter web test:unit` - `BETTER_AUTH_URL=http://localhost:3000 BETTER_AUTH_SECRET=local-build-secret-please-ignore DATABASE_URL=postgres://ctops:ctops@localhost:5432/ctops pnpm --filter web build` (passes with existing Turbopack NFT warning tracked in #538) - Browser smoke check against local dev server reached login; dummy local DATABASE_URL had no Postgres server, so authenticated Host Editor UI could not be reached locally. Companion docs PR: carrtech/website branch `docs/host-editor-ssh-workflow`.
feat(host-editor): add SSH-backed remote file editor
All checks were successful
Conventional PR title / Conventional PR title (pull_request) Successful in 0s
PR Checks (Docker images) / Ansible API contract (pull_request) Successful in 6s
PR Checks (Docker images) / Detect Docker image changes (pull_request) Successful in 10s
Secret Scan / gitleaks (pull_request) Successful in 27s
PR Checks (Docker images) / Ingest Docker image (pull_request) Has been skipped
PR Checks (Docker images) / Ansible API Docker image (pull_request) Has been skipped
SAST / crypto-lint (no weak hashes / ciphers) (pull_request) Successful in 1m8s
SAST / semgrep (pull_request) Successful in 1m12s
SAST / gosec (agent) (pull_request) Successful in 1m59s
SAST / trivy (config / IaC) (pull_request) Successful in 2m3s
SAST / trivy (filesystem) (pull_request) Successful in 2m9s
SAST / gosec (ingest) (pull_request) Successful in 2m15s
PR Checks (Web) / Web (lint / type-check / build) (pull_request) Successful in 2m43s
PR Checks (Docker images) / Web Docker image (pull_request) Successful in 6m50s
d6a635eb6f
simon merged commit e1bbe161f1 into main 2026-06-16 06:58:52 +00:00
simon deleted branch feat/host-editor-ssh-workflow 2026-06-16 06:58:53 +00:00
Sign in to join this conversation.
No reviewers
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
carrtech/ct-ops!676
No description provided.