Draft RFC: rfcs/0026-scoped-debug-sessions.md (in the working tree; commit when blessed). Needs human review before autonomous build — esp. the attested-project policy.
Gap: no way to debug ONE project on a multi-tenant daemon. Host SSH = root over all tenants (incl. attested); prod-OS has no SSH. The privileged ssh-debug sidecar bypassed the broker (host-net, raw docker.sock + dstack.sock) and has been removed — nothing replaces it.
Proposal: daemon-brokered, audited, TTL'd debug session into a SINGLE project container (exec + tail logs + read its dataDir) via the existing DockerProxy — no host shell, no other-tenant access, no raw dstack.sock.
POST /_api/projects/<name>/debug → mint TTL grant (audited) + scoped attach (exec/logs/read, that container only)
DELETE /_api/debug/<session> → revoke; auto-expire on TTL
- mirror
proxy/tunnel.py lifecycle (RFC 0003/0018 are the structural model); every action → proxy/audit.py
- Files:
proxy/ingress.py, proxy/docker_client.py (scoped exec/logs), proxy/audit.py, proxy/tunnel.py (model)
Open question for review: opening a debug session against an attested-mode project must not silently break its attestation story — stricter gating, recorded-event, or disallow in attested mode?
Completes the narrow-audited-axis set (0003 tunnels / 0017 state / 0018 secrets / 0026 debug) that makes the privileged sidecar permanently unnecessary.
Draft RFC:
rfcs/0026-scoped-debug-sessions.md(in the working tree; commit when blessed). Needs human review before autonomous build — esp. the attested-project policy.Gap: no way to debug ONE project on a multi-tenant daemon. Host SSH = root over all tenants (incl. attested); prod-OS has no SSH. The privileged
ssh-debugsidecar bypassed the broker (host-net, raw docker.sock + dstack.sock) and has been removed — nothing replaces it.Proposal: daemon-brokered, audited, TTL'd debug session into a SINGLE project container (exec + tail logs + read its dataDir) via the existing DockerProxy — no host shell, no other-tenant access, no raw dstack.sock.
POST /_api/projects/<name>/debug→ mint TTL grant (audited) + scoped attach (exec/logs/read, that container only)DELETE /_api/debug/<session>→ revoke; auto-expire on TTLproxy/tunnel.pylifecycle (RFC 0003/0018 are the structural model); every action →proxy/audit.pyproxy/ingress.py,proxy/docker_client.py(scoped exec/logs),proxy/audit.py,proxy/tunnel.py(model)Open question for review: opening a debug session against an
attested-mode project must not silently break its attestation story — stricter gating, recorded-event, or disallow in attested mode?Completes the narrow-audited-axis set (0003 tunnels / 0017 state / 0018 secrets / 0026 debug) that makes the privileged sidecar permanently unnecessary.