v1.1.2

@github-actions github-actions released this 27 Jun 07:56
feat: agent self-management — sudo (root) by default

The agent is meant to run its own box: install its own updates, restart
itself, manage services. That needs sudo, which is setuid and blocked by
NoNewPrivileges=true. Flip the shipped unit to NoNewPrivileges=false and
have the installer grant the run user NOPASSWD:ALL in /etc/sudoers.d/mcp-ssh
(validated with visudo). The auth-gated MCP shell is now root-capable by
design; README + docs/deploy.md document the blast radius and the lock-down
path (remove sudoers + set NoNewPrivileges=true) for operators who don't
want it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
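
An added example, not part of the release or the project's own code: a POSIX shell check an operator could run to confirm whether the lock-down path described above (no sudoers grant, NoNewPrivileges=true) is in effect. The unit file path is passed as an argument because the page does not name the unit; the sample files and the `agent` user are constructed.

```shell
#!/bin/sh
# Added example: check whether the lock-down path from the release note is in effect.

# Print the NoNewPrivileges value set in a unit file: true, false, or unset.
# The last assignment wins; systemd accepts 1/yes/true/on and 0/no/false/off.
nnp_value() {
    v=$(sed -n 's/^[[:space:]]*NoNewPrivileges[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null |
        tail -n 1 | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    case "$v" in
        1|yes|true|on) echo true ;;
        0|no|false|off) echo false ;;
        *) echo unset ;;
    esac
}

# Succeed if a non-comment line in the sudoers drop-in grants NOPASSWD: ALL.
has_nopasswd_all() {
    [ -f "$1" ] &&
        grep -Eq '^[[:space:]]*[^#[:space:]].*NOPASSWD:[[:space:]]*ALL([[:space:]]|,|$)' "$1"
}

# Return 0 only when both halves of the lock-down are in place.
audit_agent_privs() {
    unit=$1 sudoers=$2 rc=0
    nnp=$(nnp_value "$unit")
    if [ "$nnp" != true ]; then
        echo "FINDING: NoNewPrivileges=$nnp in $unit (setuid sudo is not blocked)"
        rc=1
    fi
    if has_nopasswd_all "$sudoers"; then
        echo "FINDING: NOPASSWD:ALL grant present in $sudoers"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $unit is locked down"
    return "$rc"
}

# Constructed sample input (file names and the "agent" user are assumptions).
demo=$(mktemp -d)
printf '[Service]\nNoNewPrivileges=false\n' > "$demo/shipped.service"
printf '[Service]\nNoNewPrivileges=true\n' > "$demo/locked.service"
printf 'agent ALL=(ALL) NOPASSWD:ALL\n' > "$demo/mcp-ssh"
audit_agent_privs "$demo/shipped.service" "$demo/mcp-ssh" || true
audit_agent_privs "$demo/locked.service" "$demo/no-such-file" || true
```

On a live host, `systemctl show -p NoNewPrivileges <unit>` reports the effective value after drop-ins, which reading a single unit file does not.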