[{"data":1,"prerenderedAt":1327},["ShallowReactive",2],{"navigation":3,"/ecosystem/escapes":145,"/ecosystem/escapes-surround":1322},[4,28,49,88,101,127],{"title":5,"path":6,"stem":7,"children":8,"icon":27},"Getting Started","/getting-started","1.getting-started/1.index",[9,11,15,19,23],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Working with Agents","/getting-started/working-with-agents","1.getting-started/2.working-with-agents",{"title":16,"path":17,"stem":18},"Setup a Service Provider","/getting-started/setup-service-provider","1.getting-started/3.setup-service-provider",{"title":20,"path":21,"stem":22},"Setup an Identity Provider","/getting-started/setup-identity-provider","1.getting-started/4.setup-identity-provider",{"title":24,"path":25,"stem":26},"Developers","/getting-started/developers","1.getting-started/5.developers",false,{"title":29,"icon":27,"path":30,"stem":31,"children":32,"page":27},"Guides","/guides","2.guides",[33,37,41,45],{"title":34,"path":35,"stem":36},"How It Works","/guides/how-it-works","2.guides/1.how-it-works",{"title":38,"path":39,"stem":40},"Capabilities Guide","/guides/capabilities-guide","2.guides/2.capabilities-guide",{"title":42,"path":43,"stem":44},"End-to-End Tutorial","/guides/end-to-end-tutorial","2.guides/3.end-to-end-tutorial",{"title":46,"path":47,"stem":48},"Delegation Guide","/guides/delegation-guide","2.guides/4.delegation-guide",{"title":50,"path":51,"stem":52,"children":53,"icon":27},"Ecosystem","/ecosystem","3.ecosystem/1.index",[54,56,60,64,68,72,76,80,84],{"title":55,"path":51,"stem":52},"Overview",{"title":57,"path":58,"stem":59},"grapes CLI","/ecosystem/grapes","3.ecosystem/2.grapes",{"title":61,"path":62,"stem":63},"shapes CLI","/ecosystem/shapes","3.ecosystem/3.shapes",{"title":65,"path":66,"stem":67},"escapes","/ecosystem/escapes","3.ecosystem/4.escapes",{"title":69,"path":70,"stem":71},"OpenApe Proxy","/ecosystem/proxy","3.ecosystem/5.proxy",{"title":73,"path":74,"stem":75},"OpenApe Browser","/ecosystem/browser","3.ecosystem/6.browser",{"title":77,"path":78,"stem":79},"OpenApe Auth","/ecosystem/auth","3.ecosystem/7.auth",{"title":81,"path":82,"stem":83},"OpenApe Grants","/ecosystem/grants","3.ecosystem/8.grants",{"title":85,"path":86,"stem":87},"nuxt-auth-sp","/ecosystem/nuxt-auth-sp","3.ecosystem/9.nuxt-auth-sp",{"title":89,"icon":27,"path":90,"stem":91,"children":92,"page":27},"Security","/security","4.security",[93,97],{"title":94,"path":95,"stem":96},"Compliance","/security/compliance","4.security/1.compliance",{"title":98,"path":99,"stem":100},"Threat Model","/security/threat-model","4.security/2.threat-model",{"title":102,"path":103,"stem":104,"children":105,"icon":27},"Reference","/reference","5.reference/1.index",[106,107,111,115,119,123],{"title":102,"path":103,"stem":104},{"title":108,"path":109,"stem":110},"IdP Configuration","/reference/idp-configuration","5.reference/2.idp-configuration",{"title":112,"path":113,"stem":114},"SP Configuration","/reference/sp-configuration","5.reference/3.sp-configuration",{"title":116,"path":117,"stem":118},"API Endpoints","/reference/api-endpoints","5.reference/4.api-endpoints",{"title":120,"path":121,"stem":122},"escapes Config","/reference/escapes-config","5.reference/5.escapes-config",{"title":124,"path":125,"stem":126},"Proxy Config","/reference/proxy-config","5.reference/6.proxy-config",{"title":128,"path":129,"stem":130,"children":131,"icon":27},"Operations","/operations","6.operations/1.index",[132,133,137,141],{"title":128,"path":129,"stem":130},{"title":134,"path":135,"stem":136},"Deployment","/operations/deployment","6.operations/2.deployment",{"title":138,"path":139,"stem":140},"Troubleshooting","/operations/troubleshooting","6.operations/3.troubleshooting",{"title":142,"path":143,"stem":144},"Monitoring","/operations/monitoring","6.operations/4.monitoring",{"id":146,"title":65,"body":147,"description":1316,"extension":1317,"links":1318,"meta":1319,"navigation":223,"path":66,"seo":1320,"stem":67,"__hash__":1321},"docs/3.ecosystem/4.escapes.md",{"type":148,"value":149,"toc":1300},"minimark",[150,153,162,171,176,245,252,275,279,289,294,446,450,560,564,570,641,648,652,659,781,785,788,983,986,1133,1137,1206,1210,1216,1240,1244,1248,1268,1272,1296],[151,152,65],"h1",{"id":65},[154,155,156,157,161],"p",{},"A setuid-root Rust binary that executes commands with elevated privileges after verifying an AuthZ-JWT from an OpenApe IdP. It replaces traditional ",[158,159,160],"code",{},"sudo"," with grant-based, auditable approval.",[163,164,166],"callout",{"type":165},"warning",[154,167,168,170],{},[158,169,65],{}," runs with root privileges. Follow the security hardening guidelines at the bottom of this page.",[172,173,175],"h2",{"id":174},"installation","Installation",[177,178,183],"pre",{"className":179,"code":180,"language":181,"meta":182,"style":182},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Build from source\ncd escapes\ncargo build --release\n\n# Install with setuid bit\nsudo make install  # → /usr/local/bin/escapes\n","bash","",[158,184,185,194,205,218,225,231],{"__ignoreMap":182},[186,187,190],"span",{"class":188,"line":189},"line",1,[186,191,193],{"class":192},"sHwdD","# Build from source\n",[186,195,197,201],{"class":188,"line":196},2,[186,198,200],{"class":199},"s2Zo4","cd",[186,202,204],{"class":203},"sfazB"," escapes\n",[186,206,208,212,215],{"class":188,"line":207},3,[186,209,211],{"class":210},"sBMFI","cargo",[186,213,214],{"class":203}," build",[186,216,217],{"class":203}," --release\n",[186,219,221],{"class":188,"line":220},4,[186,222,224],{"emptyLinePlaceholder":223},true,"\n",[186,226,228],{"class":188,"line":227},5,[186,229,230],{"class":192},"# Install with setuid bit\n",[186,232,234,236,239,242],{"class":188,"line":233},6,[186,235,160],{"class":210},[186,237,238],{"class":203}," make",[186,240,241],{"class":203}," install",[186,243,244],{"class":192},"  # → /usr/local/bin/escapes\n",[154,246,247,248,251],{},"The ",[158,249,250],{},"make install"," target:",[253,254,255,262,268],"ul",{},[256,257,258,259],"li",{},"Copies the binary to ",[158,260,261],{},"/usr/local/bin/escapes",[256,263,264,265],{},"Sets ownership to ",[158,266,267],{},"root:root",[256,269,270,271,274],{},"Enables the setuid bit (",[158,272,273],{},"chmod u+s",")",[172,276,278],{"id":277},"usage","Usage",[154,280,281,283,284,288],{},[158,282,65],{}," receives a pre-approved AuthZ-JWT (typically from ",[285,286,287],"a",{"href":58},"grapes",") and executes the authorized command.",[290,291,293],"h3",{"id":292},"grant-delivery-methods","Grant Delivery Methods",[177,295,297],{"className":179,"code":296,"language":181,"meta":182,"style":182},"# JWT as command-line argument\nescapes --grant \u003Cjwt> -- systemctl restart nginx\n\n# JWT from stdin (pipe-friendly)\necho \"$JWT\" | escapes --grant-stdin -- apt-get upgrade\n\n# JWT from file\nescapes --grant-file /tmp/grant.jwt -- systemctl restart nginx\n\n# Run as specific user (instead of root)\nescapes --run-as deploy --grant \u003Cjwt> -- systemctl restart nginx\n",[158,298,299,304,337,341,346,377,381,387,406,411,417],{"__ignoreMap":182},[186,300,301],{"class":188,"line":189},[186,302,303],{"class":192},"# JWT as command-line argument\n",[186,305,306,308,311,315,318,322,325,328,331,334],{"class":188,"line":196},[186,307,65],{"class":210},[186,309,310],{"class":203}," --grant",[186,312,314],{"class":313},"sMK4o"," \u003C",[186,316,317],{"class":203},"jw",[186,319,321],{"class":320},"sTEyZ","t",[186,323,324],{"class":313},">",[186,326,327],{"class":203}," --",[186,329,330],{"class":203}," systemctl",[186,332,333],{"class":203}," restart",[186,335,336],{"class":203}," nginx\n",[186,338,339],{"class":188,"line":207},[186,340,224],{"emptyLinePlaceholder":223},[186,342,343],{"class":188,"line":220},[186,344,345],{"class":192},"# JWT from stdin (pipe-friendly)\n",[186,347,348,351,354,357,360,363,366,369,371,374],{"class":188,"line":227},[186,349,350],{"class":199},"echo",[186,352,353],{"class":313}," \"",[186,355,356],{"class":320},"$JWT",[186,358,359],{"class":313},"\"",[186,361,362],{"class":313}," |",[186,364,365],{"class":210}," escapes",[186,367,368],{"class":203}," --grant-stdin",[186,370,327],{"class":203},[186,372,373],{"class":203}," apt-get",[186,375,376],{"class":203}," upgrade\n",[186,378,379],{"class":188,"line":233},[186,380,224],{"emptyLinePlaceholder":223},[186,382,384],{"class":188,"line":383},7,[186,385,386],{"class":192},"# JWT from file\n",[186,388,390,392,395,398,400,402,404],{"class":188,"line":389},8,[186,391,65],{"class":210},[186,393,394],{"class":203}," --grant-file",[186,396,397],{"class":203}," /tmp/grant.jwt",[186,399,327],{"class":203},[186,401,330],{"class":203},[186,403,333],{"class":203},[186,405,336],{"class":203},[186,407,409],{"class":188,"line":408},9,[186,410,224],{"emptyLinePlaceholder":223},[186,412,414],{"class":188,"line":413},10,[186,415,416],{"class":192},"# Run as specific user (instead of root)\n",[186,418,420,422,425,428,430,432,434,436,438,440,442,444],{"class":188,"line":419},11,[186,421,65],{"class":210},[186,423,424],{"class":203}," --run-as",[186,426,427],{"class":203}," deploy",[186,429,310],{"class":203},[186,431,314],{"class":313},[186,433,317],{"class":203},[186,435,321],{"class":320},[186,437,324],{"class":313},[186,439,327],{"class":203},[186,441,330],{"class":203},[186,443,333],{"class":203},[186,445,336],{"class":203},[290,447,449],{"id":448},"typical-flow-with-grapes","Typical Flow with grapes",[177,451,453],{"className":179,"code":452,"language":181,"meta":182,"style":182},"# One-liner: request, wait, execute\ngrapes run escapes \"systemctl restart nginx\" --reason \"Deploy\"\n\n# Manual flow\ngrapes request \"apt-get upgrade\" --audience escapes --wait\nJWT=$(grapes token \u003Cgrant-id>)\nescapes --grant \"$JWT\" -- apt-get upgrade\n",[158,454,455,460,487,491,496,518,542],{"__ignoreMap":182},[186,456,457],{"class":188,"line":189},[186,458,459],{"class":192},"# One-liner: request, wait, execute\n",[186,461,462,464,467,469,471,474,476,479,481,484],{"class":188,"line":196},[186,463,287],{"class":210},[186,465,466],{"class":203}," run",[186,468,365],{"class":203},[186,470,353],{"class":313},[186,472,473],{"class":203},"systemctl restart nginx",[186,475,359],{"class":313},[186,477,478],{"class":203}," --reason",[186,480,353],{"class":313},[186,482,483],{"class":203},"Deploy",[186,485,486],{"class":313},"\"\n",[186,488,489],{"class":188,"line":207},[186,490,224],{"emptyLinePlaceholder":223},[186,492,493],{"class":188,"line":220},[186,494,495],{"class":192},"# Manual flow\n",[186,497,498,500,503,505,508,510,513,515],{"class":188,"line":227},[186,499,287],{"class":210},[186,501,502],{"class":203}," request",[186,504,353],{"class":313},[186,506,507],{"class":203},"apt-get upgrade",[186,509,359],{"class":313},[186,511,512],{"class":203}," --audience",[186,514,365],{"class":203},[186,516,517],{"class":203}," --wait\n",[186,519,520,523,526,528,531,533,536,539],{"class":188,"line":233},[186,521,522],{"class":320},"JWT",[186,524,525],{"class":313},"=$(",[186,527,287],{"class":210},[186,529,530],{"class":203}," token",[186,532,314],{"class":313},[186,534,535],{"class":203},"grant-i",[186,537,538],{"class":320},"d",[186,540,541],{"class":313},">)\n",[186,543,544,546,548,550,552,554,556,558],{"class":188,"line":383},[186,545,65],{"class":210},[186,547,310],{"class":203},[186,549,353],{"class":313},[186,551,356],{"class":320},[186,553,359],{"class":313},[186,555,327],{"class":203},[186,557,373],{"class":203},[186,559,376],{"class":203},[172,561,563],{"id":562},"verification-chain","Verification Chain",[154,565,566,567,569],{},"Before executing any command, ",[158,568,65],{}," performs a 7-step verification:",[571,572,573,580,586,596,609,618,627],"ol",{},[256,574,575,579],{},[576,577,578],"strong",{},"Issuer check"," — JWT issuer matches a configured allowed issuer",[256,581,582,585],{},[576,583,584],{},"Signature verification"," — JWT signature is valid (EdDSA)",[256,587,588,591,592,595],{},[576,589,590],{},"Approver check"," — ",[158,593,594],{},"decided_by"," claim is in the allowed approvers list",[256,597,598,591,601,604,605,608],{},[576,599,600],{},"Audience check",[158,602,603],{},"aud"," claim matches ",[158,606,607],{},"\"escapes\""," (or configured audience)",[256,610,611,591,614,617],{},[576,612,613],{},"Target host check",[158,615,616],{},"target_host"," claim matches the current hostname",[256,619,620,591,623,626],{},[576,621,622],{},"Command hash check",[158,624,625],{},"cmd_hash"," matches the SHA-256 hash of the command to execute",[256,628,629,632,633,636,637,640],{},[576,630,631],{},"IdP consume check"," — For ",[158,634,635],{},"once"," grants, calls the IdP's ",[158,638,639],{},"/consume"," endpoint to mark the grant as used",[154,642,643,644,647],{},"If any check fails, execution is aborted with exit code ",[158,645,646],{},"5",".",[172,649,651],{"id":650},"configuration","Configuration",[154,653,654,655,658],{},"Config file location: ",[158,656,657],{},"/etc/openape/config.toml"," (root-owned, mode 0644)",[177,660,664],{"className":661,"code":662,"language":663,"meta":182,"style":182},"language-toml shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Optional: override system hostname\nhost = \"prod-server.example.com\"\n\n# User to run commands as (default: root)\nrun_as = \"root\"\n\n# Audit log location\naudit_log = \"/var/log/openape/audit.log\"\n\n[security]\n# Only accept JWTs from these issuers\nallowed_issuers = [\"https://id.example.com\"]\n\n# Only accept approvals from these users\nallowed_approvers = [\"admin@example.com\", \"ops@example.com\"]\n\n# Only accept JWTs with these audiences\nallowed_audiences = [\"escapes\"]\n\n[tls]\n# Custom CA bundle for IdP verification\nca_bundle = \"/etc/ssl/certs/ca-certificates.crt\"\n","toml",[158,665,666,671,676,680,685,690,694,699,704,708,713,718,724,729,735,741,746,752,758,763,769,775],{"__ignoreMap":182},[186,667,668],{"class":188,"line":189},[186,669,670],{},"# Optional: override system hostname\n",[186,672,673],{"class":188,"line":196},[186,674,675],{},"host = \"prod-server.example.com\"\n",[186,677,678],{"class":188,"line":207},[186,679,224],{"emptyLinePlaceholder":223},[186,681,682],{"class":188,"line":220},[186,683,684],{},"# User to run commands as (default: root)\n",[186,686,687],{"class":188,"line":227},[186,688,689],{},"run_as = \"root\"\n",[186,691,692],{"class":188,"line":233},[186,693,224],{"emptyLinePlaceholder":223},[186,695,696],{"class":188,"line":383},[186,697,698],{},"# Audit log location\n",[186,700,701],{"class":188,"line":389},[186,702,703],{},"audit_log = \"/var/log/openape/audit.log\"\n",[186,705,706],{"class":188,"line":408},[186,707,224],{"emptyLinePlaceholder":223},[186,709,710],{"class":188,"line":413},[186,711,712],{},"[security]\n",[186,714,715],{"class":188,"line":419},[186,716,717],{},"# Only accept JWTs from these issuers\n",[186,719,721],{"class":188,"line":720},12,[186,722,723],{},"allowed_issuers = [\"https://id.example.com\"]\n",[186,725,727],{"class":188,"line":726},13,[186,728,224],{"emptyLinePlaceholder":223},[186,730,732],{"class":188,"line":731},14,[186,733,734],{},"# Only accept approvals from these users\n",[186,736,738],{"class":188,"line":737},15,[186,739,740],{},"allowed_approvers = [\"admin@example.com\", \"ops@example.com\"]\n",[186,742,744],{"class":188,"line":743},16,[186,745,224],{"emptyLinePlaceholder":223},[186,747,749],{"class":188,"line":748},17,[186,750,751],{},"# Only accept JWTs with these audiences\n",[186,753,755],{"class":188,"line":754},18,[186,756,757],{},"allowed_audiences = [\"escapes\"]\n",[186,759,761],{"class":188,"line":760},19,[186,762,224],{"emptyLinePlaceholder":223},[186,764,766],{"class":188,"line":765},20,[186,767,768],{},"[tls]\n",[186,770,772],{"class":188,"line":771},21,[186,773,774],{},"# Custom CA bundle for IdP verification\n",[186,776,778],{"class":188,"line":777},22,[186,779,780],{},"ca_bundle = \"/etc/ssl/certs/ca-certificates.crt\"\n",[172,782,784],{"id":783},"audit-logging","Audit Logging",[154,786,787],{},"Every execution attempt is logged as JSONL to the audit log:",[177,789,793],{"className":790,"code":791,"language":792,"meta":182,"style":182},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"timestamp\": \"2025-01-15T10:30:00Z\",\n  \"grant_id\": \"abc123-...\",\n  \"command\": [\"systemctl\", \"restart\", \"nginx\"],\n  \"requester\": \"agent+deploy@example.com\",\n  \"approver\": \"admin@example.com\",\n  \"result\": \"success\",\n  \"exit_code\": 0,\n  \"duration_ms\": 1234\n}\n","json",[158,794,795,800,824,844,887,907,927,947,964,978],{"__ignoreMap":182},[186,796,797],{"class":188,"line":189},[186,798,799],{"class":313},"{\n",[186,801,802,805,809,811,814,816,819,821],{"class":188,"line":196},[186,803,804],{"class":313},"  \"",[186,806,808],{"class":807},"spNyl","timestamp",[186,810,359],{"class":313},[186,812,813],{"class":313},":",[186,815,353],{"class":313},[186,817,818],{"class":203},"2025-01-15T10:30:00Z",[186,820,359],{"class":313},[186,822,823],{"class":313},",\n",[186,825,826,828,831,833,835,837,840,842],{"class":188,"line":207},[186,827,804],{"class":313},[186,829,830],{"class":807},"grant_id",[186,832,359],{"class":313},[186,834,813],{"class":313},[186,836,353],{"class":313},[186,838,839],{"class":203},"abc123-...",[186,841,359],{"class":313},[186,843,823],{"class":313},[186,845,846,848,851,853,855,858,860,863,865,868,870,873,875,877,879,882,884],{"class":188,"line":220},[186,847,804],{"class":313},[186,849,850],{"class":807},"command",[186,852,359],{"class":313},[186,854,813],{"class":313},[186,856,857],{"class":313}," [",[186,859,359],{"class":313},[186,861,862],{"class":203},"systemctl",[186,864,359],{"class":313},[186,866,867],{"class":313},",",[186,869,353],{"class":313},[186,871,872],{"class":203},"restart",[186,874,359],{"class":313},[186,876,867],{"class":313},[186,878,353],{"class":313},[186,880,881],{"class":203},"nginx",[186,883,359],{"class":313},[186,885,886],{"class":313},"],\n",[186,888,889,891,894,896,898,900,903,905],{"class":188,"line":227},[186,890,804],{"class":313},[186,892,893],{"class":807},"requester",[186,895,359],{"class":313},[186,897,813],{"class":313},[186,899,353],{"class":313},[186,901,902],{"class":203},"agent+deploy@example.com",[186,904,359],{"class":313},[186,906,823],{"class":313},[186,908,909,911,914,916,918,920,923,925],{"class":188,"line":233},[186,910,804],{"class":313},[186,912,913],{"class":807},"approver",[186,915,359],{"class":313},[186,917,813],{"class":313},[186,919,353],{"class":313},[186,921,922],{"class":203},"admin@example.com",[186,924,359],{"class":313},[186,926,823],{"class":313},[186,928,929,931,934,936,938,940,943,945],{"class":188,"line":383},[186,930,804],{"class":313},[186,932,933],{"class":807},"result",[186,935,359],{"class":313},[186,937,813],{"class":313},[186,939,353],{"class":313},[186,941,942],{"class":203},"success",[186,944,359],{"class":313},[186,946,823],{"class":313},[186,948,949,951,954,956,958,962],{"class":188,"line":389},[186,950,804],{"class":313},[186,952,953],{"class":807},"exit_code",[186,955,359],{"class":313},[186,957,813],{"class":313},[186,959,961],{"class":960},"sbssI"," 0",[186,963,823],{"class":313},[186,965,966,968,971,973,975],{"class":188,"line":408},[186,967,804],{"class":313},[186,969,970],{"class":807},"duration_ms",[186,972,359],{"class":313},[186,974,813],{"class":313},[186,976,977],{"class":960}," 1234\n",[186,979,980],{"class":188,"line":413},[186,981,982],{"class":313},"}\n",[154,984,985],{},"Failed attempts (verification failures, execution errors) are also logged:",[177,987,989],{"className":790,"code":988,"language":792,"meta":182,"style":182},"{\n  \"timestamp\": \"2025-01-15T10:31:00Z\",\n  \"error\": \"cmd_hash mismatch\",\n  \"expected_hash\": \"sha256:a1b2c3...\",\n  \"actual_hash\": \"sha256:d4e5f6...\",\n  \"command\": [\"rm\", \"-rf\", \"/\"],\n  \"requester\": \"agent+deploy@example.com\"\n}\n",[158,990,991,995,1014,1034,1054,1074,1113,1129],{"__ignoreMap":182},[186,992,993],{"class":188,"line":189},[186,994,799],{"class":313},[186,996,997,999,1001,1003,1005,1007,1010,1012],{"class":188,"line":196},[186,998,804],{"class":313},[186,1000,808],{"class":807},[186,1002,359],{"class":313},[186,1004,813],{"class":313},[186,1006,353],{"class":313},[186,1008,1009],{"class":203},"2025-01-15T10:31:00Z",[186,1011,359],{"class":313},[186,1013,823],{"class":313},[186,1015,1016,1018,1021,1023,1025,1027,1030,1032],{"class":188,"line":207},[186,1017,804],{"class":313},[186,1019,1020],{"class":807},"error",[186,1022,359],{"class":313},[186,1024,813],{"class":313},[186,1026,353],{"class":313},[186,1028,1029],{"class":203},"cmd_hash mismatch",[186,1031,359],{"class":313},[186,1033,823],{"class":313},[186,1035,1036,1038,1041,1043,1045,1047,1050,1052],{"class":188,"line":220},[186,1037,804],{"class":313},[186,1039,1040],{"class":807},"expected_hash",[186,1042,359],{"class":313},[186,1044,813],{"class":313},[186,1046,353],{"class":313},[186,1048,1049],{"class":203},"sha256:a1b2c3...",[186,1051,359],{"class":313},[186,1053,823],{"class":313},[186,1055,1056,1058,1061,1063,1065,1067,1070,1072],{"class":188,"line":227},[186,1057,804],{"class":313},[186,1059,1060],{"class":807},"actual_hash",[186,1062,359],{"class":313},[186,1064,813],{"class":313},[186,1066,353],{"class":313},[186,1068,1069],{"class":203},"sha256:d4e5f6...",[186,1071,359],{"class":313},[186,1073,823],{"class":313},[186,1075,1076,1078,1080,1082,1084,1086,1088,1091,1093,1095,1097,1100,1102,1104,1106,1109,1111],{"class":188,"line":233},[186,1077,804],{"class":313},[186,1079,850],{"class":807},[186,1081,359],{"class":313},[186,1083,813],{"class":313},[186,1085,857],{"class":313},[186,1087,359],{"class":313},[186,1089,1090],{"class":203},"rm",[186,1092,359],{"class":313},[186,1094,867],{"class":313},[186,1096,353],{"class":313},[186,1098,1099],{"class":203},"-rf",[186,1101,359],{"class":313},[186,1103,867],{"class":313},[186,1105,353],{"class":313},[186,1107,1108],{"class":203},"/",[186,1110,359],{"class":313},[186,1112,886],{"class":313},[186,1114,1115,1117,1119,1121,1123,1125,1127],{"class":188,"line":383},[186,1116,804],{"class":313},[186,1118,893],{"class":807},[186,1120,359],{"class":313},[186,1122,813],{"class":313},[186,1124,353],{"class":313},[186,1126,902],{"class":203},[186,1128,486],{"class":313},[186,1130,1131],{"class":188,"line":389},[186,1132,982],{"class":313},[172,1134,1136],{"id":1135},"exit-codes","Exit Codes",[1138,1139,1140,1153],"table",{},[1141,1142,1143],"thead",{},[1144,1145,1146,1150],"tr",{},[1147,1148,1149],"th",{},"Code",[1147,1151,1152],{},"Meaning",[1154,1155,1156,1167,1177,1186,1196],"tbody",{},[1144,1157,1158,1164],{},[1159,1160,1161],"td",{},[158,1162,1163],{},"0",[1159,1165,1166],{},"Command executed successfully",[1144,1168,1169,1174],{},[1159,1170,1171],{},[158,1172,1173],{},"1",[1159,1175,1176],{},"Configuration error or HTTP error (IdP unreachable)",[1144,1178,1179,1183],{},[1159,1180,1181],{},[158,1182,646],{},[1159,1184,1185],{},"JWT verification failed (any of the 7 checks)",[1144,1187,1188,1193],{},[1159,1189,1190],{},[158,1191,1192],{},"126",[1159,1194,1195],{},"Command found but execution failed (permission denied)",[1144,1197,1198,1203],{},[1159,1199,1200],{},[158,1201,1202],{},"127",[1159,1204,1205],{},"Command not found",[172,1207,1209],{"id":1208},"environment-sanitization","Environment Sanitization",[154,1211,1212,1213,1215],{},"Before executing the command, ",[158,1214,65],{}," resets the environment to prevent privilege escalation attacks:",[253,1217,1218,1228,1237],{},[256,1219,1220,1223,1224,1227],{},[158,1221,1222],{},"LD_PRELOAD",", ",[158,1225,1226],{},"LD_LIBRARY_PATH"," — removed",[256,1229,1230,1233,1234,274],{},[158,1231,1232],{},"PATH"," — reset to safe default (",[158,1235,1236],{},"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",[256,1238,1239],{},"All other environment variables — removed except explicitly safe ones",[172,1241,1243],{"id":1242},"security-hardening","Security Hardening",[290,1245,1247],{"id":1246},"mandatory","Mandatory",[253,1249,1250,1253,1259,1265],{},[256,1251,1252],{},"Config file must be owned by root with restricted permissions",[256,1254,1255,1258],{},[158,1256,1257],{},"allowed_issuers"," should list only your IdP(s) — never use wildcards",[256,1260,1261,1264],{},[158,1262,1263],{},"allowed_approvers"," should list only trusted human administrators",[256,1266,1267],{},"Audit log directory must be writable by root only",[290,1269,1271],{"id":1270},"recommended","Recommended",[253,1273,1274,1277,1280,1283,1286],{},[256,1275,1276],{},"Enable DNSSEC for your IdP domain",[256,1278,1279],{},"Use a dedicated agent user per machine (not a shared key)",[256,1281,1282],{},"Monitor the audit log for failed verification attempts",[256,1284,1285],{},"Rotate agent Ed25519 keys periodically",[256,1287,1288,1289,1291,1292,1295],{},"Use ",[158,1290,635],{}," grants for destructive operations; reserve ",[158,1293,1294],{},"always"," grants for read-only actions",[1297,1298,1299],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}",{"title":182,"searchDepth":207,"depth":196,"links":1301},[1302,1303,1307,1308,1309,1310,1311,1312],{"id":174,"depth":196,"text":175},{"id":277,"depth":196,"text":278,"children":1304},[1305,1306],{"id":292,"depth":207,"text":293},{"id":448,"depth":207,"text":449},{"id":562,"depth":196,"text":563},{"id":650,"depth":196,"text":651},{"id":783,"depth":196,"text":784},{"id":1135,"depth":196,"text":1136},{"id":1208,"depth":196,"text":1209},{"id":1242,"depth":196,"text":1243,"children":1313},[1314,1315],{"id":1246,"depth":207,"text":1247},{"id":1270,"depth":207,"text":1271},"Setuid-root Rust binary for local privilege elevation via AuthZ-JWT.","md",null,{},{"title":65,"description":1316},"16MuHIEJlmVqzNcqQsUDe6kuAJFMk2aFn5Ki03KNQJo",[1323,1325],{"title":61,"path":62,"stem":63,"description":1324,"children":-1},"Grant-constrained execution layer — run any CLI through structured permissions.",{"title":69,"path":70,"stem":71,"description":1326,"children":-1},"Agent HTTP gateway with grant-based access control.",1774221116104]