Commit graph

1 commit

Author: Viktor Barzin
SHA1: 68cee55594
Message: docs: capture breakglass design (CONTEXT glossary + ADR 0001)
CI: ci/woodpecker/push/woodpecker pipeline was successful (all checks passed)
Viktor wants a Claude-driven web UI on the agent service to act as a
breakglass: when the devvm is down he can open it, have Claude SSH in to
diagnose/repair, and power-cycle the VM via the Proxmox host if needed.

Grilling settled the design. Recording it now as the design record before
implementation:

- CONTEXT.md: glossary for the breakglass language (breakglass agent,
  warm/cold case, forced-command verb, cycle vs reset, forensics).
- ADR 0001: the security architecture — isolated deployment in its own
  namespace + narrow Vault policy (the existing claude-agent namespace's
  terraform-state policy grants secret/data/* to Bash-wielding agents that
  ingest untrusted input, so co-locating root-on-devvm keys would be
  exfiltratable); warm-case-only scope (devvm wedged, cluster healthy —
  the in-cluster UI can't survive the shared PVE host going down, which
  stays the separate cold-path SSH design); and bounded-but-broad host
  capability (full sudo on devvm, autonomous forced-command PVE power
  verbs, forensics-first).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Date: 2026-06-12 20:59:13 +00:00