Connection lost
Trying to reconnect…
Server didn't respond
Recovering…
Compare
Why not just give the LLM SSH?
The honest answer: you can. Some people do. It works on the days it works. Here's what changes when it doesn't.
Both approaches run real commands
emisar isn't a sandbox. When the runner executes nodetool repair, it really repairs the keyspace — exactly like
SSH would. The difference is what happens before exec, and what's
left after.
Side-by-side
| Concern | Raw SSH | emisar action pack |
|---|---|---|
| What can the LLM run? | Anything in the user's shell | Only declared actions; everything else rejected |
| What are the args? | Free-text command line | Typed, validated, redacted at the boundary |
| What actually ran? | Whatever was on PATH that day |
Content-addressed pack — the runner recomputes the SHA-256 and blocks changed contents until an admin re-trusts |
| Approvals? | Human-in-the-loop in chat — easy to skip | Policy gates with approver email + audit; skipping means a policy change, itself audited |
| Audit trail? |
Whatever lands in .bash_history + Slack scrollback
|
Hash-chained JSONL on host, mirrored to cloud |
| Output redaction? | None — passwords leak into chat logs | 20+ patterns (bearer/JWT, AWS/GitHub/Slack keys, secret assignments) masked on the host before egress |
| Lateral movement? | SSH key on the model's box ≈ key everywhere | Per-runner token + per-user runner scopes every API key inherits — revoke the user, every key they minted shrinks |
| Recovery story? | "Read the chat scrollback and the logs and hope" |
emisar audit verify + replay every dispatched envelope
|
When raw SSH is the right answer
Single-operator side projects, throwaway environments, dev clusters you can wipe. The cost of declaring an action pack only pays back when there's another human who needs to audit, override, or recover from the AI's decisions.
When it isn't
Production. Anything regulated. Anything where post-incident your VP of Engineering will ask "what did the model do, exactly, and on whose authority?". That's the question raw SSH can't answer without a forensic budget. emisar makes the answer a query.