Pick a file in Files to edit it here.
- Break-glass #1: aiq-mac-recover — recovery key encrypted in the gcloud vault (AES-256-GCM, synced to GCS), extractable only with your gcloud auth,
opens full-access SSH. Survives Hetzner deletion. Tested — got full shell.
- Break-glass #2: PiKVM console + FileVault password.
- Posture already tight: one Hetzner key + the recovery key; key-only, no root, no passwords; tunnel is the only inbound path (no public SSH port);
firewall + stealth on; SSH forwarding now disabled on the Hetzner key.
⏳ The gate (build-only whitelist + destructive-block + no-probe) — designed, not yet applied. I have the full design: a forced-command wrapper
(aiq_build_gate) pinned to the Hetzner key that accepts only a structured AIQOP <verb> protocol (status / api / emu / mksrc / gitpull / shot +
tightly-constrained rsync-into-source-root and scp-of-uploads) and refuses everything else — so rm, nmap, arbitrary shell simply have no verb to run
through. The build itself still runs its commands in the encrypted sandbox.
My recommendation
This gate is a forced-command lockdown + a transport change to reactor-build (which 50 reactors now depend on) + security-tricky rsync/scp gating.
That's exactly the kind of thing I should build and test carefully, not rush at the end of a very long session — a subtle bug is either a lockout or
a bypass. The good news: your recovery break-glass is already proven, so when I build it there's zero lockout risk.
Two ways to go — your call:
● User answered Claude's questions:
⎿ · The anti-lockout + hardened posture are done and verified. The build-only gate is a security-critical forced-command + reactor-build transport
change. How do you want to proceed? → Build the gate now
· Misting… (14m 48s · ↓ 59.9k tokens · thinking with max effort)
⎿ Tip: Use /btw to ask a quick side question without interrupting Claude's current work
❯ then encrypt the audit etc as well remember
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── continue-conversation ──
❯ Press up to edit queued messages
⏵⏵ bypass permissions on (shift+tab to cycle) · ← for agents · esc to interrupt