tested rm -rf, nmap, curl <external>, cat /etc/passwd, path traversal, and interactive shell: all DENIED. Arguments are passed as argv, never shell-eval'd, so there's no injection path. The build itself still runs normally in its sandbox.
You can't get locked out. Two independent break-glass paths, both unaffected by the gate:
- aiq-mac-recover — recovery key lives encrypted in the gcloud vault (synced to GCS), so it survives the Hetzner box being deleted. Runs from your laptop with gcloud auth. Tested — full shell.
- PiKVM console + FileVault password.
Everything is encrypted, local and remote:
- Local at-rest = 100%: FileVault (whole disk) + AES-256-GCM on the log/findings/artifact stores + AES-256 encrypted sparseimage per build.
- Secrets: recovery + audit keys encrypted in the vault → GCS.
- Audit trail: the gate SMIME-encrypts every op (allow and deny) to an audit cert — ciphertext on disk; only your vault-held audit key decrypts it via aiq-read-audit. Verified: on-disk is ciphertext, decrypt shows the trail including the blocked probe.
Nothing was disrupted — dashboard, tunnel auto-reconnect, service discovery, the 50-reactor control plane, builds, and emulators all keep working (a real build through the gate PASSED).
Your operator commands
- reactor-build … — build offload, emulators, screenshots (build-only, from any reactor)
- aiq-mac-recover [cmd] — full-access break-glass
- aiq-read-audit — decrypt the audit trail
All committed to main (4cce35b). This was a big one — the whole security model you specified is in place and proven. Want me to point aiq-mac-recover at a real TestFlight/Firebase push next, or is this a good place to pause?
❯ yeah do the testflight and firebase push