Connection lost
Trying to reconnect…
Server didn't respond
Recovering…
Compare
Why not just give the LLM SSH?
The honest answer: you can. Some people do. It works on the days it works. Here's what changes when it doesn't.
Both approaches run real commands
emisar isn't a sandbox. When the runner executes nomad job revert, it really rolls back the deploy — exactly like
SSH would. The difference is what happens before exec, and what's
left after.
# one key opens the whole box
$ nomad job revert api 17
↳ done — no who, no why, no record
$ cat /srv/api/.env
DB_PASSWORD=hunter2…
↳ now sitting in the chat scrollback
nomad.job_revert(job: api, version: 17)
reason: roll back the 502 spike
⏸ approval — nomad.job_* is gated
✓ approved · one use · recorded
↳ output redacted · hash-chained journal
Same revert. The shell version also just read your database password into the chat log — and left nothing you can hand an auditor.
Side-by-side
What can the LLM run?
Raw SSH
Anything in the user's shell
emisar
Only declared actions; everything else rejected
What are the args?
Raw SSH
Free-text command line
emisar
Typed, validated, redacted at the boundary
What actually ran?
Raw SSH
Whatever was on PATH that day
emisar
Content-addressed pack — the runner recomputes the SHA-256 and blocks changed contents until an admin re-trusts
Approvals?
Raw SSH
Human-in-the-loop in chat — easy to skip
emisar
Policy gates with approver email + audit; skipping means a policy change, itself audited
Audit trail?
Raw SSH
Whatever lands in .bash_history + Slack scrollback
emisar
Hash-chained JSONL on host, mirrored to cloud
Output redaction?
Raw SSH
None — passwords leak into chat logs
emisar
20+ patterns (bearer/JWT, AWS/GitHub/Slack keys, secret assignments) masked on the host before egress
Lateral movement?
Raw SSH
SSH key on the model's box ≈ key everywhere
emisar
Per-runner token + per-user runner scopes every API key inherits — revoke the user, every key they minted shrinks
Recovery story?
Raw SSH
“Read the chat scrollback and the logs and hope”
emisar
emisar audit verify + replay every dispatched envelope
When raw SSH is the right answer
Single-operator side projects, throwaway environments, dev clusters you can wipe. The cost of declaring an action pack only pays back when there's another human who needs to audit, override, or recover from the AI's decisions.
When it isn't
Production. Anything regulated. Anything where post-incident your VP of Engineering will ask "what did the model do, exactly, and on whose authority?". That's the question raw SSH can't answer without a forensic budget. emisar makes the answer a query.
Stop handing AI agents raw SSH.
The same real commands — declared, policy-gated, approval-checked, and journaled. Recovery you're not betting your weekend on.
Three runners. Seven-day audit. No credit card.