Skip to main content

Compare

Why not just give the LLM SSH?

The honest answer: you can. Some people do. It works on the days it works. Here's what changes when it doesn't.

Both approaches run real commands

emisar isn't a sandbox. When the runner executes nomad job revert, it really rolls back the deploy — exactly like SSH would. The difference is what happens before exec, and what's left after.

Raw SSH · a full shell

# one key opens the whole box

$ nomad job revert api 17

↳ done — no who, no why, no record

$ cat /srv/api/.env

DB_PASSWORD=hunter2…

↳ now sitting in the chat scrollback

claude · emisar MCP

nomad.job_revert(job: api, version: 17)

reason: roll back the 502 spike

⏸ approval — nomad.job_* is gated

✓ approved · one use · recorded

↳ output redacted · hash-chained journal

Same revert. The shell version also just read your database password into the chat log — and left nothing you can hand an auditor.

Side-by-side

What can the LLM run?

Raw SSH

Anything in the user's shell

emisar

Only declared actions; everything else rejected

What are the args?

Raw SSH

Free-text command line

emisar

Typed, validated, redacted at the boundary

What actually ran?

Raw SSH

Whatever was on PATH that day

emisar

Content-addressed pack — the runner recomputes the SHA-256 and blocks changed contents until an admin re-trusts

Approvals?

Raw SSH

Human-in-the-loop in chat — easy to skip

emisar

Policy gates with approver email + audit; skipping means a policy change, itself audited

Audit trail?

Raw SSH

Whatever lands in .bash_history + Slack scrollback

emisar

Hash-chained JSONL on host, mirrored to cloud

Output redaction?

Raw SSH

None — passwords leak into chat logs

emisar

20+ patterns (bearer/JWT, AWS/GitHub/Slack keys, secret assignments) masked on the host before egress

Lateral movement?

Raw SSH

SSH key on the model's box ≈ key everywhere

emisar

Per-runner token + per-user runner scopes every API key inherits — revoke the user, every key they minted shrinks

Recovery story?

Raw SSH

“Read the chat scrollback and the logs and hope”

emisar

emisar audit verify + replay every dispatched envelope

When raw SSH is the right answer

Single-operator side projects, throwaway environments, dev clusters you can wipe. The cost of declaring an action pack only pays back when there's another human who needs to audit, override, or recover from the AI's decisions.

When it isn't

Production. Anything regulated. Anything where post-incident your VP of Engineering will ask "what did the model do, exactly, and on whose authority?". That's the question raw SSH can't answer without a forensic budget. emisar makes the answer a query.

Try it: install the runner from the quickstart, declare one action you'd otherwise SSH for, and point your model at it. The free tier covers 3 runners — no credit card.

Stop handing AI agents raw SSH.

The same real commands — declared, policy-gated, approval-checked, and journaled. Recovery you're not betting your weekend on.

Three runners. Seven-day audit. No credit card.