Host Bridge — Secrets and Approved Host Actions
Status: Deferred — design only, no implementation started; blocked on jackin❯ daemon production lifecycle/socket foundation plus a separate per-request approval and audit design. Plan 042 deliberately did not prototype host bridge because it invokes host actions and can expose secrets; it must wait until the daemon base and operator-approval contract are proven.
Shipped baseline
Today's in-container affordances cover single-session, container-local needs: jackin-exec and MCP execution give agents in-container, session-scoped command access, and the operator credential picker resolves secrets at launch time through the credential-source pattern. None of that is a host bridge — there is no long-running host approval service, durable audit log, cross-session policy, or operator-presence proof for host actions. The jackin❯ daemon this item depends on is itself still an open design proposal with no implementation, so this adapter has not started.
Remaining work
- Ship jackin❯ daemon phase 1 first — this feature is one adapter on top of the daemon's control-socket and lifecycle, and cannot land before it.
- MCP server exposing
host.runonly,always-promptpolicy only (no allowlist/blocklist yet) — the simpler of the two proposed flows. - macOS approval surface via
LocalAuthentication(TouchID + password fallback). - Linux approval surface via a terminal password prompt (polkit integration deferred past this cut).
- Audit log written to
~/.jackin/log/host-bridge.jsonlwith rotation. Bridgetab in thejackin consoleworkspace editor (parallel to General / Mounts / Roles / Secrets / Auth): enable/disable per workspace, view recent audit entries.- Deferred past this cut:
secret.request/secret.use_inhandle lifecycle, allowlist/blocklist policies, polkit integration,host.run_capability, prompt-fatigue debounce, audit-export tooling, Windows support, cross-host reach.
Related work
- jackin❯ daemon — host-side process this feature plugs into; must ship phase 1 before this adapter can.
- Live bidirectional auth sync — sibling daemon adapter, same precedent for per-axis features on top of the daemon.
- Agent attention prompts — sibling MCP-server feature using the same auto-registration pattern; both flow through the daemon.
- jackin❯ Desktop Agent Hub — native macOS surface that should eventually show host-bridge approvals and audit entries, with daemon policy/execution staying the source of truth.
- Research: Host bridge design — flows, threat model, open questions — the two-flow design, operator approval surface, threat model, defense-in-depth, and open design questions behind this item.
- Container credential exposure — beyond env injection — broader trade-off between today's
docker run -eenv injection and the daemon-mediatedsecret.requestflow this item proposes. crates/jackin-capsule/src/runtime_setup.rs— current MCP-registration pattern fortirith/shellfirm; the bridge MCP server would register through the same code path.