Reactive daemon programPhase 3 — Operator-mediated host bridge

Host Bridge — Secrets and Approved Host Actions

Status: Deferred — design only, no implementation started; blocked on jackin daemon production lifecycle/socket foundation plus a separate per-request approval and audit design. Plan 042 deliberately did not prototype host bridge because it invokes host actions and can expose secrets; it must wait until the daemon base and operator-approval contract are proven.

Shipped baseline

Today's in-container affordances cover single-session, container-local needs: jackin-exec and MCP execution give agents in-container, session-scoped command access, and the operator credential picker resolves secrets at launch time through the credential-source pattern. None of that is a host bridge — there is no long-running host approval service, durable audit log, cross-session policy, or operator-presence proof for host actions. The jackin daemon this item depends on is itself still an open design proposal with no implementation, so this adapter has not started.

Remaining work

  1. Ship jackin daemon phase 1 first — this feature is one adapter on top of the daemon's control-socket and lifecycle, and cannot land before it.
  2. MCP server exposing host.run only, always-prompt policy only (no allowlist/blocklist yet) — the simpler of the two proposed flows.
  3. macOS approval surface via LocalAuthentication (TouchID + password fallback).
  4. Linux approval surface via a terminal password prompt (polkit integration deferred past this cut).
  5. Audit log written to ~/.jackin/log/host-bridge.jsonl with rotation.
  6. Bridge tab in the jackin console workspace editor (parallel to General / Mounts / Roles / Secrets / Auth): enable/disable per workspace, view recent audit entries.
  7. Deferred past this cut: secret.request / secret.use_in handle lifecycle, allowlist/blocklist policies, polkit integration, host.run_capability, prompt-fatigue debounce, audit-export tooling, Windows support, cross-host reach.

On this page