Skip to content

Instantly share code, notes, and snippets.

View kcosr's full-sized avatar

Kevin kcosr

24 followers · 4 following
View GitHub Profile
@kcosr
kcosr / securing-file-based-credentials-in-containers.md
Last active December 5, 2025 14:36
Securing File-Based Credentials in Containers

Securing File-Based Credentials in Containers

This pattern allows a non-root container user to run utilities that use file-based credentials (e.g., gh, git) while limiting direct access to those credentials files. Credentials are mounted into root's home read by utilities run using sudo.

If a priviledged utility can be instructed to read arbitrary files or dump credentials, no security is provided beyond obfuscation. This pattern can be useful to prevent accidental reads or low-complexity exploits but will not block access. A proxy-based approach, combined with credentials injection in the request, is better.

Example Exploits

gh auth token
@kcosr
kcosr / securing-network-access-from-containers-with-transparent-proxy.md
Last active December 31, 2025 18:13
Securing Network Access from Containers with a Transparent Proxy

Securing Network Access from Containers with a Transparent Proxy

This pattern uses iptables to redirect outbound HTTP/HTTPS traffic through a transparent MITM proxy such as kcosr/acl-proxy (WIP prototype), allowing you to filter requests by URL, inspect content, log traffic, enforce allow/deny lists, or even inject credentials you don't want to deploy in the container.

Note: This approach can be used without containers if you trust that all commands invoked by the agent CLI will respect HTTP_PROXY environment variables.

How It Works

  1. Container starts with temporary sudo access to iptables
  2. Entrypoint script configures iptables to redirect traffic to the proxy
@kcosr
kcosr / orchestration-workflow.md
Created December 9, 2025 03:50
Multi-Agent Orchestration Workflow

Multi-Agent Orchestration Workflow

This document describes the workflow for an orchestrator agent to break down a large task into sub-tasks, delegate to worker agents, and coordinate the work to completion.

Overview

┌─────────────────────────────────────────────────────────────────┐
│                     Orchestrator Agent                          │
│                                                                 │
@kcosr
kcosr / cli-provider-for-pi.md
Created January 24, 2026 17:26
CLI Provider for pi

CLI Provider for Pi

Overview

This design document describes integrating external CLI tools (like Claude CLI, Codex CLI) as a new Provider type in pi. The goal is to create an abstraction layer that takes streaming JSON output from external CLIs and converts it into pi's native AssistantMessageEvent format.

Background

Assistant App's CLI Integration

@kcosr
kcosr / http-service-tunneling-design.md
Last active February 9, 2026 02:31
HTTP Service Tunneling Design

HTTP Service Tunneling Design

Repository: https://github.com/kcosr/termstation

Purpose

This guide explains how TermStation exposes container-local services to API clients through a reverse tunnel, including HTTP proxying and WebSocket upgrades on paths like:

  • /api/sessions/:sessionId/service/:port/...