June 25, 2026
Three Tiers, Zero Surprises: Letting an AI Run Commands Safely
The trade-off nobody wants to make
Letting an AI assistant run diagnostic commands during an incident is genuinely useful — kubectl describe, pvesh get, a targeted grep across a log directory all save real time when you're mid-incident. Letting it run anything is a different proposition entirely. TRCAA's shell execution system exists to keep the useful part without the blank check.
Tier 1: auto-execute
Read-only, inherently safe commands run immediately, no prompt: kubectl get, kubectl describe, kubectl logs, and general read-only shell diagnostics like cat, grep, ls. These can't mutate state, so there's nothing to approve.
Tier 2: approval required
Anything that changes state — kubectl apply, kubectl delete, kubectl scale, ssh, systemctl restart — triggers a real-time approval modal before it runs. You see the exact command, you approve or deny it, and that decision is recorded per session so you're not re-approving the same safe action five times in a row during one incident.
Tier 3: always denied
Some things don't get a modal at all. rm -rf, shutdown, mkfs, and their equivalents are classified as always-deny, full stop — no approval path exists for them, by design. If a command needs that level of access, it needs a human at a real terminal, not an approval click in a chat window.
Classifying pipes and chains, not just single commands
The interesting edge case is command chaining. cat safe-file.txt | xargs rm -rf isn't safe just because it starts with cat. The classifier analyzes piped and chained commands as a whole and escalates the tier to match the most dangerous stage in the chain — a chain is only as safe as its riskiest link.
Where this runs
The classifier ships with 19 tests covering the tier boundaries (src-tauri/src/shell/classifier.rs), and every execution — tier, status, exit code, stdout, stderr, timing — is written to a full audit trail (command_executions), alongside per-session approval decisions. Multiple kubeconfigs are supported with AES-256 encrypted storage, so this works across clusters without keeping cleartext credentials on disk.
The goal isn't to make the AI cautious about everything — it's to make the safe things instant and the risky things visible, and to make sure there's a third category that's simply not on the table.